IT Compliance and Risk

Brian Markham

Director, DIT Compliance and Risk Services

May 1, 2014

Introduction

• UMD grad (BA and MBA)
• Seven years in IT at UMD
• Seven years in consulting (KPMG, PwC)
• New-ish to GW (November ’13)

Agenda

Three things:
• The business of IT (an overview)
• Compliance
• Risk

The Business of IT

Why do we have IT?

(Diagram: You → IT → Awesome!)

How do we succeed?

(Diagram of IT functions: Customer Support, Operations, Application Development, Strategic Planning, Security, Risk, Compliance, Governance)

IT is about…

• Users/Customers
• Understanding the business
• Understanding requirements
• Implementing technology that meets requirements to enable the business
• Perspective/vision of the future
• Planning, strategy, execution
• Fun!

But…

• IT is complicated
• IT folks aren’t experts in all things
• Different users have different needs
• Business/requirements change
• Technology changes (fast)

Role of Compliance and Risk

• Meet requirements (contracts, laws, policy)
• Ensure that confidential data is protected
• Ensure that data cannot be altered
• Ensure that systems are available
• Understand and manage risk
• Ensure that services can be offered that are secure and meet requirements
• Services are “fit for use”

Compliance

GW and Compliance

• Federal Educational Rights and Privacy Act (FERPA)
• Federal Information Security Management Act (FISMA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI DSS)
• University Policies
• Contracts and Agreements

How Do We Achieve Compliance?

• Understand the requirements
• Identify stakeholders
• Review controls and the “as-is” state
• Reference control guidance and best practices
• Assess controls
  – Test of Design
  – Test of Operating Effectiveness
• Document gaps, identify corrective actions
• Continuous monitoring

In other words…

(Cycle diagram: Plan for Compliance → Implement Controls → Assess Controls → Corrective Actions → back to Plan for Compliance)

Deming Cycle – Plan, Do, Check, Act

Compliance Challenges

• Understanding
• Expensive
• It’s hard
• Compliance ≠ Security!

Risk

What is Risk?

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

Impact × Probability = Risk Priority

Quantifying Risk

• It’s not easy
• Data-driven “gut feel”
• Use data where possible:
  – Outages/Downtime
  – Revenue Lost
  – Performance vs. SLAs
  – Performance of KPIs
  – Historical Data
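To show how the Impact × Probability formula can be fed from the kinds of data listed here (outage history, revenue lost, performance against SLAs) rather than from gut feel alone, the following is an added example, not part of the slides or any GW/DIT tool; the incident data, the 1 to 5 scoring scales and the dollar and SLA thresholds are all constructed assumptions.

```python
"""Toy risk register: rank systems by Impact x Probability using operational data."""

# Constructed one-year incident history: (system, outage hours, revenue lost in USD).
INCIDENTS = [
    ("student-portal", 2.0, 15000), ("student-portal", 6.0, 40000),
    ("student-portal", 1.0, 5000), ("payroll", 12.0, 90000),
    ("wifi", 0.5, 0), ("wifi", 0.5, 0), ("wifi", 1.0, 0), ("wifi", 0.5, 0),
]
# Constructed SLA: allowed downtime hours per year for each system.
SLA_HOURS = {"student-portal": 8.0, "payroll": 4.0, "wifi": 24.0}

def likelihood(outages_per_year: int) -> int:
    """Map observed outage frequency to an assumed 1-5 probability score."""
    if outages_per_year == 0:
        return 1
    if outages_per_year == 1:
        return 2
    if outages_per_year <= 3:
        return 3
    if outages_per_year <= 6:
        return 4
    return 5

def impact(revenue_lost: float, downtime: float, sla_hours: float) -> int:
    """Assumed 1-5 impact score: one step per $25k lost, plus one if the SLA was breached."""
    score = 1 + min(4, int(revenue_lost // 25000))
    if downtime > sla_hours:
        score = min(5, score + 1)
    return score

def build_register(incidents, sla):
    """Aggregate incidents per system and return register rows sorted by priority."""
    totals = {}
    for system, hours, lost in incidents:
        n, h, r = totals.get(system, (0, 0.0, 0.0))
        totals[system] = (n + 1, h + hours, r + lost)
    rows = []
    for system, (n, hours, lost) in totals.items():
        p = likelihood(n)
        i = impact(lost, hours, sla[system])
        rows.append({"system": system, "probability": p, "impact": i, "priority": p * i})
    return sorted(rows, key=lambda row: row["priority"], reverse=True)

if __name__ == "__main__":
    for row in build_register(INCIDENTS, SLA_HOURS):
        print(row)
```

With this data the student portal ranks first (frequent outages and an SLA breach), payroll second (rare but costly), and wifi last despite being the noisiest system, which is the point of scoring on both axes.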

Lots of Risk!

• Compliance Risk
• Financial Risk
• Human Resource Risk
• Operations Risk (Availability)
• Project Risk
• Reputation Risk
• Safety Risk
• Security Risk
• Vendor Risk

Where do we start?

• Governance!
• Process and documentation
• Outreach and buy-in
• Identify, track and mitigate risks
  – Prioritize
• Continuous improvement

Risk Management Challenges

• You don’t know what you don’t know
• Incentives to not report
• Risks can be expensive
• IT is complicated

Risk Management Tools

• Governance Risk & Compliance (GRC) tool
• Risk Register
• Assessment methodologies
• Risk Assessments
• Control catalogs
• Configuration Management Database (CMDB)

Summary

• Compliance and risk management is a critical piece of IT management
• Understand the compliance landscape
• Understand the risk landscape
• We are all risk managers!

For More Information

Contact Brian Markham at 571-553-0189 or bmarkham@gwu.edu.