7/27/2019 IT Risk Assessment: Two Universities Share Their Methodologies (176780115)
http://slidepdf.com/reader/full/it-risk-assessment-two-universities-share-their-methodologies-176780115 1/58
IT Risk Assessment: Two Universities Share Their Methodologies
Nadine Stern
Associate CIO for Operations and Planning
Paul W Jeffreys
Director of IT Risk Management
Introduction
Objectives of Session:
• Overview management of IT risk
• Compare and contrast how Princeton and Oxford universities manage IT risk
• Review experiences from other universities, based on EDUCAUSE review
• Understand how risks should be managed - within an IT risk management framework
• Sprinkle in the EDUCAUSE top-ten IT issues to serve as reference point
• Poll session attendees to appraise strategic risk entries
IT Risk Management Overview
• IT risk management: identifies, assesses and responds to IT risks
  – … threat (should be) measured against IT objectives
• Technology now permeates: L&T, research, administration
  – … so an IT risk is a threat to institutional objectives
  – … becoming increasingly important
• IT risk management helps to:
  – Strengthen alignment between IT and institutional strategy
  – Identify IT priorities and connect with IT Strategic Plan
  – Influence capital investment
  – Direct resource allocation to meet users' requirements
• However, not all institutions have formal initiatives
• ECAR 2013 IT Risk Management poll*
  – Some results shown later …
EDUCAUSE Top 10 Issues
• To help inform risk management practices at our institutions, we have used the EDUCAUSE Top 10 IT Issues (2013)* as a guide
• Cross-referencing provides a worthwhile external comparison to add assurance that an institution has identified a full set of strategic IT threats
• Comparison shown later, and will be used to undertake our attendee poll to give a full strategic risk appraisal
Princeton and Oxford Approaches
• Princeton:
  – Aiming to align its IT Risk Assessment with institutional Executive Risk Assessment
  – Not interested in using an industry standard
  – Committed to input and buy-in from IT leadership and contributors
  – IT Risk assessment in distributed responsibility model
• Oxford:
  – Follows ISO31000 / M_o_R standard
  – Three 'perspectives': Strategic / Project / Operational
  – Assess risks against departmental objectives as objectively as possible
  – Bottom-up (workshops) and top-down (senior management)
  – Well developed process to mitigate risks
  – Beginning to show benefits from programme
IT Risk Assessment at Princeton University
• About me:
  • VP for IT and Enrollment Services at The College of New Jersey for 15 years
    – About 60 IT staff; about 65 Enrollment Services staff
  • Associate CIO in the Office of Information Technology at Princeton since April 2011
    – 280 central OIT staff
    – About 150 departmental IT staff
    – My department: IT Security officer, Budget and Finance, Organizational Effectiveness, Technology Consulting, Contract management, Strategic Planning, Associate CIO role
What I found at Princeton
• My role includes liaison to Office of Audit and Compliance
• Office of Audit and Compliance – relatively new IT Audit function
• Yearly audits but no overall risk assessment methodology
• OIT has decentralized Information Security organization and planning
Evolution of IT Risk Assessment
• University had conducted a University Risk Assessment in 2009
  – Information Security identified as one of the Risk Areas, but not well defined
• OAC interested in creating their audit universe
• OIT needing to have a plan around Information Security initiatives
  – Need to develop a mechanism for yearly updates
Risk Matrix
• OAC gave first pass to create an IT Risk matrix
• I organized it differently; added sections of Policy, campus awareness and compliance, Industry Trends, Educause Top 10 Issues
• Spoke to Paul Jeffreys, Oxford University
Ranking Risk

IT Risk Factors
Availability - Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system. Systems and critical information are available when needed in order to maintain the organization's critical operations and processes. Includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.
Integrity - Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information. Data used for making management decisions, recording information, and reporting financial activity is accurate, complete, and reliable.
Confidentiality - Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information. The right to view or manipulate data is carefully granted and monitored to prevent the mishandling of data. Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception.
Compliance - Compliance with regulations, contracts, and policies and procedures

Likelihood Scale
3 High probability that identified risk will occur.
2 Medium probability that identified risk will occur.
1 Low probability that identified risk will occur.

Impact Scale
3 Potential significant impact to the University's mission, stewardship of assets, reputation, or stakeholders.
2 Potential significant impact to the risk area but moderate to the University's mission, stewardship of assets, reputation, or stakeholders.
1 Potential impact on the University is minor or limited in scope.

Financial Impact
3 Potential financial impact > $XXX
2 Potential financial impact > $YYY but less than $XXX
1 Potential financial impact $ZZZ or less
IT RISK FACTORS (risk matrix excerpt: each risk area is scored for Likelihood and Impact under Financial Impact, Availability, Integrity, Confidentiality/Reliability and Compliance; cell values not legible)
Risk Area/Universe:
6 Backup, Recovery, and Retention
  – Network
  – UNIX
  – Linux
  – Windows
  – Databases
  – Business Applications
  – Desktop/Laptop
7 Identity and Access Management / Logical Security / Security
IT RISK FACTORS (risk matrix excerpt, continued; same Likelihood/Impact columns: Financial Impact, Availability, Integrity, Confidentiality/Reliability, Compliance; cell values not legible)
Risk Area/Universe:
10 "Data Center Operations" – Job Scheduling
11 Configuration Management
Platform sub-rows under these areas: Network, UNIX, Linux, Windows, Database, Application / Business Applications, Desktop/Laptop
IT RISK FACTORS (risk matrix excerpt, continued; same Likelihood/Impact columns: Financial Impact, Availability, Integrity, Confidentiality/Reliability, Compliance; cell values not legible)
Risk Area/Universe:
E1–E10 2012 Educause Top Ten IT Issues (titles as they appear on the slide, several cut off):
  – Updating IT professionals' skills and roles to
  – Supporting the trends toward IT consumerization and
  – Supporting the research mission through high-
  – Establishing and implementing IT governance
  – Cybersecurity
  – Developing an institution-wide cloud strategy
  – Improving the institution's operational efficiency
  – Integrating information technology into institutional
  – Using analytics to support critical institutional
  – Funding information technology strategically
  – Transforming the institution's business with
F IPv6
G
H Protection/Security of Research Data
Business Unit interviews
IT Risk Categories:
• University and Department Policies
• Education and Training
• Laws, Regulations, Compliance
• Privacy, Confidentiality, Data Classification
• Specific IPP Projects
• Emerging Technologies: Cloud computing, Social Media, Mobility
• Constituent specific concerns (students, faculty, staff)
• Missed Opportunities
1st year results
• Less than popular with OIT
• We realized it was too granular – and did not really reflect priority of risk, which would lead to security initiative selection and prioritization
• Continued to seek other resources from other peer institutions, Educause
Maturation
• Read many articles on risk from various sources: NIST, Educause, Coursera course
• Gartner: good resources for assessing security program, concepts of risk assessment: but no templates
• IBM: mostly around penetration testing
• New CIO/VP for IT
• Realization that Audit will only focus on IT general controls
• Discussions with our Internal Audit group and EVP responsible for Enterprise Risk Management
• Clarification that we need to use the University Risk Map to "INFORM" our yearly process
Developing Princeton’s IT Risk Map
Next steps for Princeton
• Close work with our ERMC (Executive Risk Management Committee) efforts
• Refine Matrix approach
  – Add feedback loop from incident evaluations
  – Periodic updating incorporating industry trends and University's enterprise risk assessment process
  – Creating new CISO position to focus on Risk Assessment, Security Strategy, Outreach, Business Continuity
IT Risk Assessment at University of Oxford
Professor Paul W Jeffreys
Director of IT Risk Management
IT Risk Management Framework
• Office of Government Commerce: Management_of_Risk*
  – Uses International standard: ISO31000:2009
• Same standard adopted by University*
• Definition of risk (OGC):
  – "An uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives.
  – A risk is measured by the combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives."
• M_o_R Steps:
  – Identify key strategic risks that would prevent the achievement of objectives;
  – Assign ownership;
  – Evaluate significance of each risk (classify);
  – Identify suitable responses to each risk;
  – Ensure internal control system manages the risk;
  – Regular review
Organizational Perspectives
Three perspectives (Strategic / Project / Operational), by time horizon:
• Long-term / beyond department
• Medium-term / bring about business change
• Short-term / ensure on-going continuity of business services
Define Risk Syntax and Risk Register Structure
• Syntax used to describe risk:
  – If - we do not ensure that IT Services' information assets are managed correctly and securely - then - there is a possibility of information loss and corruption AND major security breach - resulting in a risk of - damage to reputation of department and University, possible criminal or civil proceedings, and loss or corruption of information
• Risk Register (managed in SharePoint)
  – Risk identifier, Classification (Perspective), Risk description (using syntax), Risk probability, Risk Impact, Risk Response, Owner, Actionees, …
• Focus on Strategic perspective here …
  – 'That which is not within scope of IT Services to mitigate'
Assessment of (Strategic) Risk
• Goal: prioritize individual risks so that it is clear which risks are most important for IT Services to address
  – Must measure against organizational objectives
  – Measure as objectively as possible
• Measure using two parameters:
  – Impact: estimated effect of a particular threat occurring
  – Probability: estimated chance of it actually occurring against the impact specified (within the period of the activity)
• Reproducibility
  – Requires definition of terms
  – Four impact measures: reputation, timing, financial, availability
• Overall Risk Assessment
  – Not linear combination of impact and probability
1. Impact (Reputation and Outputs)
Strategic - Reputation & Outputs – impact of threats on image, standing and output quality
Measure: Publicity and media interest generated / effect upon rankings
Level: Effect
Critical: EITHER sustained or ongoing negative national media publicity OR a negative change across all national or international HE sector rankings
Major: EITHER one-off negative national, or ongoing local, media publicity OR a negative change across the majority of national or international HE sector rankings
Moderate: EITHER negative media publicity likely, but avoidable or controllable with management OR a negative view of IT Services at Council level
Minor: Negative publicity limited to within IT Services
Insignificant: Negative publicity limited to within part of IT Services
2. Impact (Timing)
Strategic - Timing – impact of threats on slipping timescales
Measure: Escalation of compliance issues, including legal matters
Level: Effect
Critical: EITHER delays in significant governance issues or decision-making processes exceeding 24 months OR the matter is brought to Council OR break in service for more than a week
Major: EITHER delays in significant governance issues or decision-making processes of 12 to 24 months OR the matter is brought to the Capital Steering Group OR break in key service for greater than a day
Moderate: EITHER delays in significant governance issues or decision-making processes of 6 to 12 months OR the matter is brought to the IT Committee OR break in key IT service for greater than two hours
Minor: EITHER delays in significant governance issues or decision-making processes of 3 to 6 months OR the matter is brought to the IT Services Executive Management Team OR break in key service for greater than 15 minutes
Insignificant: EITHER delays in significant governance issues or decision-making processes of up to 3 months OR complaint limited to within IT Services' processes OR break in service for greater than two minutes
3. Impact (Finances and Funding)
Strategic - Finances & Funding – impact of threats on sustainability, funding and financial control
Measure: Financial scale of effect
Level: Effect
Critical: Financial loss or impact exceeding £1m
Major: EITHER financial loss or impact of £100k to £1m OR negative effect on financial controls in general
Moderate: EITHER financial loss or impact of £20k to £100k OR negative effect on financial controls in more than one area for up to six months OR ongoing negative effect on financial controls in one area
Minor: EITHER financial loss or impact of £1k to £20k OR negative effect on financial controls in one area for up to six months
Insignificant: Financial loss or impact up to £1k and no lasting negative effect on financial controls
4. Impact (Availability and User Impact)
Strategic - Availability and User Impact – impact of threats on availability of services and user experience
Measure: Availability and user experience
Level: Effect
Critical: The majority or whole of the University is negatively affected for a period of longer than one month
Major: The majority or whole of University, or IT Services' capability in general, is negatively affected for a period of up to one month
Moderate: EITHER individuals or a small number of teams are affected on an on-going basis OR IT Services' capability for the University is negatively affected for a period of up to one day
Minor: EITHER individuals or a small number of teams are affected on an on-going basis OR IT Services' capability for the University is negatively affected for a period of up to one day
Insignificant: Individuals or single teams only are negatively affected and IT Services' capability in general is not affected
Probability or Likelihood
• Consistent with University approach
Likelihood | Frequency | Monthly Probability
Very High | Very likely: is considered to have a chance of occurring every month | Up to 100%
High | Probable: is considered to have a chance of occurring once within the next two months, or up to six times a year | Up to 50%
Moderate | Possible: is considered to have a chance of occurring once within the next six months, or up to twice a year | Up to 16.7%
Low | Unlikely: is considered to have a chance of occurring once within the next year, or up to twice in two years | Up to 8.3%
Very Low | Exceptional: is considered to have a chance of occurring once within the next two years | Up to 4.2%
Ask you to assess an Oxford risk …
If - we do not ensure that IT Services' information assets are managed correctly and securely - then - there is a possibility of information loss and corruption AND major security breach - resulting in a risk of - damage to reputation of department and University, possible criminal or civil proceedings, and loss or corruption of information
Which type of 'Impact' assessment is likely to have the biggest impact?
1. Impact (Reputation and Outputs)
Strategic - Reputation & Outputs – impact of threats on image, standing and output quality
Measure: Publicity and media interest generated / effect upon rankings
Level: Effect
Critical: EITHER sustained or ongoing negative national media publicity OR a negative change across all national or international HE sector rankings
Major: EITHER one-off negative national, or ongoing local, media publicity OR a negative change across the majority of national or international HE sector rankings
Moderate: EITHER negative media publicity likely, but avoidable or controllable with management OR a negative view of IT Services at Council level
Minor: Negative publicity limited to within IT Services
Insignificant: Negative publicity limited to within part of IT Services
Probability or Likelihood
Likelihood | Frequency | Monthly Probability
Very High | Very likely: is considered to have a chance of occurring every month | Up to 100%
High | Probable: is considered to have a chance of occurring once within the next two months, or up to six times a year | Up to 50%
Moderate | Possible: is considered to have a chance of occurring once within the next six months, or up to twice a year | Up to 16.7%
Low | Unlikely: is considered to have a chance of occurring once within the next year, or up to twice in two years | Up to 8.3%
Very Low | Exceptional: is considered to have a chance of occurring once within the next two years | Up to 4.2%

{Critical impact * Moderate probability} = 20 classification
Oxford's Strategic Risk Register
• Creating a strategic risk register is challenging
  – Bottom-up (workshops) combined with top-down (senior management)
  – Referenced against EDUCAUSE top-ten issues
  – Entries becoming relatively stable (after 6 months)
Heat map of register entries (IMPACT rows: Critical 5, Major 4, Moderate 3, Minor 2, Insignificant 1; LIKELIHOOD columns: Very Low 1, Low 2, Moderate 3, High 4, Very High 5). Cell counts as they survive on the slide; column positions are not legible:
  Critical (5): 2
  Major (4): 1, 8, 2, 2
  Moderate (3): 1, 5
  Minor (2): none shown
  Insignificant (1): none shown
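The risk syntax, the four impact measures, the five-level likelihood scale, the non-linear classification (Critical impact with Moderate likelihood scoring 20) and the heat map above can be tied together in a small register model. The following is an added example written for this page; it is not code from Oxford's SharePoint register or from the presenters. It assumes three things the slides do not state, each marked in the code: that an entry's overall impact is the worst of its four impact measures, a particular 5x5 classification table (chosen only so that Critical x Moderate gives 20, as on the slide), and red/amber/green thresholds for checking the "all risks to amber or less" objective. The first sample entry is the risk quoted on the slides; the other two are constructed.

```python
"""Strategic risk classification in the style of the Oxford register (added example)."""
from collections import Counter
from dataclasses import dataclass, field

# Scales as given on the slides: five impact levels and five likelihood levels.
IMPACT_LEVELS = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Critical": 5}
LIKELIHOOD_LEVELS = {"Very Low": 1, "Low": 2, "Moderate": 3, "High": 4, "Very High": 5}
IMPACT_MEASURES = ("reputation", "timing", "financial", "availability")

# ASSUMED non-linear classification table (row = impact level, columns = likelihood 1..5).
# The only value taken from the slides is Critical x Moderate = 20; the rest is illustrative.
CLASSIFICATION = {
    5: (5, 10, 20, 30, 40),   # Critical
    4: (4, 8, 12, 20, 30),    # Major
    3: (3, 6, 9, 12, 20),     # Moderate
    2: (2, 4, 6, 8, 10),      # Minor
    1: (1, 2, 3, 4, 5),       # Insignificant
}
RED_AT, AMBER_AT = 20, 10     # ASSUMED thresholds; the slides only name 'amber' as the target


@dataclass
class StrategicRisk:
    """One register entry in the 'If - ... - then - ... - resulting in a risk of - ...' syntax."""
    risk_id: str
    cause: str          # the "If" clause
    event: str          # the "then" clause
    effect: str         # the "resulting in a risk of" clause
    owner: str
    likelihood: str     # key of LIKELIHOOD_LEVELS
    impacts: dict = field(default_factory=dict)  # impact measure -> key of IMPACT_LEVELS

    def describe(self) -> str:
        return f"If - {self.cause} - then - {self.event} - resulting in a risk of - {self.effect}"

    def overall_impact(self) -> int:
        """ASSUMPTION: overall impact is the worst of the four measures; all four must be scored."""
        missing = set(IMPACT_MEASURES) - set(self.impacts)
        if missing:
            raise ValueError(f"{self.risk_id}: unscored impact measures {sorted(missing)}")
        return max(IMPACT_LEVELS[self.impacts[m]] for m in IMPACT_MEASURES)

    def classification(self) -> int:
        return CLASSIFICATION[self.overall_impact()][LIKELIHOOD_LEVELS[self.likelihood] - 1]

    def rag(self) -> str:
        score = self.classification()
        return "red" if score >= RED_AT else "amber" if score >= AMBER_AT else "green"


def classify(impact: str, likelihood: str) -> int:
    """Classification for one (impact level, likelihood level) pair, e.g. ('Critical', 'Moderate')."""
    return CLASSIFICATION[IMPACT_LEVELS[impact]][LIKELIHOOD_LEVELS[likelihood] - 1]


def heat_map(register):
    """Number of entries per (impact, likelihood) cell, as drawn on the register summary slide."""
    return Counter((r.overall_impact(), LIKELIHOOD_LEVELS[r.likelihood]) for r in register)


def needs_action(register, target="amber"):
    """Entries still above the target status (the objective: every risk at amber or less)."""
    order = {"green": 0, "amber": 1, "red": 2}
    return [r.risk_id for r in register if order[r.rag()] > order[target]]


# Constructed sample register. S1 is the risk quoted on the slides; its scores are illustrative.
SAMPLE_REGISTER = [
    StrategicRisk(
        "S1",
        "we do not ensure that IT Services' information assets are managed correctly and securely",
        "there is a possibility of information loss and corruption AND major security breach",
        "damage to reputation of department and University, possible criminal or civil "
        "proceedings, and loss or corruption of information",
        owner="Director of IT Risk Management", likelihood="Moderate",
        impacts={"reputation": "Critical", "timing": "Moderate",
                 "financial": "Major", "availability": "Moderate"},
    ),
    StrategicRisk("S2", "constructed cause", "constructed event", "constructed effect",
                  owner="Head of Infrastructure", likelihood="Low",
                  impacts={"reputation": "Minor", "timing": "Major",
                           "financial": "Minor", "availability": "Major"}),
    StrategicRisk("S3", "constructed cause", "constructed event", "constructed effect",
                  owner="Service Desk Manager", likelihood="High",
                  impacts={"reputation": "Insignificant", "timing": "Minor",
                           "financial": "Insignificant", "availability": "Moderate"}),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(r.risk_id, r.overall_impact(), r.likelihood, r.classification(), r.rag())
    print(dict(heat_map(SAMPLE_REGISTER)))
    print("above amber:", needs_action(SAMPLE_REGISTER))
```

Taking the worst of the four impact measures is the conservative choice for a strategic register: a risk whose reputational effect is Critical stays Critical even if its financial effect is Minor. Because the table is a lookup rather than a product, the ordering of cells can be tuned (here a Critical impact at Moderate likelihood outranks a Major impact at High likelihood), which is what "not a linear combination" buys; any such table should be reviewed for monotonicity, since a cell that scores lower than a neighbour with worse impact or higher likelihood would misrank risks.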
Strategic risk threat mitigation
• Each risk has a 'Response', 'Risk Proximity' and '% complete'; actions and controls detailed for mitigation
• Reviewed by IT Committee termly
• Objective: get all risks to 'amber' or less by end of academic year
• Also, process for introducing new Strategic risks
Oxford Summary
• Risk management programme working
  – Reducing threat against departmental objectives
  – Directing priorities
• Strategic risk register still being refined …
  – Strategic risk register entries stable
  – Risk classifications reducing as a result of concerted efforts to mitigate
  – Will update strategic risk again after conference …
• Top-down meets bottom-up meets EDUCAUSE top ten
  – Management of strategic risks certainly delivering benefits
• Still to be connected with University of Oxford risk fully (cf Princeton)
• Still to be connected with IT Strategic Plan fully
Princeton / Oxford Comparison
Learning While Doing – Judith Pirani*

Princeton
Strengths:
• Institutional Outreach
  – Non-IT leaders' input solicited from start
  – Works closely with Audit and Compliance
• Institutional perspective
  – CIO member of the President's Cabinet
  – CIO encouraging alignment of IT risk management with institutional goals
Weakness: Initial risk assessment too granular?

Oxford
Strengths:
• Stratified Risk Model
• Inclusive IT Risk Identification
• Repeatable and Relatively Objective Risk Assessment Method
• Process and Policies
  – Well-documented processes, definitions, and models
  – Linkage of risk and response processes
  – Monitoring risk response
• Weaves IT risk into IT planning and IT governance
Weakness: Too much formality?
ECAR Results and Live Poll
ECAR results
• Most of the responses came from four year institutions (58% doctoral, 17% baccalaureate, and 15% master's)
Has your institution adopted an IT risk management program or methodology?
Response options (chart values not legible): Yes / No, planning to implement / No, would like guidance / No
EDUCAUSE Conference Poll
• Identified set of top 10 strategic risks*, based on Princeton and Oxford registers, and cross-referenced to the EDUCAUSE Top Ten Issues (2013)*
• Consider each one in turn, and ask attendees two questions:
  – For those who have strategic IT risk registers in their universities: do they have a similar risk included in their own top set?
  – For those who do not have strategic IT risk registers in their universities: would it be likely that they would have a similar risk included in their own top set?
• Then ask which top risks are missing?
Risk 1
• Business Continuity: If departments delivering services in partnership with central IT do not make adequate plans for continuation of their business processes in the event of an outage of IT or other utility services, then IT might not be able to deliver services required by the university
• This could result in a risk of major academic disruption and potential financial loss (e.g. Hurricane Katrina in New Orleans)
  – 2013 issue #5 — Facilitating a better understanding of information security and finding appropriate balance between infrastructure and security
  – 2013 issue #6 — Funding information technology strategically
Risk 2
• Emerging Technologies — Cloud Computing, Social Media, Mobility: If students, faculty, and staff use consumer-oriented and easily accessible technologies without appropriate consultation with central IT, then there could be serious information security implications: loss of control of university data, problematic contract issues, lack of attention to privacy concerns, etc
• This could result in a risk to institutional data integrity, confidentiality, and availability, and thus a risk of institutional financial obligation
  – 2013 issue #1 — Leveraging the wireless and device explosion on campus
  – 2013 issue #3 — Developing an institution-wide cloud strategy to help the institution select the right sourcing and solution strategies
Risk 3
• Privacy, Confidentiality, Data Classification: If departments do not understand the legal, regulatory, and university policies around categories of data, then the university might suffer from inappropriate exposure of private data, resulting in a risk of lawsuits, loss of institutional intellectual property, loss of institutional reputation, and financial penalties
  – 2013 issue #5 — Facilitating a better understanding of information security and finding appropriate balance between infrastructure and security
  – 2013 issue #10 — Using analytics to support critical institutional outcomes
Slide 47
Risk 4
u Inadequate Investment in IT Services: If a convincing case for adequate investment in IT cannot be made, then we might not be
able to deliver projects and services required by the university,
resulting in a risk of failing to provide services required to run the
business of the university
– 2013 issue #4 — Developing a staffing and organizational model to
accommodate the changing IT environment and facilitate openness and
agility
– 2013 issue #6 — Funding information technology strategically
– 2013 issue #9 — Transforming the institution's business with
information technology
Slide 48
Risk 5
u Failure to Recognize and Meet User Expectations: If we fail to identify user requirements and expectations and assess the extent to which we are meeting
them, then our services might not align with the university's needs. This misalignment could result in a risk of customers who have lost confidence in IT, a
waste of resources, damage to the IT department's reputation, and failure to deliver services required by the university
– 2013 issue #8 — Supporting the trends toward IT consumerization and bring-your-own
device
– 2013 issue #4 — Developing a staffing and organizational model to accommodate the
changing IT environment and facilitate openness and agility
– 2013 issue #1 — Access demand: wireless and device explosion, new digital divide,
demand for institutional mobile apps
– 2013 issue #2 — Improving student outcomes through an approach that leverages
technology
– 2013 issue #9 — Transforming the institution's business with information technology
Slide 49
Risk 6
u Failure to Address Funding Shortages over Many Years: If we do not recognize the recurring costs of infrastructure services and
resource appropriately, then there is the possibility that service
improvements, including essential upgrades and enhancements,
will not occur in a timely fashion — or at all. As a result, we risk
service degradation or major failure and therefore compromise to
university business operation
– 2013 issue #6 — Funding information technology strategically
– 2013 issue #9 — Transforming the institution's business with
information technology
Slide 50
Risk 7
u Inadequate Program and Project Coordination: If adequate project and program controls and management strategies are not in
place, then there may be significant over-runs in budget
expenditures or even failure to deliver, resulting in a risk of failure to
deliver important programs and projects for the university
– 2013 issue #6 — Funding information technology strategically
Slide 51
Risk 8
u Failure to Manage Information Assets Securely: If we do not ensure that information assets are managed correctly and securely,
then there is a possibility of information loss and corruption or of a
major security breach. These could result in a risk of damage to the
reputation of the IT department and the university, possible criminal
or civil proceedings, and loss or corruption of information
– 2013 issue #5 — Facilitating a better understanding of information
security and finding appropriate balance between infrastructure
openness and security
Slide 52
Risk 9
u Learning and Teaching Support Inadequately Resourced: If the environment used by the university to support many aspects of
learning and teaching is not resourced and prioritized adequately,
then the service might not be sufficiently robust or developed to
support use, demand, and user expectations, resulting in a risk of
high-profile failure or widespread dissatisfaction with tools and
inability of the university to deliver high-quality teaching
– 2013 issue #2 — Improving student outcomes through an approach
that leverages technology
– 2013 issue #7 — Determining the role of online learning and
developing a sustainable strategy for that role
Slide 53
Risk 10
u Failure to Operate Capital Investment Approvals and Prioritization: If a clearly defined project and program approvals
process is not followed, and a framework is not set up to define and
agree on the most important capital investment areas, then projects
and programs might not be prioritized correctly or adequately
controlled and resourced, resulting in a risk of inappropriate
allocation of resources, missed university objectives, and
unnecessary expenditure and delays
– 2013 issue #6 — Funding information technology strategically
Slide 54
Summary
u Any top-level strategic risks not covered …?
– State regulation
– Insufficient resources to recruit / keep best staff
– Cloud based services
u Results from poll:
– For those with strategic risk registers, number of risks appearing in more
than half
– For those without strategic risk registers, number of risks that would appear
in more than half
Slide 55
Results from Conference Poll
Slide 56
Number contributing to poll: c. 120
Number with top-level risk register: c. 25
Those with risk register: 4 of 10 risks included
Those without risk register: 2 out of 10 risks included
Session Summary and Conclusions
u Overviewed management of IT risk
u Compared and contrasted Princeton and Oxford approaches
u Reviewed other universities
u Understood how risks should be managed - within an IT risk management framework
u Compared with EDUCAUSE top ten issues
u Undertaken poll to determine whether a consensus is being
reached on what should be included in a strategic risk register
Slide 57
Thank you
References
u ECAR 2013 IT Risk Management poll:
http://net.educause.edu/ir/library/pdf/ECARpollAPR2013.pdf
u EDUCAUSE Top 10 IT Issues (2013):
http://www.educause.edu/research-and-publications/research/top-10-it-issues
u Judith Pirani’s research paper: Two Institutions’ Practical IT Risk Management Experiences:
http://net.educause.edu/ir/library/pdf/ecar_so/erb/ERB1306.pdf
u Strategic IT Risks Matched with EDUCAUSE Top 10 IT Issues: IT Risk Management: Try This Exercise at Your Institution:
http://www.educause.edu/ero/article/it-risk-management-try-exercise-your-institution
u Office of Government Commerce: Management of Risk (M_o_R):
http://www.mor-officialsite.com/home/home.aspx
u UoO Risk Management policy: http://www.admin.ox.ac.uk/riskmgt/
u Learning While Doing: Two Institutions’ Practical IT Risk Management Experiences, ECAR
Research Bulletin; Judith A. Pirani