Enterprise IT Risk Assessment Pages/IT Risk... · FLORIDA AUDITOR GENERAL – RISK MGT. FINDING Finding 4: Information Technology Risk Assessment For the 2017 calendar year, we requested

IT RISK ASSESSMENT SURVEY WORKSHOP

Brian RueDaniel LeggettISPO

INFORMATION TECHNOLOGY SERVICES

AGENDA1. IT Risk Management @FSU

2. Completing the IT Risk Management Survey

2


Risk Management –It’s in the Security Policy

Each University unit will conduct an annual risk analysis to evaluate the information security and privacy status of the unit.

3


FLORIDA AUDITOR GENERAL – RISK MGT. FINDING

Finding 4: Information Technology Risk Assessment

For the 2017 calendar year, we requested for examination University records supporting each University unit annual risk assessment and found that, contrary to University policies, 239 (88 percent) of the 273 units did not conduct the assessments.

4


DISTRIBUTED AT THE JANUARY FACULTY SENATE MEETING

5


JUST THE FACTS - THE IT RISK ASSESSMENT SURVEY

Your unit is not being scored by the results of your survey.

A “No” response is a path to a critical risk based decision with management. Does the cost of the control exceed the value of the information it will protect?

The IT Risk Assessment is not a audit.

You're never going to eliminate all the risks but they must still be managed.

6


The FSU IT Risk Assessment Survey is a tool used to coordinate a risk reduction strategy to

safeguard the Confidentiality, Integrity, and Availability

of unit IT resources.

7


FOUR METHODS USED TO MANAGE RISK

8


1) Avoidance – Withdraw plans or discontinue activity to circumvent the risk/problem.

2) Reduction/Mitigate – Enact control(s) to reduce the impact or likelihood of a successful execution of a threat to the confidentiality, integrity, or availability IT assets.

3) Retention/Acceptance – Continue to execute a business function with known control weakness. Assume higher risk a threat can result in an unauthorized event occurring.

4) Transfer / Share – Outsource risk (or a portion of the risk) to a third party that is obligated by an agreement to reduce risk.

9


PUBLIC SERVICE ANNOUNCEMENT-PARTIAL EXECUTION OF CONTROL RESPONSE

Check the partial response if you have part of a control in place. The form is hosted at: https://its.fsu.edu/ispo/support-resources


MANAGING INFORMATION TECHNOLOGY RISKS-YOU CANNOT ALWAYS “ACCEPT” RISK

You must understand how external factors may require you to answer “Yes” or a hybrid “Yes/No” to select control questions due to:

1) FSU Policy;

2) Best Practices;

3) Contractual Obligations;

4) Federal and State Law.

11


SETTING BOUNDARY RESPONSIBILITIES FOR ITS SERVICES

Computer Technology Support- CTSWorkstation ManagementSoftware ServicesHardware Support Services

Classroom SupportAudio/Visual Equipment

Desktop BackupDigital SignageEmail AccountsEnterprise SSLFile StorageFSU Campus Wi-FiFSUID Account ManagementITAPPInternet/Network Access (On and Off Campus)ITS Software LicensingMicrosoft Team

Linux SupportNetwork ServicesNWRDCOffice 365Patch ManagementRemote AssistanceResearch Computing CenterSharePoint OnlineSkypeTelephone ServicesVirtual Server HostingVulnerability Assessment

12


THE FSU IT RISK MANAGEMENT SURVEY

13


This survey was designed to take 2-3 hours to complete; however, the complexity of your infrastructure may extend the time needed to complete.

Do not abandon your efforts if you get stuck on a control question. ISPO can assist you in completing the survey.

Today’s workshop will give you the foundation for the completion of your survey..

14


SURVEYS DUE APRIL 24TH

15


2. COMPLETING THE SURVEY

16


1: INVENTORY AND CONTROL OF DATA SETS

Does the unit maintain an inventory of the data sets it stores, transmits, processes, or creates including classification of such data sets (Protected, Private, Public)?

17


WHAT IS A DATASET?

A data set is organized into some type of data structure. In a database, for example, a data set might contain a collection of business data (names, salaries, contact

information, sales figures, and so forth). The database itself can be considered a data set, as can bodies of

data within it related to a particular type of information, such as sales data for a particular university unit.

18


GOOD CANDIDATE FOR BRAINSTORMING/WHITE BOARDING ANSWERS WITH DATA OWNERS IN YOUR UNITBusiness Functions - Admissions

DatasetsStudent ApplicationsThe Common Data SetResidency FormsChange FormsThe Graduate SchoolCampus Safety

19


The Information Security and Privacy Office (ISPO) provides an Excel spreadsheet to perform this process if the unit does not already have this information recorded. The unit must understand the data sets it is responsible for safeguarding to ensure proper security and privacy controls are in place to protect these assets.

20


2: INVENTORY AND CONTROL OF HARDWARE ASSETS

Does the unit actively inventory and track FSU-owned hardware devices (PCs, laptops, tablets, phones, switches, routers, Internet of Things devices, and security appliances)?

You do not need to use this spreadsheet if you are already using a spreadsheet or tool to manage your IT inventory. Exclude BYOD accessing FSU resources.

21


3: INVENTORY AND CONTROL OF SOFTWARE ASSETS

Does the unit actively inventory and track unit software it is responsible for managing? Exclude enterprise applications unless your unit is responsible for managing one or more of these applications. Include 3rd party applications.

22


4: CONTINUOUS VULNERABILITY MANAGEMENT

Does the unit use Nexpose or another vulnerability scanning application to conduct periodic vulnerability scans of computing devices (operating systems and applications) to ensure critical vendor security patches are applied to devices in a timely manner?

23


4: CONTINUOUS VULNERABILITY MANAGEMENT

Avoidance (N/A) – Go back to analog paper and pencils.

Reduction/Mitigate (Yes) – Run a vulnerability scanner against computing and network devices.

Retention/Acceptance (No) – Do not run vulnerability scans on unit computing and network devices (Not recommended)

Transfer/Share (Yes) – Engage a 3rd party to run scans against your computing and network devices.

24


5: CONTROLLED USE OF ADMINISTRATIVE PRIVILEGES

Does the unit have processes and tools used to track and control the use, assignment, and configuration of administrative accounts with elevated privileges on computers, networks, and applications?

25


WHAT ARE PRIVILEGED ACCOUNTS?A privileged account is how administrators login in to servers, switches, firewalls, routers, database servers, shared drives, Internet of Things (IoT) devices, and the many applications they must manage.

Privileged accounts also applies to any user account with access to information classified as private or protected.

Don’t forget vendors providing support to unit applications or databases.

26


5: CONTROLLED USE OF ADMINISTRATIVE PRIVILEGES

Avoidance (N/A) – Go back to paper, pencils, and locked file cabinets.

Reduction/Mitigate (Yes) – Institute either formal manual procedures to review privileged accounts or purchase/run a Privileged Account Management (PAM) application

Retention/Acceptance (No) – Do not monitor privileged account activity (Not recommended)

Transfer/Share (Yes) – Hire a vendor to run a Privileged Account Management application with alerts sent to administrators upon the detection of anomalous user account activity.

27


6: SECURE CONFIGURATIONS FOR HARDWARE AND SOFTWARE ON MOBILE DEVICES, LAPTOPS, WORKSTATIONS, AND SERVERS

Does the unit have computing device hardening guidelines to configure mobile devices, laptops, servers, and workstations?

28


6: SECURE CONFIGURATIONS FOR HARDWARE AND SOFTWARE ON MOBILE DEVICES, LAPTOPS, WORKSTATIONS,

AND SERVERSAvoidance (N/A) – Go back to paper and pencils.

Reduction/Mitigate (Yes) – Adopt formal hardening guidelines for all computing/network devices supported by the unit.

Retention/Acceptance (No) – Deploy computing/network devices without formal hardening guidelines. (Not recommended)

Transfer/Share (Yes) – Outsource the management of unit computing and network devices to a third party and require the use of formal hardening guidelines in the service agreement.

29


7: MAINTENANCE, MONITORING AND ANALYSIS OF AUDIT LOGS

Does the unit collect, manage, and analyze audit logs of events

that could help detect, understand, or

recover from an attack?

30

INFORMATION TECHNOLOGY SERVICES 31


7: MAINTENANCE, MONITORING AND ANALYSIS OF AUDIT LOGS

Avoidance (N/A) – Stop using computing devices.

Reduction/Mitigate (Yes) – Maintain a unit supported/hosted log aggregation, monitoring, and alert program.

Retention/Acceptance (No) – Do not have any logging turned on or minimal logging with no review. (Not recommended)

Transfer/Share (Yes) – Outsource logging and alerting services to a vendor.

32


8: EMAIL AND WEB BROWSER PROTECTIONS

Does the unit have procedures in place

to ensure web browsers and email

clients are fully patched?

33


8: EMAIL AND WEB BROWSER PROTECTIONSAvoidance (N/A) – Delete all the Web browsers and email clients from user machines.

Reduction/Mitigate (Yes) – Maintain an active patch management program for all supported browser and email applications.

Retention/Acceptance (No) – Run browsers and email applications without a patch management solution. (Not recommended)

Transfer/Share (Yes) – Outsource patch management functions for browsers and email applications.

34


9: MALWARE DEFENSES

Does the unit install antimalware applications on computing devices to control the installation, spread, and execution of

malicious code at multiple points in the enterprise?

35


9: MALWARE DEFENSESAvoidance (N/A) – Use compensating controls to protect computing devices you do not have any malware applications on.

Reduction/Mitigate (Yes) – Unit supports an antimalware application on all devices capable of running a chosen security software. It also cannot be disabled by users.

Retention/Acceptance (No) – Unit runs computing devices without antimalware software. (Not recommended)

Transfer/Share (Yes) – Outsource support of antimalware on unit devices.

36


10: LIMITATION AND CONTROL OF NETWORK PORTS, PROTOCOLS, AND SERVICES

Does the unit manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize points of access to hackers/attackers?

37


10: LIMITATION AND CONTROL OF NETWORK PORTS, PROTOCOLS, AND SERVICES

Avoidance (N/A) – Disconnect all computing assets from a network.

Reduction/Mitigate (Yes) – Employ network and host based security controls on supported subnets to manage ports/protocols/services to limit access to only ports/protocols needed.Retention/Acceptance (No) – Do not deploy any security appliances on the network to protect unit assigned subnets. (Not recommended)

Transfer/Share (Yes) – Outsource support of security services on the CORE network or use a vendor supported security appliance.

38


11: DATA RECOVERY CAPABILITIES

Are processes and tools used to properly

back up critical information with a

tested procedure to meet the business

processes of the unit?


DR IN FSU POLICY

IT Infrastructure Security

5)Information technology resources identified as critical to the continuity of University operations shall have documented disaster recovery plans providing for quick resumption of critical functions and the eventual return to normalcy for IT operations.

6)Through the use of backup, replication, high availability, or other technology, data and software essential to the continued operation of critical University functions must be recoverable.

DR training session April 9th



Avoidance (N/A) – Discontinue all non-enterprise related computing activities or determine you do not have any local critical apps or datasets.

Reduction/Mitigate (Yes) – Support a formal DR program meeting policy requirements for local critical applications and datasets.



Retention/Acceptance (No) – You have local critical IT functions/applications but do have made a decision not to have a DR program in place.

Transfer/Share (Yes) – Outsource select applications backup operations. Understand the unit still needs a local plan to support outsourced backup requirements.


12: SECURE CONFIGURATION FOR NETWORK DEVICES, SUCH AS FIREWALLS, ROUTERS AND

SWITCHES

Does the unit establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a configuration management and change control process?


12: SECURE CONFIGURATION FOR NETWORK DEVICES, SUCH AS FIREWALLS, ROUTERS AND SWITCHES



Avoidance (N/A) – Discontinue all computing activities.

Reduction/Mitigate (Yes) – The unit has a formal and functional plan to manage changes to the security configurations of unit controlled network devices.



Retention/Acceptance (No) – Continue to handle local network devices without a formal configuration management program. (Not recommended)

Transfer/Share (Yes) – Outsource configuration management of network devices to a 3rd party.


13: BOUNDARY DEFENSEDoes the unit: 1) Use automated tools such as an Intrusion Prevention System (IPS)

to block the unauthorized flow of information between the unit's internal network and known malicious IP addresses;

2) Internally support or have contracted with a vendor to provide a Security Information Event Management (SIEM) security appliance/service to monitor unit network communications for anomalous activity; and

3) Require two-factor authentication for all remote access (non-FSU network) to unit internal systems hosting protected information?


13: BOUNDARY DEFENSE1>Host and Network Based Intrusion Prevention Systems 2>Security Information and Event Management

3>Multi-Factor Authentication

Network Based

Host Based


13: BOUNDARY DEFENSE

Avoidance (N/A) – Go back to pencils, paper, and locking file cabinets.

Reduction/Mitigate (Yes) – The unit maintains 1) IPS, 2) SIEM, 3) Two-Factor Authentication for remote access.


13: BOUNDARY DEFENSE

Retention/Acceptance (No) – The unit does not maintain an 1) IPS, 2) SIEM, 3) Two-factor authentication for remote access to unit IT assets. (Not recommended)

Transfer/Share (Yes) – The unit has outsourced 1) IPS 2) SIEM, and 3) Two-Factor Authentication services.


14: DATA PROTECTIONHas the unit:

1) Deployed hard drive or file encryption to identified systems holding protected data including mobile storage devices; 2) Implemented network or host-based Data Loss Prevention (DLP) solutions; and 3) Utilized a data discovery tool to scan servers, mapped drives, and user devices for protected information?


14: DATA PROTECTIONFile and Whole Drive Encryption

Data Loss Prevention Host/Network Based

Data Discovery Tools to Find PII


14: DATA PROTECTION

Avoidance (N/A) – Discontinue all computing activities. (Not likely)

Reduction/Mitigate (Yes) – Have 1) Employed disk or file encryption for info classified as “Protected” 2) Implemented either host or a network DLP solution 3) Use a data discovery tool to search computing devices for un-cataloged protected info.


14: DATA PROTECTION

Retention/Acceptance (No) – Not 1) Implement disk/file encryption 2) A DLP solution 3) Use a data discovery tool.

Transfer/Share (Yes) – Outsource support for 1) disk/file encryption 2) DLP solution 3) Data discovery activities.


15: CONTROLLED ACCESS BASED ON LEAST PRIVILEGE

Has the unit: 1) Restricted network access to protected information to allow only users who have a business need for accessing these systems; 2) Deployed "Certificates" to encrypt all communications of protected information over local network or Internet connections; 3) Deployed Virtual Local Area Networks (VLANs) to restrict access to unit network segments hosting protected information?



1>It’s in the Policy- Least Privilege User Management2>Deploy Server Certificates to Encrypt Transmission of Protected Information over Web

3>Deploy Multiple VLANS to Segregate




Reduction/Mitigate (Yes) – Unit 1) Reviews user account access to network resources 2) Deploys server certificates to any servers used to collect protected information 3) Reviewed their local VLAN configurations to determine if VLANS can be used to restrict general user access from server/critical asset (IoT, Research).



Transfer/Share (Yes) – Outsource your computing infrastructure but retain user account review responsibilities with appropriate contacted vendor terms.

Retention/Acceptance (No) – Unit does not 1) Review user access 2) Use server certificates for servers used to collect protected information 3) review local networks to see if VLANS can be used to protect critical resources from general computing use.


16: WIRELESS ACCESS CONTROL

1) Has the unit educated users to only conduct university transactions involving information classified as "Protected" over

encrypted wireless connections on campus or when accessing non-university

wireless connections?

2) Has the unit periodically used a wireless discovery tool to ensure

unauthorized wireless access points are not connected to unit assigned subnets?



Part 2 of the Wireless Control

Part 1 of the Wireless Control



Avoidance (N/A) – Discontinue all wireless computing activities.

Reduction/Mitigate (Yes) – Unit users are given training on connecting to wireless access points when conducting official FSU business. Unit periodically warwalks or uses other technologies to look for unauthorized wireless access points on their network subnets.



Transfer/Share (Yes) – Obtain the appropriate user wireless training support from a 3rd party. Use a security vendor to assess your network for unauthorized wireless access point connections

Retention/Acceptance (No) – Users are not trained. Unit does not have any procedures in place to discover unauthorized wireless access points connected to their network.


17: IMPLEMENT A SECURITY AWARENESS AND TRAINING PROGRAM

Does the unit have a functional training program in place to ensure users and those positions supporting unit technologies are educated on current security and privacy topics/strategies to protect unit resources?




Reduction/Mitigate (Yes) – Unit proactively trains their users on information security and privacy topics. The unit trains their systems and privacy administrators on the latest technologies and topics to safeguard unit protected information assets. All training attendance is auditable.



Transfer/Share (Yes) – Engage ITS or 3rd party training resources to meet training requirements.

Retention/Acceptance (No) – Do not have a training program in place for users, system administrators, or privacy administrators.


18: INCIDENT RESPONSE MANAGEMENT

Does the unit maintain a copy of the university's

incident response plan and does it educate users on

how to manage a breach of protected information

and/or computing equipment using the plan?




Reduction/Mitigate (Yes) – Download FSU incident response program and distribute to ISMs and UPCs. Train users on IR procedures.



Retention/Acceptance (No) – Do not educate ISMs or UPCs on the university’s incident response program.

Transfer/Share (Yes) – Use university or vendors to train employees on IR procedures. Ensure outsourced computing functions involving protected information are covered by the university’s security/privacy terms and conditions for incident response.


19: APPLICATION SOFTWARE SECURITY

• 1) Only run applications or application versions that are supported by the vendor with security patches/security strategies;

• 2) Protect web applications with a Web Application Firewall (WAF);

Does the unit:


19: APPLICATION SOFTWARE SECURITY (PART DUEX)

• 3) Perform code vulnerability scans for any internally developed applications;

• 4) Maintain separate production and test environments to validate patch updates or to test code changes on internally supported applications?

Does the unit:




19: APPLICATION SOFTWARE SECURITYAvoidance (N/A) – Discontinue all computing activities.

Reduction/Mitigate (Yes) – Ensure the unit is 1) Running vendor/shareware/freeware supported versions of software (unless you have instituted compensating controls for unsupported software you are required to run) 2) Employ a Web Access Firewall for external websites collecting/accessing protected information 3) Perform code vulnerability scans if unit is coding applications 4) Maintain separate test and production environments.



Retention/Acceptance (No) – 1) Run Unsupported software 2) Do not run a WAF 3) Do not perform code vulnerability scans 4) Do application testing in the production environment.

Transfer/Share (Yes) – 1) Outsource software applications 2) Obtain a vendor supported local appliance or run apps in cloud w/WAF services 3) Obtain 3rd party code vulnerability assessments 4) Use cloud services for a test environment.


20: PENETRATION TESTING

Has the unit completed external (from outside of the FSU/Unit network) and internal (from within the FSU/Unit network) penetration tests against computing assets including desktops, servers, and network devices?




Reduction/Mitigate (Yes) – Create and run unit supported penetration test program against assigned subnets.



Retention/Acceptance (No) – Do not run penetration tests.

Transfer/Share (Yes) – Contract for internal and external penetration tests by a vendor.


DON’T WING-IT, IF YOU GET STUCK-CONTACT US

77


THE END


Brian RueAssociate Director

Information Technology ServicesFlorida State University

[email protected]

Daniel LeggettRisk Manager

Information Technology ServicesFlorida State University

[email protected]

CONTACT

Documents

Enterprise IT Risk Assessment Pages/IT Risk... · FLORIDA AUDITOR GENERAL – RISK MGT. FINDING Finding 4: Information Technology Risk Assessment For the 2017 calendar year, we requested