Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 www.vita.virginia.gov IT Risk Management in Government Jonathan Smith Sr. Risk Manager Commonwealth Security and Risk Management October 1, 2013 www.vita.virginia.gov.

Published byJustin Maldonado Modified over 10 years ago

Similar presentations

Presentation on theme: "1 www.vita.virginia.gov IT Risk Management in Government Jonathan Smith Sr. Risk Manager Commonwealth Security and Risk Management October 1, 2013 www.vita.virginia.gov."— Presentation transcript:

1 1 www.vita.virginia.gov IT Risk Management in Government Jonathan Smith Sr. Risk Manager Commonwealth Security and Risk Management October 1, 2013 www.vita.virginia.gov 1

2 2 Agenda Introduction Background –Virginia Information Technologies Agency –Commonwealth Security and Risk Management –Information Security and Reporting Measuring Commonwealth Risk Governance, Risk Management, and Compliance

3 3 Virginia Information Technologies Agency Statewide IT infrastructure for in-scope government entities Prior to VITA there were 90+ independent autonomous IT shops IT infrastructure partnership (Commonwealth of Virginia & Northrop Grumman) Appx. 58,000 PCs, 3500 servers, 60,000 accounts, over 2000 circuits and 2 Data Centers Centralized oversight of IT projects, security, procurement, standards, policy and procedures www.vita.virginia.gov

4 4 Commonwealth Security and Risk Management Security Operations Operations and architectural design Security Governance Policies, standards and procedures IT security audit program VITA ISO duties Risk Management Commonwealth Risk Management program Business impact analysis Risk assessments IT security incident response www.vita.virginia.gov

5 5 § 2.2-2009 www.vita.virginia.gov § 2.2-2009. Additional duties of the CIO relating to security of government information. C. The CIO shall annually report to the Governor, the Secretary, and General Assembly those executive branch and independent agencies and institutions of higher education that have not implemented acceptable policies, procedures, and standards to control unauthorized uses, intrusions, or other security threats. For any executive branch or independent agency or institution of higher education whose security audit results and plans for corrective action are unacceptable, the CIO shall report such results to (i) the Secretary, (ii) any other affected cabinet secretary, (iii) the Governor, and (iv) the Auditor of Public Accounts. Upon review of the security audit results in question, the CIO may take action to suspend the public body's information technology projects pursuant to § 2.2-2015, limit additional information technology investments pending acceptable corrective actions, and recommend to the Governor and Secretary any other appropriate actions. The CIO shall also include in this report (a) results of security audits, including those state agencies, independent agencies, and institutions of higher education that have not implemented acceptable regulations, standards, policies, and guidelines to control unauthorized uses, intrusions, or other security threats and (b) the extent to which security standards and guidelines have been adopted by state agencies.

6 6 Annual Report on Information Security Assessment of the Commonwealth information security program: Legislative requirement beginning in 2008 CIO annually reports to the Governor, Cabinet Secretaries, and General Assembly on: –Agency Information Security Programs –Agency Risk Management Programs –Agency IT Security Audit Programs –Commonwealth Operational Security –IT Security Incidents www.vita.virginia.gov

7 7 Understanding Commonwealth Risk Business Impact Analysis: –Identify primary and critical organizational business processes –Identify IT systems that those business processes rely on –Identify Recovery Time Objectives (RTO) –Identify Recover Point Objectives (RPO) –Rate the business process for Availability Impact on life, safety, legal requirements, regulations, customer service and sensitive data if the business process or IT systems supporting the process is unavailable. www.vita.virginia.gov

8 8 Risk Assessments: –Identify sensitivity of IT system(Confidentiality, integrity, and/or availability) –Assess the implementation of controls –Identify threats and potential risks –Rate the risks –Determine the probability of threat occurrence –Determine the potential impact if the threat occurs –Identify mitigating controls –Determine and implement mitigating controls –Determine Residual Risk: Create findings and corrective actions when residual risk is too high www.vita.virginia.gov Understanding Commonwealth Risk

9 9 IT Security Audits Internal Audit, APA Audit, External (contractor) –Identify security audit findings –Create corrective action/remediation plans for findings –Track the remediation of the findings until closed –Validate remediation Vulnerability Scanning Operational findings www.vita.virginia.gov

10 10 What have we learned from the Annual Report? www.vita.virginia.gov IT Security and Audit resources are not adequate across the Commonwealth as a whole Agencies are not properly planning for information security requirements Unless agency executives understand the impact of the risk carried, decisions made could potentially result in adverse consequences

11 11 Next steps for CSRM Moving to a risk based information security program Currently implementing a Governance, Risk Management and Compliance (GRC) tool Make risk recommendations for where to invest resources across the Commonwealth Adhere to a set level of risk tolerance across the Commonwealth www.vita.virginia.gov

12 12 How Does CSRM Measure Agency Risk? Risk levels are primarily based on findings –Can come from any source Security audit, risk assessment, operational data, etc. Finding criticality level is based on several factors, examples include: –Business processes criticality level –Confidentiality of the data –Criticality of the application affected –Likelihood of occurrence –Magnitude of impact –Length of time finding open www.vita.virginia.gov

13 13 Governance, Risk Management and Compliance (GRC) Tool Why GRC? Integrate the existing IT Security programs & processes into a single centralized tool Provide a better understanding of the risks that Commonwealth Agencies carry Provide Agency and Commonwealth Executives understanding of where resources should be allocated to manage risk www.vita.virginia.gov

14 14 Governance, Risk Management and Compliance (GRC) Tool What is captured in the GRC tool? Business Processes Applications IT Security Audit Program Information Risk Assessments Findings Remediation Plans IT Security Incidents Security Exceptions www.vita.virginia.gov

15 15 Additional Benefits of a GRC tool Advanced Reporting Dashboards IT Asset Inventory Control & Policy Library Questionnaires/Assessments www.vita.virginia.gov

16 16 What will CSRM do with the tool? Enhance reporting capabilities –Identify agencies carrying too much risk –Monitor remediation of risk at agencies –Show progress of agencies remediating risk –Identify operational issues increasing agency risk Make recommendations based on risk –Recommendations to AITR, ISO, agency head, secretary, and/or Commonwealth CIO –Can include recommendation to restrict IT investments until acceptable remediation is in place, underway, planned, or complete www.vita.virginia.gov

17 17 What Challenges Has CSRM Faced? Normalizing data –Data comes from multiple sources Agency ISO Agency Internal Audit Agency Information Technology Department Infrastructure partnership Other VITA data sets Agency Buy-in User training www.vita.virginia.gov

18 18 Questions? Jonathan Smith Senior Risk Manager Commonwealth Security and Risk Management Virginia Information Technologies Agency (VITA) Jonathan.M.Smith@Vita.Virginia.Gov CommonwealthSecurity@Vita.Virginia.Gov www.vita.virginia.gov

Download ppt "1 www.vita.virginia.gov IT Risk Management in Government Jonathan Smith Sr. Risk Manager Commonwealth Security and Risk Management October 1, 2013 www.vita.virginia.gov."

Similar presentations

Module 7 National Incident Management System:

Module 7 National Incident Management System:
Internal Control in a Financial Statement Audit

Internal Control in a Financial Statement Audit
1 Introduction to Safety Management April 2006. 2 Objective The objective of this presentation is to highlight some of the basic elements of Safety Management.

1 Introduction to Safety Management April Objective The objective of this presentation is to highlight some of the basic elements of Safety Management.
1 Documentation Legal Framework Air Navigation Orders Guidelines ATS Manual Airport Manual Safety Management Manual ICAO Annexes Licenses / Certificates.

1 Documentation Legal Framework Air Navigation Orders Guidelines ATS Manual Airport Manual Safety Management Manual ICAO Annexes Licenses / Certificates.
1 SAFETY ORGANISATION. 2 Safety Organisation 3 Safety Organisation - Regulator.

1 SAFETY ORGANISATION. 2 Safety Organisation 3 Safety Organisation - Regulator.
1 Regulation. 2 Organisational separation 3 Functional Separation.

1 Regulation. 2 Organisational separation 3 Functional Separation.
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
0 - 0.

0 - 0.
1 IT Security in the Commonwealth A high-level review Sam A. Nixon Jr. Chief Information Officer of the Commonwealth Governors Secure Commonwealth Panel.

1 IT Security in the Commonwealth A high-level review Sam A. Nixon Jr. Chief Information Officer of the Commonwealth Governors Secure Commonwealth Panel.
IndicatorDescriptionProcurement Issues PI-4 Stock and monitoring of expenditure payment arrears (i) Stock of expenditure payment arrears (as a percentage.

IndicatorDescriptionProcurement Issues PI-4 Stock and monitoring of expenditure payment arrears (i) Stock of expenditure payment arrears (as a percentage.
EMS Checklist (ISO model)

EMS Checklist (ISO model)
1 Dr. Ashraf El-Farghly SECC. 2 Level 3 focus on the organization - Best practices are gathered across the organization. - Processes are tailored depending.

1 Dr. Ashraf El-Farghly SECC. 2 Level 3 focus on the organization - Best practices are gathered across the organization. - Processes are tailored depending.
Abstract To provide efficient and effective access to enterprise information that meets stakeholder needs and supports mission success, NASA is implementing.

Abstract To provide efficient and effective access to enterprise information that meets stakeholder needs and supports mission success, NASA is implementing.
January 10, 2008www.infosecurity.ca.gov/1 Role, Responsibility and Authority of New Office Presented by Colleen Pedroza, State Chief Information Security.

January 10, 2008www.infosecurity.ca.gov/1 Role, Responsibility and Authority of New Office Presented by Colleen Pedroza, State Chief Information Security.
SAI Performance Measurement Framework

SAI Performance Measurement Framework
Why Security? A Commitment for [the Agency’s] Executives [CIO’s name] EC Presentation [date]

Why Security? A Commitment for [the Agency’s] Executives [CIO’s name] EC Presentation [date]
Risk The chance of something happening that will have an impact on objectives. A risk is often specified in terms of an event or circumstance and the consequences.

Risk The chance of something happening that will have an impact on objectives. A risk is often specified in terms of an event or circumstance and the consequences.
Security metrics in SCADA system Master of Computer and Information Science Student: Nguyen Duc Nam Supervisor: Elena Sitnikova.

Security metrics in SCADA system Master of Computer and Information Science Student: Nguyen Duc Nam Supervisor: Elena Sitnikova.
Internal Control–Integrated Framework

Internal Control–Integrated Framework
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

Similar presentations

Ads by Google