Tuesday, 06 December 2011

Information Technology Security


The University’s Information Technology Security Risk Management (ITS-RM) Program is intended to provide departments with the information and tools they need to manage properly the security risks associated with their information technology assets.
Some examples of real events that have happened at the University include:
Fire. The University’s Treasurer’s Office is left with burned files and melted computers.
Flood. Health System Computing Services responds to a report of a down server and finds water rushing from the ceiling.
Loss of access. University Hall is closed for several months on 15-minutes’ notice after failing a routine structural safety inspection.
Cyber-attack. Machines containing sensitive data are hijacked via the network.
How prepared is your department to mitigate these risks and respond appropriately if any one of these events occurs in your area?
Given the serious security risks to information technology (IT) assets, managing those risks effectively is an essential task for the University and its departments. The process will benefit both the individual departments and the University as a whole. It is important that management understand what risks exist in their IT environment, and how those risks can be reduced or eliminated.
The University has business processes, research and instructional efforts, and legally protected data that depend on IT assets, which UVa cannot afford to lose or have exposed. Unfortunately, these IT assets are subject to an increasing number of threats, attacks and vulnerabilities, against which more protection is continually required. The ITS-RM program is an essential component in this overall effort.
University policy requires the management of each University department to complete the process outlined in the University's ITS-RM Program at least once every three years, when there are significant changes to departmental IT assets, or when there are significant changes to the risk environment. The department head will sign off on the deliverables from this process and file these deliverables in the University's central repository for these documents. The ITS-RM program applies to agencies 207 (Academic Division), 209 (Medical Center) and 246 (College at Wise).
All departments should have completed their first iteration of the process during 2007. The second iteration is due March 1, 2011.

Thursday, 20 October 2011

IT Risk Management

As we all understand, the use of Information Technology (IT) not only brings benefits to a company but also introduces risk.

This risk can of course cause losses for the company's business that are material (such as financial loss) or immaterial (damage to its image, loss of customer loyalty, etc.). It is not even impossible for such risk to lead to the closure of the company.

Risk arising from the use of IT often cannot be avoided or eliminated entirely, so what can be done is to manage that risk so that its impact remains acceptable to the company. This is the focus of IT Risk Management, in which the company works to manage every potential risk arising from the use of IT while weighing the cost and benefit of each solution for that risk.

The various risks that can arise from the use of IT are usually caused by the existence of a threat source, the opportunity/threat itself, and the vulnerability of the IT that has been implemented.

iValueIT has personnel with broad insight and experience in building and applying IT Risk Management in companies, based on the applicable standards/best practices. That experience includes the following:


This engagement is one of the track records of our key personnel.
This engagement was intended to assess the IT risk condition of PT Pupuk Kaltim from the perspective of IT processes and of the areas that, according to best or good practices, should be the concern of PT Pupuk Kaltim's IT management.
Besides producing an IT risk profile mapped to the main areas that best practice says IT management should attend to, the results of this activity also serve as an important input for developing IT strategic plans and improving the existing IT condition.

http://ivitc.com/index.php?option=com_content&view=article&id=19:it-risk-analysis-pupuk-kaltim&catid=6:it-risk-management&Itemid=15

IT risk management

IT risk management is the application of risk management to the information technology context in order to manage IT risk, i.e.:
the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.

IT risk management can be considered a component of a wider enterprise risk management system.[1]
The establishment, maintenance and continuous update of an ISMS provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks.[2]
Different methodologies have been proposed to manage IT risks, each of them divided in processes and steps.[3]
According to Risk IT,[1] it encompasses not only the negative impact of operations and service delivery, which can bring destruction or reduction of the value of the organization, but also the benefit/value-enabling risk associated with missing opportunities to use technology to enable or enhance the business, and the IT project management risk of aspects like overspending or late delivery with adverse business impact.
Because risk is strictly tied to uncertainty, decision theory should be applied to manage risk as a science, i.e. rationally making choices under uncertainty.
Generally speaking, risk is the product of likelihood times impact (Risk = Likelihood * Impact).[4]
The measure of an IT risk can be determined as a product of threat, vulnerability and asset values:[5]
Risk = Threat * Vulnerability * Asset

Definitions

The CISA Review Manual 2006 provides the following definition of risk management: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."[6]

There are two things in this definition that may need some clarification. First, the process of risk management is an ongoing, iterative process. It must be repeated indefinitely: the business environment is constantly changing and new threats and vulnerabilities emerge every day. Second, the choice of countermeasures (controls) used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure, and the value of the information asset being protected.
Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations’ missions. This process is not unique to the IT environment; indeed it pervades decision-making in all areas of our daily lives.[7]
The head of an organizational unit must ensure that the organization has the capabilities needed to accomplish its mission. These mission owners must determine the security capabilities that their IT systems must have to provide the desired level of mission support in the face of real world threats. Most organizations have tight budgets for IT security; therefore, IT security spending must be reviewed as thoroughly as other management decisions. A well-structured risk management methodology, when used effectively, can help management identify appropriate controls for providing the mission-essential security capabilities.[7]
Risk management in the IT world is quite a complex, multi-faceted activity, with many relations to other complex activities. The picture shows the relationships between the different related terms.
1. The total process to identify, control, and minimize the impact of uncertain events. The objective of the risk management program is to reduce risk and obtain and maintain DAA approval. The process facilitates the management of security risks by each level of management throughout the system life cycle. The approval process consists of three elements: risk analysis, certification, and approval.
2. An element of managerial science concerned with the identification, measurement, control, and minimization of uncertain events. An effective risk management program encompasses the following four phases:
    1. Risk assessment, as derived from an evaluation of threats and vulnerabilities.
    2. Management decision.
    3. Control implementation.
    4. Effectiveness review.
3. The total process of identifying, measuring, and minimizing uncertain events affecting AIS resources. It includes risk analysis, cost-benefit analysis, safeguard selection, security test and evaluation, safeguard implementation, and systems review.
4. The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk analysis, cost-benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review.

Risk management as part of enterprise risk management

Some organizations have, and many others should have, a comprehensive Enterprise risk management (ERM) program in place. The four objective categories addressed, according to COSO, are:
  • Strategy - high-level goals, aligned with and supporting the organization's mission
  • Operations - effective and efficient use of resources
  • Financial Reporting - reliability of operational and financial reporting
  • Compliance - compliance with applicable laws and regulations
According to the Risk IT framework by ISACA,[9] IT risk is transversal to all four categories. IT risk should be managed within the framework of Enterprise risk management: the risk appetite and risk sensitivity of the whole enterprise should guide the IT risk management process, and ERM should provide the context and business objectives to IT risk management.
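The two risk formulas above, the cost-versus-effectiveness balance from the definitions section, and the risk-appetite guidance from this section fit together in one small scoring exercise. The following is an added example (not code from the page, Wikipedia, ISACA or the University): it scores a constructed register built from the four events the University page lists, ranks the scenarios against an assumed enterprise risk appetite, and then picks the cheapest candidate countermeasure that brings a scenario back within appetite. All ratings, costs and control names are constructed assumptions on a 1 to 5 ordinal scale.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    """One threat-to-asset pairing in a departmental risk register.
    Ratings are ordinal, 1 (lowest) to 5 (highest)."""
    name: str
    threat: int         # likelihood that the threat source acts
    vulnerability: int  # how exposed the asset is to that threat
    asset: int          # value of the asset to the organization

def risk_threat_vuln_asset(s):
    """Risk = Threat * Vulnerability * Asset (1..125 with 1..5 ratings)."""
    return s.threat * s.vulnerability * s.asset

def risk_likelihood_impact(s):
    """Risk = Likelihood * Impact, taking likelihood as threat * vulnerability
    and impact as asset value; it yields the same score as the formula above."""
    return (s.threat * s.vulnerability) * s.asset

def prioritize(register, appetite):
    """Rank scenarios by risk; anything above the enterprise risk appetite
    needs a management decision (treat), the rest may be accepted."""
    ranked = sorted(register, key=risk_threat_vuln_asset, reverse=True)
    return [(s.name, risk_threat_vuln_asset(s), risk_threat_vuln_asset(s) > appetite)
            for s in ranked]

def select_control(s, candidates, appetite):
    """Cost/benefit step: candidates are (name, cost, vulnerability_after).
    Return the cheapest control whose residual risk is within appetite, or
    None when no candidate suffices (escalate: transfer or avoid the risk)."""
    for name, cost, vuln_after in sorted(candidates, key=lambda c: c[1]):
        residual = risk_threat_vuln_asset(replace(s, vulnerability=vuln_after))
        if residual <= appetite:
            return name, cost, residual
    return None

# Constructed register echoing the four events above; ratings are illustrative.
REGISTER = [
    Scenario("Fire in Treasurer's Office", threat=2, vulnerability=4, asset=5),
    Scenario("Flood in server room", threat=3, vulnerability=3, asset=4),
    Scenario("Loss of building access", threat=2, vulnerability=5, asset=3),
    Scenario("Network hijack of sensitive-data host", threat=5, vulnerability=4, asset=5),
]
APPETITE = 35  # constructed enterprise risk appetite on the 1..125 scale
# Constructed countermeasures for the hijack scenario: (name, cost, vulnerability after)
HIJACK_CONTROLS = [("patch and harden host", 5, 2),
                   ("segment network and monitor", 20, 1),
                   ("take host offline", 50, 1)]
```

Re-running `prioritize` after each control decision, or after a rating changes, is the iterative loop the definitions above insist on; the cheapest control is only chosen among those that actually reach the appetite, which is the cost-versus-effectiveness balance in practice.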


Information, Templates and Tools

  • University of Virginia Information Technology Security Risk Management Program v. 3.0 packet (August 3, 2010)
    • Full packet: Microsoft Word format | PDF format
    • Templates required to complete your department’s ITS-RM report (these are spread throughout the full packet intermixed with background and instructions, but are collected in a compact reporting format here): Microsoft Word format | PDF format
  • PowerPoint presentation given at a 2004 LSP conference explaining the initial version of the program. Useful background and explanation of expectations for anyone working on this ITS-RM program.
  • PowerPoint presentation given at a 2005 Mid-Atlantic EDUCAUSE meeting on the process involved in creating and implementing an IT security risk management program.
For further information, please contact us at its-rm@virginia.edu.