OLA 2011-boone-moore-risk and continuity in library operations
description
Transcript of OLA 2011-boone-moore-risk and continuity in library operations
![Page 1: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/1.jpg)
EXPLORING OPERATIONAL
SECURITY RISK AND CONTINUITY IN
LIBRARY OPERATIONS
Ontario Library Association – Super Conference 2011
Pat Moore & Wayne Boone
04 February 2011
![Page 2: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/2.jpg)
AGENDA
Supporting Mission Success
Risks to Operations
Introduction to Risk Management Frameworks
MacOdrum Library Projects
Lessons Learned
Research Program
Conclusions and Way Ahead
Q & A
1
![Page 3: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/3.jpg)
ALL OPERATIONS SUPPORT THE MISSION
What is our mission?
We promote excellence at Carleton University by collecting, preserving and providing access to information resources and services for our teaching, learning, research and administrative communities wherever they are located.
MacOdrum Library – Carleton University (ca. 2003)
2
![Page 4: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/4.jpg)
MISSION ANALYSIS – SUMMARY
Choose
Choose- singles (monographs)
Choose subscriptions
(serials)
Choose suites
Order /receive
Profiled
Check-in
Describe
Catalogue
Classify
Make available
Label
Shelve
Proxy
Find
Search
• OPAC
• Web
Browse
Filtered
• Course
• Subject
Access
ERM licensing
Authentication
Proxy
Use/borrow
Circulation
• Regular
• Media / special formats
• Course reserve
• Laptop
Interlibrary loans
3
![Page 5: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/5.jpg)
MISSION ANALYSIS – SUMMARY
Must ensure the Availability, Integrity and Confidentiality (AIC) of content and services
Must plan and prepare to continue/recover provision of content and services after a major interruption
Service Level Agreements (written and implied) Reciprocal services
Expectations of patrons
Roles in the community (meetings, etc.)
Stewardship of assets
Contribution to learning, economic prosperity
4
![Page 6: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/6.jpg)
DEFINING RISK
Risk is uncertainty of loss expressed in terms of probability of such loss
Chance of a threat exploiting a vulnerability and causing a loss to an asset in terms of:
• Confidentiality
• Integrity
• Availability
Forms of risk: • Classic risk: budgetary, asset protection, service continuity
• Intangible risk: opportunity cost, reputation
5
![Page 7: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/7.jpg)
Identifying Risk
Risk Assessment
Mitigation
Prioritization & Decision Making
UNDERSTANDING RISK
6
Plans
current operations
changes to operations
new projects
![Page 8: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/8.jpg)
WHY CONDUCT RISK ASSESSMENT?
Informed decision for risk management
Fuller understanding of: Operations Asset values Threats Vulnerabilities Risks Safeguards
Due diligence
Accountability
7
“… the TRA, is a particularly
powerful tool to help program and
project managers meet their
responsibilities for due diligence and
sound stewardship while seeking
innovative solutions to enhance
service delivery results and
performance…designed to address
all employees, assets and services
at risk.”
Harmonized Threat & Risk Assessment (HTRA) Methodology, 2007www.cse-cst.gc.ca/documents/publications/tra-emr/tra-emr-1-e.pdf
![Page 9: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/9.jpg)
HOW ARE TRAS PERFORMED? (FROM HTRA)
Establish scope of assessment and identify employees and assets to be safeguarded
Determine threats to employees and assets and assess the likelihood and impact of their occurrence
Assess vulnerabilities of assets
Assess adequacy of existing safeguards
Compute risk
Implement additional safeguards, if necessary, to reduce residual risk to an acceptable level
8
![Page 10: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/10.jpg)
TRA TERMINOLOGY – ASSET
Anything that has value (and must be protected)
Personnel
Materiel
Infrastructure and facilities
Information
Activities
9
MaterielPersonnel
Facilities and Infrastructure Information Activities
![Page 11: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/11.jpg)
Tangible and intangible e.g. reputation, goodwill, market share, legal position
Value expressed in terms of CIA triad
Confidentiality • Integrity • Availability
Valuated by injury test
10
TRA TERMINOLOGY – ASSET (CONTD)
![Page 12: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/12.jpg)
Threat - potential danger to assets that can affect the CIA triad by exploiting vulnerabilities
Vulnerability - weakness or “lack of something” in an asset that could be exploited by a threat
Physical Personnel Technical Procedural
Natural
ALL
(e.g. earthquakes,
volcanoes, storms)
Deliberate Employee sabatogeHacker
AccidentalUnauthorized
software (e.g. game)Cut Cable
TYPE INTERNALEXTERNAL
11
TRA Terminology
![Page 13: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/13.jpg)
TRA TERMINOLOGY – RISK ASSESSMENT
Determination of the likelihood and impact on operational success of a threat exploiting a vulnerability and causing a loss of the value of an asset Both a process and interim result
Part of risk management The total process of identifying, controlling
and eliminating or minimizing uncertain events that might affect system resources
Residual Risk (RR) The risk remaining after implementation of
safeguards
12
![Page 14: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/14.jpg)
TRA TERMINOLOGY
Safeguards - risk-reducing measures that act to detect, prevent, or minimize loss associated with the occurrence of a threat or threat scenario
Reduce either vulnerability or threat
13
Physical Controls
Technical Controls
Administrative Controls
Organizational Assets & Data
![Page 15: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/15.jpg)
Aim is to determine and accept RR
Senior management decision
Options Accept
Mitigate
Transfer
Deny/Avoid
TRA Terminology – Risk Management
14
![Page 16: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/16.jpg)
MACODRUM PROJECTS
Existing environment – preparing for change
Identity Management Framework (TRA)
New project – should we proceed?
CURVE Institutional Repository (TRA)
Continuity planning
Business Continuity Plan (BCP)
Disaster Recovery Plan (DRP)
15
![Page 17: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/17.jpg)
IDENTITY MANAGEMENT FRAMEWORK
Analyzing user identity, authentication & access management within MacOdrum Library
Scope: in-depth analysis of Library systems in the larger context of Carleton ID management
CIA requirements
C – Low
I – Moderate
A - Low
16
![Page 18: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/18.jpg)
IDENTITY MANAGEMENT TRA FINDINGSThreats
•Malicious hacking (High)
•Accidental disclosure of sensitive information by employees (High)
•Deliberate disclosure of sensitive information by disgruntled staff (Moderate)
Vulnerabilities •Lack of security awareness and training program
•Lack of Business Continuity Management (BCM) Program
•Ineffective access control mechanisms
Risks•Compromised information or services due to accident or attack by malicious hacker (Very High)
•Loss of Integrity of authentication data and patron’s credentials leading to reduced availability (High)
![Page 19: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/19.jpg)
IDENTITY MANAGEMENT TRA FINDINGS
Recommendations •Develop a formal IT security awareness program
•Develop and test a formal BCP and DRP
•Develop and deploy a Central Authentication system
•Develop and deploy stronger Authentication / Authorization mechanism for Remote Vendor Access
•Implement more stringent IDS / IPS
•Develop security policies for critical day-to-day operations
![Page 20: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/20.jpg)
CURVE INSTITUTIONAL REPOSITORY
Multi-tiered, multifunctional research support and digital archive environment
Scope: E-theses and Dissertations stream
CIA requirements
19
silo authoring committee Processing
-FGS
Processing -
Library
Public/
preservation
ele
ment
conte
nt
Editin
g/
annota
tions
corr
espondence
conte
nt
Com
ments
/
annota
tions
Pro
cess /
Corr
espondence /
Pro
cess
docum
enta
tio
n /
W
aiv
er
/ IP
docs
Conte
nt
Waiv
er
/ IP
docum
enta
tio
meta
data
conte
nt
Meta
data
str
eam
s
Confidentiality M M H M E H M L L H L vL vL
Integrity H H M H M M H E E H H E H
Access H M M M L M M L M L H M–>E H
Monetary E H L M M M H H E H M E M
![Page 21: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/21.jpg)
CURVE TRA FINDINGSCritical Assets
•Theses and dissertations, in digital format •Metadata•Overall reputation of University, Library and Faculty
Threats•Policy changes initiated by the Faculty of Graduate Studies and Research •Deliberate academic espionage•Coding and systems integration errors
Vulnerabilities•Lack of depth of personnel redundancy•Lack of design documents •Lack of a governance structure or partnership agreement with Faculty of Graduate Studies and Research
![Page 22: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/22.jpg)
CURVE TRA FINDINGS
Risks•Reduction of integrity of the University's reputation due to:
• Software/Logic errors (Very High)
• Deliberate academic espionage (Very High).
•Reduction of integrity of content data objects (Very High).
Recommendations•Increase depth of personnel redundancy with respect to technical expertise
•Develop formal governance structure or partnership agreement
•Develop requirements and technical and design documentation
![Page 23: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/23.jpg)
TRA LESSONS LEARNED Takes considerable time for information gathering
Extensive coordination (internal and external) required
Enhanced understanding of operational processes
“Forced” clear articulation by staff
Tested operational assumptions
Identified gaps in procedures and documentation
Useful for making business cases for process change, funding
Increased AP&S awareness of staff
Students - highly motivated, work well in teams, learn significantly more than in passive course
22
![Page 24: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/24.jpg)
RISK MANAGEMENT TOOL –BUSINESS CONTINUITY PLANNING
Umbrella term for strategy to prevent interruptions to normal business activity
Ensures continued provision of key business processes and personnel (A I C)
Framework for building resilience, appropriate response and resumption
Includes BCP and DRP
23
![Page 25: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/25.jpg)
CONTINUITY PLANS
Business Continuity Plan (BCP) Focus on operational business processes Primary objective is to continue/recover all mission-
critical business functions after a major interruption Typically at an alternate site
Restoration of all business functions at the primary site
Disaster Recovery Plan (DRP) Focus on IT Recovery - technical Immediate and temporary actions to restore limited IT
operations within maximum allowable downtime Primary objective
Process mission-critical applications in degraded mode Return to normal mode in reasonable time
24
![Page 26: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/26.jpg)
BCP/DRP DEFINITIONS
Major Interruptions
Disaster – a sudden, unstoppable, unplanned calamitous event that brings about great damage to or loss of life, valuables, environment
• Organization unable to support critical business functions within maximum allowable downtime at the primary site
Catastrophe – a major disaster that destroys the facility altogether
25
![Page 27: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/27.jpg)
WHAT IS CRITICAL?
Critical Business Function (ensured by BCP)
Subset of functions essential to meet minimum service levels (MSLs)
Meets organizational goals
Complies with regulations, laws, and SLAs
Critical Information System (ensured by DRP)
Hardware, software, personnel and communications necessary to ensure the viability of an organization during an interruption in normal data processing support
26
![Page 28: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/28.jpg)
Plan Execution
Continuum of a BCP Program
27
![Page 29: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/29.jpg)
MACODRUM LIBRARY OPERATIONS
Background
Academic Library, expectations of service delivery of students, faculty and staff
Scope
All library operations
Findings (pursuant to research project)
28
![Page 30: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/30.jpg)
FULL RANGE OF LIBRARY PERSONNEL
0 -3 years
4-10 years
11-15 years
16+ years
Experience in Library(or related fields)
0123456789
Areas of responsibility
1 (primary)2 (secondary)
29
![Page 31: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/31.jpg)
APPROPRIATENESS OF SITE
16.7%
50.0%
16.7%
12.5%
4.2%
Very appropriate
Quite appropriate
Somewhat appropriate
Minimally appropriate
Not appropriate
30
![Page 32: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/32.jpg)
4.2%
70.8%
20.8%
4.2%
No impact
Minimal impact
Some impact
Considerable impact
IMPACT OF PARTICIPATION IN BCPON LIBRARY OPERATIONS
31
![Page 33: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/33.jpg)
VALUE OF BCP PRACTICUM & PROGRAM
IN SUPPORTING OPERATIONAL CONTINUITY
32%
56%
12%
Not valuable at all
Somewhat valuable
Quite valuable
Very valuable
32
![Page 34: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/34.jpg)
APPROPRIATENESS OF
SUPERVISED PRACTICUM
50% would recommend without reservation to colleagues to participate in a practicum to produce a BCP
45% would recommend with reservations
“Be aware of the time commitment”
“Release a staff person from all other duties”
“It is not something you can say no to”
33
![Page 35: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/35.jpg)
WORTH OF PARTICIPATION
16%
28%
48%
8%
Worth of participation in BCP practicum
Very worthwhile
Quite worthwhile
Somewhat worthwhile
Minimally worthwhile
Not worthwhile at all
34
![Page 36: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/36.jpg)
CLIENT – KNOWLEDGE GAINED IN BCP/DRP
33%
15%8% 8%
41%
44%
8%
46%
8%
15%
60%
30%
56%
35%
52%
11%
32%
11%
32%
12%
32%
0%
20%
40%
60%
80%
100%
120%
BCP-initial BCP final DRP -initial DRP -final EM - initial EM - final
No knowledge Awareness of concept Some knowledge Considerable knowledge
35
![Page 37: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/37.jpg)
STAFF WILLINGNESS TO SUPPORT BCP PROGRAM
36
![Page 38: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/38.jpg)
SUMMARY COMMENTS
“The pro is the cost but the major con is the time that it took.” Requires project authority to be fully devoted to the practicum
“[She] learned a tremendous amount and is now an excellent resource for the Library, as well as the University”
“I fully support this project and wanted to do anything I could to help”
37
![Page 39: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/39.jpg)
CLIENT PERSPECTIVE – SUMMARY
“Participation validated questions I had about operations and safety”
“It was valuable in getting managers to recognize gaps in documentation and also that the BCP is a library-wide operation which requires commitment and participation from all sections”
“Without seeing it in practice, I am sceptical. Without [staff] comprehension and buy-in, the plan does little”
38
![Page 40: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/40.jpg)
LESSONS LEARNED
Difficult to estimate LoE for a practicum site
Detail
Must plan for inconsistent effort
Must scope the project to time, site complexity and number/experience of students
LoE for Technical Authority was substantial
Dedication and interest
Logistics and learning support
39
![Page 41: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/41.jpg)
LESSONS LEARNED
Need to manage student, consultant and client expectations on LoE
Significant lead time and planning required
Formal Project Management required
40
![Page 42: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/42.jpg)
RESEARCH IN ASSET PROTECTION AND SECURITY
(AP&S) LEARNING
Utility of combining advanced theoretical (academic) and practical (skills) learning toward the production of useful AP&S deliverables for critical infrastructure clients
Private courses
Academic courses (e.g., MIPIS)
Supervised work placements Co-ops
Internships
41
![Page 43: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/43.jpg)
CONCLUSIONS
Overall worthwhile
Appreciate limits on capacity to participate and plan accordingly
42
![Page 44: OLA 2011-boone-moore-risk and continuity in library operations](https://reader034.fdocuments.in/reader034/viewer/2022052621/557cb078d8b42a826c8b541a/html5/thumbnails/44.jpg)
QUESTIONS?
Pat Moore, AUL and Head of Systems, 613 520-2600 X2745, [email protected]
Wayne Boone, Assistant Professor, IPIS Program, 613 520-2600 X 6672, [email protected]