Hurricane Katrina and other natural disasters, the ongoing threats of terrorism, and the auditing profession's increased emphasis on business continuity planning have captured the attention of higher education executives. Most now realize that they ought to be doing business continuity planning; most, however, are not sure where to begin. George Mason University (Va.) has developed an executive-level Enterprise Executive Risk Management Group (EERMG) to build the organization's business continuity plans and capacity.
At the April 2005 EDUCAUSE Security Professionals Conference, William Boni, vice president for Information Security and Protection at Motorola, noted that chief security officers in the business world currently sit in one of three organizational units: IT, finance, or police/safety. He has seen an emerging trend toward moving the CSO into finance.
The rationale is that cyber-risk is no different from any other significant risk facing the corporation. Like other risks, cyber-risks can damage reputation and have financial impact; they are expensive to remediate; they often require cultural change to remediate; and they need to be prioritized alongside the other risks facing the corporation. Boni predicted that more and more corporations would create enterprise risk management programs that include cyber-risks, rather than assessing and prioritizing cyber-risks as stand-alone risks. Joy Hughes, the CIO at George Mason University, found Boni's argument convincing.
She proposed to Mason's president, Alan Merten, who has had extensive experience as a consultant to corporations on information technology issues, that he charter an EERMG under the leadership of Maurice Scherrens, senior vice president for Finance and Administration.
The EERMG was charged to assess risks not just in information technology, but also physical risks and risks from departmental procedures and processes, and to oversee the development of business continuity plans.
Its membership reflects these charges. The senior vice president for Finance and Administration has an enterprise view of a variety of administrative offices as well as auxiliary enterprises, such as the book store, housing, and athletics. The vice president for Information Technology and chief information officer is also the university's chief security officer. The chief safety officer is responsible for emergency preparedness planning and for physical security; the director of internal audit and management services is responsible for ensuring good business practices are followed; the controller is responsible for effective financial controls; and the executive director of the ITU security and project office, who reports to the CIO, is responsible for cybersecurity policies and planning. Together they have the experience and organizational clout to bring about broad policy changes.
University risk assessment projects are often elaborate paper drills designed to satisfy an outside audience such as an auditor. While reams of documents and an exhaustive collection of "plans" may satisfy an external audience, they are generally impractical to implement without a very significant infusion of resources. Additionally, large sets of plans that were prepared by people with very different viewpoints tend either to overwhelm with detail those who attempt to evaluate them or, conversely, are subject to such generalizations as to make them of limited practical use.
In the usual university-wide risk assessment project, department heads devote significant amounts of both mental energy and time to fill out myriad forms, yet the unit-level problems identified never appear to make it to the top of the priority list.
High-priority items for remediation funding usually are the central ones rather than the unit ones because they affect more people and processes. When an institution has limited resources to dedicate to risk remediation, it makes sense to give the highest priority to the "most critical" risks to the enterprise as a whole. Unfortunately, this approach ensures that the concerns of many individual departments will be left out of the final risk analysis.
Rather than require every department in the university to fill out risk assessment forms, the EERMG members first dedicated time and energy to identifying which departments were most relevant to business continuity planning. The group then prioritized the list of departments and developed a timeline by which the top 10 departments could be assessed within the first year. They created a four-year cycle for every department and associated subdivision to be assessed before the cycle begins again.
The chief safety officer and the IT security coordinator head up the risk assessment team. They include in their assessments an investigation of physical, process, and personnel security, as well as IT security. The process is iterative. It begins with the distribution of a standard 20-page risk assessment questionnaire that asks about departmental assets, policies, and procedures.
The risk assessment questionnaire asks the office personnel to list critical assets. Questions fall under the categories of physical security, including staffing, building access, and workplace procedures; electronic security, including account and password management, virus protection, data backup and recovery, operating systems and application software; and data privacy, including confidentiality policies, security awareness and education, and Gramm-Leach-Bliley Act (GLBA) and Family Educational Rights and Privacy Act (FERPA) requirements. Each office is asked for a copy of its business continuity plan.
The risk assessment team visits each department and conducts interviews to clarify questions and conduct on-site security assessments. The two interviewers look to identify not only specific risks, but also general themes that could affect the university as a whole.
This personal approach allows the interviewers to make suggestions for addressing problems at the time of the interview rather than to assign blame for deficiencies. Because of the length and the complexity of some of the questions, a second interview session is scheduled up front for approximately two weeks after the first interview. While the second session is not always used, it does allow the department to do additional work on questions not fully answered during the first interview. Overall, the feedback from those department heads who have gone through the interview process has been very positive.
The EERMG directs the risk assessment team to attempt to remediate risks on the spot, whenever feasible. This focus on remediation (support) reduces the anxiety inherent in assessment (blame), which otherwise can serve as a barrier to departments to participate. For example, in the offices that have been interviewed thus far, the following risks have already resulted in remediation steps:
After-hours personnel risk: Police escorts and reduction of evening hours were added.
No fire extinguisher: One was provided.
Only one door on module office unit: A back door was added as an emergency exit.
Unsupported servers: These servers were decommissioned and their data migrated to an existing centrally supported server, with service level agreements made with each department.
This process is quite time-intensive compared to the usual risk assessment process, and one danger is that there simply won't be enough time to apply it to the more complex organizations: those with offices located on several campuses, or those where the risks are extremely high and/or processes are in a vulnerable state.
The EERMG arranges for several of these risk assessments to be conducted by outside companies, such as Protiviti (www.protiviti.com). The internal team coordinates the outside assessments so that the results of each inform the other. Because the university bundles risk assessment with business continuity and disaster planning, a grant Mason had received for business continuity could fund the largest and most complex of the external assessments.
The EERMG is charged not just with risk assessment and remediation but also with planning for business continuity. So, each risk assessment of a department also asks for a business continuity plan. The team is finding that most departments do not have such a plan and really have no idea how to develop one, nor is there really much expertise in the central administration with respect to business continuity.
The university's safety officer, Keith Bushey, received a pre-disaster mitigation grant late in 2005 under a FEMA-sponsored program, one of several grants he obtained to further emergency preparedness and business continuity planning. The EERMG decided to use it to secure assistance in developing a business continuity and risk mitigation plan. D.C.-based James Lee Witt Associates (JLWA) (www.wittassociates.com) was hired to build on the work of the risk assessment team by focusing first on the offices that had been through the risk assessment process. These offices saw the JLWA engagement as a natural follow-up to the business continuity questions in the risk assessments. This reinforced the perception across the university that the risk assessments were being taken seriously by university leadership.
In addition to interviewing department heads in those offices, JLWA spoke with the heads of other support and service departments and with key city personnel. JLWA also did an in-depth review of planning documents and an overall risk assessment of the university.
The end result of the joint effort between JLWA and the university will be a FEMA-approved mitigation plan, one of the first at a university anywhere in the United States, and a draft business continuity plan that can be further developed with the second half of the FEMA grant.
These strategies have only been successful because of the groundwork that had already been laid at Mason to build security alliances across the university community. Two of the alliances that have been especially productive are the Privacy and Security Compliance Team (PSCT) and the Security Liaisons (SL) Group. Both of these groups have become part of security governance at Mason.
The PSCT is chaired by the president's chief of staff. Members are primarily associate deans and directors, whose responsibilities are to:
Ensure the university complies with state and federal regulations on security and privacy of university data.
Educate the university community about trends in security and privacy that have the potential to affect how the university does business.
Recommend to the president remedial action(s) on identified problems.
Review policies and procedures developed by each department or unit to ensure that these departments or units have appropriate security measures that will protect institutional data from compromise or unauthorized access, modification, destruction, or disclosure.
The PSCT has researched the data stewardship policies at other universities and developed one for Mason that identifies three classifications of data and detailed levels of responsibility for data ownership. The levels of ownership range from the chief data steward, who in the case of student data is the provost; to data administrators, who are often systems administrators; to data users, a category that includes everyone with the capacity to access university data, even those with only read-only permission. Adherence to this policy is now one of the requirements in employment contracts and in annual personnel evaluations. The adoption of this policy gives the university a natural opportunity to discuss risk, personalizing the discussion in terms of data ownership and responsibility.
The Security Liaison group is chaired by the vice president for Information Technology and CIO. Members are appointed to be the stand-ins for the deans and vice presidents. These are the people who receive security announcements and who meet with the VPIT to discuss what is working and not working. Their responsibilities are to:
Serve as the point of contact in their unit for security recommendations/requests coming from the VPIT.
Educate the university community about trends in security and privacy that have the potential to affect how the university does business.
Be responsible for disseminating this information to their offices.
Be the point of contact in their unit for security incidents, suspected and real, and be a conduit to the Computer Security Incident Response Team (CSIRT).
Inform the VPIT and the president's chief of staff of possible gaps in training and support programs necessary to carry out requirements set forth in policies and directives.
Review and comment upon proposed security policies.
The Security Liaisons, primarily directors and office administrators, play a critical role in refining and institutionalizing new policies. The SLs have been articulate voices with respect to the logistics of complying with a proposed policy. An example is the data stewardship policy. When the SLs met with the VPIT to discuss the policy, it became clear that there were many misconceptions interfering with their ability to put into practice the new data-classification procedures. A second meeting was scheduled and representatives from the registrar's office, legal services, sponsored programs, and fiscal services came to clear up questions about data classifications.
For example, the Security Liaisons were quite concerned about the new policy's emphasis on staff being held responsible if their files were compromised. They wanted the university to articulate a list of steps that, if taken, would serve as evidence that the staff person had met his or her responsibilities. So brochures and web pages were developed to help staff members audit themselves from a technology perspective, providing basic instructions for securing one's desktop in relation to the three data classifications.
Other policies that have benefited from being vetted first by the Security Liaisons are the e-mail encryption policy and the public internet address policy. Both have been welcomed by the SLs because they help staff meet their responsibilities under the new data stewardship policy. For example, once the enterprise e-mail system was configured to accept and deliver e-mail only over SSL/TLS, it assuaged SL concerns about unencrypted data transfers via e-mail. (Transport encryption of this kind protects a message between a client and the university's mail servers and between servers that negotiate TLS with each other; it does not encrypt mail at rest in a mailbox.) The public internet address policy, which makes it possible to track, register, and regularly scan the computers that are accessible from the internet, was also welcomed by the SLs. Their involvement in developing these policies has made the policies much more acceptable to, and accepted by, the wider university community.
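The public internet address policy described above makes three things possible: knowing which unit owns each internet-facing host, noticing hosts that appear without being registered, and routing what a scan turns up to the right Security Liaison. The following Python is an added example of that reconciliation step; it is not Mason's code or data. The address ranges, the registry entries, the scan records, the liaison addresses and the list of ports worth flagging are all constructed for the example.

```python
"""Reconcile scan results with a register of internet-facing hosts.

Added illustration of the kind of check a public internet address policy
makes possible: every internet-reachable host is registered to a unit
and scanned regularly. The data below and the port list are constructed
for this example; they are not Mason's registry or tooling.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed campus public ranges (RFC 5737 documentation space as a stand-in).
PUBLIC_RANGES = [ip_network("198.51.100.0/24")]

# Constructed registry: public IP -> owning unit and its security liaison.
REGISTRY = {
    "198.51.100.10": {"unit": "registrar", "liaison": "sl-registrar@example.edu"},
    "198.51.100.20": {"unit": "library", "liaison": "sl-library@example.edu"},
    "198.51.100.30": {"unit": "athletics", "liaison": "sl-athletics@example.edu"},
}

# Constructed scan output: (ip, open TCP ports) for each responding host.
SCAN_RESULTS = [
    ("198.51.100.10", [22, 443]),
    ("198.51.100.30", [80, 443, 3389]),
    ("198.51.100.40", [21, 80]),   # responds but nobody registered it
    ("203.0.113.5", [22]),         # outside the campus public ranges
]

# Services that warrant follow-up when exposed to the internet (assumed list).
RISKY_PORTS = {21, 23, 445, 1433, 3306, 3389}


@dataclass(frozen=True)
class Finding:
    ip: str
    issue: str     # unregistered | out-of-scope | risky-service | not-responding
    detail: str
    liaison: str   # who gets the ticket; the central security inbox if no unit owns the host


def in_public_ranges(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PUBLIC_RANGES)


def reconcile(registry, scan_results, default_contact="security@example.edu"):
    """Compare one scan run against the registry and return the findings."""
    findings = []
    seen = set()
    for ip, ports in scan_results:
        if not in_public_ranges(ip):
            findings.append(Finding(ip, "out-of-scope",
                                    "responded but is not in a campus public range", default_contact))
            continue
        seen.add(ip)
        entry = registry.get(ip)
        if entry is None:
            # The policy's central point: a reachable host with no owner on record.
            findings.append(Finding(ip, "unregistered", f"open ports {sorted(ports)}", default_contact))
            continue
        risky = sorted(set(ports) & RISKY_PORTS)
        if risky:
            findings.append(Finding(ip, "risky-service",
                                    f"ports {risky} exposed; owned by {entry['unit']}", entry["liaison"]))
    # Registered hosts that did not answer: decommissioned, firewalled, or a stale registry entry.
    for ip, entry in registry.items():
        if ip not in seen:
            findings.append(Finding(ip, "not-responding",
                                    f"registered to {entry['unit']} but absent from the scan", entry["liaison"]))
    return findings


def by_liaison(findings):
    """Group findings so each security liaison receives only their unit's items."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.liaison].append(f)
    return dict(grouped)


if __name__ == "__main__":
    for contact, items in by_liaison(reconcile(REGISTRY, SCAN_RESULTS)).items():
        print(contact)
        for f in items:
            print(f"  {f.ip:15} {f.issue:14} {f.detail}")
```

Run against the constructed data, the script reports one unregistered host and one out-of-scope responder to the central contact, an exposed remote-desktop port to the athletics liaison, and a silent registered host to the library liaison; the registered host with only SSH and HTTPS open produces nothing. Feeding each liaison only their unit's findings is what keeps the scan from becoming another central list that never reaches the department that has to act on it.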
The key factors in the success of Mason's program operate at two levels.
At one level are the people in the trenches. It is essential that their concerns be heard and that time-intensive processes are perceived as bringing benefit to those who participate. Thus, their input on proposed policies and procedures is listened to and acted upon. Risk assessments are conducted in ways that respect their time and bring benefits to their departments. And expertise is provided to them when they are asked to create a business continuity plan.
At the executive level, activities are integrated so that executive time is not wasted processing and prioritizing the output of separate efforts. Grants are sought to fund consultants to create business continuity plans. Executive involvement influences the budget group to fund needed initiatives. Advisory groups are extensively involved in developing policies and procedures, which makes the executives comfortable directing their units to follow them. Thanks to these strategies, risk assessment and business continuity planning are seen as valuable activities that benefit the university as a whole, as well as the individual departments.