it compliance and risk brian markham director, dit compliance and risk services may 1, 2014

IT Compliance and Risk

Brian Markham

Director, DIT Compliance and Risk Services

May 1, 2014


• UMD grad (BA and MBA)• Seven years in IT at UMD • Seven years in consulting (KPMG, PwC)• New-ish to GW (November ’13)

Introduction


Three things:• The business of IT (an overview)• Compliance• Risk

Agenda

The Business of IT


Why do we have IT?

You


Why do we have IT?

You IT Awesome!


How do we succeed?

Customer Support OperationsApplication

DevelopmentStrategic PlanningSecurity

RiskCompliance

Governance

• Users/Customers• Understanding the business• Understanding requirements• Implementing technology that meets

requirements to enable the business• Perspective/vision of the future• Planning, strategy, execution• Fun!


IT is about…

• IT is complicated• IT folks aren’t experts in all things• Different users have different needs• Business/requirements change• Technology changes (fast)


But…

• Meet requirements (contracts, laws, policy)• Ensure that confidentiality data is protected• Ensure that data cannot be altered• Ensure that systems are available• Understand and manage risk• Ensure that services can be offered that

are secure and meet requirements• Services are “fit for use”


Role of Compliance and Risk

Compliance

• Federal Educational Rights and Privacy Act (FERPA)

• Federal Information Security Management Act (FISMA)

• Health Insurance Portability and Accountability Act (HIPAA)

• Payment Card Industry Data Security Standard (PCI DSS)

• University Policies• Contracts and Agreements


GW and Compliance

• Understand the requirements• Identify stakeholders• Review controls and the “as-is” state• Reference control guidance and best practices• Assess controls

– Test of Design– Test of Operating Effectiveness

• Document gaps, identify corrective actions• Continuous monitoring


How Do We Achieve Compliance?


In other words…

Plan for Compliance

Implement Controls

Assess Controls

Corrective Actions

Deming Cycle – Plan, Do, Check, Act

• Understanding• Expensive• It’s hard• Compliance ≠ Security!


Compliance Challenges

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

Impact X Probability = Risk Priority


What is Risk?

• It’s not easy• Data-driven “gut feel”• Use data where possible:

– Outages/Downtime– Revenue Lost– Performance vs. SLAs– Performance of KPIs– Historical Data


Quantifying Risk

• Compliance Risk• Financial Risk• Human Resource Risk• Operations Risk (Availability)• Project Risk• Reputation Risk • Safety Risk • Security Risk • Vendor Risk


Lots of Risk!

• Governance!• Process and documentation• Outreach and buy-in• Identify, track and mitigate risks

– Prioritize

• Continuous improvement


Where do we start?


Risk Management Challenges

• You don’t know what you don’t know• Incentives to not report• Risks can be expensive• IT is complicated


Risk Management Tools

• Governance Risk & Compliance (GRC) tool

• Risk Register• Assessment methodologies• Risk Assessments• Control catalogs• Configuration Management Database

(CMDB)


Summary

• Compliance and risk management is a critical piece of IT management

• Understand the compliance landscape• Understand the risk landscape• We are all risk managers!


For More Information

Contact Brian Markham at 571-553-0189 or [email protected].

it compliance and risk brian markham director, dit compliance and risk services may 1, 2014

Documents

compliance slide

risk quantifying risk

risk role of compliance

risk compliance challenges

risk services

risk gw

risk priority

dit compliance