Institutional Insurance: Creating a Comprehensive Campus-wide IT Security Risk Management Program Brian Davis IT Security & Policy Office of Information.
Institutional Insurance: Creating a Comprehensive Campus-wide IT Security Risk Management Program
Brian Davis, IT Security & Policy, Office of Information Technologies, University of Virginia
Mid-Atlantic EDUCAUSE - January 2005

Why is managing IT security risks important?
- More colloquially: what's your institution's threshold for pain?
- Do you want failure to deal with a particular risk to end up on the front page of the local – or national – newspaper?

Why? Financial consequences of failing to do
- Institutions and their units must protect heavy IT investments
- Increasing reliance on IT to provide mission-critical academic, instructional and administrative functions

Why? Threats to IT assets are only getting worse
- Higher education's network infrastructure is both a direct target and a source of hijacked bandwidth
- IT security efforts are required at all network levels -- difficult to manage
- More sophisticated and dangerous exploits and attacks are released daily
- Potential for terrorist attacks or natural disasters

Solution: IT Security Risk Management Program
- Strong support of executive management
- Design team composed of members from throughout the University to develop a comprehensive, centralized program
- Identify common IT security risks and put together a process and templates for departments to use
- Individual departments review those common risks and determine what specific risks exist for inclusion in the process

ITS-RM includes
- IT Mission Impact Analysis
- IT Risk Assessment
- IT Mission Continuity Planning
- Evaluation and Reassessment

Implementation
- New University policy requires all departments to participate in the program
- University identified a number of key departments responsible for completing their departments' process sooner rather than later -- Top 5, Top 10
- Full implementation will take three years

Ownership
- Although the program includes instructions, templates and guidance, the department needs to own the risk management process
- Departments have to do the work of risk management
- Only departments know their mission, what assets are critical to that mission, how to prioritize resources to address those assets, and how best to get back up and functioning following a disaster

Process
- Departments complete the process and return a report to the central repository
- High-level review of the departments' reports to ensure quality; follow-up may be necessary to address key issues
- Both departmental administrative/business and technical leaders must be involved
- Department head approves the final report
- Security and Policy Office assists departments in understanding the process and getting started on completing their report

Tools, Templates, Guidance
- The tools, templates and supplemental information created by the University as part of its IT Security Risk Management program are available in Microsoft Word, Adobe PDF and HTML formats at riskmanagement/
- Let's see what they look like…

Goals and How We Got There
1. Elevate IT security risk management to a top priority
2. Establish an ongoing series of tactical operational processes that incorporate the most current thinking on security threats and appropriate safeguards
3. Provide proactive mechanisms for tracking the frequency of assessments and plans and for assuring quality and consistency

Goals and How We Got There (continued)
4. Ensure limited resources for IT security across the organization are focused efficiently on the most important needs
5. Help comply with various external IT security standards, including HIPAA, GLBA and FERPA
6. Scale a huge scope to a reasonable level of effort for departments

Goals and How We Got There (continued)
7. Gain support from management and technical staff
8. Include appropriate stakeholders in the process
9. Form an implementation plan
10. Build further awareness of security issues at the management level
11. Incorporate IT risk management thinking more deeply into our culture

Future Directions
- Committed to routinely enhancing the guidance
- Increase automation
- Use the information to help identify needs for new centralized solutions

More information
Brian Davis
riskmanagement