Bridget-Anne Hampden
U.S. Department of Education

Guaranty Agency Security Reviews

Why We Did It… How We Did It… What We Did… What We Found… Next Steps…
Guaranty Agency Reviews

Why We Did It…
• PII Breach reported in March 2010
• 2010 Guaranty Agency (GA) Security and Privacy Conference in Washington, DC
• Focus on Privacy, Data Security, and Critical Infrastructure Protection
• GAs asked to prepare and submit Self-Assessment Forms
Why We Did It… (cont’d.)
• Assessment of results
• Creation of an FSA Report
• Summary of findings based on risk category
• Highlight key focus areas
How We Did It…
• Used a risk-based approach
  • Outstanding loan balance
  • Risk profile
  • Size
• Outstanding Loan Balance (75%)
• Result was an assessment of 15 Guaranty Agencies visited in FY 2011
• Remaining 16 Guaranty Agency visits were conducted in FY 2012
How We Did It… (cont’d.)
• Preparation and Distribution of Pre-Visit Questionnaire
• Perform Market Research on each GA
  • Review 10-K Reports
  • Google and Blog Searches
  • Recent Audit and SAS 70 Reports
• Review System Security Plans (SSPs)
What We Did…
• FSA Team performed a day-long visit at each site
• Senior Management opening briefing
• Review of information submitted in pre-visit package
• Engage Guaranty Agency technical team (CIO, CISO, Audit Manager, etc.)
• In-depth discussions/questions based on risk categories/groupings
What We Did… (cont’d.)
• Focus on privacy and records management
• Review Guaranty Agency’s processes, policies, and procedures
• Data Center visit
• Operational Unit tour (vault, call center, etc.)
• Management out-brief
• Prepare and distribute report – observations and recommendations
• Receive and record GA management responses
What We Found…

Overall observations (SWOT analysis)
• Strengths
  • Logical Access Control
  • Critical Infrastructure Protection
  • Governance
• Weaknesses
  • Strategy
  • Incident/Breach Response
What We Found… (cont’d.)
• Opportunities
  • Update and embellish policies/processes
  • Improve communication between GAs and service partners
  • Improve certification of technical staff
  • Create and expand on the trusted relationship between FSA and the GAs
• Threats
  • Monitoring
  • Revalidating user accounts
Summary of FY 11 Reviews
Summary of FY 12 Reviews
Logical Access Control
[Chart: number of findings per area (scale 0–25). Areas: Role Based Access; Revalidating user accounts; Passwords/authentication; Privileged vs. non-privileged accounts]
Critical Infrastructure Protection
[Chart: number of findings per area (scale 0–30). Areas: Visitor badges/sign-in; Business resumption plan; DR site; DR/BR tests]
Strategy
[Chart: number of findings per area (scale 0–30). Areas: Dedicated privacy staff/officer; Encryption; PII segregation; Network perimeter/boundary protection; Tracking/Destruction of expired records]
Incident/Breach Response
[Chart: number of findings per area (scale 0–25). Areas: Automation and tracking; Periodic test; Notification/escalation tree]
Monitoring (Vulnerability Management)
[Chart: number of findings per area (scale 0–25). Areas: Vulnerability identification; Continuous monitoring; Log reviews]
Governance
[Chart: number of findings per area (scale 0–30). Areas: Personnel security; Policies/procedures; Training; Knowledgeable staff; Risk assessment; Risk tracking; Risk acceptance]
Next Steps…
• Populate the OVMS database
• Liaising with GAs on remediation plans – quarterly reporting
• Continuing Dialogue – explore ways for continued collaboration with the GA community
Contact Information

We appreciate your feedback & comments.

Bridget-Anne Hampden, Deputy CIO
• E-mail: [email protected]
• Phone: 202-377-3508