Addressing Complex Security Threats Through Risk Management EDUCAUSE Security Professionals Conference May 6, 2008 Rebecca J. Whitener, CPA, CIA, CISA, CFE Former Vice President and Chief Risk Officer EDS


Page 1: Addressing Complex Security Threats Through Risk Management

EDUCAUSE Security Professionals Conference, May 6, 2008

Rebecca J. Whitener, CPA, CIA, CISA, CFE, Former Vice President and Chief Risk Officer, EDS

Page 2: There are complex issues affecting business, government and higher education

Page 3: Advances in technology create new exposures

“… each new wave of technology will make obsolete existing information security measures, increasing security exposures in new and legacy environments”

Gartner

Page 4: Organizations of all types are susceptible to these threats…

[Slide image: a mock newspaper front page dated April 2, 2001 (“Final” edition). Headline: “Your Company” a victim of cyberspace crime again. Third time in two weeks. Could it have been prevented? Sidebar heading: “Online Attacks”. Chart residue: yearly values of $1,000 (1998), $1,100 (1999), $1,500 (2000), $2,200 (2001) and $3,500 (2002). The remaining body copy is the newspaper template’s placeholder text.]

Washington Post

226,874,657 records containing sensitive personal information involved in security breaches in the U.S. since January 2005. Privacy Rights Clearinghouse, www.privacyrights.org, updated through May 4, 2008.

Page 5: Educational Security Incidents – 2007 *

2007 marked a significant change for information security incidents occurring at colleges and universities around the world, as reported in the news.

A sample of the information in the Educational Security Incidents (ESI) Year in Review - 2007:

◦ Total number of incidents: 139 (a 67.5% increase over 2006)
◦ Total number of institutions affected: 112 (a 72.3% increase over 2006)

* The ESI Year in Review - 2007, by Adam Dodge, posted February 10th, 2008

Page 6: Standard mode of operation for adverse event responses is becoming increasingly ineffective

The standard mode today:
◦ Reactive
◦ Response to an event
◦ IT driven
◦ Based on assessments of vulnerabilities

Generally NOT:
◦ Pro-active
◦ Focused on resilience
◦ Cross-functional
◦ Built upon a comprehensive “Risk” assessment

Page 7: Enterprise Risk Management is emerging in response to these complex challenges*

Driving forces: Governance, Disasters, Regulatory actions

These forces are leading to an increase in the need for a comprehensive view of enterprise-wide risks and the emergence of a new role – the Chief Risk Officer.

*Forrester

Page 8: Stages of Enterprise Risk Management

Governance, Risk and Compliance Continuum: Traditional Silo-based → Cross Functional Coordination → True Risk Resiliency

◦ Traditional - Focus on business line processes, internal controls
◦ Enterprise-wide Coordination - CRO, Audit, General Counsel or cross-functional team develops a common direction for Governance, Risk and Compliance (GRC)
◦ Move to Increased Monitoring and Reporting
◦ Analysis - Collection and evaluation of data helps determine the impact and likelihood of risk events
◦ Aggregation and Integration - Full integration into cross-functional processes and technologies

“…many business experts believe that the concept of a cross-functional convergence of these activities (Governance, Risk and Compliance) represents a progressive approach in this area, and is quickly replacing the traditional fragmented or silo mentality.”

The Corporate Defense Continuum, Risk and Compliance, Sean Lyons, 1/23/2007

Page 9: ERM objectives include a balance between cost/benefit and opportunity optimization

[Diagram: Enterprise Risk Management balancing Adverse Events against Opportunities]

Page 10: ERM implementations are challenging

Page 11: Why is ERM so complex?

◦ Often requires a “culture” change
◦ It is hard to distinguish ERM from “old fashioned” business management
◦ The approach that works for some companies may not work for others
◦ ERM models are about estimating the impact and likelihood of risk events
◦ The risk environment includes the behavior of people (difficult to predict)
◦ Each “Risk” being considered within an ERM model is often highly dependent upon context

Page 12: The complexity of the task requires an effective strategy

“… protecting the complex, technology-dependent, globally focused organization today is still in the hands of organizational structures and methods that were developed before the commercial computer age – let alone the network age. … Given this and the “silo” development of operational risk functions, the compelling question organizations now need to ask is “what constitutes good risk management?”” BRG, 2005

Any organization’s risk management strategy sits somewhere on this scale:
◦ Weak or non-existent cross-functional risk processes
◦ Some well developed processes with gaps
◦ Effective risk models and processes (Desired State)

Page 13: Elements of a comprehensive risk management strategy

◦ Governance and Organization
◦ Risk Issue Identification
◦ Map to Process and Owner
◦ Assessment/Measurement
◦ Action Plan Management
◦ Status Reporting
◦ Culture and Awareness

Context is Critical

Page 14: ERM framework & standards are available

COSO = Committee of Sponsoring Organizations

Risk Management Framework (based on AS/NZS 4360: Australian/New Zealand Standard Risk Management)

Risk Governance, with Awareness and Communications running across every step:
◦ Risk Management Context
◦ Risk Identification
◦ Risk Analysis
◦ Risk Evaluation
◦ Risk Treatment
◦ Monitor and Report

Page 15: Prioritization of Risks

Collaborate on strategy
◦ Cross functional input from legal, audit, CRO, CFO, CSPO, risk owners

Identify and classify relevant compliance requirements as they relate to:
◦ Strategic, Financial, Operational, Technology objectives

Assess impact, assign confidence ranking
◦ Identify impact/likelihood of adverse events on corporate objectives
◦ Assess inherent risks of noncompliance
◦ Assess risks remaining after mitigations
◦ Plot risks on risk map

Focus on areas with highest concerns
◦ Risks are not equally important
◦ Focus on those high and to the right

[Risk map: axes Impact and Likelihood; the “High Focus Risks” are the ones high and to the right]
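To make the assess, plot and focus steps above concrete, here is an added example in Python; it is not code from the presentation or from EDS. It assumes 1-to-5 ordinal scales for impact and likelihood (impact on the vertical axis), a cutoff of 4 on both axes for the “high focus” corner, mitigations modelled as fractional reductions of each axis, and a constructed five-entry register; the Risk, Control, prioritize, focus_list and render_map names are the example’s own.

```python
from dataclasses import dataclass, field

SCALE_MAX = 5     # assumed: both axes use ordinal 1..5 scales
FOCUS_CUTOFF = 4  # assumed: "high" means >= 4 on an axis


@dataclass
class Control:
    """A mitigation; each reduction is the fraction (0..1) of that axis value it removes."""
    name: str
    likelihood_reduction: float = 0.0
    impact_reduction: float = 0.0


@dataclass
class Risk:
    id: str
    description: str
    objective: str      # Strategic / Financial / Operational / Technology
    impact: int         # 1..SCALE_MAX, effect on the objective if the event occurs
    likelihood: int     # 1..SCALE_MAX
    confidence: int     # 1..SCALE_MAX, how much the assessors trust this estimate
    controls: list = field(default_factory=list)

    def inherent(self):
        """Impact and likelihood before any mitigation."""
        return self.impact, self.likelihood

    def residual(self):
        """Impact and likelihood after the listed controls, kept on the ordinal scale.
        Reductions compound multiplicatively; the result never drops below 1,
        since a control cannot make a risk disappear."""
        imp, lik = float(self.impact), float(self.likelihood)
        for c in self.controls:
            imp *= 1.0 - c.impact_reduction
            lik *= 1.0 - c.likelihood_reduction

        def clamp(v):
            return min(SCALE_MAX, max(1, int(round(v))))
        return clamp(imp), clamp(lik)


def quadrant(impact, likelihood):
    """Region of the risk map a point falls in; 'high and to the right' is high focus."""
    high_i, high_l = impact >= FOCUS_CUTOFF, likelihood >= FOCUS_CUTOFF
    if high_i and high_l:
        return "high focus"
    if high_i:
        return "high impact, low likelihood"   # scenario-planning candidate
    if high_l:
        return "low impact, high likelihood"   # root-cause-analysis candidate
    return "monitor"


def prioritize(register, residual=True):
    """Rank risks by impact x likelihood; ties go to the less confident estimate,
    so the shakier assessment is revisited first."""
    rows = []
    for r in register:
        point = r.residual() if residual else r.inherent()
        rows.append((r.id, point[0] * point[1], quadrant(*point), r.confidence))
    rows.sort(key=lambda row: (-row[1], row[3]))
    return [(rid, s, q) for rid, s, q, _ in rows]


def focus_list(register, residual=True):
    """IDs sitting in the high-focus corner of the map."""
    return [rid for rid, _, q in prioritize(register, residual) if q == "high focus"]


def place_on_map(register, residual=True):
    """(impact, likelihood) -> list of risk IDs on that cell."""
    cells = {}
    for r in register:
        point = r.residual() if residual else r.inherent()
        cells.setdefault(point, []).append(r.id)
    return cells


def render_map(register, residual=True):
    """Text risk map: impact down the side (high at top), likelihood across."""
    cells = place_on_map(register, residual)
    lines = ["impact \\ likelihood" + "".join(f"{l:>8}" for l in range(1, SCALE_MAX + 1))]
    for imp in range(SCALE_MAX, 0, -1):
        row = f"{imp:>19}"
        for lik in range(1, SCALE_MAX + 1):
            row += f"{','.join(cells.get((imp, lik), [])) or '.':>8}"
        lines.append(row)
    return lines


# Constructed sample register; not data from the presentation.
REGISTER = [
    Risk("R1", "Exposure of student records in a legacy system", "Technology", 5, 4, 3,
         [Control("Encryption at rest", impact_reduction=0.4),
          Control("Quarterly access review", likelihood_reduction=0.5)]),
    Risk("R2", "Phishing of faculty credentials", "Operational", 4, 5, 4,
         [Control("Awareness training", likelihood_reduction=0.2)]),
    Risk("R3", "Flooding of the data center", "Operational", 5, 1, 5),
    Risk("R4", "Missed regulatory notification deadline", "Strategic", 4, 3, 2),
    Risk("R5", "Unpatched lab workstations", "Technology", 2, 5, 4),
]

if __name__ == "__main__":
    for label, residual in (("inherent", False), ("residual", True)):
        print(f"--- {label} ---")
        for rid, s, q in prioritize(REGISTER, residual):
            print(f"{rid}: score {s:>2}  {q}")
        print("\n".join(render_map(REGISTER, residual)))
```

Running it shows the point the slide makes about inherent versus residual risk: R1 and R2 both start in the high-focus corner, but after its two controls R1 drops to (3, 2) and only R2 remains there, while R3 stays high-impact/low-likelihood regardless, which is the kind of entry scenario planning on the next slide is meant for.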

Page 16: Two risk assessment tools

Scenario Planning
◦ Consideration of events or outcomes that could reasonably occur - not necessarily based on historical data.
◦ Gathered through brainstorming with “what if’s”.
◦ Involves environmental scanning, predictive analysis, cross-functional input from multiple sources.
◦ Creates circumstances to judge “preparedness”.
◦ Addresses impact and likelihood.

Root Cause Analysis
◦ Root cause analysis helps identify what, how and why something happened, thus preventing recurrence.
◦ Root causes are underlying, are reasonably identifiable, can be controlled by management and allow for generation of recommendations.
◦ The process involves data collection, cause charting, root cause identification, and recommendation generation and implementation.
◦ By directing corrective measures at root causes, it is hoped that the likelihood of problem recurrence will be minimized.

Page 17: The role of “People” in ERM

Every company tailors its ERM program based on its specific needs.
◦ A common element is that day-to-day risk management decisions are made at every level in the organization.

Any organization concerned with successfully operationalizing ERM must ensure that its people:
◦ Understand ERM concepts
◦ Understand how to carry out their responsibility, acting in accordance with any defined ERM principles.

Page 18: Roadblocks to getting people to act in accordance with ERM principles

◦ Organizational culture
◦ Not linked to any unique sanction, reward or incentive
◦ Complexity of the ERM process itself
◦ Cost/benefit constraints
◦ Expertise
◦ Dynamic nature of managing risks
◦ Cross functional differences

“A successful CRO does not command from above. They set a framework for risk management, while day-to-day decisions on what is or isn’t an acceptable risk fall to managers and employees in the frontline of business.”

Economist Intelligence Unit

Page 19:

Overcoming ERM obstacles to decision makers

Clarify objectives

Communicate (top down and bottom up)

Include and involve in all aspects of ERM program

Create performance metrics and expectations

Factor in emotions

Page 20: The future will require an increasing focus on:

New Enemies
◦ Terrorists, professionals with different motivations, man-made and natural events

Posing New Threats
◦ Real time, context aware activity, instantaneous, multiple sources, catastrophic impact

Requiring New Solutions
◦ Moving from reactive to proactive
◦ Adaptive, responsive to context
◦ Based on risk assessment

Page 21: Organizations will need a comprehensive “Risk” focus…

◦ Board and Executive Management Support
◦ Common risk language and concepts
◦ Communication about risk using appropriate channels
◦ Development of training programs for risk management
◦ Development of a knowledge-sharing system
◦ Built into performance expectations
◦ Identification of cross-functional “risk champions”

Goal is to create a risk culture where people consciously take risk into consideration in decision-making at all levels of the organization.