
U.Va.’s IT Security Risk Management Program ( ITS-RM)


Presentation Transcript


  1. U.Va.’s IT Security Risk Management Program (ITS-RM)
     April 2004 LSP Conference
     Brian Davis
     OIT, Security and Policy

  2. IT Security Risk Management Program (ITS-RM)
     • Announcing the roll out of version 1.0
     • Will assist departments in appropriately protecting their IT assets

  3. Why? IT Security Risk Management
     It’s not just a “best practice,” it’s a good idea!

  4. Good News
     • Most of you are already doing most of what you need to be doing
     • Program provides tools to make identification and prioritization of the rest easier
     • Be prepared when your department’s administrators come to you for assistance

  5. What’s Risk Management?
     Formally defined: “The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.”

  6. More simply put…
     “Determine what your risks are and then decide on a course of action to deal with those risks.”

  7. Even more colloquially…
     What’s your threshold for pain? Do you want failure to deal with this risk to end up on the front page of the Daily Progress?

  8. Risk Management Practices
     Conduct a mission impact analysis and risk assessment to:
     • Identify various levels of sensitivity associated with information resources
     • Identify potential security threats to those resources

  9. Risk Management Practices (cont.)
     Conduct a mission impact analysis and risk assessment to:
     • Determine the appropriate level of security to be implemented to safeguard those resources
     • Review, reassess and update as needed or at least every 3 years

  10. Risk Management Practices (cont.)
     • Coordinated and integrated with contingency planning and mission resumption activities
     • Mission continuity plan that will provide reasonable assurance that critical data processing support can be continued or resumed within an acceptable time frame if normal operations are interrupted

  11. University Level
     • Design university-wide program for analysis, assessment & planning
     • Identify general security threats & provide other guidance material
     • Oversee completion of department level analysis, assessment, planning efforts
     • Complete yearly analysis & assessment for enterprise systems; update enterprise business continuity regularly

  12. Departmental Level
     • Identify sensitive department system data, assets & threats to those data, assets
     • Determine appropriate safeguards & form plan for implementing them
     • Complete U.Va. templates at least every three years & when computing environment changes significantly

  13. Brief Description
     ITC implementing a University-wide IT Security Risk Management Program for:
     • IT Mission Impact Analysis
     • IT Risk Assessment
     • IT Mission Continuity Planning
     • Evaluation and Reassessment

  14. What Has Been Done
     • ITC conducts a yearly business analysis and risk assessment for directly managed resources; updates its business continuity plan more often
     • Similar planning occurred across the University as part of the Y2K initiative
     • Comptroller’s Office collects information on the existence–but not quality–of security-related plans
     • Audit Department includes review of security plans during routine departmental audits
     • ITC’s departmental security self-assessment checklist (part of security awareness program)

  15. Why That’s Not Enough
     • Y2K business continuity plans not updated
     • No mechanisms for tracking the frequency of updates, quality and consistency
     • No central repository for safeguarding assessment and planning documents
     • No university-level procedure dealing explicitly with ongoing IT security risk management
     • Non-compliant with state standards or HIPAA and GLBA

  16. Responsibilities
     • ITC
     • Health System
     • Audit Department
     • Other Offices
     • The Departments…

  17. Executive Support
     • Strong executive support has been a key success factor at other institutions
     • Executives fully behind program at U.Va.
     • University policy requiring participation in the program is coming
     • Encouragement from LSPs will also be necessary as many department heads will not fully appreciate the need for IT security assessment and planning

  18. Let’s look at an example…

  19. It’s good for you!
     • Risk management makes you more efficient
     • Risk management helps you make your case
     • Risk management has got your back

  20. It’s not as painful as it looks!
     • No one will be starting from scratch
     • Little is expected from those with little, more is expected from those with more
     • The templates are designed for the most complex situations but work for simple solutions, too

  21. ITS-RM Roll Out
     • Version 2.0 coming soon…
     • Top 5 by end of year
     • Next 5 by next summer
     • Encourage other departments to get moving

  22. You’re Not Alone...
     • ITC can’t do it for you
     • Available to consult
     • Meet to explain process
     • Service consultations if we have solutions that fill a gap

  23. For More Information...
     http://www.itc.virginia.edu/security/riskmanagement
     Brian Davis, bdavis@virginia.edu, 243-8707
     Shirley Payne, payne@virginia.edu, 924-4165
