Information Services. Information Technology Committee. 21 st June IT Risks in Schools

Transcription

1 Information Services Information Technology Committee 21 st June 2012 IT Risks in Schools Brief description of the paper re your IT services sufficiently robust for the purpose they are intended? There are risks associated with using IT systems which can result in loss of reputation and or money. Many schools run services where the impact of system failure or poor security could be high. IS are proposing an approach to help senior management in schools to assess the risks through an annual process of offering guidance and support so as to be able to answer the question above: ction requested To consider whether Schools would wish to receive an annual guidance letter regarding IT risks aimed at raising awareness and assessment of their potential impact. Resource implications Does the paper have resource implications? No Risk ssessment Does the paper include a risk analysis? Yes The whole paper is concerned with assessing risks around IT systems use Equality and Diversity Does the paper have equality and diversity implications? No Originator of the paper Simon Marsden Information Services Freedom of information Can this paper be included in open business? Yes

2 re your IT based services sufficiently robust for the purpose they are intended and used? When running IT services it is important to consider the potential impact of risks associated with those services. There are three main risks: 1. The service is insufficiently robust and as a result is unavailable at some business critical time resulting in loss either financial or reputational 2. The service is insecure resulting in loss or inappropriate use of data which covers a broad spectrum of loss eg research time if research data is not backed up and is lost, or loss of reputation and financial penalties in the case of personal data. 3. Your server infrastructure has been compromised and is hosting unauthorised software which may result in reputational loss. There are many cases where systems change over time as functions are added to a system or as its use replaces other methods of working to the point where what was a simple system has become a mission critical service. It is easy to overlook the increasing impact of failure on your business. IS have the responsibility for ensuring that these risks are addressed for the central services and Heads of School have a responsibility to ensure that IT services that are run in their school are similarly fit for purpose. Of course there is a wide spectrum of approaches, some schools choose to only use centrally provided services and therefore have no school level risks and others run complex services that are the heart of their teaching and research. There have been a number of incidents over the last couple of years that indicate that all Schools may not have understood or engaged with this issue. Some examples: number of websites were hacked so as to advertise Viagra web application not using ESE was hacked resulting in password theft. s most users had set their password to match ESE this compromised all ESE protected services for those users Failure of underlying infrastructure disrupting delivery of course material in the run up to an assessment deadline Failure to maintain security levels resulting in servers being infected with software that sent spam Inability to support a critical IT component after a member of staff left The CIO for UoE (Jeff Haywood) has an overall responsibility to ensure that these kinds of risks are minimised and where we do have issues, we learn from them. Formally, the duty is discharged through the annual risk management questionnaire about the risks associated with failure of IT services and the risk of loss of data. This is a relatively weak process as indicated by the number of incidents that have surfaced, although the process may well have been followed correctly.

3 Consequently, we have been considering what advice and guidance we could offer to help with discharging this responsibility such that senior management in Schools has a framework to help address the potential risks. Our suggestion is that we should write to Schools each year with a letter that offers advice, some of which would be a result of new incidents or threats that had occurred during the year and offers IS help if that is preferred. This is intended to help senior management engage with and potentially improve the management of risk in their school, there is no intention to ask for any change in reporting. We have attached a draft of the type of communication we have in mind. Would you find this or a modified approach useful? If you would like it modified could you suggest how? SLM/JH 12/6/12

4 DRFT Guidance notes for Heads of Colleges/Support Groups/Schools/Service Units regarding the IT Questions in the University nnual Risk Management Report ll Heads of Colleges and Support Groups are required to submit an annual Risk Management Report which contains two questions directed towards IT and data areas (see table below). I am conscious that, as the range and complexity of IT services that can be offered by Schools and Support Units has expanded, and as more data have become electronic in form, some guidance might be welcomed by those who are responsible for these aspects of their unit s activities. 16 Have there been any instances of failure, loss or inadequate operation of IT systems, infrastructure or controls that resulted in significant disruption to College / Support Group activities? 17 Have there been any occurrences of inadequate security over, or loss of personal data from the University e.g. loss of electronic equipment, memory devices etc containing personal data, unauthorised downloading from or access to electronic systems/files or and manual records containing personal data etc, Yes No If YES, provide details Minimising the risk of problems in IT provision that might result in a YES response to Q16 & 17 is desirable for us all, and Central Management Group has requested that I, as CIO, should work with the Internal udit department to extend their work beyond the IT services of Information Services to those operated by Schools and Service Units. The type of questions that I has asked Information Services to answer in order to evidence good practice is very similar to those set out below. To address Q16, the sorts of questions that a Head might ask of the staff responsible for IT services in her/his area are: 1. What IT services is my School/Unit (or substantial sub-unit such as a Centre or Institute) operating for its staff, students, visitors, clients? Examples of IT services include: VLE or other digital learning systems, filestore, high performance computing, teaching admin systems (including with staff and student data), website, and network/firewalls. 2. Which are the most important of those services (eg in terms of numbers of users / criticality to unit business)? 3. What is the risk to the business of my unit from each of those important services being unavailable? (Consider how long loss can be tolerated/worked-around and times of the week/year when they are most critical.) 4. What is the reputational risk to my unit or the University resulting of each of those important services being unavailable? 5. How is the security of the system being assured? (Consider authentication mechanisms, the number of people who have/need admin access etc.) To address Q17, consider these questions: 1. What are the business consequences of data being lost? (Eg are they irreplaceable, are they backed-up safely etc.) 2. What are the reputational consequences of data being lost? (Eg personal data, commercially confidential etc.) 3. What is done to ensure that staff and students understand the University policy and guidance on managing sensitive data, and is compliance satisfactory? (University policy etc

5 DRFT can be found here: & ) The University Risk Management Committee will forward to me any YES responses to Q16 or 17, so that I can work with the relevant units in College or Support Group to understand the problem that has arisen and seek ways to learn from it to minimise other occurrences. I shall also ask College and Support Group Offices to alert me to any YES responses from Schools or Units that the Office does not consider sufficiently serious to warrant a YES response on the Risk Management proforma, but which are nevertheless of sufficient magnitude to offer lessons from which we might learn. If you would like advice from IS on how to address these issues within your School or Unit, please contact the Head of your IS College Consultancy Team or Bryan Macgregor in the first instance. Vice Principal Jeff Haywood date