IT GRC in Higher Education (286866068)
Transcript of IT GRC in Higher Education (286866068)
IT GRC in Higher Education
Agenda
• Speaker Introductions
• EDUCAUSE IT GRC Program
• IT Governance
• IT Risk
• IT Compliance
• Get involved!
This presentation leaves copyright of the content to the presenters. Unless otherwise noted in the materials, uploaded content carries the Creative Commons Attribution‐NonCommercial‐ShareAlike license, which grants usage to the general public with the stipulated criteria.
Speaker Bio
Michael Corn
• Deputy CIO, Brandeis University
• 12 years as CISO
• Mostly working on governance and strategy
• Career limiting skepticism of social media (@MichaelAlanCorn)
Speaker Bio
Joanna Grama
• Director of Cybersecurity and IT GRC Programs at EDUCAUSE
• Lawyer by training
• Credential hoarder by choice (CISSP, CIPT, CRISC)
• Social media addict (@runforserenity)
• (Reformed) helicopter parent
EDUCAUSE IT GRC PROGRAM
• Resources and research to help develop higher education IT GRC programs
• Multi-disciplinary approach: established relationships with NACUBO (business), ACUA (auditors), URMIA (risk management), NACUA (attorneys)
• 201 IT-GRC discussion list members
The EDUCAUSE IT-GRC program provides resources that help IT professionals define and implement IT GRC activities on their campuses. Learn more and view additional resources at www.educause.edu/it-grc
The 2015 EDUCAUSE Top 10 IT Issues List: IT GRC Themes
Governance
• #5: Demonstrating the business value of information technology and how technology and the IT organization can help the institution achieve its goals
• #6: Increasing the IT organization’s capacity for managing change, despite differing community needs, priorities, and abilities
Risk
• #7: Providing user support in the new normal—mobile, online education, cloud, and BYOD environments
• #9: Developing an enterprise IT architecture that can respond to changing conditions and new opportunities
• #10: Balancing agility, openness, and security
Compliance
• #8: Developing mobile, cloud, and digital security policies that work for most of the institutional community
IT GRC Definitions: Governance
• Decision-making processes
• Ensure the effective and efficient use of IT
• Enable an institution to achieve its strategic goals
(Diagram: Governance, Risk, Compliance)
What Does the IT Governance Body Do?
Source: Jacqueline Bichsel and Patrick Feehan, Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in Higher Education (Louisville, CO: ECAR, June 2014), http://www.educause.edu/library/resources/it‐governance‐risk‐and‐compliance‐higher‐education.
Evolution of Governance at Brandeis
• Couple technology governance to University Governance
• Technology = Technology + Business Process
• Data Governance
• Rationalize Governance through Integrated Planning
Source for definitions: http://www.riskope.com/2014/04/03/lets‐define‐strategic‐tactical‐and‐operational‐planning/
Questions About IT Governance
• What do you need to govern?
• How is IT governance different from making good business decisions? (Is it?)
• Does IT governance fit into and inform already established institutional governance processes?
• Is governance possible if budget money is not attached to governance decisions?
• What does higher education need to effectively govern IT?
IT GRC Definitions: Risk
• The potential for an unplanned, negative business outcome; IT risk is a business risk
• Events that could potentially impact the entire institution; not just those that would affect IT operations and staff
• Creates challenges in meeting strategic goals
(Diagram: Governance, Risk, Compliance)
Balance Between Risk Control and Openness
Source: Jacqueline Bichsel and Patrick Feehan, Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in Higher Education (Louisville, CO: ECAR, June 2014), http://www.educause.edu/library/resources/it‐governance‐risk‐and‐compliance‐higher‐education.
Questions About IT Risk
• What are the IT risks that would cause the institution to fail to achieve its goals or operational excellence?
• Who should IT leadership tap to lead its IT risk management efforts? (Security? Infrastructure? Planning? Business Continuity?)
• Is there already a coordinated enterprise-wide risk management initiative at your institution, such as an Enterprise Risk Management (ERM) program? Can IT risk management work within that initiative?
• What is the appropriate balance between risk control and openness in higher education? (Is there an appropriate balance across the board?)
• What does higher education need to effectively identify and respond to IT risk?
IT GRC Definitions: Compliance
• Operating IT systems in a way that meets imposed constraints
• Laws and regulations; contracts and agreements
• Institutional policies
(Diagram: Governance, Risk, Compliance)
IT Compliance Practices
Source: Jacqueline Bichsel and Patrick Feehan, Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in Higher Education (Louisville, CO: ECAR, June 2014), http://www.educause.edu/library/resources/it‐governance‐risk‐and‐compliance‐higher‐education.
Questions About IT Compliance
• What are the laws and regulations that impact the operation of institutional IT resources (or the data in those resources)?
• What institutional policies apply to operation of institutional IT resources (or the data in those resources)?
• Do you know what contracts/agreements your institution has made or entered into that impose conditions on the use of institutional IT resources (or the data in those resources)?
• Is there already a coordinated, enterprise-wide compliance initiative at your institution, and can IT compliance activities fit into or help inform the larger program?
• Is IT compliance optional? (And does your institution treat it that way?)
• What does higher education need to effectively identify and respond to IT risk?
SO WHAT NEXT??
Governance
• Decision-making processes
• Ensure the effective and efficient use of IT
• Enable an institution to achieve its strategic goals
Risk
• The potential for an unplanned, negative business outcome; IT risk is a business risk
• Events that could potentially impact the entire institution; not just those that would affect IT operations and staff
• Creates challenges in meeting strategic goals
Compliance
• Operating IT systems in a way that meets constraints imposed on the institution
• Laws and regulations; contracts and agreements
• Institutional policies
EDUCAUSE IT GRC PROGRAM
• 2014 ECAR Research on IT GRC in Higher Ed
• EDUCAUSE Review “Good Ideas” articles
• Curated EDUCAUSE library resources
Available at: www.educause.edu/it-grc
IT GRC Program Risk Register
• New Resource: IT Risk Register
• Intended to help institutional IT departments get their strategic IT risk-management programs off the ground
• 34 strategic risks, sortable and with references
IT GRC Program Risk Register
• Sort by risk type:
  • Compliance
  • Financial
  • System/Service/IT Life Cycle
  • Operational
  • Reputational
  • Strategic
IT GRC Program Risk Register
• Sort by IT domain
• Based on the EDUCAUSE Core Data Service for cross-referencing with that tool
• 11 domain areas
Get Involved! IT GRC Program
Webpage with resources: http://www.educause.edu/it‐grc
Join the discussion: ITGRC‐[email protected]
Interested in volunteering? Email [email protected]