Roles and Responsibilities Phase 2: Grouping and Assessment

IT Risk Management
Assessor SPECTRIM Tool Training
FY 2017
Group email: [email protected]
David Sustaita, Lead IT Policy Analyst
Zachary Cox, Senior IT Policy Analyst
Daniel Janecek, IT Policy Analyst
Why you are here
You have been identified as a potential Assessor by someone in your IT department because you:
• Admin rights to individual workstation(s)
• Manage servers or domain workstations
• Maintain lab equipment
Objectives
By the end of this training, you will be able to:
• Answer risk assessment questions
• Respond to findings – corrective actions / risk management decisions
Outline
• FY17 Timeline
• SPECTRIM Overview
• Process Overview
• Roles & Responsibilities
• Assessment Questions
• Findings
• Assessment Support
FY 2017 Timeline
SPECTRIM
• Replaced ISAAC as the IT risk assessment tool for the university
• SPECTRIM is:
  • a web based tool provided by the state
  • a self reporting tool – like tax software
  • an auditable process
  • NOT an inventory management system – don’t need to worry about duplicating efforts
• New Standard Administrative Procedure (SAP) 29.01.03.M0.03 Security of Electronic Information Resources (07-18-2016): Dean/VP must sign off on the college/division risk assessment report
Roles and Responsibilities
Division Risk Assessment Coordinator (D-RAC):
• D-RAC is a liaison between his/her unit and Texas A&M IT concerning the annual IT risk assessment process.
• Each college and division may have up to two D-RACs.
Assessor:
• The Assessor is a staff or faculty member who will answer the assessment questions and then be responsible for responding to Findings generated from the assessment results.
Reviewer:
• The reviewer will be another person who reviews an assessment to help ensure its accuracy.
• The reviewer role is generally a secondary role for a D-RAC and/or Assessor. An individual cannot hold the Assessor and Reviewer roles for the same assessment.
Process Overview
Guided collaborative effort with TAMU IT Risk Management and Policy (IT-RMP)
Outside SPECTRIM
• Phase 1: Inventory Management/Resource Identification
• Phase 2: Grouping and Assessment
Inside SPECTRIM
• Phase 3: Data Entry and Reporting
Roles and Responsibilities
Phase 1: Inventory Management/Resource Identification
Division Risk Assessment Coordinator (D-RAC):
• Liaison to TAMU IT-RMP
• Monitor progress
• Ensure inventory list is accurate and up-to-date
  • Canopy / FAMIS
  • Unit IT inventory list
Assessor:
• Assist D-RAC as needed
Roles and Responsibilities
Phase 2: Grouping and Assessment
Division Risk Assessment Coordinator:
• Liaison to TAMU IT-RMP
• Monitor progress
• Coordinate the scoping of groupings
• Assign assessor and reviewer roles
Assessor:
• Assist D-RAC as needed
• Answer assigned assessment questions for groupings
• Respond to Findings that were generated
Roles and Responsibilities
Phase 3: Data Entry and Reporting
Division Risk Assessment Coordinator:
• Monitor progress in SPECTRIM
• Input general information about the groupings created in Phase 2
• Create and assign assessments
  • One grouping to one assessment
  • Add defined assessors and reviewers
• Launch assessments
• Approve/Reject assessments prior to submission to CISO and Dean/VP
Assessor:
• Input assessment answers and findings into SPECTRIM
Reviewer:
• Help ensure the data accuracy for assigned assessments
• Approve/Reject assessments and Findings submitted by the assessor
Assessment Questions
• FY 2017: Questionnaire Type Low
• Questions relate to specific security controls
• Answer the question as it relates to Texas A&M security control or SAP
• Multiple choice (5 answer choices)

Number of questions by Questionnaire Type (rows) and Assessment Type (columns):

Questionnaire Type   Application   Location   Network
Low                  42            35         38
Moderate             61            51         57
High                 101           101        107
Assessment Answer Choices
Response               Value   Description
Implemented            0       The full extent of the requirement has been put into place, documented, and communicated; and is consistently applied.
Partially Implemented  -0.5    Some of the characteristics of the control requirement are being performed, but may not be documented and communicated, nor consistently applied.
Not Implemented        -1      The control requirement is not currently being performed or has not been put into practice.
Unknown                -1      It cannot be determined whether the control requirement is being performed or has been put into practice.
Not Applicable         0       The specific control requirement is not applicable to the component being assessed.
Questionnaire Screenshot
Findings
Assessors are responsible for responding to Findings that were generated based on how he/she answered the assessment questions.
• A Finding will be generated for every question that was answered as “Partially Implemented”, “Not Implemented”, or “Unknown”. These answer choices demonstrate noncompliance for the related control, which then impacts the risk score.
• Response choices – “Accept Risk” or “Remediate Risk”
Note: Findings should be discussed with IT staff to be sure they accurately reflect the views of the unit.
Finding Responses
1. Accept – nothing will be done to improve compliance from its current state in the following year(s); score will not change
  • Describe why compliance is not met with current controls
  • Justify the risk acceptance
2. Remediate – will do something to improve compliance from its current state in the following year(s); score will change
  • Describe why compliance is not met with current controls
  • Give tangible actions that will take place in order to work towards becoming compliant.
  • A date of completion is required in SPECTRIM, and that date can go out further than the next risk assessment period.
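The answer-value table, the rule for which answers generate a Finding, and the required content of an Accept or Remediate response, combined into one small checker. This is an added illustration, not SPECTRIM's own code; the question IDs and sample answers are constructed, and treating the risk score as the plain sum of the answer values is an assumption (the slides give the per-answer values but not the scoring formula).

```python
from dataclasses import dataclass

# Answer choices and their values, as listed in the Assessment Answer Choices table.
ANSWER_VALUES = {
    "Implemented": 0.0,
    "Partially Implemented": -0.5,
    "Not Implemented": -1.0,
    "Unknown": -1.0,
    "Not Applicable": 0.0,
}
# Answers that generate a Finding (Findings slide).
FINDING_ANSWERS = {"Partially Implemented", "Not Implemented", "Unknown"}


@dataclass
class Finding:
    question_id: str
    answer: str
    response: str = ""          # "Accept" or "Remediate"
    reason: str = ""            # why compliance is not met (both responses)
    justification: str = ""     # Accept: justify the risk acceptance
    actions: str = ""           # Remediate: tangible actions
    completion_date: str = ""   # Remediate: required completion date


def score_assessment(answers):
    """Assumption: risk score is the sum of answer values; unknown choices are rejected."""
    total = 0.0
    for qid, choice in answers.items():
        if choice not in ANSWER_VALUES:
            raise ValueError(f"{qid}: unexpected answer {choice!r}")
        total += ANSWER_VALUES[choice]
    return total


def generate_findings(answers):
    """One Finding per question answered Partially Implemented, Not Implemented or Unknown."""
    return [Finding(qid, choice) for qid, choice in answers.items() if choice in FINDING_ANSWERS]


def finding_is_complete(f):
    """Does the response carry everything the Finding Responses slide requires?"""
    if f.response == "Accept":
        return bool(f.reason and f.justification)
    if f.response == "Remediate":
        return bool(f.reason and f.actions and f.completion_date)
    return False


# Constructed sample answers for a hypothetical five-question assessment.
SAMPLE_ANSWERS = {"Q1": "Implemented", "Q2": "Partially Implemented", "Q3": "Unknown",
                  "Q4": "Not Applicable", "Q5": "Not Implemented"}
```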
SPECTRIM Flowchart
Assessment Support
(don’t panic)
Documents:
1. Excel Spreadsheets – allows you to answer all assessment questions and potential Findings before getting into SPECTRIM
2. SPECTRIM User Guide – gives guidance on what each question is asking and how it may apply to the information resources you are assessing
  • Some answers will be provided based on certain criteria
Meetings:
1. Office Hours (fall & spring semester) – Thursday 2:30-4:00pm @ TAES Annex, room 117
2. 1 on 1 meetings – scheduled through your college/division D-RAC
Group Email: [email protected]