Using Service Supportability for IT Risk Management Straightforward Enterprise Risk Identification for Diverse Organizations: A Case Study at the University of Colorado

Upload: chirag-joshi-cisa-cism-crisc

Post on 12-Apr-2017


Page 1: Using Service Supportability for Risk Management

Using Service Supportability for IT Risk Management

Straightforward Enterprise Risk Identification for Diverse Organizations: A Case Study at the University of Colorado

Page 2: Using Service Supportability for Risk Management

Introductions

• Chirag Joshi, M.S., CISA, CISM, CRISC, Assistant ISO and HIPAA Security Officer, [email protected] (https://www.cu.edu/ois)

• Jim Dillon, M.S., CISA, CISSP, Director of IT Audit, [email protected] (https://www.cu.edu/audit)

Page 3: Using Service Supportability for Risk Management

IT Service Supportability

• Portfolio Risk Conversation in Diverse Context

• Survey Matrix: Obtaining Portfolio Risk by “Commendable Practice” Assessment

• SUPPORTABILITY: “The attribute of a service domain reflecting reduced risk and operational stability due to the widespread deployment of commendable practices”

• Results Matrix: Visualizing Risk

• Outcome: Successes and Shortcomings

• Expanding Supportability: Supporting an ERM Framework

Page 4: Using Service Supportability for Risk Management

Portfolio Risk: Identification

Environment: Multiple Campuses, Many Providers, Many Diverse Services, Widely Distributed Responsibility

Problem 1: No Uniform IT Service Portfolio/ Catalog

Problem 2: Lacking Standard Risk Approach, Apples and Oranges

Problem 3: Complexity in Common Risk Approaches (Given Environment)

Page 5: Using Service Supportability for Risk Management

Portfolio Risk: Institutional View

• Objective: Strategic Alignment of Services

• Objective: Systemic Risk Identification – Critical and “Significant” Services

• Objective: Approachable Discussion – Reduce technical and risk-language complexity

• Objective: Data-Driven Discussion – Reduce reliance on anecdotal, instinctive, or occurrence-based risk identification

• Objective: SERVICE Risk Orientation – Business discussion, not “system” or “technology” discussion

Page 6: Using Service Supportability for Risk Management

Chirag Joshi - OIS 6

Building Blocks

• Consistency of definitions: Impact and Risk definitions, Common Security Standards, Data Classifications, Shared services

• Assurance process integration: Coordination between OIS, University Risk Management (URM), Legal, Internal Audit, Campus stakeholders

Page 7: Using Service Supportability for Risk Management


Data Classifications

• Highly Confidential
– Protected by law or contract
– Examples: Protected Health Information, credit card information, Social Security Numbers or associated personally identifiable information

• Confidential
– Could cause harm or embarrassment
– Data owner has a reasonable expectation that the data should not be disclosed
– Example: personnel information

• Public
– Example: directory information

Page 8: Using Service Supportability for Risk Management

Criticality and Impact

High: severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions

◦ Financial: direct or indirect monetary costs to the institution where liability must be transferred to an organization which is external to the campus, as the institution is unable to incur the assessed high end of the cost for the risk; this would include, e.g., use of an insurance carrier

◦ Reputation: the impact results in negative press coverage and/or major political pressure on institutional reputation on a national or international scale

◦ Safety: the impact places campus community members at imminent risk for injury

◦ Legal: the impact results in significant legal and/or regulatory compliance action against the institution or business.


Page 9: Using Service Supportability for Risk Management

Moderate: significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced

◦ Financial: direct or indirect monetary costs where liability is transferred to the campus as the business unit/school is unable to pay the assessed high end cost for the risk

◦ Reputation: impact results in negative press coverage and/or minor political pressure on institutional reputation on a local scale

◦ Safety: impact noticeably increases likelihood of injury to community member(s)

◦ Legal: impact results in comparatively lower but not insignificant legal and/or regulatory compliance action against the institution or business.


Page 10: Using Service Supportability for Risk Management

Low: degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced

◦ Financial: impact results in direct or indirect monetary costs to the institution where business unit/school can solely pay the assessed high end of the cost for the risk

◦ Reputation: impact has a nominal impact and/or negligible political pressure on institutional reputation on a local scale

◦ Safety: impact has nominal impact on safety of campus community members

◦ Legal: impact results in none or insignificant legal and/or regulatory compliance action against the institution or business.


Page 11: Using Service Supportability for Risk Management

Key Concepts

Risk Governance: Strategic business function that helps ensure that risk management activities align with the enterprise’s opportunity and loss capacity.

◦ Clarity of Roles and Responsibilities: Who should respond to a certain level of risk?

◦ Risk Appetite: The amount of risk that an entity is willing to accept in the pursuit of its mission

Key Risk Indicators (KRIs): Metrics capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the risk appetite

Risk Tolerance: The acceptable level of variation allowed for any particular risk as the enterprise pursues its business objectives


Page 12: Using Service Supportability for Risk Management

Survey Matrix

• Design: MS Excel to Ensure Accessibility

• Design: Categorize Services, Capture Service Level, Criticality, Data Classification

• Design: Cover the OSI Model but Simplify
– 3+1 areas = 7+1 OSI Model plus personnel
– Infrastructure, Network/Communication, Application, Personnel

• Design: Utilize 6 or 7 “Best Practice” Guidelines Per Area
– Identify sub-optimal practice as increased risk

• Design: Simple Judgment
– High, Medium, Low, Unknown, and Managed
– Characterize each rating to support consistent reporting
– Treat unknown as “High Risk”
– Identify vendor, cloud, and other “managed” services

Page 13: Using Service Supportability for Risk Management

Survey Matrix: Simplicity

Drop Downs

Page 14: Using Service Supportability for Risk Management

Survey Matrix: Linkage

Link to Policy

Simple SLA

Page 15: Using Service Supportability for Risk Management

Survey Matrix: Key Data

• Infrastructure
• Networking/Communications
• Application, and
• Personnel (Skills, Availability)

• Consider the entire service stack

• Managed Solution, Supportable, Partially Supportable, Not Supportable, Unknown

• “Service” conclusion

Page 16: Using Service Supportability for Risk Management

Survey Matrix: Definitions (Thank You Paragon Audit and Consulting)

Supportable:

• Version is up-to-date and patched

Partially Supportable:

• Version is supported by vendor but may not be latest version…

Not Supportable

• Version is no longer supported by vendor

Page 17: Using Service Supportability for Risk Management

Results Matrix

• Combine All Survey Matrix Submissions

• Create Catalog By Service Type
– Manual service duplication investigation

• Demonstrate Risk Inflection Points
– Central IT, other IT, combined
– Eventually entire institution
– Utilize graphs for visualization

• Report Using Service Types, Criticality, Availability, etc.
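As an added worked example (not code from the deck or from the University of Colorado's own spreadsheet), the survey-matrix ratings of slides 12 and 15 are rolled up into a service conclusion and then summarised by criticality the way the results matrix of slide 17 describes. The weakest-area roll-up rule, the conclusion labels as used here and the sample services are assumptions; "Unknown" is ranked as High risk, as slide 12 instructs.

```python
from collections import defaultdict

# Survey-matrix vocabulary from the deck: four stack areas and five drop-down ratings.
AREAS = ("Infrastructure", "Network/Communication", "Application", "Personnel")
RANK = {"Managed": 0, "Low": 1, "Medium": 2, "High": 3, "Unknown": 3}  # Unknown = High
HIGH_RISK = ("Not Supportable", "Unknown")  # conclusions the results view counts as High

def service_conclusion(stack):
    """Roll one service's per-area ratings into the deck's service-level conclusion.
    Assumption (not stated on the slides): the weakest stack area decides, which is
    how "consider the entire service stack" is read here."""
    ratings = [stack[a] for a in AREAS]          # KeyError if a surveyed area is missing
    unexpected = [r for r in ratings if r not in RANK]
    if unexpected:
        raise ValueError(f"unexpected rating(s): {unexpected}")
    if all(r == "Managed" for r in ratings):
        return "Managed Solution"                 # vendor/cloud service, handled separately
    worst = max(RANK[r] for r in ratings)
    if worst == 3:                                # Unknown stays visible but ranks as High
        return "Not Supportable" if "High" in ratings else "Unknown"
    return {1: "Supportable", 2: "Partially Supportable"}[worst]

def results_by_criticality(catalog):
    """Results-matrix view: per criticality tier, count each conclusion and the share
    of services carrying High risk; a large share in the High tier is an inflection point."""
    tiers = {}
    for svc in catalog:
        tier = tiers.setdefault(svc["criticality"],
                                {"total": 0, "high_risk": 0, "conclusions": defaultdict(int)})
        conclusion = service_conclusion(svc["stack"])
        tier["total"] += 1
        tier["conclusions"][conclusion] += 1
        if conclusion in HIGH_RISK:
            tier["high_risk"] += 1
    for tier in tiers.values():
        tier["high_risk_pct"] = round(100 * tier["high_risk"] / tier["total"])
        tier["conclusions"] = dict(tier["conclusions"])
    return tiers

def rate(infra, net, app, people):  # one survey row from the four area drop-downs
    return dict(zip(AREAS, (infra, net, app, people)))

# Constructed sample submissions, not real University of Colorado survey data.
CATALOG = [
    {"service": "Campus email", "criticality": "High", "stack": rate("Low", "Low", "Low", "Medium")},
    {"service": "Hosted LMS", "criticality": "High", "stack": rate("Managed", "Managed", "Managed", "Managed")},
    {"service": "Dept web app", "criticality": "Moderate", "stack": rate("Low", "Low", "High", "Unknown")},
    {"service": "Lab file share", "criticality": "Low", "stack": rate("Unknown", "Low", "Low", "Low")},
]
```

Calling `results_by_criticality(CATALOG)` gives the per-tier counts that the deck's "by criticality" graphs plot; a missing area or a rating outside the drop-down vocabulary raises instead of silently lowering the risk.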

Page 18: Using Service Supportability for Risk Management

Results: Catalog

Page 19: Using Service Supportability for Risk Management

Results: By Service Type

Visual Cues

Area and Stack Component

Page 20: Using Service Supportability for Risk Management

Results: By Criticality

Staffing for High Criticality

Infrastructure Stable

Page 21: Using Service Supportability for Risk Management

Results: By Availability

Apps and Support Challenged

Page 22: Using Service Supportability for Risk Management

Results: By # Users

Small Shops Struggle With High User #

Page 23: Using Service Supportability for Risk Management

Results: Other

• Provided Analysis/Observations of Systemic Issues

• Also Included Results by:
– User type (Fac, Admin, Rsch, Stu)
– Definable parameters
– Data Risk (Rest, Motion, Privacy)
– All Service Provider Data and Combined Data

Delivered

Page 24: Using Service Supportability for Risk Management

Outcome: Successes

• All Campuses Continuing Practice, Catalog Expansion

• Systemic Conditions Highlighted for Action

• Some Critical/Significant Services Being Absorbed into Central IT

• Duplicate Services Under Discussion (e.g. Desktop Support, VM Services)

• Security and Recovery Risks Being Investigated

• Practice Expansion for Enterprise Risk Identification Being Tested

• Combination of All Campuses’ Data, Institutional Reporting TBD

Page 25: Using Service Supportability for Risk Management

Outcome: Challenges

• Methodology for Vendor/Cloud Services

• Interpretation: Variation Based on Service Provider Size, Maturity

• Identifying Root Cause – Work TBD

• Need for Consistency in Definitions, Measures
– Optimistic smaller service providers
– Smaller providers less diligent considering the “stack”, depending on external services
– Still depends on subjective judgment (performance, SLA not standardized, completeness?)

• Matrix Still A Manual Effort

• Not the Complete Risk Picture

Page 26: Using Service Supportability for Risk Management


Risk Management Framework

Page 27: Using Service Supportability for Risk Management


Risk Management Framework

Page 28: Using Service Supportability for Risk Management


Risk Management Framework

Page 29: Using Service Supportability for Risk Management


Risk Management Framework

Page 30: Using Service Supportability for Risk Management

Expanding Supportability: ERM Framework

Financial · Customer · Internal Processes/Operations · Learning and Innovation

Based on Balanced Scorecard, COSO and COBIT

Financial and Legal | Customers | Internal Processes and Operations | Learning and Innovation
2-Partially Supportable | 2-Partially Supportable | 3-Supportable | 3-Supportable

Page 31: Using Service Supportability for Risk Management

Financial and Legal

• Financial resources are sufficient to maintain service at an expected level beyond the next fiscal year

• The investments and resources allocated to the service are based on formal business cases that take into account stakeholder expectations, cost and benefits and set specific objectives

• The service complies with applicable laws and regulations in a formal documented manner

Page 32: Using Service Supportability for Risk Management

Customer

• Business continuity plans are documented, implemented, tested and monitored in a formal manner.

• Problem and incident management processes are documented, implemented, tested and monitored in a formal manner.

• Customer satisfaction with the service is actively obtained, reviewed and monitored in a consistent and measurable manner

Page 33: Using Service Supportability for Risk Management

Internal Processes and Operations

• Service is optimized (documented, monitored and improved) to be delivered consistently on time and within budget (not relying on any external funds).

• The service complies with university policies and standards in a formal documented manner

• Change management processes are documented, implemented and monitored in a formal manner

Page 34: Using Service Supportability for Risk Management

Learning and Innovation

• Personnel supporting the service are adequate, have the required skills and complete the required training for the roles

• Process exists to improve services through innovative ideas based on interaction with industry leaders, peers, customers, and benchmarking

Page 35: Using Service Supportability for Risk Management

ERM Steps

• Pilot Projects

• Campus-wide Policy

• Roles and Responsibilities

• Project Implementation

• Training

Page 36: Using Service Supportability for Risk Management

Questions?

THANK YOU!