Data Risk Management - Technical IT Staff
The purpose of risk management is to identify potential problems before they occur so that risk mitigation activities may be implemented as needed to avoid adverse impact on the business process. Risk management is a continuous, forward-looking process that is an important part of business and technical management processes. Risk management should address issues that could endanger achievement of campus objectives.
Effective risk management includes early and aggressive risk identification through the collaboration and involvement of relevant stakeholders. Strong leadership across all relevant stakeholders is needed to establish an environment for the free and open disclosure and discussion of risk.
Although technical issues are a primary concern both early on and throughout all project phases, risk management must consider both internal and external sources for cost, schedule, and technical risk. Early and aggressive detection of risk is important because it is typically easier, less costly, and less disruptive to make changes and correct work efforts during the earlier, rather than the later, phases of the project.
Risk - It’s All About the Data
There are many types of information and data stored and processed on campus. The use of data ranges from aiding teaching and learning to the administration of the University and the UW System to numerous research projects crossing disciplines. This data is the target of cybercriminal and cyber-espionage activities that aim to harm others, gain financial profit, or expose information to benefit a nation-state, corporation, or other social or political agenda.
Risk is never fully eliminated. No matter what controls are put in place, by storing and processing information, there is some element of risk to the confidentiality, integrity or availability of the data. This training, for example, attempts to reduce risk by providing awareness of what IT security risk is and controls to help reduce it. Awareness alone does not sufficiently reduce the risk. Risk is also reduced by:
- Network Design: Implement network segmentation to limit who can access the data from where and to isolate the systems.
- Access Controls: Implement access controls that practice the concepts of least privilege and separation of duties. For restricted and sensitive data, limit access to those who have a business need. One step further is to limit access to the locations and times where and when they would need it. To reduce the likelihood of fraud, access controls can also be used to enforce separation of duties.
- Encryption: Implement encryption of restricted or sensitive data in transit and at rest. There are many methods of encryption and several considerations around the types of tools to use and how to manage the encryption keys.
- Patching and Upgrading: Attackers will exploit vulnerabilities to gain access to systems in order to look for information or for other systems to attack. Close these vulnerabilities by patching them in a timely manner.
- Testing and Monitoring: Test and monitor the security controls that are in place. Verify that they are working and are effective. This can be done through vulnerability scans of hosts, applications and databases. The Office of Cybersecurity can conduct vulnerability scanning and penetration-testing exercises. In addition, application and system logs should be aggregated and reviewed for potential security events.
- Ongoing Assessment: The Office of Cybersecurity is available to conduct IT Security Risk Assessments. Assessments should be conducted to address changes in business function, technology or regulatory compliance.
The Cybersecurity field is focused on working across the organization to identify, measure, and, when necessary, remediate or eliminate risk. The Office of Cybersecurity is working on the following initiatives to improve how we collectively identify, measure and address risk. These activities are part of the 2015-2019 UW-Madison Cybersecurity Strategy.
Cybersecurity is working with the UW-Madison Chief Data Officer to create a campus data management governance plan. This includes updating the data classification matrix, identifying security controls for different data types, and providing education and training around the proper handling of the different types of data elements. The Chief Data Officer will continue to provide updates on the status of this effort.
Risk Management Framework
The Office of Cybersecurity is working with campus to develop a Risk Management Framework (RMF). The framework will provide processes around the six steps of:
- categorize information systems;
- select security controls;
- implement security controls;
- assess security controls;
- authorize information systems; and
- monitor security controls.
The result of the RMF is a security plan for the system to follow. The Office of Cybersecurity will have a draft of these processes in the first quarter of 2016.