ola 2011-boone-moore-risk and continuity in library operations
DESCRIPTION
Library operations are ever-changing as they incorporate new technology, formats and content to better meet service delivery mandates. Changes introduce new risks to library operations and additional challenges to recovery of essential services after a major interruption. This presentation explains the innovative ways in which security threat risk assessment (TRA) and business continuity planning (BCP) have been implemented in one institution, and how their frameworks might provide guidance in your library. This session focuses on how these two security risk management methodologies enhanced the understanding of all participants of library operations. It also touches on the experience of using a hybrid model of external security support (students and experts).
TRANSCRIPT
EXPLORING OPERATIONAL SECURITY RISK AND CONTINUITY IN LIBRARY OPERATIONS
Ontario Library Association – Super Conference 2011
Pat Moore & Wayne Boone
04 February 2011
AGENDA
Supporting Mission Success
Risks to Operations
Introduction to Risk Management Frameworks
MacOdrum Library Projects
Lessons Learned
Research Program
Conclusions and Way Ahead
Q & A
1
ALL OPERATIONS SUPPORT THE MISSION
What is our mission?
We promote excellence at Carleton University by collecting, preserving and providing access to information resources and services for our teaching, learning, research and administrative communities wherever they are located.
MacOdrum Library – Carleton University (ca. 2003)
2
MISSION ANALYSIS – SUMMARY
Choose
Choose singles (monographs)
Choose subscriptions (serials)
Choose suites
Order / receive
Profiled
Check-in
Describe
Catalogue
Classify
Make available
Label
Shelve
Proxy
Find
Search
• OPAC
• Web
Browse
Filtered
• Course
• Subject
Access
ERM licensing
Authentication
Proxy
Use/borrow
Circulation
• Regular
• Media / special formats
• Course reserve
• Laptop
Interlibrary loans
3
MISSION ANALYSIS – SUMMARY
Must ensure the Availability, Integrity and Confidentiality (AIC) of content and services
Must plan and prepare to continue/recover provision of content and services after a major interruption
Service Level Agreements (written and implied)
Reciprocal services
Expectations of patrons
Roles in the community (meetings, etc.)
Stewardship of assets
Contribution to learning, economic prosperity
4
DEFINING RISK
Risk is uncertainty of loss expressed in terms of probability of such loss
Chance of a threat exploiting a vulnerability and causing a loss to an asset in terms of:
• Confidentiality
• Integrity
• Availability
Forms of risk:
• Classic risk: budgetary, asset protection, service continuity
• Intangible risk: opportunity cost, reputation
5
Identifying Risk
Risk Assessment
Mitigation
Prioritization & Decision Making
UNDERSTANDING RISK
6
Plans
current operations
changes to operations
new projects
WHY CONDUCT RISK ASSESSMENT?
Informed decision for risk management
Fuller understanding of: Operations, Asset values, Threats, Vulnerabilities, Risks, Safeguards
Due diligence
Accountability
7
“… the TRA, is a particularly powerful tool to help program and project managers meet their responsibilities for due diligence and sound stewardship while seeking innovative solutions to enhance service delivery results and performance…designed to address all employees, assets and services at risk.”
Harmonized Threat & Risk Assessment (HTRA) Methodology, 2007, www.cse-cst.gc.ca/documents/publications/tra-emr/tra-emr-1-e.pdf
HOW ARE TRAS PERFORMED? (FROM HTRA)
Establish scope of assessment and identify employees and assets to be safeguarded
Determine threats to employees and assets and assess the likelihood and impact of their occurrence
Assess vulnerabilities of assets
Assess adequacy of existing safeguards
Compute risk
Implement additional safeguards, if necessary, to reduce residual risk to an acceptable level
8
TRA TERMINOLOGY – ASSET
Anything that has value (and must be protected)
Personnel
Materiel
Infrastructure and facilities
Information
Activities
9
Materiel • Personnel • Facilities and Infrastructure • Information • Activities
Tangible and intangible e.g. reputation, goodwill, market share, legal position
Value expressed in terms of CIA triad
Confidentiality • Integrity • Availability
Valuated by injury test
10
TRA TERMINOLOGY – ASSET (CONTD)
Threat - potential danger to assets that can affect the CIA triad by exploiting vulnerabilities
Vulnerability - weakness or “lack of something” in an asset that could be exploited by a threat
Physical • Personnel • Technical • Procedural
Threat types (TYPE: INTERNAL / EXTERNAL)
Natural: ALL (e.g. earthquakes, volcanoes, storms)
Deliberate: Employee sabotage / Hacker
Accidental: Unauthorized software (e.g. game) / Cut cable
11
TRA Terminology
TRA TERMINOLOGY – RISK ASSESSMENT
Determination of the likelihood and impact on operational success of a threat exploiting a vulnerability and causing a loss of the value of an asset
Both a process and interim result
Part of risk management
The total process of identifying, controlling and eliminating or minimizing uncertain events that might affect system resources
Residual Risk (RR)
The risk remaining after implementation of safeguards
12
TRA TERMINOLOGY
Safeguards - risk-reducing measures that act to detect, prevent, or minimize loss associated with the occurrence of a threat or threat scenario
Reduce either vulnerability or threat
13
Physical Controls
Technical Controls
Administrative Controls
Organizational Assets & Data
Aim is to determine and accept RR
Senior management decision
Options: Accept, Mitigate, Transfer, Deny/Avoid
TRA Terminology – Risk Management
14
MACODRUM PROJECTS
Existing environment – preparing for change
Identity Management Framework (TRA)
New project – should we proceed?
CURVE Institutional Repository (TRA)
Continuity planning
Business Continuity Plan (BCP)
Disaster Recovery Plan (DRP)
15
IDENTITY MANAGEMENT FRAMEWORK
Analyzing user identity, authentication & access management within MacOdrum Library
Scope: in-depth analysis of Library systems in the larger context of Carleton ID management
CIA requirements
C – Low
I – Moderate
A – Low
16
IDENTITY MANAGEMENT TRA FINDINGS
Threats
• Malicious hacking (High)
• Accidental disclosure of sensitive information by employees (High)
• Deliberate disclosure of sensitive information by disgruntled staff (Moderate)
Vulnerabilities
• Lack of security awareness and training program
• Lack of Business Continuity Management (BCM) Program
• Ineffective access control mechanisms
Risks
• Compromised information or services due to accident or attack by malicious hacker (Very High)
• Loss of Integrity of authentication data and patron’s credentials leading to reduced availability (High)
IDENTITY MANAGEMENT TRA FINDINGS
Recommendations
• Develop a formal IT security awareness program
• Develop and test a formal BCP and DRP
• Develop and deploy a Central Authentication system
• Develop and deploy stronger Authentication / Authorization mechanism for Remote Vendor Access
• Implement more stringent IDS / IPS
• Develop security policies for critical day-to-day operations
CURVE INSTITUTIONAL REPOSITORY
Multi-tiered, multifunctional research support and digital archive environment
Scope: E-theses and Dissertations stream
CIA requirements
19
[Table: CIA and monetary requirements by silo and element]
Silos: authoring, committee, Processing - FGS, Processing - Library, Public/preservation
Elements: content, Editing/annotations, correspondence, content, Comments/annotations, Process / Correspondence / Process documentation / Waiver / IP docs, Content, Waiver / IP documentation, metadata, content, Metadata streams
Confidentiality M M H M E H M L L H L vL vL
Integrity H H M H M M H E E H H E H
Access H M M M L M M L M L H M–>E H
Monetary E H L M M M H H E H M E M
CURVE TRA FINDINGS
Critical Assets
• Theses and dissertations, in digital format
• Metadata
• Overall reputation of University, Library and Faculty
Threats
• Policy changes initiated by the Faculty of Graduate Studies and Research
• Deliberate academic espionage
• Coding and systems integration errors
Vulnerabilities
• Lack of depth of personnel redundancy
• Lack of design documents
• Lack of a governance structure or partnership agreement with Faculty of Graduate Studies and Research
CURVE TRA FINDINGS
Risks
• Reduction of integrity of the University's reputation due to:
• Software/Logic errors (Very High)
• Deliberate academic espionage (Very High).
• Reduction of integrity of content data objects (Very High).
Recommendations
• Increase depth of personnel redundancy with respect to technical expertise
• Develop formal governance structure or partnership agreement
• Develop requirements and technical and design documentation
TRA LESSONS LEARNED
Takes considerable time for information gathering
Extensive coordination (internal and external) required
Enhanced understanding of operational processes
“Forced” clear articulation by staff
Tested operational assumptions
Identified gaps in procedures and documentation
Useful for making business cases for process change, funding
Increased AP&S awareness of staff
Students - highly motivated, work well in teams, learn significantly more than in passive course
22
RISK MANAGEMENT TOOL – BUSINESS CONTINUITY PLANNING
Umbrella term for strategy to prevent interruptions to normal business activity
Ensures continued provision of key business processes and personnel (A I C)
Framework for building resilience, appropriate response and resumption
Includes BCP and DRP
23
CONTINUITY PLANS
Business Continuity Plan (BCP)
Focus on operational business processes
Primary objective is to continue/recover all mission-critical business functions after a major interruption
Typically at an alternate site
Restoration of all business functions at the primary site
Disaster Recovery Plan (DRP)
Focus on IT Recovery - technical
Immediate and temporary actions to restore limited IT operations within maximum allowable downtime
Primary objective
Process mission-critical applications in degraded mode
Return to normal mode in reasonable time
24
BCP/DRP DEFINITIONS
Major Interruptions
Disaster – a sudden, unstoppable, unplanned calamitous event that brings about great damage to or loss of life, valuables, environment
• Organization unable to support critical business functions within maximum allowable downtime at the primary site
Catastrophe – a major disaster that destroys the facility altogether
25
WHAT IS CRITICAL?
Critical Business Function (ensured by BCP)
Subset of functions essential to meet minimum service levels (MSLs)
Meets organizational goals
Complies with regulations, laws, and SLAs
Critical Information System (ensured by DRP)
Hardware, software, personnel and communications necessary to ensure the viability of an organization during an interruption in normal data processing support
26
Plan Execution
Continuum of a BCP Program
27
MACODRUM LIBRARY OPERATIONS
Background
Academic Library, expectations of service delivery of students, faculty and staff
Scope
All library operations
Findings (pursuant to research project)
28
FULL RANGE OF LIBRARY PERSONNEL
[Chart: experience in Library (or related fields): 0-3 years, 4-10 years, 11-15 years, 16+ years; areas of responsibility: 1 (primary), 2 (secondary)]
29
APPROPRIATENESS OF SITE
16.7%
50.0%
16.7%
12.5%
4.2%
Very appropriate
Quite appropriate
Somewhat appropriate
Minimally appropriate
Not appropriate
30
4.2%
70.8%
20.8%
4.2%
No impact
Minimal impact
Some impact
Considerable impact
IMPACT OF PARTICIPATION IN BCP ON LIBRARY OPERATIONS
31
VALUE OF BCP PRACTICUM & PROGRAM
IN SUPPORTING OPERATIONAL CONTINUITY
32%
56%
12%
Not valuable at all
Somewhat valuable
Quite valuable
Very valuable
32
APPROPRIATENESS OF
SUPERVISED PRACTICUM
50% would recommend without reservation to colleagues to participate in a practicum to produce a BCP
45% would recommend with reservations
“Be aware of the time commitment”
“Release a staff person from all other duties”
“It is not something you can say no to”
33
WORTH OF PARTICIPATION
16%
28%
48%
8%
Worth of participation in BCP practicum
Very worthwhile
Quite worthwhile
Somewhat worthwhile
Minimally worthwhile
Not worthwhile at all
34
CLIENT – KNOWLEDGE GAINED IN BCP/DRP
[Chart: knowledge level by stage]
Stages: BCP initial, BCP final, DRP initial, DRP final, EM initial, EM final
Levels: No knowledge, Awareness of concept, Some knowledge, Considerable knowledge
Data labels: 33%, 15%, 8%, 8%, 41%, 44%, 8%, 46%, 8%, 15%, 60%, 30%, 56%, 35%, 52%, 11%, 32%, 11%, 32%, 12%, 32%
35
STAFF WILLINGNESS TO SUPPORT BCP PROGRAM
36
SUMMARY COMMENTS
“The pro is the cost but the major con is the time that it took.”
Requires project authority to be fully devoted to the practicum
“[She] learned a tremendous amount and is now an excellent resource for the Library, as well as the University”
“I fully support this project and wanted to do anything I could to help”
37
CLIENT PERSPECTIVE – SUMMARY
“Participation validated questions I had about operations and safety”
“It was valuable in getting managers to recognize gaps in documentation and also that the BCP is a library-wide operation which requires commitment and participation from all sections”
“Without seeing it in practice, I am sceptical. Without [staff] comprehension and buy-in, the plan does little”
38
LESSONS LEARNED
Difficult to estimate LoE for a practicum site
Detail
Must plan for inconsistent effort
Must scope the project to time, site complexity and number/experience of students
LoE for Technical Authority was substantial
Dedication and interest
Logistics and learning support
39
LESSONS LEARNED
Need to manage student, consultant and client expectations on LoE
Significant lead time and planning required
Formal Project Management required
40
RESEARCH IN ASSET PROTECTION AND SECURITY
(AP&S) LEARNING
Utility of combining advanced theoretical (academic) and practical (skills) learning toward the production of useful AP&S deliverables for critical infrastructure clients
Private courses
Academic courses (e.g., MIPIS)
Supervised work placements
Co-ops
Internships
41
CONCLUSIONS
Overall worthwhile
Appreciate limits on capacity to participate and plan accordingly
42
QUESTIONS?
Pat Moore, AUL and Head of Systems, 613 520-2600 X2745
Wayne Boone, Assistant Professor, IPIS Program, 613 520-2600 X 6672