Getting Ahead of an Incident Through Risk Assessment
13
Ahead of an Incident Through Risk Assessment Cheryl O’Dell, BIS, CISSP
description
Getting Ahead of an Incident Through Risk Assessment. Cheryl O’Dell, BIS, CISSP. Problem. New technologies being purchased and implemented onto the ESU network without TCS personnel engaged Wrong equipment getting purchased and unable to be implemented - PowerPoint PPT Presentation
Transcript of Getting Ahead of an Incident Through Risk Assessment
Getting Ahead of an Incident Through Risk Assessment
Getting Ahead of an Incident Through Risk AssessmentCheryl ODell, BIS, CISSP
ProblemNew technologies being purchased and implemented onto the ESU network without TCS personnel engagedWrong equipment getting purchased and unable to be implementedTCS engaged only when problems getting the technology to workDevices getting compromised devices unknown to exist on the ESU networkPolicies not being followed$$$$ wasted
Fact: TCS could get volume pricing with deep discounts IF we could get people to standardize their ordersFact: TCS could review the new technology BEFORE purchase to determine if it will work on the ESU network and if it would need further security controlsFact: ESU has one central location all purchase orders go through before purchaseFact: ESU had procurements being made via a State Procurement Card without any review PRIOR to purchase
Phase 1Prove our point: TCS User Support Services Team used the equipment request list supplied to them by the Provost Council spring of 2009 and gave back same or similar equipment list with deep discounts saving the university over $100,000 the first year JUST on desktop computer purchases
Point taken and implemented: Standardizing purchases and get quotes from TCS for POsLessons Learned from Phase 1BPC purchases still being made without any involvement from TCS or Controllers officeSometimes because the only way to purchase was onlineSometimes to circumvent the systemNot everyone would come to TCS for a quoteSometimes because they didnt think TCS would have a vendor (e.g., spectrometers) Sometimes because they didnt want TCS to be involvedDifferent times of the year USS spent a good deal of their day putting quotes togetherUSS worked with vendors to get volume quotes that would be valid for longer than 30 daysUsed TECHSITE to provide a resource page for departments to use to get purchasing information & quotes
Phase 2 a very painful phaseNew purchasing guidelinesAll technology related purchase orders will be routed through the AVP/CIO of TCS for approval PRIOR to purchaseAll technology BPC purchases will need prior approval from controllers and TCS offices
Some people were saying: What?!? Why does TCS have to APPROVE my technology purchases?!? They just want to CONTROL me. They dont like me so they wont let me purchase ANYTHING.What some TCS people were saying: What?!? Are you kidding? But they will be DIFFICULT to deal with! They wont listen to us or follow the rules. Theyll still just go out and buy it anyway!All the leaders of this initiative were saying: Here we go be ready this is going to get ugly!
Phase 2 continuedGround RulesIf purchasers engaged TCS prior to the PO (e.g., get quotes) purchases went smoothly and POs are quickly turned around/approvedIf TCS learned about the new technology solution with the notice of a PO it would take time depending on the solution, from a couple of hours to a couple of weeksQuotes, POs and Assessments are a high priority
Success.but why is it still painful?
Advantages and DisadvantagesAdvantage: $$$$ saved on purchasing technologies that will work on the ESU infrastructureAdvantage: Security controls can be defined prior to implementation and if there are additional hardware or software needing to be purchased, it will be known upfront at the start of a project.Disadvantage: Purchases come sometimes fast and furious at different times of the year, and turn around time for assessments can be literally hours not days. Disadvantage: Risk assessments have to occur annually so this year information security did 75 assessments, next year well have to re-assess those 75 and do assessments for all new technologies. Gulp.Lessons Learned from Phase 2Communication, communication, communicationUse a standard assessment and reporting mechanism so it can be a checklist and same format (more time spent on the assessment, less on making it look nice and professional)Have a backup to approve POs and do assessments and develop a system to track what has been approved and what is still being checked on.Need a good working relationship with fiscal departments TCS Public Relations be ready for long term commitment and keep PO reviews and assessments a high priority in IT
Assessment DetailsFirst attempt **Second attempt **Current **Sample Risk Management Framework **http://rmf.org/home.htmlhttp://rmf.org/images/stories/rmf_documents/draft-sp800-53a-rev1-fpd.pdf http://rmf.org/images/stories/rmf_documents/draft-sp-800-137-ipd.pdf
Sample Report **
**CONTACT [email protected] FOR A COPY OF THE FILES REFERENCED ON THIS SLIDE.Last slideSuccess StoriesQuestions?
Cheryl [email protected]
