University Technology Risks Assessment and Management

April 2010

Pati Milligan, PhD, Professor, Baylor University, Waco, Texas

Issues

What are Academic Technology Risks?

How do we Assess and Manage?

Where do we fail?

Future focus?

Private vs Public University Risk Assessments

As so aptly stated in the ACFE presentation:

In the initial stages, fraud and stupidity bear a close resemblance.

Most universities are not for profit and have limited staff and budget

Academia is an open learning environment. So what’s the big deal?

Every component of the university is dependent on automation and integration

We must integrate business and academic technology solutions to attain proper risk management

Why Care About IT-related Risk?

IT Risk (more than meets the eye)

IT Risk Must Manage and Capitalize on Business Risk

Some universities try to eliminate the very risks that drive research and education

Guidance is needed on how to manage risk effectively

©2009 ISACA/ITGI. All rights reserved.

A Balance is Essential

Risk and value are two sides of the same coin

Risk is inherent to all enterprises

Academic risk and industry risk are the same

But… need to ensure opportunities for value creation provided by Academia are not missed by trying to eliminate all risk

So How to Assess Technology Risk?

Scope definition
◦ Business process identification, including roles within the business process and interest groups (internal and external)
◦ Academic needs ??
◦ Assets that need protection ??

Analysis
◦ Qualitative risk assessment methodology
◦ Identification of conflicts of interest
◦ Business need for access for identified roles vs. Academic need for autonomy
◦ Issues with current access system

ISACA’s IT Risk Model

Risk Assessment to Risk Governance

Risk Domains

Governance
◦ Responsibility and accountability for risk
◦ Risk appetite and tolerance
◦ Awareness and communication
◦ Risk culture

Evaluation
◦ Risk scenarios
◦ Business impact descriptions

Response
◦ Key risk indicators (KRIs)
◦ Risk response definition and prioritization

As you know.....

[Risk matrix slide: likelihood rated A (improbable) through E (unavoidable) against impact rated Critical through Low]

Potential Academic Exposures

Loss of competitive research

Opposition research from other universities

Loss of personal data

IT-related Risk Evaluation

Technology risk is not limited to information security. It covers all IT-related risks, including:

• Late project delivery
• Not achieving enough value from IT
• Compliance (FERPA, PFIA, SOX) ??
• Misalignment of business responsibilities
• Obsolete or inflexible IT architecture
• IT service delivery problems
• Autonomy for research and teaching

Approach and Interviews

Public and Private Universities

U.S. and Global

Personal interviews with IT Auditors and Risk Management Officers

On-site observation

Questions to ask…….

1. How do you determine the level of risk to the university administrative functions in the following areas:

a. Network Access

b. Web Applications

c. Online email

2. What is the current IT infrastructure and the applications supporting major business processes (complete ISO levels if possible). How frequently does this change?

Who supports this infrastructure, i.e. do the departments support any of the teaching and research nodes?

3. External Environment -- Do you outsource any of the IT Services?

4. Regulatory environment -- which compliance areas pose risk to the university?

Questions to ask……. (cont.)

5. What is the Strategic importance of the technology network for the university?

6. What is the Operational importance of the networks for the university? Could the university sustain a network outage of 7 days?

7. Do you have a Risk management philosophy, process, and operating model?

8. Who manages Risk Governance (RG), Risk Evaluation (RE), and Risk Response (RR) for the university systems?

9. How are Technology decisions made?

10. Does the university offer online courses for credit?

How is that managed? What is the risk if the system is unavailable or if the system is breached?

11. How is the Technology Investment (money for function) managed? Is technology (cost and value) a component of the Board of Directors’ meetings, risk and budget discussions?

12. What are the top five risk factors for the university?

Questions to ask……. (cont.)

13. What are the top-five IT risk scenarios?

14. Does the university experience any of the following issues?

a. Late project delivery

b. Not achieving enough value from IT

c. Compliance

d. Misalignment

e. Obsolete or inflexible IT architecture

f. IT service delivery problems

15. How often do you evaluate sunset legacy systems?

16. Describe your information security protection program.

17. Data Retention Policy?

18. Consistency of Patch management?

19. Does IT use standard builds?

20. To what extent do you rely on in-house applications?

21. How much do you rely on contractors?

22. Do you have global nationals working with sensitive data?

23. Data Ownership……

Where do we generally fail?

◦ Impairing ability to “Publish or Perish”
◦ Burning bridges with research sponsors and partners
◦ Inadequate tenure track reviews
◦ Teaching and research effectiveness reviews
◦ Staff and Faculty training
◦ Decentralized survey administration – integrity of results
◦ Not all School/Department goals are met
◦ Academic vs. Business resource allocation not evaluated

January 2009

Where do we commonly fail? (cont.)

Failure to monitor service (business)

Relinquishing control/oversight (business)

Failure to review any Outsource Service Providers’ internal controls

Failure to audit all critical areas (network security)

Failure to routinely review providers’ financial statements

Failure to validate the destruction of confidential (proprietary, research, performance) data when no longer required

Inadequate regulatory framework

Business employees and faculty may not have the tools necessary to perform their duties effectively and efficiently?

Areas of Concern

Ad-hoc access provision

Too strict or too loose access

Lack of or inadequate access policy

Lack of integration with business processes

Insufficient separation of duties

Former employees or vendors with access

Blurred network perimeter

For Those using Outsourced Services

Don’t ……

Negotiate too hard for a least cost scenario

Misplace haste to get a contract in place

Forget an exit strategy

Fail to control legal compliance

Fail to plan for a long-term strong relationship

Negotiate and manage from an “Ivory Tower”

Ignore performance details

In Conclusion: Guiding Principles of Risk IT

Always connect to university system objectives

Align the management of IT-related business risk with overall university risk management

Balance the costs and benefits of managing risk

Promote fair and open communication of IT risk

Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels

Understand that this is a continuous process and an important part of daily activities

Benefits and Outcomes

Accurate view on current and near-future IT-related events

End-to-end guidance on managing IT-related risks

Understanding the investments made in technology for business, research, and teaching

Integration with the overall risk and compliance structures within the university

Common language to help manage the relationships

Promotion of risk ownership throughout the organization


For More Information:

ISACA IT Risk Toolkit: www.isaca.org

ISACA/ITGI Risk Model (see model file)

OCEG Burgundy Book Executive Summary: www.oceg.org

Questions?

Thank You!
