Information Technology Security Risk Management Program ITSRM

Transcript and Presenter's Notes

1
Information Technology Security Risk Management
Program (ITS-RM)
  • October 7, 2004
  • Brian Davis, Shirley Payne
  • Office of Information Technologies
  • Security Policy

2
What's Risk Management?
  • Formally defined:
    The total process to identify, control, and
    manage the impact of uncertain harmful events,
    commensurate with the value of the protected
    assets.

3
More simply put
  • Determine what your risks are and then decide on
    a course of action to deal with those risks.

4
Even more colloquially
  • What's your threshold for pain?
  • Do you want failure to deal with this risk to end
    up on the front page of the Daily Progress?

5
Effectively Managing Risk Means
  • Knowing what needs to be protected
  • Understanding threats and determining the level
    of risk they pose to critical assets
  • Pursuing strategies to mitigate unacceptable
    risks
  • Having a contingency plan for operating without
    critical assets temporarily

6
Why?
  • Best practice (and a good idea)
  • Reasonable approach to a complex task
  • Not just HIPAA -- other regulations
  • General process with a HIPAA component

7
Planned IT Security Risk Management Program
  • University-wide, including Medical Center
  • Information on current threats, templates,
    checklists, and other guidance provided
  • Four steps of program:
    • IT Mission Impact Analysis
    • IT Risk Assessment
    • IT Mission Continuity Planning
    • Evaluation and Reassessment

8
(No Transcript)

9
Implementation Strategy
  • Design
    • Involved Audit, Risk Management, Police, HIPAA
      Office, Health System Computing Services
    • HIPAA questions, RiskWatch exceptions, use of
      HSCS disaster recovery/business continuity plan
  • Roll-out
    • Concentrated effort on 10 areas this academic
      year
    • Also identifying areas with ePHI
    • Encourage other departments to get moving
    • May take three years to reach all departments

10
It's not as painful as it looks!
  • No one will be starting from scratch
  • Little is expected from those with little, more
    is expected from those with more
  • The templates are designed for the most complex
    situations but work for simple solutions, too

11
Executive Support
  • Strong executive support has been a key success
    factor at other institutions
  • Executives fully behind program at UVa
  • University policy requiring participation in the
    program is coming

12
For More Information...
  • http://www.itc.virginia.edu/security/riskmanagement
  • Brian Davis, bdavis@virginia.edu, 243-8707
  • Shirley Payne, payne@virginia.edu, 924-4165