a practical approach to risk management that delivers results (287495537)

A Practical Approach to Risk Management That Delivers Results
Bill Arnold, Information Security Analyst @ The University of Tampa
Dr. Lawrence Dobranski, Director, ICT Security, Access & Compliance @ University of Saskatchewan

Upload: educause

Post on 16-Jul-2016


DESCRIPTION

Join us for an interactive discussion about the application of practical risk management strategies that assist with identifying IT and security risks impacting your institution. Learn about the use of performance analysis tools to capture leadership attitudes toward risks and how to deliver results that enable appropriate business risk decisions.

Outcomes:
* Learn how to balance the strategic alignment of information security risks with IT and institutional goals and objectives
* Develop an effective approach to risk management that includes strategies to manage and mitigate risks and improve data security
* Learn how to compute risk from likelihood and impact and present risk using quadrature graphs

http://www.educause.edu/annual-conference/2015/practical-approach-risk-management-delivers-results

TRANSCRIPT

Page 1: A Practical Approach to Risk Management That Delivers Results (287495537)

A Practical Approach to Risk Management That Delivers Results

Bill Arnold, Information Security Analyst @ The University of Tampa
Dr. Lawrence Dobranski, Director, ICT Security, Access & Compliance @ University of Saskatchewan

Page 2

Overview

1. Information Security Assessments with campus departments
2. Collaboration with Campus Departments to Reduce Risks
3. Enabling Appropriate Business Risk Decisions
4. Using Importance-Performance Analysis Tools

Page 3

The University of Tampa

● Independent University in Tampa, Florida
● 8000+ students enrolled, Liberal Arts tradition
● Students from 50 states and 140 countries
● 65% of full-time students live in campus housing
● 1200 staff; hundreds of contractors and student part-time workers; 900 faculty; 4 colleges (Arts & Letters, Business & Technology, Natural & Health Sciences, Social Sciences, Mathematics & Education)
● $235 million annual revenues
● $850 million annual economic impact

Page 4

Office of Information Security @ UTampa

● Information Security Program formalized 3 yrs ago
● CISO reports to UT President
● Chief among initiatives: building a culture of risk management, security awareness, and data protection
● Also co-manage academic cybersecurity Lab Infrastructure
● ISO/IEC 27001:2013 Certified in July 2015

Page 5

© 2015. All Rights Reserved. Information and Communications Technology • www.usask.ca/ict

Page 6

uSask's ICT Security, Access & Compliance

● Program formalized June 1st, 2012
● Three main responsibilities:
  ○
  ○
  ○
● Risk-based program

Page 7

Cybersecurity Challenges

Page 8

When the CIO is the Last to Know

Page 9

Identifying Barriers to Progress

Risk Management can focus the right attention on:

● Lack of executive support in objective examinations of information security risks/treatment options
● Inadequate investment in the information security program/strategy
● Ineffective information security leadership
● Information security 'unaware' community
● Information security gaps regarding third-party service providers

Page 10

Risk Management Challenges

How do you find out what you don’t know?

Page 11

Practical Approach to Risk Management

● The answers are at your fingertips--all you have to do is ask the right questions to the right people
● Don't worry (yet) about adopting every aspect of a rigorous standard approach like NIST
● Focus in on the information lifecycle
● Insights will come quickly
● Pieces of the puzzle will fall into place
● Begin.

Page 12

HEISC Information Security Guide

www.educause.edu/security/guide

Page 13

Engaging With Campus Departments

● Advance planning and effective communication are key critical success factors
● Decide how you will engage--either in person or through focused surveys
● Keep the process simple
● Focus on business processes and impacts to information

Page 14

How We Got Executive Level 'Buy In' First

● Developed a risk assessment strategy document; the CISO presented it to the President and senior executives seeking approval & support
● Executives discussed it with their department heads before we began, so everyone would know what to expect when we visited campus departments

Page 15

Performing the Business Process Assessment

● Developed a spreadsheet that included each major area on campus, each major business process and the process 'owner'
● Process owner ranked each of their processes on a scale of 1 to 5 in 3 areas: degree of sensitivity of the data; impact of loss of integrity; and impact of loss of availability
● Averaged the 3 scores for each process to arrive at a risk score for the process
● Averaged in other key information (vulnerability ranking, threat impact score)

Page 16

Qualitative Risk Assessment

● Discussed the information handling lifecycle involved with each process:
  ○ Access
  ○ Process
  ○ Transmit
  ○ Share
  ○ Store (paper and electronic)
  ○ Compliance requirements associated with the type of information
● Found out whether IT provided the service or a third-party provider
● Through discussing the above, examining the supporting infrastructure vulnerability and threat scores, and comparing with standards (NIST and ISO 27002), various 'risks' emerged.
● If the overall process score was a '5' and confidential information was involved, that raised the priority of a particular risk, and it was noted in the risk assessment report that was presented to executives

Page 17

Data Protection Initiatives

● Data Discovery--where does confidential data reside?
● Opening the Doors to Positive Change in Campus Departments
● Re-engineering information handling processes
● Getting everyone to participate--everyone!
● Security Awareness Education is also key
● Once they trust you, they will come...bringing information about risks right to your doorstep!

Page 18

Rinse, Wash and Repeat

Page 19

Collaborating to Reduce Risks

Work Together to Improve Information Handling Lifecycle Practices and build information security

➢ Awareness
➢ Behavior
➢ Culture

Page 20

Delivering Results that Enable Appropriate Business Risk Decisions

Page 21

How to Present Risk to Senior Administration?

● Best when Senior Administration understand and accept the Cyber Risk
● Must be in a familiar format
● They cannot afford to focus on understanding the display
● Need to focus on the risk information
● Most graphical representations -> people stop listening and start trying to understand the graphic

Page 22

Challenge @ uSask

Diverse population:

● 1200 faculty: agriculture, law, medicine, health sciences, engineering, arts & science, vet med…
● 182 senior administration (director and above), diverse background, reporting to 4 VPs
● they need to make the business risk decision
● not just admin, but teaching, learning, and research

Page 23

Page 24

Then along came Compliance

● Universities are businesses
● Requirements
  ○ Granting agencies
● Examples:
  ○ PCI DSS
  ○ Privacy Legislation
  ○ HIPAA

Page 25

Threat and Risk Assessment / Privacy Impact Assessment

● ID Assets
● Regulatory, Legislative, Contractual Requirements
● Consequence of compromise
● Determine threats
● Rate each threat in terms of likelihood and impact to get risk
● Risk ranking

Page 26

Using Importance-Performance Analysis Tools

How to get threat input from university leaders and present risk to them accurately without a lot of training…

...needs to be applicable in administration, teaching & learning, and research!

Page 27

Importance-Performance Analysis

Page 28

Likelihood scale
1  Extremely unlikely
2  Unlikely
3  Neutral
4  Likely
5  Extremely likely

Impact scale
1  No consequence
2  Minor consequence
3  Moderate consequence
4  Major consequence
5  Critical consequence

Page 29

Page 30

Page 31

Number  Attribute description                                                                                          Risk  Rank
1       Owner of the device controls the context of use, not the organization.                                         15.9  5
2       Loss of policy enforcement points.                                                                             14.3  9
3       Device handling personal and work data simultaneously.                                                         15.7  6
4       Device will be used to access networks which the organization cannot control access.                           16.1  4
5       Security perimeter now at data level.                                                                          15.2  7
6       Verification of the implementation of security controls may not be possible.                                   13.0  14
7       A copy of data of interest to the organization may only exist on the device and not within the organizational network.  12.6  15
8       Security policy on device is not in the control of the organization.                                           13.1  13
9       Lack of clear boundaries/areas of trust.                                                                       13.2  12
10      Organization administrators not controlling the configuration of the device connecting to the organization's network.  13.9  10
11      Cannot completely wipe the device because it contains personal data that may or may not be backed up.          13.5  11
12      Data on the device may not be encrypted.                                                                       17.5  2
13      Device may not have a password or a password of appropriate strength.                                          14.5  8
14      Lack of user understanding that the use of personal mobile device can expose organization to significant risks.  17.5  3
15      Lack of user understanding of where the device is used affects the risk to the organization's assets.          17.8  1
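The deck describes its scoring in three places: page 15 (each business process rated 1 to 5 on data sensitivity, impact of loss of integrity and impact of loss of availability, then averaged), pages 25 and 28 (each threat rated for likelihood and impact on the 1 to 5 scales to get a risk, then ranked) and page 31 (the BYOD attribute table with a risk score and rank per attribute). The following Python is an added example written for this page, not code from the presenters or their institutions. It assumes, since the slides only show the resulting scores, that one respondent's risk for a threat is likelihood multiplied by impact and that an attribute's score is the mean of that product across respondents; the quadrant cut-off of 3 (the scale midpoint) and the respondent ratings in `main` are likewise constructed for illustration. It also recomputes the page 31 ranks from the page 31 scores, which confirms that ties (attributes 12 and 14, both 17.5) are broken by table order.

```python
"""Risk scoring and ranking helpers for a lightweight risk assessment.

Assumption (not stated on the slides): a respondent's risk for one threat is
likelihood x impact, and an attribute's risk score is the mean of that product
over all respondents. Everything else follows the deck's described steps.
"""
from statistics import mean

# Page 28 scales.
LIKELIHOOD = {1: "Extremely unlikely", 2: "Unlikely", 3: "Neutral",
              4: "Likely", 5: "Extremely likely"}
IMPACT = {1: "No consequence", 2: "Minor consequence", 3: "Moderate consequence",
          4: "Major consequence", 5: "Critical consequence"}


def process_risk_score(sensitivity, integrity_impact, availability_impact):
    """Page 15: average the three 1-5 ratings for one business process."""
    ratings = (sensitivity, integrity_impact, availability_impact)
    for r in ratings:
        if not 1 <= r <= 5:
            raise ValueError(f"rating {r} is outside the 1-5 scale")
    return round(mean(ratings), 2)


def threat_risk(likelihood, impact):
    """One respondent's risk for one threat (assumed: likelihood x impact)."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return likelihood * impact


def attribute_risk_score(ratings):
    """Mean of likelihood x impact over respondents' (likelihood, impact) pairs."""
    return round(mean(threat_risk(l, i) for l, i in ratings), 1)


def rank_risks(register):
    """Rank {number: score} by descending score; ties keep table (number) order."""
    ordered = sorted(register, key=lambda n: (-register[n], n))
    return {n: rank for rank, n in enumerate(ordered, start=1)}


def ipa_quadrant(likelihood, impact, threshold=3.0):
    """Place a risk in one of four quadrants of a likelihood/impact chart.
    The cut-off of 3 is the scale midpoint (an assumption; the deck does
    not state the cut-off it used on its quadrant graphs)."""
    high_l, high_i = likelihood >= threshold, impact >= threshold
    if high_l and high_i:
        return "treat first: likely and damaging"
    if high_i:
        return "watch: unlikely but damaging"
    if high_l:
        return "contain: likely but low impact"
    return "accept/monitor: unlikely and low impact"


# Page 31 of the deck: BYOD attribute number -> (risk score, rank on the slide).
BYOD_ATTRIBUTES = {
    1: (15.9, 5), 2: (14.3, 9), 3: (15.7, 6), 4: (16.1, 4), 5: (15.2, 7),
    6: (13.0, 14), 7: (12.6, 15), 8: (13.1, 13), 9: (13.2, 12), 10: (13.9, 10),
    11: (13.5, 11), 12: (17.5, 2), 13: (14.5, 8), 14: (17.5, 3), 15: (17.8, 1),
}


def check_slide_ranks():
    """Recompute ranks from the page 31 scores and compare with the slide."""
    scores = {n: s for n, (s, _) in BYOD_ATTRIBUTES.items()}
    computed = rank_risks(scores)
    return all(computed[n] == r for n, (_, r) in BYOD_ATTRIBUTES.items())


if __name__ == "__main__":
    # Constructed sample: four leaders rate attribute 12 (data on the device
    # may not be encrypted). The pairs are made up for illustration.
    sample = [(4, 5), (3, 5), (4, 4), (3, 5)]
    print("sample attribute score:", attribute_risk_score(sample))   # 16.5
    print("quadrant:", ipa_quadrant(mean(l for l, _ in sample),
                                    mean(i for _, i in sample)))
    print("constructed process (5, 4, 3) score:", process_risk_score(5, 4, 3))  # 4.0
    print("page 31 ranks reproduced:", check_slide_ranks())           # True
```

`rank_risks` sorts on the negated score and then the attribute number, so two attributes with equal scores keep their table order instead of sharing a rank; that is the behaviour the page 31 table shows, and it keeps the ranking deterministic when the register is rebuilt each year.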

Page 32

Page 33

Page 34

Page 35

Our Contact Information

Bill Arnold, CISSP
Information Security Analyst
Office of Information Security
The University of Tampa
[email protected]

Lawrence Dobranski, DSc, MBA, MSc (Eng), P.Eng.
Director, ICT Security, Access & Compliance
Professional Affiliate, Department of Computer Science
University of Saskatchewan
[email protected]

Page 36

Questions?

Slides were uploaded to EDUCAUSE Conference Site--see session on agenda

Thank You and See You Around the Conference!

Page 37

© 2015 Tammy L. Clark and Dr Lawrence Dobranski. This presentation leaves copyright of the content to the presenters. Unless otherwise noted in the materials, uploaded content carries the Creative Commons Attribution-NonCommercial-ShareAlike license, which grants usage to the general public with the stipulated criteria. Users of this content should credit presenters and are not authorized to distribute this work for commercial purposes.