Tag Archives: #edu15

A practical approach to risk management – two perspectives

Tim Banks
Faculty IT Manager
University of Leeds

This is a write-up of a session I attended on Wednesday at Educause 2015, which was delivered by Bill Arnold, Information Security Analyst at the University of Tampa, and Dr Lawrence Dobranski, ICT Security Access & Compliance, University of Saskatchewan (Canada).

Introduction

The University of Tampa, Florida, is a liberal arts institution with a student population of around 8,000, 65% of whom live on campus. There are 1,200 staff and the annual turnover is c. $235m, with an estimated annual economic impact of around $850 million. They formally launched their Information Security Program three years ago with the appointment of a Chief Information Security Officer, who reports directly to the President (Vice-Chancellor). Their stated aim is to build a culture of risk management, security awareness and data protection, and as part of this they have created a cyber-security lab. They achieved ISO/IEC 27001:2013 certification in July 2015.

The (often misspelt) University of Saskatchewan is one of the top 15 research universities in Canada with 22,500 students from over 100 countries. They have a 16:1 student:staff ratio and an annual budget in excess of $1bn which includes $9.2m of scholarships and bursaries. They have 120 Graduate Degree Programs (taught postgraduate) and over 200 undergraduate degree programs. It snows regularly and can get very cold! They formally launched their information security program in June 2012, which is centred around the following three areas:

  • IT Security
  • IT Compliance
  • IT Access

It is a risk-based program, meaning that priorities for investment and action are based on a risk score. Bill observed that in 2014, cybersecurity criminals were making more money than drug cartels.

A number of barriers to progress were noted which included:

  • Lack of executive support
  • Inadequate investment
  • Ineffective information security leadership
  • Information security ‘unaware’ community
  • Information security gaps especially with respect to 3rd party service providers

Practical steps

  • Ask the right questions to the right people
  • Don’t adopt every aspect of a rigorous standard (like ISO 27001); use common sense
  • Focus on information lifecycle
  • Insights will come quickly once you start working with your stakeholders. These will inform your future strategy.
  • Advance planning and effective communication are absolutely essential
  • Don’t use mass surveys (if you actually want people to provide useful information)
  • Decide how you will engage – either in person or through focused surveys
  • Keep the process simple
  • Focus on business processes and impacts on information (e.g. loss / unauthorised access) rather than using technical jargon

The University of Tampa developed a very simple spreadsheet that included each major business unit on campus, each major process within the units and the process owner. The process owner was asked to rank each of their processes on a scale of 1-5 in three areas:

  • Degree of sensitivity of the data
  • Impact of loss of integrity
  • Impact of loss of availability

The three scores for each process were averaged to arrive at a risk score for the process. A discussion was then held with the process owner about the information handling lifecycle involved with each process, which covered:

  • Accessing the data
  • Processing the data
  • Transmitting the data
  • Sharing the data
  • Storing the data (in both paper and electronic forms)

They also looked into whether there were any compliance requirements associated with the type of information that was being stored, and determined whether the University IT department or a third party provided the service.

Summary (University of Tampa)
Bill provided the following summary of the University of Tampa’s risk based approach to managing information security.

  • Data Discovery – find out where your confidential data resides
  • Opening the Doors to positive change in University departments. You should be seen not as people who stop departments from doing things, but the people who help them to do it securely.
  • Re-engineering information handling, which will require a change in mindset from both IT and the business
  • Getting everyone to participate
  • Security Awareness (education is key)
  • Once they trust you, they will come (bringing information about risks right to your door)
  • Rinse, wash, repeat (continual process)
  • Collaborate to reduce risks

Always remember there are a lot of things we don’t know that we don’t know, as Bill’s slide demonstrated.

Summary (University of Saskatchewan)
Lawrence focussed mainly on the best way to present information security risks to University senior management. This is done most effectively when the senior officers of the University understand and accept the cyber-risk. In addition:

  • The information presented must be in a familiar format, as the busy people we are trying to communicate with cannot afford to waste time trying to understand the presentation format.
  • We need to focus on risk information and focus on the high risk areas when talking to the University executive group.
  • Don’t make the visuals too complicated or people will stop listening to you and start focussing all their attention on trying to understand the graphics.
  • Read the IEEE publication (Slide Rules)

During their audit, they discovered an internet-accessible incubator control unit with a built-in web server. On further investigation, if this had been hacked and the incubators shut down, then thousands of cute little chicks would have died (and research would have been put back two to three years). They also found a robot roaming the hall talking to patients, which the department was trying to control remotely by adding it to the wireless network. This robot was big enough to cause serious injury to somebody if an unauthorised person managed to take control of it.

The key stakeholders that Lawrence identified were cyber security professionals (never be afraid to ask for help) and the staff and students at the University. It is vital that those closest to the business processes are closely involved in the threat and risk/privacy impact assessment process. The world of cyber security is a fast-changing one, so dedicated cyber security professionals, either internal or external, are vital in order to keep abreast of emerging threats and the techniques to combat them. As an institution, we need to own risk and manage it.

Some particular suggestions for ways in which to present information security risks included using a Gartner-style quadrant with likelihood on one axis and impact on the other. Then encourage your senior team to focus only on the top-right quadrant, whilst still being able to see the entire risk landscape at a glance.
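The Tampa scoring sheet and the likelihood/impact quadrant described above, as an added example in Python that is not from the session or from either university. The process rows, the owner names and the 1-5 likelihood column are constructed here; the Tampa sheet as described records only the three impact scores, so adding a likelihood column and treating 3 on a 1-5 scale as the quadrant threshold are both assumptions. Besides the plain average, it reports the highest single score, because an average of 2.67 can hide a 5 on availability (the incubator case above), which a senior team looking only at the top-right quadrant would otherwise never see.

```python
"""Risk-scoring worksheet in the style of the University of Tampa spreadsheet.

Added example, not the session's or either university's own tooling. The rows,
owners and the 1-5 likelihood column are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Process:
    unit: str
    name: str
    owner: str
    sensitivity: int    # 1-5: degree of sensitivity of the data
    integrity: int      # 1-5: impact of loss of integrity
    availability: int   # 1-5: impact of loss of availability
    likelihood: int     # 1-5: assumed column for the likelihood axis (not in the Tampa sheet)
    third_party: bool   # True if a third party, not central IT, provides the service

    def __post_init__(self) -> None:
        # Reject anything outside the 1-5 scale the owners were asked to use.
        for field in ("sensitivity", "integrity", "availability", "likelihood"):
            v = getattr(self, field)
            if not 1 <= v <= 5:
                raise ValueError(f"{self.name}: {field} must be 1-5, got {v}")


def impact_score(p: Process) -> float:
    """Average of the three owner-ranked scores, as the Tampa sheet does."""
    return round(mean((p.sensitivity, p.integrity, p.availability)), 2)


def worst_dimension(p: Process) -> int:
    """Highest single score. An average of 2.67 can hide a 5 on availability."""
    return max(p.sensitivity, p.integrity, p.availability)


def quadrant(p: Process, threshold: float = 3.0) -> str:
    """Place a process on a likelihood x impact grid; 'top-right' is high on both."""
    hi_impact = impact_score(p) >= threshold
    hi_like = p.likelihood >= threshold
    if hi_impact and hi_like:
        return "top-right"
    if hi_impact:
        return "high-impact/low-likelihood"
    if hi_like:
        return "low-impact/high-likelihood"
    return "bottom-left"


def executive_view(processes, threshold: float = 3.0):
    """Top-right quadrant only, worst first: the slice the senior team should see."""
    top = [p for p in processes if quadrant(p, threshold) == "top-right"]
    top.sort(key=lambda p: (impact_score(p) * p.likelihood, p.likelihood), reverse=True)
    return [(p.unit, p.name, impact_score(p), p.likelihood) for p in top]


def masked_by_average(processes, threshold: float = 3.0, critical: int = 5):
    """Processes the average pushes below the threshold although one dimension is critical."""
    return [p.name for p in processes
            if impact_score(p) < threshold and worst_dimension(p) >= critical]


# Constructed sample rows; the incubator row echoes the Saskatchewan story above.
PROCESSES = [
    Process("Registrar", "Student records", "A. Owner", 5, 5, 3, 3, False),
    Process("Finance", "Payroll", "B. Owner", 4, 5, 4, 2, True),
    Process("Research lab", "Incubator control", "C. Owner", 1, 2, 5, 4, False),
    Process("Library", "Public events calendar", "D. Owner", 1, 1, 2, 4, True),
]


if __name__ == "__main__":
    for p in PROCESSES:
        print(f"{p.unit:12} {p.name:24} avg={impact_score(p):4} "
              f"max={worst_dimension(p)} L={p.likelihood} -> {quadrant(p)}")
    print("Executive view:", executive_view(PROCESSES))
    print("Review the average for:", masked_by_average(PROCESSES))
```

With these rows only "Student records" reaches the top-right quadrant, while "Incubator control" averages 2.67 and would drop out of the executive view despite a 5 on availability; the masked_by_average check is the caveat to keep beside any averaged score.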

An alternative is to use a radar plot to display how well the University is doing with multiple aspects of a particular IT security concern.

Overall this was a very informative session with some practical takeaways on how to both manage information security risks and communicate this to senior managers.

Perpetual Honeymoon: How to build the (almost) perfect business collaboration

Tim Banks
Faculty IT Manager
University of Leeds

I have just attended a really interesting session delivered by Bill Hogue, Director of IT (CIO) at the University of South Carolina. He started by telling us that in 2014 he received a phone call from the Vice Chancellor (President) of the University with news of a new initiative, partnering with IBM for delivery of some of the core University IT services. His exact words were “It’s a great opportunity and I know you’ll be excited by it.”

Bill has been seeking a new model for IT delivery at the University of South Carolina since 2004 and was convinced that the future of IT was going to be about partnerships, not least because the world of IT was changing so fast and the staff and students at the University now had access to world-class IT services as commodity items in their everyday lives. On January 1st 2015, the University of South Carolina entered into a 10-year partnership valued at an estimated $100m. The actual contract value is less than this figure, but Bill is sure that more opportunities to work with IBM will present themselves over the contract period. He summarised the whole 15-month contract negotiation period and the first 10 months of the partnership into two basic principles:

  1. Know yourself
  2. Know your collaborator

He also sounded a note of caution which was an idea commonly attributed to Peter Drucker, namely “Culture eats strategic planning for lunch”. In other words, no matter how much strategic planning you do, if you don’t have a grip on your organisational culture and haven’t prepared your organisation for change, then your strategy will fail.

http://www.strategy-business.com/blog/Strategy-or-Culture-Which-Is-More-Important

Assumptions

Bill then went on to list five assumptions about IT in Higher Education, as follows:

1: ‘Keeping the lights on’ is necessary but not sufficient on its own to deliver world-class IT service. The important thing is how we serve the University and how we serve the Faculties. He told of the Director of Facilities at a University where he had previously worked who had a sign on the back of his door, which he saw every time he left his office, that read: “What have you done for the students today?” We should always remember why we do what we do at the University.

2: Most of us are not receiving A+ grades from the staff and students at our institutions for our delivery of production services. It might be OK, but we are not doing a terrific job.

3: Our grades will get worse unless we do something different. Our expectations in IT are driven by consumer IT services; the challenge is only going to get harder. Currently there are 13 billion devices on the internet and this number is growing daily.

4: Running world class IT services is not a core competency of the University. The focus is teaching, learning, research and partnerships and we tend to be just ‘OK’ at delivering IT.

5: Most of us are in the early stages of transformation programs that promise to be disruptive. The IBM Institute for Business Value said in a recent report: “Demands on and in University IT Services continue to rise […] Both academic and industry leaders believe the current HE system is broken. We need a more practical and applied curriculum to exploit disruptive technologies and develop more partnerships.”

The Deal

Seventy three positions were transitioned from the University being the employer to IBM (without the individuals changing location / office etc.) Bill spoke about the need to handle this process very carefully and to ensure that all the University senior managers, including HR are on board with the process. The contract is mainly centred on delivery of Enterprise Resource Planning (ERP) systems, as this is where it was felt that IBM could deliver the best value.

A brand new Centre for Applied Analytics and Innovation is being built. This will house IBM experts in this field alongside University researchers. There were many similarities with the recently launched Leeds Institute for Data Analytics (LIDA) http://www.lida.leeds.ac.uk  at my own University of Leeds.

There are also plans to launch several apprenticeships with both staff and students working closely with IBM to develop new skills at the leading (or possibly bleeding) edge of IT development. A key factor in the partnership is the University’s access to IBM’s Watson technology, which IBM describe as ‘Cognitive Computing Systems that understand natural language’. http://www.ibm.com/smarterplanet/us/en/ibmwatson/

One of Watson’s main benefits is undertaking large scale real-time data analytics to identify ways to improve operational efficiency in finance, purchasing, facilities management etc. If the University of South Carolina is able to save just 1% on its annual $1.5bn budget, then that is a lot of money that can be reinvested in core business. This also opens up new areas of research opportunity for both staff and students to work with the Watson technology.

Bill then went on to expand on his two core principles, as follows:

Know yourself

  • Why are we doing this?
  • We can’t assume that we have a unified agenda. He could think of at least a dozen potentially competing agendas for wanting to develop a partnership such as the one with IBM, which include:

o    Economic development
o    The Leader’s Legacy
o    Getting free stuff from the partner
o    Wanting to improve services
o    The need to save money
o    Minimising or spreading risk associated with IT delivery

  • IT will continue to develop over time
  • It takes a firm commitment from the senior management at the University

o   Partnerships such as this can and most probably will be very disruptive
o   Needs total support from senior leadership team (Finance, HR, Student Education, VC, ProVCs etc.)

  • You need a comms strategy to manage the message that stakeholders are receiving
  • You need to be understanding towards affected employees. You can’t turn your back on staff who have worked at the University for many years and think of them as ‘IBM’s problem’

Things that can go wrong

  • Deals don’t always work out – you need an exit strategy
  • You need to get good at negotiating terms with the private sector with people who do this all day long for IBM
  • You need to recruit new ‘talent’ including people who love to read contracts
  • You are dealing with an organisation that is in this to make a profit and they will do this at your expense if they can get away with it.
  • That’s not a bad thing so long as you manage to negotiate fair terms and the University gets what it wants out of the deal too
  • There will always be ‘cave people’ who are always against everything. Be prepared for scrutiny and criticism.
  • Be prepared for inconvenient truths. You may find some things out about your organisation, staff and even yourself when your partner takes a long hard look at you with their world-class perspective. You may find out that some of your operations are not as world-class as you would like to believe.
  • Some of your customers will resist the new business model

o    Your customer base has to change as well. That can be a hard sell
o    They may not be interested in engaging in new processes “The old ones were just fine thank-you very much.”

  • The timing of introducing a change like this will never be right. You have to accept that it will be inconvenient and disruptive.
  • You must remember to have some fun, be creative and sustain a spirit of adventure.

o    Remember to keep talking about the 10-year strategy, not the 10 day problems.

Know your collaborator

  • They are not a 501(c)(3) (US speak for a non-profit organisation)
  • Understand their culture. The University is not going to go corporate and your partner is not going to become an academic institution. You must find your common ground.
  • Your collaborator will bring their very best people “the A-team” to the negotiating table. You have to be aware that the actual delivery may be by the B-team or the C-team. IBM has 435,000 employees worldwide. Not all of them are in the A-team. Make sure you retain the right quality of delivery once the contract has been signed.
  • Who are the champions? What are their strategies? You must understand their agenda.
  • Be prepared to receive help from a lot of different sources (not all of which will be helpful).
  • You need to be prepared to stay the course.

It was a fascinating account of a very ambitious project. I couldn’t help but think that we need to increasingly take a lead from organisations such as the University of South Carolina. There are of course challenges, technical, human and cultural but we shouldn’t let these alone prevent us from taking brave decisions to do the right thing for the future of IT in our institutions of learning and research.

Conversations and opportunities – the American way

Tim Banks
Faculty IT Manager
University of Leeds

Reflections on Day 1 at Educause 2015

Observation 1: This conference is big…really big. Over 7,300 delegates are attending this year’s Educause conference, which is being held in the Indianapolis Convention Centre. The venue is mind-bogglingly big, covering an area of 120,000m2 (1.3m square feet), including 50,000m2 (566,000 square feet) of open exhibition space across six blocks. There are 71 separate meeting rooms, which have been used by over 30,000 Star Wars fans during the two Star Wars Conventions that have been held here in recent years.

The exhibition hall is vast, with stands from over 250 suppliers, from small start-ups to global IT giants. There are up to 30 parallel sessions at any one time, making selection of the right one based on a short text description quite daunting.

Observation 2: The conference is very well organised (and sponsored). Despite the huge numbers of people and enormous scale of the venue, everything runs very smoothly, with few or no queues. The venue and organisers seem to have struck the right balance between the number of people attending and quantity of essential facilities on offer (catering, toilets, drinks stations etc.). Sessions start and end on time (by and large), and there is enough time built into the programme for the 10 minute walk between rooms.

Observation 3: The quality of the parallel sessions is variable. Some parallel sessions are most definitely better than others, although I have not found one today which I would class as truly ‘excellent’. This situation is helped by the fact that if you are really not getting on with a particular session, then nobody bats an eyelid if you stand up in the middle of it and walk out; it seems to be quite normal practice, and something which I have put to good use today on more than one occasion.

Observation 4: The people are very friendly and approachable. Conference delegates are happy to just talk to you if you approach them. I spent lunchtime sat at a table with attendees with varying degrees of hearing impairment, and we had a very interesting (sign-language interpreted) conversation about delivery of IT services and optimisation of hearing aids for listening to music. I was fondly referred to as ‘UK Guy’ by another attendee in one of the sessions, so am thinking of requesting a new conference badge proudly displaying my new pseudonym.

Observation 5: We are not going to starve or go thirsty. Cans of Coke, Sprite and other hot and cold drinks appear at regular intervals throughout the day; at lunchtime, enough food to feed several armies appeared from nowhere; cakes, pastries and chocolates were provided during the mid-afternoon break, and then during the early evening canapes, mini burgers, pasta and nachos were being served…

Observation 6: The suppliers’ fair is very useful. Due to the size of the conference, anybody who is anybody in the world of IT delivery is represented here with their top sales and marketing teams. I have had many extremely useful conversations with major global IT suppliers that just wouldn’t be possible if I tried to make contact by phone or e-mail. The quality of the freebies seems to be significantly better than at previous conferences I have attended.

Observation 7: The US Universities are quite some way behind the UK in several key areas of IT service delivery. It is clear from listening to both speakers and delegates from the USA that they are several years behind the UK in areas such as Information Security, IT Service Management, implementation of the ITIL framework, and splitting budgets into ‘business as usual’ delivery and project work. This came as quite a surprise to me, as I had assumed that US institutions were at the same level of maturity or better than the UK sector.

It has been an exhausting, but very productive day. My next blog post will give a detailed overview of today’s sessions.