University of Washington

2014 Information Security and Privacy Report CISO

Issue link: http://uwashington.uberflip.com/i/509241


THE "ASSUMPTION OF BREACH" AND OUR RISK MANAGEMENT FRAMEWORK

We are doing things differently in our strategic approach to protecting the University of Washington's information assets. We manage all related risks based on what we term the "assumption of breach." We believe that the smartest and most effective options for protecting information are to deploy practices and measures that anticipate successful attacks against the UW's network-hosted systems and data.

Cybersecurity has become the most serious challenge of the information age. We are constantly reminded of it in the news. Sophisticated, persistent, and successful cyberattacks that compromise intellectual property, institutional systems, and personal information have become ubiquitous, and they are difficult to thwart.

Over the last several years, adversaries have gained significant strategic advantages. They are extremely motivated and have effective technical tools. They are highly skilled and well trained. Many of them have considerable resources and funding. They have no laws or rules to follow. Their work is highly rewarding and carries little or no risk.

Those defending information assets are lagging behind their adversaries for many reasons. Frustrating and burdensome compliance requirements and out-of-date operating and technical standards diminish the value and effectiveness of traditional approaches. Additionally, current security programs are largely standards-based and reflect an unrealistic "one size fits all" mentality. To make matters worse, those outdated standards are often used as a blueprint for cyberattacks.

Over the last several years the Office of the Chief Information Security Officer (CISO) has adopted a new empirical approach based on real conditions, University objectives, and risk appetites. We believe this approach allows us to be more adaptable and nimble, and helps us clearly identify priorities for our limited resources.

This pragmatic "assumption of breach" methodology challenges traditional practices. It also requires a new understanding of what constitutes "due care" for both potential institutional liabilities and compliance obligations.

[Timeline: 2000 - UW engages consultant on information security and privacy risks; 2001 - Consultant develops information security and privacy policy]

"The Office of the CISO's assumption of breach methodology is a pragmatic approach that supports the University by balancing risks and creating situational awareness about critical information assets and sophisticated cyberattacks. It challenges traditional security and privacy practices."

2014 INFORMATION SECURITY AND PRIVACY ANNUAL REPORT 1
