IT Compliance and Risk
Brian Markham, Director, DIT Compliance and Risk Services
May 1, 2014
Introduction
- UMD grad (BA and MBA)
- Seven years in IT at UMD
- Seven years in consulting (KPMG, PwC)
- New-ish to GW (November '13)

Agenda
Three things:
- The business of IT (an overview)
- Compliance
- Risk

The Business of IT

Why do we have IT?
- You
- IT
- Awesome!

How do we succeed?
- Application Development
- Customer Support
- Operations
- Security
- Strategic Planning
- Governance
- Compliance
- Risk

IT is about…
- Users/Customers
- Understanding the business
- Understanding requirements
- Implementing technology that meets requirements to enable the business
- Perspective/vision of the future
- Planning, strategy, execution
- Fun!

But…
- IT is complicated
- IT folks aren't experts in all things
- Different users have different needs
- Business/requirements change
- Technology changes (fast)

Role of Compliance and Risk
- Meet requirements (contracts, laws, policy)
- Ensure that confidential data is protected (confidentiality)
- Ensure that data cannot be altered (integrity)
- Ensure that systems are available (availability)
- Understand and manage risk
- Ensure that services can be offered that are secure and meet requirements
- Services are "fit for use"

Compliance

GW and Compliance
- Family Educational Rights and Privacy Act (FERPA)
- Federal Information Security Management Act (FISMA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
- University Policies
- Contracts and Agreements

How Do We Achieve Compliance?
- Understand the requirements
- Identify stakeholders
- Review controls and the "as-is" state
- Reference control guidance and best practices
- Assess controls
  - Test of Design
  - Test of Operating Effectiveness
- Document gaps, identify corrective actions
- Continuous monitoring

In other words… Deming Cycle (Plan, Do, Check, Act)
- Plan for Compliance
- Implement Controls
- Assess Controls
- Corrective Actions

Compliance Challenges
- Understanding
- Expensive
- It's hard
- Compliance ≠ Security!

Risk

What is Risk?
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. (This is the NIST SP 800-30 definition.)

Impact × Probability = Risk Priority

Quantifying Risk
- It's not easy
- Data-driven "gut feel"
- Use data where possible:
  - Outages/Downtime
  - Revenue Lost
  - Performance vs. SLAs
  - Performance of KPIs
  - Historical Data
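To show the Impact × Probability formula applied to data rather than gut feel, here is an added example (not from the presentation). It scores a small risk register: the likelihood band comes from observed outage counts where history exists, and falls back to a labelled assumption where it does not, which is exactly the "data-driven gut feel" the slide describes. The services, outage counts, dollar figures and band thresholds are all constructed for the example.

```python
"""Risk priority from a small risk register (added example, constructed data).

Priority = Impact band (1-5) x Likelihood band (1-5), with the likelihood
derived from historical outage frequency when we have it. A quantitative
annualised loss is kept alongside, because the 1-5 matrix is coarse and
ties are common.
"""
from dataclasses import dataclass
from typing import List, Optional

# Band thresholds are assumptions for this example; a real programme sets
# them in its risk methodology. Each entry is (upper bound, rating).
LIKELIHOOD_BANDS = [(0.1, 1), (0.5, 2), (2.0, 3), (6.0, 4), (float("inf"), 5)]  # events per year
IMPACT_BANDS = [(1_000, 1), (10_000, 2), (100_000, 3), (1_000_000, 4), (float("inf"), 5)]  # USD per event


def band(value: float, bands) -> int:
    """Map a measured value onto its ordinal 1-5 rating."""
    for upper, rating in bands:
        if value <= upper:
            return rating
    raise ValueError(f"no band for {value}")


@dataclass
class Risk:
    name: str
    outages_observed: int        # incidents seen in the observation window
    years_observed: float        # length of that window
    loss_per_event: float        # revenue lost + recovery cost per incident, USD
    assumed_frequency: Optional[float] = None  # fallback when there is no history

    @property
    def annual_frequency(self) -> float:
        if self.outages_observed > 0:
            return self.outages_observed / self.years_observed
        if self.assumed_frequency is None:
            raise ValueError(f"{self.name}: no history and no assumed frequency")
        return self.assumed_frequency

    @property
    def basis(self) -> str:
        """Record whether the likelihood is data-driven or an assumption."""
        return "historical" if self.outages_observed > 0 else "assumed"

    def likelihood(self) -> int:
        return band(self.annual_frequency, LIKELIHOOD_BANDS)

    def impact(self) -> int:
        return band(self.loss_per_event, IMPACT_BANDS)

    def priority(self) -> int:
        return self.impact() * self.likelihood()

    def annual_loss(self) -> float:
        """Expected loss per year: frequency x loss per event."""
        return self.annual_frequency * self.loss_per_event


def rank(register: List[Risk]) -> List[Risk]:
    """Highest priority first; annualised loss breaks ties in the matrix."""
    return sorted(register, key=lambda r: (r.priority(), r.annual_loss()), reverse=True)


def build_register() -> List[Risk]:
    # Constructed sample data; names and numbers are not from any real institution.
    return [
        Risk("Student portal outage", outages_observed=6, years_observed=3, loss_per_event=50_000),
        Risk("Campus email outage", outages_observed=12, years_observed=2, loss_per_event=2_000),
        Risk("Data centre power loss", outages_observed=1, years_observed=4, loss_per_event=300_000),
        # Never happened here, so the frequency is an assumption and is labelled as such.
        Risk("Cardholder data compromise", outages_observed=0, years_observed=5,
             loss_per_event=2_000_000, assumed_frequency=0.2),
    ]


if __name__ == "__main__":
    print(f"{'Risk':30} {'Imp':>3} {'Lik':>3} {'Pri':>3} {'Annual loss':>12}  Basis")
    for r in rank(build_register()):
        print(f"{r.name:30} {r.impact():>3} {r.likelihood():>3} {r.priority():>3} "
              f"{r.annual_loss():>12,.0f}  {r.basis}")
```

Two things the output shows that the formula alone does not: the two risks that tie at priority 8 differ by a factor of six in expected annual loss, and the top-ranked risk is the one resting entirely on an assumed likelihood, which is the entry a reviewer should challenge first.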

Lots of Risk!
- Compliance Risk
- Financial Risk
- Human Resource Risk
- Operations Risk (Availability)
- Project Risk
- Reputation Risk
- Safety Risk
- Security Risk
- Vendor Risk

Where do we start? Governance!
- Process and documentation
- Outreach and buy-in
- Identify, track and mitigate risks
- Prioritize
- Continuous improvement

Risk Management Challenges
- You don't know what you don't know
- Incentives to not report
- Risks can be expensive
- IT is complicated

Risk Management Tools
- Governance, Risk & Compliance (GRC) tool
- Risk Register
- Assessment methodologies
- Risk Assessments
- Control catalogs
- Configuration Management Database (CMDB)

Summary
- Compliance and risk management is a critical piece of IT management
- Understand the compliance landscape
- Understand the risk landscape
- We are all risk managers!

For More Information
Contact Brian Markham at 571-553-0189 or bmarkham@gwu.edu.