U.Va.

1
U.Va.s IT SecurityRisk Management
Program(ITS-RM)

• April 2004 LSP Conference
• Brian Davis
• OIT, Security and Policy

2
IT Security Risk Management Program (ITS-RM)

• Announcing the roll out of version 1.0
• Will assist departments in appropriately
  protecting their IT assets

3
Why?

• IT Security Risk Management.
• Its not just a best practice,
• its a good idea!

4
Good News

• Most of you are already doing most of what you
  need to be doing
• Program provides tools to make identification and
  prioritization of the rest easier
• Be prepared when your departments administrators
  come to you for assistance

5
Whats Risk Management?

• Formally defined
• The total process to identify, control, and
  manage the impact of uncertain harmful events,
  commensurate with the value of the protected
  assets.

6
More simply put

• Determine what your risks are and then decide on
  a course of action to deal with those risks.

7
Even more colloquially

• Whats your threshold for pain?
• Do you want failure to deal with this risk to end
  up on the front page of the
• Daily Progress?

8
Risk Management Practices

• Conduct a mission impact analysis and risk
  assessment to
• Identify various levels of sensitivity associated
  with information resources
• Identify potential security threats to those
  resources

9
Risk Management Practices(cont.)

• Conduct a mission impact analysis and risk
  assessment to
• Determine the appropriate level of security to be
  implemented to safeguard those resources
• Review, reassess and update as needed or at least
  every 3 years

10
Risk Management Practices (cont.)

• Coordinated and integrated with contingency
  planning and mission resumption activities
• Mission continuity plan that will provide
  reasonable assurance that critical data
  processing support can be continued or resumed
  within an acceptable time frame if normal
  operations are interrupted

11
University Level

• Design university-wide program for analysis,
  assessment planning
• Identify general security threats provide other
  guidance material
• Oversee completion of department level analysis,
  assessment, planning efforts
• Complete yearly analysis assessment for
  enterprise systems update enterprise business
  continuity regularly

12
Departmental Level

• Identify sensitive department system data, assets
  threats to those data, assets
• Determine appropriate safeguards form plan for
  implementing them
• Complete U.Va. templates at least every three
  years when computing environment changes
  significantly

13
Brief Description

• ITC implementing a University-wide IT Security
  Risk Management Program for
• IT Mission Impact Analysis
• IT Risk Assessment
• IT Mission Continuity Planning
• Evaluation and Reassessment

14
What Has Been Done

• ITC conducts a yearly business analysis and risk
  assessment for directly managed resources
  updates its business continuity plan more often
• Similar planning occurred across the University
  as part of the Y2K initiative
• Comptrollers Office collects information on the
  existencebut not qualityof security-related
  plans
• Audit Department includes review of security
  plans during routine departmental audits
• ITCs departmental security self-assessment
  checklist (part of security awareness program)

15
Why Thats Not Enough

• Y2K business continuity plans not updated
• No mechanisms for tracking the frequency of
  updates, quality and consistency
• No central repository for safeguarding assessment
  and planning documents
• No university-level procedure dealing explicitly
  with ongoing IT security risk management
• Non-compliant with state standards or HIPAA and
  GLBA

16
Responsibilities

• ITC
• Health System
• Audit Department
• Other Offices
• The Departments

17
Executive Support

• Strong executive support has been a key success
  factor at other institutions
• Executives fully behind program at U.Va.
• University policy requiring participation in the
  program is coming
• Encouragement from LSPs will also be necessary as
  many department heads will not fully appreciate
  the need for IT security assessment and planning

18
(No Transcript)
19
Lets look at an example
20
Its good for you!

• Risk management makes you more efficient
• Risk management helps you make your case
• Risk management has got your back

21
Its not as painful as it looks!

• No one will be starting from scratch
• Little is expected from those with little, more
  is expected from those with more
• The templates are designed for the most complex
  situations but work for simple solutions, too

22
ITS-RM Roll Out

• Version 2.0 coming soon
• Top 5 by end of year
• Next 5 by next summer
• Encourage other departments to get moving

23
Youre Not Alone...

• ITC cant do it for you
• Available to consult
• Meet to explain process
• Service consultations if we have solutions that
  fill a gap

24
For More Information...
http//www.itc.virginia.edu/security/riskmanagemen
t Brian Davis Shirley Payne
bdavis_at_virginia.edu payne_at_virginia.edu
243-8707 924-4165