Risk Assessment 101 Kelley Bradder VP and CIO Simpson College

Post on 22-Dec-2015

219 views

Category:

Documents


3 download

TRANSCRIPT

Risk Assessment 101

Kelley Bradder

VP and CIO

Simpson College

Agenda

• Environment

• Why – Federal Act GLBA

• Risk Assessment Tool

• Results

• Pros and Cons

• Recommendations

Simpson College

• Small private liberal arts college

• 2000 students

• 2 satellite campuses

• Residential campus

• 12 miles south of Des Moines, IA

Culture

Simpson’s core values

Community

Quality

Respect

Environment

• Federal Regulations

GLBA, HIPAA, FERPA

• Increasing number of identity theft incidents

• Increasing number of security incidents reported by colleges and universities

Environment

• Serve a wide variety of “consumers”

• Promote learning and information sharing

• Historically open architecture

• Infusion of mobile computing (combination of laptops and wireless)

• Powerful set of productivity tools

The Reason

Gramm-Leach-Bliley Act

Financial Services Modernization Act of 1999 – provides consumer safeguards

Compliance by May 23, 2003

How?

• IT security improvements and security audit

• How do we perform a risk assessment for physically safeguarding data?

• Searched for a company that would help us

• Researched risk assessment

IT Security Program

• James Perry and Mark Newman – University of Tennessee – Lessons Learned in the Establishment of a Vulnerability Assessment Program

• Cedric Bennett and Richard Jacik – Educause – The Zen of Risk Assessment

IT Security Program

• Used tools found through Educause

• Addressed vulnerabilities found

• IT security audit with an outside consulting firm

• Don’t forget physical facilities/storage of data and all equipment

Step One

Identify the risk

Protected Data

• Identified top 5 data elements that needed to be protected by everyone

• Finance person answered differently than our academic person

• If the process was too long, we would lack participation

Protected Data

• Settled on SSN, ID, DOB, home address and home phone

• Asked questions about processing this data

• Knew that we would have to develop at least 2 other surveys to address financial and academic areas

Step Two

Collect the Information

Survey

Goals

• Raise awareness and educate

• Perform risk assessment for the physical safeguarding portion of the GLBA provision

Survey

Separated into 6 different areas:

• Sensitive Data

• Physical Safeguarding

• Passwords

• Off campus use

• Work study access

• Best practices

Physical Safeguarding

• Physical location and storage of sensitive data

• Paper files, reports and forms

• Screen location

• Shredding

Passwords

• Changing passwords

• Applications

• Are they written down?

• Does anyone else know them?

Off Campus Use

• Laptop use

• Wireless use

• Internet use

• Electronic storage of files with sensitive data on non-college owned computers

• Off campus email use

Work Study Access

• Access to electronically stored sensitive data

• Access to sensitive data on paper files, forms or reports

• Confidentiality statements

Best Practices

• Asked for good practices

• Went fishing for bad practices

Step Three

Analyze the information and act on the results

Results

• Vulnerabilities

• Risk assessment reports

• Broad changes

• Policy development and best practices

• Interaction with outside entities

Vulnerabilities

• Identified 5 areas of vulnerability

– Physical location of computer screens

– Physical handling of paper files

– Storage of paper files

– Storage of materials before shredding

– Participation in campus wide shredding program

Risk Assessment Reports

Each Division/Department asked to file a risk assessment report on each vulnerability

– Report improvements made

– Report any outstanding risks

– Identify resources needed to mitigate risk

– Assign risk rating (critical, high, medium, low)

Broad changes

• Examination of all uses of SSN

• Goal of removing SSN from processing unless federally mandated

• 2 more surveys planned targeting financial information and academic records information

Broad changes

• Powerful, productive conversations about protecting sensitive data

• Removal of SSN from all screens

• Masking of DOB

• Removal of SSN from transcripts

• Culture change – employees are aware of potential security risks

Policies and best practices

• No sensitive information stored on non-college owned machines

• Sensitive information needs to be encrypted whenever possible

• What information can be sent over email

• Web posting

• Identifying students over the phone

Outside Entities

In the last 9 months, Simpson has refused to allow non-encrypted sensitive data to be transferred by email or CD by three different entities:

– Lending organization

– Collection company

– Predictive modeling company

Step Four

Communicate the results

Pros

• Manageable

• Quick start

• Provides metrics to measure improvements

• Builds security awareness

• Low cost

Cons

• Not comprehensive

• High priority vulnerabilities may not be first to be discovered

Recommendations

• Establish a team

• Identify your greatest risk

• Collect information

• Keep the scope narrow

• Keep the survey short

• Communicate

Questions?


Copyright

Copyright Kelley L. Bradder, 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.