Business continuity planning: George Mason University's executive enterprise risk management approach has helped in building responses to "what-if" scenarios.

Hurricane Katrina [...] higher education executives. Most now realize that they ought to be doing business continuity planning but aren't sure where to begin. George Mason University's (Va.) Enterprise Executive Risk Management Group (EERMG) is building the organization's business continuity plans and capacity. After hearing a Motorola information security executive predict that more and more corporations would create risk management programs that incorporate cyber-risks, GMU's CIO Joy Hughes proposed that an EERMG be chartered there. President Alan Merten appointed Maurice Scherrens, senior vice president for Finance and Administration, to lead the group. The team was charged with assessing information technology risks, physical risks, and risks from departmental procedures and processes, as well as overseeing the development of business continuity plans.

THE TRADITIONAL MODEL

University risk assessment projects are often elaborate paper drills designed to satisfy an outside audience such as an auditor. Reams of documents and an exhaustive collection of "plans" may satisfy an external audience, but they're generally impractical to implement without a very significant infusion of resources. Plus, large sets of plans prepared by people with very different viewpoints tend either to overwhelm with detail or, conversely, to include generalizations that give them limited practical use. Department heads devote significant amounts of both mental energy and time to fill out myriad forms, yet the unit-level problems identified never appear to make it to the top of the priority list. High-priority items for remediation funding usually are the central ones rather than the unit ones because they affect more people and processes. Unfortunately, this approach ensures that the concerns of many individual departments will be left out of the final risk analysis.

GMU'S NEW MODEL

Rather than require every department in the university to fill out risk assessment forms, GMU's EERMG members first identified which departments were most relevant to business continuity planning. The group prioritized the list and developed a timeline by which the top 10 could be assessed within the first year. They created a four-year cycle for every department and associated subdivision to be assessed before the cycle begins again. The chief safety officer and the IT security coordinator distribute a 20-page risk assessment questionnaire regarding departmental assets, policies, and procedures. The team then conducts interviews to clarify the answers, performs on-site security assessments, and identifies risks. The risk identification process, still in progress, has already resulted in remediation steps. For example, to limit after-hours personnel risk, police escorts were provided and evening hours were reduced. Several risk assessments were outsourced to vendors such as Protiviti (www.protiviti.com). Because the university team had bundled the risk assessment in with business continuity and disaster planning, the effort could be funded by a grant that Mason had received for business continuity.

THE CONTINUITY PIECE

The departmental risk assessment questionnaire also requests a business continuity plan. Most departments do not have such a plan and really have no idea how to develop one, nor is there much expertise in central administration. Safety Officer Keith Bushey had received a pre-disaster mitigation grant late in 2005 under a FEMA-sponsored program. The EERMG decided to use it to secure assistance in developing a business continuity and risk mitigation plan. D.C.-based James Lee Witt Associates (JLWA) (www.wittassociates.com) was hired to leverage the work done by the risk assessment team. In addition to interviewing department heads, JLWA partners spoke with the heads of other support and service departments and with key city personnel. They reviewed planning documents and did an overall GMU risk assessment, too. The end result of the effort: a FEMA-approved mitigation plan, one of the first at a U.S. institution, and a business continuity plan draft that can be further developed with the rest of the FEMA grant.

SECURITY GOVERNANCE

These strategies were only successful because of the groundwork that had already been laid to build security alliances across the university community. Two alliances that were especially productive were the Privacy and Security Compliance Team (PSCT) and the Security Liaisons (SL) Group. Both of these groups have become part of security governance at Mason. PSCT members, who are primarily associate deans and directors, are asked to:

* ensure compliance with state and federal security and privacy regulations;
* educate the university community about trends in security and privacy that have the potential to affect GMU;
* recommend remedial actions to problems; and
* review policies/procedures developed by each department to ensure security measures will protect institutional data from compromise or unauthorized access, modification, destruction, or disclosure.

The PSCT has also developed policies for Mason that identify three classifications of data and levels of responsibility for data ownership.

The SL group is chaired by the vice president for Information Technology and CIO. Members receive security announcements and meet with the vice president of IT to discuss what is working and not working. They are:

* the point of contact in their unit for security recommendations/requests;
* educating the university community about trends in security and privacy, and disseminating this information;
* the point of contact in their unit for security incidents, suspected and real;
* a conduit to the Computer Security Incident Response Team (CSIRT);
* informing top administrators of possible gaps in training and support programs necessary to carry out requirements set forth in policies and directives; and
* reviewing/commenting upon proposed security policies.

The SLs, primarily directors and office administrators, play a critical role in refining and institutionalizing new policies. The SLs have been articulate voices with respect to the logistics of complying with a proposed policy. For example, the SLs were quite concerned about the emphasis in the new policy on staff being held responsible if their files were penetrated. They wanted university officials to articulate a list of steps which, if taken, would serve as evidence that the staff person had met his or her responsibilities. As a result, brochures and web pages were developed to assist staff in auditing themselves from a technology perspective, providing basic instructions for securing one's desktop as it relates to the three data classifications. Another policy that has benefited from being vetted first by the SLs is the e-mail encryption policy. For example, once the enterprise e-mail system was configured to only accept and deliver e-mail over Secure Sockets Layer (SSL) connections, it assuaged concerns about unencrypted data transfers via e-mail (transport encryption of this kind protects messages on the hop between the user's mail client and the university's servers; it does not, by itself, encrypt messages stored on the server or relayed to outside mail systems). The public internet address policy, which makes it possible to track, register, and regularly scan the computers that are accessible from the internet, was also welcomed by the SLs. Their involvement in the development of these policies resulted in the changes being much more acceptable to, and accepted by, the wider university community.

MULTI-LEVEL SUCCESS

The key factors in the success of Mason's program operate at two levels. In the trenches, it is essential that people's concerns be heard and that time-intensive processes are perceived as bringing benefit to those who participate. Thus, their input on proposed policies and procedures is listened to and acted upon. Risk assessments are conducted in ways that respect their time and bring benefits to their departments. And expertise is provided to them when they are asked to create a business continuity plan. At the executive level, integration of activities takes place so that executive time is not wasted by having to process and prioritize the output of separate activities. Grants are sought in order to fund consultants to create business continuity plans. Executive involvement influences the budget group to fund needed initiatives. Advisory groups are extensively involved in policy and procedures development, which then makes the executives comfortable in directing their units to follow these policies and procedures. Thanks to these strategies, risk assessment and business continuity planning are seen as valuable activities that benefit the university as a whole as well as the individual departments.

A more detailed version of this column is available online at www.universitybusiness.com/webexclusives.

At George Mason University (Va.), Joy R. Hughes is chief information officer and vice president for Information Technology, Keith Bushey is assistant vice president and chief safety officer, Cathy Hubbs is director of IT security, and Robert Nakles is executive director of the ITU Project and security office.