its-rm lsp apr2004
TRANSCRIPT
-
7/30/2019 Its-rm Lsp Apr2004
1/24
U.Va.'s IT Security
Risk Management Program
(ITS-RM)
April 2004 LSP Conference
Brian Davis
OIT, Security and Policy
-
IT Security Risk Management Program (ITS-RM)
Announcing the roll out of version 1.0
Will assist departments in appropriately protecting their IT assets
-
Why?
IT Security Risk Management.
It's not just a best practice, it's a good idea!
-
Good News
Most of you are already doing most of what you need to be doing
Program provides tools to make identification and prioritization of the rest easier
Be prepared when your department's administrators come to you for assistance
-
What's Risk Management?
Formally defined
The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.
-
More simply put
Determine what your risks are and then decide on a course of action to deal with those risks.
-
Even more colloquially
What's your threshold for pain?
Do you want failure to deal with this risk to end up on the front page of the Daily Progress?
-
Risk Management Practices
Conduct a mission impact analysis and risk assessment to:
1. Identify various levels of sensitivity associated with information resources
2. Identify potential security threats to those resources
-
Risk Management Practices (cont.)
Conduct a mission impact analysis and risk assessment to:
3. Determine the appropriate level of security to be implemented to safeguard those resources
4. Review, reassess and update as needed or at least every 3 years
-
University Level
Design university-wide program for analysis, assessment & planning
Identify general security threats & provide other guidance material
Oversee completion of department level analysis, assessment, planning efforts
Complete yearly analysis & assessment for enterprise systems; update enterprise business continuity regularly
-
Departmental Level
Identify sensitive department system data, assets & threats to those data, assets
Determine appropriate safeguards & form plan for implementing them
Complete U.Va. templates at least every three years & when computing environment changes significantly
-
Brief Description
ITC implementing a University-wide IT Security Risk Management Program for
IT Mission Impact Analysis
IT Risk Assessment
IT Mission Continuity Planning
Evaluation and Reassessment
-
What Has Been Done
ITC conducts a yearly business analysis and risk assessment for directly managed resources; updates its business continuity plan more often
Similar planning occurred across the University as part of the Y2K initiative
Comptroller's Office collects information on the existence, but not quality, of security-related plans
Audit Department includes review of security plans during routine departmental audits
ITC's departmental security self-assessment checklist (part of security awareness program)
-
Why That's Not Enough
Y2K business continuity plans not updated
No mechanisms for tracking the frequency of updates, quality and consistency
No central repository for safeguarding assessment and planning documents
No university-level procedure dealing explicitly with ongoing IT security risk management
Non-compliant with state standards or HIPAA and GLBA
-
Responsibilities
ITC
Health System
Audit Department
Other Offices
The Departments
-
Executive Support
Strong executive support has been a key success factor at other institutions
Executives fully behind program at U.Va.
University policy requiring participation in the program is coming
Encouragement from LSPs will also be necessary as many department heads will not fully appreciate the need for IT security assessment and planning
-
Step 1 - Identify Critical IT Assets
ITS-RM Toolbox: 1. Criteria 2. Template
Output: Critical Assets List
Step 2 - Assess Risks
For each critical asset: Weigh likelihood & impact of threats to each asset; Prioritize threats; Select response strategies; Develop remediation plan
ITS-RM Toolbox: 1. threat scenarios 2. response strategies 3. remediation plan template & example
Output: Remediation Plan
Step 3 - Mission Continuity Planning
Create a response plan to use in the event that critical IT assets are lost, unavailable, corrupted or disclosed
ITS-RM Toolbox: 1. disaster recovery plan example 2. interim manual procedures example
Outputs: Disaster Recovery Plan; Interim Manual Procedures
Step 4 - Evaluation and Reassessment
Required at least once every three years
-
Let's look at an example
-
It's good for you!
Risk management makes you more efficient
Risk management helps you make your case
Risk management has got your back
-
It's not as painful as it looks!
No one will be starting from scratch
Little is expected from those with little, more is expected from those with more
The templates are designed for the most complex situations but work for simple solutions, too
-
ITS-RM Roll Out
Version 2.0 coming soon
Top 5 by end of year
Next 5 by next summer
Encourage other departments to get moving
-
You're Not Alone...
ITC can't do it for you
Available to consult
Meet to explain process
Service consultations if we have solutions that fill a gap
-
For More Information...
http://www.itc.virginia.edu/security/riskmanagement
Brian Davis Shirley Payne
[email protected] [email protected]
243-8707 924-4165
http://www.itc.virginia.edu/security/checklist/checklist_intro.html