University Technology Risks: Assessment and Management
April 2010
Pati Milligan, PhD, Professor, Baylor University, Waco, Texas
Issues
• What are academic technology risks?
• How do we assess and manage?
• Where do we fail?
• Future focus?
Private vs Public University Risk Assessments
As so aptly stated in the ACFE presentation:
"In the initial stages, fraud and stupidity bear a close resemblance."
• Most universities are not for profit and have limited staff/budget
• Academia is an open learning environment. So what's the big deal?
• Every component of the university is dependent on automation and integration
• We must integrate business and academic technology solutions to attain proper risk management
Why Care About IT-related Risk?
IT Risk Must Manage and Capitalize on Business Risk
• Some universities try to eliminate the very risks that drive research and education
• Guidance is needed on how to manage risk effectively
©2009 ISACA/ITGI. All rights reserved.
A Balance is Essential
• Risk and value are two sides of the same coin
• Risk is inherent to all enterprises
• Academic risk and industry risk are the same. But… we need to ensure that the opportunities for value creation provided by academia are not missed by trying to eliminate all risk
So How to Assess Technology Risk?
Scope definition
◦ Business process identification, including roles within the business process and interest groups (internal and external)
◦ Academic needs ??
◦ Assets that need protection ??
Analysis
◦ Qualitative risk assessment methodology
◦ Identification of conflicts of interest
◦ Business need for access for identified roles vs academic need for autonomy
◦ Issues with the current access system
Risk Domains
Governance
◦ Responsibility and accountability for risk
◦ Risk appetite and tolerance
◦ Awareness and communication
◦ Risk culture
Evaluation
◦ Risk scenarios
◦ Business impact descriptions
Response
◦ Key risk indicators (KRIs)
◦ Risk response definition and prioritization
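The Evaluation and Response domains above come together in a risk register: each scenario carries a business impact description, a qualitative rating, a key risk indicator with a tolerance, and a prioritized response. The following Python register is an added illustration, not material from the presentation or from ISACA's Risk IT model; the scenarios, ratings, KRI readings, tolerances and the three response categories (mitigate, monitor, accept) are constructed assumptions used to show the mechanics.

```python
"""Worked qualitative risk register for the Evaluation and Response domains:
rate each scenario, compare its key risk indicator (KRI) with the tolerance
set for it, and rank the responses.

Added illustration, not from the presentation or from ISACA's Risk IT model;
the scenarios, ratings, KRI readings, tolerances and the three response
categories are constructed assumptions.
"""
from dataclasses import dataclass

# Ordinal values behind the qualitative scale so scenarios can be ranked.
SCALE = {"low": 1, "medium": 2, "high": 3}

# Higher value = handled first when the register is prioritized.
RESPONSE_PRIORITY = {"mitigate": 2, "monitor": 1, "accept": 0}


@dataclass
class RiskScenario:
    name: str              # short scenario title
    likelihood: str        # low / medium / high
    impact: str            # low / medium / high
    business_impact: str   # business impact description kept in the register
    kri_name: str          # key risk indicator tracked for this scenario
    kri_value: float       # current reading of the indicator (constructed)
    kri_tolerance: float   # reading above which the KRI is out of tolerance

    def rating(self) -> int:
        """Likelihood times impact on the 1..9 ordinal scale."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def kri_breached(self) -> bool:
        """True when the indicator has crossed its tolerance."""
        return self.kri_value > self.kri_tolerance


def risk_response(scenario: RiskScenario) -> str:
    """Map a rating and KRI state to a response: a high rating or a breached
    KRI calls for mitigation, a middling rating is monitored, the rest accepted."""
    if scenario.rating() >= 6 or scenario.kri_breached():
        return "mitigate"
    if scenario.rating() >= 3:
        return "monitor"
    return "accept"


def prioritize(scenarios):
    """Return (name, response) pairs ordered by response urgency, then rating."""
    ordered = sorted(
        scenarios,
        key=lambda s: (RESPONSE_PRIORITY[risk_response(s)], s.rating()),
        reverse=True,
    )
    return [(s.name, risk_response(s)) for s in ordered]


# Constructed register built from the exposures the deck names.
REGISTER = [
    RiskScenario("Loss of personal data from the student records system",
                 "medium", "high",
                 "Breach notification under FERPA, reputational harm",
                 "open critical patch findings (count)", 12, 5),
    RiskScenario("Competitive research leaked to another university",
                 "low", "high",
                 "Loss of research lead and sponsor trust",
                 "privileged accounts without an owner (count)", 0, 3),
    RiskScenario("Campus network outage lasting seven days",
                 "low", "medium",
                 "Teaching, research and online courses interrupted",
                 "core links without redundancy (count)", 1, 0),
    RiskScenario("Late delivery of the ERP upgrade project",
                 "high", "low",
                 "Budget overrun and delayed financial reporting",
                 "schedule slip (weeks)", 2, 4),
]

if __name__ == "__main__":
    for name, response in prioritize(REGISTER):
        print(f"{response:8s} {name}")
```

Note how the KRI changes the outcome: the seven-day outage scenario rates only 2 on the ordinal scale, yet its indicator (a core link with no redundancy) is out of tolerance, so it is pulled up to "mitigate" ahead of higher-rated scenarios that are merely monitored. That is the point of pairing scenarios with indicators rather than rating them once a year.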
Potential Academic Exposures
• Loss of competitive research
• Opposition research from other universities
• Loss of personal data
IT-related Risk Evaluation
Technology risk is not limited to information security. It covers all IT-related risks, including:
• Late project delivery
• Not achieving enough value from IT
• Compliance (FERPA, PFIA, SOX) ??
• Misalignment of business responsibilities
• Obsolete or inflexible IT architecture
• IT service delivery problems
• Autonomy for research and teaching
Approach and Interviews
• Public and private universities
• U.S. and global
• Personal interviews with IT auditors and risk management officers
• On-site observance
Questions to ask…….
1. How do you determine the level of risk to the university administrative functions in the following areas:
   a. Network access
   b. Web applications
   c. Online email
2. What is the current IT infrastructure and the applications supporting major business processes (complete ISO levels if possible)? How frequently does this change? Who supports this infrastructure, i.e. do the departments support any of the teaching and research nodes?
3. External environment -- Do you outsource any of the IT services?
4. Regulatory environment -- Which compliance areas pose risk to the university?
Questions to ask……. (cont.)
5. What is the strategic importance of the technology network for the university?
6. What is the operational importance of the networks for the university? Could the university sustain a network outage of 7 days?
7. Do you have a risk management philosophy, process, and operating model?
8. Who manages Risk Governance (RG), Risk Evaluation (RE), and Risk Response (RR) for the university systems?
9. How are technology decisions made?
10. Does the university offer online courses for credit? How is that managed? What is the risk if the system is unavailable or if the system is breached?
11. How is the technology investment (money for function) managed? Is technology (cost and value) a component of the Board of Directors' meetings, risk and budget discussions?
12. What are the top five risk factors for the university?
Questions to ask……. (cont.)
13. What are the top five IT risk scenarios?
14. Does the university experience any of the following issues?
   a. Late project delivery
   b. Not achieving enough value from IT
   c. Compliance
   d. Misalignment
   e. Obsolete or inflexible IT architecture
   f. IT service delivery problems
15. How often do you evaluate sunset legacy systems?
16. Describe your information security protection program.
17. Data retention policy?
18. Consistency of patch management?
19. Does IT use standard builds?
20. To what extent do you rely on in-house applications?
21. How much do you rely on contractors?
22. Do you have global nationals working with sensitive data?
23. Data ownership……
Where do we generally fail?
◦ Impairing ability to "Publish or Perish"
◦ Burning bridges with research sponsors and partners
◦ Inadequate tenure track reviews
◦ Teaching and research effectiveness reviews
◦ Staff and faculty training
◦ Decentralized survey administration: integrity of results
◦ Not all school/department goals are met
◦ Academic vs. business resource allocation not evaluated
January 2009
Where do we commonly fail? (cont.)
• Failure to monitor service (business)
• Relinquishing control/oversight (business)
• Failure to review any outsource service providers' internal controls
• Failure to audit all critical areas (network security)
• Failure to routinely review providers' financial statements
• Failure to validate the destruction of confidential (proprietary, research, performance) data when no longer required
• Inadequate regulatory framework
• Business employees and faculty may not have the tools necessary to perform their duties effectively and efficiently?
Areas of Concern
• Ad-hoc access provision
• Too strict or too loose access
• Lack of or inadequate access policy
• Lack of integration with business processes
• Insufficient separation of duties
• Former employees or vendors with access
• Blurred network perimeter
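Several of the concerns listed above (ad-hoc provisioning, former employees or vendors who still hold access, and insufficient separation of duties) are the kind of thing a periodic access review should catch mechanically rather than by eyeballing a spreadsheet. The Python review below is an added illustration and not part of the presentation; the identity export, the HR roster, the review date and the "toxic" role pairs are all constructed sample data, and the field names (`approval`, `contract_end`, the role names) are assumptions rather than any real system's schema.

```python
"""Access review against the concerns listed above: ad-hoc provisioning
(no recorded approval), former employees or expired vendors still holding
access, and separation-of-duties conflicts.

Added illustration, not from the presentation; the account export, the HR
roster, the review date and the toxic role pairs are constructed sample data.
"""
from datetime import date

# Constructed export from an identity store: who holds which roles.
ACCOUNTS = [
    {"user": "jdoe",   "type": "staff",   "roles": {"ap_invoice_entry"},
     "approval": "CHG-1041"},
    {"user": "asmith", "type": "staff",   "roles": {"ap_invoice_entry", "ap_payment_release"},
     "approval": "CHG-1042"},
    {"user": "rlee",   "type": "faculty", "roles": {"grades_entry"},
     "approval": None},                       # provisioned ad hoc, no ticket
    {"user": "vend01", "type": "vendor",  "roles": {"erp_admin"},
     "approval": "CHG-0977", "contract_end": date(2009, 12, 31)},
    {"user": "mgone",  "type": "staff",   "roles": {"student_records_read"},
     "approval": "CHG-0850"},                 # left the university
]

# Constructed HR roster of active staff and faculty on the review date.
ACTIVE_PEOPLE = {"jdoe", "asmith", "rlee"}

# Role pairs one person should not hold together (constructed examples).
TOXIC_PAIRS = [
    ("ap_invoice_entry", "ap_payment_release"),
    ("grades_entry", "grades_audit"),
]

REVIEW_DATE = date(2010, 4, 1)


def review_access(accounts, active_people, toxic_pairs, today):
    """Return (user, finding) tuples for the access reviewer."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Ad-hoc provisioning: no approval reference on record.
        if acct.get("approval") is None:
            findings.append((user, "ad-hoc access: no recorded approval"))
        # Vendors are checked against their contract, everyone else against HR.
        if acct["type"] == "vendor":
            end = acct.get("contract_end")
            if end is not None and end < today:
                findings.append((user, f"vendor access past contract end {end.isoformat()}"))
        elif user not in active_people:
            findings.append((user, "former employee still has access"))
        # Separation of duties: flag any toxic pair held by the same account.
        for first, second in toxic_pairs:
            if first in acct["roles"] and second in acct["roles"]:
                findings.append((user, f"separation of duties: holds both {first} and {second}"))
    return findings


def run_review():
    """Run the review over the constructed data."""
    return review_access(ACCOUNTS, ACTIVE_PEOPLE, TOXIC_PAIRS, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user:8s} {finding}")
```

The review depends on two feeds the deck's questionnaire asks about: an authoritative HR roster (so "former employee" is decided by HR status, not by whether the account looks idle) and contract end dates for vendors and contractors. Without those feeds the vendor and leaver checks silently produce nothing, which is the "lack of integration with business processes" failure in practice.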
For Those Using Outsourced Services
Don't……
• Negotiate too hard for a least-cost scenario
• Misplace haste to get a contract in place
• Forget an exit strategy
• Fail to control legal compliance
• Fail to plan for a long-term strong relationship
• Negotiate and manage from an "Ivory Tower"
• Ignore performance details
In Conclusion: Guiding Principles of Risk IT
• Always connect to university system objectives
• Align the management of IT-related business risk with overall university risk management
• Balance the costs and benefits of managing risk
• Promote fair and open communication of IT risk
• Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels
• Understand that this is a continuous process and an important part of daily activities
Benefits and Outcomes
• Accurate view on current and near-future IT-related events
• End-to-end guidance on managing IT-related risks
• Understanding of the investments made in technology for business, research, and teaching
• Integration with the overall risk and compliance structures within the university
• Common language to help manage the relationships
• Promotion of risk ownership throughout the organization
For More Information:
• ISACA IT Risk Toolkit: www.isaca.org
• ISACA/ITGI Risk Model (see model file)
• OCEG Burgundy Book Executive Summary: www.oceg.org