Institutional Insurance: Creating a Comprehensive Campus-wide IT Security Risk Management Program
Brian Davis
IT Security & Policy, Office of Information Technologies
University of Virginia
Mid-Atlantic EDUCAUSE - January 2005

Why is managing IT security risks important?
• More colloquially: What’s your institution’s threshold for pain?
• Do you want failure to deal with a particular risk to end up on the front page of the local – or national – newspaper?
Why? Financial consequences of failing to do so
• Institutions and their units must protect heavy IT investments
• Increasing reliance on IT to provide mission-critical academic, instructional and administrative functions
Why? Threats to IT assets are only getting worse
• Higher education’s network infrastructure is both a direct target and a source of hijacked bandwidth
• IT security efforts are required at all network levels -- difficult to manage
• More sophisticated and dangerous exploits and attacks are released daily
• Potential for terrorist attacks or natural disasters

Solution: IT Security Risk Management Program
• Strong support of executive management
• Design team composed of members from throughout the University to develop a comprehensive, centralized program
• Identify common IT security risks and put together a process and templates for departments to use
• Individual departments review those common risks and determine what specific risks exist for inclusion into the process

ITS-RM includes
• IT Mission Impact Analysis
• IT Risk Assessment
• IT Mission Continuity Planning
• Evaluation and Reassessment

Implementation
• New University policy requires all departments to participate in the program
• University identified a number of key departments responsible for completing their departments’ process sooner rather than later -- Top 5, Top 10
• Full implementation will take three years

Ownership
• Although the program includes instructions, templates and guidance, the department needs to own the risk management process
• Departments have to do the work of risk management
• Only departments know their mission, what assets are critical to that mission, how to prioritize resources to address those assets and how best to get back up and functioning following a disaster
Process
• Departments complete the process and return a report to the central repository
• High-level review of the departments' reports to ensure quality; follow-up may be necessary to address key issues
• Both departmental administrative/business and technical leaders must be involved
• Department head approves the final report
• Security and Policy Office assists departments in understanding the process and getting started on completing their report
Tools, Templates, Guidance
• The tools, templates and supplemental information created by the University as part of its IT Security Risk Management program are available in Microsoft Word, Adobe PDF and HTML formats at http://www.itc.virginia.edu/security/riskmanagement/
• Let’s see what they look like…

Goals and How We Got There
• Elevate IT security risk management to a top priority
• Establish an ongoing series of tactical operational processes that incorporate the most current thinking on security threats and appropriate safeguards
• Provide proactive mechanisms for tracking the frequency of assessments and plans and for assuring quality and consistency

Goals and How We Got There
• Ensure limited resources for IT security across the organization are focused efficiently on the most important needs
• Help comply with various external IT security standards, including HIPAA, GLBA and FERPA
• Scale a huge scope to a reasonable level of effort for departments

Goals and How We Got There
• Gain support from management and technical staff
• Include appropriate stakeholders in the process
• Form an implementation plan
• Build further awareness of security issues at the management level
• Incorporate IT risk management thinking more deeply into our culture

Future Directions
• Committed to routinely enhancing the guidance
• Increase automation
• Use the information to help identify needs for new centralized solutions

More information
Brian Davis
bdavis@virginia.edu
http://www.itc.virginia.edu/security/riskmanagement