A. Why Security is Important
Why is managing IT security risks important?
First, the financial consequences of failing to do so can be significant.
- The University and its units must protect the heavy investments they have made in IT and personnel that support technology.
- Given the increasing reliance on IT to provide mission-critical academic, instructional and administrative functions, loss or interruption of IT-based functions is not merely an inconvenience but could lead to the inability of a unit to perform its core mission.
Second, the threats to IT assets are only getting worse.
- The invaluable, fast, direct connection to the Internet at U.Va. makes us both a direct target and a tempting source of hijacked bandwidth.
- IT security efforts are required at all network levels, meaning that responsibility for security is highly distributed, and therefore difficult to manage.
- More sophisticated and dangerous exploits and attacks are released almost daily, via viruses and worms, intentional compromises that threaten the privacy and integrity of legally protected data, and denial of network service.
- Terrorist attacks and natural disasters remain real possibilities.
Fire. The University’s Treasurer’s Office is left with burned files and melted computers. The Physics Department loses its graduate student offices, along with the dissertations of several students.
Flood. The Biology Department’s basement-level server room suffers a broken pipe from above, filling with six feet of water overnight. Health System Computing Services responds to a report of a down server and finds water rushing from the ceiling.
Loss of access. University Hall is closed for several months on 15-minutes’ notice after failing a routine structural safety inspection. Several laptops in the College of Arts and Sciences Dean’s office are stolen in a single night.
Cyber-attack. Machines containing sensitive data are hijacked via the network. Viruses infect computers and then e-mail random files (containing, e.g., grant-related data) from the device to random people.
This is just a selection of actual events that occurred at the University during the last ten years. How prepared is your department to mitigate the risks of these types of occurrences and respond appropriately should they strike?
- Will your department have the money to deal with any clean up, including the replacement of expensive hardware?
- How will your department respond to the legal and public relations consequences if private data is released or your devices are commandeered and used to attack other people’s machines?
- What are the financial consequences if research is delayed (or destroyed) or if other mission-critical functions are interrupted?
B. What’s a Risk Management Program? Why It’s a Best Practice
Given the serious security risks to IT assets outlined above, managing those risks effectively is an essential task for the University and its departments.[1] Risk management has been defined formally as “The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.”[2] More simply put: “Determine what your risks are and then decide on a course of action to deal with those risks.” Even more colloquially: What’s your department’s threshold for pain? Do you want failure to deal with a particular risk to end up on the front page of The Daily Progress or the Washington Post?
Why do the work entailed in identifying your mission-critical IT assets, analyzing the associated security risks and developing both security and mission continuity plans? Who will it benefit? The process is one that will benefit both the individual department and the University as a whole. It is important that departments and their IT users understand what risks exist in their IT environment and how those risks can be reduced or even eliminated.[3] The aim of risk management is “to aid managers to strike an economic balance between the costs associated with the risks and the costs of protective measures to lessen those risks.” It is both prudent practice and, in many cases, a legal necessity.
C. U.Va.’s IT Security Risk Management Program
A design team composed of members from throughout the University has identified some common risks and put together a process and templates for departments to use in their risk management effort. Individual departments are encouraged to review those common risks to see which might apply to their specific environment. They should then review their own surroundings to determine what specific risks exist for inclusion in the process. The University is implementing a University-wide IT Security Risk Management (ITS-RM) Program for:
- IT Mission Impact Analysis – The identification of information, computing hardware and software, and associated personnel that require protection against unavailability, unauthorized access, modification, disclosure or other security breaches.
- IT Risk Assessment – The determination and evaluation of threats to the resources identified through a mission impact analysis.
- IT Mission Continuity Planning – The development of a plan for restoration of resources identified in the mission impact analysis and for interim manual processes for continuing critical mission functions during the restoration process.
- Evaluation and Reassessment – The reiteration of these steps at least every three years, or when there are significant changes to departmental IT assets or risk environment.
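As an added illustration, not part of the U.Va. program or its templates: a small Python risk register that walks the steps above (identify mission-critical assets, rank the threats against them, and weigh each safeguard against its cost, the “economic balance” section B describes) and applies the three-year reassessment rule. The annualized loss expectancy arithmetic, the asset and threat names, and every dollar figure are assumptions constructed for this example; a department would substitute its own figures from the program templates.

```python
"""Toy IT risk register (added example; not U.Va. program code).

Steps: Asset/Threat = mission impact analysis + risk assessment,
Safeguard = the cost/benefit decision, reassessment_due = the
three-year / significant-change rule. ALE-style arithmetic and all
figures are assumptions made for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Asset:
    name: str
    value: float          # replacement cost plus cost of mission interruption (dollars)
    protected_data: bool  # holds legally protected data (e.g. HIPAA/FERPA/GLBA)


@dataclass
class Threat:
    asset: Asset
    name: str
    aro: float            # annualized rate of occurrence (expected events per year)
    exposure: float       # fraction of asset value lost per event, 0..1

    def sle(self) -> float:
        """Single loss expectancy: value lost in one occurrence."""
        return self.asset.value * self.exposure

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass
class Safeguard:
    threat: Threat
    name: str
    annual_cost: float
    aro_after: float       # residual rate of occurrence with the safeguard in place
    exposure_after: float  # residual exposure with the safeguard in place

    def residual_ale(self) -> float:
        return self.threat.asset.value * self.exposure_after * self.aro_after

    def net_benefit(self) -> float:
        """Positive when the safeguard removes more expected loss than it costs."""
        return self.threat.ale() - self.residual_ale() - self.annual_cost


def rank_threats(threats):
    """Risk assessment output: highest expected annual loss first."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


def worthwhile(safeguards):
    """Safeguards whose expected loss reduction exceeds their annual cost."""
    return [s for s in safeguards if s.net_benefit() > 0]


def reassessment_due(last_assessed: date, significant_change: bool, today: date) -> bool:
    """Reassess at least every three years (approximated as 3*365 days),
    or sooner when departmental assets or the risk environment change."""
    return significant_change or today >= last_assessed + timedelta(days=3 * 365)


def build_register():
    """Constructed sample data loosely modelled on the scenarios in section A."""
    fileserver = Asset("departmental fileserver (basement)", 250_000, protected_data=True)
    laptop = Asset("dean's office laptop", 60_000, protected_data=True)

    flood = Threat(fileserver, "burst pipe floods server room", aro=0.1, exposure=0.8)
    theft = Threat(laptop, "laptop stolen overnight", aro=0.5, exposure=1.0)

    safeguards = [
        Safeguard(flood, "Off-site backup rotation", 4_000, aro_after=0.1, exposure_after=0.1),
        Safeguard(flood, "Relocate server room above grade", 30_000, aro_after=0.02, exposure_after=0.8),
        Safeguard(theft, "Full-disk encryption", 500, aro_after=0.5, exposure_after=0.05),
    ]
    return {"threats": [flood, theft], "safeguards": safeguards}


if __name__ == "__main__":
    reg = build_register()
    for t in rank_threats(reg["threats"]):
        print(f"{t.ale():>10,.0f}/yr  {t.asset.name}: {t.name}")
    for s in reg["safeguards"]:
        verdict = "adopt" if s.net_benefit() > 0 else "reject"
        print(f"{verdict:6} {s.name} (net {s.net_benefit():,.0f}/yr)")
    print("reassess now?", reassessment_due(date(2005, 6, 1), False, date(2008, 6, 1)))
```

The point of the register is the ranking and the adopt/reject decision, not the absolute numbers: the expensive relocation is rejected even though it cuts flood frequency fivefold, while cheap off-site backups and disk encryption pay for themselves many times over. Assets flagged `protected_data` would additionally be subject to the legal obligations in section C regardless of the arithmetic.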
The ITS-RM Program includes agencies 207 (Academic Division), 209 (Medical Center) and 246 (College at Wise).
Why is such a program needed?
- Mission impact analysis, risk assessment, and mission continuity planning are not one-time projects, but rather tactical operational processes that incorporate the most current thinking on security threats and appropriate safeguards.
- The University needs proactive mechanisms for tracking the frequency with which assessments and plans are updated and for assuring quality and consistency as they are developed.
- The University needs a central repository for safeguarding assessment and planning documents.
- The University needs the assurance that available resources for IT security across the organization are being focused on the most important needs; resources are limited, so they should be targeted as efficiently as possible.
- Several internal University standards can be addressed through ITS-RM. On the Internal Controls Questionnaire, approximately ten percent of the questions concern issues addressed by this program,[4] including completion of an IT risk analysis and departmental security plan. In addition, the University’s Critical Incident Management Plan (CIMP) requires departmental planning to protect departmental assets, with specific reference to IT assets and IT security measures.
- A risk management program helps the University comply with various external IT security standards that may apply to individual departments, including HIPAA (Health Insurance Portability and Accountability Act), FERPA (Family Educational Rights and Privacy Act), GLBA (Gramm-Leach-Bliley Act, common title of the Financial Services Modernization Act (FSMA)) and standards and guidance published by NIST (National Institute of Standards and Technology), as well as state security standards that apply to the University.
D. Responsibilities
U.Va. has a highly complex and resource-rich computing environment, without which the University simply could not accomplish its mission. The management structure for this environment is necessarily complex as well. While the central IT organization manages the network infrastructure and other enterprise-wide computing services, there are many servers, desktops and databases managed by various departments and research projects. Additionally, the University’s hospital has its own central computing center.
The Office of Information Technologies’ (OIT) Director for Security Coordination & Policy, who reports to the University’s Vice President & CIO, has, among other functions, the responsibility for coordinating security activities at the University, excluding the hospital, for which security is handled by Health System Computing Services (HS/CS). Various divisions within the Information Technology and Communication (ITC) Department, also reporting to the VP/CIO, implement and support security-related infrastructure and provide security-related services. Personnel in individual departments are responsible for assessing risks and choosing and implementing appropriate safeguards to mitigate unacceptable risks to departmental IT assets, i.e. those not centrally managed by ITC. Individual departments are also responsible for the security of data records not in electronic form.
ITC has assumed primary responsibility for ITS-RM program design and implementation supported by HS/CS, Internal Audit, Risk Management, U.Va. Police and the University Development Office. (The University Development Office and Madison Hall served as pilot projects.) ITC and HS/CS, where appropriate, will provide ongoing support. Ongoing support will include compilation of completed assessments and plans into a repository, consulting and guidance where appropriate, and monitoring compliance and progress with the overall program.
Input from the Internal Audit Department was essential to the design and implementation planning processes. The program is not expected to alter in any way the need for review of security plans during routine department audits. In fact, several of the ITS-RM program templates employ questions used by Audit for that purpose.
Because risk assessment and mission continuity planning are included in the security standards for HIPAA, the HIPAA Initiative Office and HS/CS have participated in design and implementation to avoid duplication of effort and inconsistency in approach.
Although the program includes instructions, templates and guidance, the department needs to own the risk management process. Departments have to do the work of risk management: only they know their mission, what assets are critical to that mission, how to prioritize resources to address those assets and how best to get back up and functioning following a disaster (big or small).
If your department has one fileserver that is well-configured and professionally maintained (with regular backups rotated off-site), uses central services (which someone else is responsible for protecting) for everything else and hosts no legally protected data, this process is easy. Of course, if you have a dozen servers, including e-mail, multiple research projects and protected data, the process will require more work.
Expectations for Departments
- Departments are expected to complete this process and return a report to the University’s central repository for these documents.
- After initial completion of the required analysis and planning, additional follow up may be necessary to address key issues.
- Both administrative/business and technical leaders from the department must be involved in the process.
- The department head will sign off on the completed report.
Reporting requirements are fully explained in section III.F. below.
Any department that has questions concerning the process should contact OIT’s Security and Policy office:
Brian Davis <bdavis@virginia.edu>, 3-8707
Shirley Payne <payne@virginia.edu>, 4-4165
Messenger mail: ITC-Cresap, P.O. Box 400217
http://www.itc.virginia.edu/security/riskmanagement/
This office is available to assist departments in understanding the process and getting started on completing their report. Each department should send their completed reports (as well as updates) to this office so that a central repository can be maintained.
E. Terminology
Adoption of a reference for terminology associated with this program ensures that all the participants have a common understanding as we seek to educate departmental leaders about risk management issues and elicit responses from them that are both appropriate for a specific department and comparable across departments. Please see Appendix H.
[1] Throughout this document, the term “department” is used generically to refer to any organizational unit with some level of autonomy within the University, including schools, departments, centers, units, etc.
[2] National Information Systems Security Glossary, NSTISSI No. 4009 and AFR 205-16, AFR 700-10. Unless otherwise noted, all definitions in quotation marks are appropriated from a National Security Agency (NSA) curriculum used by the National Colloquium for Information System Security Education (NCISSE) <http://www.ncisse.org/>. See Appendix H for definitions of key terms and a full reference to the original sources.
[3] Much of this paragraph is adapted from “Introduction to the Business Impact Analysis/Risk Assessment Process,” <http://security.vt.edu/playitsafe/riskanalysis/RA-Dept01-ReadFirst.doc>.
[4] As of this date, questions 1.5, 1.6, 1.7, 1.17, 7.5, 7.6, and 9.8.
