Presentation is loading. Please wait.

Presentation is loading. Please wait.

University Technology Risks Assessment and Management April 2010 Pati Milligan, PhD Professor, Baylor University Waco, Texas.

Published byCamron Randall Modified over 8 years ago

Similar presentations

Presentation on theme: "University Technology Risks Assessment and Management April 2010 Pati Milligan, PhD Professor, Baylor University Waco, Texas."— Presentation transcript:

1 University Technology Risks Assessment and Management April 2010 Pati Milligan, PhD Professor, Baylor University Waco, Texas

2 Issues  What are Academic Technology Risks?  How do we Assess and Manage?  Where do we fail?  Future focus?  Private vs Public University Risk Assessments

3 As so aptly stated in the ACFE presentation: In the initial stages, fraud and stupidity bear a close resemblance.

4 Most universities are not for profit and limited staff/budget Academia is an open learning environment So what’s the big deal? Every component of the university is dependent on automation and integration We must integrate business and academic technology solutions to attain proper risk management Why Care About IT-related Risk?

5 IT Risk (more than meets the eye)

6 IT Risk Must Manage and Capitalize on Business Risk Some universities try to eliminate the very risks that drive research and education Guidance is needed on how to manage risk effectively ©2009 ISACA/ITGI. All rights reserved.

7 A Balance is Essential Risk and value are two sides of the same coin Risk is inherent to all enterprises Academic risk and industry risk are the same But… Need to ensure opportunities for value creation provided by Academia are not missed by trying to eliminate all risk

8 So How to Assess Technology Risk? Scope definition ◦ Business process identification, including  Roles within business process  Interest groups (internal and external) ◦ Academic needs ?? ◦ Assets that need protection?? Analysis ◦ Qualitative risk assessment methodology ◦ Identification of conflicts of interest ◦ Business need for access for identified roles vs Academic need for autonomy ◦ Issues with current access system

9 ISACA’s IT Risk Model

10 Risk Assessment to Risk Governance

11 Risk Domains Governance ◦ Responsibility and accountability for risk ◦ Risk appetite and tolerance ◦ Awareness and communication ◦ Risk culture Evaluation ◦ Risk scenarios ◦ Business impact descriptions Response ◦ Key risk indicators (KRIs) ◦ Risk response definition and prioritization ©2009 ISACA/ITGI. All rights reserved.

12 As you know..... Critical Low E D C B A A improbable B C D E unavoidable

13 Potential Academic Exposures Loss of competitive research Opposition research from other universities Loss of personal data

14 IT-related Risk Evaluation ©2009 ISACA/ITGI. All rights reserved. Technology risk is not limited to information security. It covers all IT-related risks, including: Late project delivery Not achieving enough value from IT Compliance ( FERPA, PFIA, SOX)?? Misalignment of business responsibilities Obsolete or inflexible IT architecture IT service delivery problems Autonomy for research and teaching

15 Approach and Interviews Public and Private Universities U.S. and Global Personal interviews with IT Auditors and Risk Management Officers On-site Observance

16 Questions to ask……. 1. How do you determine the level of risk to the university administrative functions in the following areas: a. Network Access b. Web Applications c. Online email 2. What is the current IT infrastructure and the applications supporting major business processes (complete ISO levels if possible). How frequently does this change? Who supports this infrastructure, i.e. do the departments support any of the teaching and research nodes? 3. External Environment -- Do you outsource any of the IT Services? 4. Regulatory environment -- which compliance areas pose risk to the university ?

17 Questions to ask……. (cont.) 5. What is the Strategic importance of the technology network for the university? 6. What is the Operational importance of the networks for the university? Could the university sustain a network outage of 7 days? 7. Do you have a Risk management philosophy, process, and operating model? 8. Who manages Risk Governance (RG), Risk Evaluation (RE), and Risk Response (RR) for the university systems? 9. How are Technology decisions made? 10. Does the university offer online courses for credit? How is that managed? What is the risk if the system is unavailable or if the system is breached? 11. How is the Technology Investment (money for function) managed? Is technology (cost and value) a component of the Board of Director's meetings, risk and budget discussions? 12. What are the top five risk factors for the university?

18 Questions to ask……. (cont.) 13. What are the top-five IT risk scenarios? 14. Does the university experience any of the following issues? a. Late project delivery b. Not achieving enough value from IT c. Compliance d. Misalignment e. Obsolete or inflexible IT architecture f. IT service delivery problems 15. How often do you evaluate sunset legacy systems? 16. Describe your information security protection program? 17. Data Retention Policy ? 18. Consistency of Patch management? 19. Does IT use standard builds? 20. To what extent do you rely on in-house applications? 21. How much do you rely on contractors? 22. Do you global nationals working with sensitive data? 23. Data Ownership ……

19 Where do we generally fail? ◦ Impairing ability to “Publish or Perish" ◦ Burning bridges with research sponsors and partners ◦ Inadequate tenure track reviews ◦ Teaching and research effectiveness reviews ◦ Staff and Faculty training ◦ Decentralized survey administration – integrity of results ◦ Not all School/Department goals are met ◦ Academic vs. Business resource allocation not evaluated

20 January 2009 Where do we commonly fail? (cont.) Failure to monitor service (business) Relinquishing control/oversight (business) Failure to review any Outsource Service Providers’ internal controls Failure to audit all critical areas (network security) Failure to routinely review providers’ financial statements Failure to validate the destruction of confidential (proprietary, research, performance) data when no longer required Inadequate regulatory framework Business employees and faculty may not have the tools necessary to perform their duties effectively and efficiently?

21 Areas of Concern Ad-hoc access provision Too strict or too loose access Lack of or inadequate access policy Lack of integration with business processes Insufficient separation of duties Former employees or vendors with access Blurred network perimeter

22 For Those using Outsourced Services Don’t …… Negotiate too hard for a least cost scenario Misplace haste to get a contract in place Forget an exit strategy Fail to control legal compliance Fail to plan for a long-term strong relationship Negotiate and manage from an “Ivory Tower” Ignore performance details January 2009

23 ©2009 ISACA/ITGI. All rights reserved. Always connect to university system objectives Align the management of IT-related business risk with overall university risk management Balance the costs and benefits of managing risk Promote fair and open communication of IT risk Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels Understand that this is a continuous process and an important part of daily activities In Conclusion: Guiding Principles of Risk IT

24 Benefits and Outcomes Accurate view on current and near-future IT-related events End-to-end guidance on managing IT-related risks Understanding the investments made in technology for both business, research, and teaching Integration with the overall risk and compliance structures within the university Common language to help manage the relationships Promotion of risk ownership throughout the organization ©2009 ISACA/ITGI. All rights reserved.

25 January 2009 For More Information: ISACA IT Risk Toolkit www.isaca.orgwww.isaca.org ISACA/ITGI Risk Model (see model file) OCEG Burgandy Book Executive Summary www.oceg.org www.oceg.org

26 ©2009 ISACA/ITGI. All rights reserved. Questions? Thank You!

Download ppt "University Technology Risks Assessment and Management April 2010 Pati Milligan, PhD Professor, Baylor University Waco, Texas."

Similar presentations

Governance, Risk Management and Compliance: Summary of Basic Concepts & Program Goals Bob Kotic Chief Financial Officer University of Sydney.

Governance, Risk Management and Compliance: Summary of Basic Concepts & Program Goals Bob Kotic Chief Financial Officer University of Sydney.
Organizational Governance

Organizational Governance
©2009 ISACA/ITGI. All rights reserved.. ISACA At-a-Glance Founded in 1969; non-profit, independent association that helps members achieve greater trust.

©2009 ISACA/ITGI. All rights reserved.. ISACA At-a-Glance Founded in 1969; non-profit, independent association that helps members achieve greater trust.
ISACA Guidance and Practices Committee

ISACA Guidance and Practices Committee
Auditing Governance Functions

Auditing Governance Functions
Course: e-Governance Project Lifecycle Day 1

Course: e-Governance Project Lifecycle Day 1
Chapter 10 Accounting Information Systems and Internal Controls

Chapter 10 Accounting Information Systems and Internal Controls
Risk Management and Internal Controls ASSAL 20 November 2014 Annick Teubner Chair, IAIS Governance Working Group.

Risk Management and Internal Controls ASSAL 20 November 2014 Annick Teubner Chair, IAIS Governance Working Group.
9 th Annual Public Health Finance Roundtable November 3, 2012 Boston, MA Peggy Honoré.

9 th Annual Public Health Finance Roundtable November 3, 2012 Boston, MA Peggy Honoré.
Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
2011 Governance, Risk, and Compliance Conference August 29 – 31, 2011 / Orlando, FL, USA The Top Four Essential Objectives to Auditing ERM Stephen E. McBride,

2011 Governance, Risk, and Compliance Conference August 29 – 31, 2011 / Orlando, FL, USA The Top Four Essential Objectives to Auditing ERM Stephen E. McBride,
AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.

AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.
By Collin Smith http://techinitiatives.blogspot.com COBIT Introduction By Collin Smith http://techinitiatives.blogspot.com.

By Collin Smith COBIT Introduction By Collin Smith
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Enterprise IT Governance with COBIT – Part V

Enterprise IT Governance with COBIT – Part V
CORPORATE RISK MANAGEMENT & INSURANCE BY R P BLAH D.G.M. INCHARGE THE ORIENTAL INSURANCE COMPANY LIMITED REGIONAL OFFICE BHUBANESWAR.

CORPORATE RISK MANAGEMENT & INSURANCE BY R P BLAH D.G.M. INCHARGE THE ORIENTAL INSURANCE COMPANY LIMITED REGIONAL OFFICE BHUBANESWAR.
Information Systems Controls for System Reliability -Information Security-

Information Systems Controls for System Reliability -Information Security-
PAINTING THE FULL PICTURE

PAINTING THE FULL PICTURE
MGT-555 PERFORMANCE AND CAREER MANAGEMENT

MGT-555 PERFORMANCE AND CAREER MANAGEMENT

Similar presentations

Ads by Google