U.Va.’s IT Security Risk Management Program (ITS-RM) April 2004 LSP Conference Brian Davis OIT,...

Post on 22-Jan-2016


U.Va.’s IT Security Risk Management Program (ITS-RM)

April 2004 LSP Conference

Brian Davis

OIT, Security and Policy

IT Security Risk Management Program (ITS-RM)

Announcing the roll out of version 1.0

Will assist departments in appropriately protecting their IT assets

Why?

IT Security Risk Management. It’s not just a “best practice,” it’s a good idea!

Good News

Most of you are already doing most of what you need to be doing

Program provides tools to make identification and prioritization of the rest easier

Be prepared when your department’s administrators come to you for assistance

What’s Risk Management?

Formally defined

“The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.”

More simply put…

“Determine what your risks are and then decide on a course of action to deal with those risks.”

Even more colloquially…

What’s your threshold for pain?

Do you want failure to deal with this risk to end up on the front page of the Daily Progress?

Risk Management Practices

Conduct a mission impact analysis and risk assessment to:

1. Identify various levels of sensitivity associated with information resources

2. Identify potential security threats to those resources

Risk Management Practices (cont.)

Conduct a mission impact analysis and risk assessment to:

3. Determine the appropriate level of security to be implemented to safeguard those resources

4. Review, reassess and update as needed or at least every 3 years

Risk Management Practices (cont.)

Coordinated and integrated with contingency planning and mission resumption activities

Mission continuity plan that will provide reasonable assurance that critical data processing support can be continued or resumed within an acceptable time frame if normal operations are interrupted

University Level

Design university-wide program for analysis, assessment & planning

Identify general security threats & provide other guidance material

Oversee completion of department level analysis, assessment, planning efforts

Complete yearly analysis & assessment for enterprise systems; update enterprise business continuity regularly

Departmental Level

Identify sensitive department system data, assets & threats to those data, assets

Determine appropriate safeguards & form plan for implementing them

Complete U.Va. templates at least every three years & when computing environment changes significantly

Brief Description

ITC implementing a University-wide IT Security Risk Management Program for:

IT Mission Impact Analysis

IT Risk Assessment

IT Mission Continuity Planning

Evaluation and Reassessment

What Has Been Done

ITC conducts a yearly business analysis and risk assessment for directly managed resources; updates its business continuity plan more often

Similar planning occurred across the University as part of the Y2K initiative

Comptroller’s Office collects information on the existence (but not quality) of security-related plans

Audit Department includes review of security plans during routine departmental audits

ITC’s departmental security self-assessment checklist (part of security awareness program)

Why That’s Not Enough

Y2K business continuity plans not updated

No mechanisms for tracking the frequency of updates, quality and consistency

No central repository for safeguarding assessment and planning documents

No university-level procedure dealing explicitly with ongoing IT security risk management

Non-compliant with state standards or HIPAA and GLBA

Responsibilities

ITC

Health System

Audit Department

Other Offices

The Departments…

Executive Support

Strong executive support has been a key success factor at other institutions

Executives fully behind program at U.Va.

University policy requiring participation in the program is coming

Encouragement from LSPs will also be necessary as many department heads will not fully appreciate the need for IT security assessment and planning

Step 1 – Identify Critical IT Assets

Critical Assets List

ITS-RM Toolbox: 1. Criteria 2. Template

Step 2 – Assess Risks

For each critical asset:
• Weigh likelihood & impact of threats to each asset
• Prioritize threats
• Select response strategies
• Develop remediation plan

Remediation Plan

ITS-RM Toolbox: 1. threat scenarios 2. response strategies 3. remediation plan template & example

Step 3 – Mission Continuity Planning

Create a response plan to use in the event that critical IT assets are lost, unavailable, corrupted or disclosed

Disaster Recovery Plan, Interim Manual Procedures

ITS-RM Toolbox: 1. disaster recovery plan example 2. interim manual procedures example

Step 4 – Evaluation and Reassessment

Required at least once every three years
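Steps 2 and 4 above, worked as a small risk register: score each threat scenario by likelihood times impact, rank them, attach a response strategy, and flag assets whose reassessment is more than three years old. This is an added illustration, not code or a template from the ITS-RM program; the 1–5 scales, the score thresholds and the strategy names are assumptions, and the sample register is constructed.

```python
from dataclasses import dataclass
from datetime import date

REASSESS_YEARS = 3  # ITS-RM step 4: review at least once every three years

@dataclass
class Threat:
    asset: str
    scenario: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int      # 1 (negligible) .. 5 (mission-stopping); assumed scale

    def score(self) -> int:
        """Risk score = likelihood x impact (1..25)."""
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be 1..5")
        return self.likelihood * self.impact

def response_strategy(score: int) -> str:
    """Assumed thresholds mapping a score to a response strategy."""
    if score >= 15:
        return "mitigate now (remediation plan item)"
    if score >= 8:
        return "mitigate within planning cycle"
    return "accept and monitor"

def prioritize(threats):
    """Step 2: rank threats, highest score first, with a strategy for each."""
    ranked = sorted(threats, key=lambda t: t.score(), reverse=True)
    return [(t.asset, t.scenario, t.score(), response_strategy(t.score()))
            for t in ranked]

def reassessment_due(last_assessed: str, today: str) -> bool:
    """Step 4: True when the last assessment (ISO date) is over three years old."""
    last, now = date.fromisoformat(last_assessed), date.fromisoformat(today)
    try:
        deadline = last.replace(year=last.year + REASSESS_YEARS)
    except ValueError:  # last assessment fell on 29 Feb
        deadline = last.replace(year=last.year + REASSESS_YEARS, day=28)
    return now > deadline

# Constructed sample register; not real U.Va. data.
SAMPLE = [
    Threat("grades database", "server disk failure, no tested backup", 3, 5),
    Threat("grades database", "disclosure via shared admin password", 4, 4),
    Threat("lab print server", "building power outage", 4, 1),
]
```

Calling `prioritize(SAMPLE)` puts the disclosure scenario (score 16) ahead of the disk failure (15) and leaves the outage (4) at "accept and monitor".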

Let’s look at an example…

It’s good for you!

Risk management makes you more efficient

Risk management helps you make your case

Risk management has got your back

It’s not as painful as it looks!

No one will be starting from scratch

Little is expected from those with little, more is expected from those with more

The templates are designed for the most complex situations but work for simple solutions, too

ITS-RM Roll Out

Version 2.0 coming soon…

Top 5 by end of year

Next 5 by next summer

Encourage other departments to get moving

You’re Not Alone...

ITC can’t do it for you

Available to consult

Meet to explain process

Service consultations if we have solutions that fill a gap

For More Information...

http://www.itc.virginia.edu/security/riskmanagement

Brian Davis, bdavis@virginia.edu, 243-8707

Shirley Payne, payne@virginia.edu, 924-4165