Presentation is loading. Please wait.

Presentation is loading. Please wait.

Institutional Insurance: Creating a Comprehensive Campus-wide IT Security Risk Management Program Brian Davis IT Security & Policy Office of Information.

Similar presentations


Presentation on theme: "Institutional Insurance: Creating a Comprehensive Campus-wide IT Security Risk Management Program Brian Davis IT Security & Policy Office of Information."— Presentation transcript:

1 Institutional Insurance: Creating a Comprehensive Campus-wide IT Security Risk Management Program Brian Davis IT Security & Policy Office of Information Technologies University of Virginia Mid-Atlantic EDUCAUSE - January 2005

2 Why is managing IT security risks important? More colloquially: What’s your institution’s threshold for pain? More colloquially: What’s your institution’s threshold for pain? Do you want failure to deal with a particular risk to end up on the front page of the local – or national – newspaper? Do you want failure to deal with a particular risk to end up on the front page of the local – or national – newspaper?

3 Why? Financial consequences of failing to do Institutions and their units must protect heavy IT investments Institutions and their units must protect heavy IT investments Increasing reliance on IT to provide mission-critical academic, instructional and administrative functions Increasing reliance on IT to provide mission-critical academic, instructional and administrative functions

4 Why? Threats to IT assets are only getting worse Higher education’s network infrastructure is both a direct target and a source of hijacked bandwidth Higher education’s network infrastructure is both a direct target and a source of hijacked bandwidth IT security efforts are required at all network levels -- difficult to manage IT security efforts are required at all network levels -- difficult to manage More sophisticated and dangerous exploits and attacks are released daily More sophisticated and dangerous exploits and attacks are released daily Potential for terrorist attacks or natural disasters Potential for terrorist attacks or natural disasters

5 Solution: IT Security Risk Management Program Strong support of executive management Strong support of executive management Design team composed of members from throughout the University to develop a comprehensive, centralized program Design team composed of members from throughout the University to develop a comprehensive, centralized program Identify common IT security risks and put together a process and templates for departments to use Identify common IT security risks and put together a process and templates for departments to use Individual departments review those common risks, determine what specific risks exist for inclusion into the process Individual departments review those common risks, determine what specific risks exist for inclusion into the process

6 ITS-RM includes IT Mission Impact Analysis IT Mission Impact Analysis IT Risk Assessment IT Risk Assessment IT Mission Continuity Planning IT Mission Continuity Planning Evaluation and Reassessment Evaluation and Reassessment

7 Implementation New University policy requires all departments to participate in the program New University policy requires all departments to participate in the program University identified a number of key departments responsible for completing their departments’ process sooner rather than later -- Top 5, Top 10 University identified a number of key departments responsible for completing their departments’ process sooner rather than later -- Top 5, Top 10 Full implementation will take three years Full implementation will take three years

8 Ownership Although the program includes instructions, templates and guidance, the department needs to own the risk management process Although the program includes instructions, templates and guidance, the department needs to own the risk management process Departments have to do the work of risk management Departments have to do the work of risk management Only departments know their mission, what assets are critical to that mission, how to prioritize resources to address those assets and how best to get back up and functioning following a disaster Only departments know their mission, what assets are critical to that mission, how to prioritize resources to address those assets and how best to get back up and functioning following a disaster

9 Process Departments complete process and return a report to the central repository Departments complete process and return a report to the central repository High level review of the departments' reports to ensure quality; follow up may be necessary to address key issues High level review of the departments' reports to ensure quality; follow up may be necessary to address key issues Both departmental administrative/business and technical leaders must be involved Both departmental administrative/business and technical leaders must be involved Department head approves final report Department head approves final report Security and Policy Office assists in understanding the process and getting started on completing their report Security and Policy Office assists in understanding the process and getting started on completing their report

10 Tools, Templates, Guidance The tools, templates and supplemental information created by the University as part of its IT Security Risk Management program are available in Microsoft Word, Adobe PDF and HTML formats at The tools, templates and supplemental information created by the University as part of its IT Security Risk Management program are available in Microsoft Word, Adobe PDF and HTML formats at riskmanagement/ Let’s see what they look like… Let’s see what they look like…

11 Goals and How We Got There 1. Elevate IT security risk management to a top priority 2. Establish an ongoing series of tactical operational processes that incorporate most current thinking on security threats and appropriate safeguards 3. Provide proactive mechanisms for tracking frequency of assessments and plans and for assuring quality and consistency

12 Goals and How We Got There 4. Ensure limited resources for IT security across the organization are focused efficiently on most important needs 5. Help comply with various external IT security standards, including HIPAA, GLBA and FERPA 6. Scale a huge scope to a reasonable level of effort for departments

13 Goals and How We Got There 7. Gain support from management and technical staff 8. Include appropriate stakeholders in the process 9. Form implementation plan 10. Build further awareness of security issues at the management level 11. Incorporate IT risk management thinking more deeply into our culture

14 Future Directions Committed to routinely enhance the guidance Committed to routinely enhance the guidance Increase automation Increase automation Use the information to help identify needs for new centralized solutions Use the information to help identify needs for new centralized solutions

15 More information Brian Davis riskmanagement


Download ppt "Institutional Insurance: Creating a Comprehensive Campus-wide IT Security Risk Management Program Brian Davis IT Security & Policy Office of Information."

Similar presentations


Ads by Google