Information Security Awareness, Assessment, and Compliance
A Success Story
What ISAAC was intended to address

• Provide an information security risk assessment process that was thorough, effective, and made efficient use of the time of the system administrators and other assessors
• A large, decentralized university environment with over 200 departments, each having its own IT function and budget
• Had to be cost effective
  o Minimal expenditure to create and operate
  o Currently, institutions using ISAAC spend less than $2,000 per year for the Web-SQL-based system
Approach and Methodology

Information Security Awareness, Assessment, and Compliance (ISAAC)
• Awareness is a key aspect: ISAAC creates familiarity with information security standards and best practices for IT personnel
• ISAAC leverages the concept of known threat vectors and best practices/countermeasures, saving time for those involved
  o The assessment process may begin immediately, without spending large amounts of preparation time in committee meetings as is typical of other methodologies
Approach and Methodology (cont.)

• The 2 major components are:
  o A module that assesses or evaluates compliance with information security standards, best practices, and requirements, legal or otherwise
    - Compliance modules for HIPAA and PCI are also included
  o A risk assessment methodology, currently the Relative Risk Index (RRI), borrowed from the National Institutes of Health
    - The RRI simplifies risk to acceptable or unacceptable
    - Requires identifying mitigation measures that will bring the risk to an acceptable level
Benefits of this Approach

• Designed to be used independently at the department level
  o Individual departments are able to decide what risk management decisions to make and what risk mitigation measures to implement, based on their departmental budget and personnel resources
Benefits of this Approach (cont.)

• The assessment is considered complete when the department head signs the assessment and risk management report
• This creates awareness of the nature of the security environment at the department head level and fosters communication between the department head/administrative level and those in an IT function
Benefits of this Approach (cont.)

• Departmental risk assessment reports
  o Are used to create a composite report to highlight common risks
  o Provide guidance to the CIO on which centrally based initiatives would be of most benefit to improve the security posture of the institution
  o Are used to develop an institution-wide risk management plan to address global risks
• ISAAC has grown to provide not only awareness, risk, and compliance checks supporting information security, but also other awareness and compliance aspects of IT policy administration
Current Users

• Use of ISAAC has grown over the years from use at a single institution (TAMU)
• Now used as the officially recommended assessment tool for all Texas state agencies
• Currently in use by Health Science Centers and universities from 4 major state university systems
• Also being utilized by a Health Science Center outside of Texas
• This is primarily due to an efficient and cost-effective methodology
Plans for Future

• There are currently 4 different versions of ISAAC and additional sub-modules
• ISAAC-EU is the newest module, soon to be widely available
  o A module that is brief and simple
  o Designed for the individual with administrative rights for their own desktop unit
  o Ensures that the essential countermeasures/best practices are in place
  o This can be very useful for systems that are not centrally supported by the department (research groups, faculty desktops, etc.)
Plans for Future (cont.)

• The infrastructure of ISAAC is being rewritten from the ground up to develop a very modular, table-driven framework
  o This allows for
    - Assessments to be highly customizable
    - Individual institutions to include their own customized questions and methods
Plans for Future (cont.)

• Assessments will be keyed to resources
• Will also allow various "views" in terms of reporting
  o Likert scale evaluation for a phased view of compliance initiatives/levels
  o Capability maturity model approach
  o Additional or multiple measures/views
• Plans include the availability of online tutorials (delivered by Articulate) addressing the various aspects of ISAAC that are available
Contact Us

Information Technology Issues Management
(979) 845-9254
itim@cis-gw.tamu.edu