University Technology Risks Assessment and Management
April 2010
Pati Milligan, PhD
Professor, Baylor University, Waco, Texas

Issues
• What are academic technology risks?
• How do we assess and manage them?
• Where do we fail?
• Future focus?
• Private vs. public university risk assessments

As so aptly stated in the ACFE presentation: "In the initial stages, fraud and stupidity bear a close resemblance."

Why Care About IT-related Risk?
• Most universities are not-for-profit, with limited staff and budget
• Academia is an open learning environment
• So what's the big deal?
• Every component of the university is dependent on automation and integration
• We must integrate business and academic technology solutions to attain proper risk management

IT Risk (more than meets the eye)
• Support
• Telecommunications
• Mobile devices
• Cyber security
• Data management
• Business process
• Application
• Collaboration
• Contracts
• Vendor selection
• Existing solutions
• Guiding principles
• Network architecture

IT Risk Must Manage and Capitalize on Business Risk
• Some universities try to eliminate the very risks that drive research and education
• Guidance is needed on how to manage risk effectively
©2009 ISACA/ITGI. All rights reserved.

A Balance is Essential
• Risk and value are two sides of the same coin
• Risk is inherent to all enterprises
• Academic risk and industry risk are the same... but we need to ensure that the opportunities for value creation provided by academia are not missed by trying to eliminate all risk

So How to Assess Technology Risk?
• Scope definition
  ◦ Business process identification, including roles within the business process and interest groups (internal and external)
  ◦ Academic needs?
  ◦ Assets that need protection?
• Analysis
  ◦ Qualitative risk assessment methodology
  ◦ Identification of conflicts of interest
  ◦ Business need for access for identified roles vs. academic need for autonomy
  ◦ Issues with the current access system

ISACA's IT Risk Model: Risk Assessment to Risk Governance
Risk domains:
• Governance
  ◦ Responsibility and accountability for risk
  ◦ Risk appetite and tolerance
  ◦ Awareness and communication
  ◦ Risk culture
• Evaluation
  ◦ Risk scenarios
  ◦ Business impact descriptions
• Response
  ◦ Key risk indicators (KRIs)
  ◦ Risk response definition and prioritization

As you know...
[Qualitative risk matrix: likelihood on the vertical axis from A (improbable) to E (unavoidable); impact on the horizontal axis from A (Low) to E (Critical)]

Potential Academic Exposures
• Loss of competitive research
• Opposition research from other universities
• Loss of personal data

IT-related Risk Evaluation
Technology risk is not limited to information security. It covers all IT-related risks, including:
• Late project delivery
• Not achieving enough value from IT
• Compliance (FERPA, PFIA, SOX)?
• Misalignment of business responsibilities
• Obsolete or inflexible IT architecture
• IT service delivery problems
• Autonomy for research and teaching

Approach and Interviews
• Public and private universities
• U.S. and global
• Personal interviews with IT auditors and risk management officers
• On-site observation

Questions to ask
1. How do you determine the level of risk to the university administrative functions in the following areas:
   a. Network access
   b. Web applications
   c. Online email
2. What is the current IT infrastructure, and which applications support the major business processes (complete the ISO levels if possible)? How frequently does this change? Who supports this infrastructure, i.e. do the departments support any of the teaching and research nodes?
3. External environment: do you outsource any of the IT services?
4. Regulatory environment: which compliance areas pose risk to the university?
5. What is the strategic importance of the technology network for the university?
6. What is the operational importance of the networks for the university? Could the university sustain a network outage of 7 days?
7. Do you have a risk management philosophy, process, and operating model?
8. Who manages Risk Governance (RG), Risk Evaluation (RE), and Risk Response (RR) for the university systems?
9. How are technology decisions made?
10. Does the university offer online courses for credit? How is that managed? What is the risk if the system is unavailable or if the system is breached?
11. How is the technology investment (money for function) managed? Is technology (cost and value) a component of the Board of Directors' meetings and of risk and budget discussions?
12. What are the top five risk factors for the university?
13. What are the top five IT risk scenarios?
14. Does the university experience any of the following issues?
   a. Late project delivery
   b. Not achieving enough value from IT
   c. Compliance
   d. Misalignment
   e. Obsolete or inflexible IT architecture
   f. IT service delivery problems
15. How often do you evaluate legacy systems for sunsetting?
16. Describe your information security protection program.
17. What is your data retention policy?
18. How consistent is your patch management?
19. Does IT use standard builds?
20. To what extent do you rely on in-house applications?
21. How much do you rely on contractors?
22. Do you have foreign (non-U.S.) nationals working with sensitive data?
23. Who owns the data?

Where do we generally fail?
◦ Impairing the ability to "publish or perish"
◦ Burning bridges with research sponsors and partners
◦ Inadequate tenure-track reviews
◦ Teaching and research effectiveness reviews
◦ Staff and faculty training
◦ Decentralized survey administration (integrity of results)
◦ Not all school/department goals are met
◦ Academic vs. business resource allocation not evaluated

Where do we commonly fail? (cont.)
• Failure to monitor service (business)
• Relinquishing control/oversight (business)
• Failure to review any outsourced service providers' internal controls
• Failure to audit all critical areas (network security)
• Failure to routinely review providers' financial statements
• Failure to validate the destruction of confidential (proprietary, research, performance) data when no longer required
• Inadequate regulatory framework
• Business employees and faculty may not have the tools necessary to perform their duties effectively and efficiently
January 2009

Areas of Concern
• Ad-hoc access provisioning
• Access that is too strict or too loose
• Lack of, or inadequate, access policy
• Lack of integration with business processes
• Insufficient separation of duties
• Former employees or vendors who still have access
• Blurred network perimeter

For Those Using Outsourced Services, Don't...
• Negotiate too hard for a least-cost scenario
• Rush (misplaced haste) to get a contract in place
• Forget an exit strategy
• Fail to control legal compliance
• Fail to plan for a long-term, strong relationship
• Negotiate and manage from an "ivory tower"
• Ignore performance details

In Conclusion: Guiding Principles of Risk IT
• Always connect to university system objectives
• Align the management of IT-related business risk with overall university risk management
• Balance the costs and benefits of managing risk
• Promote fair and open communication of IT risk
• Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels
• Understand that this is a continuous process and an important part of daily activities
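The access-control failures listed under "Areas of Concern" above (ad-hoc provisioning, former employees or vendors still holding access, insufficient separation of duties, access policy that is too loose) are exactly what a periodic access review is meant to surface. The script below is an added example and is not part of this deck or of the ISACA material it cites. The HR roster, the directory export, the role-to-entitlement policy and the separation-of-duties rules are all constructed, hypothetical data. It reconciles what each identity has actually been granted against what its HR status and business roles allow, and it also checks the role policy itself for role pairs that should never be co-assigned, which catches a too-loose policy before anyone is provisioned under it.

```python
"""Access review over constructed sample data (added example, not the deck's own).

Flags three of the failure modes from the "Areas of Concern" slide:
  orphaned_account   - identity has access but no active HR record
                       (former employee, ended vendor contract, or no record at all)
  adhoc_entitlement  - identity holds entitlements that none of its roles grant
  sod_conflict       - identity holds two entitlements the SoD rules forbid together
All identities, roles and entitlement names are hypothetical.
"""

# Constructed HR roster: status and assigned business roles per identity.
HR_ROSTER = {
    "jdoe":    {"status": "active",         "roles": {"registrar_clerk"}},
    "asmith":  {"status": "active",         "roles": {"ap_clerk", "ap_approver"}},
    "bchen":   {"status": "terminated",     "roles": set()},   # left the university
    "vendor1": {"status": "contract_ended", "roles": set()},   # outsourced provider staff
}

# Constructed role policy: the entitlements each business role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "registrar_clerk": {"sis.grades.read", "sis.enrollment.write"},
    "ap_clerk":        {"erp.invoice.create"},
    "ap_approver":     {"erp.invoice.approve"},
    "faculty":         {"sis.grades.write", "lms.course.admin"},
}

# Separation-of-duties rules: no single identity may hold both entitlements of a pair.
SOD_CONFLICTS = [
    ("erp.invoice.create", "erp.invoice.approve"),   # create and approve own invoices
    ("sis.enrollment.write", "sis.grades.write"),     # enroll a student and grade them
]

# Constructed directory export: entitlements actually granted to each identity.
DIRECTORY = {
    "jdoe":    {"sis.grades.read", "sis.enrollment.write", "hr.payroll.read"},
    "asmith":  {"erp.invoice.create", "erp.invoice.approve"},
    "bchen":   {"lms.course.admin"},
    "vendor1": {"erp.invoice.create"},
    "ghost":   {"sis.grades.write"},   # no HR record at all
}


def review_access(hr, directory, role_map, sod):
    """Return a list of (finding_type, identity, entitlements) tuples, sorted by identity."""
    findings = []
    for uid, granted in sorted(directory.items()):
        person = hr.get(uid)
        # Anyone without an active HR record should hold nothing; report everything they have.
        if person is None or person["status"] != "active":
            findings.append(("orphaned_account", uid, sorted(granted)))
            continue
        # Union of everything the person's roles permit; empty roles give an empty set.
        allowed = set().union(*(role_map.get(r, set()) for r in person["roles"]))
        extra = granted - allowed
        if extra:
            findings.append(("adhoc_entitlement", uid, sorted(extra)))
        # SoD is checked on granted entitlements, not on roles: two individually
        # legitimate roles can still combine into a conflict on one person.
        for a, b in sod:
            if a in granted and b in granted:
                findings.append(("sod_conflict", uid, [a, b]))
    return findings


def conflicting_role_pairs(role_map, sod):
    """Role pairs whose combined entitlements violate a SoD rule.

    These are policy-level defects: assigning both roles to one person is
    guaranteed to produce an sod_conflict, so provisioning should refuse the pair.
    """
    pairs = set()
    roles = sorted(role_map)
    for i, r1 in enumerate(roles):
        for r2 in roles[i + 1:]:
            combined = role_map[r1] | role_map[r2]
            if any(a in combined and b in combined for a, b in sod):
                pairs.add((r1, r2))
    return sorted(pairs)


if __name__ == "__main__":
    for kind, uid, ents in review_access(HR_ROSTER, DIRECTORY, ROLE_ENTITLEMENTS, SOD_CONFLICTS):
        print(f"{kind:18} {uid:8} {', '.join(ents)}")
    for r1, r2 in conflicting_role_pairs(ROLE_ENTITLEMENTS, SOD_CONFLICTS):
        print(f"policy: never co-assign {r1} and {r2}")
```

Run against the constructed data, the review reports the terminated employee, the ended vendor contract and the identity with no HR record as orphaned accounts, the clerk's out-of-role payroll read as ad-hoc provisioning, and the accounts-payable user who can both create and approve invoices as a separation-of-duties conflict; the policy check independently reports that the two AP roles, and faculty plus registrar clerk, must never be assigned to the same person. In practice the roster and directory would come from the HR system and the identity store exports, and the role policy from the access policy the "Areas of Concern" slide says is so often missing.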
Benefits and Outcomes
• Accurate view of current and near-future IT-related events
• End-to-end guidance on managing IT-related risks
• Understanding of the investments made in technology for business, research, and teaching
• Integration with the overall risk and compliance structures within the university
• Common language to help manage the relationships
• Promotion of risk ownership throughout the organization

For More Information:
• ISACA IT Risk Toolkit, www.isaca.org
• ISACA/ITGI Risk Model (see model file)
• OCEG Burgundy Book Executive Summary, www.oceg.org

Questions? Thank You!