Today’s IT environment is changing more rapidly than at any time before. In fact many of the technologies that we now take for granted were not in existence even 5 years ago. Consider the iPad and the wireless device
onslaught of these years since we installed wireless across campus. We built a high capacity infrastructure that is now crippled by BYOD. Everyone has more than one wireless device and they are all “on” at the same time. We have over 100,000 devices that connect to our network and that is rather troublesome. It affects not only our performance but is a significant security risk. This brings me to a point for consideration because not only has our IT infrastructure become more taxed but our security responsibilities have become much broader.
In order to address the security concerns OIT, last fall, hired Paco Diaz who came to us with an extensive IT auditing background. We immediately began the process of evaluation of our IT security risks through a process of Risk Management and Assessment. This represents a strategy to detect and prevent, or at least minimize the effects of serious risks associated with the management of information assets, proprietary information and intellectual property. The process is rather detailed and involves assessing and evaluating risks, implementing risk mitigation based upon severity, and measuring the results of the mitigation. It is a process that becomes an on-going part of the development of a critical security tool within our organization.
It is important for all of us to understand the value of this risk assessment. Failure of any institution to perform a thorough and honest risk assessment or to act appropriately on the findings of an assessment represents a breach of responsibility for the executive leadership of OIT as well as UA. One of the most critical elements of an assessment such as this is that it does not represent a direct cost but rather an indirect one; i.e. at least for UA. We have heavily invested in security and networking jointly as well as in our data centers. As an indirect cost it will weigh heavily on you, the staff of OIT. Documentation of processes, the development of policies and
procedures, and the implementation of these means a change in the culture and an added mandate from the Executive Team.
We have completed a first phase draft of the Risk Assessment tool and populated it with 302 risk scenarios that map into NIST (the National Institute of Standards) and CCA (Consortium for Cyber Security Action) critical control elements. These are the control elements defined by NSA, CIA, FBI, and SANS. We have also identified contributing and mitigating risk factors and the estimated mitigation efforts for the scenarios.
An estimate of residual risk is used to indicate how effective the mitigation is expected to be. The distribution of risks is indicated below and is based on the Risk Management process.
Notice that the security, compliance, and operational risks are predominate and that many of these relate to the need for the establishment of enforceable policies and procedures.
Our assessment will be presented to the Property and Causalities Committee of The Board of Trustees for the February meeting. It is an exciting and demanding time and I know we are willing to be at the forefront on IT Security!