Using Service Supportability for Risk Management
TRANSCRIPT
Using Service Supportability for IT Risk Management
Straightforward Enterprise Risk Identification for Diverse Organizations: A Case Study at the University of Colorado
Introductions
• Chirag Joshi, M.S., CISA, CISM, CRISC, Assistant ISO and HIPAA Security Officer, [email protected] (https://www.cu.edu/ois)
• Jim Dillon, M.S., CISA, CISSP, Director of IT Audit, [email protected] (https://www.cu.edu/audit)
IT Service Supportability
• Portfolio Risk Conversation in Diverse Context
• Survey Matrix: Obtaining Portfolio Risk by “Commendable Practice” Assessment
• SUPPORTABILITY: “The attribute of a service domain reflecting reduced risk and operational stability due to the widespread deployment of commendable practices”
• Results Matrix: Visualizing Risk
• Outcome: Successes and Shortcomings
• Expanding Supportability: Supporting an ERM Framework
Portfolio Risk: Identification
Environment: Multiple Campuses, Many Providers, Many Diverse Services, Widely Distributed Responsibility
Problem 1: No Uniform IT Service Portfolio/ Catalog
Problem 2: Lacking Standard Risk Approach, Apples and Oranges
Problem 3: Complexity in Common Risk Approaches (Given Environment)
Portfolio Risk: Institutional View
• Objective: Strategic Alignment of Services
• Objective: Systemic Risk Identification – Critical and “Significant” Services
• Objective: Approachable Discussion – Reduce technical and risk-language complexity
• Objective: Data-Driven Discussion – Reduce reliance on anecdotal, instinctive, or occurrence-based risk identification
• Objective: SERVICE Risk Orientation – Business discussion, not “system” or “technology” discussion
Chirag Joshi - OIS 6
Building Blocks
• Consistency of definitions: Impact and Risk definitions, Common Security Standards, Data Classifications, Shared services
• Assurance process integration: Coordination between OIS, University Risk Management (URM), Legal, Internal Audit, Campus stakeholders
Data Classifications
• Highly Confidential
  ◦ Protected by law or contract
  ◦ Examples: Protected Health Information, credit card information, Social Security Numbers or associated personally identifiable information
• Confidential
  ◦ Could cause harm or embarrassment
  ◦ Data owner has a reasonable expectation that the data should not be disclosed
  ◦ Example: personnel information
• Public
  ◦ Example: directory information
Criticality and Impact
High: severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions
◦ Financial: direct or indirect monetary costs to the institution where liability must be transferred to an organization external to the campus, as the institution is unable to incur the assessed high end of the cost for the risk; this would include, for example, use of an insurance carrier
◦ Reputation: the impact results in negative press coverage and/or major political pressure on institutional reputation on a national or international scale
◦ Safety: the impact places campus community members at imminent risk of injury
◦ Legal: the impact results in significant legal and/or regulatory compliance action against the institution or business.
Moderate: significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced
◦ Financial: direct or indirect monetary costs where liability is transferred to the campus, as the business unit/school is unable to pay the assessed high end of the cost for the risk
◦ Reputation: impact results in negative press coverage and/or minor political pressure on institutional reputation on a local scale
◦ Safety: impact noticeably increases the likelihood of injury to community member(s)
◦ Legal: impact results in comparatively lower but not insignificant legal and/or regulatory compliance action against the institution or business.
Low: degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced
◦ Financial: impact results in direct or indirect monetary costs to the institution where the business unit/school can pay the assessed high end of the cost for the risk on its own
◦ Reputation: impact is nominal and/or creates negligible political pressure on institutional reputation on a local scale
◦ Safety: impact on the safety of campus community members is nominal
◦ Legal: impact results in no or insignificant legal and/or regulatory compliance action against the institution or business.
Key Concepts
Risk Governance: Strategic business function that helps ensure that risk management activities align with the enterprise’s opportunity and loss capacity.
◦ Clarity of Roles and Responsibilities: Who should respond to a certain level of risk?
◦ Risk Appetite: The amount of risk that an entity is willing to accept in the pursuit of its mission
Key Risk Indicators (KRIs): Metrics capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the risk appetite
Risk Tolerance: The acceptable level of variation allowed for any particular risk as the enterprise pursues its business objectives
Survey Matrix
• Design: MS Excel to Ensure Accessibility
• Design: Categorize Services; Capture Service Level, Criticality, Data Classification
• Design: Cover the OSI Model but Simplify
  ◦ 3+1 areas = 7+1 OSI Model plus personnel
  ◦ Infrastructure, Network/Communication, Application, Personnel
• Design: Utilize 6 or 7 “Best Practice” Guidelines Per Area
  ◦ Identify sub-optimal practice as increased risk
• Design: Simple Judgment
  ◦ High, Medium, Low, Unknown, and Managed
  ◦ Characterize each rating to support consistent reporting
  ◦ Treat unknown as “High Risk”
  ◦ Identify vendor, cloud, and other “managed” services
Survey Matrix: Simplicity (screenshot; callout: “Drop Downs”)
Survey Matrix: Linkage (screenshot; callouts: “Link to Policy”, “Simple SLA”)
Survey Matrix: Key Data
• Infrastructure
• Networking/Communications
• Application, and
• Personnel (Skills, Availability)
• Consider the entire service stack
• Managed Solution, Supportable, Partially Supportable, Not Supportable, Unknown
• “Service” conclusion
Survey Matrix: Definitions (Thank You Paragon Audit and Consulting)
Supportable:
• Version is up-to-date and patched
Partially Supportable:
• Version is supported by vendor but may not be latest version…
Not Supportable:
• Version is no longer supported by vendor
Results Matrix
• Combine All Survey Matrix Submissions
• Create Catalog By Service Type
  ◦ Manual service duplication investigation
• Demonstrate Risk Inflection Points
  ◦ Central IT, other IT, combined
  ◦ Eventually entire institution
  ◦ Utilize graphs for visualization
• Report Using Service Types, Criticality, Availability, etc.
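The survey matrix ratings and the results-matrix roll-up described in the two sections above, as an added example that is not part of the presentation or of any University of Colorado tooling. The deck only says that the stack is considered as a whole, that "Unknown" counts as high risk and that managed services are identified; the weakest-layer rule, the "Managed Solution" roll-up, the numeric scores and the sample submissions are assumptions made for this illustration.

```python
from collections import Counter, defaultdict

AREAS = ("Infrastructure", "Network/Communication", "Application", "Personnel")
# Ordinal score per rating; lower means more risk. "Unknown" scores like
# "Not Supportable" because the deck treats an unknown rating as high risk.
SCORE = {"Not Supportable": 1, "Unknown": 1, "Partially Supportable": 2, "Supportable": 3}
LABEL = {1: "Not Supportable", 2: "Partially Supportable", 3: "Supportable"}

def service_conclusion(ratings):
    """Roll per-area ratings up into one service conclusion.
    ratings maps areas in AREAS to a rating, or "Managed" for a vendor/cloud-run
    layer; unrated areas count as "Unknown". Assumption (not stated in the deck):
    the weakest in-house layer sets the conclusion, and a service whose layers
    are all managed is reported as "Managed Solution" instead of being scored."""
    full = {area: ratings.get(area, "Unknown") for area in AREAS}
    in_house = [SCORE[r] for r in full.values() if r != "Managed"]
    if not in_house:
        return "Managed Solution"
    return LABEL[min(in_house)]

def results_matrix(submissions):
    """Count services by criticality x conclusion: the results matrix."""
    matrix = defaultdict(Counter)
    for s in submissions:
        matrix[s["criticality"]][service_conclusion(s["ratings"])] += 1
    return {crit: dict(counts) for crit, counts in matrix.items()}

def inflection_points(submissions):
    """High-criticality services that are neither fully supportable nor managed."""
    return sorted(s["service"] for s in submissions if s["criticality"] == "High"
                  and service_conclusion(s["ratings"]) not in ("Supportable", "Managed Solution"))

# Constructed sample submissions (illustrative only, not University of Colorado data)
SUBMISSIONS = [
    {"service": "Email", "criticality": "High", "ratings": {a: "Managed" for a in AREAS}},
    {"service": "LMS", "criticality": "High", "ratings": {
        "Infrastructure": "Supportable", "Network/Communication": "Supportable",
        "Application": "Partially Supportable", "Personnel": "Supportable"}},
    {"service": "Lab Scheduler", "criticality": "Moderate",  # two areas left unrated
     "ratings": {"Infrastructure": "Not Supportable", "Application": "Supportable"}},
    {"service": "Dept Wiki", "criticality": "Low", "ratings": {
        "Infrastructure": "Managed", "Network/Communication": "Managed",
        "Application": "Supportable", "Personnel": "Supportable"}},
]

if __name__ == "__main__":
    for crit, counts in results_matrix(SUBMISSIONS).items():
        print(crit, counts)
    print("Inflection points:", inflection_points(SUBMISSIONS))
```

Leaving two areas unrated on "Lab Scheduler" drags it to "Not Supportable", which is the point of treating unknowns as high risk rather than letting optimistic partial surveys look clean.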
Results: Catalog
Results: By Service Type (chart; callouts: “Visual Cues”, “Area and Stack Component”)
Results: By Criticality (chart; callouts: “Staffing for High Criticality”, “Infrastructure Stable”)
Results: By Availability (chart; callout: “Apps and Support Challenged”)
Results: By # Users (chart; callout: “Small Shops Struggle With High User #”)
Results: Other
• Provided Analysis/Observations of Systemic Issues
• Also Included Results by:
  ◦ User type (Fac, Admin, Rsch, Stu)
  ◦ Definable parameters
  ◦ Data Risk (Rest, Motion, Privacy)
  ◦ All Service Provider Data and Combined Data
Delivered
Outcome: Successes
• All Campuses Continuing Practice, Catalog Expansion
• Systemic Conditions Highlighted for Action
• Some Critical/Significant Services Being Absorbed into Central IT
• Duplicate Services Under Discussion (e.g. Desktop Support, VM Services)
• Security and Recovery Risks Being Investigated
• Practice Expansion for Enterprise Risk Identification Being Tested
• Combination of All Campuses’ Data, Institutional Reporting TBD
Outcome: Challenges
• Methodology for Vendor/Cloud Services
• Interpretation: Variation Based on Service Provider Size, Maturity
• Identifying Root Cause – Work TBD
• Need for Consistency in Definitions, Measures
  ◦ Optimistic smaller service providers
  ◦ Smaller providers less diligent considering the “stack”, depending on external services
  ◦ Still depends on subjective judgment (performance, SLA not standardized, completeness?)
• Matrix Still A Manual Effort
• Not the Complete Risk Picture
Risk Management Framework
(framework diagram; perspectives: Financial, Customer, Internal Processes/Operations, Learning and Innovation)
Based on Balanced Scorecard, COSO and COBIT
Perspective                          Rating
Financial and Legal                  2 - Partially Supportable
Customers                            2 - Partially Supportable
Internal Processes and Operations    3 - Supportable
Learning and Innovation              3 - Supportable
Expanding Supportability: ERM Framework
Financial and Legal
• Financial resources are sufficient to maintain service at an expected level beyond the next fiscal year
• The investments and resources allocated to the service are based on formal business cases that take into account stakeholder expectations, cost and benefits and set specific objectives
• The service complies with applicable laws and regulations in a formal documented manner
Customer
• Business continuity plans are documented, implemented, tested and monitored in a formal manner.
• Problem and incident management processes are documented, implemented, tested and monitored in a formal manner.
• Customer satisfaction with the service is actively obtained, reviewed and monitored in a consistent and measurable manner
Internal Processes and Operations
• Service is optimized (documented, monitored and improved) to be delivered consistently on time and within budget (not relying on any external funds).
• The service complies with university policies and standards in a formal documented manner
• Change management processes are documented, implemented and monitored in a formal manner
Learning and Innovation
• Personnel supporting the service are adequate, have the required skills and complete the required training for the roles
• Process exists to improve services through innovative ideas based on interaction with industry leaders, peers, customers, and benchmarking
ERM Steps
• Pilot Projects
• Campus-wide Policy
• Roles and Responsibilities
• Project Implementation
• Training
Questions?
THANK YOU!