Slide 1
Departmental Risk Assessment Coordinators (DRAC) Program
CUVA Conference, May 23, 2012
Mason Inn, George Mason University
Robert Nakles and Josh Schiefer
IT Security Office, George Mason University
Slide 2: Presentation Overview
Purpose of the DRAC Program
  State Requirements
  University Response
Review of DRAC Program
  Key Components
  The Role of the DRAC
  The RA Process
  Program Management
Current Status
Lessons Learned and Future Plans
Slide 3: State Requirements
Information Security Standard SEC501-06
  2.6 Risk Assessment: for sensitive IT systems, not less than every 3 years
  4.2 IT System Security Plan: documents security controls, based on the results of the risk assessment
IT Risk Management Guideline SEC506-01
  6.2 Risk Assessment Process: at least once every 3 years, unless there is a “substantial change”
Slide 4: University Response
In a distributed environment, discover sensitive systems
  Centrally managed systems and departments
  How is access controlled?
  How is data managed?
  Business processes that impact sensitive systems
Involve knowledgeable staff within departments
Slide 5: DRAC Program
Purpose: to provide university departments with the framework and resources necessary to complete a required risk assessment for information technology (IT) security within their individual environments. Each department will appoint one or more Departmental Risk Assessment Coordinators (DRACs) to conduct the IT risk assessment and develop an appropriate security plan.
Helps each department come to terms with what risk they have.
Slide 6: The Role of the DRAC
A successful Departmental Risk Assessment Coordinator (DRAC) is someone who knows the business processes of his or her unit, department or office and has been authorized by the department head to act on his or her behalf.
The DRAC facilitates the completion of a risk assessment and security plan within a 3 year period.
Slide 7: Profile of a DRAC
Who is a DRAC?
  Appointed by a dean or vice president
Examples of DRACs
Slide 8: The Risk Assessment
The risk assessment questionnaire consists of a Business Impact Analysis and a series of security questions based upon industry “best practices,” university policies and applicable federal regulations. The security plan is a documented response to the risks identified during the completion of the questionnaire.
Slide 9: Program Management
The Information Technology Security Office provides resources and procedures for each DRAC so they can complete the risk assessment accurately and develop a practical security plan.
Cohort based: each DRAC is placed into a cohort based on risk level and/or similar business function. Cohorts meet quarterly.
myMason: project updates, exchange of documents, scheduling, e-mail communications, etc.
Slide 10: Current Status
2 cohorts working now
  Cohort A: administrative units, active since April 2010
  Cohort B: academic space, active since August 2010
Slide 11: Lessons Learned
Getting the right DRAC is not always easy
Academic space presents different challenges than the administrative space; research space is even more difficult to get one's hands around
Turnover
Managing expectations
Resource intensive
Slide 12: Next Steps
Add additional cohorts
Refine the process
Overhaul the questionnaire
Utilize the myMason portal more
Go paperless
Slide 13: Questions?
Contact information
Josh Schiefer
(703) 993-9893
Email: jschiefe@gmu.edu
Bob Nakles
(703) 993-2975
Email: rnakles@gmu.edu
DRAC Web site: security.gmu.edu