Published on January 15, 2009
Slide 1: Strategy for Managing Information Technology (IT) Risks in Higher Education
Praveen Panchal, CIO, John Jay College of Criminal Justice

Slide 2: What is IT risk?
- Risk is any event that would negatively impact an institution's ability to meet its stated mission.
- An IT risk is a failure in any aspect of the IT environment that causes exposure to loss for the institution, for example:
  - Failure of network services causing a loss of productivity
  - Failure to keep student, faculty and staff data private, leading to legal liability
  - Reputation damage caused by identity theft
  - Revenue losses stemming from non-functioning ERP systems
  - Computer hacking due to malicious activities, such as distributed denial-of-service (DDoS) attacks

Slide 3: Why manage risks? ...Because
- Natural disasters
- Terrorism
- Data breach and identity theft
- ...and others

Slide 4: Risk Categories
- Strategic risk: long-term threats that may impact the institution's ability to meet its goals and objectives (e.g. failure to take advantage of possibilities, changes in the delivery of teaching, impact of technology, keeping up with changing technologies, etc.)
- Operational risk: risk of error or fraud within manual or systems environments (e.g. information accuracy, information accessibility and confidentiality, data integrity and security, hardware reliability and obsolescence, software licensing, communication infrastructure reliability and capacity, system connectivity and compatibility, disaster recovery and business continuity, backup and retrieval, physical security, environmental controls, web page control and content management, and equipment maintenance)

Slide 5: Risk Categories (continued)
- Financial risk: any threat involving the potential loss of tangible assets, investments or revenue
- Legal risk: relates to compliance with laws and regulations as well as with local ordinances (e.g. externally imposed laws and regulations, and internal policies and procedures)
- Reputational risk: involves external perception and its effects on the institution's reputation, its brand, or both (this risk may result from an institution's failure to effectively manage any or all of the other risk types)

Slide 6: Risk Management Process
- Risk Assessment: identifying and evaluating risks and their impacts
- Risk Mitigation: prioritizing, implementing, and maintaining the appropriate risk-reducing measures
- Continuous Evaluation: ongoing evaluation and assessment of the risk management processes

Slide 7: IT Risk Assessment
- Asset Assessment – What are you safeguarding?
- Threat Assessment – What undesirable events could take place?
- Vulnerability Assessment – What are your deficiencies and limitations?
- Impact Assessment – What happens if security measures fail?
- Risk Analysis – What does it all add up to?

Slide 8: Asset Assessment
- Hardware and software
- System interfaces (e.g. internal and external connectivity)
- Data and information
- Persons who support and use the IT system
- System mission (e.g. the processes performed by the IT system)
- System and data criticality (e.g. the system's value or importance to the institution)
- System and data sensitivity (the level of protection required to maintain system and data integrity, confidentiality, and availability)

Slide 9: Asset Categories
- Critical – loss of the asset's function would result in the institution ceasing to function as a "business" entity
- Essential – loss of the asset's function would cripple the institution's capacity to function, but it could survive for a week or so without it
- Normal – loss of the asset would cause some inconvenience

Slide 10: Threat Assessment
- Natural threats – floods, wildfires, earthquakes, tornadoes, hurricanes, landslides, avalanches, electrical storms, and other such events
- Human threats – events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry error or shutdown of a server) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential data, sabotage, hacking, cracking, computer viruses, etc.)
- Environmental threats – events such as long-term power outage, hardware failure, pollution, chemical hazard, liquid leakage, air conditioner failure, etc.

Slide 11: Vulnerability Assessment
- A vulnerability is an inadequacy or flaw in system security design, procedures, implementation, configuration, or internal controls that could be exploited (intentionally or unintentionally) and would result in a security breach or a violation of the system's security policy.
- Vulnerability assessment determines how vulnerable institutional assets are to the identified threats.
- The IT risk manager should identify and characterize vulnerabilities related to specific assets or undesirable events, and look for exploitable situations created by inappropriate design, deficient or missing security procedures, inadequate equipment, lacking security measures, or suspicious personal behavior.
- Methods for identifying system vulnerabilities: use of vulnerability sources, system security testing, and development of a security requirements checklist.

Slide 12: Impact Assessment
- Potential adverse impact of loss from a successful attack or an undesirable event
- What would be the consequences if a particular asset were lost, damaged, or destroyed, and if the institution were temporarily prevented from carrying out its day-to-day functions or its ability to perform those functions were severely weakened?
- Prioritize the impact levels associated with the compromise of the institution's IT assets
- Categorize and quantify the risk from the threat at hand

Slide 13: Risk Analysis
- The earlier assessments (Asset, Threat, Vulnerability, and Impact) are combined and evaluated to see how they interact, arriving at a level of risk for each asset.
- A risk analysis worksheet is extremely helpful in aligning all of this information into a readable and easily understood format that summarizes the previously collected information.
- Using the risk analysis worksheet as a guide, the IT risk manager should review all of the important factors associated with a single asset.
- The manager can then make an informed decision about the major risks, and about which of these risks require immediate attention.

Slide 14: IT Risk Mitigation: Options
- Risk assumption – accept the potential risk and implement measures to lower the risk to an acceptable level
- Risk limitation – take action to lower the probability of occurrence and the consequences by implementing measures that minimize the impact of a threat exploiting a vulnerability (e.g. improve the process, perform inspections, install monitoring systems, add system redundancy)
- Risk planning – develop a risk mitigation plan to transform the current process and eliminate the likelihood of a particular risk (e.g. redesign the process or adopt a different technology)
- Risk avoidance – abandon the process, forgo certain functions, or shut down the system when the likelihood of occurrence or the adverse impact of a particular risk is high
- Risk transference – use options such as purchasing insurance to compensate for the loss

Slide 15: Effective Risk Mitigation
- Prioritize actions – give top priority to risks with an unacceptably high risk ranking that require immediate corrective action
- Evaluate recommended countermeasures – select the most appropriate safeguard that is feasible (e.g. compatible, acceptable) and effective (e.g. degree of protection, level of risk mitigation) for minimizing risk
- Conduct cost-benefit analysis – recommend cost-effective safeguards that senior management can justify
- Select appropriate safeguards – select safeguards with appropriate technical, operational, and management control elements to ensure adequate security for the system and the institution
- Assign responsibility – make personnel (internal or external) with the appropriate expertise and skill sets responsible for implementation
- Develop a safeguard implementation plan – the plan prioritizes the implementation actions and projects the start and completion dates, which aids and expedites the risk mitigation process
- Implement the selected safeguards – depending on individual circumstances, the safeguards selected may lower the risk level but may not eliminate it

Slide 16: Risk Management Success Factors
- Attain senior leadership's commitment and support
- Integrate IT risk management into institutional goals and objectives
- Promote a risk management culture at all levels
- Get user buy-in, cooperation, and involvement
- Organize training and awareness programs for all key stakeholders
- Effectively communicate the risk management program to constituents
- Seek full participation and support of IT staff
- Create a competent risk assessment team to analyze risks and apply safeguards
- Perform regular vigilance, appraisal, and assessment

Slide 17: Continuous Evaluation
- Evaluate networks, systems, and processes for hardware components, configuration changes, and software updates
- Keep yourself informed of personnel changes
- Update policies and procedures regularly
- Keep track of vendors and their offerings
- Keep abreast of facilities and other resources
- Repeat and revisit

Slide 18: Conclusion
- Effective IT risk management requires strong support and involvement from senior leadership
- Employ the concept of a dedicated risk management team
- Implement policies and procedures for better accountability
- Treat IT risks as an integral part of institutional risk management, aligned with the institutional mission and culture
- Effective IT risk management requires a comprehensive approach
- Take an enterprise view of risk management rather than focusing on a single area
- IT risk managers should categorize, quantify, and control IT risks through assessment of assets, threats, vulnerabilities, and safeguards, and through continuous evaluation

Slide 19: Questions?
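The risk analysis worksheet of slide 13, which combines the asset, threat, vulnerability and impact assessments into one risk level per asset, and the prioritization step of slide 15, as an added Python example that is not from the deck. The asset weights, the 1 to 3 rating scales, the immediate-action threshold and the sample rows are constructed assumptions; the presentation itself gives no numbers.

```python
"""Risk analysis worksheet (constructed example): combines the deck's four
assessments into a single risk score per asset and ranks the rows so the
ones needing immediate corrective action come first."""
from dataclasses import dataclass

# Assumed weights for the deck's asset categories (slide 9); not from the deck.
ASSET_WEIGHT = {"Critical": 3, "Essential": 2, "Normal": 1}
# Assumed cut-off: scores at or above this are "unacceptably high" (slide 15).
IMMEDIATE_THRESHOLD = 30


@dataclass
class WorksheetRow:
    asset: str
    category: str        # Critical / Essential / Normal
    threat: str          # undesirable event from the threat assessment
    likelihood: int      # 1 (rare) .. 3 (likely), assumed scale
    vulnerability: int   # 1 (well controlled) .. 3 (readily exploitable), assumed scale
    impact: int          # 1 (inconvenience) .. 3 (institution stops functioning), assumed scale

    def score(self) -> int:
        """Risk level = asset weight x likelihood x vulnerability x impact (max 81)."""
        if self.category not in ASSET_WEIGHT:
            raise ValueError(f"unknown asset category: {self.category}")
        for rating in (self.likelihood, self.vulnerability, self.impact):
            if not 1 <= rating <= 3:
                raise ValueError("ratings must be between 1 and 3")
        return ASSET_WEIGHT[self.category] * self.likelihood * self.vulnerability * self.impact


def rank_risks(rows):
    """Return (row, score, needs_immediate_action) tuples, highest risk first."""
    scored = sorted(((r.score(), r) for r in rows), key=lambda t: t[0], reverse=True)
    return [(r, s, s >= IMMEDIATE_THRESHOLD) for s, r in scored]


# Constructed rows built from the IT risk examples on slide 2.
SAMPLE_ROWS = [
    WorksheetRow("Student records database", "Critical", "Unauthorized access to confidential data", 2, 3, 3),
    WorksheetRow("ERP system", "Critical", "Hardware failure", 2, 2, 3),
    WorksheetRow("Campus network", "Essential", "Distributed denial-of-service attack", 2, 2, 3),
    WorksheetRow("Departmental web pages", "Normal", "Content management error", 3, 2, 1),
]

if __name__ == "__main__":
    for row, score, urgent in rank_risks(SAMPLE_ROWS):
        print(f"{score:3d} {'IMMEDIATE' if urgent else 'scheduled':9s} {row.asset}: {row.threat}")
```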
Source: http://media.centerdigitaled.com/CenterEvents/Presentations/cuny_2008_-_managing_info_tech_risks.ppt (PPT, 5086 KB)