of 23

IT GRC in Higher Education (286866068)

Published on February 2017 | Categories: Documents | Downloads: 5 | Comments: 0
43 views

Comments

Content

IT GRC in Higher Education

Agenda







Speaker
Introductions
EDUCAUSE IT GRC
Program
IT Governance
IT Risk
IT Compliance
Get involved!

This presentation leaves copyright of the content to the presenters. Unless otherwise noted in 
the materials, uploaded content carries the Creative Commons Attribution‐NonCommercial‐
ShareAlike license, which grants usage to the general public with the stipulated criteria.

Speaker Bio
Michael Corn
• Deputy CIO, Brandeis
University
• 12 years as CISO
• Mostly working on governance
and strategy
• Career limiting skepticism of
social media
(@MichaelAlanCorn)

Speaker Bio
Joanna Grama
• Director of Cybersecurity and IT
GRC Programs at EDUCAUSE
• Lawyer by training
• Credential hoarder by choice
(CISSP, CIPT, CRISC)
• Social media addict
(@runforserenity)
• (Reformed) helicopter parent

EDUCAUSE IT GRC PROGRAM
• Resources and research to help develop higher
education IT GRC programs
• Multi-disciplinary approach: Established
relationships with NACUBO (business), ACUA
(auditors), URMIA (risk management), NACUA
(attorneys)
• 201 IT-GRC discussion list members
The EDUCAUSE IT-GRC program provides resources that help
IT professionals define and implement IT GRC activities on their
campuses. Learn more and view additional resources at
www.educause.edu/it-grc

The 2015 EDUCAUSE Top 10 IT Issues List
IT GRC Themes
Governance

Risk

Compliance

• #5: Demonstrating the business value of information technology and how 
technology and the IT organization can help the institution achieve its goals
• #6: Increasing the IT organization’s capacity for managing change, despite differing 
community needs, priorities, and abilities

• #7: Providing user support in the new normal—mobile, online education, cloud, 
and BYOD environments
• #9: Developing an enterprise IT architecture that can respond to changing 
conditions and new opportunities
• #10: Balancing agility, openness, and security

• #8: Developing mobile, cloud, and digital security policies that work for most of the 
institutional community

IT GRC Definitions--Governance

Governance

Risk

Compliance

• Decision‐making processes 
• Ensure the effective and efficient use of IT 
• Enable an institution to achieve its strategic goals

What Does the IT Governance Body Do?

Source: Jacqueline Bichsel and Patrick Feehan, Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in 
Higher Education (Louisville, CO: ECAR, June 2014), http://www.educause.edu/library/resources/it‐governance‐risk‐and‐
compliance‐higher‐education. 

Evolution of Governance at Brandeis





Couple technology governance to University Governance
Technology = Technology + Business Process
Data Governance
Rationalize Governance through Integrated Planning

Source for definitions: http://www.riskope.com/2014/04/03/lets‐define‐strategic‐tactical‐and‐operational‐planning/

Questions About IT Governance






What do you need to govern?
How is IT governance different from making good business
decisions? (Is it?)
Does IT governance fit into and inform already established
institutional governance processes?
Is governance possible if budget money is not attached to
governance decisions?
What does higher education need to effectively govern IT?

IT GRC Definitions--Risk

Governance

Risk

Compliance

• The potential for an unplanned, negative business outcome; IT 
risk is a business risk
• Events that could potentially impact the entire institution; not 
just those that would affect IT operations and staff
• Creates challenges in meeting strategic goals 

Balance Between Risk Control and
Openness

Source: Jacqueline Bichsel and Patrick Feehan, Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in 
Higher Education (Louisville, CO: ECAR, June 2014), http://www.educause.edu/library/resources/it‐governance‐risk‐and‐
compliance‐higher‐education. 

Questions About IT Risk







What are the IT risks that would cause the institution to fail to
achieve its goals or operational excellence?
Who should IT leadership tap to lead its IT risk management
efforts? (Security? Infrastructure? Planning? Business
Continuity?)
Is there already a coordinated enterprise-wide risk
management initiative at your institution, such as an
Enterprise Risk Management (ERM) program? Can IT risk
management work within that initiative?
What is the appropriate balance between risk control and
openness in higher education? (Is there an appropriate
balance across the board?)
What does higher education need to effectively identify and
respond to IT risk?

IT GRC Definitions--Compliance
Governance

Risk

Compliance

• Operating IT systems in a way that meets imposed constraints
• Laws and regulations; contracts and agreements
• Institutional policies

IT Compliance Practices

Source: Jacqueline Bichsel and Patrick Feehan, Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in 
Higher Education (Louisville, CO: ECAR, June 2014), http://www.educause.edu/library/resources/it‐governance‐risk‐and‐
compliance‐higher‐education. 

Questions About IT Compliance







What are the laws and regulations that impact the operation
of institutional IT resources (or the data in those resources)?
What institutional policies apply to operation of institutional IT
resources (or the data in those resources)?
Do you know what contracts/agreements your institution has
made or entered into that impose conditions on the use of
institutional IT resources (or the data in those resources)?
Is there already a coordinated, enterprise-wide compliance
initiative at your institution, and can IT compliance activities
fit into or help inform the larger program?
Is IT compliance optional? (And does your institution treat it
that way?)
What does higher education need to effectively identify and
respond to IT risk?

SO WHAT NEXT??

Governance

Risk

Compliance

• Decision‐making processes 
• Ensure the effective and efficient use of IT 
• Enable an institution to achieve its strategic goals

• The potential for an unplanned, negative business outcome; IT risk is a business risk
• Events that could potentially impact the entire institution; not just those that would 
affect IT operations and staff
• Creates challenges in meeting strategic goals 

• Operating IT systems in a way that meets constraints imposed on the institution
• Laws and regulations; contracts and agreements
• Institutional policies

EDUCAUSE IT GRC PROGRAM
• 2014 ECAR Research on IT GRC in Higher Ed
• EDUCAUSE Review “Good Ideas” articles
• Curated EDUCAUSE library resources
Available at: www.educause.edu/it-grc

IT GRC Program Risk Register
• New Resource: IT Risk Register
• Intended to help institutional IT departments to get
their strategic IT risk-management programs off
the ground
• 34 strategic risks, sortable and with references

IT GRC Program Risk Register
• Sort by risk type:
• Compliance
• Financial
• System/Service/IT Life Cycle
• Operational
• Reputational
• Strategic

IT GRC Program Risk Register
• Sort by IT domain
• Based on the EDUCAUSE Core Data
Service for cross-referencing with that tool
• 11 domain areas

Get Involved! IT GRC Program
Webpage with resources: http://www.educause.edu/it‐grc
Join the discussion: ITGRC‐[email protected]
Interested in volunteering?  Email [email protected]

Sponsor Documents

Or use your account on DocShare.tips

Hide

Forgot your password?

Or register your new account on DocShare.tips

Hide

Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in

Close