By Jesse Drake
In the board game, risk means defending one-dimensional territories against imaginary armies. In the world of IT, unmanaged risk has real-world consequences. Sloppy data handling often precedes a security breach.
Getting a comprehensive picture of risks associated with IT products and systems in use at the University is one element of Governance, Risk & Compliance (GRC) in the Information Security Office (ISO). Let's take a closer look at all aspects of GRC.
Despite the prominence of governance in the department name, GRC's bread and butter is risk management and compliance. IT governance-related tasks include enforcing the U's Information Security Policy 4-004, managing exceptions to policy processes, and reporting up to IT governance committees.
"One of the goals of our team is creating a way to assess technology risk here and then communicating that risk to leadership so that they can make decisions," said GRC Associate Director Greg Nance.
In life and work, we can't completely eliminate risk, but we can mitigate it.
In his May 16 UIT Talks event, Nance likened the mitigation concept to the experience of a pedestrian. Take, for example, UIT commuters walking to 102 Tower. Pedestrians can't control driver behavior, but can be reasonably reassured that measures are in place to mitigate risk – traffic lights, walk signals that "chirp" for the hard of hearing, concrete barricades, even painted crosswalk reminders to "LOOK" before they walk (or leap).
In GRC parlance, "mitigation" is interchangeable with "controls." In a work setting, controls apply to everything from firewalls that prevent nefarious actors from obtaining personal information, to employees safeguarding University-owned IT resources, and properly storing and transmitting sensitive data.
Risk Analyst Rudy Matthes oversees inherent risk process, with "the audacious goal of doing an inherent risk assessment on every single information system and application." By every single, he means campus, hospital, high-performance computing, standup systems for researchers, systems used by third party vendors working at the U, everything. And the greater the number of people with access to data, the greater the risk.
"If something is internet-facing, that changes the risk exposure quite a bit," Nance said.
Their focus is data, not devices. GRC Analyst Lana Xaochay, who develops related policies, procedures, and training, explains the team's technology-agnostic approach this way.
"When people think of the Information Security Office and IT, they link the two together and they think we handle devices, and that’s not true," she said. "We’re looking at all data that the University owns, anything used to conduct business for the University. That can be research, clinical, campus, there isn't anything outside of our purview if it’s an information asset utilized in any way."
Pin-pointing data type begins with assigning each system or application with a risk score (high, medium, or low) and data classification – restricted (e.g., Protected Health Information), sensitive (e.g., intellectual property), or public (e.g., directory contact information). This framework helps Matthes identify risks and determine if basic controls are being followed.
He then hands off to Risk Analyst Casey Wilson, who conducts in-depth risk and residual risk assessments.
“I take a deeper dive, look at a bunch of controls, and assess whether whatever system we’re looking at is abiding by those controls,” Casey said. “I quantify the residual risk, and combined with Rudy’s analysis, that’s what we report up to executives.”
Casey is also leading a new vendor security risk management initiative, slated to start by the end of 2017, which will identify the U's critical vendors and help ensure they're meeting the same risk requirements as internal IT systems, starting with 150 vendors the first year.
The regulatory environment in which the University of Utah operates in is broad and growing.
Compliance simply means meeting all of the regulatory requirements set forth by various state and federal agencies, like the Health Insurance Portability and Accountability Act (HIPAA) and Personally Identifiable Information (PII) state privacy laws (more examples at right).
GRC makes sure that system owners and leadership at the organization and University levels are informed about requirements, and prepared to demonstrate to regulators how they're meeting the requirements.
Compliance also encompasses training. Xaochay has been developing a formal security awareness program. An interactive training module about HIPAA is being rolled out to hospital employees in December 2017.
“We’re excited about that,” she said. “A lot of people ask for it. A lot of users want the knowledge, which we’ll continue building and release University-wide eventually.”
GRC becomes involved in risk assessment as a tollgate in the project management lifecycle, but they encourage anyone in the U community who manages a system or application they suspect needs a risk assessment to reach out. See "When should you contact GRC?" at right for more information.
"I like working and talking with people," Matthes said. "You think, information systems, but there’s a person behind that system that we enjoy interacting and engaging with."