TACUA 2010 IT Risk
University Technology Risks
Assessment and Management
April 2010
Pati Milligan, PhD
Professor, Baylor University
Waco, Texas
Issues
What are Academic Technology Risks?
How do we Assess and Manage?
Where do we fail?
Future focus?
Private vs Public University Risk Assessments
As so aptly stated in the ACFE presentation:
“In the initial stages, fraud and stupidity bear a close resemblance.”
Why Care About IT-related Risk?
Most universities are not for profit and have
limited staff/budget
Academia is an open learning environment
So what’s the big deal?
Every component of the university is
dependent on automation and integration
We must integrate business and academic
technology solutions to attain proper risk
management
IT Risk (more than meets the eye)
Support
Telecommunications
Mobile Devices
Cyber Security
Data Management
Business Process
Application
Collaboration
Contracts
Vendor Selection
Existing Solutions
Guiding Principles
Network Architecture
IT Risk Must Manage and
Capitalize on Business Risk
Some universities try to eliminate the
very risks that drive research and
education
Guidance is needed on how to manage
risk effectively
©2009 ISACA/ITGI. All rights reserved.
A Balance is Essential
Risk and value are two sides of the same
coin
Risk is inherent to all enterprises
Academic risk and industry risk are the
same
But…
Need to ensure opportunities for value
creation provided by Academia are not
missed by trying to eliminate all risk
So How to Assess Technology Risk?
Scope definition
◦ Business process identification, including
Roles within business process
Interest groups (internal and external)
◦ Academic needs ??
◦ Assets that need protection??
Analysis
◦ Qualitative risk assessment methodology
◦ Identification of conflicts of interest
◦ Business need for access for identified roles vs
Academic need for autonomy
◦ Issues with current access system
ISACA’s IT Risk Model
Risk Assessment to Risk Governance
Risk Domains
Governance
◦ Responsibility and accountability for risk
◦ Risk appetite and tolerance
◦ Awareness and communication
◦ Risk culture
Evaluation
◦ Risk scenarios
◦ Business impact descriptions
Response
◦ Key risk indicators (KRIs)
◦ Risk response definition and prioritization
As you know..... (risk matrix figure: likelihood rated A (improbable) to E (unavoidable) against impact rated A (Low) to E (Critical))
Potential Academic Exposures
Loss of competitive research
Opposition research from other
universities
Loss of personal data
IT-related Risk Evaluation
Technology risk is not limited to information security.
It covers all IT-related risks, including:
• Late project delivery
• Not achieving enough value from IT
• Compliance (FERPA, PFIA, SOX)??
• Misalignment of business responsibilities
• Obsolete or inflexible IT architecture
• IT service delivery problems
• Autonomy for research and teaching
Approach and Interviews
Public and Private Universities
U.S. and Global
Personal interviews with IT Auditors and
Risk Management Officers
On-site Observance
Questions to ask…….
1. How do you determine the level of risk to the university administrative
functions in the following areas:
a. Network Access
b. Web Applications
c. Online email
2. What is the current IT infrastructure and the applications supporting major
business processes (complete ISO levels if possible). How frequently does
this change?
Who supports this infrastructure, i.e. do the departments support any of
the teaching and research nodes?
3. External Environment -- Do you outsource any of the IT Services?
4. Regulatory environment -- which compliance areas pose risk to the
university ?
Questions to ask……. (cont.)
5. What is the Strategic importance of the technology network for the
university?
6. What is the Operational importance of the networks for the university?
Could the university sustain a network outage of 7 days?
7. Do you have a Risk management philosophy, process, and operating model?
8. Who manages Risk Governance (RG), Risk Evaluation (RE), and Risk
Response (RR) for the university systems?
9. How are Technology decisions made?
10. Does the university offer online courses for credit?
How is that managed?
What is the risk if the system is unavailable or if the system is breached?
11. How is the Technology Investment (money for function) managed? Is
technology (cost and value) a component of the Board of Director's
meetings, risk and budget discussions?
12. What are the top five risk factors for the university?
Questions to ask……. (cont.)
13. What are the top-five IT risk scenarios?
14. Does the university experience any of the following issues?
a. Late project delivery
b. Not achieving enough value from IT
c. Compliance
d. Misalignment
e. Obsolete or inflexible IT architecture
f. IT service delivery problems
15. How often do you evaluate sunset legacy systems?
16. Describe your information security protection program.
17. Data Retention Policy?
18. Consistency of Patch management?
19. Does IT use standard builds?
20. To what extent do you rely on in-house applications?
21. How much do you rely on contractors?
22. Do you have global nationals working with sensitive data?
23. Data Ownership……
Where do we generally fail?
◦ Impairing ability to “Publish or Perish”
◦ Burning bridges with research sponsors and partners
◦ Inadequate tenure track reviews
◦ Teaching and research effectiveness reviews
◦ Staff and Faculty training
◦ Decentralized survey administration – integrity of results
◦ Not all School/Department goals are met
◦ Academic vs. Business resource allocation not evaluated
Where do we commonly fail? (cont.)
Failure to monitor service (business)
Relinquishing control/oversight (business)
Failure to review any Outsource Service Providers’
internal controls
Failure to audit all critical areas (network security)
Failure to routinely review providers’ financial
statements
Failure to validate the destruction of confidential
(proprietary, research, performance) data when no
longer required
Inadequate regulatory framework
Business employees and faculty may not have the
tools necessary to perform their duties effectively
and efficiently.
January 2009
Areas of Concern
Ad-hoc access provision
Too strict or too loose access
Lack of or inadequate access policy
Lack of integration with business processes
Insufficient separation of duties
Former employees or vendors with access
Blurred network perimeter
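As an added illustration (not part of the presentation), the following Python check performs the kind of periodic access review that surfaces three of the concerns listed above: former employees or vendors who still hold access, ad-hoc entitlements outside the approved role policy, and separation-of-duties conflicts. The roster, role policy, conflict pairs and access list are constructed sample data.

```python
# Constructed HR roster (sample data): employment status and business role.
ROSTER = {
    "jdoe":    {"status": "active",     "role": "registrar"},
    "asmith":  {"status": "active",     "role": "bursar"},
    "bvendor": {"status": "terminated", "role": "vendor"},
    "kleft":   {"status": "terminated", "role": "faculty"},
    "rlee":    {"status": "active",     "role": "faculty"},
}

# Constructed access policy: entitlements each role is approved to hold.
ROLE_POLICY = {
    "registrar": {"sis_grades_write", "sis_read"},
    "bursar":    {"billing_write", "sis_read"},
    "faculty":   {"lms_write", "sis_read"},
    "vendor":    {"lms_admin"},
}

# Entitlement pairs one person should not hold together (separation of duties).
SOD_CONFLICTS = [("sis_grades_write", "billing_write"), ("lms_admin", "lms_write")]

# Constructed current access list: user -> entitlements actually granted.
ACCESS = {
    "jdoe":    {"sis_grades_write", "sis_read", "billing_write"},
    "asmith":  {"billing_write", "sis_read"},
    "bvendor": {"lms_admin"},
    "kleft":   {"lms_write"},
    "rlee":    {"lms_write", "sis_read", "vpn_admin"},
}

def review_access(roster, policy, access, conflicts):
    """Return (user, finding) pairs for the access concerns above."""
    findings = []
    for user, ents in sorted(access.items()):
        person = roster.get(user)
        # Former employees or vendors: anyone not active on the roster.
        if person is None or person["status"] != "active":
            findings.append((user, "former employee or vendor still has access"))
            continue
        # Ad-hoc provisioning: entitlements outside the approved role policy.
        for ent in sorted(ents - policy.get(person["role"], set())):
            findings.append((user, f"ad-hoc access not covered by role policy: {ent}"))
        # Separation of duties: conflicting entitlements held by one person.
        for a, b in conflicts:
            if a in ents and b in ents:
                findings.append((user, f"separation of duties conflict: {a} + {b}"))
    return findings

FINDINGS = review_access(ROSTER, ROLE_POLICY, ACCESS, SOD_CONFLICTS)  # five findings on the sample data
```

In practice the roster comes from HR, the role policy from the business-process owners, and the access list from each system's export, which is exactly the integration with business processes the slide says is often missing.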
For Those using Outsourced Services
Don’t ……
Negotiate too hard for a least cost scenario
Misplace haste to get a contract in place
Forget an exit strategy
Fail to control legal compliance
Fail to plan for a long-term strong relationship
Negotiate and manage from an “Ivory Tower”
Ignore performance details
In Conclusion:
Guiding Principles of Risk IT
Always connect to university system objectives
Align the management of IT-related business risk
with overall university risk management
Balance the costs and benefits of managing risk
Promote fair and open communication of IT risk
Establish the right tone from the top while defining
and enforcing personal accountability for operating
within acceptable and well-defined tolerance levels
Understand that this is a continuous process and an
important part of daily activities
Benefits and Outcomes
Accurate view on current and near-future IT-related events
End-to-end guidance on managing IT-related risks
Understanding the investments made in technology for
both business, research, and teaching
Integration with the overall risk and compliance structures
within the university
Common language to help manage the relationships
Promotion of risk ownership throughout the organization
For More Information:
ISACA IT Risk Toolkit www.isaca.org
ISACA/ITGI Risk Model (see model file)
OCEG Burgundy Book Executive Summary
www.oceg.org
Questions?
Thank You!