
University of Guelph1 CANHEIT 2012 Building the Digital University What’s Out There? Building a Central IT Repository.



Presentation transcript:

Slide 1: University of Guelph, CANHEIT 2012, Building the Digital University. What’s Out There? Building a Central IT Repository

Slide 2: Welcome! Presentation Goal/Format

Slide 3: Agenda
– Introduction
– Learning Objectives
– Why have a Central IT Repository?
– What are we @Guelph Trying to Do?
– How are we Building IT?
– Learning Objectives (Details)
– Wrap-up

Slide 4: (no text transcribed)

Slide 5: Introduction
– Guelph’s IT organization/culture
– IT Governance
– 50% distributed/decentralized
– What about Me? My portfolio

Slide 6: Why are you here? Are you thinking about:
– IT Risk management?
– IT contingency planning?
– Compliance (PCI, FIPPA)?

Slides 7–11: Learning Objectives (built up one point per slide)
– Recognize the value of a central IT Repository
– Understand the basic requirements for IT risk management
– Learn how Guelph’s approach combines application, services and people information
– Take away ideas for valuable metrics
– Consider visibility and sustainability challenges

Slides 12–15: WHY build a Repository? It’s the right thing to do! (if you’re trying to manage risk)
Inventory of IT Assets is a foundational component of any IT security program!
– What do we need to protect?
– Who is responsible?
– Who are we dependent on?

Slides 16–20: WHY build a Repository? Risk management standards/frameworks
The starting point is always identifying IT assets!
– ISO 27002 (clauses 7.1 & 7.2): Clause 7.1 Responsibility for Assets; Clause 7.2 Information Classification
– SANS “20 critical security controls”: #1 Inventory of authorized devices; #2 Inventory of authorized software
– NIST SP 800-60
– PCI DSS (requirements 9 & 12): Where is cardholder data stored?

Slides 21–22: WHAT Are We Building?
What it is: The IT Repository is an on-line web-accessible inventory of the University’s IT Assets and the human resources who have a specific relationship with the Assets. A ‘high level’ catalogue of IT application systems and infrastructure services.
What it isn’t: A physical hardware inventory (CMDB) with device/configuration details, nor is it an end-user targeted IT Service Catalogue. It is not an asset management system for tracking acquisition costs, licensing, obsolescence, etc.

Slides 23–28: Repository Goals
– Gain University-wide visibility of existing applications and infrastructure services
– Identify system and service ownership and accountability
– Identify systems which store sensitive information or have special compliance requirements (e.g. PCI DSS)
– Encourage collaboration and leveraging of resources and expertise
– Identify duplication and redundancy (show interconnections)
– (new) Enable improved management responsiveness to potential disruptions and incidents

Slides 29–30: IT Assets
Current ‘beta’ Repository has two tables (Assets and People). Asset table has two types:
– Applications (transaction-processing systems)
– Infrastructure ‘services’ (e.g. backup/recovery)
I’m thinking about:
– A third asset type for academic/research (e.g. labs)
– A third table for documenting IT Controls

Slide 31: IT Asset Attributes
– Attributes are chosen for high-level risk management, not for ITSM (service management).
– Currently twenty-two attributes (see hand-out)
– Attributes become metrics when summarized, allowing identification and analysis of areas of risk.
– Current list of attributes has been reviewed and accepted by our senior IT governance committee (ITSC).

Slides 32–33: (no text transcribed)

Slides 34–36: IT People Records
Identify ‘IT People’ who are ‘related’ to Assets (i.e. who is accountable, who/where is IT support).
Identifies the individual’s role in relation to IT:
– Executive Sponsor
– System Owner
– Primary (& alternate) Technical Support
People record attributes:
– Title, department, contact information
– Emergency contact info (provided by individual)
– Date Last Updated (& updated by)

Slide 37: (no text transcribed)

Slides 38–40: HOW Do We Build it? Some History
– Remember Y2k? Initial CIO focus was mainly ‘information architecture’ (slide 39: discovering extent of “inter-connectedness”)
– Build vs Buy: CIO keen on trying a SaaS approach; we flip-flopped a couple of times
– Low-key; keep it simple

Slides 41–42: HOW Do We Build it? Current Status
– Stabilizing a ‘beta’ version of code and data structure
– Populating the tables based on Central (CIO’s Office) knowledge
– Previewing to selected stakeholders
– Roll-out on hold pending secure authentication
Nice-to-haves:
– Identifying Assets not yet acquired but desired (i.e. IT demand)
– Highlighting Assets which are ‘evolving’ (e.g. major upgrades)
– Formal executive sponsorship

Slides 43–46: 1. Recognize the value of a central IT Repository of IT Assets and IT ‘People’
Visibility (always a good starting point)
– Enable informed decision-making and information sharing
– Highlight important risk-related information such as: technical support staff and 3rd-party dependencies; storage of sensitive data (compliance requirements); e-commerce (PCI compliance requirements)
Accountability
– Who is responsible? Connect IT Assets and People
Contingency Planning
– Emergency preparedness
– Incident response
IT Asset Security ‘Profiling’ (i.e. individual asset risk assessments)
– Where is this Asset Hosted?
– Who is responsible for technical support?
– Are we scanning this Asset for vulnerabilities?

Slide 47: 2. Understand the basic requirements for IT Risk Management
Risk Management Defined: A 3-phase process of identifying risk, assessing risk, and taking action to reduce risk to an acceptable (residual) level.
Risk Defined: The function of the likelihood of a given threat exploiting a vulnerability and the resulting impact of that adverse event.
Risk assessment starts with characterizing or classifying systems (assets) as to their overall criticality (e.g. financial impact, data sensitivity). The risk factors are the ‘attributes’ we want to gather for each system.

Slides 48–53: 2. Understand the basic requirements for IT Risk Management
– Requirement #1 = Asset Identification.
– Requirement #2 = gathering risk-related attributes. Ranking/classifying assets with highest risk impact ‘scores’.
– Requirement #3 = identifying applicable controls.
– Requirement #4 = estimate likelihood of vulnerabilities being exploited.
– Requirement #5 = Accept residual risk?
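The five requirements above, and the slide 47 definition of risk as a function of likelihood and impact, can be carried through on a handful of assets. The following Python is an added example written for this transcript; it is not code from the presentation or from the University of Guelph. The presentation gives no scoring formula, so the weights, the 1–3 financial-impact scale, the product of impact and likelihood, the High/Medium/Low thresholds, the acceptable residual level and the sample assets are all assumptions constructed for illustration; the attributes themselves (sensitive data, e-commerce, remote hosting, vulnerability scanning, technical support) are the ones the slides name.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One row of the Assets table, reduced to the risk attributes used below."""
    name: str
    financial_impact: int      # 1 (low) to 3 (high); assumed scale
    sensitive_data: bool       # processes or stores "sensitive data"
    ecommerce: bool            # performs e-commerce (PCI DSS in scope)
    third_party_hosted: bool   # hosted remotely / "in the cloud"
    vuln_scanned: bool         # "Are we scanning this Asset for vulnerabilities?"
    technical_support: bool    # primary technical support recorded in the People table


def impact_score(asset: Asset) -> int:
    """Criticality (Requirement #2): financial impact plus data sensitivity.
    The weights are assumptions; the talk gives no formula. Range 1..9."""
    score = asset.financial_impact
    if asset.sensitive_data:
        score += 3
    if asset.ecommerce:
        score += 3
    return score


def applicable_controls(asset: Asset) -> list:
    """Requirement #3: controls that apply, derived from the asset's attribute gaps."""
    controls = []
    if not asset.vuln_scanned:
        controls.append("vulnerability scanning")
    if not asset.technical_support:
        controls.append("assign primary technical support")
    if asset.third_party_hosted:
        controls.append("3rd-party contract / SLA review")
    if asset.ecommerce:
        controls.append("PCI DSS requirements 9 & 12")
    return controls


def likelihood_score(asset: Asset, applied=frozenset()) -> int:
    """Requirement #4: likelihood of exploitation, assumed to rise by one for
    every applicable control that is not yet in place. Range 1..5."""
    gaps = [c for c in applicable_controls(asset) if c not in applied]
    return 1 + len(gaps)


def risk_score(asset: Asset, applied=frozenset()) -> int:
    """Risk as a function of likelihood and impact (here simply their product)."""
    return impact_score(asset) * likelihood_score(asset, applied)


def classify(score: int) -> str:
    """Assumed thresholds for the 'scores' used to rank/classify assets."""
    if score >= 20:
        return "High"
    if score >= 10:
        return "Medium"
    return "Low"


def residual_risk_accepted(score: int, acceptable_level: int = 10) -> bool:
    """Requirement #5: is the residual risk at or below the acceptable level?"""
    return score <= acceptable_level


def rank_assets(assets, applied=None) -> list:
    """Rank assets by risk score, highest first. `applied` maps an asset name to
    the set of controls already in place, so the same call yields residual risk."""
    applied = applied or {}
    rows = []
    for asset in assets:
        done = applied.get(asset.name, frozenset())
        score = risk_score(asset, done)
        rows.append({"asset": asset.name, "impact": impact_score(asset),
                     "likelihood": likelihood_score(asset, done),
                     "risk": score, "class": classify(score)})
    rows.sort(key=lambda r: r["risk"], reverse=True)
    return rows


# Constructed sample assets; not real University of Guelph systems.
SAMPLE_ASSETS = [
    Asset("Student Information System", 3, True, False, False, True, True),
    Asset("Campus Bookstore Web Shop", 2, True, True, True, False, True),
    Asset("Departmental Lab Booking Tool", 1, False, False, True, False, False),
    Asset("Backup/Recovery Service", 3, True, False, True, True, True),
]

if __name__ == "__main__":
    for row in rank_assets(SAMPLE_ASSETS):
        print(row)
    # Residual risk for the web shop once two of its four applicable controls are in place
    in_place = {"Campus Bookstore Web Shop": frozenset(
        {"vulnerability scanning", "PCI DSS requirements 9 & 12"})}
    residual = rank_assets(SAMPLE_ASSETS, in_place)[0]
    print(residual, "accepted:", residual_risk_accepted(residual["risk"]))
```

With the sample data the web shop ranks first (impact 8, three open controls, risk 32, High); after scanning and the PCI work are recorded as applied its residual risk is 16, still above the assumed acceptable level of 10, which is the point at which Requirement #5 becomes a management decision rather than a calculation. The lab tool has the most open controls but the lowest impact and so ranks last; this is why the slides put attribute gathering and impact classification before likelihood.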

Slide 54: 3. How Guelph’s approach combines application, infrastructure services and ‘people’ information to enable contingency planning and incident response
– We’ve covered the Why, What, and How.
– Contingency planning: executive management responsibility
– Disruption of IT services is a major enterprise risk
– Repository info informs the contingency planning process
– Security ‘Profiling’ (drilling down). More Examples (risk attributes)

Slides 55–61: 4. Ideas for Valuable Metrics
– # of systems/services utilizing 3rd-party service providers
– # of systems hosted remotely or “in the cloud”
– Pct of systems centrally supported
– Pct of systems centrally funded
– # of systems performing ‘e-commerce’
– # of systems processing/storing “sensitive data”
– # of systems/services supported by vendor ‘x’

Slides 62–63: 5. Visibility and Sustainability Challenges
Political and Cultural:
– Pinpointing accountability is not welcomed by some!
– Transparency/visibility is not welcomed by some!
– Differing views of various stakeholders
– Resistance to providing detailed attribute information
Administrative Challenges:
– How to keep contact info up-to-date?
– Synchronization with other sources/directories
– Identifying individuals by Bargaining Group

Slide 64: 5. Visibility and Sustainability Challenges
Responding to Challenges: still a plan/strategy!!
– Provide reasons/value for visiting, utilizing, and updating the Repository
– Track (and follow-up) the ‘freshness’ of information in the Repository
– Mandate (via Policy)

Slide 65: CONCLUSION. Did I succeed with the five learning objectives? Questions?

Slide 66: CONTACT
D. Douglas Badger CGA CISA CGEIT CRISC
– Director, Systems Assurance and IT Portfolio Management
– Office of the CIO: http://www.uoguelph.ca/cio
– http://www.uoguelph.ca/cio/content/portfolio-management-office
– Telephone: 519-824-4120 (ext. 52830)

Slides 67–69: (no text transcribed)

