Institutional Insurance: Creating a Comprehensive Campus-wide IT Security Risk Management Program Brian Davis IT Security & Policy Office of Information.

1 Institutional Insurance: Creating a Comprehensive Campus-wide IT Security Risk Management Program
Brian Davis, IT Security & Policy, Office of Information Technologies, University of Virginia
Mid-Atlantic EDUCAUSE - January 2005

2 Why is managing IT security risks important?
- More colloquially: What’s your institution’s threshold for pain?
- Do you want failure to deal with a particular risk to end up on the front page of the local – or national – newspaper?

3 Why? Financial consequences of failing to do
- Institutions and their units must protect heavy IT investments
- Increasing reliance on IT to provide mission-critical academic, instructional and administrative functions

4 Why? Threats to IT assets are only getting worse
- Higher education’s network infrastructure is both a direct target and a source of hijacked bandwidth
- IT security efforts are required at all network levels -- difficult to manage
- More sophisticated and dangerous exploits and attacks are released daily
- Potential for terrorist attacks or natural disasters

5 Solution: IT Security Risk Management Program
- Strong support of executive management
- Design team composed of members from throughout the University to develop a comprehensive, centralized program
- Identify common IT security risks and put together a process and templates for departments to use
- Individual departments review those common risks and determine what specific risks exist for inclusion into the process

6 ITS-RM includes
- IT Mission Impact Analysis
- IT Risk Assessment
- IT Mission Continuity Planning
- Evaluation and Reassessment

7 Implementation
- New University policy requires all departments to participate in the program
- University identified a number of key departments responsible for completing their departments’ process sooner rather than later -- Top 5, Top 10
- Full implementation will take three years

8 Ownership
- Although the program includes instructions, templates and guidance, the department needs to own the risk management process
- Departments have to do the work of risk management
- Only departments know their mission, what assets are critical to that mission, how to prioritize resources to address those assets and how best to get back up and functioning following a disaster

9 Process
- Departments complete the process and return a report to the central repository
- High-level review of the departments' reports to ensure quality; follow-up may be necessary to address key issues
- Both departmental administrative/business and technical leaders must be involved
- Department head approves the final report
- Security and Policy Office assists departments in understanding the process and getting started on completing their report

10 Tools, Templates, Guidance
The tools, templates and supplemental information created by the University as part of its IT Security Risk Management program are available in Microsoft Word, Adobe PDF and HTML formats at http://www.itc.virginia.edu/security/riskmanagement/
Let’s see what they look like…

11 Goals and How We Got There
1. Elevate IT security risk management to a top priority
2. Establish an ongoing series of tactical operational processes that incorporate the most current thinking on security threats and appropriate safeguards
3. Provide proactive mechanisms for tracking the frequency of assessments and plans and for assuring quality and consistency

12 Goals and How We Got There
4. Ensure limited resources for IT security across the organization are focused efficiently on the most important needs
5. Help comply with various external IT security standards, including HIPAA, GLBA and FERPA
6. Scale a huge scope to a reasonable level of effort for departments

13 Goals and How We Got There
7. Gain support from management and technical staff
8. Include appropriate stakeholders in the process
9. Form an implementation plan
10. Build further awareness of security issues at the management level
11. Incorporate IT risk management thinking more deeply into our culture

14 Future Directions
- Committed to routinely enhancing the guidance
- Increase automation
- Use the information to help identify needs for new centralized solutions

15 More information
Brian Davis
bdavis@virginia.edu
http://www.itc.virginia.edu/security/riskmanagement
