CANHEIT 2012

Presentation Transcript

  1. CANHEIT 2012 Building the Digital University What’s Out There? Building a Central IT Repository University of Guelph

  2. Building a Central IT Repository • Welcome! • Presentation Goal/Format University of Guelph

  3. Building a Central IT Repository Agenda • Introduction • Learning Objectives • Why have a Central IT Repository? • What are we @Guelph Trying to Do? • How are we Building IT? • Learning Objectives (Details) • Wrap-up University of Guelph

  4. Building a Central IT Repository University of Guelph

  5. Building a Central IT Repository Introduction • Guelph’s IT organization/culture • IT Governance • 50% distributed/decentralized • What about Me? • My portfolio University of Guelph

  6. Building a Central IT Repository Why are you here? • Are you thinking about: • IT Risk management? • IT contingency planning? • Compliance (PCI, FIPPA)? University of Guelph

  7. Building a Central IT Repository Learning Objectives Recognize the value of a central IT Repository University of Guelph

  8. Building a Central IT Repository Learning Objectives Recognize the value of a central IT Repository Understand the basic requirements for IT risk management University of Guelph 8

  9. Building a Central IT Repository Learning Objectives Recognize the value of a central IT Repository Understand the basic requirements for IT risk management Learn how Guelph’s approach combines application, services and people information University of Guelph 9

  10. Building a Central IT Repository Learning Objectives Recognize the value of a central IT Repository Understand the basic requirements for IT risk management Learn how Guelph’s approach combines application, services and people information Take away ideas for valuable metrics University of Guelph 10

  11. Building a Central IT Repository Learning Objectives Recognize the value of a central IT Repository Understand the basic requirements for IT risk management Learn how Guelph’s approach combines application, services and people information Take away ideas for valuable metrics Consider visibility and sustainability challenges University of Guelph 11

  12. Building a Central IT Repository WHY build a Repository? It’s the right thing to do! (if you’re trying to manage risk) Inventory of IT Assets is a foundational component of any IT security program! University of Guelph

  13. Building a Central IT Repository WHY build a Repository? • It’s the right thing to do! (if you’re trying to manage risk) • Inventory of IT Assets is a foundational component of any IT security program! • What do we need to protect? University of Guelph 13

  14. Building a Central IT Repository WHY build a Repository? • It’s the right thing to do! (if you’re trying to manage risk) • Inventory of IT Assets is a foundational component of any IT security program! • What do we need to protect? • Who is responsible? University of Guelph 14

  15. Building a Central IT Repository WHY build a Repository? • It’s the right thing to do! (if you’re trying to manage risk) • Inventory of IT Assets is a foundational component of any IT security program! • What do we need to protect? • Who is responsible? • Who are we dependent on? University of Guelph 15

  16. Building a Central IT Repository WHY build a Repository? Risk management standards/frameworks The starting point is always identifying IT assets! University of Guelph

  17. Building a Central IT Repository WHY build a Repository? • Risk management standards/frameworks • The starting point is always identifying IT assets! • ISO 27002 (clauses 7.1 & 7.2) • Clause 7.1 Responsibility for Assets • Clause 7.2 Information Classification University of Guelph 17

  18. Building a Central IT Repository WHY build a Repository? • Risk management standards/frameworks • The starting point is always identifying IT assets! • ISO 27002 (clauses 7.1 & 7.2) • Clause 7.1 Responsibility for Assets • Clause 7.2 Information Classification • SANS “20 critical security controls” • #1 Inventory of authorized devices • #2 Inventory of authorized software University of Guelph 18

  19. Building a Central IT Repository WHY build a Repository? • Risk management standards/frameworks • The starting point is always identifying IT assets! • ISO 27002 (clauses 7.1 & 7.2) • Clause 7.1 Responsibility for Assets • Clause 7.2 Information Classification • SANS “20 critical security controls” • #1 Inventory of authorized devices • #2 Inventory of authorized software • NIST SP 800-60 University of Guelph 19

  20. Building a Central IT Repository WHY build a Repository? • Risk management standards/frameworks • The starting point is always identifying IT assets! • ISO 27002 (clauses 7.1 & 7.2) • Clause 7.1 Responsibility for Assets • Clause 7.2 Information Classification • SANS “20 critical security controls” • #1 Inventory of authorized devices • #2 Inventory of authorized software • NIST SP 800-60 • PCI DSS (requirements 9 & 12) • Where is cardholder data stored? University of Guelph 20

  21. Building a Central IT Repository WHAT Are We Building? • What it is: The IT Repository is an on-line web-accessible inventory of the University’s IT Assets and the human resources who have a specific relationship with the Assets. • A ‘high level’ catalogue of IT application systems and infrastructure services. University of Guelph

  22. Building a Central IT Repository WHAT Are We Building? • What it is: The IT Repository is an on-line web-accessible inventory of the University’s IT Assets and the human resources who have a specific relationship with the Assets. • A ‘high level’ catalogue of IT application systems and infrastructure services. • What it isn’t: A physical hardware inventory (CMDB) with device/configuration details, nor is it an end-user targeted IT Service Catalogue. • It is not an asset management system for tracking acquisition costs, licensing, obsolescence, etc. University of Guelph 22

  23. Building a Central IT Repository Repository Goals Gain University-wide visibility of existing applications and infrastructure services University of Guelph

  24. Building a Central IT Repository Repository Goals Gain University-wide visibility of existing applications and infrastructure services Identify system and service ownership and accountability University of Guelph 24

  25. Building a Central IT Repository Repository Goals Gain University-wide visibility of existing applications and infrastructure services Identify system and service ownership and accountability Identify systems which store sensitive information or have special compliance requirements (e.g. PCI DSS) University of Guelph 25

  26. Building a Central IT Repository Repository Goals Gain University-wide visibility of existing applications and infrastructure services Identify system and service ownership and accountability Identify systems which store sensitive information or have special compliance requirements (e.g. PCI DSS) Encourage collaboration and leveraging of resources and expertise University of Guelph 26

  27. Building a Central IT Repository Repository Goals Gain University-wide visibility of existing applications and infrastructure services Identify system and service ownership and accountability Identify systems which store sensitive information or have special compliance requirements (e.g. PCI DSS) Encourage collaboration and leveraging of resources and expertise Identify duplication and redundancy (show interconnections) University of Guelph 27

  28. Building a Central IT Repository Repository Goals Gain University-wide visibility of existing applications and infrastructure services Identify system and service ownership and accountability Identify systems which store sensitive information or have special compliance requirements (e.g. PCI DSS) Encourage collaboration and leveraging of resources and expertise Identify duplication and redundancy (show interconnections) (new) Enable improved management responsiveness to potential disruptions and incidents University of Guelph 28

  29. Building a Central IT Repository IT Assets • Current ‘beta’ Repository has two tables (Assets and People) • Asset table has two types: • Applications (transaction-processing systems) • Infrastructure ‘services’ (e.g. backup/recovery) University of Guelph

  30. Building a Central IT Repository IT Assets • Current ‘beta’ Repository has two tables (Assets and People) • Asset table has two types: • Applications (transaction-processing systems) • Infrastructure ‘services’ (e.g. backup/recovery) • I’m Thinking about: • A third asset type for academic/research (e.g. labs) • A third table for documenting IT Controls University of Guelph 30

  31. Building a Central IT Repository IT Asset Attributes • Attributes are chosen for high-level risk management, not for ITSM (service management). • Currently twenty-two attributes (see hand-out) • Attributes become metrics when summarized, allowing identification and analysis of areas of risk. • Current list of attributes has been reviewed and accepted by our senior IT governance committee (ITSC). University of Guelph

  32. Building a Central IT Repository University of Guelph

  33. Building a Central IT Repository University of Guelph

  34. Building a Central IT Repository IT People Records • Identify ‘IT People’ who are ‘related’ to Assets (i.e. who is accountable, who/where is IT support). University of Guelph

  35. Building a Central IT Repository IT People Records • Identify ‘IT People’ who are ‘related’ to Assets (i.e. who is accountable, who/where is IT support). • Identifies the individual’s role in relation to IT: • Executive Sponsor • System Owner • Primary (& alternate) Technical Support University of Guelph 35

  36. Building a Central IT Repository IT People Records • Identify ‘IT People’ who are ‘related’ to Assets (i.e. who is accountable, who/where is IT support). • Identifies the individual’s role in relation to IT: • Executive Sponsor • System Owner • Primary (& alternate) Technical Support • People record attributes: • Title, department, contact information • Emergency contact info (provided by individual) • Date Last Updated (& updated by) University of Guelph 36

  37. Building a Central IT Repository University of Guelph

  38. Building a Central IT Repository HOW Do We Build it? • Some History • Remember Y2k? • Initial CIO focus was mainly ‘information architecture’ University of Guelph

  39. Building a Central IT Repository HOW Do We Build it? • Some History • Remember Y2k? • Initial CIO focus was mainly discovering extent of “inter-connectedness” • Build vs Buy • CIO keen on trying a SaaS approach • We flip-flopped a couple of times University of Guelph 39

  40. Building a Central IT Repository HOW Do We Build it? • Some History • Remember Y2k? • Initial CIO focus was mainly ‘information architecture’ • Build vs Buy • CIO keen on trying a SaaS approach • We flip-flopped a couple of times • Low-key; keep it simple University of Guelph 40

  41. Building a Central IT Repository HOW Do We Build it? • Current Status • Stabilizing a ‘beta’ version of code and data structure • Populating the tables based on Central (CIO’s Office) knowledge • Previewing to selected stakeholders • Roll-out on hold pending secure authentication University of Guelph

  42. Building a Central IT Repository HOW Do We Build it? • Current Status • Stabilizing a ‘beta’ version of code and data structure • Populating the tables based on Central (CIO’s Office) knowledge • Previewing to selected stakeholders • Roll-out on hold pending secure authentication • Nice-to-haves • Identifying Assets not yet acquired but desired (i.e. IT demand) • Highlighting Assets which are ‘evolving’ (e.g. major upgrades) • Formal executive sponsorship University of Guelph 42

  43. Building a Central IT Repository 1. Recognize the value of a central IT Repository of IT Assets and IT ‘People’ • Enable informed decision-making and information sharing • Visibility (always a good starting point) • Highlight important risk-related information such as: • Technical support staff and 3rd party dependencies • Storage of sensitive data (compliance requirements) • E-commerce (PCI compliance requirements) University of Guelph

  44. Building a Central IT Repository 1. Recognize the value of a central IT Repository of IT Assets and IT ‘People’ • Enable informed decision-making and information sharing • Visibility (always a good starting point) • Highlight important risk-related information such as: • Technical support staff and 3rd party dependencies • Storage of sensitive data (compliance requirements) • E-commerce (PCI compliance requirements) • Accountability • Who is responsible? Connect IT Assets and People University of Guelph 44

  45. Building a Central IT Repository 1. Recognize the value of a central IT Repository of IT Assets and IT ‘People’ • Contingency Planning • Emergency preparedness • Incident response University of Guelph

  46. Building a Central IT Repository 1. Recognize the value of a central IT Repository of IT Assets and IT ‘People’ • Contingency Planning • Emergency preparedness • Incident response • IT Asset Security ‘Profiling’ (i.e. individual asset risk assessments) • Where is this Asset Hosted? • Who is responsible for technical support? • Are we scanning this Asset for vulnerabilities? University of Guelph 46

  47. Building a Central IT Repository Understand the basic requirements for IT Risk Management Risk Management Defined: A 3-phase process of identifying risk, assessing risk, and taking action to reduce risk to an acceptable (residual) level. Risk Defined: The function of the likelihood of a given threat exploiting a vulnerability and the resulting impact of that adverse event. Risk assessment starts with characterizing or classifying systems (assets) as to their overall criticality (e.g. financial impact, data sensitivity). The risk factors are the ‘attributes’ we want to gather for each system. University of Guelph

  48. Building a Central IT Repository Understand the basic requirements for IT Risk Management Requirement #1 = Asset Identification. University of Guelph 48

  49. Building a Central IT Repository Understand the basic requirements for IT Risk Management Requirement #1 = Asset Identification. Requirement #2 = gather risk-related attributes. University of Guelph 49

  50. Building a Central IT Repository Understand the basic requirements for IT Risk Management Requirement #1 = Asset Identification. Requirement #2 = gathering risk-related attributes. Ranking/classifying assets with highest risk impact ‘scores’. University of Guelph 50
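The deck describes the repository's shape (slides 29 to 36: an Assets table and a People table linked by roles such as System Owner and Primary Technical Support) and the risk-management use it is meant to serve (slides 47 to 50: risk as a function of likelihood and impact, asset identification, gathering risk attributes, then ranking assets by risk score). The Python below is an added example, not the University of Guelph's code or schema, that models those two tables and runs the queries a security team would want from such an inventory: rank assets by a risk score, list assets with a given compliance requirement, flag sensitive assets not covered by vulnerability scanning, and find accountability gaps (assets with no owner or support contact, or a contact that no longer exists in the People table). The attribute names, the 1 to 5 scales, the scoring weights and all sample rows are constructed for illustration.

```python
"""Toy model of a central IT repository: an Assets table and a People table
linked by role. Schema, scales, weights and data are constructed examples,
not the University of Guelph's actual repository."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Person:
    person_id: str
    name: str
    department: str
    contact: str


@dataclass
class Asset:
    asset_id: str
    name: str
    asset_type: str                 # "Application" or "Infrastructure Service"
    likelihood: int                 # 1 (rare) .. 5 (frequent); constructed scale
    impact: int                     # 1 (negligible) .. 5 (severe); constructed scale
    stores_sensitive_data: bool = False
    compliance: List[str] = field(default_factory=list)            # e.g. ["PCI DSS"]
    roles: Dict[str, Optional[str]] = field(default_factory=dict)  # role -> person_id
    hosted_at: str = ""
    vuln_scanned: bool = False


# Roles that must be filled for an asset to count as accountable (assumption).
REQUIRED_ROLES = ("System Owner", "Primary Technical Support")


def risk_score(asset: Asset) -> int:
    """Risk as the deck defines it: a function of likelihood and impact.
    The product form and the fixed uplifts for sensitive data and each
    compliance regime are constructed assumptions, not a standard formula."""
    score = asset.likelihood * asset.impact
    if asset.stores_sensitive_data:
        score += 5
    score += 5 * len(asset.compliance)
    return score


def rank_by_risk(assets: List[Asset]) -> List[Asset]:
    """Highest-risk assets first (slide 50: rank/classify by risk score)."""
    return sorted(assets, key=risk_score, reverse=True)


def accountability_gaps(assets: List[Asset], people: Dict[str, Person]) -> Dict[str, List[str]]:
    """Assets missing a required role, or pointing at a person_id that is not
    in the People table (a stale record after someone leaves)."""
    gaps: Dict[str, List[str]] = {}
    for a in assets:
        missing = [r for r in REQUIRED_ROLES
                   if a.roles.get(r) is None or a.roles[r] not in people]
        if missing:
            gaps[a.asset_id] = missing
    return gaps


def assets_with_compliance(assets: List[Asset], regime: str) -> List[str]:
    """Asset ids subject to a named compliance regime, e.g. where cardholder data lives."""
    return [a.asset_id for a in assets if regime in a.compliance]


def unscanned_sensitive(assets: List[Asset]) -> List[str]:
    """Sensitive-data assets not covered by vulnerability scanning (slide 46 question)."""
    return [a.asset_id for a in assets if a.stores_sensitive_data and not a.vuln_scanned]


# Constructed sample rows. "P-999" is a deliberately dangling reference.
PEOPLE: Dict[str, Person] = {p.person_id: p for p in [
    Person("P-001", "Example Owner", "Registrar", "owner@example.invalid"),
    Person("P-002", "Example Admin", "Central IT", "admin@example.invalid"),
]}

ASSETS: List[Asset] = [
    Asset("APP-001", "Student Records", "Application", likelihood=2, impact=5,
          stores_sensitive_data=True,
          roles={"System Owner": "P-001", "Primary Technical Support": "P-002"},
          hosted_at="central data centre", vuln_scanned=True),
    Asset("APP-002", "Online Payments", "Application", likelihood=3, impact=4,
          stores_sensitive_data=True, compliance=["PCI DSS"],
          roles={"System Owner": "P-001", "Primary Technical Support": None},
          hosted_at="hosted by vendor", vuln_scanned=False),
    Asset("SVC-001", "Backup/Recovery", "Infrastructure Service", likelihood=2, impact=3,
          roles={"System Owner": "P-999", "Primary Technical Support": "P-002"},
          hosted_at="central data centre", vuln_scanned=True),
]


if __name__ == "__main__":
    for a in rank_by_risk(ASSETS):
        print(f"{risk_score(a):3d}  {a.asset_id}  {a.name}")
    print("accountability gaps:", accountability_gaps(ASSETS, PEOPLE))
    print("PCI DSS assets:", assets_with_compliance(ASSETS, "PCI DSS"))
    print("sensitive but unscanned:", unscanned_sensitive(ASSETS))
```

The dangling `P-999` reference is the case a real repository hits constantly: the People record goes away before the Asset record is corrected, which is why the deck's "Date Last Updated (& updated by)" attribute and a periodic gap report matter more than the initial data load.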