Office of the Chief Risk Officer (OCRO) IT Audit and The Value to IT


Office of the Chief Risk Officer (OCRO): IT Audit and The Value to IT Operation
December 12, 2019

IT Audit Team
Grumpy, Happy, Bashful
Ranjita Chakravarty, Biniam Debrezion, Rose Huang
ACRP Valued Partner and Advisor

Office of the Chief Risk Officer (OCRO)
Chief Risk Officer
- Information Security (Michael Duff; reports dual to OCRO and OCIO): Orchestrates efforts to protect the information assets that are important to Stanford.
- Internal Audit (Henry Gusman): Provides independent, objective assurance and advisory services designed to add value and improve the operations of Stanford University, SLAC and the Stanford University Hospitals.
- Privacy (Shawna Hanson): Protects the privacy of university, employee, patient, and other confidential information; ensures the proper use and disclosure of such information; fosters a culture that values and promotes privacy.
- Risk Management (Tina Dobleman): Identifies and assesses risk, working to reduce potential loss through risk mitigation, risk transfer, and risk financing; performs claim management, participates in mediations and settlements; provides risk consulting and global risk management.
- Ethics and Compliance (Tina Hua): Provides cardinal direction and guidance for establishing and maintaining effective ethics and compliance activities by exercising oversight and coordinating efforts to advise, partner and engage the university community.
- Enterprise Risk Management (Sonya Pais): Coordinates the University’s enterprise risk management efforts to provide a framework and processes for the identification, assessment, mitigation and monitoring of risks to the achievement of the University’s mission and goals.

OCRO’s Mission: Valued Partner and Advisor

Three Lines of Defense Model
Governing Body / Board / Audit Committee
Senior Management
- 1st Line of Defense: Management Controls; Internal Control Measures
- 2nd Line of Defense: Financial Control; Security; Risk Management; Quality; Inspection; Compliance
- 3rd Line of Defense: Internal Audit
Also shown alongside the three lines: External Audit; Regulator

Client Universe (IT Audit Projects): University, SMC, SLAC, Hospitals

Example of IT Risks
Risk areas:
1 Cybersecurity
2 Information Security
3 IT Systems Development Projects
4 IT Governance
5 Outsourced IT Services
6 Social Media
7 Mobile Computing
8 IT Skills Among Internal Auditors
9 Emerging Technologies
10 Board & Audit Committee IT Awareness
Example projects shown alongside these areas:
- FY15 SLAC ERP Cybersecurity Review
- FY17 ERM Info Privacy & Security
- FY19 (ongoing) Follow-up on ISO security assessments
- FY17 Student Financial Aid Data Security
- FY19 Firewall Audit (Hospitals)
- FY18 QCAP pre-implementation
- FY19 ADAPT – Oracle Gift processing
- FY17 SMC BCP Review
- FY18 DAPER IT Governance
- FY15 Cloud Computing Risk Assessment
- FY19 Solovis (Cloud implementation at SMC)
- FY20 Robotics / Machine Learning
- FY14 Mobile Device Security Review
- FY15 Social Media Governance
- Ongoing: Social Media Board member
- FY16 Epic Mobile Device
- Core Skills & SME Initiatives
- OCRO Leadership Presentation to the Board & Audit Committee

Develop Annual Audit / Advisory Project Plan
Inputs:
- Industry: Emerging IT Risks
- Enterprise Risk Management (ERM/CMCC)
- Stanford Business/IT Initiatives
- Stanford University Management Inputs
Output: Annual Project Plan (Audit / Advisory), subject to Audit Committee Approval

Our Approach
- Step 1, Identify: IT risks to business
- Step 2, Assess: Assessment Framework covering People, Process & Technology
- Step 3, Assist: People, Process, Technology

Partners
IT Audit Team partners with: IA Team; Privacy / ISO / ERM / RM / E&C; UIT; Decentralized IT; Other Stanford Units

Questions / Thoughts?
