The purpose of risk management is to identify potential problems before they occur so that risk mitigation activities may be implemented as needed to avoid adverse impact on the business process. Risk management is a continuous, forward-looking process that is an important part of business and technical management processes. Risk management should address issues that could endanger achievement of campus objectives.
Effective risk management includes early and aggressive risk identification through the collaboration and involvement of relevant stakeholders. Strong leadership across all relevant stakeholders is needed to establish an environment for the free and open disclosure and discussion of risk.
Although technical issues are a primary concern both early on and throughout all project phases, risk management must consider both internal and external sources for cost, schedule, and technical risk. Early and aggressive detection of risk is important because it is typically easier, less costly, and less disruptive to make changes and correct work efforts during the earlier, rather than the later, phases of the project.
There are many types of information and data stored and processed on campus. Their uses range from supporting teaching and learning, to administering the University and the UW System, to numerous research projects across disciplines. This data is a target of cybercriminal and cyber-espionage activity aimed at harming others, gaining financial profit, or exposing information to benefit a nation-state, corporation, or other social or political agenda.
Risk is never fully eliminated. No matter what controls are put in place, storing and processing information carries some element of risk to the confidentiality, integrity, or availability of the data. This training, for example, attempts to reduce risk by providing awareness of what IT security risk is and of the controls that help reduce it. Awareness alone does not sufficiently reduce the risk. Risk is also reduced by:
The cybersecurity discipline is focused on working across the organization to identify, measure, and, when necessary, remediate or eliminate risk. The Office of Cybersecurity is working on the following initiatives to improve how we collectively identify, measure, and address risk. These activities are part of the 2015-2019 UW-Madison Cybersecurity Strategy.
The Office of Cybersecurity is working with the UW-Madison Chief Data Officer to create a campus data management governance plan. This includes updating the data classification matrix, identifying security controls for each data type, and providing education and training on the proper handling of the different types of data elements. The Chief Data Officer will continue to provide updates on the status of this effort.
The Office of Cybersecurity is working with campus to develop a Risk Management Framework (RMF). The framework will provide processes around the six steps of:
The result of applying the RMF is a security plan for the system to follow. The Office of Cybersecurity will have a draft of these processes in the first quarter of 2016.