IT Governance & Information Security Program...University of North Carolina at Charlotte 12/6/2012...
12/6/2012 • 1 University of North Carolina at Charlotte
The Role of IT Governance for Effective Information Security Management
Sanjeev Sah
Chief Information Security Officer
The University of North Carolina at Charlotte
December 6, 2012
1.2 billion users
2.4 billion users Internet
122 million Tablets
1.7 billion Phones
Source: HP.com
Virtualization has transformed Data Centers.
Consumer Cloud Services are more powerful than what IT provides.
Bring Your Own Device (BYOD) is the new strategy for end point services.
Societal
• Accommodating the globalized service economy spurs "education inflation".
Political
• Politicians are retreating from their responsibility for education.
Environment
• Uncertainty about future energy sources is heightened.
Economy
• In the aftermath of the global financial crisis, cost control remains a focus.
Nexus
Social
Mobile
Cloud
Information
Source: Gartner
People & Forums
Administrative, Technical & Non-Technical
Process & Procedures
Governance
Policies, Regulations, Requirements & Guidelines
Information Security Program
Safeguards & Controls
IT Governance Forums & Functions @ UNC Charlotte
Information Technology Executive Steering Committee (ITESC)
Chancellor
Board of Trustees
Information Technology Advisory Committee (ITAC)
Information Assurance
IT Infrastructure
Enterprise Applications
Client Facing Technology
ITESC has strategy-level governance of Information Technology, such as resource allocation, policy review and Information Security oversight for the whole university.
ITAC has operational-level governance of Information Technology, including Portfolio Activities and Information Security.
Ensure the effective and efficient use of Information Technology, and monitor that Information Security Risks are being addressed.
Ensure that Information Technology Strategy is aligned with the University’s mission.
Program Governance – Forums, Scope/Functions & Outcomes
CISO
Chancellor
Board of Trustees
ITESC
ITAC
Information Assurance
Information Security
IS Compliance
Campus Data Security Officers
Forum:
High-Level Council / Executive Sponsor
Scope/Function:
• Set Accountability & Authority
• Program oversight
• Budget allocation
• Policy & strategy definition
• Conciliation / Arbitration
• Approval and exemptions
Outcomes:
• Policy legitimacy and awareness
• Authority of the IT Governance & ISP
• Budgets
• Policy and strategy
• Priorities
Forum:
Mid-Level Council
Scope/Function:
• Project oversight
• Local policy definition
• Reporting
Outcomes:
• Local policies
• Reports
Forum:
Information Security Teams
Scope/Function:
• Project oversight
• Operations oversight
• Policy compliance monitoring
• Reporting
Outcomes:
• Compliance certifications and exceptions
• Reports
Key IT Issues – Higher Education
How is IT changing the global education ecosystem and impacting the future workforce in society?
How should higher education institutions invest in applications, systems and infrastructure?
How should higher education institutions strategize and govern to make the most out of IT?
Key Security & Risk Management Issues
How can we balance regulatory, commercial and organizational compliance?
What are the characteristics of a successful information security program?
What are the components of a successful enterprise privacy program?
How can business continuity management and operational risk management be aligned to achieve business resilience?
How can risk management activities be aligned to the University’s performance?
Sources: Gartner & Educause, 2012