The Here and Now of Higher Ed IT Governance, Risk, and Compliance Efforts
Jacqueline Bichsel, PhD
Senior Research Analyst
EDUCAUSE
AIRI, May 8, 2014
EDUCAUSE Center for Analysis and Research (ECAR)
IT GRC Survey
246 member institutions
The Current Landscape
Risk Management
Most allow the risk management lead a moderate to broad scope of authority.
Compliance
Compliance lead allowed a very broad scope of authority.
Governance
Scope of the IT Governance Body
The IT Risk Environment
Balance between risk control and functionality/openness.
Specific Risks
81% of institutions do not include IT risk in their institution’s strategic plan
Units Managing IT Risk
Frameworks Used in IT Risk Management
2 out of 3 institutions use at least one framework
The IT Compliance Environment
IT Compliance Issues
The IT Governance Environment
Those with an ITGB are more likely to:
Involve other departments in decision-making
Influence leadership
Formulate binding policy
Guide IT risk management
Have a clear IT vision, mission, or strategy
Frameworks Used in IT Governance
1 out of 3 institutions uses at least one framework
Maturity in Risk Management
ECAR Maturity Indices
Provide starting point for institutions to assess strengths and weaknesses
Allow comparisons across the institution to benchmark progress across time or departments
Allow comparisons inter-institutionally to provide peer comparisons
Risk Management Maturity
Communication/End-User Management
Communication about IT risk throughout the organization
Management of end-user activities
Acceptance
lack of resistance of faculty, staff, and administration to risk management efforts
Risk Assessment/Management
Identifying, tracking, prioritizing, and reporting risks
Implementing policies and controls
Involvement of leadership
Investment
adequate investment in risk management staff and services
More mature institutions…
Have a formal risk management program (enterprise or IT)
Allow the risk management lead a broad scope of authority
Use a framework (any framework) for RM
Are more effective in addressing specific IT risks
More mature institutions ALSO…
Invest more in IT compliance
Are better at reviewing and updating IT compliance practices
Have less difficulty addressing compliance rules and laws
Have better support from leadership and faculty in IT governance issues
Have better IT governance in every respect
Thank you, AIRI!
Jacqueline Bichsel
For more information on EDUCAUSE: http://www.educause.edu/
For more information on ECAR: http://www.educause.edu/ecar