Information Security Awareness, Assessment, and Compliance: A Success Story

1. What ISAAC was intended to address
- Provide an information security risk assessment process that was thorough, effective, and made efficient use of the time of system administrators and other assessors
- A large, decentralized university environment with over 200 departments, each having its own IT function and budget
- Had to be cost-effective
  o Minimal expenditure to create and operate
  o Currently, institutions using ISAAC spend less than $2,000 per year for the Web/SQL-based system

2. Approach and Methodology
- Information Security Awareness, Assessment, and Compliance (ISAAC)
- Awareness is a key aspect: ISAAC creates a familiarity with information security standards and best practices for IT personnel
- ISAAC leverages the concept of known threat vectors and best practices/countermeasures, thus providing a time savings for those involved
  o The assessment process may begin immediately, without spending large amounts of preparation time in committee meetings as is typical of other methodologies

3. Approach and Methodology (cont.)
- The two major components are:
  o A module that assesses or evaluates compliance with information security standards, best practices, and requirements, legal or otherwise
    • Compliance modules for HIPAA and PCI are also included
  o A risk assessment methodology, which is currently the Relative Risk Index (borrowed from the National Institutes of Health)
    • The RRI simplifies to acceptable or unacceptable in terms of risk
    • Requires identifying mitigation measures that will bring the risk to an acceptable level

4. Benefits of this Approach
- Designed to be used independently at the department level
- Individual departments are able to decide what risk management decisions to make and what risk mitigation measures to implement based on their departmental budget and personnel resources

5. Benefits of this Approach (cont.)
- The assessment is considered complete when the department head signs the assessment and risk management report
- This creates awareness of the nature of the security environment at the department head level and fosters communication between the department head/administrative level and those in an IT function

6. Benefits of this Approach (cont.)
- A composite view of departmental risk assessment reports
  o Is used to create a composite report that highlights common risks
  o Provides guidance to the CIO on which centrally based initiatives would be of most benefit in improving the security posture of the institution
  o Is used to develop an institution-wide risk management plan to address global risks
- ISAAC has grown not only to provide awareness, risk, and compliance checks supporting information security, but also into other awareness and compliance aspects of IT policy administration

7. Current Users
- Use of ISAAC has grown over the years from use at a single institution (TAMU)
- Now used as the officially recommended assessment tool for all Texas state agencies
- Currently in use by Health Science Centers and universities from 4 major state university systems
- Also being used by a Health Science Center outside of Texas
- This is primarily due to an efficient and cost-effective methodology

8. Plans for Future
- There are currently 4 different versions of ISAAC and additional sub-modules
- ISAAC-EU is the newest module, soon to be widely available
  o A module that is brief and simple
  o Designed for the individual with administrative rights for their own desktop unit
  o Ensures that the essential countermeasures/best practices are in place
  o This can be very useful for systems that are not centrally supported by the department (research groups, faculty desktops, etc.)

9. Plans for Future (cont.)
- The infrastructure of ISAAC is being rewritten from the ground up to develop a very modular and table-driven framework
- This allows assessments to be highly customizable
  o Individual institutions can include their own customized questions and methods

10. Plans for Future (cont.)
- Assessments will be keyed to resources
- Will also allow various "views" in terms of reporting
  o Likert scale evaluation for a phased view of compliance initiatives/levels
  o Capability maturity model approach
  o Additional or multiple measures/views
- Plans include the availability of online tutorials (delivered by Articulate) addressing the various aspects of ISAAC that are available

11. Contact Us
Information Technology Issues Management
(979) 845-9254
itim@cis-gw.tamu.edu