IT GRC in Higher Education (286866068)
Content
IT GRC in Higher Education
Agenda
•
•
•
•
•
•
Speaker
Introductions
EDUCAUSE IT GRC
Program
IT Governance
IT Risk
IT Compliance
Get involved!
This presentation leaves copyright of the content to the presenters. Unless otherwise noted in
the materials, uploaded content carries the Creative Commons Attribution‐NonCommercial‐
ShareAlike license, which grants usage to the general public with the stipulated criteria.
Speaker Bio
Michael Corn
• Deputy CIO, Brandeis
University
• 12 years as CISO
• Mostly working on governance
and strategy
• Career limiting skepticism of
social media
(@MichaelAlanCorn)
Speaker Bio
Joanna Grama
• Director of Cybersecurity and IT
GRC Programs at EDUCAUSE
• Lawyer by training
• Credential hoarder by choice
(CISSP, CIPT, CRISC)
• Social media addict
(@runforserenity)
• (Reformed) helicopter parent
EDUCAUSE IT GRC PROGRAM
• Resources and research to help develop higher
education IT GRC programs
• Multi-disciplinary approach: Established
relationships with NACUBO (business), ACUA
(auditors), URMIA (risk management), NACUA
(attorneys)
• 201 IT-GRC discussion list members
The EDUCAUSE IT-GRC program provides resources that help
IT professionals define and implement IT GRC activities on their
campuses. Learn more and view additional resources at
www.educause.edu/it-grc
The 2015 EDUCAUSE Top 10 IT Issues List
IT GRC Themes
Governance
Risk
Compliance
• #5: Demonstrating the business value of information technology and how
technology and the IT organization can help the institution achieve its goals
• #6: Increasing the IT organization’s capacity for managing change, despite differing
community needs, priorities, and abilities
• #7: Providing user support in the new normal—mobile, online education, cloud,
and BYOD environments
• #9: Developing an enterprise IT architecture that can respond to changing
conditions and new opportunities
• #10: Balancing agility, openness, and security
• #8: Developing mobile, cloud, and digital security policies that work for most of the
institutional community
IT GRC Definitions--Governance
Governance
Risk
Compliance
• Decision‐making processes
• Ensure the effective and efficient use of IT
• Enable an institution to achieve its strategic goals
What Does the IT Governance Body Do?
Source: Jacqueline Bichsel and Patrick Feehan, Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in
Higher Education (Louisville, CO: ECAR, June 2014), http://www.educause.edu/library/resources/it‐governance‐risk‐and‐
compliance‐higher‐education.
Evolution of Governance at Brandeis
•
•
•
•
Couple technology governance to University Governance
Technology = Technology + Business Process
Data Governance
Rationalize Governance through Integrated Planning
Source for definitions: http://www.riskope.com/2014/04/03/lets‐define‐strategic‐tactical‐and‐operational‐planning/
Questions About IT Governance
•
•
•
•
•
What do you need to govern?
How is IT governance different from making good business
decisions? (Is it?)
Does IT governance fit into and inform already established
institutional governance processes?
Is governance possible if budget money is not attached to
governance decisions?
What does higher education need to effectively govern IT?
IT GRC Definitions--Risk
Governance
Risk
Compliance
• The potential for an unplanned, negative business outcome; IT
risk is a business risk
• Events that could potentially impact the entire institution; not
just those that would affect IT operations and staff
• Creates challenges in meeting strategic goals
Balance Between Risk Control and
Openness
Source: Jacqueline Bichsel and Patrick Feehan, Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in
Higher Education (Louisville, CO: ECAR, June 2014), http://www.educause.edu/library/resources/it‐governance‐risk‐and‐
compliance‐higher‐education.
Questions About IT Risk
•
•
•
•
•
What are the IT risks that would cause the institution to fail to
achieve its goals or operational excellence?
Who should IT leadership tap to lead its IT risk management
efforts? (Security? Infrastructure? Planning? Business
Continuity?)
Is there already a coordinated enterprise-wide risk
management initiative at your institution, such as an
Enterprise Risk Management (ERM) program? Can IT risk
management work within that initiative?
What is the appropriate balance between risk control and
openness in higher education? (Is there an appropriate
balance across the board?)
What does higher education need to effectively identify and
respond to IT risk?
IT GRC Definitions--Compliance
Governance
Risk
Compliance
• Operating IT systems in a way that meets imposed constraints
• Laws and regulations; contracts and agreements
• Institutional policies
IT Compliance Practices
Source: Jacqueline Bichsel and Patrick Feehan, Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in
Higher Education (Louisville, CO: ECAR, June 2014), http://www.educause.edu/library/resources/it‐governance‐risk‐and‐
compliance‐higher‐education.
Questions About IT Compliance
•
•
•
•
•
•
What are the laws and regulations that impact the operation
of institutional IT resources (or the data in those resources)?
What institutional policies apply to operation of institutional IT
resources (or the data in those resources)?
Do you know what contracts/agreements your institution has
made or entered into that impose conditions on the use of
institutional IT resources (or the data in those resources)?
Is there already a coordinated, enterprise-wide compliance
initiative at your institution, and can IT compliance activities
fit into or help inform the larger program?
Is IT compliance optional? (And does your institution treat it
that way?)
What does higher education need to effectively identify and
respond to IT risk?
SO WHAT NEXT??
Governance
Risk
Compliance
• Decision‐making processes
• Ensure the effective and efficient use of IT
• Enable an institution to achieve its strategic goals
• The potential for an unplanned, negative business outcome; IT risk is a business risk
• Events that could potentially impact the entire institution; not just those that would
affect IT operations and staff
• Creates challenges in meeting strategic goals
• Operating IT systems in a way that meets constraints imposed on the institution
• Laws and regulations; contracts and agreements
• Institutional policies
EDUCAUSE IT GRC PROGRAM
• 2014 ECAR Research on IT GRC in Higher Ed
• EDUCAUSE Review “Good Ideas” articles
• Curated EDUCAUSE library resources
Available at: www.educause.edu/it-grc
IT GRC Program Risk Register
• New Resource: IT Risk Register
• Intended to help institutional IT departments to get
their strategic IT risk-management programs off
the ground
• 34 strategic risks, sortable and with references
IT GRC Program Risk Register
• Sort by risk type:
• Compliance
• Financial
• System/Service/IT Life Cycle
• Operational
• Reputational
• Strategic
IT GRC Program Risk Register
• Sort by IT domain
• Based on the EDUCAUSE Core Data
Service for cross-referencing with that tool
• 11 domain areas
Get Involved! IT GRC Program
Webpage with resources: http://www.educause.edu/it‐grc
Join the discussion: ITGRC‐[email protected]
Interested in volunteering? Email [email protected]
Agenda
•
•
•
•
•
•
Speaker
Introductions
EDUCAUSE IT GRC
Program
IT Governance
IT Risk
IT Compliance
Get involved!
This presentation leaves copyright of the content to the presenters. Unless otherwise noted in
the materials, uploaded content carries the Creative Commons Attribution‐NonCommercial‐
ShareAlike license, which grants usage to the general public with the stipulated criteria.
Speaker Bio
Michael Corn
• Deputy CIO, Brandeis
University
• 12 years as CISO
• Mostly working on governance
and strategy
• Career limiting skepticism of
social media
(@MichaelAlanCorn)
Speaker Bio
Joanna Grama
• Director of Cybersecurity and IT
GRC Programs at EDUCAUSE
• Lawyer by training
• Credential hoarder by choice
(CISSP, CIPT, CRISC)
• Social media addict
(@runforserenity)
• (Reformed) helicopter parent
EDUCAUSE IT GRC PROGRAM
• Resources and research to help develop higher
education IT GRC programs
• Multi-disciplinary approach: Established
relationships with NACUBO (business), ACUA
(auditors), URMIA (risk management), NACUA
(attorneys)
• 201 IT-GRC discussion list members
The EDUCAUSE IT-GRC program provides resources that help
IT professionals define and implement IT GRC activities on their
campuses. Learn more and view additional resources at
www.educause.edu/it-grc
The 2015 EDUCAUSE Top 10 IT Issues List
IT GRC Themes
Governance
Risk
Compliance
• #5: Demonstrating the business value of information technology and how
technology and the IT organization can help the institution achieve its goals
• #6: Increasing the IT organization’s capacity for managing change, despite differing
community needs, priorities, and abilities
• #7: Providing user support in the new normal—mobile, online education, cloud,
and BYOD environments
• #9: Developing an enterprise IT architecture that can respond to changing
conditions and new opportunities
• #10: Balancing agility, openness, and security
• #8: Developing mobile, cloud, and digital security policies that work for most of the
institutional community
IT GRC Definitions--Governance
Governance
Risk
Compliance
• Decision‐making processes
• Ensure the effective and efficient use of IT
• Enable an institution to achieve its strategic goals
What Does the IT Governance Body Do?
Source: Jacqueline Bichsel and Patrick Feehan, Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in
Higher Education (Louisville, CO: ECAR, June 2014), http://www.educause.edu/library/resources/it‐governance‐risk‐and‐
compliance‐higher‐education.
Evolution of Governance at Brandeis
•
•
•
•
Couple technology governance to University Governance
Technology = Technology + Business Process
Data Governance
Rationalize Governance through Integrated Planning
Source for definitions: http://www.riskope.com/2014/04/03/lets‐define‐strategic‐tactical‐and‐operational‐planning/
Questions About IT Governance
•
•
•
•
•
What do you need to govern?
How is IT governance different from making good business
decisions? (Is it?)
Does IT governance fit into and inform already established
institutional governance processes?
Is governance possible if budget money is not attached to
governance decisions?
What does higher education need to effectively govern IT?
IT GRC Definitions--Risk
Governance
Risk
Compliance
• The potential for an unplanned, negative business outcome; IT
risk is a business risk
• Events that could potentially impact the entire institution; not
just those that would affect IT operations and staff
• Creates challenges in meeting strategic goals
Balance Between Risk Control and
Openness
Source: Jacqueline Bichsel and Patrick Feehan, Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in
Higher Education (Louisville, CO: ECAR, June 2014), http://www.educause.edu/library/resources/it‐governance‐risk‐and‐
compliance‐higher‐education.
Questions About IT Risk
•
•
•
•
•
What are the IT risks that would cause the institution to fail to
achieve its goals or operational excellence?
Who should IT leadership tap to lead its IT risk management
efforts? (Security? Infrastructure? Planning? Business
Continuity?)
Is there already a coordinated enterprise-wide risk
management initiative at your institution, such as an
Enterprise Risk Management (ERM) program? Can IT risk
management work within that initiative?
What is the appropriate balance between risk control and
openness in higher education? (Is there an appropriate
balance across the board?)
What does higher education need to effectively identify and
respond to IT risk?
IT GRC Definitions--Compliance
Governance
Risk
Compliance
• Operating IT systems in a way that meets imposed constraints
• Laws and regulations; contracts and agreements
• Institutional policies
IT Compliance Practices
Source: Jacqueline Bichsel and Patrick Feehan, Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in
Higher Education (Louisville, CO: ECAR, June 2014), http://www.educause.edu/library/resources/it‐governance‐risk‐and‐
compliance‐higher‐education.
Questions About IT Compliance
•
•
•
•
•
•
What are the laws and regulations that impact the operation
of institutional IT resources (or the data in those resources)?
What institutional policies apply to operation of institutional IT
resources (or the data in those resources)?
Do you know what contracts/agreements your institution has
made or entered into that impose conditions on the use of
institutional IT resources (or the data in those resources)?
Is there already a coordinated, enterprise-wide compliance
initiative at your institution, and can IT compliance activities
fit into or help inform the larger program?
Is IT compliance optional? (And does your institution treat it
that way?)
What does higher education need to effectively identify and
respond to IT risk?
SO WHAT NEXT??
Governance
Risk
Compliance
• Decision‐making processes
• Ensure the effective and efficient use of IT
• Enable an institution to achieve its strategic goals
• The potential for an unplanned, negative business outcome; IT risk is a business risk
• Events that could potentially impact the entire institution; not just those that would
affect IT operations and staff
• Creates challenges in meeting strategic goals
• Operating IT systems in a way that meets constraints imposed on the institution
• Laws and regulations; contracts and agreements
• Institutional policies
EDUCAUSE IT GRC PROGRAM
• 2014 ECAR Research on IT GRC in Higher Ed
• EDUCAUSE Review “Good Ideas” articles
• Curated EDUCAUSE library resources
Available at: www.educause.edu/it-grc
IT GRC Program Risk Register
• New Resource: IT Risk Register
• Intended to help institutional IT departments to get
their strategic IT risk-management programs off
the ground
• 34 strategic risks, sortable and with references
IT GRC Program Risk Register
• Sort by risk type:
• Compliance
• Financial
• System/Service/IT Life Cycle
• Operational
• Reputational
• Strategic
IT GRC Program Risk Register
• Sort by IT domain
• Based on the EDUCAUSE Core Data
Service for cross-referencing with that tool
• 11 domain areas
Get Involved! IT GRC Program
Webpage with resources: http://www.educause.edu/it‐grc
Join the discussion: ITGRC‐[email protected]
Interested in volunteering? Email [email protected]
