IT Risk Management in Government. Jonathan Smith, Sr. Risk Manager, Commonwealth Security and Risk Management. October 1, 2013. www.vita.virginia.gov


Page 1: Title

IT Risk Management in Government
Jonathan Smith, Sr. Risk Manager
Commonwealth Security and Risk Management
October 1, 2013
www.vita.virginia.gov

Page 2: Agenda

• Introduction
• Background
  – Virginia Information Technologies Agency
  – Commonwealth Security and Risk Management
  – Information Security and Reporting
• Measuring Commonwealth Risk
• Governance, Risk Management, and Compliance

Page 3: Virginia Information Technologies Agency

• Statewide IT infrastructure for in-scope government entities
• Prior to VITA there were 90+ independent, autonomous IT shops
• IT infrastructure partnership (Commonwealth of Virginia & Northrop Grumman)
• Approx. 58,000 PCs, 3,500 servers, 60,000 accounts, over 2,000 circuits and 2 data centers
• Centralized oversight of IT projects, security, procurement, standards, policy and procedures

Page 4: Commonwealth Security and Risk Management

Security Operations
• Operations and architectural design

Security Governance
• Policies, standards and procedures
• IT security audit program
• VITA ISO duties

Risk Management
• Commonwealth Risk Management program
• Business impact analysis
• Risk assessments
• IT security incident response

Page 5: § 2.2-2009

§ 2.2-2009. Additional duties of the CIO relating to security of government information.

C. The CIO shall annually report to the Governor, the Secretary, and General Assembly those executive branch and independent agencies and institutions of higher education that have not implemented acceptable policies, procedures, and standards to control unauthorized uses, intrusions, or other security threats. For any executive branch or independent agency or institution of higher education whose security audit results and plans for corrective action are unacceptable, the CIO shall report such results to (i) the Secretary, (ii) any other affected cabinet secretary, (iii) the Governor, and (iv) the Auditor of Public Accounts. Upon review of the security audit results in question, the CIO may take action to suspend the public body's information technology projects pursuant to § 2.2-2015, limit additional information technology investments pending acceptable corrective actions, and recommend to the Governor and Secretary any other appropriate actions.

The CIO shall also include in this report (a) results of security audits, including those state agencies, independent agencies, and institutions of higher education that have not implemented acceptable regulations, standards, policies, and guidelines to control unauthorized uses, intrusions, or other security threats and (b) the extent to which security standards and guidelines have been adopted by state agencies.

Page 6: Annual Report on Information Security

Assessment of the Commonwealth information security program:
• Legislative requirement beginning in 2008
• CIO annually reports to the Governor, Cabinet Secretaries, and General Assembly on:
  – Agency Information Security Programs
  – Agency Risk Management Programs
  – Agency IT Security Audit Programs
  – Commonwealth Operational Security
  – IT Security Incidents

Page 7: Understanding Commonwealth Risk

• Business Impact Analysis:
  – Identify primary and critical organizational business processes
  – Identify the IT systems that those business processes rely on
  – Identify Recovery Time Objectives (RTO)
  – Identify Recovery Point Objectives (RPO)
  – Rate the business process for availability
• Impact on life, safety, legal requirements, regulations, customer service and sensitive data if the business process, or the IT systems supporting it, are unavailable.

Page 8: Understanding Commonwealth Risk

• Risk Assessments:
  – Identify the sensitivity of the IT system (confidentiality, integrity, and/or availability)
  – Assess the implementation of controls
  – Identify threats and potential risks
  – Rate the risks
  – Determine the probability of threat occurrence
  – Determine the potential impact if the threat occurs
  – Identify mitigating controls
  – Determine and implement mitigating controls
  – Determine residual risk: create findings and corrective actions when residual risk is too high

Page 9: Understanding Commonwealth Risk

• IT Security Audits (Internal Audit, APA Audit, External (contractor))
  – Identify security audit findings
  – Create corrective action/remediation plans for findings
  – Track the remediation of the findings until closed
  – Validate remediation
• Vulnerability Scanning
• Operational findings

Page 10: What have we learned from the Annual Report?

• IT Security and Audit resources are not adequate across the Commonwealth as a whole
• Agencies are not properly planning for information security requirements
• Unless agency executives understand the impact of the risk carried, decisions made could potentially result in adverse consequences

Page 11: Next steps for CSRM

• Moving to a risk-based information security program
• Currently implementing a Governance, Risk Management and Compliance (GRC) tool
• Make risk recommendations for where to invest resources across the Commonwealth
• Adhere to a set level of risk tolerance across the Commonwealth

Page 12: How Does CSRM Measure Agency Risk?

• Risk levels are primarily based on findings
  – Can come from any source
    • Security audit, risk assessment, operational data, etc.
• Finding criticality level is based on several factors, examples include:
  – Business process criticality level
  – Confidentiality of the data
  – Criticality of the application affected
  – Likelihood of occurrence
  – Magnitude of impact
  – Length of time the finding has been open
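The slides list the factors that drive finding criticality (and, on Page 8, the probability and impact ratings behind a risk assessment) but give no scale, weights or thresholds. The following added example, which is not VITA's or CSRM's code, models a finding with those factors, escalates it by how long it has stayed open, and rolls findings up to an agency view. The three-point ordinal scale, the per-quarter age escalation, the level thresholds and the sample findings are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Three-point ordinal scale; an assumption for illustration, since the slides
# list the factors but publish no scale, weights or thresholds.
LEVELS = {"low": 1, "moderate": 2, "high": 3}

@dataclass
class Finding:
    source: str               # security audit, risk assessment, operational data, ...
    process_criticality: str  # criticality of the business process affected
    data_confidentiality: str # confidentiality of the data involved
    app_criticality: str      # criticality of the application affected
    likelihood: str           # likelihood of occurrence
    impact: str               # magnitude of impact
    opened: date              # when the finding was raised (drives "length of time open")

def criticality_score(f: Finding, today: date) -> int:
    """Sum the five ordinal factor ratings, then escalate by how long the finding is open."""
    factors = (f.process_criticality, f.data_confidentiality,
               f.app_criticality, f.likelihood, f.impact)
    base = sum(LEVELS[x] for x in factors)        # 5..15
    quarters_open = (today - f.opened).days // 90
    return base + min(quarters_open, 3)           # +1 per quarter open, capped at +3 (assumed)

def criticality_level(score: int) -> str:
    """Map a score (5..18) to a level; thresholds are assumed, not VITA's."""
    if score >= 13:
        return "high"
    if score >= 9:
        return "moderate"
    return "low"

def agency_risk(findings: list, today: date) -> dict:
    """Roll open findings up to an agency view: count per level and the worst score."""
    counts = {"high": 0, "moderate": 0, "low": 0}
    worst = 0
    for f in findings:
        score = criticality_score(f, today)
        counts[criticality_level(score)] += 1
        worst = max(worst, score)
    return {"counts": counts, "max_score": worst}

# Constructed sample findings for one hypothetical agency, as of the talk date.
AS_OF = date(2013, 10, 1)
SAMPLE = [
    Finding("security audit", "high", "high", "high", "high", "high", date(2013, 1, 1)),
    Finding("risk assessment", "moderate", "high", "moderate", "low", "moderate", date(2013, 4, 1)),
    Finding("operational data", "low", "low", "low", "low", "low", date(2013, 9, 15)),
]
```

An audit finding that has sat open for three quarters outranks a newer one with the same factor ratings, which is the behaviour the "length of time open" factor is meant to produce.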

Page 13: Governance, Risk Management and Compliance (GRC) Tool

Why GRC?
• Integrate the existing IT Security programs & processes into a single centralized tool
• Provide a better understanding of the risks that Commonwealth Agencies carry
• Provide Agency and Commonwealth Executives an understanding of where resources should be allocated to manage risk

Page 14: Governance, Risk Management and Compliance (GRC) Tool

What is captured in the GRC tool?
• Business Processes
• Applications
• IT Security Audit Program Information
• Risk Assessments
• Findings
• Remediation Plans
• IT Security Incidents
• Security Exceptions

Page 15: Additional Benefits of a GRC tool

• Advanced Reporting
• Dashboards
• IT Asset Inventory
• Control & Policy Library
• Questionnaires/Assessments

Page 16: What will CSRM do with the tool?

• Enhance reporting capabilities
  – Identify agencies carrying too much risk
  – Monitor remediation of risk at agencies
  – Show progress of agencies remediating risk
  – Identify operational issues increasing agency risk
• Make recommendations based on risk
  – Recommendations to AITR, ISO, agency head, secretary, and/or Commonwealth CIO
  – Can include a recommendation to restrict IT investments until acceptable remediation is in place, underway, planned, or complete

Page 17: What Challenges Has CSRM Faced?

• Normalizing data
  – Data comes from multiple sources
    • Agency ISO
    • Agency Internal Audit
    • Agency Information Technology Department
    • Infrastructure partnership
    • Other VITA data sets
• Agency “buy-in”
• User training

Page 18: Questions?

Jonathan Smith
Senior Risk Manager
Commonwealth Security and Risk Management
Virginia Information Technologies Agency (VITA)
[email protected]