
Title V Risk Assessment

Title V Risk Assessment. Progress Report 8/17/2005. Awareness Video. EDUCAUSE Security Awareness Task Force produced Educate Executive Level. Title V Grant.


Presentation Transcript


  1. Title V Risk Assessment Progress Report 8/17/2005

  2. Awareness Video • EDUCAUSE Security Awareness Task Force produced • Educate Executive Level

  3. Title V Grant Partner Colleges and Universities: • California State University, San Bernardino (Coordinating Institution) - a public, four-year university that enrolls 16,927 students, 32.4% of whom are Hispanic. • California State University, Los Angeles - a public, four-year university that enrolls 20,637 students, 52.4% of whom are Hispanic. • California Polytechnic State University, Pomona - a public, four-year university that enrolls 19,804 students, 24% of whom are Hispanic. • Mt. San Antonio College - a public, two-year community college that enrolls 64,552 students, 36.8% of whom are Hispanic. • Oxnard College - a public, two-year community college that enrolls 7,061 students, 59.2% of whom are Hispanic.

  4. Title V – Activities • Staff and faculty training and development • Conducting complete assessments at each campus • The acquisition of H/W and S/W systems to facilitate assessments • Developing curriculum • Assisting each campus to develop new policies and procedures • Conduct security awareness training

  5. Title V - Outcomes • Reduce vulnerabilities and reaction time • Increase in the number of trained staff • Increase in the number of trained faculty • Increase course offerings

  6. Assessment – Year One • Title V vulnerability assessment training • Posture analysis – identify hosts • Develop assessment procedure • Prepare hardware and software • Conduct vulnerability assessment • Provide report to each campus • Notify system administrators and help with corrective action

  7. System Administrator Report Sample

  8. Year Three Assessment • Title V calls for repeat of year one assessment • Vulnerability scans alone - not adequate • H/W and S/W controls alone - not adequate • Higher level risk assessment required • Asset and risk management – level of risk • Improve policies and procedures • Assess security awareness • Qualitative assessment calls for a structured process

  9. NIST – Flowchart

  10. Preventative Measures • Tighter firewall rules and ACLs • Border firewall (Title V funded) • Better patch coordination • Security tools • Awareness and technical training (Title V) • Enterprise anti-virus • Product evaluation • Periodic scanning • Better communication to the campus • Discontinue use of insecure protocols

  11. Risk Assessment Process • Create detailed project plan – updated often • Update database of known systems (Posture) • Training for risk team • Consultation with CSUSB • Scanning infrastructure and procedures • Conduct vulnerability scans • Conduct wireless scans • Produce reports – notify stakeholders and system administrators • Help with corrective measures

  12. Risk Team – Blackboard Hosted A Blackboard organization is used to facilitate: • Ease of communication • Meeting notes • Documentation • Sub-projects • Surveys

  13. Risk Assessment Process • Risk team continues to meet biweekly • Risk team leads meet during off weeks • Student assistance was offered by CIS • Special thanks go to Fred Gallegos and Dan Manson for their invaluable support • Student projects were integral

  14. Risk Assessment – Develop Procedure • Research best practices • Identify possible report templates • Create surveys • Produce interim report • Bleeding edge security technology evaluations – presentations • Understand legal liability

  15. Risk Assessment – Develop Procedure • Methods and best practices plentiful • Documentation collected from many sources • EDUCAUSE, Burton Group, SANS, NIST, Others • Common Thread • Understand liability • Asset identification and valuation • Threat analysis • Assign risk to assets • Determine tolerable level of risk • Cost basis analysis for mitigation costs

  16. Risk Management and Mitigation • Provide awareness training • Product demonstration and recommendations • Participate on EDUCAUSE Awareness Task force • Possible recommendations • Central policy enforcement – logging • Enterprise scanning • Policy development • Intrusion prevention • Email security implementation • Safeguarding data – education (in the works)

  17. Risk Assessment • Professional Consultant • Help refine our process and procedures • Provide training and education • Assist with risk assessment reporting • Provide external validation

  18. Risk Assessment - Consultant • Review existing documentation and surveys • Recommend additional data gathering approaches • Conduct interviews • Identify missing pieces in the methodology • Help develop report templates • Help prepare an executive report
