
IT Risk Management in Government
Jonathan Smith, Sr. Risk Manager, Commonwealth Security and Risk Management
October 1, 2013
www.vita.virginia.gov

Presentation transcript:

Slide 1: IT Risk Management in Government
Jonathan Smith, Sr. Risk Manager
Commonwealth Security and Risk Management
October 1, 2013

Slide 2: Agenda
Introduction
Background
–Virginia Information Technologies Agency
–Commonwealth Security and Risk Management
–Information Security and Reporting
Measuring Commonwealth Risk
Governance, Risk Management, and Compliance

Slide 3: Virginia Information Technologies Agency
Statewide IT infrastructure for in-scope government entities
Prior to VITA there were 90+ independent, autonomous IT shops
IT infrastructure partnership (Commonwealth of Virginia & Northrop Grumman)
Approx. 58,000 PCs, 3,500 servers, 60,000 accounts, over 2,000 circuits and 2 data centers
Centralized oversight of IT projects, security, procurement, standards, policy and procedures

Slide 4: Commonwealth Security and Risk Management
Security Operations
–Operations and architectural design
Security Governance
–Policies, standards and procedures
–IT security audit program
–VITA ISO duties
Risk Management
–Commonwealth Risk Management program
–Business impact analysis
–Risk assessments
–IT security incident response

Slide 5: § § Additional duties of the CIO relating to security of government information.
C. The CIO shall annually report to the Governor, the Secretary, and General Assembly those executive branch and independent agencies and institutions of higher education that have not implemented acceptable policies, procedures, and standards to control unauthorized uses, intrusions, or other security threats. For any executive branch or independent agency or institution of higher education whose security audit results and plans for corrective action are unacceptable, the CIO shall report such results to (i) the Secretary, (ii) any other affected cabinet secretary, (iii) the Governor, and (iv) the Auditor of Public Accounts. Upon review of the security audit results in question, the CIO may take action to suspend the public body's information technology projects pursuant to § , limit additional information technology investments pending acceptable corrective actions, and recommend to the Governor and Secretary any other appropriate actions. The CIO shall also include in this report (a) results of security audits, including those state agencies, independent agencies, and institutions of higher education that have not implemented acceptable regulations, standards, policies, and guidelines to control unauthorized uses, intrusions, or other security threats and (b) the extent to which security standards and guidelines have been adopted by state agencies.

Slide 6: Annual Report on Information Security
Assessment of the Commonwealth information security program:
Legislative requirement beginning in 2008
CIO annually reports to the Governor, Cabinet Secretaries, and General Assembly on:
–Agency Information Security Programs
–Agency Risk Management Programs
–Agency IT Security Audit Programs
–Commonwealth Operational Security
–IT Security Incidents

Slide 7: Understanding Commonwealth Risk
Business Impact Analysis:
–Identify primary and critical organizational business processes
–Identify the IT systems those business processes rely on
–Identify Recovery Time Objectives (RTO)
–Identify Recovery Point Objectives (RPO)
–Rate the business process for availability impact on life, safety, legal requirements, regulations, customer service and sensitive data if the business process, or the IT systems supporting it, are unavailable

Slide 8: Understanding Commonwealth Risk
Risk Assessments:
–Identify the sensitivity of the IT system (confidentiality, integrity, and/or availability)
–Assess the implementation of controls
–Identify threats and potential risks
–Rate the risks
–Determine the probability of threat occurrence
–Determine the potential impact if the threat occurs
–Identify mitigating controls
–Determine and implement mitigating controls
–Determine residual risk: create findings and corrective actions when residual risk is too high

Slide 9: IT Security Audits
Internal Audit, APA Audit, External (contractor)
–Identify security audit findings
–Create corrective action/remediation plans for findings
–Track the remediation of the findings until closed
–Validate remediation
Vulnerability Scanning
Operational findings

Slide 10: What have we learned from the Annual Report?
IT security and audit resources are not adequate across the Commonwealth as a whole
Agencies are not properly planning for information security requirements
Unless agency executives understand the impact of the risk carried, the decisions they make could result in adverse consequences

Slide 11: Next steps for CSRM
Moving to a risk-based information security program
Currently implementing a Governance, Risk Management and Compliance (GRC) tool
Make risk recommendations for where to invest resources across the Commonwealth
Adhere to a set level of risk tolerance across the Commonwealth

Slide 12: How Does CSRM Measure Agency Risk?
Risk levels are primarily based on findings
–Can come from any source: security audit, risk assessment, operational data, etc.
Finding criticality level is based on several factors, examples include:
–Business process criticality level
–Confidentiality of the data
–Criticality of the application affected
–Likelihood of occurrence
–Magnitude of impact
–Length of time the finding has been open
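Slides 8 and 12 describe a scoring model in words: rate residual risk as probability times impact, open a finding when it exceeds tolerance, weight each finding by the criticality of the data and business process it touches and by how long it has stayed open, then roll findings up per agency to see who is carrying too much risk. The following is an added illustration of that model in working code, not CSRM's actual scoring or GRC configuration. The three-point ordinal scales, the context weighting, the age bands, the rating thresholds, the tolerance values and the agency names and findings are all constructed assumptions chosen to show the mechanics.

```python
"""Finding-based risk scoring in the style described on slides 8 and 12.

Added illustration only: the scales, weights, age bands, thresholds and the
sample findings below are assumptions, not the Commonwealth's actual model.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

# Assumed three-point ordinal scale shared by every factor.
ORDINAL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    finding_id: str
    agency: str
    source: str                 # "audit", "risk_assessment", "operational", ...
    likelihood: str             # probability of threat occurrence
    impact: str                 # magnitude of impact if the threat occurs
    data_confidentiality: str   # confidentiality of the data involved
    process_criticality: str    # criticality of the business process / application
    opened: date
    closed: Optional[date] = None   # None while remediation is still open


def residual_risk(likelihood: str, impact: str) -> int:
    """Slide 8: rate the risk as probability x impact on 1..3 scales (range 1..9)."""
    return ORDINAL[likelihood] * ORDINAL[impact]


def needs_finding(likelihood: str, impact: str, tolerance: int = 4) -> bool:
    """Residual risk above the assumed tolerance gets a finding and corrective action."""
    return residual_risk(likelihood, impact) > tolerance


def age_multiplier(opened: date, as_of: date) -> float:
    """Assumed bands: the longer a finding stays open, the more it weighs."""
    days = (as_of - opened).days
    if days <= 90:
        return 1.0
    if days <= 180:
        return 1.25
    if days <= 365:
        return 1.5
    return 2.0


def finding_criticality(f: Finding, as_of: date) -> float:
    """Slide 12 factors combined: residual risk x data/process context x age."""
    context = (ORDINAL[f.data_confidentiality] + ORDINAL[f.process_criticality]) / 2
    end = f.closed or as_of  # a closed finding stops accruing age
    return residual_risk(f.likelihood, f.impact) * context * age_multiplier(f.opened, end)


def rating(score: float) -> str:
    """Assumed thresholds mapping the 1..54 score range onto four levels."""
    if score >= 27:
        return "critical"
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def agency_open_risk(findings: Iterable[Finding], as_of: date) -> Dict[str, float]:
    """Sum the criticality of still-open findings per agency (slide 16 roll-up)."""
    totals: Dict[str, float] = {}
    for f in findings:
        if f.closed is None:
            totals[f.agency] = totals.get(f.agency, 0.0) + finding_criticality(f, as_of)
    return totals


def over_tolerance(totals: Dict[str, float], tolerance: float = 30.0) -> List[str]:
    """Agencies whose carried risk exceeds the assumed Commonwealth tolerance."""
    return sorted(agency for agency, total in totals.items() if total > tolerance)


# Constructed sample findings; agencies and dates are hypothetical.
AS_OF = date(2013, 10, 1)
SAMPLE_FINDINGS = [
    Finding("F-001", "Agency A", "audit", "high", "high", "high", "high", date(2013, 1, 15)),
    Finding("F-002", "Agency A", "risk_assessment", "low", "medium", "low", "medium", date(2013, 9, 10)),
    Finding("F-003", "Agency A", "operational", "medium", "high", "medium", "medium",
            date(2013, 3, 1), closed=date(2013, 8, 1)),
    Finding("F-004", "Agency B", "audit", "medium", "medium", "medium", "high", date(2012, 6, 1)),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        score = finding_criticality(f, AS_OF)
        state = "closed" if f.closed else "open"
        print(f"{f.finding_id} {f.agency:<9} {state:<6} score={score:5.1f} {rating(score)}")
    totals = agency_open_risk(SAMPLE_FINDINGS, AS_OF)
    print("open risk per agency:", totals)
    print("over tolerance:", over_tolerance(totals))
```

Two design points carry over to any real GRC configuration: closed findings stay in the record (the audit trail slide 9 asks for) but drop out of the carried-risk total, and the age multiplier is what turns a long-ignored medium finding into an executive-level number, which is the lever slide 16 uses when recommending that IT investments be restricted until remediation is underway.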

Slide 13: Governance, Risk Management and Compliance (GRC) Tool
Why GRC?
Integrate the existing IT security programs and processes into a single centralized tool
Provide a better understanding of the risks that Commonwealth agencies carry
Provide agency and Commonwealth executives an understanding of where resources should be allocated to manage risk

Slide 14: Governance, Risk Management and Compliance (GRC) Tool
What is captured in the GRC tool?
Business Processes
Applications
IT Security Audit Program
Information Risk Assessments
Findings
Remediation Plans
IT Security Incidents
Security Exceptions

Slide 15: Additional Benefits of a GRC Tool
Advanced Reporting
Dashboards
IT Asset Inventory
Control & Policy Library
Questionnaires/Assessments

Slide 16: What will CSRM do with the tool?
Enhance reporting capabilities
–Identify agencies carrying too much risk
–Monitor remediation of risk at agencies
–Show progress of agencies remediating risk
–Identify operational issues increasing agency risk
Make recommendations based on risk
–Recommendations to the AITR, ISO, agency head, secretary, and/or Commonwealth CIO
–Can include a recommendation to restrict IT investments until acceptable remediation is in place, underway, planned, or complete

Slide 17: What Challenges Has CSRM Faced?
Normalizing data
–Data comes from multiple sources: agency ISO, agency Internal Audit, agency Information Technology department, infrastructure partnership, other VITA data sets
Agency buy-in
User training

Slide 18: Questions?
Jonathan Smith, Senior Risk Manager
Commonwealth Security and Risk Management
Virginia Information Technologies Agency (VITA)
