EXPLORING OPERATIONAL

SECURITY RISK AND CONTINUITY IN

LIBRARY OPERATIONS

Ontario Library Association – Super Conference 2011

Pat Moore & Wayne Boone

04 February 2011

AGENDA

Supporting Mission Success

Risks to Operations

Introduction to Risk Management Frameworks

MacOdrum Library Projects

Lessons Learned

Research Program

Conclusions and Way Ahead

Q & A

1

ALL OPERATIONS SUPPORT THE MISSION

What is our mission?

We promote excellence at Carleton University by collecting, preserving and providing access to information resources and services for our teaching, learning, research and administrative communities wherever they are located.

MacOdrum Library – Carleton University (ca. 2003)

2

MISSION ANALYSIS – SUMMARY

Choose

Choose- singles (monographs)

Choose subscriptions

(serials)

Choose suites

Order /receive

Profiled

Check-in

Describe

Catalogue

Classify

Make available

Label

Shelve

Proxy

Find

Search

• OPAC

• Web

Browse

Filtered

• Course

• Subject

Access

ERM licensing

Authentication

Proxy

Use/borrow

Circulation

• Regular

• Media / special formats

• Course reserve

• Laptop

Interlibrary loans

3

MISSION ANALYSIS – SUMMARY

Must ensure the Availability, Integrity and Confidentiality (AIC) of content and services

Must plan and prepare to continue/recover provision of content and services after a major interruption

Service Level Agreements (written and implied) Reciprocal services

Expectations of patrons

Roles in the community (meetings, etc.)

Stewardship of assets

Contribution to learning, economic prosperity

4

DEFINING RISK

Risk is uncertainty of loss expressed in terms of probability of such loss

Chance of a threat exploiting a vulnerability and causing a loss to an asset in terms of:

• Confidentiality

• Integrity

• Availability

Forms of risk: • Classic risk: budgetary, asset protection, service continuity

• Intangible risk: opportunity cost, reputation

5

Identifying Risk

Risk Assessment

Mitigation

Prioritization & Decision Making

UNDERSTANDING RISK

6

Plans

current operations

changes to operations

new projects

WHY CONDUCT RISK ASSESSMENT?

Informed decision for risk management

Fuller understanding of: Operations Asset values Threats Vulnerabilities Risks Safeguards

Due diligence

Accountability

7

“… the TRA, is a particularly

powerful tool to help program and

project managers meet their

responsibilities for due diligence and

sound stewardship while seeking

innovative solutions to enhance

service delivery results and

performance…designed to address

all employees, assets and services

at risk.”

Harmonized Threat & Risk Assessment (HTRA) Methodology, 2007www.cse-cst.gc.ca/documents/publications/tra-emr/tra-emr-1-e.pdf

HOW ARE TRAS PERFORMED? (FROM HTRA)

Establish scope of assessment and identify employees and assets to be safeguarded

Determine threats to employees and assets and assess the likelihood and impact of their occurrence

Assess vulnerabilities of assets

Assess adequacy of existing safeguards

Compute risk

Implement additional safeguards, if necessary, to reduce residual risk to an acceptable level

8

TRA TERMINOLOGY – ASSET

Anything that has value (and must be protected)

Personnel

Materiel

Infrastructure and facilities

Information

Activities

9

MaterielPersonnel

Facilities and Infrastructure Information Activities

Tangible and intangible e.g. reputation, goodwill, market share, legal position

Value expressed in terms of CIA triad

Confidentiality • Integrity • Availability

Valuated by injury test

10

TRA TERMINOLOGY – ASSET (CONTD)

Threat - potential danger to assets that can affect the CIA triad by exploiting vulnerabilities

Vulnerability - weakness or “lack of something” in an asset that could be exploited by a threat

Physical Personnel Technical Procedural

Natural

ALL

(e.g. earthquakes,

volcanoes, storms)

Deliberate Employee sabatogeHacker

AccidentalUnauthorized

software (e.g. game)Cut Cable

TYPE INTERNALEXTERNAL

11

TRA Terminology

TRA TERMINOLOGY – RISK ASSESSMENT

Determination of the likelihood and impact on operational success of a threat exploiting a vulnerability and causing a loss of the value of an asset Both a process and interim result

Part of risk management The total process of identifying, controlling

and eliminating or minimizing uncertain events that might affect system resources

Residual Risk (RR) The risk remaining after implementation of

safeguards

12

TRA TERMINOLOGY

Safeguards - risk-reducing measures that act to detect, prevent, or minimize loss associated with the occurrence of a threat or threat scenario

Reduce either vulnerability or threat

13

Physical Controls

Technical Controls

Administrative Controls

Organizational Assets & Data

Aim is to determine and accept RR

Senior management decision

Options Accept

Mitigate

Transfer

Deny/Avoid

TRA Terminology – Risk Management

14

MACODRUM PROJECTS

Existing environment – preparing for change

Identity Management Framework (TRA)

New project – should we proceed?

CURVE Institutional Repository (TRA)

Continuity planning

Business Continuity Plan (BCP)

Disaster Recovery Plan (DRP)

15

IDENTITY MANAGEMENT FRAMEWORK

Analyzing user identity, authentication & access management within MacOdrum Library

Scope: in-depth analysis of Library systems in the larger context of Carleton ID management

CIA requirements

C – Low

I – Moderate

A - Low

16

IDENTITY MANAGEMENT TRA FINDINGSThreats

•Malicious hacking (High)

•Accidental disclosure of sensitive information by employees (High)

•Deliberate disclosure of sensitive information by disgruntled staff (Moderate)

Vulnerabilities •Lack of security awareness and training program

•Lack of Business Continuity Management (BCM) Program

•Ineffective access control mechanisms

Risks•Compromised information or services due to accident or attack by malicious hacker (Very High)

•Loss of Integrity of authentication data and patron’s credentials leading to reduced availability (High)

IDENTITY MANAGEMENT TRA FINDINGS

Recommendations •Develop a formal IT security awareness program

•Develop and test a formal BCP and DRP

•Develop and deploy a Central Authentication system

•Develop and deploy stronger Authentication / Authorization mechanism for Remote Vendor Access

•Implement more stringent IDS / IPS

•Develop security policies for critical day-to-day operations

CURVE INSTITUTIONAL REPOSITORY

Multi-tiered, multifunctional research support and digital archive environment

Scope: E-theses and Dissertations stream

CIA requirements

19

silo authoring committee Processing

-FGS

Processing -

Library

Public/

preservation

ele

ment

conte

nt

Editin

g/

annota

tions

corr

espondence

conte

nt

Com

ments

/

annota

tions

Pro

cess /

Corr

espondence /

Pro

cess

docum

enta

tio

n /

W

aiv

er

/ IP

docs

Conte

nt

Waiv

er

/ IP

docum

enta

tio

meta

data

conte

nt

Meta

data

str

eam

s

Confidentiality M M H M E H M L L H L vL vL

Integrity H H M H M M H E E H H E H

Access H M M M L M M L M L H M–>E H

Monetary E H L M M M H H E H M E M

CURVE TRA FINDINGSCritical Assets

•Theses and dissertations, in digital format •Metadata•Overall reputation of University, Library and Faculty

Threats•Policy changes initiated by the Faculty of Graduate Studies and Research •Deliberate academic espionage•Coding and systems integration errors

Vulnerabilities•Lack of depth of personnel redundancy•Lack of design documents •Lack of a governance structure or partnership agreement with Faculty of Graduate Studies and Research

CURVE TRA FINDINGS

Risks•Reduction of integrity of the University's reputation due to:

• Software/Logic errors (Very High)

• Deliberate academic espionage (Very High).

•Reduction of integrity of content data objects (Very High).

Recommendations•Increase depth of personnel redundancy with respect to technical expertise

•Develop formal governance structure or partnership agreement

•Develop requirements and technical and design documentation

TRA LESSONS LEARNED Takes considerable time for information gathering

Extensive coordination (internal and external) required

Enhanced understanding of operational processes

“Forced” clear articulation by staff

Tested operational assumptions

Identified gaps in procedures and documentation

Useful for making business cases for process change, funding

Increased AP&S awareness of staff

Students - highly motivated, work well in teams, learn significantly more than in passive course

22

RISK MANAGEMENT TOOL –BUSINESS CONTINUITY PLANNING

Umbrella term for strategy to prevent interruptions to normal business activity

Ensures continued provision of key business processes and personnel (A I C)

Framework for building resilience, appropriate response and resumption

Includes BCP and DRP

23

CONTINUITY PLANS

Business Continuity Plan (BCP) Focus on operational business processes Primary objective is to continue/recover all mission-

critical business functions after a major interruption Typically at an alternate site

Restoration of all business functions at the primary site

Disaster Recovery Plan (DRP) Focus on IT Recovery - technical Immediate and temporary actions to restore limited IT

operations within maximum allowable downtime Primary objective

Process mission-critical applications in degraded mode Return to normal mode in reasonable time

24

BCP/DRP DEFINITIONS

Major Interruptions

Disaster – a sudden, unstoppable, unplanned calamitous event that brings about great damage to or loss of life, valuables, environment

• Organization unable to support critical business functions within maximum allowable downtime at the primary site

Catastrophe – a major disaster that destroys the facility altogether

25

WHAT IS CRITICAL?

Critical Business Function (ensured by BCP)

Subset of functions essential to meet minimum service levels (MSLs)

Meets organizational goals

Complies with regulations, laws, and SLAs

Critical Information System (ensured by DRP)

Hardware, software, personnel and communications necessary to ensure the viability of an organization during an interruption in normal data processing support

26

Plan Execution

Continuum of a BCP Program

27

MACODRUM LIBRARY OPERATIONS

Background

Academic Library, expectations of service delivery of students, faculty and staff

Scope

All library operations

Findings (pursuant to research project)

28

FULL RANGE OF LIBRARY PERSONNEL

0 -3 years

4-10 years

11-15 years

16+ years

Experience in Library(or related fields)

0123456789

Areas of responsibility

1 (primary)2 (secondary)

29

APPROPRIATENESS OF SITE

16.7%

50.0%

16.7%

12.5%

4.2%

Very appropriate

Quite appropriate

Somewhat appropriate

Minimally appropriate

Not appropriate

30

4.2%

70.8%

20.8%

4.2%

No impact

Minimal impact

Some impact

Considerable impact

IMPACT OF PARTICIPATION IN BCPON LIBRARY OPERATIONS

31

VALUE OF BCP PRACTICUM & PROGRAM

IN SUPPORTING OPERATIONAL CONTINUITY

32%

56%

12%

Not valuable at all

Somewhat valuable

Quite valuable

Very valuable

32

APPROPRIATENESS OF

SUPERVISED PRACTICUM

50% would recommend without reservation to colleagues to participate in a practicum to produce a BCP

45% would recommend with reservations

“Be aware of the time commitment”

“Release a staff person from all other duties”

“It is not something you can say no to”

33

WORTH OF PARTICIPATION

16%

28%

48%

8%

Worth of participation in BCP practicum

Very worthwhile

Quite worthwhile

Somewhat worthwhile

Minimally worthwhile

Not worthwhile at all

34

CLIENT – KNOWLEDGE GAINED IN BCP/DRP

33%

15%8% 8%

41%

44%

8%

46%

8%

15%

60%

30%

56%

35%

52%

11%

32%

11%

32%

12%

32%

0%

20%

40%

60%

80%

100%

120%

BCP-initial BCP final DRP -initial DRP -final EM - initial EM - final

No knowledge Awareness of concept Some knowledge Considerable knowledge

35

STAFF WILLINGNESS TO SUPPORT BCP PROGRAM

36

SUMMARY COMMENTS

“The pro is the cost but the major con is the time that it took.” Requires project authority to be fully devoted to the practicum

“[She] learned a tremendous amount and is now an excellent resource for the Library, as well as the University”

“I fully support this project and wanted to do anything I could to help”

37

CLIENT PERSPECTIVE – SUMMARY

“Participation validated questions I had about operations and safety”

“It was valuable in getting managers to recognize gaps in documentation and also that the BCP is a library-wide operation which requires commitment and participation from all sections”

“Without seeing it in practice, I am sceptical. Without [staff] comprehension and buy-in, the plan does little”

38

LESSONS LEARNED

Difficult to estimate LoE for a practicum site

Detail

Must plan for inconsistent effort

Must scope the project to time, site complexity and number/experience of students

LoE for Technical Authority was substantial

Dedication and interest

Logistics and learning support

39

LESSONS LEARNED

Need to manage student, consultant and client expectations on LoE

Significant lead time and planning required

Formal Project Management required

40

RESEARCH IN ASSET PROTECTION AND SECURITY

(AP&S) LEARNING

Utility of combining advanced theoretical (academic) and practical (skills) learning toward the production of useful AP&S deliverables for critical infrastructure clients

Private courses

Academic courses (e.g., MIPIS)

Supervised work placements Co-ops

Internships

41

CONCLUSIONS

Overall worthwhile

Appreciate limits on capacity to participate and plan accordingly

42

QUESTIONS?

Pat Moore, AUL and Head of Systems, 613 520-2600 X2745, pat_moore@carleton.ca

Wayne Boone, Assistant Professor, IPIS Program, 613 520-2600 X 6672, wayne_boone@carleton.ca