University of Guelph 1
CANHEIT 2012
Building the Digital University
What’s Out There? Building a Central IT Repository
Welcome!
Presentation Goal/Format
Agenda
• Introduction
• Learning Objectives
• Why have a Central IT Repository?
• What are we @Guelph Trying to Do?
• How are we Building IT?
• Learning Objectives (Details)
• Wrap-up
Introduction
• Guelph’s IT organization/culture
– IT Governance
– 50% distributed/decentralized
• What about me?
– My portfolio
Why are you here?
• Are you thinking about:
– IT Risk management?
– IT contingency planning?
– Compliance (PCI, FIPPA)?
Learning Objectives
• Recognize the value of a central IT Repository
• Understand the basic requirements for IT risk management
• Learn how Guelph’s approach combines application, services and people information
• Take away ideas for valuable metrics
• Consider visibility and sustainability challenges
WHY build a Repository?
• It’s the right thing to do! (if you’re trying to manage risk)
• Inventory of IT Assets is a foundational component of any IT security program!
– What do we need to protect?
– Who is responsible?
– Who are we dependent on?
WHY build a Repository?
• Risk management standards/frameworks
• The starting point is always identifying IT assets!
• ISO 27002 (clauses 7.1 & 7.2 of the 2005 edition; the same controls were renumbered 8.1 and 8.2 in the 2013 revision)
– Clause 7.1 Responsibility for Assets (inventory of assets, ownership of assets)
– Clause 7.2 Information Classification
• SANS “20 Critical Security Controls”
– #1 Inventory of authorized (and unauthorized) devices
– #2 Inventory of authorized (and unauthorized) software
• NIST SP 800-60 (Guide for Mapping Types of Information and Information Systems to Security Categories)
• PCI DSS (requirements 9 & 12)
– Where is cardholder data stored?
WHAT Are We Building?
• What it is: The IT Repository is an on-line, web-accessible inventory of the University’s IT Assets and the human resources who have a specific relationship with those Assets.
– A ‘high level’ catalogue of IT application systems and infrastructure services.
• What it isn’t: A physical hardware inventory (CMDB) with device/configuration details, nor an end-user targeted IT Service Catalogue.
– It is not an asset management system for tracking acquisition costs, licensing, obsolescence, etc.
Repository Goals
• Gain University-wide visibility of existing applications and infrastructure services
• Identify system and service ownership and accountability
• Identify systems which store sensitive information or have special compliance requirements (e.g. PCI DSS)
• Encourage collaboration and leveraging of resources and expertise
• Identify duplication and redundancy (show interconnections)
• (new) Enable improved management responsiveness to potential disruptions and incidents
IT Assets
• Current ‘beta’ Repository has two tables (Assets and People)
• Asset table has two types:
– Applications (transaction-processing systems)
– Infrastructure ‘services’ (e.g. backup/recovery)
• I’m thinking about:
– A third asset type for academic/research (e.g. labs)
– A third table for documenting IT Controls
IT Asset Attributes
• Attributes are chosen for high-level risk management, not for ITSM (service management).
• Currently twenty-two attributes (see hand-out)
• Attributes become metrics when summarized, allowing identification and analysis of areas of risk.
• Current list of attributes has been reviewed and accepted by our senior IT governance committee (ITSC).
IT People Records
• Identify ‘IT People’ who are ‘related’ to Assets (i.e. who is accountable, who/where is IT support).
• Identifies the individual’s role in relation to IT:
– Executive Sponsor
– System Owner
– Primary (& alternate) Technical Support
• People record attributes:
– Title, department, contact information
– Emergency contact info (provided by individual)
– Date Last Updated (& updated by)
HOW Do We Build it?
• Some History
– Remember Y2k?
– Initial CIO focus was mainly ‘information architecture’: discovering the extent of “inter-connectedness” between systems
• Build vs Buy
– CIO keen on trying a SaaS approach
– We flip-flopped a couple of times
• Low-key; keep it simple
HOW Do We Build it?
• Current Status
– Stabilizing a ‘beta’ version of code and data structure
– Populating the tables based on Central (CIO’s Office) knowledge
– Previewing to selected stakeholders
– Roll-out on hold pending secure authentication
• Nice-to-haves
– Identifying Assets not yet acquired but desired (i.e. IT demand)
– Highlighting Assets which are ‘evolving’ (e.g. major upgrades)
– Formal executive sponsorship
1. Recognize the value of a central IT Repository of IT Assets and IT ‘People’
• Enable informed decision-making and information sharing
• Visibility (always a good starting point)
– Highlight important risk-related information such as:
– Technical support staff and 3rd-party dependencies
– Storage of sensitive data (compliance requirements)
– E-commerce (PCI compliance requirements)
• Accountability
– Who is responsible? Connect IT Assets and People
• Contingency Planning
– Emergency preparedness
– Incident response
• IT Asset Security ‘Profiling’ (i.e. individual asset risk assessments)
– Where is this Asset hosted?
– Who is responsible for technical support?
– Are we scanning this Asset for vulnerabilities?
2. Understand the basic requirements for IT Risk Management
• Risk Management Defined: A 3-phase process of identifying risk, assessing risk, and taking action to reduce risk to an acceptable (residual) level.
• Risk Defined: The function of the likelihood of a given threat exploiting a vulnerability and the resulting impact of that adverse event.
• Risk assessment starts with characterizing or classifying systems (assets) as to their overall criticality (e.g. financial impact, data sensitivity).
• The risk factors are the ‘attributes’ we want to gather for each system.
2. Understand the basic requirements for IT Risk Management
• Requirement #1 = Asset identification.
• Requirement #2 = Gathering risk-related attributes.
– Ranking/classifying assets with the highest risk-impact ‘scores’.
• Requirement #3 = Identifying applicable controls.
• Requirement #4 = Estimating the likelihood of vulnerabilities being exploited.
• Requirement #5 = Deciding whether to accept the residual risk.
3. How Guelph’s approach combines application, infrastructure services and ‘people’ information to enable contingency planning and incident response
• We’ve covered the Why, What, and How.
• Contingency planning: executive management responsibility
• Disruption of IT services is a major enterprise risk
• Repository info informs the contingency planning process
• Security ‘Profiling’ (drilling down)
– More examples (risk attributes)
4. Ideas for Valuable Metrics
• # of systems/services utilizing 3rd-party service providers
• # of systems hosted remotely or “in the cloud”
• Pct of systems centrally supported
• Pct of systems centrally funded
• # of systems performing ‘e-commerce’
• # of systems processing/storing “sensitive data”
• # of systems/services supported by vendor ‘x’
5. Visibility and Sustainability Challenges
• Political and Cultural:
– Pinpointing accountability is not welcomed by some!
– Transparency/visibility is not welcomed by some!
– Differing views of various stakeholders
– Resistance to providing detailed attribute information
• Administrative Challenges:
– How to keep contact info up-to-date?
– Synchronization with other sources/directories
– Identifying individuals by Bargaining Group
5. Visibility and Sustainability Challenges
• Responding to Challenges: still a plan/strategy!!
– Provide reasons/value for visiting, utilizing, and updating the Repository
– Track (and follow-up) the ‘freshness’ of information in the Repository
– Mandate (via Policy)
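Added example (not part of the Guelph presentation or its Repository code): a minimal Python model of the two tables described earlier (Assets with risk-related attributes, People with roles and a ‘Date Last Updated’), the impact-times-likelihood ranking from the risk-management requirements, the portfolio metrics from section 4, and the accountability and ‘freshness’ follow-up from section 5. The attribute names, scoring weights, one-year freshness threshold and every sample asset, vendor and person are assumptions constructed for the illustration; the deck’s actual twenty-two attributes are in a hand-out that is not reproduced here.

```python
# Added example, not the Guelph Repository's own code: attribute names, weights,
# the one-year freshness threshold and all sample records are assumptions.
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

ROLES = ("executive_sponsor", "system_owner", "primary_support", "alternate_support")

@dataclass
class Person:                   # one row of the People table
    person_id: str
    name: str
    department: str
    last_updated: date          # "Date Last Updated" on the People record

@dataclass
class Asset:                    # one row of the Assets table
    asset_id: str
    name: str
    asset_type: str             # "application" or "infrastructure service"
    hosted: str                 # "central", "department" or "third-party"
    vendor: Optional[str]       # third-party service provider, if any
    sensitive_data: bool        # stores/processes sensitive (e.g. FIPPA) data
    ecommerce: bool             # handles cardholder data -> PCI DSS scope
    centrally_supported: bool
    centrally_funded: bool
    vuln_scanned: bool          # "Are we scanning this Asset for vulnerabilities?"
    roles: Dict[str, Optional[str]]   # role -> person_id (None: nobody named)

def impact_score(a: Asset) -> int:
    """Requirement #2: criticality (assumed weights: +3 sensitive data, +3 PCI scope, +1 external host)."""
    return 1 + 3 * a.sensitive_data + 3 * a.ecommerce + (a.hosted == "third-party")

def likelihood_score(a: Asset) -> int:
    """Requirement #4: crude likelihood (+2 not scanned, +1 no primary support, +1 not central)."""
    return (1 + 2 * (not a.vuln_scanned) + (a.roles.get("primary_support") is None)
            + (not a.centrally_supported))

def rank_assets(assets: List[Asset]) -> List[Tuple[int, str]]:
    """Rank by impact x likelihood, highest risk first."""
    return sorted(((impact_score(a) * likelihood_score(a), a.asset_id)
                   for a in assets), reverse=True)

def portfolio_metrics(assets: List[Asset]) -> Dict[str, object]:
    """The 'Ideas for Valuable Metrics' list, summarised from the attributes."""
    def count(pred):
        return sum(1 for a in assets if pred(a))
    def pct(pred):
        return round(100.0 * count(pred) / len(assets), 1)
    return {
        "third_party_providers": count(lambda a: a.vendor is not None),
        "hosted_remotely": count(lambda a: a.hosted == "third-party"),
        "pct_centrally_supported": pct(lambda a: a.centrally_supported),
        "pct_centrally_funded": pct(lambda a: a.centrally_funded),
        "ecommerce": count(lambda a: a.ecommerce),
        "sensitive_data": count(lambda a: a.sensitive_data),
        "by_vendor": dict(Counter(a.vendor for a in assets if a.vendor)),
    }

def accountability_gaps(assets: List[Asset], people: Dict[str, Person],
                        today: date, max_age_days: int = 365) -> List[Tuple[str, str]]:
    """Sustainability follow-up: every asset needs a named System Owner, and the
    People records it points at must have been confirmed within max_age_days."""
    gaps = []
    for a in assets:
        if a.roles.get("system_owner") is None:
            gaps.append((a.asset_id, "no system owner"))
        for role in ROLES:
            pid = a.roles.get(role)
            if pid and (today - people[pid].last_updated).days > max_age_days:
                gaps.append((a.asset_id, f"{role} record stale"))
    return gaps

def _roles(sponsor=None, owner=None, primary=None, alternate=None):
    return dict(zip(ROLES, (sponsor, owner, primary, alternate)))

# Constructed sample data: not real Guelph systems, vendors or staff.
AS_OF = date(2012, 6, 1)
PEOPLE = {p.person_id: p for p in [
    Person("p1", "A. Example", "Finance", date(2012, 1, 15)),
    Person("p2", "B. Example", "Computing Services", date(2011, 3, 1)),  # stale
    Person("p3", "C. Example", "Registrar", date(2012, 4, 20)),
]}
ASSETS = [
    Asset("A1", "Student records", "application", "central", None,
          True, False, True, True, True, _roles("p3", "p3", "p2")),
    Asset("A2", "Online payments", "application", "third-party", "PayCo",
          True, True, False, False, False, _roles(sponsor="p1")),
    Asset("A3", "Backup/recovery", "infrastructure service", "central", None,
          False, False, True, True, True, _roles(owner="p2", primary="p2")),
    Asset("A4", "Lab booking", "application", "third-party", "BookCo",
          False, False, False, False, False, _roles(owner="p1", primary="p1")),
]

if __name__ == "__main__":
    print(rank_assets(ASSETS))          # A2 (online payments) tops the list
    print(portfolio_metrics(ASSETS))
    print(accountability_gaps(ASSETS, PEOPLE, AS_OF))
```

Each attribute is recorded once on the Asset row and every metric is a summary over those rows, which is the point of the “attributes become metrics” slide; the freshness check walks the same role links used for accountability, so a single stale People record surfaces against every asset that depends on that person, and an asset with no System Owner is flagged even when its other attributes look healthy.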
CONCLUSION
• Did I succeed with the five learning objectives?
• Questions?
CONTACT
• D. Douglas Badger CGA CISA CGEIT CRISC
– Director, Systems Assurance and IT Portfolio Management
– Office of the CIO http://www.uoguelph.ca/cio
– http://www.uoguelph.ca/cio/content/portfolio-management-office
– Telephone: 519-824-4120 (ext. 52830)