Announcing the rollout of version 1.0
Will assist departments in appropriately protecting their IT assets
Why?
IT Security Risk Management: it's not just a best practice, it's a good idea!
Good News
Most of you are already doing most of what you need to be doing
The program provides tools to make identification and prioritization of the rest easier
Be prepared when your department's administrators come to you for assistance
Coordinated and integrated with contingency planning and mission resumption activities
Mission continuity plan that will provide reasonable assurance that critical data processing support can be continued or resumed within an acceptable time frame if normal operations are interrupted
University Level
Design university-wide program for analysis, assessment & planning
Identify general security threats & provide other guidance material
Oversee completion of department-level analysis, assessment & planning efforts
Complete yearly analysis & assessment for enterprise systems; update enterprise business continuity plan regularly
Departmental Level
Identify sensitive department system data and assets, and the threats to those data and assets
Determine appropriate safeguards & form a plan for implementing them
Complete U.Va. templates at least every three years & whenever the computing environment changes significantly
Brief Description
ITC is implementing a University-wide IT Security Risk Management Program for:
IT Mission Impact Analysis
IT Risk Assessment
IT Mission Continuity Planning
Evaluation and Reassessment
ITC conducts a yearly business analysis and risk assessment for directly managed resources; it updates its business continuity plan more often
Similar planning occurred across the University as part of the Y2K initiative
Comptroller's Office collects information on the existence, but not the quality, of security-related plans
Audit Department includes review of security plans during routine departmental audits
ITC's departmental security self-assessment checklist (part of the security awareness program)
Y2K business continuity plans not updated
No mechanisms for tracking the frequency of updates, quality and consistency
No central repository for safeguarding assessment and planning documents
No university-level procedure dealing explicitly with ongoing IT security risk management
Non-compliant with state standards, HIPAA and GLBA
Responsibilities
Executive Support
Strong executive support has been a key success factor at other institutions
Executives are fully behind the program at U.Va.
University policy requiring participation in the program is coming
Encouragement from LSPs will also be necessary, as many department heads will not fully appreciate the need for IT security assessment and planning
ITS-RM Toolbox: 1. threat scenarios 2. response strategies 3. remediation plan template & example
Remediation Plan
ITS-RM Toolbox: 1. disaster recovery plan example 2. interim manual procedures example
Risk management makes you more efficient
Risk management helps you make your case
Risk management has got your back
No one will be starting from scratch
Little is expected from those with little; more is expected from those with more
The templates are designed for the most complex situations but work for simple situations, too
Version 2.0 coming soon
Top 5 by end of year
Next 5 by next summer
Encourage other departments to get moving
Meet to explain the process
Service consultations if we have solutions that fill a gap