IT-28 Risk Mitigation Policy and Peer Review Process
Time: 10/17/17 01:30PM-02:20PM
Room: Seacliff A
Indiana University began the IT-28 Risk Mitigation and Peer Review Process initiative three years ago. Now we are prepared to kick off our next round of IT-28 peer reviews. Indiana University recognized the overwhelming task facing our security office: reviewing each department individually and providing mitigation plans to all of our 100-plus schools, institutes and organizations. There simply isn't enough time to do this effectively and in a timely manner with the IT security staff we have. Sound familiar? Our solution? Form teams of peers (academic staff and faculty), train them using the Factor Analysis of Information Risk (FAIR) methodology to identify risk, and have them work with departments to create risk mitigation plans that are signed and accepted by Deans and Executive Directors.
The first round of IT-28 focused on reducing threat surfaces by working with departments to relocate systems to the IU Data Center. This effort to help departments transition, where "practicable", and to provide recommendations for appropriate safeguards when systems could not be moved, required a deep understanding of the academic mission of each unit, the sensitivity of its data, and the mentality and perceptions of its faculty and staff. Using a process whereby units are reviewed by a team of peers helped to create many circles of trust and, in time, created a community of trust.
Today we have shifted our focus from the centralization of systems and hardware to the adoption of practices within departments that improve operational security. IU wants to promote a deeper understanding of risk vs. threat and to align knowledge, resources and services in ways that make them more accessible and easier for departments to implement. Our areas of focus within the realm of Operational Security will be Access Control, Change Management and Risk Assessment. Given the top findings from our audit staff, industry reports of common vulnerabilities, and the increasing number of attack vectors, we feel these three areas of focus will provide units with lenses through which they can accurately identify, plan for, mitigate and document risk.
Speaker: Charles Escue, Indiana University
Speaker: Ian Washburn, Indiana University
Primary track: Information Security
Secondary tracks: Information Security