U.Va.’s IT Security
Risk Management Program
(ITS-RM)
April 2004 LSP Conference
Brian Davis
OIT, Security and Policy
IT Security Risk Management
Program (ITS-RM)


Announcing the roll out of version 1.0
Will assist departments in appropriately
protecting their IT assets
Why?
IT Security Risk Management.
It’s not just a “best practice,”
it’s a good idea!
Good News



Most of you are already doing most of
what you need to be doing
Program provides tools to make
identification and prioritization of the rest
easier
Be prepared when your department’s
administrators come to you for assistance
What’s Risk Management?
Formally defined
“The total process to identify, control, and
manage the impact of uncertain harmful
events, commensurate with the value of
the protected assets.”
More simply put…
“Determine what your risks are and then
decide on a course of action to deal with
those risks.”
Even more colloquially…
What’s your threshold for pain?
Do you want failure to deal with this risk to
end up on the front page of the
Daily Progress?
Risk Management Practices
Conduct a mission impact analysis and risk
assessment to:
1. Identify various levels of sensitivity
associated with information resources
2. Identify potential security threats to those
resources
Risk Management Practices
(cont.)
Conduct a mission impact analysis and risk
assessment to:
3. Determine the appropriate level of security
to be implemented to safeguard those
resources
4. Review, reassess and update as needed or
at least every 3 years
Risk Management Practices
(cont.)


Coordinated and integrated with
contingency planning and mission
resumption activities
Mission continuity plan that will provide
reasonable assurance that critical data
processing support can be continued or
resumed within an acceptable time frame
if normal operations are interrupted
University Level




Design university-wide program for
analysis, assessment & planning
Identify general security threats & provide
other guidance material
Oversee completion of department level
analysis, assessment, planning efforts
Complete yearly analysis & assessment
for enterprise systems; update enterprise
business continuity regularly
Departmental Level



Identify sensitive department system data,
assets & threats to those data, assets
Determine appropriate safeguards & form
plan for implementing them
Complete U.Va. templates at least every
three years & when computing
environment changes significantly
Brief Description
ITC implementing a University-wide IT
Security Risk Management Program for
 IT Mission Impact Analysis
 IT Risk Assessment
 IT Mission Continuity Planning
 Evaluation and Reassessment
What Has Been Done





ITC conducts a yearly business analysis and risk
assessment for directly managed resources;
updates its business continuity plan more often
Similar planning occurred across the University as
part of the Y2K initiative
Comptroller’s Office collects information on the
existence–but not quality–of security-related plans
Audit Department includes review of security plans
during routine departmental audits
ITC’s departmental security self-assessment
checklist (part of security awareness program)
Why That’s Not Enough





Y2K business continuity plans not updated
No mechanisms for tracking the frequency
of updates, quality and consistency
No central repository for safeguarding
assessment and planning documents
No university-level procedure dealing
explicitly with ongoing IT security risk
management
Non-compliant with state standards or
HIPAA and GLBA
Responsibilities

ITC
Health System
Audit Department
Other Offices

The Departments…



Executive Support




Strong executive support has been a key
success factor at other institutions
Executives fully behind program at U.Va.
University policy requiring participation in
the program is coming
Encouragement from LSPs will also be
necessary as many department heads will
not fully appreciate the need for IT security
assessment and planning
Step 1 - Identify
Critical IT Assets
Critical
Assets
List
ITS-RM Toolbox:
1. Criteria
2. Template
Step 2 Р Assess Risks
ITS-RM Toolbox:
1. threat scenarios
2. response strategies
3. remediation plan
template & example
For each c ritical asset:
Ґ Weigh likelihood & impact
of threats to each asset
Ґ Prioritize thre ats
Ґ Select response strategies
Ґ Develop remediation plan
Remediation
Plan
Step 3 Р Mission
Continuity Planning
ITS-RM Toolbox:
1. disaster recovery
plan example
2. interim manual
procedures
example
Create a response plan to
use in the e vent th at
critical I T assets are lost,
unavailable, corrupted or
disclosed
Disaster
Recovery
Plan
Interim
Manual
Procedures
Step 4 Р Evaluation and Reassessment
Required at l east once every thre e years
Let’s look at an example…
It’s good for you!



Risk management makes you more
efficient
Risk management helps you make your
case
Risk management has got your back
It’s not as painful as it looks!



No one will be starting from scratch
Little is expected from those with little,
more is expected from those with more
The templates are designed for the most
complex situations but work for simple
solutions, too
ITS-RM Roll Out




Version 2.0 coming soon…
Top 5 by end of year
Next 5 by next summer
Encourage other departments to get
moving
You’re Not Alone...


ITC can’t do it for you
Available to consult


Meet to explain process
Service consultations if we have solutions that
fill a gap
For More Information...
http://www.itc.virginia.edu/security/riskmanagement
Brian Davis
bdavis@virginia.edu
243-8707
Shirley Payne
payne@virginia.edu
924-4165