DRAC Program: Departmental Risk Assessment Coordinators

1. Departmental Risk Assessment Coordinators (DRAC)ProgramCUVA ConferenceMay 23, 2012Mason InnGeorge Mason University Robert Naklesand Josh Schiefer IT Security Office George Mason University

2. Presentation Overview • Purpose of the DRAC Program • State Requirements • University Response • Review of DRAC Program • Key Components • The Role of the DRAC • The RA Process • Program Management • Current Status • Lessons Learned and Future Plans

3. State Requirements • Information Security Standard SEC501-06 • 2.6 Risk Assessment • For sensitive IT system, not less than every 3 years • 4.2 IT System Security Plan • Documents security controls • Based on results of the risk assessment • IT Risk Management Guideline SEC506-01 • 6.2 Risk Assessment Process • At least, once every 3 years, unless “substantial change”

4. University Response • In distributed environment, discover sensitive systems • Centrally managed systems and departments • How is access controlled • How is data managed • Business processes that impact sensitive systems • Involve knowledgeable staff within departments

5. DRAC Program • Purpose: to provide university departments with the framework and resources necessary to complete a required risk assessment for information technology (IT) security within their individual environments. • Each department will appoint one or more Departmental Risk Assessment Coordinator or DRAC to conduct the IT risk assessment and develop an appropriate security plan. • Helps each department come to terms with what risk they have

6. The Role of the DRAC • A successful Departmental Risk Assessment Coordinator (DRAC) is someone who knows the business processes of his or her unit, department or office and has been authorized by the department head to act on his or her behalf. • The DRAC facilitates the completion of a risk assessment and security plan in a 3 year period of time. 

7. Profile of a DRAC • Who is a DRAC? • Appointed by dean or vice president • Examples of DRACS

8. The Risk Assessment • The risk assessment questionnaire consists of a Business Impact Analysis and a series of security questions based upon industry “best practices,” university policies and applicable federal regulations.  • The security plan is a documented response to the risks identified during the completion of the questionnaire.

9. Program Management • The Information Technology Security Office provides resources and procedures for each DRAC so they can complete the risk assessment accurately and develop a practical security plan. • Cohort based: Each DRAC is placed into a cohort based on risk level and/or similar business function. Meet quarterly. • myMason: projects updates, exchange documents, scheduling, e-mail communications, etc.

10. Current Status • 2 Cohorts working now • Cohort A: administrative units • Active since April 2010 • Cohort B: academic space • Active since August 2010

11. Lessons Learned • Getting the right DRAC not always easy • Academic space presents different challenges than the administrative. Research space even more difficult to hands around. • Turnover • Managing Expectations • Resource intensive

12. Next Steps • Add additional Cohorts • Refine process • Overhaul Questionnaire • Utilize MyMason Portal more • Paper less

13. Questions? • Contact information • Josh Schiefer • (703) 993-9893 • Email: jschiefe@gmu.edu • Bob Nakles • (703) 993-2975 • Email: rnakles@gmu.edu • DRAC Web site • security.gmu.edu