Transcript

Slide 1 Managing Risk in IT

Richard D. Wollenberger, Jay L. Seagren

Managing Risk in IT

#12NTCRISK

Slide 2 Managing Risk in IT

Each entry is a chance to win an NTEN engraved iPad!

or Online using <#NTC12RISK> at www.nten.org/ntc/eval

Evaluate This Session!

Slide 3 Managing Risk in IT

Managing IT Risk in a small-medium sized organization

Slide 4 Managing Risk in IT

Managing Risk in IT

• Introductions

• What is risk management?

• Budgets

• Integration with business needs

• Managing Staff

• Managing the computing environment

Slide 5 Managing Risk in IT

Who are we?

Richard Wollenberger

Director of Information Technology, Parents as Teachers national office, richard.wollenberger@parentsasteachers.org

Jay Seagren

Senior Manager, Enterprise Systems, The Pew Charitable Trusts, jseagren@pewtrusts.org

Slide 6 Managing Risk in IT

Who’s here today

• Organization size?

• Accidental techie?

• # of IT staff?

Slide 7 Managing Risk in IT

IT Resources

Slide 8 Managing Risk in IT

What is Risk Management?

• Origins of risks

– From the ancient Italian word riscare

– The study of risk began during the Renaissance

– Daniel Bernoulli

– Harry Markowitz

Slide 9 Managing Risk in IT

What does this have to do with IT?

• Every decision you make is about managing some kind of risk

– Which AV system will protect your staff?

– Which backup system will be easy to use (restore from) during an emergency situation?

– MS vs. Google?

– Voice/data connections

– Firewall

Slide 10 Managing Risk in IT

Budgets

• Every penny you spend in IT is NOT spent on your mission

– Track every expense related to:

• Computer hw/sw

• Internet connectivity

• Telephone & fax

• Printing & copying

• Training

– end user

– Tech staff (yes, you need ongoing training)

Slide 12 Managing Risk in IT

Integration with the business

• You have to sit at the table

• Strategic planning

• You are there to support them

• You are there to improve processes and make it easier

• You are there to look for cost efficiencies

– Hard and soft dollar

• Business continuity (disaster planning)

Slide 13 Managing Risk in IT

Sit at the table

• Be a partner with the business

• Have a Service Level Agreement (SLA) so your “customers” know what to expect

Slide 14 Managing Risk in IT

Strategic planning

• Why is this important?

– Strategic planning drives the business, and you need to be helping steer.

Slide 15 Managing Risk in IT

Who they gonna call?

Slide 16 Managing Risk in IT

What do you need to do?

• Improve business processes

• Find hard and soft dollar cost efficiencies

Slide 17 Managing Risk in IT

Staffing

• Are you an “Accidental Techie?”

• Do you manage other IT staff?

Slide 18 Managing Risk in IT

Slide 19 Managing Risk in IT

Outsourcing vs. Insourcing

Services

• Office and Collaboration

• Help desk

• Constituent Management

• Security

• Server and Network

Slide 20 Managing Risk in IT

Office and Collaboration

• Google Apps (Low Risk)

– Free for non-profits <3000 users

– Now online and offline (Chrome)

– Bonus: Postini spam filter

Slide 21 Managing Risk in IT

Office and Collaboration

• Office 365 (Medium Risk)

– Requires desktop client

– Per seat costs ($6-$27/user/month)

– Bonus: SharePoint

Slide 22 Managing Risk in IT

Help Desk

• (low risk – it’s free)

• (med risk - about $20/seat/month)

• (med risk – new version not available yet – check for pricing with Techsoup.org)

Slide 23 Managing Risk in IT

Constituent Management

• (low risk)

– $200 - $475/month

• (medium risk)

– 10 licenses free, >10 80% discount

– Nonprofit Starter pack (free)

Slide 24 Managing Risk in IT

Security

• Virus protection

– Symantec ($25/yr)

– McAfee ($30/yr)

– Microsoft System Essentials

• Free for <10 PCs

– Microsoft Forefront Endpoint ($20/seat)

Slide 26 Managing Risk in IT

Disaster Planning and Recovery

• Disaster Planning

– Scope of plan

• Room, building, city, region

• Disaster Recovery

– Online backup and recovery

– Pricing terms

– Amazon Web Services

• (http://media.amazonwebservices.com/AWS_Pricing_Overview.pdf)

Slide 27 Managing Risk in IT

Server and Network

• Specs

– What you want vs. what you need

• Tools

– Is the cloud right for your organization?

• Processes

• Procedures

• Change management

• Regulation and law compliance

Slide 28 Managing Risk in IT

Server and Network – cont.

• Duplicate and mirrored services

• 2 separate data centers

• Different geographic and power grid zones

• Carbon copying between the two

• 3rd Party DNS can route to different data centers upon failure

Slide 29 Managing Risk in IT

3rd Party Providers

Slide 30 Managing Risk in IT

3rd Party Providers

• Financial pressure and offsite delivery model drive the need

• Risk Management starts with Sourcing, continues with Contracting and finally Vendor Management

• Extend your in-house staff seamlessly if managed well

Slide 31 Managing Risk in IT

3rd Party Providers – cont.

• Growing number of delivery models, specialized services and budget pressure are driving more reliance on 3rd party service providers

• 25% of IT budgets are now going to 3rd party providers

• Over 50% of IT managers surveyed will increase their budget on SaaS providers.

Slide 32 Managing Risk in IT

3rd Party Providers – cont.

• Areas of Risk and Mitigation:

– Data Security

– Stability of provider and their service

– Your brand and reputation

– Legal and Professional liability

Slide 33 Managing Risk in IT

3rd Party Providers – cont.

• Data Security

– Privacy policies in contract

– Vendor audit

– Internal training on Data Security awareness

– Sensitive information (e.g. High Wealth Donors) may warrant DLP

Slide 34 Managing Risk in IT

3rd Party Providers – cont.

• Stability of provider

– Basic Balance sheet and Cash Flow analysis

– Bankruptcy, M and A

• Stability of service

– Service Level objectives in contract

– Incentives and discounts/refunds

– Vendor Scorecards

Slide 35 Managing Risk in IT

3rd Party Providers – cont.

Slide 36 Managing Risk in IT

3rd Party Providers – cont.

• Brand reputation

– Brand usage built into contracts

– On site risk assessment

– Deliverable reviews

Slide 37 Managing Risk in IT

3rd Party Providers – cont.

• Legal and Professional liability

– Business Continuity plan review

– Standardized best practices

– Standard Legal Terms and Conditions

Slide 38 Managing Risk in IT

Managing Risk in IT

Conclusion

• Be a partner with the business

• Make risk management strategic

• Evaluate outsourced and cloud offerings

• Follow Best Practices

• Use Best of Breed

• Utilize 3rd party providers wisely

Slide 39 Managing Risk in IT

Managing IT Risk in a small-medium sized organization
