FY 2011-12 IT Funding Request Application I. Funding request overview
A. List the name, unit, and email contact information for each author of the funding request.
Name Unit Email
Ann Geyer OCIO: SPP ageyer@berkeley.edu
B. Give the title of the funding request.
Campus Security Assessment Program (formerly DSR) C. Give a brief description of the funding request.
This proposal describes a three-tiered approach for conducting data security risk assessments to identify and rate campus systems based on their risk characteristics; review and assess the adequacy of current security practices; recommend actionable plans for remediation; and promote ongoing security risk management.
The proposal is intimately linked to the Chancellor’s Operational Excellence (OE) goals in that risk reduction is implicitly embedded in each of the seven individual initiatives. Effective security risk management requires risk awareness. A key component of the Security Assessment Program is to work closely with campus units in business and IT positions to help them understand the data security risks associated with their
information environments and identify effective ways in which they can reduce those risks. If risk is being accepted, the program promotes active risk monitoring so that data owners stay alert to potential security incidents and are able to react quickly if needed. The proposal addresses the Chancellor’s OE goal of efficiency by using the security assessment results to build a campus security baseline. The baseline becomes the foundation for new security programs sponsored and supported by the OCIO office for Security, Privacy, Policy (SPP).
The proposal addresses the Chancellor’s OE goal of cost savings through risk reduction. Data breaches, even minor ones, are expensive. A recent campus breach that impacted 35 credit card numbers stored only on paper resulted in $50,000 of breach response expenses.
D. Estimated Start Date: 7/1/2011
E. Estimated Completion Date: 6/30/2012
Name Unit Email
Sponsor(s)1 Shelton Waggener OCIO shelw@berkeley.edu
Functional Owner2 Ann Geyer OCIO:SPP ageyer@berkeley.edu Project Manager3 New Hire OCIO:SPP
Budget Contact4 Sarita Dixit OCIO sarita@berkeley.edu
G. Give a summary of the IT Bank funding being requested:
FY 2011-12 IT Bank funding request Total (all years) IT Bank funding request $700,000 $1.5 million (includes prior funding for the DSR
program in FY09 and FY10)
II.Statement of need and proposed solution
A. Identify and describe what needs the proposed solution is seeking to address
(e.g., a software upgrade is necessary because the version currently in use is no longer supported).
Prevent Data Breaches & Improve Data Stewardship
The Chancellor has assigned a high priority to preventing data breaches. The campus is at risk because it has not generally revised its basic security practices to guard against current and emerging security threats.
More than half the campus units maintain notice triggering data, some with very limited IT resources. Many unit data systems were meant to be temporary solutions operating in standalone environments, but over time were extended in scope and scale without attention to security.
The number of web applications on campus continues to grow as units strive to increase operational efficiency through the use of technology. However, that growth introduces additional risk to campus data. According to the FBI, web applications have become one of the top vectors for data theft. With over 275 individual developers, most of whom have no formal security training, the campus has a serious risk that if unassessed will remain unaddressed.
Increase Compliance with Payment Card Industry (PCI) Data Security Standards The campus has over 150 units that accept some type of credit card payment which makes them subject to the PCI Data Security Standard. Units must self-assess and attest to their PCI compliance without sufficient awareness of requirements and without adequate
monitoring to ensure compliant behavior. More units are using web applications for credit
1 The Sponsor is defined as one who has authority (often an executive of the organization) to assign resources, help the project manager overcome roadblocks to the successful development of the solution, and enforce decisions regarding the solution.
2 The Functional Owner is defined as one who oversees the ongoing operation of the service or system created by the solution.
3 The Project Manager is defined as the person assigned by the Sponsor to achieve the solution development’s objectives.
card transactions and interfacing to campus enterprise systems. A breach involving PCI data may have devastating financial consequences for the campus. (cont’d)
Increase Effectiveness of Security Solutions
Without good risk assessment data, the campus cannot optimize security investments to address actual campus or unit risks. And, data proprietors need to understand security risks in order to make informed decisions about data management.
B. Describe the solution that is being proposed to meet the identified need(s).
The Campus Security Assessment Program expands the original DSR into a three-tiered approach for conducting data security risk assessments to identify and rate campus systems based on their risk characteristics; review and assess the adequacy of current security practices; recommend actionable plans for remediation; and promote ongoing risk management.
• Tier 1 is a validated self-assessment of general security practices. This method is used to decide whether a more detailed assessment is warranted. It is also a key component of working with unit management to understand and incorporate risk management practices into standard operations.
• Tier 2 is a facilitated (in-person) assessment of risk and control gaps. This tier is used for units that have limited IT support; small footprint systems; or are
launching new applications where the risk profile needs to be established. The key outcomes are a clearly defined risk profile for the unit, a risk register for the data system, and an actionable plan to reduce unnecessary security risk and comply with existing campus security policy.
• Tier 3 is the detailed technical security review. This level is conducted for large pockets of notice triggering data, merchants in higher risk PCI categories, or units that have elevated concerns for data security because of regulation or contractual obligations.
The three-tiered approach allows us to conduct more assessments because the effort level and technical skills are much less for the tier 1 (validated) and 2 (facilitated). For unit management less familiar with security risk management methods, the tiered approach allows us to begin risk discussions at the most appropriate technical level.
We also have integrated Tier 1 and Tier 2 assessments into other security programs managed by SPP. For example, any unit applying for approval to collect and retain SSN data will be required to complete the Tier 1 self-assessment which will be validated by a DSR team member. Based on this high level assessment, SPP will consult with the unit about whether a more detailed level of assessment is warranted. In conjunction with Billing and Payment Services, we will be assessing all campus merchants using Tier 1-2-3 to validate the FY11 Campus PCI Attestation. We are in discussions with the OE PMO to integrate the security assessment methodology into project management procedures to ensure that security risks are identified and addressed in new data projects.
III. Impact and strategic alignment
A. Alignment to OE. Describe how the proposed solution aligns with the Chancellor’s Organizational Effectiveness (OE, http://www.berkeley.edu/oe/) goals.
The Campus Security Assessment Program closely aligns with the Chancellor’s OE initiatives in that risk reduction is a recurring theme embedded in each of the seven individual initiatives.
The Campus Security Assessment Program reduces the likelihood of data breaches by identifying security and data management weaknesses, educates unit management on how to minimize its notice triggering data footprint, supports unit IT staff in identifying effective security practices, and increases overall campus security efficiency and effectiveness by using the consolidated risk assessment results to identify common security needs and compensating solutions.
B. Benefits. Identify any other anticipated benefits in implementing the proposed solution (e.g., Will the solution avert a system failure? Eliminate a compliance risk?).
Key Benefits of a Campus Security Assessment Program
• Focuses unit and campus management attention and security resources on the most critical data security risks
• Helps units become risk aware and mature their understanding of risk management techniques
• Enables better communication of campus security risks across all units
• Provides a platform for building standard security solutions that optimizes costs across data systems and simplifies deployment requirements
• Develops a common language and framework for data management and risk decision making
• Improves compliance with privacy laws, regulations and campus policies
C. Beneficiaries. Describe the constituency that is intended to benefit from the proposed solution (e.g., number of people, systems, or departments).
This program benefits all campus units and all individuals from whom the campus collects personally identifiable information. The program supports both unit management and IT personnel in developing their risk management skills and identifying ways to reduce risk. D. Collaboration. Describe the extent to which this proposed solution is a collaborative effort either within campus or with external partners.
The Campus Security Assessment Program has several prominent campus partners. Billing and Payment Services is assisting the CPSO to introduce risk assessment into the campus merchant community and will be participating in Tier 1 (validated) and Tier 2 (facilitated) assessments by providing payment processing subject matter expertise. Student Services is partnering by utilizing the same risk assessment methodology and integrating risk assessment requirements into new project approvals. The Student Services security officer will be trained and function as a risk assessment team member. The three student clinics—health, optometry, and mental health—will utilize the program to assess its security compliance obligations. Overtures are underway with the
Committee for Protection of Human Subjects to partner with risk assessment activities for the research community and with OE PMOs office to integrate security assessment into new project management.
E. Extensibility. If applicable, describe how this initiative may enable additional projects to be considered (e.g., Could the solution be extended to serve other constituents on campus or could other projects be built on top of this one?).
This proposal describes several areas in which the program is already being integrated into central IT programs. A proven security assessment program consisting of methodology, training materials, procedures, templates, and performance metrics is readily exportable to other campuses.
IV. Work plan and proposed solution design
A. Deliverables and Constraints. Provide a statement of:
• Deliverables — results the solution must deliver to achieve the stated objectives. • Constraints — factors that may limit the options for providing the solution (e.g., an
inflexible deadline). Deliverables
The Campus Security Assessment Program is intended to be a 1 year intensive program to jumpstart campus risk management by assessing at least half of all campus units using the most appropriate tier level. The consolidated assessment data then creates a foundation for defining a multi-year security program and continuing to build risk awareness sensitivity and responsiveness among data owners, data users, and IT support staff.
The specific program deliverables are:
• Fully documented risk assessment methodologies for each of the three tiers • Online self-assessment tool
• A minimum of five trained risk assessment facilitators • 50 Tier 1 validated risk assessments
• 30 Tier 2 facilitated risk assessments • 20 Tier 3 detailed technical assessments
• A fully vetted UC Berkeley 2011 PCI Attestation Report Constraints
Skilled resources
• The program relies on the availability of an outsource contract to acquire sufficient resources to conduct and complete the assessment deliverables. Access to a pool of pre-trained, ready-to-go assessment specialists is critical to accomplishing the planned deliverables in a 12-month time frame.
Campus Cooperation
• The program relies on successfully establishing good working relationships with campus unit management. Risk assessments must be seen as a means to
characterize and manage unit risk and not merely a requirement that carries cost and inconvenience without compensating value delivered.
Unit Mitigation
• Security mitigation responsibility rests with campus units supported by effective security programs and IT support services. This program assists campus units in identifying their most pressing security risks and developing responsive mitigation programs. Ongoing monitoring and mitigation compliance responsibility will be part of ongoing security operations.
B. Milestones. Provide a work plan for the proposed solution with high-level steps to complete the solution, including timeline. (Try to limit your plan to no more than seven steps.)
Milestone Timeline
1. Hire dedicated staff for the assessment program July 2011 2. Contract for external resources August 2011 3. Complete initial facilitator training August 2011 4. Define program communications material and
begin distributing information to unit management.
Sept 2011
5. Conduct tiered assessments Monthly schedule starting in Sept 6. Produce quarterly risk profile reports Oct, Dec, Mar, June
7. Determine funding model for ongoing operational
support Feb 2012
C. Core technology categories are listed in the table below followed by examples for each category. Use the column on the right to describe all technologies (including versions) that are included in the proposed solution.
Core technology category Examples Specific technology proposed for this solution (include version)
Other technology not listed This program will utilize security assessment and remediation software acquired under the DSR program.
It will also evaluate
commercially available security management information systems such as RSA Archer for ongoing security risk
management and metric reporting capability.
D. Staffing. Provide detail on the anticipated staffing for this solution, including the project manager. How will the staffing needs be filled (e.g., from your staff, contract staff, vendor, etc.) If applicable, describe how you will provide backfill for existing staff being assigned to the solution development.
Role How the role will be filled (including backfill) 1. Program Oversight Ann Geyer, CPSO
2 Technical leads SPP security analyst Matt Wolf-existing DSR program staff;
SPP security analyst—new hire
interns are trained as facilitators and conduct security assessments under the guidance of program staff; at end of rotation, return to home units to support and reinforce risk management practices
4. T2-T3 PCI assessment
specialists SPP security analysts and Outsource contract 5. T3 technical specialists, e.g.,
DBA specialist, application development specialist, pen testing
IST recharge; outsource contract
E. Risks. Describe any known risks associated with undertaking this proposed solution (e.g., staff resources have not been identified yet; system involves sensitive data; the technology is new to the campus) and how you plan to reduce or eliminate the risk.
Risk Mitigation plan
1. Unit cooperation Broadly communicate program goals, objectives, and benefits to unit management. Engage support from key Vice Chancellors. Use
testimonials from DSR clients. Use data breach cost data to clarify potential risk savings. ]
2. Partial funding granted Reduce scope of program
3. No funding granted Change course to education program to develop awareness; work with cooperative units on a case by case basis; focus on articulating data stewardship roles and responsibilities. V. Funding model and budget
A. Narrative. Provide a high-level narrative overview of the funding model and expense budget.
This proposal is a one-year intensive assessment program that builds on the previous work and success of the Data Security Review (DSR) program. There are three funding sources for this proposal in FY11: OCIO:SPP contributions ($100K), Billing and Payment Services contributions ($25K), and IT Bank funding ($700K for FY11 and a projected $227K in Carryforward from the FY10 DSR program).
The planning for this proposal included a number of work sessions with key campus stakeholders in IT, Finance, Administration, Compliance, and Student Services. The consensus input was to use centralized funding to launch a campus security assessment program, introduce management to the approach, provide direct value and then move to a risk-based funding model.
B. Partial Funding Implications. Could the proposed solution move forward with partial funding? If yes, describe the revised scope, including the associated dollar impact.
Yes. A reduction in funding would directly impact the scope of the program and the timing of individual assessment deliverables. The most expensive part of the program is the detailed technical security reviews (based on the DSR program). Reduced funding would be addressed by putting more emphasis on using T1 assessments to assign an initial risk category which would be the basis of shifting costs directly onto individual units. An
attempt would be made to identify units to volunteer staff for T2 facilitator training to keep that aspect of the program viable.
If the funding is significantly reduced, the program would be redesigned. It would change to an education and awareness program. Activities would be designed to educate campus data owners and work with existing unit support functions—such as PMO.
C. Sustainable Funding Plan. What is the plan for sustainable funding to support ongoing operations after IT Bank funding ends (i.e., how will ongoing staff support, software
licenses/maintenance/upgrade costs, hardware maintenance, and replacement costs, etc. be funded)?
OCIO:SPP has developed a prototype recharge funding model for supporting campus security operations. This funding model is based on a sliding scale fee structure that decreases in portion to the risk reduction activities of the unit. The model has been reviewed and approved by the IST Budget Office and is ready for implementation once the campus Recharge Committee has approved it.
Once the new Common Good funding model is developed and approved by the campus, we will evaluate whether the ongoing security risk assessment qualifies. The Campus Risk Management, now part of Compliance, is working on non-IT risk assessment funding support and we are interested in developing a common approach for the campus at large. D. Financial (Revenue/Cost) Deliverables. If the proposed solution is expected to realize
savings or revenue, describe the savings or expected increase in revenue (in general, detail is required Section VI below), plans for reinvesting the resources, and How this impacts the funding model.
The proposal does not expect to produce any direct revenue or cost savings.
As a risk reduction program, it will improve the cost-effectiveness of future IT security investments by linking such decisions to risk reduction objectives; it will enable evidence based security decisions that help avoid over or under spending; and it will motivate a proactive attention to risk management that encourages early problem identification that permits resolution before breaches occur or security risks are baked into system design or operations.
Please download and fill out the Funding Model and Budget Excel spreadsheets located at https://technology.berkeley.edu/planning/it-budget/fy-2010-11/ and follow the instructions on the first worksheet in the workbook. Include both completed sheets, the funding model and the line item descriptions, with this packet in your budget submission.
VI. Assessment Plan
Note. This section has been substantially revised this year as part of the campus’ effort to utilize metrics in evaluating the success of activities. For an extensive example, please refer to the sample ITFR application found on the ITFR FY 2010-11 page,
UC Berkeley is currently operating under a severe budget constraint. The campus must give the highest priority to projects that significantly improve its performance as described by the OE initiative. Funded projects must deliver specific and measurable benefits that enable the campus to make the best use of resources to serve our core missions of teaching and
research. In categories VI.A through VI.G, please provide the metrics that describe the current state of the campus operation and the performance improvements that the campus will receive by investing in the project. Also describe the method used to assess each metric. If a metric that is pertinent to your project is not included here, describe it in VI.H.
Use the space below to list describe in detail any assumptions concerning financial data, e.g., salary and benefits expenses. Please specify sources where possible.
A. Assessment Plan and Financial Assumptions Assessment Plan
Program management is committed to tracking the key milestones as a means of
demonstrating the program is achieving its stated objectives. In addition, OCIO:SPP has a separate security measurement program in progress that will be used to evaluate improvements to campus security that are directly or indirectly associated with this proposed program. The metric program will collect and consolidate assessment results and produce management oriented dashboard reports.
Program metrics are one of the proposed milestones and thus are not yet clearly defined; however the metrics are intended to report campus status and trending data in the following areas:
1. Assessment program objectives: Average cost/assessment
Management satisfaction about value and benefits Degree of knowledge transfer to unit operations 2. Risk reduction objectives:
Decreases in critical system and operational vulnerabilities Increase compliance levels to campus security standards
Increased use of security and privacy by design development principles 3. Risk awareness and management orientation
Increased requests for assessments initiated directly by unit management Quality of business and IT communications and jointly engaged decisionmaking (measured via surveys)
Increase unit participation in campus data stewardship and security oversight governance vehicles.
Financial Assumptions
Salaries—actual salaries are used for current SPP program employees; midpoint salary levels are used for new hires; intern salaries are managed as a fixed allotment
Benefits: the FY12 benefit ratio is 37% No of Assessments and Level of Effort
T3 Assessments 125 hrs/average 75 hrs
Infrastructure costs: based on BAIRS actuals for OCIO/IST average costs Software Licenses: renewals based on actual costs
Outsource Contract: cost estimates based on ROI information collected in Jan 2011; as well as analysis data from PCI Council and Gartner Group.
Training Costs: includes training for CISSP certification for unit interns and refresher PCI DSS training for program career staff
Please use the tables below to detail your metrics. Financial savings
Current annual operational expenses N/A New (or expected) annual operational
expense N/A
Net operational savings N/A
Describe what your projected savings are based on, e.g., reduction in X staff @ $, no need for X software/hardware @ $
N/A
Date when savings will be realized, if one-time, and/or dates with amounts over time if savings are on-going
N/A
Increased revenue (please note if the revenue is local with no net gain to the campus, e.g., internal recharge – or if it’s new to the campus – e.g., through contracts, grants and/or auxiliaries)
Current annual revenue N/A
New (or expected) annual revenue N/A
Net increase in revenue N/A
Describe what your projected revenues are based on, e.g., grants and/or contracts for the campus expected by when in what amount(s)
N/A
Date when increased revenues will be realized, if one-time, and/or dates with amounts over time if increases in revenue are on-going
N/A
Current annual number of transactions
processed N/A
Current average processing time per
transaction N/A
Number of members of the campus
community that currently use the service N/A Annual number of transactions processed
after the project is completed N/A Average transaction processing time per
transaction after the project is completed
N/A Number of members of the campus
community that will use or provide the service after project completion
N/A
Improved data security
What data are currently at risk: the types of data, including whether or not there are restricted data; the volume of data, e.g., number of records; and the number and categories of impacted members of the campus community, e.g., students, faculty, and/or staff
The proposed program is intended to assess the security risks to campus data systems containing notice triggering data as well as student, research, and copyrighted data that would negatively impact the campus’s reputation with key stakeholders if a security breach occurred. A
conservative estimate, based on best available data, indicates that more than 2/3 of all campus units maintain such data.
What federal laws, state laws, and/or University policies the campus must comply with to protect these data
Federal Requirements. Security risk assessment is the cornerstone
requirement of most federal data protection requirements. The most prevalent and pervasive data security standards are those promulgated by the FTC and applied to financial data under SOX and GLB; medical data under HIPAA, FDA, and Medicare
Reimbursements; and to individually identified consumer data under FCRA and the FTC Unfair and Deceptive Practices regulations.
FTC Scrutiny. With the campus’s growing dependence on web
applications, any significant data breach of personal information will subject us to FTC scrutiny raising the potential for a long-term consent decree, supervision of our data practices, and significant
transparency to UCOP and campus policy compliance. It incorporates requirements from IS-2; IS-3; IS-11; IS-12 as well as our two Minimum Security Standards for network devices and electronic information.
Improved quality of service to members of the campus community
What campus community satisfaction issues/concerns/needs the project is designed to address
Program expects to increase unit management familiarity with basic security risk awareness and
management provisions. How this information will be gathered, e.g.,
through surveys, user groups, explicit management goals
Information will be collected via the assessment activities and by survey How the campus will measure whether the
quality of the service has improved Quality of service is defined as unit management perception of the benefit and value of security assessments as a management decision making. This will be measured using the metric program previously discussed.
Regulatory compliance
What federal and state laws or policies the new service created by the project will allow the campus to comply with
Same as the data security description.
The number and types of impacted members of the campus community, e.g., students, faculty, and/or staff
Same as the data security description.
Section V.E. Part 1: Multi-Year Sustainable IT Funding Model and Budget
Campus Security Assessment Program (formerly DSR)
FY 07-08 FY 08-09 FY 09-10 FY 10-11 FY 11-12 FY 12-13 FY13-14 FY14-15
1 OCIO 13,000 80,000 100,000 193,000
2 Billing & Payment Services 25,000 25,000
3 IT Loan and payback (project) 0
4 Grant or other (specify) 0
5 IT Bank Funding (project) 700,000 175,000 700,000 1,575,000
6 Other (specify) 0
7 Total funding 0 0 713,000 255,000 825,000 0 0 0 1,793,000
FY 07-08 FY 08-09 FY 09-10 FY 10-11 FY 11-12 FY 12-13 FY13-04 FY14-15
8 Salaries 103,000 293,000 528,000 924,000
9 Benefits @ actual rate 24,000 87,000 205,250 316,250
10 Supply & Expense 22,000 4,000 35,000 61,000
11 Infrastructure services (backup, storage, co-location, network nodes, desktop support, etc.) 10,000 6,000 21,000 37,000
12 Software licenses/upgrades/maintenance 94,000 15,000 75,000 184,000
13 Hardware purchase and refresh 0
14 Hardware maintenance 0
15
Contract/consulting services (project
management, development consultants,
etc.)(non-salary) 41,000 27,000 175,000 243,000
16 Office space 0
17 Training & Travel 5,000 3,000 12,000 20,000
18 Other costs: specify 7,000 7,000
19 Total expenses 0 0 299,000 442,000 1,051,250 0 0 0 1,792,250
20 FUNDING LESS EXPENSES 0 0 414,000 -187,000 -226,250 0 0 0 750
21 Carryforward 0 0 414,000 227,000 0 0
Cumulative Total
Cumulative Total Funding Model: Sources
(round to the nearest $1,000)
Line # Expenses (round to nearest $1,000) PROJECTED ACTUAL ACTUAL PROJECTED
Title Description Line
# Funding Model Sources
1
OCIO:SPP $100K to provide oversight, unit outreach, mitigation management; risk awareness; and performance
metrics;
2 Billing & Payment Services $25K partner contribution to support program initiation
3 IT Loan and payback (project) 4 Grant or other (specify)
5 IT Bank Funding (project) $700K primary funding of baseline campus risk assessment
6 Other (specify) 7 Total Funding
Expense Budget
8 Salaries (including Project Manager, if applicable) $528K -- 2 FTE Security Analyst IV; 3 FTE Data Security Interns
9 Benefits @30% or actual rate $205K--37% - FY11-12
10 Supply & Expense $35K -- general office supplies
11
Infrastructure services (backup, storage,
co-location, network nodes, desktop support, etc.) $21K -- in office equipment, software, & services 12
Software licenses/upgrades/maintenance
$75K in ongoing security software license fees 13 Hardware purchase and refresh
14 Hardware maintenance 15
Contract/consulting services (project management,
development consultants, etc.) $175K for contract resources to supply specialized skillsets 16 Office space
17 Training & Travel $12K for security training
18 Other costs: specify 19 Total Expenses
Funds Less Expenses
20 Funds Less Expenses
21 Carryforward FY 10-11 Carryforward due to key staff leaving the University and related slowdown in implementation. 22 Cumulative Total
Briefly describe the sources and uses specified below. Explain significant changes over time. Reference examples in Instruction worksheet or sample IT Funding Request.
