University Technology Risks
Assessment and Management
April 2010
Pati Milligan, PhD
Professor, Baylor University
Waco, Texas
Issues
• What are Academic Technology Risks?
• How do we Assess and Manage?
• Where do we fail?
• Future focus?
• Private vs Public University Risk Assessments
As so aptly stated in the ACFE presentation:
"In the initial stages, fraud and stupidity bear a close resemblance."
Why Care About IT-related Risk?
• Most universities are not for profit and have limited staff/budget
• Academia is an open learning environment
• So what's the big deal?
• Every component of the university is dependent on automation and integration
• We must integrate business and academic technology solutions to attain proper risk management
IT Risk (more than meets the eye)
Components of IT risk:
• Support
• Telecommunications
• Mobile Devices
• Cyber Security
• Data Management
• Business Process
• Application
• Collaboration
• Contracts
• Vendor Selection
• Existing Solutions
• Guiding Principles
• Network Architecture
IT Risk Must Manage and Capitalize on Business Risk
• Some universities try to eliminate the very risks that drive research and education
• Guidance is needed on how to manage risk effectively
©2009 ISACA/ITGI. All rights reserved.
A Balance is Essential
• Risk and value are two sides of the same coin
• Risk is inherent to all enterprises
• Academic risk and industry risk are the same
But…
• Need to ensure opportunities for value creation provided by Academia are not missed by trying to eliminate all risk
So How to Assess Technology Risk?
• Scope definition
  ◦ Business process identification, including
    - Roles within business process
    - Interest groups (internal and external)
  ◦ Academic needs??
  ◦ Assets that need protection??
• Analysis
  ◦ Qualitative risk assessment methodology
  ◦ Identification of conflicts of interest
  ◦ Business need for access for identified roles vs. Academic need for autonomy
  ◦ Issues with current access system
ISACA's IT Risk Model
Risk Assessment to Risk Governance
Risk Domains
• Governance
  ◦ Responsibility and accountability for risk
  ◦ Risk appetite and tolerance
  ◦ Awareness and communication
  ◦ Risk culture
• Evaluation
  ◦ Risk scenarios
  ◦ Business impact descriptions
• Response
  ◦ Key risk indicators (KRIs)
  ◦ Risk response definition and prioritization
As you know.....
[Risk matrix: likelihood on one axis, rated A (improbable) to E (unavoidable), against impact on the other, rated A (Low) to E (Critical)]
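The qualitative matrix above feeds the Evaluation and Response domains of the ISACA model: each risk scenario is placed on the likelihood/impact grid, scored, ranked, and compared against the stated risk appetite to decide a response. The following is an added example, not part of the presentation or ISACA's toolkit; the deck names only the end points of each scale (improbable/unavoidable, Low/Critical), so the intermediate labels, the zone cut-offs, the tolerance value and the scenario list are constructed assumptions.

```python
"""Qualitative IT-risk scoring on an A-E likelihood / A-E impact grid.

Added example. Intermediate scale labels, zone cut-offs, the tolerance
value and the scenarios are assumptions, not figures from the deck.
"""
from dataclasses import dataclass

# The deck labels only the end points; the middle labels are assumed.
LIKELIHOOD = {"A": "improbable", "B": "unlikely", "C": "possible",
              "D": "likely", "E": "unavoidable"}
IMPACT = {"A": "Low", "B": "Minor", "C": "Moderate",
          "D": "Major", "E": "Critical"}


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: str   # A-E
    impact: str       # A-E


def score(likelihood: str, impact: str) -> int:
    """Cell score 1..25: rank of likelihood times rank of impact."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"ratings must be A-E, got {likelihood!r}/{impact!r}")
    return (ord(likelihood) - ord("A") + 1) * (ord(impact) - ord("A") + 1)


def zone(s: int) -> str:
    """Map a cell score to a matrix zone (cut-offs are an assumption)."""
    if s >= 15:
        return "high"
    if s >= 6:
        return "medium"
    return "low"


def respond(sc: Scenario, tolerance: int) -> str:
    """Risk response given the stated tolerance (highest score accepted
    without treatment). Critical-impact scenarios are never simply
    accepted, however unlikely: one occurrence exceeds any tolerance
    (a design choice of this example)."""
    s = score(sc.likelihood, sc.impact)
    if sc.impact == "E" or s > tolerance:
        return "treat"    # mitigate or transfer, and define KRIs for it
    return "accept"       # within appetite; keep monitoring


def prioritize(scenarios, tolerance):
    """Return (name, score, zone, response) rows, highest score first,
    i.e. the order in which responses should be defined."""
    rows = []
    for sc in scenarios:
        s = score(sc.likelihood, sc.impact)
        rows.append((sc.name, s, zone(s), respond(sc, tolerance)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed scenarios, drawn from the deck's exposure and failure lists.
SCENARIOS = [
    Scenario("Former employees or vendors retaining access", "D", "D"),
    Scenario("Loss of personal data (FERPA)", "C", "E"),
    Scenario("7-day network outage", "A", "E"),
    Scenario("Late project delivery", "E", "B"),
    Scenario("Decentralized survey administration", "C", "B"),
]

if __name__ == "__main__":
    # Tolerance of 6 is an assumed risk-appetite statement.
    for name, s, z, r in prioritize(SCENARIOS, tolerance=6):
        print(f"{s:>2} {z:<6} {r:<6} {name}")
```

Running the block ranks the stale-access scenario (D/D, score 16) first, then the personal-data breach (C/E, 15); the 7-day outage scores only 5 but is still marked for treatment because its impact is Critical, which is the kind of rule a risk-appetite statement has to make explicit rather than leave to the colour of a matrix cell.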
Potential Academic Exposures
• Loss of competitive research
• Opposition research from other universities
• Loss of personal data
IT-related Risk Evaluation
Technology risk is not limited to information security. It covers all IT-related risks, including:
• Late project delivery
• Not achieving enough value from IT
• Compliance (FERPA, PFIA, SOX)??
• Misalignment of business responsibilities
• Obsolete or inflexible IT architecture
• IT service delivery problems
• Autonomy for research and teaching
Approach and Interviews
• Public and Private Universities
• U.S. and Global
• Personal interviews with IT Auditors and Risk Management Officers
• On-site observation
Questions to ask…….
1. How do you determine the level of risk to the university administrative functions in the following areas:
   a. Network Access
   b. Web Applications
   c. Online email
2. What is the current IT infrastructure and the applications supporting major business processes (complete ISO levels if possible)? How frequently does this change? Who supports this infrastructure, i.e. do the departments support any of the teaching and research nodes?
3. External environment -- Do you outsource any of the IT services?
4. Regulatory environment -- Which compliance areas pose risk to the university?
5. What is the strategic importance of the technology network for the university?
6. What is the operational importance of the networks for the university? Could the university sustain a network outage of 7 days?
7. Do you have a risk management philosophy, process, and operating model?
8. Who manages Risk Governance (RG), Risk Evaluation (RE), and Risk Response (RR) for the university systems?
9. How are technology decisions made?
10. Does the university offer online courses for credit? How is that managed? What is the risk if the system is unavailable or if the system is breached?
11. How is the technology investment (money for function) managed? Is technology (cost and value) a component of the Board of Directors' meetings, risk and budget discussions?
12. What are the top five risk factors for the university?
13. What are the top five IT risk scenarios?
14. Does the university experience any of the following issues?
   a. Late project delivery
   b. Not achieving enough value from IT
   c. Compliance
   d. Misalignment
   e. Obsolete or inflexible IT architecture
   f. IT service delivery problems
15. How often do you evaluate sunset legacy systems?
16. Describe your information security protection program.
17. Data retention policy?
18. Consistency of patch management?
19. Does IT use standard builds?
20. To what extent do you rely on in-house applications?
21. How much do you rely on contractors?
22. Do you have global nationals working with sensitive data?
23. Data Ownership……
Where do we generally fail?
◦ Impairing ability to "Publish or Perish"
◦ Burning bridges with research sponsors and partners
◦ Inadequate tenure track reviews
◦ Teaching and research effectiveness reviews
◦ Staff and Faculty training
◦ Decentralized survey administration – integrity of results
◦ Not all School/Department goals are met
◦ Academic vs. Business resource allocation not evaluated
Where do we commonly fail? (cont.)
• Failure to monitor service (business)
• Relinquishing control/oversight (business)
• Failure to review any Outsource Service Providers' internal controls
• Failure to audit all critical areas (network security)
• Failure to routinely review providers' financial statements
• Failure to validate the destruction of confidential (proprietary, research, performance) data when no longer required
• Inadequate regulatory framework
• Business employees and faculty may not have the tools necessary to perform their duties effectively and efficiently
January 2009
Areas of Concern
• Ad-hoc access provision
• Too strict or too loose access
• Lack of or inadequate access policy
• Lack of integration with business processes
• Insufficient separation of duties
• Former employees or vendors with access
• Blurred network perimeter
For Those using Outsourced Services
Don't ……
• Negotiate too hard for a least cost scenario
• Misplace haste to get a contract in place
• Forget an exit strategy
• Fail to control legal compliance
• Fail to plan for a long-term strong relationship
• Negotiate and manage from an "Ivory Tower"
• Ignore performance details
In Conclusion:
Guiding Principles of Risk IT
• Always connect to university system objectives
• Align the management of IT-related business risk with overall university risk management
• Balance the costs and benefits of managing risk
• Promote fair and open communication of IT risk
• Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels
• Understand that this is a continuous process and an important part of daily activities
Benefits and Outcomes
• Accurate view on current and near-future IT-related events
• End-to-end guidance on managing IT-related risks
• Understanding the investments made in technology for business, research, and teaching
• Integration with the overall risk and compliance structures within the university
• Common language to help manage the relationships
• Promotion of risk ownership throughout the organization
For More Information:
• ISACA IT Risk Toolkit, www.isaca.org
• ISACA/ITGI Risk Model (see model file)
• OCEG Burgundy Book Executive Summary, www.oceg.org
Questions?
Thank You!