Brian Markham Director, DIT Compliance and Risk Services May 1, 2014


1 Brian Markham Director, DIT Compliance and Risk Services May 1, 2014

2 Introduction
IT Compliance and Risk
UMD grad (BA and MBA)
Seven years in IT at UMD
Seven years in consulting (KPMG, PwC)
New-ish to GW (November ’13)

3 Agenda
Three things:
The business of IT (an overview)
Compliance
Risk

4 The Business of IT

5 Why do we have IT?
You

6 Why do we have IT?
You. IT. Awesome!

7 How do we succeed?
Compliance
Risk
Application Development
Customer Support
Operations
Security
Strategic Planning
Governance

8 IT is about…
Users/Customers
Understanding the business
Understanding requirements
Implementing technology that meets requirements to enable the business
Perspective/vision of the future
Planning, strategy, execution
Fun!

9 But…
IT is complicated
IT folks aren’t experts in all things
Different users have different needs
Business/requirements change
Technology changes (fast)

10 Role of Compliance and Risk
Meet requirements (contracts, laws, policy)
Ensure that confidential data is protected
Ensure that data cannot be altered
Ensure that systems are available
Understand and manage risk
Ensure that services can be offered that are secure and meet requirements
Services are “fit for use”

11 Compliance

12 GW and Compliance
Family Educational Rights and Privacy Act (FERPA)
Federal Information Security Management Act (FISMA)
Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry Data Security Standard (PCI DSS)
University Policies
Contracts and Agreements

13 How Do We Achieve Compliance?
Understand the requirements
Identify stakeholders
Review controls and the “as-is” state
Reference control guidance and best practices
Assess controls: Test of Design, Test of Operating Effectiveness
Document gaps, identify corrective actions
Continuous monitoring

14 In other words…
Deming Cycle: Plan, Do, Check, Act
Plan for Compliance
Implement Controls
Assess Controls
Corrective Actions

15 Compliance Challenges
Understanding
Expensive
It’s hard
Compliance ≠ Security!

16 Risk

17 What is Risk?
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Impact × Probability = Risk Priority

18 Quantifying Risk
It’s not easy
Data-driven “gut feel”
Use data where possible:
Outages/Downtime
Revenue Lost
Performance vs. SLAs
Performance of KPIs
Historical Data

19 Lots of Risk!
Compliance Risk
Financial Risk
Human Resource Risk
Operations Risk (Availability)
Project Risk
Reputation Risk
Safety Risk
Security Risk
Vendor Risk

20 Where do we start?
Governance!
Process and documentation
Outreach and buy-in
Identify, track and mitigate risks
Prioritize
Continuous improvement

21 Risk Management Challenges
You don’t know what you don’t know
Incentives to not report
Risks can be expensive
IT is complicated

22 Risk Management Tools
Governance Risk & Compliance (GRC) tool
Risk Register
Assessment methodologies
Risk Assessments
Control catalogs
Configuration Management Database (CMDB)
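As an added illustration of slides 17, 18 and 22 (example code, not part of the presentation): a small risk register in Python that applies Impact × Probability = Risk Priority, with the probability estimated from historical outage counts rather than gut feel. The field names, the rule-of-three fallback for risks with no recorded incidents, the dollar thresholds for the High/Medium/Low bands and the sample entries are all assumptions made for the example.

```python
"""Minimal risk register: Impact x Probability = Risk Priority, with the
probability derived from historical outage data instead of gut feel.
Added example; field names, thresholds and sample risks are assumptions."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    category: str            # e.g. "Security Risk", "Operations Risk"
    incidents: int           # events observed in the window
    window_years: float      # length of the observation window (years)
    hours_down: float        # expected downtime per event (hours)
    revenue_per_hour: float  # revenue lost per hour of downtime (assumed)

    def annual_rate(self) -> float:
        """Events per year. Zero observed events is not a rate of zero
        ("you don't know what you don't know"): the rule of three gives a
        95% upper bound of about 3 events per window, so use that instead."""
        if self.incidents == 0:
            return 3.0 / self.window_years
        return self.incidents / self.window_years

    def probability(self) -> float:
        """Probability of at least one event in the next year, treating
        events as a Poisson process with the estimated annual rate."""
        return 1.0 - math.exp(-self.annual_rate())

    def impact(self) -> float:
        """Dollar impact of a single event (downtime x revenue per hour)."""
        return self.hours_down * self.revenue_per_hour

    def priority(self) -> float:
        """Impact x Probability = Risk Priority, here in expected dollars
        of loss per year."""
        return self.impact() * self.probability()


# Qualitative bands on the numeric score; the cut-offs are assumptions.
BANDS = ((100_000.0, "High"), (10_000.0, "Medium"), (0.0, "Low"))


def band(score: float) -> str:
    """Map a priority score to the first band whose floor it reaches."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "Low"


def prioritize(register):
    """Return (name, band, priority) tuples, highest priority first, so the
    register can be worked top-down."""
    ranked = sorted(register, key=lambda r: r.priority(), reverse=True)
    return [(r.name, band(r.priority()), round(r.priority(), 2)) for r in ranked]


# Constructed sample register; the numbers are illustrative, not real data.
SAMPLE_REGISTER = [
    Risk("LMS outage", "Operations Risk",
         incidents=6, window_years=3, hours_down=8, revenue_per_hour=2_000),
    Risk("Payment gateway breach", "Security Risk",
         incidents=0, window_years=5, hours_down=72, revenue_per_hour=5_000),
    Risk("Vendor SaaS downtime", "Vendor Risk",
         incidents=2, window_years=2, hours_down=1, revenue_per_hour=500),
]

if __name__ == "__main__":
    for name, level, score in prioritize(SAMPLE_REGISTER):
        print(f"{level:6} {score:>12,.2f}  {name}")
```

The zero-incident fallback is the part worth noticing: a breach that has never been observed would otherwise score zero and drop off the register, which is exactly the blind spot slide 21 warns about (you don't know what you don't know, and there are incentives not to report). Any conservative estimate is better than silently treating an unreported risk as absent.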

23 Summary
Compliance and risk management is a critical piece of IT management
Understand the compliance landscape
Understand the risk landscape
We are all risk managers!

24 For More Information
Contact Brian Markham at or

