Getting Ahead of an Incident Through Risk Assessment

  • Slides: 13
Cheryl O’Dell, BIS, CISSP

Problem
• New technologies being purchased and implemented onto the ESU network without TCS personnel engaged
  o Wrong equipment getting purchased and unable to be implemented
  o TCS engaged only when there are problems getting the technology to work
  o Devices getting compromised – devices TCS did not know existed on the ESU network
  o Policies not being followed
  o $$$$ wasted

• Fact: TCS could get volume pricing with deep discounts IF we could get people to standardize their orders
• Fact: TCS could review the new technology BEFORE purchase to determine if it will work on the ESU network and whether it would need further security controls
• Fact: ESU has one central location all purchase orders go through before purchase
• Fact: ESU had procurements being made via a State Procurement Card without any review PRIOR to purchase

Phase 1
• Prove our point: the TCS User Support Services Team took the equipment request list supplied to them by the Provost Council in spring 2009 and gave back a same-or-similar equipment list with deep discounts, saving the university over $100,000 the first year JUST on desktop computer purchases
• Point taken and implemented: standardize purchases and get quotes from TCS for POs

Lessons Learned from Phase 1
• BPC purchases still being made without any involvement from TCS or the Controller’s office
  o Sometimes because the only way to purchase was online
  o Sometimes to circumvent the system
• Not everyone would come to TCS for a quote
  o Sometimes because they didn’t think TCS would have a vendor (e.g., spectrometers)
  o Sometimes because they didn’t want TCS to be involved
• At different times of the year, USS spent a good deal of their day putting quotes together
  o USS worked with vendors to get volume quotes that would be valid for longer than 30 days
  o Used TECHSITE to provide a resource page for departments to use to get purchasing information and quotes

Phase 2 – a very painful phase
• New purchasing guidelines
  o All technology-related purchase orders will be routed through the AVP/CIO of TCS for approval PRIOR to purchase
  o All technology BPC purchases will need prior approval from the Controller’s and TCS offices
• Some people were saying: “What?!? Why does TCS have to APPROVE my technology purchases?!? They just want to CONTROL me. They don’t like me so they won’t let me purchase ANYTHING.”
• What some TCS people were saying: “What?!? Are you kidding? But they will be DIFFICULT to deal with! They won’t listen to us or follow the rules. They’ll still just go out and buy it anyway!”
• All the leaders of this initiative were saying: “Here we go – be ready – this is going to get ugly!”

Phase 2 continued…
• Ground Rules
  o If purchasers engaged TCS prior to the PO (e.g., to get quotes), purchases went smoothly and POs were quickly turned around/approved
  o If TCS learned about the new technology solution only with the notice of a PO, it would take time – depending on the solution, from a couple of hours to a couple of weeks
  o Quotes, POs and assessments are a high priority

Success…. but why is it still painful?

Advantages and Disadvantages
• Advantage: $$$$ saved by purchasing technologies that will work on the ESU infrastructure
• Advantage: Security controls can be defined prior to implementation, and if additional hardware or software needs to be purchased, it is known upfront at the start of a project.
• Disadvantage: Purchases sometimes come fast and furious at different times of the year, and turnaround time for assessments can be literally hours – not days.
• Disadvantage: Risk assessments have to occur annually – so this year information security did 75 assessments; next year we’ll have to re-assess those 75 and do assessments for all new technologies. Gulp.

Lessons Learned from Phase 2
• Communication, communication…
• Use a standard assessment and reporting mechanism so it can be a checklist in the same format every time (more time spent on the assessment, less on making it look nice and professional)
• Have a backup to approve POs and do assessments – and develop a system to track what has been approved and what is still being checked on.
• Need a good working relationship with fiscal departments
• TCS public relations – be ready for a long-term commitment and keep PO reviews and assessments a high priority in IT

Assessment Details
• First attempt **
• Second attempt **
• Current **
  o Sample Risk Management Framework **
    • http://rmf.org/home.html
    • http://rmf.org/images/stories/rmf_documents/draft-sp800-53a-rev1-fpd.pdf (NIST SP 800-53A Rev. 1, final public draft: assessing security controls)
    • http://rmf.org/images/stories/rmf_documents/draft-sp-800-137-ipd.pdf (NIST SP 800-137, initial public draft: information security continuous monitoring)
  o Sample Report **
** CONTACT codell@emporia.edu FOR A COPY OF THE FILES REFERENCED ON THIS SLIDE.

Last slide
• Success Stories
• Questions?
Cheryl O’Dell
codell@emporia.edu
620-341-5969