Information Technology Security Risk Management (ITS-RM) Program

ITC’s Information Technology Security Risk Management (ITS-RM) Program is intended to provide University departments with the information and tools they need to properly manage the security risks associated with their information technology assets.

Fire. A fire burns files and melts computers in the University Treasurer's Office. The Physics Department loses its graduate student offices, along with the dissertations of several students.

Flood. The Biology Department’s basement-level server room fills with six feet of water overnight when a pipe in the ceiling breaks. Health System Computing Services responds to a report of a downed server and finds water rushing from the ceiling,

Loss of access. University Hall is closed for several months on 15 minutes’ notice, after failing a routine structural safety inspection. Several laptops in the College of Arts and Sciences Dean’s Office are stolen in a single night.

Cyber-attack. Machines containing sensitive data are hijacked via the network. Viruses infect computers, and then e-mail random files to random people. These files contain, among other things, grant-related data.

This is just a selection of actual events that occurred at the University in the last ten years. How prepared is your department to mitigate the risks of these types of occurrences and respond appropriately if any one of these events occurs in your area?

Given the serious security risks to information technology (IT) assets, managing those risks effectively is an essential task for the University and its departments. The process is one that will benefit both the individual department and the University as a whole. Completing such a risk management process is extremely important in today’s advanced technological world. It is important that management understand what risks exist in their IT environment, and how those risks can be reduced or even eliminated.

Like fire insurance, ITS-RM is a form of protection that the University simply cannot afford not to have. The University has business processes, research and instructional efforts, and legally protected data that depend on IT assets, which UVa cannot afford to lose or have exposed. Unfortunately, these IT assets are subject to an increasing number of threats, attacks and vulnerabilities, against which more protection is continually required. The ITS-RM program is an essential component in this overall effort.

Although the IT Security Risk Management (ITS-RM) program will likely be welcomed by departments that have already experienced loss of mission-critical IT resources, many will not fully appreciate the need for assessment and planning. Consequently, a University policy regarding participation is necessary.

A University policy requiring all departments to participate in the ITS-RM program was approved 11/18/04. This policy is available here. The ITS-RM program will apply to agencies 207 (Academic Division), 209 (Medical Center) and 246 (College at Wise). All departments will complete their first iteration of the process by July 1, 2007, with department heads (or higher) responsible for approving the submitted reports.

Those departments wishing to begin this important task may use the information, templates, and tools provided in this document to initiate the IT security risk management process.

Information, Templates and Tools

  • Version 2.0 (08/17/04) is here. Both a short summary and a complete list of the changes since version 1.0 are here.
  • University of Virginia Information Technology Security Risk Management Program v. 2.0 packet
    • Full packet: HTML (immediately below) | Microsoft Word format | PDF format
    • Templates required to complete your department’s ITS-RM report (these are spread throughout the full packet intermixed with background and instructions, but are collected in a compact reporting format here): Microsoft Word format | PDF format
  • PowerPoint presentation given at the April LSP conference explaining the new program. Useful background and explanation of expectations for anyone working on this ITS-RM program.
  • PowerPoint presentation given at the Mid-Atlantic EDUCAUSE meeting on the process involved in creating and implementing an IT security risk management program. Information that may be helpful to other institutions wishing to implement a plan of their own.

For further information, please complete the Risk Management Contact form.

ITS-RM Program Packet

I. Executive Support and Policy Statement

II. Background Information

III. Risk Management Instructions and Templates

IV. Appendices

© 2008 by the Rector and Visitors of the University of Virginia.
