Friday, February 12, 2010

TRAC: C3.1: Risk assessment

C3.1 Repository maintains a systematic analysis of such factors as data, systems, personnel, physical plant, and security needs.

Regular risk assessment should address external threats and denial of service attacks. These analyses are likely to be documented in several different places, and need not be comprehensively contained in a single document.

Evidence: ISO 17799 certification; documentation describing analysis and risk assessments undertaken and their outputs; logs from environmental recorders; confirmation of successful staff vetting.

ICPSR performs regular risk assessment using a variety of techniques.

One, on a purely technological level, ICPSR analyzes its security exposure through regular vulnerability scans that are conducted by the University of Michigan's Information Technology Security Services (ITSS) team. This includes participation in a mandatory, quarterly, campus-wide scan, and also an optional, monthly, detailed scan of our own network.

Two, ICPSR and its parent organization, the Institute for Social Research (ISR), undergo periodic Information Technology audits that are conducted by the University of Michigan's Office of University Audits. These are comprehensive assessments of physical and electronic security.

Three, ICPSR and its parent organization, ISR, conduct two risk evaluation projects each year to assess risks and vulnerabilities in IT infrastructure. The most recent one undertaken by ICPSR was in 2009, and the focus was on research data security.

Four, ICPSR, again along with ISR, participates in an annual review and refresh of an organization-wide IT security plan. This is a comprehensive evaluation of vulnerabilities, strengths, and resources related to security; it flows into a University of Michigan central repository of security plans, and is also reviewed by the leadership of ISR.

Five, ICPSR also participated in the Center for Research Libraries Auditing and Certification of Digital Archives Project "test audit" in 2005-2006. This audit reviewed a broad spectrum of functions and services at ICPSR (including IT), and produced a publicly available report. The report was very favorable to ICPSR:

Auditors found an organization with a mature, fully operational archive. ICPSR as an organization has a 44-year history of growing and managing a large (at the time of the audit 2.3 Terabytes) data archive of valuable content with a virtually unblemished record in data management and access. The future prospects of both the organization and the data appear favorable, due to a combination of sound financial management and planning, multiple sources of revenue, robust reporting and accountability mechanisms, and sound technical decisions related to processes, procedures, and formats.

In summary, ICPSR conducts risk assessment - particularly technological risk assessment - in a variety of ways on a routine basis.
