Information Security Awareness, Assessment, and Compliance (ISAAC)
A Success Story
What ISAAC was intended to address
• Provide an information security risk assessment process that is thorough, effective, and makes efficient use of the time of system administrators and other assessors
• A large, decentralized university environment with over 200 departments, each having its own IT function and budget
• Had to be cost effective
  o Minimal expenditure to create and operate
  o Currently, institutions using ISAAC spend less than $2,000 per year for the Web/SQL-based system
Approach and Methodology
• Information Security Awareness, Assessment, and Compliance (ISAAC)
• Awareness is a key aspect: ISAAC creates familiarity with information security standards and best practices among IT personnel
• ISAAC builds on known threat vectors and the best practices/countermeasures that address them, which saves time for those involved
  o The assessment process can begin immediately, without the large amount of preparation time in committee meetings that is typical of other methodologies
Approach and Methodology (cont.)
• The two major components are:
  o A module that assesses compliance with information security standards, best practices, and requirements, legal or otherwise
  o Compliance modules for HIPAA and PCI are also included
  o A risk assessment methodology, currently the Relative Risk Index (RRI), borrowed from the National Institutes of Health
    • The RRI reduces each risk to a rating of acceptable or unacceptable
    • An unacceptable rating requires identifying mitigation measures that will bring the risk to an acceptable level
Benefits of this Approach
• Designed to be used independently at the department level
• Individual departments decide which risk management decisions to make and which risk mitigation measures to implement, based on their own budget and personnel resources
Benefits of this Approach (cont.)
• The assessment is considered complete when the department head signs the assessment and risk management report
• This sign-off creates awareness of the security environment at the department head level and fosters communication between the department head/administrative level and those in an IT function
Benefits of this Approach (cont.)
• Departmental risk assessment reports are combined into a composite view, which:
  o Produces a composite report that highlights common risks
  o Provides guidance to the CIO on which centrally based initiatives would most improve the security posture of the institution
  o Is used to develop an institution-wide risk management plan that addresses global risks
• ISAAC has grown beyond awareness, risk, and compliance checks for information security into other awareness and compliance aspects of IT policy administration
Current Users
• Use of ISAAC has grown over the years from a single institution (TAMU)
• Now the officially recommended assessment tool for all Texas state agencies
• Currently in use by Health Science Centers and universities from 4 major state university systems
• Also in use by a Health Science Center outside of Texas
• This growth is primarily due to the efficient and cost-effective methodology
Plans for Future
• There are currently 4 different versions of ISAAC, plus additional sub-modules
• ISAAC-EU is the newest module and will soon be widely available
  o A brief and simple module
  o Designed for the individual who holds administrative rights over their own desktop unit
  o Ensures that the essential countermeasures/best practices are in place
  o Especially useful for systems that are not centrally supported by the department (research groups, faculty desktops, etc.)
Plans for Future (cont.)
• The ISAAC infrastructure is being rewritten from the ground up as a modular, table-driven framework
• This allows assessments to be highly customizable
  o Individual institutions can include their own customized questions and methods
Plans for Future (cont.)
• Assessments will be keyed to resources
• Reporting will also support various "views":
  o Likert scale evaluation for a phased view of compliance initiatives/levels
  o Capability maturity model approach
  o Additional or multiple measures/views
• Plans include online tutorials (delivered with Articulate) covering the various aspects of ISAAC