Hurricane Katrina and other natural disasters, the ongoing threats of terrorism, and the auditing profession's increased emphasis on business continuity planning have captured the attention of higher education executives.
Most now realize that they ought to be doing business continuity planning but aren't sure where to begin. George Mason University's (Va.) Enterprise Executive Risk Management Group (EERMG) is building the organization's business continuity plans and capacity.
After hearing a Motorola information security executive predict that more and more corporations would create risk management programs that incorporate cyber-risks, GMU's CIO Joy Hughes proposed an EERMG be chartered there.
President Alan Merten appointed Maurice Scherrens, senior vice president for Finance and Administration, to lead the group. The team was charged with assessing information technology risks, physical risks, and risks from departmental procedures and processes, as well as overseeing the development of business continuity plans.
University risk assessment projects are often elaborate paper drills designed to satisfy an outside audience such as an auditor. Reams of documents and an exhaustive collection of "plans" may satisfy an external audience, but they're generally impractical to implement without a very significant infusion of resources.
Plus, large sets of plans prepared by people with very different viewpoints tend either to overwhelm with detail or, conversely, include generalizations that give them limited practical use.
Department heads devote significant amounts of both mental energy and time to fill out myriad forms, yet the unit-level problems identified never appear to make it to the top of the priority list. High-priority items for remediation funding usually are the central ones rather than the unit ones because they affect more people and processes. Unfortunately, this approach ensures that the concerns of many individual departments will be left out of the final risk analysis.
Rather than require every department in the university to fill out risk assessment forms, GMU's EERMG members first identified which departments were most relevant to business continuity planning. The group prioritized the list and developed a timeline by which the top 10 could be assessed within the first year. They created a four-year cycle for every department and associated subdivision to be assessed before the cycle begins again.
The chief safety officer and the IT security coordinator distribute a 20-page risk assessment questionnaire regarding departmental assets, policies, and procedures. The team conducts interviews to clarify questions and conduct on-site security assessments, and then identify risks.
The risk identification process, still in progress, has already resulted in remediation steps. For example, to limit after-hours personnel risk, police escorts were provided and evening hours were reduced.
Several risk assessments were outsourced to vendors such as Protiviti (www.protiviti.com). Because the university team had bundled the risk assessment in with business continuity and disaster planning, the effort could be funded by a grant that Mason had received for business continuity.
The departmental risk assessment questionnaire also requests a business continuity plan. Most departments do not have such a plan and really have no idea how to develop one, nor is there really much expertise in central administration.
Safety Officer Keith Bushey had received a pre-disaster mitigation grant late in 2005 under a FEMA-sponsored program. The EERMG decided to use it to secure assistance in developing a business continuity and risk mitigation plan. D.C.-based James Lee Witt Associates (JLWA) (www.wittassociates.com) was hired to leverage the work done by the risk assessment team.
In addition to interviewing department heads, JLWA partners spoke with the heads of other support and service departments and with key city personnel. They reviewed planning documents and did an overall GMU risk assessment, too.
The end result of the effort: a FEMA-approved mitigation plan, one of the first at a U.S. institution, and a business continuity plan draft that can be further developed with the rest of the FEMA grant.
These strategies were only successful because of the groundwork that had already been laid to build security alliances across the university community. Two alliances that were especially productive were the Privacy and Security Compliance Team (PSCT) and the Security Liaisons (SL) Group. Both of these groups have become part of security governance at Mason.
PSCT members, who are primarily associate deans and directors, are asked to:
ensure compliance with state and federal security and privacy regulations;
educate the university community about trends in security and privacy that have the potential to affect GMU;
recommend remedial actions to problems; and
review policies/procedures developed by each department to ensure security measures will protect institutional data from compromise or unauthorized access, modification, destruction, or disclosure.
The PSCT has also developed policies for Mason that identify three classifications of data and levels of responsibility for data ownership.
The SL group is chaired by the vice president for Information Technology and CIO. Members receive security announcements and meet with the vice president of IT to discuss what is working and not working. They are:
the point of contact in their unit for security recommendations/requests;
educating the university community about trends in security and privacy; disseminating this information;
the point of contact in their unit for security incidents, suspected and real; and
a conduit to the Computer Security Incident Response Team (CSIRT);
informing top administrators of possible gaps in training and support programs necessary to carry out requirements set forth in policies and directives; and
reviewing/commenting upon proposed security policies.
The SLs, primarily directors and office administrators, play a critical role in refining and institutionalizing new policies. The SLs have been articulate voices with respect to the logistics of complying with a proposed policy.
For example, the SLs were quite concerned about the emphasis in the new policy of staff being held responsible if their files were penetrated. They wanted university officals to articulate a list of steps which, if taken, would serve as evidence that the staff person had met his or her responsibilities.
As a result, brochures and web pages were developed to assist staff in auditing themselves from a technology perspective, providing basic instructions for securing one's desktop as it relates to the three data classifications.
Other policies that have benefited from being vetted first by the SLs are the e-mail encryption policy and the public internet address policy. Both of these policies were welcomed by the SLs because they have the potential to help the staff meet their responsibilities under the new data stewardship policy.
For example, once the enterprise e-mail system was configured to only accept and deliver e-mail using secure socket layers, it assuaged concerns about unencrypted data transfers via e-mail. The public internet address policy, which makes it possible to track, register, and regularly scan the computers that are accessible from the internet, was also welcomed by the SLs. Their involvement in the development of these policies resulted in the changes being much more acceptable to, and accepted by, the wider university community.
The key factors in the success of Mason's program operate at two levels.
In the trenches, it is essential that people's concerns be heard and that time-intensive processes are perceived as bringing benefit to those who participate. Thus, their input on proposed policies and procedures is listened to and acted upon. Risk assessments are conducted in ways that respect their time and bring benefits to their departments. And expertise is provided to them when they are asked to create a business continuity plan.
At the executive level, integration of activities takes place so that executive time is not wasted by having to process and prioritize the output of separate activities. Grants are sought in order to fund consultants to create business continuity plans. Executive involvement influences the budget group to fund needed initiatives. Advisory groups are extensively involved in policy and procedures development, which then makes the executives comfortable in directing their units to follow these policies and procedures.
Thanks to these strategies, risk assessment and business continuity planning are seen as valuable activities that benefit the university as a whole as well as the individual departments.
A more detailed version of this column is available online at www.universitybusiness .com/webexclusives.
At George Mason University (Va.), Joy R. Hughes is chief information officer and vice president for Information Technology, Keith Bushey is assistant vice president and chief safety officer, Cathy Hubbs is director of IT security, and Robert Nakles is executive director of the ITU Project and security office.