IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

Transcript of a 58-page slide deck, 7/27/2019, http://slidepdf.com/reader/full/it-risk-assessment-two-universities-share-their-methodologies-176780115

Page 1: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

IT Risk Assessment: Two Universities Share Their Methodologies

Nadine Stern, Associate CIO for Operations and Planning

Paul W Jeffreys, Director of IT Risk Management

Page 2: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Introduction  

Page 3: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Objectives of Session:

• Overview management of IT risk
• Compare and contrast how Princeton and Oxford universities manage IT risk
• Review experiences from other universities, based on EDUCAUSE review
• Understand how risks should be managed, within an IT risk management framework
• Sprinkle in the EDUCAUSE top-ten IT issues to serve as reference point
• Poll session attendees to appraise strategic risk entries


Page 4: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


IT Risk Management Overview

• IT risk management: identifies, assesses and responds to IT risks
  – … threat (should be) measured against IT objectives
• Technology now permeates: L&T, research, administration
  – … so an IT risk is a threat to institutional objectives
  – … becoming increasingly important
• IT risk management helps to:
  – Strengthen alignment between IT and institutional strategy
  – Identify IT priorities and connect with IT Strategic Plan
  – Influence capital investment
  – Direct resource allocation to meet users’ requirements
• However, not all institutions have formal initiatives
• ECAR 2013 IT Risk Management poll*
  – Some results shown later …


Page 5: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


EDUCAUSE Top 10 Issues

• To help inform risk management practices at our institutions, we have used the EDUCAUSE Top 10 IT Issues (2013)* as a guide
• Cross-referencing provides a worthwhile external comparison to add assurance that an institution has identified a full set of strategic IT threats
• Comparison shown later, and will be used to undertake our attendee poll to give a full strategic risk appraisal


Page 6: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Princeton and Oxford Approaches

• Princeton:
  – Aiming to align its IT Risk Assessment with institutional Executive Risk Assessment
  – Not interested in using an industry standard
  – Committed to input and buy-in from IT leadership and contributors
  – IT Risk assessment in distributed responsibility model
• Oxford:
  – Follows ISO31000 / M_o_R standard
  – Three ‘perspectives’: Strategic / Project / Operational
  – Assess risks against departmental objectives as objectively as possible
  – Bottom-up (workshops) and top-down (senior management)
  – Well developed process to mitigate risks
  – Beginning to show benefits from programme


Page 7: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


IT Risk Assessment at Princeton University

• About me:
  – VP for IT and Enrollment Services at The College of New Jersey for 15 years
    – About 60 IT staff; about 65 Enrollment Services staff
  – Associate CIO in the Office of Information Technology at Princeton since April 2011
    – 280 central OIT staff
    – About 150 departmental IT staff
    – My department: IT Security Officer, Budget and Finance, Organizational Effectiveness, Technology Consulting, Contract Management, Strategic Planning, Associate CIO role

Page 8: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


What I found at Princeton

• My role includes liaison to Office of Audit and Compliance
• Office of Audit and Compliance – relatively new IT Audit function
• Yearly audits but no overall risk assessment methodology
• OIT has decentralized Information Security organization and planning

Page 9: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Evolution of IT Risk Assessment

• University had conducted a University Risk Assessment in 2009
  – Information Security identified as one of the Risk Areas, but not well defined
• OAC interested in creating their audit universe
• OIT needing to have a plan around Information Security initiatives
  – Need to develop a mechanism for yearly updates

Page 10: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Risk Matrix

• OAC gave first pass to create an IT Risk matrix
• I organized it differently; added sections of Policy, campus awareness and compliance, Industry Trends, Educause Top 10 Issues
• Spoke to Paul Jeffreys, Oxford University

Page 11: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Ranking Risk

IT Risk Factors

Availability - Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system. Systems and critical information are available when needed in order to maintain the organization's critical operations and processes. Includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.

Integrity - Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information. Data used for making management decisions, recording information, and reporting financial activity is accurate, complete, and reliable.

Confidentiality - Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information. The right to view or manipulate data is carefully granted and monitored to prevent the mishandling of data. Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception.

Compliance - Compliance with regulations, contracts, and policies and procedures.

Likelihood Scale
3  High probability that identified risk will occur.
2  Medium probability that identified risk will occur.
1  Low probability that identified risk will occur.

Impact Scale
3  Potential significant impact to the University's mission, stewardship of assets, reputation, or stakeholders.
2  Potential significant impact to the risk area but moderate to the University's mission, stewardship of assets, reputation, or stakeholders.
1  Potential impact on the University is minor or limited in scope.

Financial Impact
3  Potential financial impact > $XXX
2  Potential financial impact > $YYY but less than $XXX
1  Potential financial impact $ZZZ or less
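The scales above define the cells of Princeton's matrix but the slides do not say how a row is ranked once every factor has a likelihood and an impact. The following Python is an added example, not code from the presentation or from Princeton OIT: it takes the factor names and the 1-3 scales from this slide, rates risk areas of the kind that appear in the matrix pages, and ranks them. The scoring rule (likelihood × impact per factor, areas ordered by their worst factor, ties broken by the total across factors) and the sample ratings are assumptions made for illustration.

```python
"""Princeton-style IT risk matrix: rate risk areas against the IT risk factors
and rank them.

Added example, not code from the presentation or from Princeton OIT. Factor
names and the 1-3 likelihood/impact scales come from the "Ranking Risk" slide;
the scoring rule and the sample ratings below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FACTORS = ("Financial Impact", "Availability", "Integrity",
           "Confidentiality/Reliability", "Compliance")
LIKELIHOOD = {1: "Low", 2: "Medium", 3: "High"}
IMPACT = {1: "Minor or limited in scope",
          2: "Significant to the risk area, moderate to the University",
          3: "Significant to the University"}


@dataclass(frozen=True)
class RiskArea:
    name: str
    # factor -> (likelihood, impact); factors that were not rated are left out
    ratings: Dict[str, Tuple[int, int]]

    def __post_init__(self):
        # Reject anything outside the slide's 1-3 scales before it is scored.
        for factor, (likelihood, impact) in self.ratings.items():
            if factor not in FACTORS:
                raise ValueError(f"{self.name}: unknown factor {factor!r}")
            if likelihood not in LIKELIHOOD or impact not in IMPACT:
                raise ValueError(f"{self.name}: {factor} scores must be 1-3")

    def factor_score(self, factor: str) -> int:
        """likelihood x impact for one factor; 0 when the factor was not rated (assumption)."""
        likelihood, impact = self.ratings.get(factor, (0, 0))
        return likelihood * impact

    def worst_factor(self) -> Tuple[str, int]:
        """The factor driving this area's ranking and its score."""
        return max(((f, self.factor_score(f)) for f in FACTORS), key=lambda fs: fs[1])

    def total_score(self) -> int:
        return sum(self.factor_score(f) for f in FACTORS)


def rank_risk_areas(areas: List[RiskArea]) -> List[RiskArea]:
    """Highest worst-factor score first; ties broken by total, then by name (assumption)."""
    return sorted(areas, key=lambda a: (-a.worst_factor()[1], -a.total_score(), a.name))


# Constructed sample: row names follow the matrix pages, the ratings are invented.
SAMPLE_MATRIX = [
    RiskArea("Backup, Recovery, and Retention - Databases",
             {"Financial Impact": (2, 2), "Availability": (2, 3), "Integrity": (1, 3)}),
    RiskArea("Identity and Access Management / Logical Security",
             {"Confidentiality/Reliability": (3, 3), "Compliance": (2, 3), "Integrity": (2, 2)}),
    RiskArea("Configuration Management - Windows",
             {"Availability": (3, 2), "Integrity": (2, 2), "Compliance": (1, 2)}),
    RiskArea("Data Center Operations - Job Scheduling",
             {"Availability": (2, 2), "Integrity": (1, 2)}),
]

if __name__ == "__main__":
    for position, area in enumerate(rank_risk_areas(SAMPLE_MATRIX), start=1):
        factor, score = area.worst_factor()
        print(f"{position}. {area.name}: worst factor {factor} = {score}, total {area.total_score()}")
```

Ranking by the worst factor rather than the total is what makes a single Confidentiality or Availability exposure surface at the top even when an area is otherwise benign; if the institution prefers the total, only the sort key changes.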

Page 12: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Page 13: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


IT RISK FACTORS (risk matrix; the Likelihood and Impact cell values are not recoverable from the transcript)

Columns: Risk Area/Universe | Financial Impact | Availability | Integrity | Confidentiality/Reliability | Compliance (each factor rated with a Likelihood and an Impact score)

Rows:
6  Backup, Recovery, and Retention
     – Network
     – UNIX
     – Linux
     – Windows
     – Databases
     – Business Applications
     – Desktop/Laptop
7  Identity and Access Management / Logical Security / Security

Page 14: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Page 15: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


IT RISK FACTORS (risk matrix, continued; the Likelihood and Impact cell values are not recoverable from the transcript)

Columns: Risk Area/Universe | Financial Impact | Availability | Integrity | Confidentiality/Reliability | Compliance (each factor rated with a Likelihood and an Impact score)

Rows:
10  “Data Center Operations” – Job Scheduling
11  Configuration Management

Both rows are broken down by platform; the platform sub-rows appearing on this page are Network, UNIX, Linux, Windows, Database(s), (Business) Application(s) and Desktop/Laptop.

Page 16: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


IT RISK FACTORS (risk matrix, continued; the Likelihood and Impact cell values are not recoverable from the transcript)

Columns: Risk Area/Universe | Financial Impact | Availability | Integrity | Confidentiality/Reliability | Compliance (each factor rated with a Likelihood and an Impact score)

Rows E1–E10: 2012 Educause Top Ten IT Issues. The following row labels appear on this page, cut off at the cell edge; which row each label belongs to is not recoverable:
  – Updating IT professionals' skills and roles to …
  – Supporting the trends toward IT consumerization and …
  – Supporting the research mission through high- …
  – Establishing and implementing IT governance
  – Cybersecurity
  – Developing an institution-wide cloud strategy
  – Improving the institution's operational efficiency …
  – Integrating information technology into institutional …
  – Using analytics to support critical institutional …
  – Funding information technology strategically
  – Transforming the institution's business with …

Further rows:
F  IPv6
G  (label not recoverable)
H  Protection/Security of Research Data

Page 17: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Business Unit interviews

IT Risk Categories (diagram):
  – University and Department Policies
  – Education and Training
  – Laws, Regulations, Compliance
  – Privacy, Confidentiality, Data Classification
  – Specific IPP Projects
  – Emerging Technologies: Cloud computing, Social Media, Mobility
  – Constituent specific concerns (students, faculty, staff)
  – Missed Opportunities

Page 18: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


1st year results

• Less than popular with OIT
• We realized it was too granular – and did not really reflect priority of risk which would lead to security initiative selection and prioritization
• Continued to seek other resources from other peer institutions, Educause

Page 19: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Maturation

• Read many articles on risk from various sources: NIST, Educause, Coursera course
• Gartner: good resources for assessing security program, concepts of risk assessment: but no templates
• IBM: mostly around penetration testing
• New CIO/VP for IT
• Realization that Audit will only focus on IT general controls
• Discussions with our Internal Audit group and EVP responsible for Enterprise Risk Management
• Clarification that we need to use the University Risk Map to “INFORM” our yearly process

Page 20: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Developing Princeton’s IT Risk Map


Page 21: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Developing Princeton’s IT Risk Map


Page 22: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Next steps for Princeton

• Close work with our ERMC (Executive Risk Management Committee) efforts
• Refine Matrix approach
  – Add feedback loop from incident evaluations
  – Periodic updating incorporating industry trends and University’s enterprise risk assessment process
  – Creating new CISO position to focus on Risk Assessment, Security Strategy, Outreach, Business Continuity

Page 23: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


IT Risk Assessment at University of Oxford

Professor Paul W Jeffreys

Director of IT Risk Management

Page 24: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


IT Risk Management Framework

• Office of Government Commerce: Management_of_Risk*
  – Uses International standard: ISO31000:2009
• Same standard adopted by University*
• Definition of risk (OGC):
  – “An uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives.
  – A risk is measured by the combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives.”
• M_o_R Steps:
  – Identify key strategic risks that would prevent the achievement of objectives;
  – Assign ownership;
  – Evaluate significance of each risk (classify);
  – Identify suitable responses to each risk;
  – Ensure internal control system manages the risk;
  – Regular review


Page 25: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Organizational Perspectives

Diagram (cf. the three perspectives listed on page 6):
  – Long-term / beyond department
  – Medium-term / bring about business change
  – Short-term / ensure on-going continuity of business services

Page 26: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Define Risk Syntax and Risk Register Structure

• Syntax used to describe risk:
  – If - we do not ensure that IT Services' information assets are managed correctly and securely - then - there is a possibility of information loss and corruption AND major security breach - resulting in a risk of - damage to reputation of department and University, possible criminal or civil proceedings, and loss or corruption of information
• Risk Register (managed in SharePoint)
  – Risk identifier, Classification (Perspective), Risk description (using syntax), Risk probability, Risk Impact, Risk Response, Owner, Actionees, …
• Focus on Strategic perspective here…
  – ‘That which is not within scope of IT Services to mitigate’


Page 27: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Assessment of (Strategic) Risk

• Goal: prioritize individual risks so that it is clear which risks are most important for IT Services to address
  – Must measure against organizational objectives
  – Measure as objectively as possible
• Measure using two parameters:
  – Impact: estimated effect of a particular threat occurring
  – Probability: estimated chance of it actually occurring against the impact specified (within the period of the activity)
• Reproducibility
  – Requires definition of terms
  – Four impact measures: reputation, timing, financial, availability
• Overall Risk Assessment
  – Not linear combination of impact and probability


Page 28: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


1. Impact (Reputation and Outputs)

Strategic - Reputation & Outputs – impact of threats on image, standing and output quality

Measure: Publicity and media interest generated / effect upon rankings

Level          Effect
Critical       EITHER sustained or ongoing negative national media publicity OR a negative change across all national or international HE sector rankings
Major          EITHER one-off negative national, or ongoing local, media publicity OR a negative change across the majority of national or international HE sector rankings
Moderate       EITHER negative media publicity likely, but avoidable or controllable with management OR a negative view of IT Services at Council level
Minor          Negative publicity limited to within IT Services
Insignificant  Negative publicity limited to within part of IT Services

Page 29: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


2. Impact (Timing)

Strategic - Timing – impact of threats on slipping timescales

Measure: Escalation of compliance issues, including legal matters

Level          Effect
Critical       EITHER delays in significant governance issues or decision-making processes exceeding 24 months OR the matter is brought to Council OR break in service for more than a week
Major          EITHER delays in significant governance issues or decision-making processes of 12 to 24 months OR the matter is brought to the Capital Steering Group OR break in key service for greater than a day
Moderate       EITHER delays in significant governance issues or decision-making processes of 6 to 12 months OR the matter is brought to the IT Committee OR break in key IT service for greater than two hours
Minor          EITHER delays in significant governance issues or decision-making processes of 3 to 6 months OR the matter is brought to the IT Services Executive Management Team OR break in key service for greater than 15 minutes
Insignificant  EITHER delays in significant governance issues or decision-making processes of up to 3 months OR complaint limited to within IT Services’ processes OR break in service for greater than two minutes

Page 30: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


3. Impact (Finances and Funding)

Strategic - Finances & Funding – impact of threats on sustainability, funding and financial control

Measure: Financial scale of effect

Level          Effect
Critical       Financial loss or impact exceeding £1m
Major          EITHER financial loss or impact of £100k to £1m OR negative effect on financial controls in general
Moderate       EITHER financial loss or impact of £20k to £100k OR negative effect on financial controls in more than one area for up to six months OR ongoing negative effect on financial controls in one area
Minor          EITHER financial loss or impact of £1k to £20k OR negative effect on financial controls in one area for up to six months
Insignificant  Financial loss or impact up to £1k and no lasting negative effect on financial controls

Page 31: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


4. Impact (Availability and User Impact)

Strategic - Availability and User Impact – impact of threats on availability of services and user experience

Measure: Availability and user experience

Level          Effect
Critical       The majority or whole of the University is negatively affected for a period of longer than one month
Major          The majority or whole of University, or IT Services' capability in general, is negatively affected for a period of up to one month
Moderate       EITHER individuals or a small number of teams are affected on an on-going basis OR IT Services' capability for the University is negatively affected for a period of up to one day
Minor          EITHER individuals or a small number of teams are affected on an on-going basis OR IT Services' capability for the University is negatively affected for a period of up to one day
Insignificant  Individuals or single teams only are negatively affected and IT Services' capability in general is not affected

Page 32: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Probability or Likelihood

• Consistent with University approach

Likelihood  Frequency                                                                                                     Monthly Probability
Very High   Very likely: is considered to have a chance of occurring every month                                          Up to 100%
High        Probable: is considered to have a chance of occurring once within the next two months, or up to six times a year   Up to 50%
Moderate    Possible: is considered to have a chance of occurring once within the next six months, or up to twice a year       Up to 16.7%
Low         Unlikely: is considered to have a chance of occurring once within the next year, or up to twice in two years       Up to 8.3%
Very Low    Exceptional: is considered to have a chance of occurring once within the next two years                           Up to 4.2%

Page 33: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Ask you to assess an Oxford risk…

If - we do not ensure that IT Services' information assets are managed correctly and securely - then - there is a possibility of information loss and corruption AND major security breach - resulting in a risk of - damage to reputation of department and University, possible criminal or civil proceedings, and loss or corruption of information

Which type of ‘Impact’ assessment is likely to have the biggest impact?

Page 34: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


1. Impact (Reputation and Outputs)

Strategic - Reputation & Outputs – impact of threats on image, standing and output quality

Measure: Publicity and media interest generated / effect upon rankings

Level          Effect
Critical       EITHER sustained or ongoing negative national media publicity OR a negative change across all national or international HE sector rankings
Major          EITHER one-off negative national, or ongoing local, media publicity OR a negative change across the majority of national or international HE sector rankings
Moderate       EITHER negative media publicity likely, but avoidable or controllable with management OR a negative view of IT Services at Council level
Minor          Negative publicity limited to within IT Services
Insignificant  Negative publicity limited to within part of IT Services

Page 35: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Probability or Likelihood

Likelihood  Frequency                                                                                                     Monthly Probability
Very High   Very likely: is considered to have a chance of occurring every month                                          Up to 100%
High        Probable: is considered to have a chance of occurring once within the next two months, or up to six times a year   Up to 50%
Moderate    Possible: is considered to have a chance of occurring once within the next six months, or up to twice a year       Up to 16.7%
Low         Unlikely: is considered to have a chance of occurring once within the next year, or up to twice in two years       Up to 8.3%
Very Low    Exceptional: is considered to have a chance of occurring once within the next two years                           Up to 4.2%

{Critical impact * Moderate probability} = 20 classification

Page 36: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Oxford’s Strategic Risk Register

• Creating a strategic risk register is challenging
  – Bottom-up (workshops) combined with top-down (senior management)
  – Referenced against EDUCAUSE top-ten issues
  – Entries becoming relatively stable (after 6 months)

Heat map of register entries, IMPACT rows by LIKELIHOOD columns. The numbers in each row are the entry counts as they appear in the transcript; which likelihood column each count sits in is not recoverable.

IMPACT
  Critical       5 |  2
  Major          4 |  1  8  2  2
  Moderate       3 |  1  5
  Minor          2 |
  Insignificant  1 |
                     1         2    3         4     5
                     Very Low  Low  Moderate  High  Very High
LIKELIHOOD
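Slides 26 to 36 describe the pieces of Oxford's register: the "If - then - resulting in a risk of" syntax, the register fields, the four impact measures with five levels each, the likelihood bands with their monthly probabilities, and the impact × likelihood heat map. The Python below is an added example that puts those pieces into one register entry and builds the heat map; it is not code from the presentation or from Oxford IT Services. Assumptions made for illustration: an entry's overall impact is its worst single measure, the events-per-year ceilings that place an entry in a likelihood band (derived from the slide's wording), and the sample entries. The slide's non-linear classification score (Critical impact × Moderate probability = 20) is not reproduced because its rule is not on the page.

```python
"""Oxford-style strategic risk register entry: risk syntax, impact and likelihood
banding, and the 5x5 impact x likelihood heat map.

Added example, not code from the presentation or from Oxford IT Services. The
syntax, impact levels, impact measures and likelihood bands come from the slides;
the worst-measure rule, the yearly frequency ceilings and the sample entries are
assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

IMPACT_LEVELS = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Critical": 5}
IMPACT_MEASURES = ("reputation", "timing", "financial", "availability")

# (band, score, monthly probability ceiling, max events per year for the band).
# Yearly ceilings are an assumption read off the slide: "once within the next two
# years" = 0.5/yr, "up to twice in two years" = 1/yr, "up to twice a year" = 2/yr,
# "up to six times a year" = 6/yr, anything more frequent is "every month".
LIKELIHOOD_BANDS = (
    ("Very Low", 1, 0.042, 0.5),
    ("Low", 2, 0.083, 1.0),
    ("Moderate", 3, 0.167, 2.0),
    ("High", 4, 0.500, 6.0),
    ("Very High", 5, 1.000, float("inf")),
)


def risk_statement(cause: str, event: str, effect: str) -> str:
    """Render a risk in the slide's 'If - then - resulting in a risk of' syntax."""
    return f"If - {cause} - then - {event} - resulting in a risk of - {effect}"


def likelihood_band(events_per_year: float) -> Tuple[str, int, float]:
    """Map an estimated frequency to (band, score, monthly probability ceiling)."""
    if events_per_year < 0:
        raise ValueError("frequency must be non-negative")
    for name, score, monthly, ceiling in LIKELIHOOD_BANDS:
        if events_per_year <= ceiling:
            return name, score, monthly
    raise AssertionError("unreachable: the last band has no ceiling")


@dataclass(frozen=True)
class RiskEntry:
    identifier: str
    perspective: str            # Strategic / Project / Operational
    cause: str
    event: str
    effect: str
    impacts: Dict[str, str]     # measure -> impact level, all four measures required
    events_per_year: float
    owner: str

    def __post_init__(self):
        missing = set(IMPACT_MEASURES) - set(self.impacts)
        if missing:
            raise ValueError(f"{self.identifier}: unrated measures {sorted(missing)}")
        for measure, level in self.impacts.items():
            if level not in IMPACT_LEVELS:
                raise ValueError(f"{self.identifier}: bad level {level!r} for {measure}")

    def description(self) -> str:
        return risk_statement(self.cause, self.event, self.effect)

    def impact(self) -> Tuple[str, int]:
        """Overall impact = the worst of the four measures (assumption)."""
        level = max(self.impacts.values(), key=IMPACT_LEVELS.__getitem__)
        return level, IMPACT_LEVELS[level]

    def likelihood(self) -> Tuple[str, int, float]:
        return likelihood_band(self.events_per_year)


def heat_map(entries: List[RiskEntry]) -> Dict[int, Dict[int, int]]:
    """Count entries per cell: grid[impact_score][likelihood_score]."""
    grid = {i: {l: 0 for l in range(1, 6)} for i in range(1, 6)}
    for entry in entries:
        grid[entry.impact()[1]][entry.likelihood()[1]] += 1
    return grid


def render_heat_map(grid: Dict[int, Dict[int, int]]) -> str:
    """Text rendering in the slide's layout: impact rows, likelihood columns."""
    names = {score: name for name, score in IMPACT_LEVELS.items()}
    lines = ["IMPACT"]
    for i in range(5, 0, -1):
        cells = " ".join(f"{grid[i][l]:>3}" for l in range(1, 6))
        lines.append(f"  {names[i]:<13} {i} |{cells}")
    lines.append("                    " + " ".join(f"{l:>3}" for l in range(1, 6)))
    lines.append("                     VL   L   M   H  VH   LIKELIHOOD")
    return "\n".join(lines)


# Constructed sample register. SR-01 is the risk quoted on the slides, rated with a
# Critical reputation impact and a Moderate likelihood as the slide does; SR-02 and
# SR-03 and every frequency are invented for the example.
SAMPLE_REGISTER = [
    RiskEntry("SR-01", "Strategic",
              "we do not ensure that IT Services' information assets are managed correctly and securely",
              "there is a possibility of information loss and corruption AND major security breach",
              "damage to reputation of department and University, possible criminal or civil proceedings, "
              "and loss or corruption of information",
              {"reputation": "Critical", "timing": "Major", "financial": "Major", "availability": "Moderate"},
              2.0, "Director of IT Risk Management"),
    RiskEntry("SR-02", "Strategic",
              "the IT Strategic Plan is not funded in line with its priorities",
              "planned service improvements are deferred",
              "slipping timescales and a negative view of IT Services at Council level",
              {"reputation": "Moderate", "timing": "Major", "financial": "Minor", "availability": "Minor"},
              4.0, "Head of Planning"),
    RiskEntry("SR-03", "Strategic",
              "key skills remain concentrated in single individuals",
              "a service cannot be supported when they are unavailable",
              "break in a key service for up to a day",
              {"reputation": "Minor", "timing": "Minor", "financial": "Insignificant", "availability": "Moderate"},
              0.4, "Head of Operations"),
]

if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        print(entry.identifier, entry.impact(), entry.likelihood())
        print("   ", entry.description())
    print(render_heat_map(heat_map(SAMPLE_REGISTER)))
```

Keeping the four impact measures as separate fields, and deriving the overall level from them in one place, is what makes the assessment reproducible in the sense slide 27 asks for: two assessors who disagree can point at the measure and the definition they applied, rather than at a single gut-feel score.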

Page 37: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Strategic risk threat mitigation

Each risk has a ‘Response’, ‘Risk Proximity’ and ‘% complete’; actions and controls detailed for mitigation

• Reviewed by IT Committee termly
• Objective: get all risks to ‘amber’ or less by end of academic year
• Also, process for introducing new Strategic risks


Page 38: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Oxford Summary

• Risk management programme working
  – Reducing threat against departmental objectives
  – Directing priorities
• Strategic risk register still being refined…
  – Strategic risk register entries stable
  – Risk classifications reducing as a result of concerted efforts to mitigate
  – Will update strategic risk again after conference…
• Top-down meets bottom-up meets EDUCAUSE top ten
  – Management of strategic risks certainly delivering benefits
• Still to be connected with University of Oxford risk fully (cf Princeton)
• Still to be connected with IT Strategic Plan fully


Page 39: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Princeton / Oxford Comparison

Page 40: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)


Learning While Doing – Judith Pirani*

Strengths
  Princeton:
    Institutional Outreach
      • Non-IT leaders’ input solicited from start
      • Works closely with Audit and Compliance
    Institutional perspective
      • CIO member of the President’s Cabinet
      • CIO encouraging alignment of IT risk management with institutional goals
  Oxford:
    Stratified Risk Model
    Inclusive IT Risk Identification
    Repeatable and Relatively Objective Risk Assessment Method
    Process and Policies
      • Well-documented processes, definitions, and models
      • Linkage of risk and response processes
      • Monitoring risk response
    Weaves IT risk into IT planning and IT governance

Weakness
  Princeton: Initial risk assessment too granular?
  Oxford: Too much formality?

Page 41: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

ECAR Results and Live Poll  

Page 42: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

ECAR results

u  Most of the responses came from four-year institutions (58% doctoral, 17% baccalaureate, and 15% master’s)

Has your institution adopted an IT risk management program or methodology?

42

[Chart: responses by category — Yes; No, planning to implement; No, would like guidance; No]

Page 43: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

43

Page 44: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

EDUCAUSE Conference Poll

u  Identified set of top 10 strategic risks*, based on Princeton and Oxford registers, and cross-referenced to the EDUCAUSE Top Ten Issues (2013)*

u  Consider each one in turn, and ask attendees two questions:

 –  For those who have strategic IT risk registers in their universities, do they have a similar risk included in their own top set?

 –  For those who do not have strategic IT risk registers in their universities, would it be likely that they would have a similar risk included in their own top set?

u  Then ask which top risks are missing?

Slide 44

Page 45: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

Risk 1

u  Business Continuity: If departments delivering services in partnership with central IT do not make adequate plans for continuation of their business processes in the event of an outage of IT or other utility services, then IT might not be able to deliver services required by the university

u  This could result in a risk of major academic disruption and potential financial loss (e.g. Hurricane Katrina in New Orleans)

 –  2013 issue #5 — Facilitating a better understanding of information security and finding appropriate balance between infrastructure openness and security

 –  2013 issue #6 — Funding information technology strategically

Slide 45

Page 46: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

Risk 2

u  Emerging Technologies — Cloud Computing, Social Media, Mobility: If students, faculty, and staff use consumer-oriented and easily accessible technologies without appropriate consultation with central IT, then there could be serious information security implications: loss of control of university data, problematic contract issues, lack of attention to privacy concerns, etc.

u  This could result in a risk to institutional data integrity, confidentiality, and availability, and thus a risk of institutional financial obligation

 –  2013 issue #1 — Leveraging the wireless and device explosion on campus

 –  2013 issue #3 — Developing an institution-wide cloud strategy to help the institution select the right sourcing and solution strategies

Slide 46

Page 47: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

Risk 3

u  Privacy, Confidentiality, Data Classification: If departments do not understand the legal, regulatory, and university policies around categories of data, then the university might suffer from inappropriate exposure of private data, resulting in a risk of lawsuits, loss of institutional intellectual property, loss of institutional reputation, and financial penalties

 –  2013 issue #5 — Facilitating a better understanding of information security and finding appropriate balance between infrastructure openness and security

 –  2013 issue #10 — Using analytics to support critical institutional outcomes

Slide 47

Page 48: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

Risk 4

u  Inadequate Investment in IT Services: If a convincing case for adequate investment in IT cannot be made, then we might not be able to deliver projects and services required by the university, resulting in a risk of failing to provide services required to run the business of the university

 –  2013 issue #4 — Developing a staffing and organizational model to accommodate the changing IT environment and facilitate openness and agility

 –  2013 issue #6 — Funding information technology strategically

 –  2013 issue #9 — Transforming the institution's business with information technology

Slide 48

Page 49: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

Risk 5

u  Failure to Recognize and Meet User Expectations: If we fail to identify user requirements and expectations and assess the extent to which we are meeting them, then our services might not align with the university's needs. This misalignment could result in a risk of customers who have lost confidence in IT, a waste of resources, damage to the IT department's reputation, and failure to deliver services required by the university

 –  2013 issue #8 — Supporting the trends toward IT consumerization and bring-your-own device

 –  2013 issue #4 — Developing a staffing and organizational model to accommodate the changing IT environment and facilitate openness and agility

 –  2013 issue #1 — Access demand: wireless and device explosion, new digital divide, demand for institutional mobile apps

 –  2013 issue #2 — Improving student outcomes through an approach that leverages technology

 –  2013 issue #9 — Transforming the institution's business with information technology

Slide 49

Page 50: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

Risk 6

u  Failure to Address Funding Shortages over Many Years: If we do not recognize the recurring costs of infrastructure services and resource them appropriately, then there is the possibility that service improvements, including essential upgrades and enhancements, will not occur in a timely fashion — or at all. As a result, we risk service degradation or major failure and therefore compromise to university business operation

 –  2013 issue #6 — Funding information technology strategically

 –  2013 issue #9 — Transforming the institution's business with information technology

Slide 50

Page 51: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

Risk 7

u  Inadequate Program and Project Coordination: If adequate project and program controls and management strategies are not in place, then there may be significant over-runs in budget expenditures or even failure to deliver, resulting in a risk of failure to deliver important programs and projects for the university

 –  2013 issue #6 — Funding information technology strategically

Slide 51

Page 52: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

Risk 8

u  Failure to Manage Information Assets Securely: If we do not ensure that information assets are managed correctly and securely, then there is a possibility of information loss and corruption or of a major security breach. These could result in a risk of damage to the reputation of the IT department and the university, possible criminal or civil proceedings, and loss or corruption of information

 –  2013 issue #5 — Facilitating a better understanding of information security and finding appropriate balance between infrastructure openness and security

Slide 52

Page 53: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

Risk 9

u  Learning and Teaching Support Inadequately Resourced: If the environment used by the university to support many aspects of learning and teaching is not resourced and prioritized adequately, then the service might not be sufficiently robust or developed to support use, demand, and user expectations, resulting in a risk of high-profile failure or widespread dissatisfaction with tools and inability of the university to deliver high-quality teaching

 –  2013 issue #2 — Improving student outcomes through an approach that leverages technology

 –  2013 issue #7 — Determining the role of online learning and developing a sustainable strategy for that role

Slide 53

Page 54: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

Risk 10

u  Failure to Operate Capital Investment Approvals and Prioritization: If a clearly defined project and program approvals process is not followed, and a framework is not set up to define and agree on the most important capital investment areas, then projects and programs might not be prioritized correctly or adequately controlled and resourced, resulting in a risk of inappropriate allocation of resources, missed university objectives, and unnecessary expenditure and delays

 –  2013 issue #6 — Funding information technology strategically

Slide 54

Page 55: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

Summary

u  Any top-level strategic risks not covered…?

 –  State regulation

 –  Insufficient resources to recruit / keep best staff

 –  Cloud-based services

u  Results from poll:

 –  For those with strategic risk registers, number of risks appearing in more than half

 –  For those without strategic risk registers, number of risks that would appear in more than half

Slide 55

Page 56: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

Results from Conference Poll

Slide 56

Number contributing to poll: c. 120
Number with top-level risk register: c. 25

Those with risk register: 4 of 10 risks included

Those without risk register: 2 of 10 risks included

Page 57: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

Session Summary and Conclusions

u  Overviewed management of IT risk

u  Compared and contrasted Princeton and Oxford approaches

u  Reviewed other universities

u  Understood how risks should be managed - within an IT risk management framework

u  Compared with EDUCAUSE top ten issues

u  Undertaken poll to determine whether a consensus is being reached on what should be included in a strategic risk register

Slide 57

Page 58: IT Risk Assessment: Two Universities Share Their Methodologies (176780115)

Thank you

References

u  ECAR 2013 IT Risk Management poll:

http://net.educause.edu/ir/library/pdf/ECARpollAPR2013.pdf  

u  EDUCAUSE Top 10 IT Issues (2013):

http://www.educause.edu/research-and-publications/research/top-10-it-issues 

u  Judith Pirani’s research paper: Two Institutions’ Practical IT Risk Management Experiences:
http://net.educause.edu/ir/library/pdf/ecar_so/erb/ERB1306.pdf

u  Strategic IT Risks Matched with EDUCAUSE Top 10 IT Issues: IT Risk Management: Try This Exercise at Your Institution:
http://www.educause.edu/ero/article/it-risk-management-try-exercise-your-institution

u  Office of Government Commerce: Management of Risk (M_o_R):
http://www.mor-officialsite.com/home/home.aspx

u  UoO Risk Management policy: http://www.admin.ox.ac.uk/riskmgt/

u  Learning While Doing: Two Institutions’ Practical IT Risk Management Experiences, ECAR Research Bulletin, Judith A. Pirani