U.Va.’s IT Security Risk Management Program (ITS-RM) April 2004 LSP Conference Brian Davis OIT, Security and Policy.


1 U.Va.’s IT Security Risk Management Program (ITS-RM)
April 2004 LSP Conference
Brian Davis, OIT, Security and Policy

2 IT Security Risk Management Program (ITS-RM)
- Announcing the roll out of version 1.0
- Will assist departments in appropriately protecting their IT assets

3 Why? IT Security Risk Management. It’s not just a “best practice,” it’s a good idea!

4 Good News
- Most of you are already doing most of what you need to be doing
- Program provides tools to make identification and prioritization of the rest easier
- Be prepared when your department’s administrators come to you for assistance

5 What’s Risk Management?
Formally defined: “The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.”

6 More simply put… “Determine what your risks are and then decide on a course of action to deal with those risks.”

7 Even more colloquially… What’s your threshold for pain? Do you want failure to deal with this risk to end up on the front page of the Daily Progress?

8 Risk Management Practices
Conduct a mission impact analysis and risk assessment to:
1. Identify various levels of sensitivity associated with information resources
2. Identify potential security threats to those resources

9 Risk Management Practices (cont.)
Conduct a mission impact analysis and risk assessment to:
3. Determine the appropriate level of security to be implemented to safeguard those resources
4. Review, reassess and update as needed or at least every 3 years

10 Risk Management Practices (cont.)
- Coordinated and integrated with contingency planning and mission resumption activities
- Mission continuity plan that will provide reasonable assurance that critical data processing support can be continued or resumed within an acceptable time frame if normal operations are interrupted

11 University Level
- Design university-wide program for analysis, assessment & planning
- Identify general security threats & provide other guidance material
- Oversee completion of department level analysis, assessment, planning efforts
- Complete yearly analysis & assessment for enterprise systems; update enterprise business continuity regularly

12 Departmental Level
- Identify sensitive department system data, assets & threats to those data, assets
- Determine appropriate safeguards & form plan for implementing them
- Complete U.Va. templates at least every three years & when computing environment changes significantly

13 Brief Description
ITC implementing a University-wide IT Security Risk Management Program for:
- IT Mission Impact Analysis
- IT Risk Assessment
- IT Mission Continuity Planning
- Evaluation and Reassessment

14 What Has Been Done
- ITC conducts a yearly business analysis and risk assessment for directly managed resources; updates its business continuity plan more often
- Similar planning occurred across the University as part of the Y2K initiative
- Comptroller’s Office collects information on the existence–but not quality–of security-related plans
- Audit Department includes review of security plans during routine departmental audits
- ITC’s departmental security self-assessment checklist (part of security awareness program)

15 Why That’s Not Enough
- Y2K business continuity plans not updated
- No mechanisms for tracking the frequency of updates, quality and consistency
- No central repository for safeguarding assessment and planning documents
- No university-level procedure dealing explicitly with ongoing IT security risk management
- Non-compliant with state standards or HIPAA and GLBA

16 Responsibilities
- ITC
- Health System
- Audit Department
- Other Offices
- The Departments…

17 Executive Support
- Strong executive support has been a key success factor at other institutions
- Executives fully behind program at U.Va.
- University policy requiring participation in the program is coming
- Encouragement from LSPs will also be necessary as many department heads will not fully appreciate the need for IT security assessment and planning


19 Let’s look at an example…

20 It’s good for you!
- Risk management makes you more efficient
- Risk management helps you make your case
- Risk management has got your back

21 It’s not as painful as it looks!
- No one will be starting from scratch
- Little is expected from those with little, more is expected from those with more
- The templates are designed for the most complex situations but work for simple solutions, too

22 ITS-RM Roll Out
- Version 2.0 coming soon…
- Top 5 by end of year
- Next 5 by next summer
- Encourage other departments to get moving

23 You’re Not Alone...
- ITC can’t do it for you
- Available to consult
- Meet to explain process
- Service consultations if we have solutions that fill a gap

24 For More Information...
http://www.itc.virginia.edu/security/riskmanagement
Brian Davis, bdavis@virginia.edu, 243-8707
Shirley Payne, payne@virginia.edu, 924-4165
