Securing Sensitive Data Initiative

1
Securing Sensitive Data Initiative Phase II
Automated Security Self Evaluation Tools (ASSETs)

• Standardized Risk Assessment
• Compliance Report Generator
• Security Evaluation Report Generator
• Security Plan Generator
• Readily Available Security Tools
• Basic Business Continuity Plan Generator

2
Introductions and Overview
3
Presentation Objectives

• In this presentation we will
• Review SSD Phase II components
• Walk Through the ASSETs Steps 1-5
• Introduce Future ASSETs components
• ASSETs QA

4
Presentation Materials

• Presentation Slides
• ASSETs Flow Chart
• ASSETs Unit Level Liaison Letter
• Other InfoSec Materials

5
Logistics

• Please place all communication devices on vibrate
• Timeline
• Restrooms/water fountains/exits
• Other important items

6
Begin

• The beginning is the most important part of the
  work.
• Plato

7
Discuss SSD Phase II Components
8
Design a set of tools that establish a good
security baseline

• Standardized Risk Assessment
• Compliance Report Generator
• Security Evaluation Report Generator
• Security Plan Generator
• Readily Available Security Tools
• Basic Business Continuity Plan Generator

9

• Build a UGA Security Community

10
Build an InfoSec Community

• Create an affiliation of campus IT and Business
  personnel Unit-Level Security Liaison
• Educate and empower an existing resource
• Implement the university's policies, procedures
  and education at the relevant academic or
  administrative unit and will be the information
  security office's point of contact for
  information security compliance issues relating
  to that academic or administrative unit

11
Build an InfoSec Community

• Communicate
• Create quarterly meetings to discuss information
  security issues
• Provide a discussion list for sharing information
  between meetings, and for discussing issues in a
  timely manner
• Train
• Mass training, instructor-led, web-based,
  computer-based and multi-media

12
Build an InfoSec Community

• Train (cont.)
• Train using intuitive repeatable measurable
  steps
• Standardize on risk assessments and compliance
  reporting
• Develop a business continuity plan template for
  all units/depts.

13
ASSETs

• Standardized Risk Assessment
• Compliance Report Generator
• Security Evaluation Report Generator
• Security Plan Generator
• Readily Available Security Tools
• Basic Business Continuity Plan Generator

14
Walk Through ASSETs Steps 1-5
15
(No Transcript)
16
First, lets register

• https//assets.uga.edu/registration.php

17
Registration Process

• Receive Unit Level Liaison Letter or designated
  by unit/dept management
• Review role and scope of a Unit Level Security
  Liaison
• Designate a Primary and Backup Liaison
• Go to URL provided in the Unit Level Liaison
  Letter

18
(No Transcript)
19
(No Transcript)
20
IMPORTANT STEP

• Select the unit/dept or units/depts for which
  you have been designated liaison

21
(No Transcript)
22
Registration Process (contd.)

• Receive your personal ASSETs password via email
  from the ASSETs administrator ltassets_at_uga.edugt

23
ASSETs Step 1

• https//assets.uga.edu/disclaimer.php

24
(No Transcript)
25
(No Transcript)
26
ASSETs Step 1

• Read the ASSETs logon page
• Enter your MyID and ASSETs password
• Press login

27
(No Transcript)
28
ASSETs Step 1

• You must select the unit/dept you would like to
  work with (the list units/depts are the
  unit/depts you selected in the Liaison
  registration process

29
ASSETs General Screen layout
30
(No Transcript)
31
Centralized Risk Assessment (RA) and Compliance

• Step 1 - Inventory Assessment
• Start by identifying and inventorying all
  server-level or desktop computers that process,
  store or transmit sensitive/critical/confidential
  data and enter them in the inventory assessment
  database online. (approx. 45 minutes)
• You can't secure what you dont know about

32
Centralized RA and Compliance

• Step 2 Risk Assessment
• Evaluate risk (probability and impact) for one of
  the sensitive/critical/confidential information
  resources using the "Risk Assessment step.
  (approx. 10 minutes)
• This step will immediately classify the system(s)
  and corrective action offered
• Policies/guidelines (passwords, checklists and
  guidelines)
• Technology (scanning, FW/IDS/AV/Anti-Spam or
  Spyware, vulnerability management, baseline
  analyzers, etc)
• Awareness (awareness, training and education)

33
Centralized RA and Compliance

• Step 2 Risk Assessment
• The assessment may reveal a deficiency in an
  area, and if so, you may stop the assessment to
  address the deficiency (or formulate a plan to
  correct it at later date), and then return to the
  assessment.

34
Centralized RA and Compliance

• Step 3 Security and Business Processes
  Questionnaire
• Complete the comprehensive security and business
  processes questionnaire.
• The goal is to provide a comprehensive approach
  to enhanced security within the unit by
  presenting opportunities to mitigate risk.

35
Centralized RA and Compliance

• Step 4 Automatically generates a Security
  Evaluation Report
• The Evaluation will provide information on what
  the unit now has in relation to security.

36
Centralized RA and Compliance

• Step 5 - Automatically generates a Security Plan
• The goal of the security plan is to determine an
  appropriate level of security and arrange to
  organize suitable security for the Unit IT
  assets. Every unit is expected to develop a
  security plan.
• Meets and exceeds the BOR requirement for
  security plans

37
Steps 1-5

• The Inventory Assessment identified those assets
  that are sensitive/critical
• The Risk Assessment helped determine the unit's
  IT security risk level
• The Unit Security Checklist helped evaluate the
  unit's IT security strengths and weaknesses
• Security Evaluation Report what security
  measures are in place
• Security Plan what needs to be worked on
• Deadline to complete Steps 1-5 October 31, 2006

38
Introduce Future ASSETs Components
39
Centralized Risk Assessment and Compliance

• Step 6
• Take the output of steps 1-5 and let is serve as
  the input for 6
• "Business Continuity Planner" application will
  provide the units with guidance and assist in
  developing the basic unit-level BC plan.
• Note Audit finding 2003 2004

40
The UGA BCP Plan Generator

• Step 6
• Attend the Staff Training and Development
  Centers Business Continuity Plan (BCP) classes
  (i.e. Intro to the UGA Unit Level BCP or Basic
  Unit Level BCP)
• Go to UGA ASSETs Program and select Step 6
  Baseline Business Continuity Plan (BCP)
• Complete the online webforms
• Deadline to complete Step 6 May 31, 2007

41
Summary
42
UGA ASSETs Program

• Next logical step in Securing Sensitive Data
  Initiative
• Creates constancy of purpose toward improvement
  of security and privacy, with the aim to lower
  risk to an acceptable level and to
  provide trusted systems and trusted information
• Intuitive, Repeatable, Scalable, Robust and
  Measurable
• Institutes a vigorous program of education and
  self-improvement.
• Puts everybody to work on securing and protecting
  information and information systems.

43
UGA ASSETs Program

• Assigns accountability
• Meets and exceeds State and BOR security and
  electronic privacy requirements
• Utilizes International, national standards and
  best practices
• Cost effective solution
• Implements shared responsibility
• security is everyone's responsibility...

44
UGA ASSETs

• Standardized Risk Assessment
• Compliance Report Generator
• Security Evaluation Report Generator
• Security Plan Generator
• Readily Available Security Tools
• Basic Business Continuity Plan Generator

45
QA?