Characteristics of a Mature IT RISK Management Program - PowerPoint PPT Presentation

Loading...

PPT – Characteristics of a Mature IT RISK Management Program PowerPoint presentation | free to view - id: 3bfdd8-MTgyO



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Characteristics of a Mature IT RISK Management Program

Description:

Characteristics of a Mature IT RISK Management Program As it relates to a Mature Corporate Governance Program which works to International Standards – PowerPoint PPT presentation

Number of Views:33
Avg rating:3.0/5.0
Slides: 56
Provided by: isacacent
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Characteristics of a Mature IT RISK Management Program


1
Characteristics of a Mature IT RISK Management
Program
  • As it relates to a Mature Corporate Governance
    Program which works to International Standards
  • such as ISO 17999 and Basel II

2
Companies are required to Improve controls
  • Examples of Laws Governing Companies
  • The Patriot Act
  • Sarbanes Oxley
  • Gramm-Leach-Bliley Act
  • HIPAA

3
Laws, Governance, Controls and the Overlap
  • The laws all
  • Require various controls for various reasons
  • Many controls in each law
  • Are identical to those in the other laws but you
    have to make sure you cover all the angles
  • You want to
  • Avoid excessive work effort to maintain
    compliance but also want to ensure compliance

4
USA Patriot Act Oct 2001
  • Impacts
  • Financial Institutions, ISPs and other companies
    that handle and store online communications
  • Purpose
  • Boost Governments ability to track and prosecute
    terrorist activity through increased use of
    surveillance, information sharing, and other
    means.
  • What does this mean
  • Obliges financial institutions to report any
    suspicious activity regarding large money
    transactions.
  • Also obliges ISPs to all Government agencies to
    collect information on users including credit
    card and bank account information.

5
USA Patriot Act Oct 2001
  • Permits
  • A single judicial body to issue a nationwide
    order covering corporate communications
  • Lets a single court order
  • Grant nationwide access to stored e-mail and
    communications records
  • Treats stored voicemail like stored e-mail
  • Allows investigators
  • To electronically ease drop on suspected
    instances of terrorism and computer crime
    especially related to money laundering

6
Gramm-Leach-Bliley Act (GLBA) - November 1999
  • Impacts
  • Mainly Financial Institutions, but also any
    company that collects name, Social Security, and
    bank account numbers of employees and customers
  • Purpose
  • To protect information financial institutions
    collect about customers
  • What does this mean
  • Safe Guard Rule forces financial institutions to
    design, implement, and maintain safeguards to
    protect customer information.

7
GLBA
  • Financial Policy Rule
  • Governs
  • How companies collect and disseminate customer
    personal financial information
  • Requires
  • A copy of privacy policy be delivered to each
    customer at least once a year
  • Indicates what is collected, how it is protected,
    and to whom it will or will not be disclosed.
  • Considered a binding contract

8
GLBA
  • Safeguards Rule
  • Requires
  • That customer information is adequately
    protected.
  • FFIEC favors
  • Risk analysis to asses the appropriateness and
    effectiveness of the safeguards
  • Requires
  • That an individual be identified to coordinate,
    monitor and test the safeguards
  • Often assigned to a third party to maintain
    separation of duties and impartiality

9
Sarbanes-Oxley Act August 2002
  • Impacts
  • Any public company
  • Purpose
  • To restore investor confidence in the financial
    reporting of public companies and hold officers
    responsible for misrepresentation
  • What does this mean
  • Mandates quarterly reporting on how a company
    derives quarterly financial report, including
    controls and procedures used. Report to be
    audited by third party.

10
Sarbanes-Oxley Act August 2002
  • Develop processes and systems to ensure data
    integrity
  • Track everyone who has access to data
  • Store resulting logs on secure media/SAN

11
Sarbanes-Oxley Act August 2002
  • Security and ops teams that manage networks and
    review logs
  • Need to have arms length relationships with
    business and IT functions to eliminate
    opportunity for fraud
  • Will require
  • Enterprise level monitoring to identify breaches
    and anomalies
  • Eventually will need to monitor all systems that
    feed financial reporting applications

12
HIPAA
  • Health Insurance Portability and Accountability
    Act - August 1996
  • Impacts Bank One as a company that handles
    individual insurance information and provides
    health care clearinghouse and billing/data
    formatting services
  • Purpose
  • To improve portability while maintaining privacy
    and security of patient information
  • What does this mean
  • Privacy rule, security rule, standards for
    Medical providers, claims processors, and
    Insurance companies - securing information and
    electronic communications.

13
References for model
  • BASEL II
  • ISO 17999
  • Provides 90 of the controls needed for
    compliance with various laws if a company is ISO
    compliant
  • SEI CMMI
  • Carnegie Mellon Software Engineering Institute
  • http//www.sei.cmu.edu/cmmi/
  • Capability Maturity Model Integration
  • ISF
  • Information Security Forum
  • Working documents on
  • How to become a mature IT Risk Management
    function within a Mature Corporate Risk
    Management Governance Program

14
What makes a Mature ITRM?
  • Processes to achieve Governance objectives
  • Meeting Risk management requirements
  • Robust reporting framework
  • Strong internal control characteristics
  • Behavior of Mature ITRM that meets criteria
  • Benefits of meeting criteria

15
Basel II View - Corporate ORM / Framework
Standard Risk Categories
16
ISO 17999 (aka 17799)
  • Establishes best practices for secure deployments
  • Policies
  • Procedures
  • Operations,
  • Business continuity
  • Incident management
  • Ref http//www.bsitraining.com/infosecurity_stan
    dards.asp17999

17
Processes to achieve Governance objectives
  • Key IT RISK Process
  • Policy Framework
  • Objectives
  • Board and Management committed
  • Statement on how risk will be managed
  • Degree of risk that will be accepted
  • Assignment of responsibility for managing risk
  • Cost/benefit process for acceptance of risk
    appetite level

18
Processes to achieve Governance objectives
  • Key IT RISK Process
  • Risk Process
  • Objectives
  • Process to identify and assess risk associated
    with each layer of an IT Asset starting with the
    Business process
  • Tools in place to measure risk
  • Controls in place to ensure tools and processes
    running at expected level of maturity
  • Processes are equal or better to those of
    business peers and meet general practice
    criteria for assessment processes

19
Processes to achieve Governance objectives
  • Key IT RISK Process
  • Control framework
  • Objectives
  • Controls that assess and manage risk are
    monitored to ensure against failure or
    un-acceptable results
  • Controls are designed to monitor for compliance
    and report status of risk profile
  • IT Risk Staff and clients/employees are informed
    of rules and regulations, made aware of current
    risk issues

20
Processes to achieve Governance objectives
  • Key IT RISK Process
  • Control framework
  • Objectives Continued
  • Employees are trained in effective risk
    management practices as well as developed for job
    enhancement/advancement
  • Rewards are based on performance against agreed
    objectives. Failures and inappropriate actions
    are dealt with
  • Loss management controls are in place to detect
    and respond to fraud and corruption activities
  • Controls are in place and working to ensure
    security of assets

21
Risk Management Requirements
  • A mature risk management structure
  • Covers the entire organization, with clearly
    defined roles and responsibilities
  • IT RISK Management Requirement
  • An ITRM structure
  • covering the entire organization,
  • with clearly defined roles and responsibilities,
  • which is consistent with the organizations risk
    management structure
  • and has a good interface with other areas.

22
Risk Management Requirements
  • A mature risk assessment process
  • Identifies and evaluates key risks, which is
    consistent across all risk areas and the
    organization
  • IT RISK Management Requirement
  • An Information risk assessment process which is
    consistent across the organization and will as a
    minimum
  • Identify the nature and extent of information
    risks facing the organization
  • Assess the likelihood of the information risks
    materializing
  • Establish the cost benefit analysis of
    implementing controls to manage information risks
    (including proportionality, such as what peer
    organizations are doing).

23
Risk Management Requirements
  • Policies, standards, and procedures developed and
    implemented
  • To ensure all identified risks are managed within
    the organizations risk appetite
  • IT RISK Management Requirement
  • Policies, standards, and procedures developed and
    implemented to ensure that all identified
    information risks are managed, including
  • Establishing the acceptable information risks
    (known as risk appetite)
  • Ensuring there is an adequate response to
    directions from the board
  • Implementing impact reduction by use of control
    measures (ability to prevent, detect, and recover
    from an incident)

24
Risk Management Requirements
  • A process
  • For the regular monitoring of risk management
    processes and the carrying out of corrective
    action.
  • IT RISK Management Requirement
  • Procedures to monitor the effectiveness of
    controls and the integrity of the information
    risk management processes

25
Risk Management Requirements
  • A process
  • For regular risk reporting to executives and to
    the Board, with facilities to enable the
    assimilation of feedback into the risk processes
  • IT RISK Management Requirement
  • A process for regular reporting of information
    risks to executives and to the Board, with
    facilities to enable the assimilation of feedback
    into the information risk management processes

26
Risk Management Requirements
  • A process
  • To communicate appropriate risk information to
    the organizations stakeholders.
  • IT RISK Management Requirement
  • A process to communicate information about
    information risks to the organizations
    stakeholders both internally and externally

27
ITRM Reporting
  • Key Reporting Indicator
  • Information Risk Incidents
  • Objective
  • To provide detailed information to the Board on
    any information risk incidents that have occurred
    within the organization, above an agreed
    cost/impact threshold.
  • Characteristics
  • Total number of incidents this period
  • Total number of incidents this financial year
  • Number of incidents above the threshold
  • For each incident above the threshold
  • An impact assessment for each incident
  • Statement of how the incident was handled
  • Key indicators for the incident (cost, resources
    expended
  • Time before the incident was under control

28
ITRM Reporting
  • Key Reporting Indicator
  • Cost effectiveness of ITRM
  • Objective
  • To provide high-level information to the Board on
    the cost effectiveness of ITRM
  • Characteristics
  • Cost of all ITRM controls
  • Effective cost of doing nothing
  • Ratio of the cost of controls against doing
    nothing
  • Benchmarking against peer organizations
  • Compliance with ITRM controls as a percentage
  • Annual report on the effectiveness of the risk
    management process

29
ITRM Reporting
  • Key Reporting Indicator
  • Exposure to Litigation
  • Objective
  • To provide information to the Board on the
    potential for litigation or regulatory action as
    a result of information risks
  • Characteristics
  • Current legal proceedings and cumulative cost
  • Current regulatory exceptions and cumulative cost
  • Existing breaches of legislation (by legal
    instrument)
  • Existing breaches of regulation
  • Level of compliance to legislation as a
    percentage
  • Potential cost of legislation breeches
  • Potential cost of regulation breeches

30
ITRM Reporting
  • Key Reporting Indicator
  • Assessment of information risks
  • Objective
  • To provide information to the Board on the
    current assessment of information risks
  • Characteristics
  • Top Ten information risks
  • Likelihood of impact
  • Potential magnitude of impact
  • Assessment of risks against risk appetite
  • Identification of critical applications at risk
  • Availability and cost of control measures
  • Top Ten current threats and vulnerabilities
    (broken down in similar fashion to top ten
    information risks
  • Top Ten emerging threats and vulnerabilities
    (broken down in a similar fashion to top ten
    information risks

31
ITRM Reporting
  • Key Reporting Indicator
  • Status of incident management procedures
  • Objective
  • To provide information to the Board on the
    current status of information risk incident
    management procedures
  • Characteristics
  • Information on the status of the information
    risk incident management process is required,
    both for the organization and peer organizations.
    Where possible, the information should be broken
    down as
  • Cost of incident management resources
  • Performance against key performance indicator
  • Time to mobilize key resources
  • Benchmark against peer organizations
  • Improvements required (with associated cost)

32
Understanding Maturity levels
  • Benefits of a Mature ITRM function
  • Levels of maturity and characteristics of each
    level
  • Next steps
  • Finding your own level of maturity
  • Building a program to be the best

33
Benefits of a Mature ITRM function
  • Benefit
  • Improves the Quality of Decision Making
  • Argument for benefit
  • The rigor that can be applied to the Board
    decisions by knowledgeable, independent directors
    is significant in enhancing the quality of those
    decisions

34
Benefits of a Mature ITRM function
  • Benefit
  • Improves access to inward investment
  • Argument for Benefit
  • Reduces the perception of risk by investors and
    market analysts through transparency and
    accountability.
  • Helps to influence the organizations ability to
    raise finance by demonstrating a commitment to
    the protection of shareholders assets.
  • Fundamental to restoring trust in capital
    markets.

35
Benefits of a Mature ITRM function
  • Benefit
  • Reduces risk
  • Argument for benefit
  • Helps ensure that the Boards objectives and the
    organizations strategy take into account the
    needs of stakeholders, therefore reducing the
    risk of costly conflict.
  • Establishes a structure where the organization
    can manage risk and develop a strong relationship
    between the organization and Board on risk
    management.
  • Helps to reduce risk of fraud through
    implementation of strong controls, which are
    regularly reviewed for integrity

36
Benefits of a Mature ITRM function
  • Benefit
  • Stimulates performance
  • Argument for Benefit
  • Corporate governance establishes a clear link
    between performance and rewards, which encourages
    the organization to improve performance.

37
Benefits of a Mature ITRM function
  • Benefit
  • Demonstrates organizational integrity
  • Argument for benefit
  • Problems emerge early and are quickly dealt
    with in an organized manner rather than remain
    hidden which gives the impression of deception in
    the markets.

38
Benefits of a Mature ITRM function
  • Benefit
  • Improves business relationships
  • Argument for Benefit
  • Demonstrates a heightened awareness of the
    needs of stakeholders by taking into account
    their interests when making decisions.
  • Promotes stronger relationships.

39
Benefits of a Mature ITRM function
  • Benefit
  • Improves public perception and marketability
  • Argument for benefit
  • Increased awareness of stakeholder needs and
    concentration on corporate social responsibility
    encourages organizations to act in a more
    publicly acceptable manner.
  • This improves the way in which the organization
    is perceived as a socially responsible business.

40
Levels of Maturity Matrix
  • 5 levels of maturity based on behaviors
  • Poor Behavior
  • Fair Behavior
  • Medium Behavior
  • Good Behavior
  • Excellent Behavior

41
Levels of Maturity Matrix
  • Criteria to apply against each level of maturity
  • C1 - CMMI (Capability Maturity Model
    Integration)
  • maturity level (refer http//www.sei.cmu.edu/cmm
    i/
  • C2 - Assimilate ITRM direction from the Board
    into existing processes to create an effective
    ITRM structure
  • C3 - Adequacy of Information Risk Assessment
    Processes
  • C4 - How comprehensive, effective, and proactive
    is the management of information risk and the
    implementation of controls
  • C5 - How the organization ensures the integrity
    and effectiveness of information risk management
    processes
  • C6 - Adequacy and level or ITRM reporting
  • C7 - Adequacy and level of ITRM communication
    both within and outside the corporation

42
Level of Maturity Poor Behavior
  • C1 - Initial process unpredictable, poorly
    controlled, and reactive
  • C2 - Handles direction from Board as separate and
    un-coordinated requests.
  • ITRM structure is poor and inflexible
  • C3 - Employs immature ITRM processes with which
    are inconsistent and have limited effectiveness
  • C4 - Implements few controls and reacts to
    Information risk incidents as they occur

43
Level of Maturity Poor Behavior
  • C5 - Employs ITRM processes which may be
    generally adequate but are not typically reviewed
  • C6 - ITRM processes provide inadequate
    information which is only reported to next level
    in the organization
  • C7 - ITRM information rarely communicated to any
    level of the organization

44
Level of Maturity Excellent Behavior
  • C1 -Optimizing focus on process improvement
  • C2 -Manages and assimilates Board Direction on
    ITRM using well established procedures.
  • ITRM structure is both consistent and flexible in
    response to change
  • C3 -Employs ITRM processes which cover the entire
    business, are mature and are appropriate to meet
    objectives.
  • C4 -Responds proactively to all information risks
    within the risk appetite though a comprehensive
    combination of baseline and targeted controls

45
Level of Maturity Excellent Behavior
  • C5 -Employs comprehensive and effective ITRM
    processes which are regularly reviewed
  • C6 -Maintains Board level ITRM reporting
    processes which are timely, adequate, and
    appropriate
  • C7 -Maintains a high level of effective ITRM
    communication at own level throughout the
    organization

46
Criteria for Strong controls needed to meet
Governance objectives
  • There is a system for the identification,
    evaluation, management, and control of KEY risks
  • An Adequate internal control environment with
    regular review mechanism exists, including board
    level oversight
  • Effective monitoring and a corrective action
    processes exist
  • Appropriate channels exist for risk communication
    and information flow with peers, staff and upper
    management

47
Next Steps
  • Finding level of maturity for your program
  • Where do you fit in each category?
  • What is your current capability?
  • What are your shortfalls?
  • What are the risks of failing to Mature?
  • Building your plan
  • Understand the Corporate Governance program
  • Understand the Corporate Risk Management program
  • Align with Corporate Operational Risk Management
    programs
  • Plan to change areas of maturity weakness
  • Sell the program

48
Questions?
49
Other levels of maturity assessments
50
Level of Maturity Fair Behavior
  • C1 - Managed Process characterized for projects
    and is often reactive- each project or effort can
    do its own thing
  • C2 Direction from Board
  • Acted on as it occurs and is assimilated into
    some existing processes.
  • ITRM structure stable but not very flexible
  • C3 -Employs adequate ITRM process where the
    coverage is known but not at all complete
  • C4 - Manages some information risks through
    limited and inconsistent assessments and control
    implementations

51
Level of Maturity Fair Behavior
  • C5 -Employs adequate ITRM processes which are
    reviewed on an ad-hoc basis
  • C6 -Inadequate and unstructured ITRM reporting to
    line management
  • C7 -ITRM information is communicated only at the
    very senior level within the organization

52
Level of Maturity Medium Behavior
  • C1 - Defined Process characterized for the
    organization and is proactive standardized
    processes
  • C2 Direction from Board acted upon in a
    consistent manner but not coordinated or
    proactive.
  • ITRM structure established, effective but limited
    in ability to react to change.
  • C3 Has effective ITRM processes in place with
    reasonable coverage of the business
  • C4 -Manages many information risks through
    irregular assessment processes and control
    implementations

53
Level of Maturity Medium Behavior
  • C5 -Has effective ITRM process in place which are
    occasionally reviewed
  • C6 -Immature and irregular processes for
    reporting to senior management
  • C7 -ITRM information is communicated at most
    senior levels within the organization

54
Level of Maturity Good Behavior
  • C1 -Quantitatively Managed process measured and
    controlled managed within statistical
    boundaries
  • C2 Direction from Board acted on consistently
    and in a coordinated but immature process.
  • ITRM structure effective and flexible but
    inconsistent in ability to manage change
  • C3 Has consistent and effective ITRM processes
    in place covering most of the business
  • C4 -Manages most information risks through a set
    of baseline controls and some targeted controls
    base on risk assessments

55
Level of Maturity Good Behavior
  • C5 -Has effective ITRM processes in place which
    are periodically reviewed
  • C6 -Generally adequate but periodic ITRM
    reporting processes to top management
  • C7 -ITRM information is communicated at own level
    throughout most of the organization
About PowerShow.com