1 www.vita.virginia.gov IT Risk Management in Government Jonathan Smith Sr. Risk Manager Commonwealth Security and Risk Management October 1, 2013 www.vita.virginia.gov.

1 IT Risk Management in Government
Jonathan Smith, Sr. Risk Manager
Commonwealth Security and Risk Management
October 1, 2013

2 Agenda
Introduction
Background
–Virginia Information Technologies Agency
–Commonwealth Security and Risk Management
–Information Security and Reporting
Measuring Commonwealth Risk
Governance, Risk Management, and Compliance

3 Virginia Information Technologies Agency
Statewide IT infrastructure for in-scope government entities
Prior to VITA there were 90+ independent autonomous IT shops
IT infrastructure partnership (Commonwealth of Virginia & Northrop Grumman)
Appx. 58,000 PCs, 3,500 servers, 60,000 accounts, over 2,000 circuits and 2 data centers
Centralized oversight of IT projects, security, procurement, standards, policy and procedures

4 Commonwealth Security and Risk Management
Security Operations
–Operations and architectural design
Security Governance
–Policies, standards and procedures
–IT security audit program
–VITA ISO duties
Risk Management
–Commonwealth Risk Management program
–Business impact analysis
–Risk assessments
–IT security incident response

5 § § Additional duties of the CIO relating to security of government information. C. The CIO shall annually report to the Governor, the Secretary, and General Assembly those executive branch and independent agencies and institutions of higher education that have not implemented acceptable policies, procedures, and standards to control unauthorized uses, intrusions, or other security threats. For any executive branch or independent agency or institution of higher education whose security audit results and plans for corrective action are unacceptable, the CIO shall report such results to (i) the Secretary, (ii) any other affected cabinet secretary, (iii) the Governor, and (iv) the Auditor of Public Accounts. Upon review of the security audit results in question, the CIO may take action to suspend the public body's information technology projects pursuant to § , limit additional information technology investments pending acceptable corrective actions, and recommend to the Governor and Secretary any other appropriate actions. The CIO shall also include in this report (a) results of security audits, including those state agencies, independent agencies, and institutions of higher education that have not implemented acceptable regulations, standards, policies, and guidelines to control unauthorized uses, intrusions, or other security threats and (b) the extent to which security standards and guidelines have been adopted by state agencies.

6 Annual Report on Information Security
Assessment of the Commonwealth information security program:
Legislative requirement beginning in 2008
CIO annually reports to the Governor, Cabinet Secretaries, and General Assembly on:
–Agency Information Security Programs
–Agency Risk Management Programs
–Agency IT Security Audit Programs
–Commonwealth Operational Security
–IT Security Incidents

7 Understanding Commonwealth Risk
Business Impact Analysis:
–Identify primary and critical organizational business processes
–Identify IT systems that those business processes rely on
–Identify Recovery Time Objectives (RTO)
–Identify Recovery Point Objectives (RPO)
–Rate the business process for Availability: the impact on life, safety, legal requirements, regulations, customer service and sensitive data if the business process or the IT systems supporting it are unavailable.

8 Understanding Commonwealth Risk
Risk Assessments:
–Identify sensitivity of IT system (confidentiality, integrity, and/or availability)
–Assess the implementation of controls
–Identify threats and potential risks
–Rate the risks
–Determine the probability of threat occurrence
–Determine the potential impact if the threat occurs
–Identify mitigating controls
–Determine and implement mitigating controls
–Determine Residual Risk: create findings and corrective actions when residual risk is too high

9 IT Security Audits
Internal Audit, APA Audit, External (contractor)
–Identify security audit findings
–Create corrective action/remediation plans for findings
–Track the remediation of the findings until closed
–Validate remediation
Vulnerability Scanning
Operational findings

10 What have we learned from the Annual Report?
IT Security and Audit resources are not adequate across the Commonwealth as a whole
Agencies are not properly planning for information security requirements
Unless agency executives understand the impact of the risk carried, decisions made could potentially result in adverse consequences

11 Next steps for CSRM
Moving to a risk based information security program
Currently implementing a Governance, Risk Management and Compliance (GRC) tool
Make risk recommendations for where to invest resources across the Commonwealth
Adhere to a set level of risk tolerance across the Commonwealth

12 How Does CSRM Measure Agency Risk?
Risk levels are primarily based on findings
–Can come from any source: security audit, risk assessment, operational data, etc.
Finding criticality level is based on several factors; examples include:
–Business process criticality level
–Confidentiality of the data
–Criticality of the application affected
–Likelihood of occurrence
–Magnitude of impact
–Length of time finding open

13 Governance, Risk Management and Compliance (GRC) Tool
Why GRC?
Integrate the existing IT Security programs & processes into a single centralized tool
Provide a better understanding of the risks that Commonwealth Agencies carry
Provide Agency and Commonwealth Executives an understanding of where resources should be allocated to manage risk

14 Governance, Risk Management and Compliance (GRC) Tool
What is captured in the GRC tool?
Business Processes
Applications
IT Security Audit Program
Information Risk Assessments
Findings
Remediation Plans
IT Security Incidents
Security Exceptions

15 Additional Benefits of a GRC tool
Advanced Reporting
Dashboards
IT Asset Inventory
Control & Policy Library
Questionnaires/Assessments

16 What will CSRM do with the tool?
Enhance reporting capabilities
–Identify agencies carrying too much risk
–Monitor remediation of risk at agencies
–Show progress of agencies remediating risk
–Identify operational issues increasing agency risk
Make recommendations based on risk
–Recommendations to AITR, ISO, agency head, secretary, and/or Commonwealth CIO
–Can include recommendation to restrict IT investments until acceptable remediation is in place, underway, planned, or complete
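The finding-based risk measurement of slide 12 and the "agencies carrying too much risk" reporting of slide 16, worked through as an added example that is not CSRM's or the GRC tool's own code: findings from several sources are scored on the six listed factors, aggregated per agency, and compared against a Commonwealth risk tolerance. The 1-to-3 scales, the weights, the aging rule, the sample findings and the tolerance value are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date

# Ordinal scale assumed for every factor: 1 = low, 2 = medium, 3 = high.
@dataclass(frozen=True)
class Finding:
    agency: str
    source: str                # "security audit", "risk assessment", "operational data"
    process_criticality: int   # criticality level of the business process
    data_confidentiality: int  # confidentiality of the data involved
    app_criticality: int       # criticality of the application affected
    likelihood: int            # likelihood of occurrence
    impact: int                # magnitude of impact
    opened: date               # when the finding was raised (drives "length of time open")

def finding_criticality(f: Finding, today: date) -> float:
    """Score one finding from the six slide-12 factors; the weights are assumptions."""
    exposure = f.likelihood * f.impact                          # likelihood x impact
    context = (f.process_criticality + f.data_confidentiality + f.app_criticality) / 3
    months_open = (today - f.opened).days // 30
    aging = 1.0 + 0.05 * min(months_open, 12)                   # +5% per month open, capped at +60%
    return round(exposure * context * aging, 2)

def agency_risk(findings, today):
    """Aggregate finding scores per agency, regardless of which source raised each finding."""
    totals = {}
    for f in findings:
        totals[f.agency] = round(totals.get(f.agency, 0.0) + finding_criticality(f, today), 2)
    return totals

def agencies_over_tolerance(findings, today, tolerance):
    """Agencies whose aggregate score exceeds the set Commonwealth risk tolerance."""
    return sorted(a for a, s in agency_risk(findings, today).items() if s > tolerance)

# Constructed sample findings: placeholder agencies, not real audit results.
TODAY = date(2013, 10, 1)
SAMPLE = [
    Finding("AGENCY-A", "security audit", 3, 3, 3, 3, 3, date(2013, 1, 15)),
    Finding("AGENCY-A", "operational data", 2, 1, 2, 2, 2, date(2013, 9, 1)),
    Finding("AGENCY-B", "risk assessment", 1, 1, 1, 1, 2, date(2013, 8, 1)),
]
RISK_TOLERANCE = 25.0  # assumed threshold for "carrying too much risk"

if __name__ == "__main__":
    for agency, score in agency_risk(SAMPLE, TODAY).items():
        print(f"{agency}: {score}")
    print("over tolerance:", agencies_over_tolerance(SAMPLE, TODAY, RISK_TOLERANCE))
```

The aging factor is what makes an unremediated finding weigh more the longer it stays open, which is the "length of time finding open" factor on slide 12.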

17 What Challenges Has CSRM Faced?
Normalizing data
–Data comes from multiple sources: Agency ISO, Agency Internal Audit, Agency Information Technology Department, Infrastructure partnership, Other VITA data sets
Agency Buy-in
User training

18 Questions?
Jonathan Smith
Senior Risk Manager
Commonwealth Security and Risk Management
Virginia Information Technologies Agency (VITA)