U.Va.’s IT Security Risk Management Program (ITS-RM)
DESCRIPTION
U.Va.’s IT Security Risk Management Program (ITS-RM). April 2004 LSP Conference. Brian Davis, OIT, Security and Policy. Announcing the roll out of version 1.0, which will assist departments in appropriately protecting their IT assets.
TRANSCRIPT
U.Va.’s IT Security Risk Management Program
(ITS-RM)
April 2004 LSP Conference
Brian Davis
OIT, Security and Policy

IT Security Risk Management Program (ITS-RM)
Announcing the roll out of version 1.0
Will assist departments in appropriately protecting their IT assets
Why?

IT Security Risk Management.
It’s not just a “best practice,” it’s a good idea!

Good News
Most of you are already doing most of what you need to be doing
Program provides tools to make identification and prioritization of the rest easier
Be prepared when your department’s administrators come to you for assistance
What’s Risk Management?
Formally defined
“The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.”
More simply put…
“Determine what your risks are and then decide on a course of action to deal with those risks.”
Even more colloquially…
What’s your threshold for pain?
Do you want failure to deal with this risk to end up on the front page of the Daily Progress?
Risk Management Practices
Conduct a mission impact analysis and risk assessment to:
1. Identify various levels of sensitivity associated with information resources
2. Identify potential security threats to those resources
Risk Management Practices (cont.)
Conduct a mission impact analysis and risk assessment to:
3. Determine the appropriate level of security to be implemented to safeguard those resources
4. Review, reassess and update as needed or at least every 3 years

Risk Management Practices (cont.)
Coordinated and integrated with contingency planning and mission resumption activities
Mission continuity plan that will provide reasonable assurance that critical data processing support can be continued or resumed within an acceptable time frame if normal operations are interrupted
University Level
Design university-wide program for analysis, assessment & planning
Identify general security threats & provide other guidance material
Oversee completion of department level analysis, assessment, planning efforts
Complete yearly analysis & assessment for enterprise systems; update enterprise business continuity regularly

Departmental Level
Identify sensitive department system data, assets & threats to those data, assets
Determine appropriate safeguards & form plan for implementing them
Complete U.Va. templates at least every three years & when computing environment changes significantly

Brief Description
ITC implementing a University-wide IT Security Risk Management Program for
IT Mission Impact Analysis
IT Risk Assessment
IT Mission Continuity Planning
Evaluation and Reassessment
What Has Been Done
ITC conducts a yearly business analysis and risk assessment for directly managed resources; updates its business continuity plan more often
Similar planning occurred across the University as part of the Y2K initiative
Comptroller’s Office collects information on the existence–but not quality–of security-related plans
Audit Department includes review of security plans during routine departmental audits
ITC’s departmental security self-assessment checklist (part of security awareness program)

Why That’s Not Enough
Y2K business continuity plans not updated
No mechanisms for tracking the frequency of updates, quality and consistency
No central repository for safeguarding assessment and planning documents
No university-level procedure dealing explicitly with ongoing IT security risk management
Non-compliant with state standards or HIPAA and GLBA
Responsibilities
ITC
Health System
Audit Department
Other Offices
The Departments…

Executive Support
Strong executive support has been a key success factor at other institutions
Executives fully behind program at U.Va.
University policy requiring participation in the program is coming
Encouragement from LSPs will also be necessary as many department heads will not fully appreciate the need for IT security assessment and planning
Step 1 – Identify Critical IT Assets
ITS-RM Toolbox: 1. Criteria 2. Template
Result: Critical Assets List

Step 2 – Assess Risks
For each critical asset:
• Weigh likelihood & impact of threats to each asset
• Prioritize threats
• Select response strategies
• Develop remediation plan
ITS-RM Toolbox: 1. threat scenarios 2. response strategies 3. remediation plan template & example
Result: Remediation Plan

Step 3 – Mission Continuity Planning
Create a response plan to use in the event that critical IT assets are lost, unavailable, corrupted or disclosed
ITS-RM Toolbox: 1. disaster recovery plan example 2. interim manual procedures example
Result: Disaster Recovery Plan, Interim Manual Procedures

Step 4 – Evaluation and Reassessment
Required at least once every three years
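The four steps above, as an added worked example that is not part of the ITS-RM toolbox or U.Va.’s templates: a small Python risk register that keeps only assets meeting the Step 1 criticality criteria, scores each threat by likelihood times impact and maps it to a response strategy (Step 2), flags rare-but-severe threats for Step 3 continuity planning, and computes the Step 4 reassessment deadline. The 1–5 scales, the strategy thresholds and the sample assets are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date

REASSESS_YEARS = 3  # Step 4: review at least once every three years

@dataclass
class Threat:
    scenario: str
    likelihood: int  # assessor's estimate, 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (mission-stopping)
    def score(self) -> int:
        return self.likelihood * self.impact  # likelihood x impact weighting

@dataclass
class Asset:
    name: str
    critical: bool  # Step 1: does it meet the department's criticality criteria?
    threats: list = field(default_factory=list)

def response_strategy(t: Threat) -> str:
    """Step 2: pick a response class for a scored threat (thresholds assumed)."""
    if t.score() >= 15:
        return "mitigate now"          # top of the remediation plan
    if t.score() >= 8:
        return "mitigate (scheduled)"  # remediation plan, lower priority
    if t.impact >= 4:
        return "plan for recovery"     # rare but severe: Step 3 continuity plan
    return "accept and monitor"

def assess(assets: list) -> list:
    """Steps 1-2: keep critical assets, score their threats, highest risk first."""
    rows = [(a.name, t.scenario, t.score(), response_strategy(t))
            for a in assets if a.critical for t in a.threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)

def reassessment_due(last_review: date) -> date:
    """Step 4: next review is due no later than three years after the last one."""
    try:
        return last_review.replace(year=last_review.year + REASSESS_YEARS)
    except ValueError:  # 29 Feb has no counterpart that year; clamp to 28 Feb
        return last_review.replace(year=last_review.year + REASSESS_YEARS, day=28)

SAMPLE_ASSETS = [  # constructed illustration, not U.Va. data
    Asset("grants database", True, [
        Threat("disk failure with no tested backup", 3, 5),
        Threat("unauthorized disclosure of personal data", 2, 5),
        Threat("building fire", 1, 5)]),
    Asset("department web server", True, [Threat("defacement", 3, 2)]),
    Asset("lab printer", False, [Threat("out of toner", 5, 1)]),  # not critical
]
```

Each row of `assess(SAMPLE_ASSETS)` is one line of the remediation plan; the non-critical printer never enters the register, and the fire scenario lands in the continuity plan rather than the remediation plan.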
Let’s look at an example…

It’s good for you!
Risk management makes you more efficient
Risk management helps you make your case
Risk management has got your back

It’s not as painful as it looks!
No one will be starting from scratch
Little is expected from those with little, more is expected from those with more
The templates are designed for the most complex situations but work for simple solutions, too
ITS-RM Roll Out
Version 2.0 coming soon…
Top 5 by end of year
Next 5 by next summer
Encourage other departments to get moving

You’re Not Alone...
ITC can’t do it for you
Available to consult
Meet to explain process
Service consultations if we have solutions that fill a gap

For More Information...
http://www.itc.virginia.edu/security/riskmanagement
Brian Davis, [email protected], 243-8707
Shirley Payne, [email protected], 924-4165