Bridget-Anne Hampden
U.S. Department of Education
Guaranty Agency Security Reviews
Agenda
• Why We Did It…
• How We Did It…
• What We Did…
• What We Found…
• Next Steps…
Guaranty Agency Reviews
Why We Did It…
• PII breach reported in March 2010
• 2010 Guaranty Agency (GA) Security and Privacy Conference in Washington, DC
• Focus on Privacy, Data Security, and Critical Infrastructure Protection
• GAs asked to prepare and submit Self-Assessment Forms
Why We Did It… (cont’d.)
• Assessment of results
• Creation of an FSA Report
• Summary of findings based on risk category
• Highlight key focus areas
How We Did It…
• Used a risk-based approach
  • Outstanding loan balance
  • Risk profile
  • Size
• Outstanding Loan Balance (75%)
• Result was an assessment of 15 Guaranty Agencies visited in FY 2011
• Remaining 16 Guaranty Agency visits were conducted in FY 2012
How We Did It… (cont’d.)
• Preparation and distribution of Pre-Visit Questionnaire
• Perform market research on each GA
  • Review 10-K Reports
  • Google and blog searches
  • Recent Audit and SAS 70 Reports
• Review System Security Plans (SSPs)
What We Did…
• FSA Team performed a day-long visit at each site
• Senior Management opening briefing
• Review of information submitted in pre-visit package
• Engage Guaranty Agency technical team (CIO, CISO, Audit Manager, etc.)
• In-depth discussions/questions based on risk categories/groupings
What We Did… (cont’d.)
• Focus on privacy and records management
• Review Guaranty Agency’s processes, policies, and procedures
• Data Center visit
• Operational Unit tour (vault, call center, etc.)
• Management out-brief
• Prepare and distribute report: observations and recommendations
• Receive and record GA management responses
What We Found…
Overall observations (SWOT analysis)
• Strengths
  • Logical Access Control
  • Critical Infrastructure Protection
  • Governance
• Weaknesses
  • Strategy
  • Incident/Breach Response
What We Found… (cont’d.)
• Opportunities
  • Update and embellish policies/processes
  • Improve communication between GAs and service partners
  • Improve certification of technical staff
  • Create and expand on the trusted relationship between FSA and the GAs
• Threats
  • Monitoring
  • Revalidating user accounts
Summary of FY 11 Reviews
[Chart: summary of FY 2011 review findings; values not recoverable from the extracted slide]
Summary of FY12 Reviews
[Chart: summary of FY 2012 review findings; values not recoverable from the extracted slide]
Logical Access Control
[Bar chart, unlabeled scale 0 to 25, one bar per category: Role Based Access; Revalidating user accounts; Passwords/authentication; Privileged vs. non-privileged accounts]
Critical Infrastructure Protection
[Bar chart, unlabeled scale 0 to 30, one bar per category: Visitor badges/sign-in; Business resumption plan; DR site; DR/BR tests]
Strategy
[Bar chart, unlabeled scale 0 to 30, one bar per category: Dedicated privacy staff/officer; Encryption; PII segregation; Network perimeter/boundary protection; Tracking/Destruction of expired records]
Incident/Breach Response
[Bar chart, unlabeled scale 0 to 25, one bar per category: Automation and tracking; Periodic test; Notification/escalation tree]
Monitoring (Vulnerability Management)
[Bar chart, unlabeled scale 0 to 25, one bar per category: Vulnerability identification; Continuous monitoring; Log reviews]
Governance
[Bar chart, unlabeled scale 0 to 30, one bar per category: Personnel security; Policies/procedures; Training; Knowledgeable staff; Risk assessment; Risk tracking; Risk acceptance]
Next Steps…
• Populate the OVMS database
• Liaise with GAs on remediation plans: quarterly reporting
• Continuing dialogue: explore ways for continued collaboration with the GA community
Contact Information
We appreciate your feedback & comments.
Bridget-Anne Hampden, Deputy CIO
• E-mail: [email protected]
• Phone: 202-377-3508