
Introduction to Risk Assessment Using Archer GRC

Nancy Rainosek, Statewide GRC Program Manager, State of Texas Department of Information Resources. SISAC Risk Assessment Subcommittee.


Presentation Transcript


  1. Introduction to Risk Assessment Using Archer GRC Nancy Rainosek Statewide GRC Program Manager State of Texas Department of Information Resources

  2. SISAC Risk Assessment Subcommittee
     • Arturo Montalvo - OAG
     • Matt Riemersma - DARS
     • Brandon Rogers - GLO
     • Charlotte Russell - UNTS
     • Khatija Syeda - HHSC
     • Lisa Wei - CPA
     • Robert Myles - Symantec
     • Kevin Kjosa, Co-Chair - UT System
     • Darrell Bateman - TTU
     • Kent Dyer - TDLR
     • Shirley Erp - HHSC
     • Dave Gray - CPA
     • Ann Hallam - SORM
     • Mark Herber - DFPS
     • Jeff McCabe - TAMU

  3. Today’s Game Plan
     • Background
     • Understand common terms and roles
     • Risk assessment workflow
     • Bulk upload files
     • Case Study

  4. Background

  5. TAC 202 §202.25/75 Managing Security Risks. A risk assessment of the agency's/institution's information and information systems shall be performed and documented.

  6. TAC 202 (1) The inherent impact will be ranked, at a minimum, as either "High," "Moderate," or "Low" and (2) the frequency of the future risk assessments will be documented. (3) Risk assessment results, vulnerability reports, and similar information shall be documented and presented to the Information Security Officer or his or her designated representative(s). (4) Approval of the security risk acceptance, transference, or mitigation decision shall be the responsibility of:
     • the information security officer or his or her designee(s), in coordination with the information owner, for systems identified with a Low or Moderate residual risk.
     • the state agency/institution of higher education head for all systems identified with a residual High Risk.

  7. Understanding Common Terms and Roles

  8. Risk Assessable Unit The scope of a risk assessment. The risk assessable unit (RAU) is what is being assessed. It may be an application, a location such as a data center, etc.

  9. Assessment Component Each piece that makes up the risk assessable unit is an assessment component.

  10. Assessment Questionnaire The list of questions asked during an assessment. Each assessment component has its own questionnaire. Based on NIST 800-53.

  11. Security Categories Based on the security categorization from NIST 800-60.

  12. Risk Assessment Workflow

  13. Archer Risk Assessment Process
     • Risk Assessment Coordinator: determines the scope of the RAU, generates questionnaires, and assigns questionnaires to assessors and reviewers.
     • Assessor: completes the questionnaire.
     • Reviewer (Optional): reviews questionnaires and either accepts or rejects the assessment. If accepted, findings are generated; if rejected, provides feedback.
     • Security Office (Optional): reviews the assessment and related findings, evaluates overall risk, and either accepts the assessment or rejects it and provides feedback.

  14. Archer Finding Resolution Process
     • Risk Assessment Coordinator: at RAU level, reviews and sends to ISO/Business Owner.
     • Assessor: labels the findings from a criticality / priority standpoint, recommends to either accept or remediate the risk, and assigns the remediation activity along with a due date.
     • Reviewer (Optional): reviews findings, remediation plans and risk acceptance; accepts them, or rejects and provides feedback.
     • ISO / Business Owner: accepts risk acceptance or remediation plans and approves risk acceptance / mitigation, or rejects and provides feedback.
     • Organization Head: if residual risk = High, approves risk acceptance / mitigation, or rejects and provides feedback.

  15. Scoping the Assessment

  16. Identify the Assessment Components Employee Time and Leave System

  17. Identify the Assessment Components Employee Time and Leave System

  18. Assigning Roles

  19. Assigning Roles

  20. Assigning Roles RAU Level Assessment Level

  21. Requesting New Users Support Request or send DIR template for bulk upload

  22. Add Assessment Components

  23. Add Assessment Components

  24. Assign Security Category

  25. Security Categorization Compensation Management: Confidentiality – Low, Integrity – Low, Availability – Low. Security category: Low.

  26. Number of Questions (table by assessment component type: Security Program, Location, Network, Application)
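Slides 24 to 26 assign each assessment component a security category and pick a questionnaire baseline (for example "NIST Low") from it. The block below is an added example, not code from the presentation or from Archer GRC: it applies the FIPS 199 / NIST SP 800-60 high-water-mark rule (the overall category is the highest of the confidentiality, integrity and availability impacts), derives the expected questionnaire type, and flags components whose assigned questionnaire is weaker than their category demands. The component names, impact values and the mismatch check itself are this example's own assumptions.

```python
"""Security categorization of Archer assessment components (added example).

Applies the FIPS 199 / SP 800-60 high-water mark: a component's overall
category is the highest of its C, I and A impact levels, and that category
selects the NIST questionnaire baseline. Sample data below is constructed.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


def parse_impact(text: str) -> Impact:
    """Map the slide's 'Low' / 'Moderate' / 'High' labels to Impact values."""
    try:
        return Impact[text.strip().upper()]
    except KeyError:
        raise ValueError(f"unknown impact level: {text!r}") from None


@dataclass(frozen=True)
class Component:
    name: str
    component_type: str       # Security Program, Location, Network or Application
    confidentiality: Impact
    integrity: Impact
    availability: Impact
    questionnaire_type: str   # value chosen in Archer, e.g. "NIST Low"

    def security_category(self) -> Impact:
        # High-water mark across the three security objectives.
        return max(self.confidentiality, self.integrity, self.availability)

    def expected_questionnaire(self) -> str:
        return f"NIST {self.security_category().name.title()}"


def questionnaire_mismatches(components):
    """Return (name, assigned, expected) for components whose assigned
    questionnaire baseline is below their security category.
    Assumed check: the slides do not say Archer enforces this."""
    problems = []
    for c in components:
        assigned = parse_impact(c.questionnaire_type.replace("NIST", ""))
        if assigned < c.security_category():
            problems.append((c.name, c.questionnaire_type, c.expected_questionnaire()))
    return problems


# Constructed sample RAU: the slide's Compensation Management component plus
# two made-up components that exercise the Moderate and High branches.
SAMPLE_COMPONENTS = [
    Component("Compensation Management", "Application",
              Impact.LOW, Impact.LOW, Impact.LOW, "NIST Low"),
    Component("Payroll Interface", "Application",
              Impact.MODERATE, Impact.HIGH, Impact.LOW, "NIST Low"),
    Component("Agency Data Center", "Location",
              Impact.LOW, Impact.MODERATE, Impact.MODERATE, "NIST Moderate"),
]

if __name__ == "__main__":
    for c in SAMPLE_COMPONENTS:
        print(f"{c.name:25} {c.security_category().name:9} -> {c.expected_questionnaire()}")
    for name, assigned, expected in questionnaire_mismatches(SAMPLE_COMPONENTS):
        print(f"MISMATCH: {name} assigned {assigned}, category requires {expected}")
```

Running the block lists each component's category and reports the constructed "Payroll Interface" component, whose High integrity impact makes a "NIST Low" questionnaire too weak.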

  27. Generate the Questionnaire

  28. Launch the Assessment

  29. Demonstration

  30. Exercise #1
     • Log into the system with your account RACxx.
     • Create a new Risk Assessable Unit.
     • Add Network for your organization. Select NIST Low as your questionnaire type. Save the record.
     • Add a new questionnaire for your Network.
     • Add an Assessor and ISO as Reviewer and ISO.
     • Save and close the Assessment.
     • Click Apply at the top of the RAU.
     • Go back into the Network Questionnaire.
     • Make sure you are assigned as the RAC.
     • Edit the Questionnaire.
     • Launch the assessment from the Questionnaire screen.
     • Save and close the Questionnaire.
     • Select “Assessments Launched” under Risk Assessment Coordinator Status and Save the RAU.

  31. Complete the Questionnaire

  32. Completed all Questionnaires The Assessor receives an email when the questionnaire is launched.

  33. Completing the Questionnaire Responses defined:

  34. Completing the Questionnaire

  35. Submit for Review

  36. Reviewing the Questionnaire

  37. Reviewing the Questionnaire

  38. Reviewing the Questionnaire

  39. Reviewing the Questionnaire

  40. Demonstration

  41. Exercise #2
     • Log off and log on as AssessorXX.
     • Access the RAU by accessing current RAU records.
     • Access the Network Questionnaire.
     • Click Edit and answer the questions on the Questionnaire. Answer every question as “Implemented” except for two or three, where you should answer “Not Implemented”.
     • Click “Save and Continue”.
     • Make sure the Progress % = 100%.
     • Click “Submit for Review” and save and close.
     • Log off and log on as ISOxx.
     • Access the RAU by accessing current RAU records.
     • Access the Network Questionnaire.
     • Approve the questionnaire as both the Reviewer and Security Office.

  42. Findings are Generated

  43. Findings are Generated

  44. Findings are Generated

  45. Reviewing Findings

  46. Completed all Questionnaires The Risk Assessment Coordinator receives an email when all questionnaires for an RAU are complete.

  47. Completing the RAU

  48. Completing the RAU The Risk Assessment Coordinator generates workflow to the ISO when they select “Submit for Approval”.

  49. Approving the Risk Assessment

  50. Approving the Risk Assessment The ISO can reject, approve, or approve and submit to the organization head if residual risk is high.
