
Institutional Insurance: Creating a Comprehensive Campus-wide IT Security Risk Management Program

Institutional Insurance: Creating a Comprehensive Campus-wide IT Security Risk Management Program. Brian Davis, IT Security & Policy, Office of Information Technologies, University of Virginia. Mid-Atlantic EDUCAUSE, January 2005.


Presentation Transcript


  1. Institutional Insurance: Creating a Comprehensive Campus-wide IT Security Risk Management Program • Brian Davis, IT Security & Policy, Office of Information Technologies, University of Virginia • Mid-Atlantic EDUCAUSE - January 2005

  2. Why is managing IT security risks important? • More colloquially: What’s your institution’s threshold for pain? • Do you want failure to deal with a particular risk to end up on the front page of the local – or national – newspaper?

  3. Why? Financial consequences of failing to do so • Institutions and their units must protect heavy IT investments • Increasing reliance on IT to provide mission-critical academic, instructional and administrative functions

  4. Why? Threats to IT assets are only getting worse • Higher education’s network infrastructure is both a direct target and a source of hijacked bandwidth (compromised campus hosts used to attack others) • IT security efforts are required at all network levels, which is difficult to manage • More sophisticated and dangerous exploits and attacks are released daily • Potential for terrorist attacks or natural disasters

  5. Solution: IT Security Risk Management Program • Strong support of executive management • Design team composed of members from throughout the University to develop a comprehensive, centralized program • Identify common IT security risks and put together a process and templates for departments to use • Individual departments review those common risks and determine what additional department-specific risks exist for inclusion in the process

  6. ITS-RM includes • IT Mission Impact Analysis • IT Risk Assessment • IT Mission Continuity Planning • Evaluation and Reassessment

  7. Implementation • New University policy requires all departments to participate in the program • The University identified a number of key departments responsible for completing their process sooner rather than later (a "Top 5" and a "Top 10" list) • Full implementation will take three years

  8. Ownership • Although the program includes instructions, templates and guidance, the department needs to own the risk management process • Departments have to do the work of risk management • Only departments know their mission, what assets are critical to that mission, how to prioritize resources to address those assets and how best to get back up and functioning following a disaster

  9. Process • Departments complete the process and return a report to the central repository • High-level review of the departments' reports to ensure quality; follow-up may be necessary to address key issues • Both departmental administrative/business and technical leaders must be involved • Department head approves the final report • The Security and Policy Office assists departments in understanding the process and getting started on their report

  10. Tools, Templates, Guidance • The tools, templates and supplemental information created by the University as part of its IT Security Risk Management program are available in Microsoft Word, Adobe PDF and HTML formats at http://www.itc.virginia.edu/security/riskmanagement/ • Let’s see what they look like…

  11. Goals and How We Got There • Elevate IT security risk management to a top priority • Establish an ongoing series of tactical operational processes that incorporate most current thinking on security threats and appropriate safeguards • Provide proactive mechanisms for tracking frequency of assessments and plans and for assuring quality and consistency

  12. Goals and How We Got There • Ensure limited resources for IT security across the organization are focused efficiently on most important needs • Help comply with various external IT security standards, including HIPAA, GLBA and FERPA • Scale a huge scope to a reasonable level of effort for departments

  13. Goals and How We Got There • Gain support from management and technical staff • Include appropriate stakeholders in the process • Form implementation plan • Build further awareness of security issues at the management level • Incorporate IT risk management thinking more deeply into our culture

  14. Future Directions • Committed to routinely enhance the guidance • Increase automation • Use the information to help identify needs for new centralized solutions

  15. More information • Brian Davis, bdavis@virginia.edu • http://www.itc.virginia.edu/security/riskmanagement
