IT GRC in Higher Education (286866068)


Description

Join Joanna Grama, Director of DRA Operations, IT GRC & Cybersecurity Programs, and Michael Corn, Deputy CIO, for a brief, 15-minute overview of EDUCAUSE programmatic highlights and upcoming plans in the area of Risk Management. Session below will immediately follow.

IT governance, risk, and compliance (GRC) programs develop a framework for the leadership, organization, and operation of an institution's IT programs. Using data from ECAR's 2014 IT GRC study, this session will invite participants to contribute to a discussion about their most pressing IT GRC issues. This session will also introduce participants to EDUCAUSE's IT GRC program and newly published IT risk register.

Outcomes:

• Learn about the current landscape of IT GRC practices in higher education

• Share tips, tactics, and resources needed to improve IT GRC in higher education

http://www.educause.edu/node/335646

Transcript of IT GRC in Higher Education (286866068)

Page 1: IT GRC in Higher Education (286866068)

IT GRC in Higher Education

Page 2: IT GRC in Higher Education (286866068)

Agenda

• Speaker Introductions

• EDUCAUSE IT GRC Program

• IT Governance

• IT Risk

• IT Compliance

• Get involved!

This presentation leaves copyright of the content to the presenters. Unless otherwise noted in the materials, uploaded content carries the Creative Commons Attribution-NonCommercial-ShareAlike license, which grants usage to the general public with the stipulated criteria.

Page 3: IT GRC in Higher Education (286866068)

Speaker Bio

Michael Corn

• Deputy CIO, Brandeis University

• 12 years as CISO

• Mostly working on governance and strategy

• Career limiting skepticism of social media (@MichaelAlanCorn)

Page 4: IT GRC in Higher Education (286866068)

Speaker Bio

Joanna Grama

• Director of Cybersecurity and IT GRC Programs at EDUCAUSE

• Lawyer by training

• Credential hoarder by choice (CISSP, CIPT, CRISC)

• Social media addict (@runforserenity)

• (Reformed) helicopter parent

Page 5: IT GRC in Higher Education (286866068)

EDUCAUSE IT GRC PROGRAM

• Resources and research to help develop higher education IT GRC programs

• Multi-disciplinary approach: Established relationships with NACUBO (business), ACUA (auditors), URMIA (risk management), NACUA (attorneys)

• 201 IT-GRC discussion list members

The EDUCAUSE IT-GRC program provides resources that help IT professionals define and implement IT GRC activities on their campuses. Learn more and view additional resources at www.educause.edu/it-grc

Page 6: IT GRC in Higher Education (286866068)

The 2015 EDUCAUSE Top 10 IT Issues List: IT GRC Themes

Governance

• #5: Demonstrating the business value of information technology and how technology and the IT organization can help the institution achieve its goals

• #6: Increasing the IT organization’s capacity for managing change, despite differing community needs, priorities, and abilities

Risk

• #7: Providing user support in the new normal—mobile, online education, cloud, and BYOD environments

• #9: Developing an enterprise IT architecture that can respond to changing conditions and new opportunities

• #10: Balancing agility, openness, and security

Compliance

• #8: Developing mobile, cloud, and digital security policies that work for most of the institutional community

Page 7: IT GRC in Higher Education (286866068)

IT GRC Definitions--Governance

• Decision-making processes

• Ensure the effective and efficient use of IT

• Enable an institution to achieve its strategic goals

Page 8: IT GRC in Higher Education (286866068)

What Does the IT Governance Body Do?

Source: Jacqueline Bichsel and Patrick Feehan, Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in Higher Education (Louisville, CO: ECAR, June 2014), http://www.educause.edu/library/resources/it-governance-risk-and-compliance-higher-education.

Page 9: IT GRC in Higher Education (286866068)

Evolution of Governance at Brandeis

• Couple technology governance to University Governance

• Technology = Technology + Business Process

• Data Governance

• Rationalize Governance through Integrated Planning

Page 10: IT GRC in Higher Education (286866068)

Source for definitions: http://www.riskope.com/2014/04/03/lets-define-strategic-tactical-and-operational-planning/

Page 11: IT GRC in Higher Education (286866068)

Questions About IT Governance

• What do you need to govern?

• How is IT governance different from making good business decisions? (Is it?)

• Does IT governance fit into and inform already established institutional governance processes?

• Is governance possible if budget money is not attached to governance decisions?

• What does higher education need to effectively govern IT?

Page 12: IT GRC in Higher Education (286866068)

IT GRC Definitions--Risk

• The potential for an unplanned, negative business outcome; IT risk is a business risk

• Events that could potentially impact the entire institution; not just those that would affect IT operations and staff

• Creates challenges in meeting strategic goals

Page 13: IT GRC in Higher Education (286866068)

Balance Between Risk Control and Openness

Source: Jacqueline Bichsel and Patrick Feehan, Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in Higher Education (Louisville, CO: ECAR, June 2014), http://www.educause.edu/library/resources/it-governance-risk-and-compliance-higher-education.

Page 14: IT GRC in Higher Education (286866068)

Questions About IT Risk

• What are the IT risks that would cause the institution to fail to achieve its goals or operational excellence?

• Who should IT leadership tap to lead its IT risk management efforts? (Security? Infrastructure? Planning? Business Continuity?)

• Is there already a coordinated enterprise-wide risk management initiative at your institution, such as an Enterprise Risk Management (ERM) program? Can IT risk management work within that initiative?

• What is the appropriate balance between risk control and openness in higher education? (Is there an appropriate balance across the board?)

• What does higher education need to effectively identify and respond to IT risk?

Page 15: IT GRC in Higher Education (286866068)

IT GRC Definitions--Compliance

• Operating IT systems in a way that meets imposed constraints

• Laws and regulations; contracts and agreements

• Institutional policies

Page 16: IT GRC in Higher Education (286866068)

IT Compliance Practices

Source: Jacqueline Bichsel and Patrick Feehan, Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in Higher Education (Louisville, CO: ECAR, June 2014), http://www.educause.edu/library/resources/it-governance-risk-and-compliance-higher-education.

Page 17: IT GRC in Higher Education (286866068)

Questions About IT Compliance

• What are the laws and regulations that impact the operation of institutional IT resources (or the data in those resources)?

• What institutional policies apply to operation of institutional IT resources (or the data in those resources)?

• Do you know what contracts/agreements your institution has made or entered into that impose conditions on the use of institutional IT resources (or the data in those resources)?

• Is there already a coordinated, enterprise-wide compliance initiative at your institution, and can IT compliance activities fit into or help inform the larger program?

• Is IT compliance optional? (And does your institution treat it that way?)

• What does higher education need to effectively identify and respond to IT risk?

Page 18: IT GRC in Higher Education (286866068)

SO WHAT NEXT??

Governance

• Decision-making processes

• Ensure the effective and efficient use of IT

• Enable an institution to achieve its strategic goals

Risk

• The potential for an unplanned, negative business outcome; IT risk is a business risk

• Events that could potentially impact the entire institution; not just those that would affect IT operations and staff

• Creates challenges in meeting strategic goals

Compliance

• Operating IT systems in a way that meets constraints imposed on the institution

• Laws and regulations; contracts and agreements

• Institutional policies

Page 19: IT GRC in Higher Education (286866068)

EDUCAUSE IT GRC PROGRAM

• 2014 ECAR Research on IT GRC in Higher Ed

• EDUCAUSE Review “Good Ideas” articles

• Curated EDUCAUSE library resources

Available at: www.educause.edu/it-grc

Page 20: IT GRC in Higher Education (286866068)

IT GRC Program Risk Register

• New Resource: IT Risk Register

• Intended to help institutional IT departments to get their strategic IT risk-management programs off the ground

• 34 strategic risks, sortable and with references

Page 21: IT GRC in Higher Education (286866068)

IT GRC Program Risk Register

• Sort by risk type:

  • Compliance

  • Financial

  • System/Service/IT Life Cycle

  • Operational

  • Reputational

  • Strategic

Page 22: IT GRC in Higher Education (286866068)

IT GRC Program Risk Register

• Sort by IT domain

• Based on the EDUCAUSE Core Data Service for cross-referencing with that tool

• 11 domain areas

Page 23: IT GRC in Higher Education (286866068)

Get Involved! IT GRC Program

Webpage with resources: http://www.educause.edu/it-grc

Join the discussion: ITGRC-[email protected]

Interested in volunteering? Email [email protected]