U.Va. - PowerPoint PPT Presentation

Slides: 25
Provided by: uva

Transcript and Presenter's Notes

1
U.Va.'s IT Security Risk Management Program (ITS-RM)
  • April 2004 LSP Conference
  • Brian Davis
  • OIT, Security and Policy

2
IT Security Risk Management Program (ITS-RM)
  • Announcing the roll out of version 1.0
  • Will assist departments in appropriately
    protecting their IT assets

3
Why?
  • IT Security Risk Management.
  • It's not just a best practice,
  • it's a good idea!

4
Good News
  • Most of you are already doing most of what you
    need to be doing
  • Program provides tools to make identification and
    prioritization of the rest easier
  • Be prepared when your department's administrators
    come to you for assistance

5
What's Risk Management?
  • Formally defined
  • The total process to identify, control, and
    manage the impact of uncertain harmful events,
    commensurate with the value of the protected
    assets.

6
More simply put
  • Determine what your risks are and then decide on
    a course of action to deal with those risks.

7
Even more colloquially
  • What's your threshold for pain?
  • Do you want failure to deal with this risk to end
    up on the front page of the Daily Progress?

8
Risk Management Practices
  • Conduct a mission impact analysis and risk
    assessment to
  • Identify various levels of sensitivity associated
    with information resources
  • Identify potential security threats to those
    resources

9
Risk Management Practices(cont.)
  • Conduct a mission impact analysis and risk
    assessment to
  • Determine the appropriate level of security to be
    implemented to safeguard those resources
  • Review, reassess and update as needed or at least
    every 3 years

10
Risk Management Practices (cont.)
  • Coordinated and integrated with contingency
    planning and mission resumption activities
  • Mission continuity plan that will provide
    reasonable assurance that critical data
    processing support can be continued or resumed
    within an acceptable time frame if normal
    operations are interrupted

11
University Level
  • Design university-wide program for analysis,
    assessment and planning
  • Identify general security threats and provide other
    guidance material
  • Oversee completion of department level analysis,
    assessment and planning efforts
  • Complete yearly analysis and assessment for
    enterprise systems and update enterprise business
    continuity plan regularly

12
Departmental Level
  • Identify sensitive department system data and assets,
    and threats to those data and assets
  • Determine appropriate safeguards and form a plan for
    implementing them
  • Complete U.Va. templates at least every three
    years and when the computing environment changes
    significantly

13
Brief Description
  • ITC implementing a University-wide IT Security
    Risk Management Program for
  • IT Mission Impact Analysis
  • IT Risk Assessment
  • IT Mission Continuity Planning
  • Evaluation and Reassessment

14
What Has Been Done
  • ITC conducts a yearly business analysis and risk
    assessment for directly managed resources and
    updates its business continuity plan more often
  • Similar planning occurred across the University
    as part of the Y2K initiative
  • Comptroller's Office collects information on the
    existence, but not quality, of security-related
    plans
  • Audit Department includes review of security
    plans during routine departmental audits
  • ITC's departmental security self-assessment
    checklist (part of security awareness program)

15
Why That's Not Enough
  • Y2K business continuity plans not updated
  • No mechanisms for tracking the frequency of
    updates, quality and consistency
  • No central repository for safeguarding assessment
    and planning documents
  • No university-level procedure dealing explicitly
    with ongoing IT security risk management
  • Non-compliant with state standards or HIPAA and
    GLBA

16
Responsibilities
  • ITC
  • Health System
  • Audit Department
  • Other Offices
  • The Departments

17
Executive Support
  • Strong executive support has been a key success
    factor at other institutions
  • Executives fully behind program at U.Va.
  • University policy requiring participation in the
    program is coming
  • Encouragement from LSPs will also be necessary as
    many department heads will not fully appreciate
    the need for IT security assessment and planning

19
Let's look at an example
20
It's good for you!
  • Risk management makes you more efficient
  • Risk management helps you make your case
  • Risk management has got your back

21
It's not as painful as it looks!
  • No one will be starting from scratch
  • Little is expected from those with little, more
    is expected from those with more
  • The templates are designed for the most complex
    situations but work for simple solutions, too

22
ITS-RM Roll Out
  • Version 2.0 coming soon
  • Top 5 by end of year
  • Next 5 by next summer
  • Encourage other departments to get moving

23
You're Not Alone...
  • ITC can't do it for you
  • Available to consult
  • Meet to explain process
  • Service consultations if we have solutions that
    fill a gap

24
For More Information...
  • http://www.itc.virginia.edu/security/riskmanagement
  • Brian Davis, bdavis@virginia.edu, 243-8707
  • Shirley Payne, payne@virginia.edu, 924-4165