Facilitated IT Risk Assessment Program
Protecting Your Business
Information Security Awareness | security.uwm.edu

Protecting campus data is no longer an option. It is a requirement.

• Major breach of UCLA's computer files: 800,000 students, alumni and others exposed; attacks lasted a year (LA Times.com, December 12, 2006)
• Hacker accesses 14,000 records at OSU (Source: AP, The Plain Dealer.com, Wednesday, April 18, 2007)
• Hackers strike Georgia Tech computer, gain credit card data (InfoSecNews.com, 3/31/03)
• Boston University: 50 laptops stolen (between 9/03 and 9/04), totaling $78,000 in losses for victims (CSOonline.com, 9/14/04)

What is an IT risk assessment?
• Systematic review of risks, threats, hazards and concerns
• Prioritizes threats and vulnerabilities
• Identifies appropriate, cost-effective safeguards to lower risk to an acceptable level

What are we protecting?
• Confidential data (defined on the next slide)
• Critical systems
• The network
• Our reputation

Examples of confidential data:
• Social Security Numbers (SSNs)
• Student ID numbers
• Credit card numbers
• Banking information
• Research data
• Logins/passwords
• Health care information
• Grades

Some of the risks:
• Information exposure
• DoS (Denial of Service)
• Malicious editing
• Equipment theft
• Damage to equipment

How are risks exposed?
• Hacker gets remote access to a computer
• Virus or "worm" causes loss of service (DoS)
• Computer lost or stolen and data illegally shared
• Disgruntled employee compromises data integrity
• Appropriate security controls not in place or not enforced

How an assessment is different from an audit:
• No predetermined criteria to be judged against
• Assesses what is needed to protect business processes
• Self-directed
• Facilitator is neutral
• Provides a prioritized list of threats and suggested solutions
• Actions taken are up to you!
Legislative Impetus for IT Risk Assessments
Wisconsin Act 138 (WA 138), Data Breach Notification Law
Requires:
• Notification to victims when specific types of data are exposed to unauthorized third parties
• Examples include stolen laptops, lost paperwork, hacked servers, etc.

Legislative Requirements for IT Risk Assessments
HIPAA (Health Insurance Portability and Accountability Act)
Requires:
• Periodic information security risk evaluations
• Organizations to assess risks to information security
• Steps to mitigate risks to an acceptable level
• Maintaining that acceptable risk level

Legislative Requirements for IT Risk Assessments
Gramm-Leach-Bliley Act: financial-based consumer rights legislation
Requires:
• Assessment of data security risks
• Documented plans to address those risks

Good Records Management Lowers Institutional Risk
• UWM Libraries and I&MT are strategic partners in this initiative.
• The UWM IT Risk Assessment Program can help business units get a baseline as partial preparation for a comprehensive records management review.
• Good records management and good security practices go hand in hand.
Campus Benefits of Risk Assessment
• Provides a snapshot of IT system and business process concerns by department/area
• Shows due diligence for legal purposes
• Uses that information to create a protection strategy designed to reduce the highest-priority information security risks
• Ensures that funds for security are spent where they are needed most

Unit Benefits
• Generates a comprehensive list of information assets and an analysis of their relative importance
• Identifies risks to those assets; reviews existing controls and identifies needed controls
• Leverages internal expertise; not dependent on outside "experts"
• Provides experience implementing information security risk assessments for future use

Benefits for Employees
• Increased IT security awareness
• Team-building experience
• Direct involvement in the decision-making process
• Provides a structured environment to offer suggestions/comments/concerns and solutions

The Process
• Assemble a team consisting of broad representation from the organization
• Facilitate brainstorming of key business processes and office/IT systems
• Rank those assets based on importance to fulfillment of the unit's mission

The Process (cont.)
• Brainstorm risks to those assets and prioritize those risks based on likelihood of occurrence and impact
• Analyze where controls for these high-priority risks exist and suggest controls for the rest
• Provide ongoing monitoring of effectiveness and ensure a risk assessment happens for new products and services

Business Process Review
• Review how employees access, use and transmit data, i.e., the "human" element
• Determine data ownership: who is ultimately responsible for data usage and protection?
• Where does data come from? Where does data go?

Business Process Review (cont.)
• How is data shared?
• What is the security level for the data: public, confidential, private, proprietary, personal?
• Are policies/procedures established for accessing and/or sharing data?

Information System/Program Review
• Review of office equipment, desktop computers, laptops and servers used
• Discuss the purpose of the systems and/or programs used; are outdated or ineffective equipment/programs/images in use?
• Active scan of randomly selected IT systems to determine vulnerabilities
• Map IT systems

Physical Security Review
• Physical location of IT systems: secured? fire/water/theft protection?
• How/where is data stored? Paper or electronic? Is it backed up?
• Is data access secured? Is data locked up? Is PantherFile used? Are office space/desk/storage areas secure?

Required Resources
• Department and UWM IT security staff
• Risk Assessment forms
• Meeting room
• Digital projector
• Whiteboard and markers

Timing and Commitment
• Support from upper management
• 1 mid-level or higher unit designee dedicated to facilitating the process to completion
• Cross-representation (front-line and management staff) from each major business and system process
• 2-4 three-hour sessions for each group
The process should have minimal impact on your operation during the review.
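The prioritization steps of the process (rank assets by importance to the unit's mission, score each risk by likelihood and impact, then check which high-priority risks already have controls and flag the rest) can be kept in a simple risk register. The Python below is an added worked example and is not part of the UWM program's forms or tooling; the 1-5 scales, the importance weighting, the 40-point cut-off and the sample assets and threats are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List

# All scores use a 1-5 scale. The scale, the importance weighting and the
# HIGH_PRIORITY cut-off are assumptions made for this example; the program's
# own Risk Assessment forms may score differently.


@dataclass
class Risk:
    asset: str                       # information asset from the brainstorming step
    importance: int                  # importance to the unit's mission (1 low .. 5 critical)
    threat: str                      # what could go wrong with it
    likelihood: int                  # likelihood of occurrence (1 rare .. 5 almost certain)
    impact: int                      # damage if it happens (1 negligible .. 5 severe)
    controls: List[str] = field(default_factory=list)  # controls already in place

    def __post_init__(self):
        # Reject out-of-range scores so a typo on the form cannot distort the ranking.
        for name in ("importance", "likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1-5, got {value}")

    @property
    def score(self) -> int:
        # Likelihood x impact is the raw risk; weighting by importance folds in
        # the asset ranking from the first step of the process.
        return self.likelihood * self.impact * self.importance


HIGH_PRIORITY = 40  # assumed cut-off: scores at or above this need a control in place


def prioritize(register: List[Risk]) -> List[Risk]:
    """Return the register ordered from highest to lowest risk score."""
    return sorted(register, key=lambda r: (-r.score, r.asset, r.threat))


def control_gaps(register: List[Risk], threshold: int = HIGH_PRIORITY) -> List[Risk]:
    """High-priority risks with no documented control: the 'suggest controls for the rest' step."""
    return [r for r in prioritize(register) if r.score >= threshold and not r.controls]


def report(register: List[Risk], threshold: int = HIGH_PRIORITY) -> str:
    """Plain-text summary of the prioritized register with the control status of each risk."""
    lines = []
    for r in prioritize(register):
        status = "controls: " + ", ".join(r.controls) if r.controls else "NO CONTROL - needs action"
        flag = "HIGH" if r.score >= threshold else "low "
        lines.append(f"{flag} {r.score:3d}  {r.asset} / {r.threat}  [{status}]")
    return "\n".join(lines)


# Constructed sample register for a hypothetical academic department.
SAMPLE_REGISTER = [
    Risk("Grades database server", 5, "server hacked via unpatched service", 3, 5,
         controls=["monthly patching", "departmental firewall"]),
    Risk("Advisor laptop holding SSNs", 4, "laptop stolen from car", 4, 5),
    Risk("Paper files with banking information", 3, "files taken from unlocked cabinet", 2, 4,
         controls=["office locked after hours"]),
    Risk("Department web site", 2, "defacement", 3, 2),
    Risk("Shared office PC", 3, "worm infection causes loss of service", 3, 3),
]

if __name__ == "__main__":
    print(report(SAMPLE_REGISTER))
    print("\nControl gaps:", [r.asset for r in control_gaps(SAMPLE_REGISTER)])
```

On the sample data the stolen-laptop risk (80) outranks the database compromise (75) even though the database asset is more important, because the laptop threat is judged more likely; it is also the only high-priority entry without a control, so it is the one the session would assign a safeguard to (laptop encryption is among the systemic approaches listed later in this deck).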
UWM IT Security Commitment
• The UWM Facilitated IT Risk Assessment program is administered by UWM IT security staff specifically trained in IT security
• IT's role is to guide the group through the program and provide professional documentation of results
• Program provided at no cost to the campus community; benefits are immeasurable

Systemic Approaches Underway
• Comprehensive security policy
• Standardization of laptops and desktops
• Standardization of desktop and laptop images, Active Directory (with Vista)
• Standardization of network devices
• Campus VPN
• PantherFile: security and records management
• Standardization of laptop encryption

To request a Facilitated IT Risk Assessment:
Please have your dean, division head or designee contact the IT Risk Assessment Team at osa-list@uwm.edu

Facilitated IT Risk Assessment Program
Protecting Your Business
Questions? Please contact:
Steve Brukbacher, CISSP
Information Security Coordinator
sab2@uwm.edu
414-229-2224
Visit the UWM IT Security Web Site: security.uwm.edu