
Guaranty Agency Security Reviews



Presentation Transcript


  1. Guaranty Agency Security Reviews Bridget-Anne Hampden U.S. Department of Education

  2. Guaranty Agency Reviews: Why We Did It… How We Did It… What We Did… What We Found… Next Steps…

  3. Why We Did It…
  • PII breach reported in March 2010
  • 2010 Guaranty Agency (GA) Security and Privacy Conference in Washington, DC
  • Focus on privacy, data security, and critical infrastructure protection
  • GAs asked to prepare and submit Self-Assessment Forms

  4. Why We Did It… (cont’d.)
  • Assessment of the self-assessment results
  • Creation of an FSA report
  • Summary of findings based on risk category
  • Highlight key focus areas

  5. How We Did It…
  • Used a risk-based approach to select and order the visits, considering each GA’s:
    • Outstanding loan balance
    • Risk profile
    • Size
  • Outstanding Loan Balance (75%)
  • Result was an assessment of 15 Guaranty Agencies visited in FY 2011
  • Remaining 16 Guaranty Agency visits were conducted in FY 2012

  6. How We Did It… (cont’d.)
  • Preparation and distribution of a pre-visit questionnaire
  • Perform market research on each GA:
    • Review 10K reports
    • Google and blog searches
    • Recent audit and SAS 70 reports
  • Review System Security Plans (SSPs)

  7. What We Did…
  • FSA team performed a day-long visit at each site
  • Senior management opening briefing
  • Review of information submitted in the pre-visit package
  • Engage the Guaranty Agency technical team (CIO, CISO, Audit Manager, etc.)
  • In-depth discussions/questions based on risk categories/groupings

  8. What We Did… (cont’d.)
  • Focus on privacy and records management
  • Review the Guaranty Agency’s processes, policies, and procedures
  • Data center visit
  • Operational unit tour (vault, call center, etc.)
  • Management outbrief
  • Prepare and distribute report: observations and recommendations
  • Receive and record GA management responses

  9. What We Found… Overall observations (SWOT analysis)
  • Strengths
    • Logical Access Control
    • Critical Infrastructure Protection
    • Governance
  • Weaknesses
    • Strategy
    • Incident/Breach Response

  10. What We Found… (cont’d.)
  • Opportunities
    • Update and expand policies/processes
    • Improve communication between GAs and service partners
    • Improve certification of technical staff
    • Build on the trusted relationship between FSA and the GAs
  • Threats
    • Monitoring
    • Revalidating user accounts
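Slide 10 names monitoring and revalidating user accounts as the threats the reviews surfaced. As an added illustration of what a periodic account revalidation check looks like in practice (this is not code from the presentation, from FSA, or from any GA), the following Python script runs a constructed identity-system export against a constructed HR roster and flags orphaned accounts, dormant accounts, and privileged accounts whose access recertification is overdue. The thresholds (90 days for dormancy, 180 days for privileged recertification), the role names, and every record below are assumptions made for the example.

```python
"""Periodic user-account revalidation check.

Added example, not from the presentation. Three findings are produced:
  orphaned   - no active person in the HR roster is accountable for the account
  dormant    - no login within DORMANT_DAYS
  privileged-recert-overdue - a privileged role whose last access
               recertification is older than RECERT_DAYS
All thresholds, roles, and records are constructed sample data.
"""
from datetime import date

DORMANT_DAYS = 90       # assumption: no login in 90 days -> dormant
RECERT_DAYS = 180       # assumption: privileged access recertified every 180 days
PRIVILEGED_ROLES = {"domain_admin", "db_admin", "vault_access"}  # assumed names

# Constructed HR roster: employee id -> still employed?
HR_ROSTER = {
    "e1001": True,
    "e1002": True,
    "e1003": False,     # separated employee
}

# Constructed identity-system export, one record per account
ACCOUNTS = [
    {"user": "jdoe", "owner": "e1001", "roles": {"call_center"},
     "last_login": "2012-05-01", "last_recert": "2012-03-01"},
    {"user": "asmith", "owner": "e1002", "roles": {"domain_admin"},
     "last_login": "2012-05-10", "last_recert": "2011-09-01"},
    {"user": "bjones", "owner": "e1003", "roles": {"db_admin"},
     "last_login": "2012-01-15", "last_recert": "2012-01-10"},
    {"user": "svc_batch", "owner": None, "roles": {"vault_access"},
     "last_login": "2012-05-11", "last_recert": "2012-05-01"},
]


def _days_since(stamp, today):
    """Whole days between an ISO-8601 date string and the review date."""
    return (today - date.fromisoformat(stamp)).days


def revalidate(accounts, roster, today,
               dormant_days=DORMANT_DAYS, recert_days=RECERT_DAYS):
    """Return {user: [findings]} for every account that needs action."""
    findings = {}
    for acct in accounts:
        issues = []
        owner = acct["owner"]
        # An account with no owner, or whose owner has left, has nobody
        # who can attest that it is still needed.
        if owner is None or not roster.get(owner, False):
            issues.append("orphaned")
        if _days_since(acct["last_login"], today) > dormant_days:
            issues.append("dormant")
        # Privileged access is recertified on a shorter cycle than a login check.
        if (acct["roles"] & PRIVILEGED_ROLES
                and _days_since(acct["last_recert"], today) > recert_days):
            issues.append("privileged-recert-overdue")
        if issues:
            findings[acct["user"]] = issues
    return findings


def run_sample():
    """Run the constructed export against the roster as of 2012-05-15."""
    return revalidate(ACCOUNTS, HR_ROSTER, date(2012, 5, 15))


if __name__ == "__main__":
    for user, issues in sorted(run_sample().items()):
        print(f"{user}: {', '.join(issues)}")
```

In a real deployment the export would come from the directory or identity system and the roster from HR, and the output would feed the quarterly recertification that the owning manager signs off on; the point of the check is that each finding names the person or gap responsible, so an account does not persist simply because nobody was asked about it.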

  11. Summary of FY 11 Reviews

  12. Summary of FY12 Reviews

  13. Logical Access Control

  14. Critical Infrastructure Protection

  15. Strategy

  16. Incident/Breach Response

  17. Monitoring (Vulnerability Management)

  18. Governance

  19. Next Steps…
  • Populate the OVMS database
  • Liaise with GAs on remediation plans (quarterly reporting)
  • Continuing dialogue: explore ways for continued collaboration with the GA community

  20. Contact Information
  • We appreciate your feedback & comments.
  • Bridget-Anne Hampden, Deputy CIO
  • E-mail: Bridget-Anne.Hampden@ed.gov
  • Phone: 202-377-3508
