
U.Va.'s IT Security Risk Management Program (ITS-RM)


April 2004 LSP Conference, Brian Davis, OIT Security and Policy

IT Security Risk Management Program (ITS-RM)


Announcing the roll out of version 1.0
Will assist departments in appropriately protecting their IT assets

Why?

IT Security Risk Management. It's not just a best practice, it's a good idea!

Good News

Most of you are already doing most of what you need to be doing
The program provides tools to make identification and prioritization of the rest easier
Be prepared when your department's administrators come to you for assistance

What's Risk Management?


Formally defined: the total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.

More simply put


Determine what your risks are and then decide on a course of action to deal with those risks.

Even more colloquially


What's your threshold for pain? Do you want failure to deal with this risk to end up on the front page of the Daily Progress?

Risk Management Practices


Conduct a mission impact analysis and risk assessment to:
1. Identify various levels of sensitivity associated with information resources
2. Identify potential security threats to those resources

Risk Management Practices (cont.)


Conduct a mission impact analysis and risk assessment to:
3. Determine the appropriate level of security to be implemented to safeguard those resources
4. Review, reassess and update as needed, or at least every 3 years

Risk Management Practices (cont.)

Coordinated and integrated with contingency planning and mission resumption activities
Mission continuity plan that will provide reasonable assurance that critical data processing support can be continued or resumed within an acceptable time frame if normal operations are interrupted

University Level

Design university-wide program for analysis, assessment & planning
Identify general security threats & provide other guidance material
Oversee completion of department-level analysis, assessment and planning efforts
Complete yearly analysis & assessment for enterprise systems; update enterprise business continuity regularly

Departmental Level

Identify sensitive department system data and assets, and the threats to those data and assets
Determine appropriate safeguards & form a plan for implementing them
Complete U.Va. templates at least every three years & when the computing environment changes significantly

Brief Description
ITC is implementing a University-wide IT Security Risk Management Program covering:
IT Mission Impact Analysis
IT Risk Assessment
IT Mission Continuity Planning
Evaluation and Reassessment

What Has Been Done

ITC conducts a yearly business analysis and risk assessment for directly managed resources, and updates its business continuity plan more often
Similar planning occurred across the University as part of the Y2K initiative
Comptroller's Office collects information on the existence, but not the quality, of security-related plans
Audit Department includes review of security plans during routine departmental audits
ITC's departmental security self-assessment checklist (part of the security awareness program)

Why That's Not Enough


Y2K business continuity plans not updated
No mechanisms for tracking the frequency of updates, quality and consistency
No central repository for safeguarding assessment and planning documents
No university-level procedure dealing explicitly with ongoing IT security risk management
Non-compliant with state standards or with HIPAA and GLBA

Responsibilities

ITC
Health System
Audit Department
Other Offices
The Departments

Executive Support

Strong executive support has been a key success factor at other institutions
Executives are fully behind the program at U.Va.
A University policy requiring participation in the program is coming
Encouragement from LSPs will also be necessary, as many department heads will not fully appreciate the need for IT security assessment and planning

Step 1 - Identify Critical IT Assets


ITS-RM Toolbox: 1. Criteria 2. Template

Critical Assets List

Step 2 - Assess Risks


For each critical asset:
Weigh likelihood & impact of threats to the asset
Prioritize threats
Select response strategies
Develop a remediation plan

ITS-RM Toolbox: 1. threat scenarios 2. response strategies 3. remediation plan template & example

Remediation Plan

Step 3 - Mission Continuity Planning


Create a response plan to use in the event that critical IT assets are lost, unavailable, corrupted or disclosed:
Disaster Recovery Plan
Interim Manual Procedures

ITS-RM Toolbox: 1. disaster recovery plan example 2. interim manual procedures example

Step 4 - Evaluation and Reassessment


Required at least once every three years

Let's look at an example

It's good for you!

Risk management makes you more efficient
Risk management helps you make your case
Risk management has got your back

It's not as painful as it looks!


No one will be starting from scratch
Little is expected from those with little; more is expected from those with more
The templates are designed for the most complex situations but work for simple situations, too

ITS-RM Roll Out


Version 2.0 coming soon
Top 5 by end of year
Next 5 by next summer
Encourage other departments to get moving

You're Not Alone...


ITC can't do it for you, but is available to consult:


Meet to explain the process
Service consultations if we have solutions that fill a gap

For More Information...


http://www.itc.virginia.edu/security/riskmanagement

Brian Davis bdavis@virginia.edu 243-8707

Shirley Payne payne@virginia.edu 924-4165
