7/27/2019 IT Risk Assessment: Two Universities Share Their Methodologies (175075067)
http://slidepdf.com/reader/full/it-risk-assessment-two-universities-share-their-methodologies-175075067 1/58
IT Risk Assessment: Two Universities Share Their Methodologies
Nadine Stern, Associate CIO for Operations and Planning
Paul W Jeffreys, Director of IT Risk Management
Introduction
Objectives of Session:
• Overview the management of IT risk
• Compare and contrast how Princeton and Oxford universities manage IT risk
• Review experiences from other universities, based on the EDUCAUSE review
• Understand how risks should be managed, within an IT risk management framework
• Sprinkle in the EDUCAUSE top-ten IT issues to serve as a reference point
• Poll session attendees to appraise strategic risk entries
IT Risk Management Overview
• IT risk management: identifies, assesses and responds to IT risks
 – … threat (should be) measured against IT objectives
• Technology now permeates: L&T, research, administration
 – … so an IT risk is a threat to institutional objectives
 – … becoming increasingly important
• IT risk management helps to:
 – Strengthen alignment between IT and institutional strategy
 – Identify IT priorities and connect with IT Strategic Plan
 – Influence capital investment
 – Direct resource allocation to meet users’ requirements
• However, not all institutions have formal initiatives
 – ECAR 2013 IT Risk Management poll*: first plot from poll showing adoption of methodology:
ECAR Risk Management Poll*
EDUCAUSE Top 10 Issues
• To help inform risk management practices at our institutions, we have used the EDUCAUSE Top 10 IT Issues (2013)* as a guide
• Cross-referencing provides a worthwhile external comparison to add assurance that an institution has identified a full set of strategic IT threats
• Comparison shown later, and will be used to undertake our attendee poll to give a full strategic risk appraisal
Princeton and Oxford Approaches
• Princeton:
 – Aiming to align its IT Risk Assessment with institutional Executive Risk Assessment
 – Not interested in using an industry standard
 – Committed to input and buy-in from IT leadership and contributors
 – IT Risk assessment in distributed responsibility model
• Oxford:
 – Follows ISO31000 / M_o_R standard
 – Three ‘perspectives’: Strategic / Project / Operational
 – Assess risks against departmental objectives as objectively as possible
 – Bottom-up (workshops) and top-down (senior management)
 – Well developed process to mitigate risks
 – Beginning to show benefits from programme
IT Risk Assessment at Princeton University
About me:
• VP for IT and Enrollment Services at The College of New Jersey for 15 years
 – About 60 IT staff; about 65 Enrollment Services staff
• Associate CIO in the Office of Information Technology at Princeton since April 2011
 – 280 central OIT staff
 – About 150 departmental IT staff
 – My department: IT Security Officer, Budget and Finance, Organizational Effectiveness, Technology Consulting, Contract Management, Strategic Planning, Associate CIO role
What I found at Princeton
• My role includes liaison to Office of Audit and Compliance
• Office of Audit and Compliance – relatively new IT Audit function
• Yearly audits but no overall risk assessment methodology
• OIT has decentralized Information Security organization and planning
Evolution of IT Risk Assessment
• University had conducted a University Risk Assessment in 2009
 – Information Security identified as one of the Risk Areas, but not well defined
• OAC interested in creating their audit universe
• OIT needing to have a plan around Information Security initiatives
 – Need to develop a mechanism for yearly updates
Risk Matrix
• OAC gave first pass to create an IT Risk matrix
• I organized it differently; added sections of Policy, Campus Awareness and Compliance, Industry Trends, Educause Top 10 Issues
• Spoke to Paul Jeffreys, Oxford University
Ranking Risk
IT Risk Factors
• Availability – Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system. Systems and critical information are available when needed in order to maintain the organization's critical operations and processes. Includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.
• Integrity – Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information. Data used for making management decisions, recording information, and reporting financial activity is accurate, complete, and reliable.
• Confidentiality – Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information. The right to view or manipulate data is carefully granted and monitored to prevent the mishandling of data. Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception.
• Compliance – Compliance with regulations, contracts, and policies and procedures
Likelihood Scale
 3 – High probability that identified risk will occur.
 2 – Medium probability that identified risk will occur.
 1 – Low probability that identified risk will occur.
Impact Scale
 3 – Potential significant impact to the University's mission, stewardship of assets, reputation, or stakeholders.
 2 – Potential significant impact to the risk area but moderate to the University's mission, stewardship of assets, reputation, or stakeholders.
 1 – Potential impact on the University is minor or limited in scope.
Financial Impact
 3 – Potential financial impact > $XXX
 2 – Potential financial impact > $YYY but less than $XXX
 1 – Potential financial impact $ZZZ or less
IT RISK FACTORS
Columns: Risk Area/Universe; then Likelihood and Impact for each of Financial Impact, Availability, Integrity, Confidentiality / Access, Compliance
IT Policy and Governance
 1 University-level Policies
 2 Department level Policies
 3 Data Classification
 4 Education and Communication
IT General Controls / "Computer Operations"
 5 Change and Patch Management
  – Change and Patch Management - Network
  – Change and Patch Management - Desktop / Anti-Virus
  – Change and Patch Management - UNIX
  – Change and Patch Management - Linux
  – Change and Patch Management - Windows
  – Change and Patch Management - Business
  – Change and Patch Management - Database
  – Change and Patch Management - Business Applications
  – Change and Patch Management - Hardware / Software
IT RISK FACTORS
Columns: Risk Area/Universe; then Likelihood and Impact for each of Financial Impact, Availability, Integrity, Confidentiality / Reliability, Compliance
 6 Backup, Recovery, and Retention
  – Backup, Recovery, and Retention - Network
  – Backup, Recovery, and Retention - UNIX
  – Backup, Recovery, and Retention - Linux
  – Backup, Recovery, and Retention - Windows
  – Backup, Recovery, and Retention - Databases
  – Backup, Recovery, and Retention - Business
  – Backup, Recovery, and Retention - Desktop / Laptop
 7 Identity and Access Management / Logical Security / Security
  – Network
  – UNIX
  – Linux
  – Windows
  – Databases
  – Business Applications
IT RISK FACTORS
Columns: Risk Area/Universe; then Likelihood and Impact for each of Financial Impact, Availability, Integrity, Confidentiality / Reliability, Compliance
 8 Security Logging and Monitoring
  – Security Logging and Monitoring – Network
  – Security Logging and Monitoring – UNIX
  – Security Logging and Monitoring – Linux
  – Security Logging and Monitoring – Windows
  – Security Logging and Monitoring – Databases
  – Security Logging and Monitoring – Business
 9 Systems Administration/Support/Monitoring
  – Network
  – UNIX
  – Linux
  – Windows
  – Databases
  – Desktop/Laptop
IT RISK FACTORS
Columns: Risk Area/Universe; then Likelihood and Impact for each of Financial Impact, Availability, Integrity, Confidentiality / Reliability, Compliance
 10 “Data Center Operations” – Job Scheduling
  – Network
  – UNIX
  – Linux
  – Windows
  – Database
  – Business Applications
 11 Configuration Management
  – Network
  – UNIX
  – Linux
  – Windows
  – Database
  – Application
  – Desktop/Laptop
IT RISK FACTORS
Columns: Risk Area/Universe; then Likelihood and Impact for each of Financial Impact, Availability, Integrity, Confidentiality / Reliability, Compliance
2012 Educause Top Ten IT Issues
 E1 Updating IT professionals' skills and roles to …
 E2 Supporting the trends toward IT consumerization and …
 E3 Developing an institution-wide cloud strategy
 E4 Improving the institution's operational efficiency …
 E5 Integrating information technology into institutional …
 E6 Using analytics to support critical institutional …
 E7 Funding information technology strategically
 E8 Transforming the institution's business with …
 E9 Supporting the research mission through high-…
 E10 Establishing and implementing IT governance …
 F IPv6
 G Cybersecurity
 H Protection/Security of Research Data
Business Unit interviews
IT Risk Categories:
• University and Department Policies
• Education and Training
• Laws, Regulations, Compliance
• Privacy, Confidentiality, Data Classification
• Specific IPP Projects
• Emerging Technologies: Cloud computing, Social Media, Mobility
• Constituent-specific concerns (students, faculty, staff)
• Missed Opportunities
1st year results
• Less than popular with OIT
• We realized it was too granular, and did not really reflect priority of risk which would lead to security initiative selection and prioritization
• Continued to seek other resources from other peer institutions, Educause
Maturation
• Read many articles on risk from various sources: NIST, Educause, Coursera course
 – Gartner: good resources for assessing security program, concepts of risk assessment: but no templates
 – IBM: mostly around penetration testing
• New CIO/VP for IT
• Realization that Audit will only focus on IT General Controls
• Discussions with our Internal Audit group and EVP responsible for Enterprise Risk Management
• Clarification that we need to use the University Risk Map to “INFORM” our yearly process
Developing Princeton’s IT Risk Map
Next steps for Princeton
• Close work with our ERMC (Executive Risk Management Committee) efforts
• Refine Matrix approach
 – Add feedback loop from incident evaluations
 – Periodic updating incorporating industry trends and University’s enterprise risk assessment process
 – Creating new CISO position to focus on Risk Assessment, Security Strategy, Outreach, Business Continuity
IT Risk Assessment at University of Oxford
Professor Paul W Jeffreys, Director of IT Risk Management
IT Risk Management Framework
• Office of Government Commerce: Management_of_Risk*
 – Uses International standard: ISO31000:2009
 – Same standard adopted by University*
• Definition of risk (OGC):
 – “An uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives.
 – A risk is measured by the combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives.”
• M_o_R Steps:
 – Identify key strategic risks that would prevent the achievement of objectives;
 – Assign ownership;
 – Evaluate significance of each risk (classify);
 – Identify suitable responses to each risk;
 – Ensure internal control system manages the risk;
 – Regular review
Organizational Perspectives
• Strategic: long-term / beyond department
• Project: medium-term / bring about business change
• Operational: short-term / ensure on-going continuity of business services
Define Risk Syntax and Risk Register Structure
• Syntax used to describe risk:
 – If - we do not ensure that IT Services' information assets are managed correctly and securely - then - there is a possibility of information loss and corruption AND major security breach - resulting in a risk of - damage to reputation of department and University, possible criminal or civil proceedings, and loss or corruption of information
• Risk Register (managed in SharePoint)
 – Risk identifier, Classification (Perspective), Risk description (using syntax), Risk probability, Risk Impact, Risk Response, Owner, Actionees, …
• Focus on Strategic perspective here…
 – ‘That which is not within scope of IT Services to mitigate’
Assessment of (Strategic) Risk
• Goal: prioritize individual risks so that it is clear which risks are most important for IT Services
 – Must measure against organizational objectives
 – Measure as objectively as possible
• Measure using two parameters:
 – Impact: estimated effect of a particular threat occurring
 – Probability: estimated chance of it actually occurring against the impact specified (within the period of the activity)
• Reproducibility
 – Requires definition of terms
 – Impact measured by: reputation, timing, financial, availability
• Overall Risk Assessment
 – Not linear combination of impact and probability
1. Impact (Reputation and Outputs)
Strategic - Reputation & Outputs – impact of threats on image, standing and output quality
Measure: Publicity and media interest generated / effect upon rankings
 Critical – EITHER sustained or ongoing negative national media publicity OR a negative change across all national or international HE sector rankings
 Major – EITHER one-off negative national, or ongoing local, media publicity OR a negative change across the majority of national or international HE sector rankings
 Moderate – EITHER negative media publicity likely, but avoidable or controllable with management OR a negative view of IT Services at Council level
 Minor – Negative publicity limited to within IT Services
 Insignificant – Negative publicity limited to within part of IT Services
2. Impact (Timing)
Strategic - Timing – impact of threats on slipping timescales
Measure: Escalation of compliance issues, including legal matters
 Critical – EITHER delays in significant governance issues or decision-making processes exceeding 24 months OR the matter is brought to Council OR break in service for more than a week
 Major – EITHER delays in significant governance issues or decision-making processes of 12 to 24 months OR the matter is brought to the Capital Steering Group OR break in key service for greater than a day
 Moderate – EITHER delays in significant governance issues or decision-making processes of 6 to 12 months OR the matter is brought to the IT Committee OR break in key IT service for greater than two hours
 Minor – EITHER delays in significant governance issues or decision-making processes of 3 to 6 months OR the matter is brought to the IT Services Executive Management Team OR break in key service for greater than 15 minutes
 Insignificant – EITHER delays in significant governance issues or decision-making processes of up to 3 months OR complaint limited to within IT Services’ processes OR break in service for greater than two minutes
3. Impact (Finances and Funding)
Strategic - Finances & Funding – impact of threats on sustainability, funding and financial control
Measure: Financial scale of effect
 Critical – Financial loss or impact exceeding £1m
 Major – EITHER financial loss or impact of £100k to £1m OR negative effect on financial controls in general
 Moderate – EITHER financial loss or impact of £20k to £100k OR negative effect on financial controls in more than one area for up to six months OR ongoing negative effect on financial controls in one area
 Minor – EITHER financial loss or impact of £1k to £20k OR negative effect on financial controls in one area for up to six months
 Insignificant – Financial loss or impact up to £1k and no lasting negative effect on financial controls
4. Impact (Availability and user Impact)
Strategic - Availability and User Impact – impact of threats on availability of services and user experience
Measure: Availability and user experience
 Critical – The majority or whole of the University is negatively affected for a period of longer than one month
 Major – The majority or whole of University, or IT Services' capability in general, is negatively affected for a period of up to one month
 Moderate – EITHER individuals or a small number of teams are affected on an on-going basis OR IT Services' capability for the University is negatively affected for a period of up to one day
 Minor – EITHER individuals or a small number of teams are affected on an on-going basis OR IT Services' capability for the University is negatively affected for a period of up to one day
 Insignificant – Individuals or single teams only are negatively affected and IT Services' capability in general is not affected
Probability or Likelihood
• Consistent with University approach
Likelihood – Frequency – Monthly Probability
 Very High – Very likely: is considered to have a chance of occurring every month – Up to 100%
 High – Probable: is considered to have a chance of occurring once within the next two months, or up to six times a year – Up to 50%
 Moderate – Possible: is considered to have a chance of occurring once within the next six months, or up to twice a year – Up to 16.7%
 Low – Unlikely: is considered to have a chance of occurring once within the next year, or up to twice in two years – Up to 8.3%
 Very Low – Exceptional: is considered to have a chance of occurring once within the next two years – Up to 4.2%
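As an added worked example (not code from the presentation or from either university), the following Python encodes the Oxford scales above: the financial and timing impact bands, the monthly-probability derivation behind the likelihood table (one expected occurrence every N months gives 1/N per month, which reproduces the 100% / 50% / 16.7% / 8.3% / 4.2% column), the 'If - then - resulting in a risk of' register syntax from the earlier slide, and the risk's position on the 5 x 5 heat-map axes. It assumes that the overall impact is the worst level across the measures assessed and that a value exactly on a band boundary falls in the lower band; the deck's non-linear classification score is not reproduced.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Impact levels, numbered as on the heat-map vertical axis."""
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    CRITICAL = 5


class Likelihood(IntEnum):
    """Likelihood levels, numbered as on the heat-map horizontal axis."""
    VERY_LOW = 1
    LOW = 2
    MODERATE = 3
    HIGH = 4
    VERY_HIGH = 5


def financial_impact(loss_gbp):
    """Finances & Funding scale. A figure exactly on a band boundary
    (e.g. 1,000,000) goes into the lower band (assumption)."""
    if loss_gbp > 1_000_000:
        return Impact.CRITICAL
    if loss_gbp > 100_000:
        return Impact.MAJOR
    if loss_gbp > 20_000:
        return Impact.MODERATE
    if loss_gbp > 1_000:
        return Impact.MINOR
    return Impact.INSIGNIFICANT


def outage_impact(outage_minutes):
    """Timing scale, 'break in (key) service' criterion only."""
    if outage_minutes > 7 * 24 * 60:   # more than a week
        return Impact.CRITICAL
    if outage_minutes > 24 * 60:       # more than a day
        return Impact.MAJOR
    if outage_minutes > 2 * 60:        # more than two hours
        return Impact.MODERATE
    if outage_minutes > 15:            # more than 15 minutes
        return Impact.MINOR
    # The table bottoms out at 'greater than two minutes'; anything shorter
    # is treated as Insignificant here (assumption).
    return Impact.INSIGNIFICANT


def monthly_probability(months_between_occurrences):
    """One expected occurrence every N months gives 1/N per month: every
    month 100%, every 2 months 50%, every 6 months 16.7%, yearly 8.3%,
    every 2 years 4.2%. Capped at 1.0 for anything more frequent."""
    return min(1.0, 1.0 / months_between_occurrences)


def likelihood_level(monthly_p):
    """Band a monthly probability using the table's 'Up to ...' limits."""
    if monthly_p > 0.5:
        return Likelihood.VERY_HIGH
    if monthly_p > 1 / 6:
        return Likelihood.HIGH
    if monthly_p > 1 / 12:
        return Likelihood.MODERATE
    if monthly_p > 1 / 24:
        return Likelihood.LOW
    return Likelihood.VERY_LOW


def risk_statement(cause, event, effect):
    """Render an entry in the deck's 'If - then - resulting in a risk of' syntax."""
    return f"If - {cause} - then - {event} - resulting in a risk of - {effect}"


@dataclass
class Assessment:
    statement: str
    impact: Impact        # worst level across the measures assessed
    likelihood: Likelihood

    def heatmap_cell(self):
        """(impact row, likelihood column) on the 5 x 5 heat map."""
        return int(self.impact), int(self.likelihood)


def assess(cause, event, effect, impacts, months_between_occurrences):
    """Overall impact = worst individual measure (assumption; the deck only
    says the final classification is not a linear impact x probability)."""
    return Assessment(
        statement=risk_statement(cause, event, effect),
        impact=max(impacts),
        likelihood=likelihood_level(monthly_probability(months_between_occurrences)),
    )


if __name__ == "__main__":
    # Constructed figures for the information-assets risk quoted in the deck.
    a = assess(
        "we do not ensure that IT Services' information assets are managed correctly and securely",
        "there is a possibility of information loss and corruption AND major security breach",
        "damage to reputation of department and University, possible criminal or civil proceedings, and loss or corruption of information",
        impacts=[financial_impact(250_000), outage_impact(3 * 24 * 60), Impact.CRITICAL],
        months_between_occurrences=6,  # 'once within the next six months'
    )
    print(a.statement)
    print(a.impact.name, a.likelihood.name, a.heatmap_cell())  # CRITICAL MODERATE (5, 3)
```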
Ask you to assess an Oxford risk…
If - we do not ensure that IT Services' information assets are managed correctly and securely - then - there is a possibility of information loss and corruption AND major security breach - resulting in a risk of - damage to reputation of department and University, possible criminal or civil proceedings, and loss or corruption of information
Which type of ‘Impact’ assessment is likely to have the biggest impact?
{Critical impact * Moderate probability} = 20 classification
Oxford’s Strategic Risk Register
• Creating a strategic risk register is challenging
 – Bottom-up (workshops) combined with top-down (senior management)
 – Referenced against EDUCAUSE top-ten issues
 – Entries becoming relatively stable (after 6 months)
I M P A C T
Critical 5 2
Major 4 1 8 2 2
Moderate 3 1 5
Minor 2
Insignificant 1
1 2 3 4 5
Very Low Low Moderate High Very
High
LIKELIHOOD
Strategic risk mitigation
• Each risk has a ‘Response’, ‘Risk Proximity’ and ‘% complete’; actions and controls detailed for mitigation
Reviewed by IT Committee termly
Objective: get all risks to ‘amber’ or less by end of academic year
Also, process for introducing new Strategic risks
Oxford Summary
• Risk management programme working
 – Reducing threat against departmental objectives
 – Directing priorities
• Strategic risk register still being refined…
 – Strategic risk register entries stable
 – Risk classifications reducing as a result of concerted efforts to mitigate
 – Will update strategic risk again after conference…
• Top-down meets bottom-up meets EDUCAUSE top ten
 – Management of strategic risks certainly delivering benefits
• Still to be connected with University of Oxford risk fully
• Still to be connected with IT Strategic Plan fully
Princeton / Oxford Comparison
Learning While Doing – Judith Pirani*
Princeton
 Strengths – Institutional Outreach:
  • Non-IT leaders’ input solicited from start
  • Works closely with Audit and Compliance
  • Institutional perspective
  • CIO member of the President’s Cabinet
  • CIO encouraging alignment of IT risk management with institutional goals
 Weakness: Initial risk assessment too granular?
Oxford
 Strengths:
  • Stratified Risk Model
  • Inclusive IT Risk Identification
  • Repeatable and Relatively Objective Risk Assessment Method
  • Process and Policies: well-documented processes, definitions, and models; linkage of risk and response processes; monitoring risk response
  • Weaves IT risk into IT planning and IT governance
 Weakness: Too much formality?
ECAR Results and Live Poll
ECAR results
• Most of the responses to our poll came from four year institutions (58% doctoral, 17% baccalaureate, and 15% master’s)
• Has your institution adopted an IT risk management program or methodology?
 [Chart: response categories – No; No, planning to implement; No, would like guidance]
EDUCAUSE Conference Poll
• Identified set of top 10 strategic risks*, based on Princeton and Oxford registers, and cross-referenced to the EDUCAUSE Top Ten Issues (2013)*
• Consider each one in turn, and ask attendees two questions:
 – For those who have strategic IT risk registers in their universities: do they have a similar risk included in their own top set?
 – For those who do not have strategic IT risk registers in their universities: would it be likely that they would have a similar risk included in their own top set?
• Then ask which top risks are missing?
Risk 1
Business Continuity: If departments delivering services in partnership with central IT do not make adequate plans for continuation of their business processes in the event of an outage of IT or other utility services, then IT might not be able to deliver services required by the university
This could result in a risk of major academic disruption and potential financial loss (e.g. Hurricane Katrina in New Orleans)
 – 2013 issue #5 — Facilitating a better understanding of information security and finding appropriate balance between infrastructure and security
 – 2013 issue #6 — Funding information technology strategically
Risk 2
Emerging Technologies — Cloud Computing, Social Media, Mobility: If students, faculty, and staff use consumer-oriented and easily accessible technologies without appropriate consultation with central IT, then there could be serious information security implications: loss of control of university data, problematic contract issues, lack of attention to privacy concerns, etc.
This could result in a risk to institutional data integrity, confidentiality, and availability, and thus a risk of institutional financial obligation
 – 2013 issue #1 — Leveraging the wireless and device explosion on campus
 – 2013 issue #3 — Developing an institution-wide cloud strategy to help the institution select the right sourcing and solution strategies
Risk 3
Privacy, Confidentiality, Data Classification: If departments do not understand the legal, regulatory, and university policies around categories of data, then the university might suffer from inappropriate exposure of private data, resulting in a risk of lawsuits, loss of institutional intellectual property, loss of institutional reputation, and financial penalties

– 2013 issue #5 — Facilitating a better understanding of information security and finding appropriate balance between infrastructure openness and security

– 2013 issue #10 — Using analytics to support critical institutional outcomes
Risk 4
Inadequate Investment in IT Services: If a convincing case for adequate investment in IT cannot be made, then we might not be able to deliver projects and services required by the university, resulting in a risk of failing to provide the services required to run the business of the university

– 2013 issue #4 — Developing a staffing and organizational model to accommodate the changing IT environment and facilitate openness and agility

– 2013 issue #6 — Funding information technology strategically

– 2013 issue #9 — Transforming the institution's business with information technology
Risk 5
Failure to Recognize and Meet User Expectations: If we fail to identify user requirements and expectations and to assess the extent to which we are meeting them, then our services might not align with the university's needs. This misalignment could result in a risk of customers who have lost confidence in IT, a waste of resources, damage to the IT department's reputation, and failure to deliver services required by the university

– 2013 issue #8 — Supporting the trends toward IT consumerization and bring-your-own-device

– 2013 issue #4 — Developing a staffing and organizational model to accommodate the changing IT environment and facilitate openness and agility

– 2013 issue #1 — Access demand: wireless and device explosion, new digital divide, demand for institutional mobile apps

– 2013 issue #2 — Improving student outcomes through an approach that leverages technology

– 2013 issue #9 — Transforming the institution's business with information technology
Risk 6
Failure to Address Funding Shortages over Many Years: If we do not recognize the recurring costs of infrastructure services and resource them appropriately, then there is the possibility that service improvements, including essential upgrades and enhancements, will not occur in a timely fashion, or at all. As a result, we risk service degradation or major failure and therefore compromise to university business operations

– 2013 issue #6 — Funding information technology strategically

– 2013 issue #9 — Transforming the institution's business with information technology
Risk 7
Inadequate Program and Project Coordination: If adequate project and program controls and management strategies are not in place, then there may be significant over-runs in budget expenditure or even failure to deliver, resulting in a risk of failure to deliver important programs and projects for the university
– 2013 issue #6 — Funding information technology strategically
Risk 8
Failure to Manage Information Assets Securely: If we do not ensure that information assets are managed correctly and securely, then there is a possibility of information loss and corruption or of a major security breach. These could result in a risk of damage to the reputation of the IT department and the university, possible criminal or civil proceedings, and loss or corruption of information

– 2013 issue #5 — Facilitating a better understanding of information security and finding appropriate balance between infrastructure openness and security
Risk 9
Learning and Teaching Support Inadequately Resourced: If the environment used by the university to support many aspects of learning and teaching is not resourced and prioritized adequately, then the service might not be sufficiently robust or developed to support use, demand, and user expectations, resulting in a risk of high-profile failure or widespread dissatisfaction with tools and inability of the university to deliver high-quality teaching

– 2013 issue #2 — Improving student outcomes through an approach that leverages technology

– 2013 issue #7 — Determining the role of online learning and developing a sustainable strategy for that role
Risk 10
Failure to Operate Capital Investment Approvals and Prioritization: If a clearly defined project and program approvals process is not followed, and a framework is not set up to define and agree on the most important capital investment areas, then projects and programs might not be prioritized correctly or adequately controlled and resourced, resulting in a risk of inappropriate allocation of resources, missed university objectives, and unnecessary expenditure and delays
– 2013 issue #6 — Funding information technology strategically
Summary
Any top-level strategic risks not covered?

Results from poll:

– For those with strategic risk registers, number of risks appearing in more than half:

– For those without strategic risk registers, number of risks that would appear in more than half:
Session Summary and Conclusions
Gave an overview of the management of IT risk

Compared and contrasted the Princeton and Oxford approaches

Reviewed experiences from other universities

Showed how risks should be managed within an IT risk management framework

Compared the risks with the EDUCAUSE top ten IT issues

Undertook a poll to determine whether a consensus is being reached on what should be included in a strategic risk register
Thank you

References

ECAR 2013 IT Risk Management poll: http://net.educause.edu/ir/library/pdf/ECARpollAPR2013.pdf

EDUCAUSE Top 10 IT Issues (2013): http://www.educause.edu/research-and-publications/research/top-10-it-issues

Judith A. Pirani, Learning While Doing: Two Institutions' Practical IT Risk Management Experiences, ECAR Research Bulletin: http://net.educause.edu/ir/library/pdf/ecar_so/erb/ERB1306.pdf

Strategic IT Risks Matched with EDUCAUSE Top 10 IT Issues: IT Risk Management: Try This Exercise at Your Institution: http://www.educause.edu/ero/article/it-risk-management-try-exercise-your-institution

Office of Government Commerce, Management of Risk (M_o_R): http://www.mor-officialsite.com/home/home.aspx

University of Oxford Risk Management policy: http://www.admin.ox.ac.uk/riskmgt/