BAKER TILLY AND ACUA WEBINAR
How to perform a National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) Assessment in Seven Easy Steps
November 18, 2021
The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Tax information, if any, contained in this communication was not intended or written to be used by any person for the purpose of avoiding penalties, nor should such information be construed as an opinion upon which any person may rely. The intended recipients of this communication and any attachments are not subject to any limitation on the disclosure of the tax treatment or tax structure of any transaction or matter that is the subject of this communication and any attachments. Baker Tilly Virchow Krause, LLP trading as Baker Tilly is a member of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. © 2021 Baker Tilly US, LLP
SPONSORED BY:
ACUA Virtual Learning Director
Lisa Gendusa, CIA, CFE
Internal Auditor
Texas State University System
▪ Don’t forget to connect with us on social media!
ACUA Virtual Learning Volunteer
Jeremy Lynch, CIA
Sr. Internal Auditor
University of Missouri System
INTRODUCTION: Meet the presenters
Jimmy Edmundson, Manager, Baker Tilly, [email protected]
Rosa Lara, Chief Information Officer, Pennsylvania State System of Higher Education
Meghan Senseney, Manager, Baker Tilly, [email protected]
INTRODUCTION: Agenda
– Introductions
– Webinar objectives
– Pennsylvania’s State System of Higher Education background
– NIST CSF background
– Seven easy steps
BACKGROUND: Webinar objectives
In this webinar, participants will learn:
1. Specialized information technology (IT) and cybersecurity risks prevalent in higher education
2. How to execute a NIST CSF assessment
3. Tips for articulating the value of these assessments to their campus colleagues
PA State System Background
Pennsylvania State System of Higher Education
– State agency of the Commonwealth of Pennsylvania that oversees 14 state-owned colleges and universities
– Largest provider of higher education in the Commonwealth of Pennsylvania
– 43rd largest university system in the world
POLLING QUESTION #1: How familiar are you with NIST CSF?
A. Very familiar
B. Somewhat familiar
C. I have heard of it before in passing
D. I have never heard of NIST CSF before
Common higher education IT/cybersecurity risks
IT risk areas and their definitions:
– Information Security and Privacy: The policies, practices, and tools implemented on the University’s systems and data to maintain confidentiality of information, specifically sensitive data about students, faculty, staff, donors, alumni, and research activities.
– Data Management: The processes and software implemented to manage, analyze, and report on data used to operate and manage the University, as well as to report to external entities.
– IT Governance: The processes and structure for planning, implementing, communicating, and monitoring IT strategy to meet the University’s mission and goals.
– People Resources: The personnel resources, both employed and contracted, that provide IT services to various constituencies within and outside of the University.
– Enterprise Applications: The process of implementing new, upgrading existing, and maintaining enterprise applications.
– Funding: The monetary resources allocated to acquire, maintain, and retain the people and technology resources required to operate and manage University systems.
– Device Management: The policies, practices, and tools implemented to manage, track, and secure University-owned and personally owned laptops, desktops, phones, and tablets that collect, process, or store University data.
– Project Management: The processes and tools implemented for planning, managing, and reporting on IT projects to ensure a successful outcome.
– Academic Computing: The practices and tools implemented to support academic computing.
– Identity and Access Management: The processes in place to facilitate access to University resources. The identity is created through business processes, policies, data governance, and supporting technologies.
– IT Systems Administration: The policies, practices, and tools implemented to plan, implement, operate, change, and monitor University networks, applications, databases, and servers.
– System Availability: The policies, practices, and tools implemented for maintaining the availability of systems during or after impactful events.
– Application Development: The processes and tools used to acquire, build, test, and maintain software applications.
– Research Computing: The practices and tools implemented to support research computing.
– Physical and Environmental Controls: The policies, practices, and tools used to maintain the security of, and environmental protections for, physical spaces containing computing resources (e.g., data center facilities).
NIST CSF introduction
NIST Cybersecurity Framework (CSF)
POLLING QUESTION #2: Has a cybersecurity assessment ever been performed at your institution?
A. Yes
B. No
C. I don’t know
Seven easy steps of NIST CSF assessment
SEVEN EASY STEPS OF NIST CSF ASSESSMENT: Overview of the steps
1. Planning
2. Survey
3. Working sessions
4. Assessing cybersecurity risks
5. Assessing NIST CSF maturity
6. Validation with stakeholders
7. Reporting
Step 1: Planning
The goal of planning activities is to establish a road map and direction for performing the assessment.
Planning activities to be conducted at the start of the assessment include:
– Conducting a project kick-off meeting with key stakeholders to validate the scope and approach and determine the end deliverable format
– Establishing dates and protocols for each major milestone of the assessment (e.g., the survey, working sessions, reporting)
– Identifying key personnel to participate in the assessment
NIST CSF functions and their categories (the structure the assessment follows):
– Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management
– Protect: Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
– Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
– Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
– Recover: Recovery Planning; Improvements; Communications
Step 2: Survey
Purpose: Gather background information prior to the initial discussion interviews to help you prepare for and conduct the interviews effectively.
– Surveys should be a maximum of ~40 questions and include dynamic/open-ended follow-up questions
– Surveys should be provided with a hard due date/deadline for completion
– Institutions should spend no more than a few hours completing the survey
– If the entity does not know how to respond, offer options to select such as “I don’t know” or “Unsure”
Step 3: Working sessions
The purpose of working sessions is to validate and expand upon the initial survey results. The number of working sessions and the length of each will be determined by the institution itself.
Topics to be covered in each working session:
– Introductions and a recap of the assessment background and objectives
– Validation and expansion upon the provided survey results
– NIST CSF structured discussion
Example structured discussion questions for Function 2 (Protect), by risk category:
Access Control
– How are credentials managed for authorized devices and users?
– How is physical access to assets managed?
– How is remote access to assets managed?
– How are access permissions managed to minimize privileges and separate duties?
– How is network integrity maintained, including segmentation?
Awareness and Training
– How are users informed of and trained on their information security roles and responsibilities, including privileged users, third parties, and leadership?
– How well do security professionals understand their roles and responsibilities?
Data Security
– How is data protected "at rest" on systems, "in transit" when transferred, and during disposition?
– How is adequate capacity maintained to ensure availability?
– How are data loss prevention protections employed?
– How are integrity checking mechanisms used?
– How are development, testing, and production environments segmented?
Information Protection Processes and Procedures
– How is the baseline configuration for systems created and maintained?
– How are information security practices incorporated into human resources processes (such as recruiting, hiring, on-boarding, evaluation, and off-boarding)?
– How was the vulnerability management plan developed and implemented?
– What systems development lifecycle method is implemented?
– What configuration change control processes are implemented?
– How are backups of information conducted, maintained, and tested?
– What are the requirements for the physical environment of systems?
– How is data destroyed, and does this follow policy?
– How are protection processes continuously improved?
– How is the effectiveness of protection technologies communicated to leadership?
– How are incident and disaster recovery plans created, managed, and tested, and how are you involved in response activities?
POLLING QUESTION #3: What areas of performing a NIST CSF maturity assessment at your institution present the most challenges?
A. Lack of understanding from board/audit committee
B. Lack of IT/cybersecurity knowledge in internal audit
C. Push back from IT/information security
D. Other/I don’t know
Step 4: Assessing cybersecurity risks
– Analyze and review survey results
– Analyze cybersecurity processes and synthesize IT risks noted via working sessions
– Determine the potential likelihood and impact of the IT risks based on the survey and working sessions
– Document an inventory of IT risks prioritized by likelihood and impact
Step 5: Assessing NIST CSF maturity
Based on the results of the surveys and working sessions, determine the maturity of the NIST CSF categories and overall functions based on the CMMI maturity ratings below, recording for each:
– Current state maturity level
– Recommended or desired maturity level
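How the Step 4 risk inventory and the Step 5 maturity roll-up can be computed from working-session ratings, as an added example (not code from the webinar or from Baker Tilly): the category-level ratings, the 0-5 scale, the target level of 3, the sample risks and the heat-map thresholds are all constructed assumptions, and the maturity scale here stands in for the CMMI ratings the presenters used.

```python
"""Added example: turn working-session ratings into the Step 4 prioritized risk
inventory and the Step 5 maturity roll-up by NIST CSF function."""
from collections import defaultdict
from statistics import mean

# Constructed sample: one current-state rating per NIST CSF category.
# The 0-5 scale and the target level are assumptions, not the webinar's CMMI table.
CATEGORY_RATINGS = {
    ("Identify", "Asset Management"): 2,
    ("Identify", "Risk Assessment"): 1,
    ("Protect", "Identity Management and Access Control"): 3,
    ("Protect", "Data Security"): 2,
    ("Detect", "Security Continuous Monitoring"): 1,
    ("Respond", "Response Planning"): 2,
    ("Recover", "Recovery Planning"): 1,
}
DESIRED_LEVEL = 3

# Constructed sample risk inventory: (risk, likelihood 1-5, impact 1-5)
RISKS = [
    ("Unpatched research servers", 4, 4),
    ("No MFA on remote access", 3, 5),
    ("Backups never restore-tested", 2, 5),
    ("Shared administrator credentials", 3, 3),
]


def function_maturity(ratings):
    """Step 5: average the category ratings for each CSF function."""
    by_function = defaultdict(list)
    for (function, _category), level in ratings.items():
        by_function[function].append(level)
    return {f: round(mean(levels), 1) for f, levels in by_function.items()}


def maturity_gaps(ratings, desired):
    """Categories below the desired level, largest gap first (then by function name)."""
    gaps = [(desired - lvl, f, c) for (f, c), lvl in ratings.items() if lvl < desired]
    return sorted(gaps, reverse=True)


def prioritized_risks(risks):
    """Step 4: rank by likelihood x impact; ties broken by impact (worst outcome first)."""
    return sorted(risks, key=lambda r: (r[1] * r[2], r[2]), reverse=True)


def heat_map_band(likelihood, impact):
    """Step 7 heat-map band for one risk; the thresholds are an assumption."""
    score = likelihood * impact
    return "high" if score >= 15 else "medium" if score >= 8 else "low"
```

The gap list is what feeds the "current state versus desired" comparison, and the banded scores are what a Step 7 heat map plots.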
POLLING QUESTION #4: Do you believe your institution would benefit from a NIST CSF maturity assessment?
A. Yes
B. No
C. I’m not sure
Step 6: Validation with stakeholders
A meeting with key stakeholders should be held that includes the following discussion areas:
– Project status recap
– Initial draft results of the NIST CSF maturity assessment, including an assessment of cybersecurity risks (likelihood and impact)
– Address/vet any questions and additional follow-ups
Step 7: Reporting
After validation, the results of the assessment should be documented. Consider the following when reporting on the final results:
– Include a summary assessment with both the NIST CSF maturity ratings and the prioritized cybersecurity risk inventory
– Include a heat map of IT risks to identify and prioritize IT risks
– Offer recommendations that would help the institution advance its maturity further
– Point to advisable areas that would benefit from subsequent technical reviews or “deep dives” and audits
Tips for articulating the value of these assessments
Value of NIST CSF assessments
There are many reasons why a cybersecurity assessment is valuable for higher education institutions. Consider specifically articulating the following to campus stakeholders:
– Can help the institution prioritize cybersecurity risks and pinpoint where investments should be made
– In decentralized environments, assessments can help show where certain centralized services and/or processes can benefit the institution (or system)
– Provides leadership with a holistic picture of cybersecurity maturity they may have never seen before
– Helps internal audit and IT/information security determine where effort and resources should be spent
Questions?
THANK YOU! Connect with us
Jimmy [email protected]
Rosa [email protected]
Meghan [email protected]
ACUA Kick Starters: Use a Kick Starter to launch your next audit!
• Developed by ACUA members with subject matter expertise
• Focused on higher education specific topics
https://acua.org/Audit-Tools/ACUA-Kick-Starters
Do you have a great idea for an ACUA Kick Starter? Contact John Winn at [email protected].
New Kick Starter Available! Control of Hazardous Energy: Lock Out Tag Out
Download today in the members-only Audit Tools section of www.ACUA.org
Next Kick Starter Release is Dec. 15th! FERPA
Will be available in the members-only Audit Tools section of www.ACUA.org
ACUA Mentorship Program
• Mentorship is a proven method to help colleagues feel supported, drive workplace satisfaction, and foster member engagement in higher ed auditing.
• The program is no longer focused on only small audit shops! The program has been expanded to be more inclusive of all types of shops.
• The program is only a one-year commitment, but we encourage the mentorship to continue even after one year.
• Consider signing up! Watch for registration deadlines to be communicated via email. For more information, go to https://acua.org/Member-Resources/Mentorship-Program
Stay Updated
• The College and University Auditor is ACUA's official journal. Current and past issues are posted on the ACUA website.
• News relevant to Higher Ed internal audit is posted on the front page. Articles are also archived for your reference under Resources/ACUA News.
Connect with Colleagues
• Subscribe to one or more Forums on Connect ACUA to obtain feedback and share your insights on topics of concern to higher education internal auditors.
• Search the Membership Directory to connect with your peers.
• Share, Like, Tweet & Connect on social media.
Get Involved
• The latest Volunteer openings are posted on the front page of the website.
• Visit the listing of Committee Chairs to learn about the various areas where you might participate.
• Nominate one of your colleagues for an ACUA annual award.
• Submit a conference proposal.
• Present a webinar.
• Become a Mentor.
• Write an article for the C&U Auditor.
• Write a Kick Starter.
Solve Problems
• Discounts and special offers from ACUA's Strategic Partners
• Kick Starters
• Risk Dictionary
• Mentorship Program
• NCAA Guides
• Resource Library
• Internal Audit Awareness Tools
• Governmental Affairs Updates
• Survey Results
• Career Center ... and much more.
Get Educated
• Take advantage of the several FREE webinars held throughout the year.
• Attend one of our upcoming conferences:
Audit Interactive, March 27 – 30, 2022, Raleigh, NC
AuditCon, September 11 – 15, 2022, Las Vegas, NV
• Contact ACUA Faculty for training needs.
www.ACUA.org