IT Compliance and Risk
Brian Markham
Director, DIT Compliance and Risk Services
May 1, 2014
Introduction
• UMD grad (BA and MBA)
• Seven years in IT at UMD
• Seven years in consulting (KPMG, PwC)
• New-ish to GW (November ’13)
Agenda
Three things:
• The business of IT (an overview)
• Compliance
• Risk
The Business of IT
Why do we have IT?
[Diagram: You → IT → Awesome!]
How do we succeed?
[Diagram: Customer Support, Operations, Application Development, Strategic Planning, Security, Risk, Compliance, Governance]
IT is about…
• Users/Customers
• Understanding the business
• Understanding requirements
• Implementing technology that meets requirements to enable the business
• Perspective/vision of the future
• Planning, strategy, execution
• Fun!
But…
• IT is complicated
• IT folks aren’t experts in all things
• Different users have different needs
• Business/requirements change
• Technology changes (fast)
Role of Compliance and Risk
• Meet requirements (contracts, laws, policy)
• Ensure that confidential data is protected
• Ensure that data cannot be altered
• Ensure that systems are available
• Understand and manage risk
• Ensure that services can be offered that are secure and meet requirements
• Services are “fit for use”
Compliance
GW and Compliance
• Federal Educational Rights and Privacy Act (FERPA)
• Federal Information Security Management Act (FISMA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI DSS)
• University Policies
• Contracts and Agreements
How Do We Achieve Compliance?
• Understand the requirements
• Identify stakeholders
• Review controls and the “as-is” state
• Reference control guidance and best practices
• Assess controls
  – Test of Design
  – Test of Operating Effectiveness
• Document gaps, identify corrective actions
• Continuous monitoring
In other words…
[Diagram: Plan for Compliance → Implement Controls → Assess Controls → Corrective Actions]
Deming Cycle – Plan, Do, Check, Act
Compliance Challenges
• Understanding
• Expensive
• It’s hard
• Compliance ≠ Security!
Risk
What is Risk?
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Impact × Probability = Risk Priority
Quantifying Risk
• It’s not easy
• Data-driven “gut feel”
• Use data where possible:
  – Outages/Downtime
  – Revenue Lost
  – Performance vs. SLAs
  – Performance of KPIs
  – Historical Data
Lots of Risk!
• Compliance Risk
• Financial Risk
• Human Resource Risk
• Operations Risk (Availability)
• Project Risk
• Reputation Risk
• Safety Risk
• Security Risk
• Vendor Risk
Where do we start?
• Governance!
• Process and documentation
• Outreach and buy-in
• Identify, track and mitigate risks
  – Prioritize
• Continuous improvement
Risk Management Challenges
• You don’t know what you don’t know
• Incentives to not report
• Risks can be expensive
• IT is complicated
Risk Management Tools
• Governance Risk & Compliance (GRC) tool
• Risk Register
• Assessment methodologies
• Risk Assessments
• Control catalogs
• Configuration Management Database (CMDB)
Summary
• Compliance and risk management is a critical piece of IT management
• Understand the compliance landscape
• Understand the risk landscape
• We are all risk managers!
For More Information
Contact Brian Markham at 571-553-0189 or [email protected].