Project risk assessment presentation feb 2013
Uploaded by CentralOhioAGA2012 (79 slides)
1.
Project Risk Assessment
© Thomas E. Festing – 2013
2.
A Little Background – Tom Festing
11 Years In The US Army - Captain: Communications & Automation; Banking & Finance; Have driven an Abrams M1 Tank (mighty fine); Things, That If I Told You, Someone "May Come And Take Us Both Away"!
10 Years Internal Audit/Risk Management: JP Morgan Chase & Prudential Home Mortgage; Risk assessments, Privacy, ITGC reviews; Infrastructure / Data Center Technology.
1 Year CIO: Non-traditional Credit Card Industry; "Owned" IT functions.
10 Years Public Accounting: 7 years with Arthur Andersen; IT audit and consulting support; IT Risk Assessment & Governance.
State of Ohio: Office of Budget & Management; Internal Audit / IT General Controls; Risk Assessments / Consulting support.
Education/Certifications: CISA/CRISC; BSBA In Accounting (Back When Dirt Was New); Been Working On A Masters Since 1981.
35 Years Married: Wife & Two Children; Moved 17 times in 35 years; Two Dogs; 2 year old Grandson.
3.
This is not a "technology" presentation …. It is from a "business risk" perspective!
Today's objective is not to make you a "guru" … but to make you aware of a risk-based approach!
4.
Project Risk Assessment
• Why are we here?
• Definition – Risk Assessment
• The Business Problem – Problem – Solution – Objective/Approach
• The Process – Frame It – Collect It – Analyze It – Tell All
• Life Cycle
• Questions/Comments
5.
Why Are We Here Today?
Risk professionals are confronted with developing processes that integrate with a holistic risk management strategy, complementing Enterprise Risk Management, IT risk, privacy, and NIST 800-30 risk assessments. This session provides an example of a repeatable survey-based process that aids in assessing the business risks associated with managing large/complex projects. These risks transcend traditional functionality and code testing, expanding to potential business weaknesses within the areas of project governance, management, business requirements, design/architecture, implementation, and security. Review an approach that provides quantifiable results supporting stratification of potential issues by organization demographics, including business function, position, experience, and participation at both business and IT levels. Review deliverable examples that provide benchmark data that can be used by senior management and project sponsors to support accountability and follow-on assessments to evaluate changes in project communications and execution.
6.
The Business Solution
What do you really want!
Proactively identify areas where large project management may be at risk.
Stratify possible risk areas based on demographics – who is "in sync" and who is "out".
Identify areas that can be adjusted to help ensure success.
Understand how to make it easy!
What will you get!
Explanation/walkthrough of process.
Copy of sample survey questions.
Description of a "tool".
CPE credits … and ME!
7.
Extract - Holistic Risk Assessment Strategy
Diagram text recovered from the slide image:
Three linked assessments: Enterprise Risk Management, IT Risk Assessment (NIST 800-30), and Project Risk Assessments, with a common linkage to ERM through Project Risk Assessments, Privacy, and Managing Change.
Enterprise Risk Mgmt focus: drives strategy; regulatory requirement; governance; business focus.
IT Governance focus: assess IT technology risk; creating a multi-year audit plan; identifying security threats / likelihood / impact; technology device/process focus; regulatory requirements.
Governance application: Data Privacy (storage/transit, removable media, reports); large/complex projects; provides quantifiable analysis stratifying key governance areas.
NIST 800-30 steps shown: Preparing For Risk Assessment (Understand); Plan/Scope; Execute Audit; Identify Threat; Identify Vulnerabilities / Predisposing Conditions; Determine Likelihood of Occurrence; Determine Impact; Control Effectiveness; Determine Risk (Likelihood against Impact, each Low to High); Communications & Information Sharing (Deliverables); Maintaining Risk Assessment (Life Cycle).
IT risk dimensions: Regulatory, Availability, Efficiency. Control areas: Governance, Security, Management, Monitoring, Data Management, Functionality, Recoverability/Availability, Redundant.
Risk environment attributes scored per area (rated from Optimized / In Place / Established down to Ad-Hoc / Does Not Exist, or Low / Medium / High; data classed Public / Internal / Private; organisation Centralized / Departmental / Decentralized): Policies and Procedures; Performance Monitoring; Transaction Monitoring; Data Availability/Importance; BC/DR & Recovery; Personnel; Vendor Management; Control Capabilities; Ease of Use; Exposure Population; External Facing; User Security Adm.; Security Monitoring; Data Privacy; Change Activity; Age/Release Level; Inventory; Architecture; Speed.
8.
Risk Assessment
A Risk Assessment is a logical first step in a methodical risk management process ... that provides a framework for creating a quantifiable or qualitative value of the risk ... linking to threat sources and vulnerabilities … supporting determination of the inherent likelihood and impact …. that could hinder an organization from attaining its business goals and objectives in an efficient, effective, and controlled manner – be it process, technology, people, or vendor generated.
9.
Project Risk Assessment Process
10.
Project Risk Assessment Process
Ready?
11.
Project Risk Assessment – New Agenda
Nope… I used to think that 90% was all about the journey – and thought everyone was as excited about the trek as I was. The end was just the conclusion of the "fun stuff". Well – it's not. You need to see what's at the end so you can see if the 90% is worth the 10%. It also allows you to see why the path is not "easy". So here's the modified agenda.
12.
Project Risk Assessment – New Agenda
• A "Peek" To End Deliverables – What do I get!
• Definition – Risk Assessment
• The Business Problem – Problem – Solution – Objective/Approach – Why do I even want to take this trip! What will I take the trip in … is it sound!
• The Process – Tell All (10% - End Deliverable) – Frame It – Collect It – Analyze It (90% - Fun Stuff) – Tell All (10% - End Deliverable .. recap)
• Life Cycle – Sustain … don't make the same trip twice
• Questions/Comments – How many CPE did I get for this?
13.
THE PEEK
14.
The Peek
Wouldn't it make more sense to be able to get a peek at what we will "get" … like:
Define critical project risk and demographic areas!
Strategy for collecting and analyzing data!
Understanding what/how to communicate results!
How you can track improvements.
Understand how this links to ERM and other risk assessments!
May be handy – especially if we run out of time ……
15.
The Business Problem
Large projects tend to fail. Need to find a way to identify potential risk areas. Need to find a way to track improvements.
16.
Critical Risk Areas
Management Governance
Program Management
Business Requirements
Design & Development
Implementation/Operations
Information Security
Need a common language. Use a limited number of broad-based "business relevant" control areas. They do need to link to standard control areas so they are "defendable" and tie to audit & ERM. Build standard survey questions for each "Control Area". End results - 6 Categories / 22 Sub-areas / 47 Questions.
17.
Collect / Analyze Data By Demographics
Stratifying & consolidating data by demographics provides a way to gauge responses and provide different perspectives. Gaining input across different "levels" and organizational groups helps identify who is or is not ………
18.
Collect / Analyze Data By Demographics
Need to: Identify demographics. Collect input with anonymity. Keep it relevant & limited. Use On-Line Survey.
Example demographics ….
Functional Area/Responsibility: Executive Leadership; Line Of Business; Information Technology; Vendor/Consultant.
Project Involvement: Core Team Member; Subject Matter Expert; Tester; None.
Position: Executive Management; Senior Managers/Directors; Supervisors; Staff.
Years Experience: 1-3 Years; 3-6 Years; 6-9 Years; > 9 Years.
19.
Collect & Analyze Data
Success is not driven by slogans, mandates, and t-shirts – but by the support of the diversified team.
20.
Collect & Analyze Data
Data Collection: use an on-line survey (Survey Monkey), by Critical Risk Areas (6 Categories / 22 Sub-areas) – Management Governance, Program Management, Business Requirements, Design & Development, Implementation/Operations, Information Security – by Demographics, and by the 47 specific Questions.
Import To Core Risk Engine: "Crunch" Data.
21.
Communicate To Management
A way to communicate so management can "size" and "track":
Overall Top / Bottom 5 areas.
Baseline versus a future point in time.
Detail by question, area and demographics.
Heat map of risk areas: Impact on Project Success (Low to High) against Confidence Level (Not Confident to Extremely Confident).
22.
Communicate To Management
GOAL: CONCLUSION - RECOMMENDATION - PRIORITIZATION
Significant areas indicated a protracted lack of confidence. Area averages – except Information Security – were lower at this milestone than in the previous two assessments.
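The survey-stratification engine sketched across slides 16 to 22 (six critical risk areas, responses stratified by demographics, a core risk engine that "crunches" the data, top/bottom areas, a heat map of impact against confidence, and deltas against an earlier milestone), as an added Python example. This is not the author's tool nor his survey: the 1..5 confidence scale, the per-area impact weights, the exposure formula, the "in sync" gap measure, and every response and baseline figure are constructed assumptions for illustration.

```python
from collections import defaultdict

SCALE_MAX = 5            # assumed 1..5 confidence scale (1 = not confident)
CONFIDENCE_MIDPOINT = 3  # below this an area is "low confidence" on the heat map

# Question -> critical risk area. The six areas are the slides'; the real
# survey has 47 questions over 22 sub-areas, one sample question each here.
QUESTION_AREA = {
    "Q1": "Management Governance",
    "Q2": "Program Management",
    "Q3": "Business Requirements",
    "Q4": "Design & Development",
    "Q5": "Implementation/Operations",
    "Q6": "Information Security",
}

# Assessor-assigned "impact on project success" weight per area (assumed).
AREA_IMPACT = {
    "Management Governance": 5, "Program Management": 5,
    "Business Requirements": 4, "Design & Development": 3,
    "Implementation/Operations": 3, "Information Security": 4,
}

# Constructed survey responses: demographics plus one answer per question.
RESPONSES = [
    {"position": "Executive Management", "involvement": "Executive Leadership",
     "answers": {"Q1": 5, "Q2": 4, "Q3": 5, "Q4": 4, "Q5": 4, "Q6": 4}},
    {"position": "Staff", "involvement": "Core Team Member",
     "answers": {"Q1": 2, "Q2": 2, "Q3": 3, "Q4": 4, "Q5": 3, "Q6": 4}},
    {"position": "Staff", "involvement": "Tester",
     "answers": {"Q1": 1, "Q2": 2, "Q3": 2, "Q4": 3, "Q5": 2, "Q6": 5}},
    {"position": "Senior Managers/Directors", "involvement": "Subject Matter Expert",
     "answers": {"Q1": 4, "Q2": 3, "Q3": 4, "Q4": 4, "Q5": 3, "Q6": 4}},
]

# Constructed baseline: area means recorded at the previous milestone.
BASELINE = {
    "Management Governance": 3.5, "Program Management": 3.25,
    "Business Requirements": 3.5, "Design & Development": 3.5,
    "Implementation/Operations": 3.25, "Information Security": 4.0,
}


def area_scores(responses):
    """Mean confidence per critical risk area over the given responses."""
    by_area = defaultdict(list)
    for r in responses:
        for qid, value in r["answers"].items():
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"{qid}: answer {value} outside 1..{SCALE_MAX}")
            by_area[QUESTION_AREA[qid]].append(value)
    return {area: sum(v) / len(v) for area, v in by_area.items()}


def stratify(responses, demographic):
    """Area means per value of one demographic, e.g. 'position'."""
    groups = defaultdict(list)
    for r in responses:
        groups[r[demographic]].append(r)
    return {value: area_scores(rs) for value, rs in groups.items()}


def sync_gap(strata, area):
    """Spread between the most and least confident group for an area:
    a large gap means the groups are not 'in sync' on that area."""
    values = [scores[area] for scores in strata.values()]
    return max(values) - min(values)


def exposure(scores):
    """Rank areas by impact * (SCALE_MAX + 1 - mean confidence): low confidence
    in a high-impact area comes first; ties break alphabetically."""
    ranked = {a: AREA_IMPACT[a] * (SCALE_MAX + 1 - s) for a, s in scores.items()}
    return sorted(ranked.items(), key=lambda kv: (-kv[1], kv[0]))


def heat_map(scores):
    """(impact band, confidence band) per area for the two-axis heat map."""
    return {
        area: ("High" if AREA_IMPACT[area] >= 4 else "Low",
               "Low" if s < CONFIDENCE_MIDPOINT else "High")
        for area, s in scores.items()
    }


def delta(current, baseline):
    """Change in each area mean since the baseline; negative = confidence fell."""
    return {a: round(current[a] - baseline[a], 2) for a in current}


if __name__ == "__main__":
    scores = area_scores(RESPONSES)
    for area, exp in exposure(scores)[:5]:          # top-5 exposure table
        print(f"{area:26s} mean={scores[area]:.2f} exposure={exp:.2f}")
    strata = stratify(RESPONSES, "position")
    print("Governance gap, exec vs staff:", sync_gap(strata, "Management Governance"))
    print("Heat map:", heat_map(scores))
    print("Change vs baseline:", delta(scores, BASELINE))
```

With the constructed data, Program Management lands in the high-impact / low-confidence cell and tops the exposure ranking, while the 3.5-point governance gap between executives and staff is the "who is out of sync" signal the slides describe; the same `delta` call against the previous milestone is what lets a follow-on assessment show whether the gap closed.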
23.
Coordinated ERM and Risk Assessments – LIFE CYCLE
Diagram text recovered from the slide image: a CORE RISK ENGINE fed by the Project Risk Assessment; by other risk assessments (various risk reports); by business-area assessments (Legal/Regulatory Risk Assessment, DR/BC Business Impact Assessment, Business Process Assessment, Privacy Risk Assessment, Governance/Process Assessment, Threat Assessment, Change Management, Availability/Data Management); by Enterprise Risk Management (ERM); and by the NIST 800-30 IT Risk Assessment. Common risk drivers: Business Process and Technology Device. Outputs: Prioritization; Residual/Inherent Risk against Risk Tolerance; "What If" analysis; Preventative/Logical and Detective/Monitoring controls; Technology Change; the Audit Plan; the IT Business Plan.
24.
PEEK END
Now the detailed, fun journey for the "why" and "how"!
25.
The Business Problem
26.
Risk Assessments
For years we have convinced ourselves that all we needed to do was carry forward our audit approach and strategy from year to year – or just focus on NIST. We acknowledged that there was always "change", and some level of "business risk" that management would accept. After all, what you didn't know couldn't hurt you! …or is it "If it doesn't kill you – it makes you stronger"? No one disputes that project risk increases based on the project size and duration. Today – we have traditionally built structured risk-based approaches based on a combination of financial risk management, technology risk assessment framework, and risk-based audit scoping that works in concert with the overall enterprise risk management model to guide audit's assurance of "reasonable" levels of residual risk.
27.
The Business Problem
Organizations are confronted with having to develop efficient, effective, and repeatable assessment tools to aid in assessing the business risks associated with managing large enterprise projects. Pressure is placed on more than just functionality and code testing; it now extends to deciding where to focus limited resources to target potential weaknesses within the areas of project Governance, Project Management, Business Requirements, Design/Architecture, Implementation, and Security. Pressure is being applied by Audit Committees and Boards to understand costs / benefits and what proactive steps are being taken to reduce industry "failure" rates!
28.
The Business Problem
2012 Gartner – Survey
".. While larger projects are more likely to fail than smaller projects, around half of all project failures, irrespective of project size, were put down to functionality issues and substantial delays."
".. Failure rate of IT projects with budgets exceeding $1 million was found to be almost 50% higher than for projects … below $350,000."
".. Smaller projects experienced a one-third lower failure rate than large projects . keep small … not exceeding six months in duration …"
Specifically identified:
Cost: Not identifying budget variances / overruns early. Changes in scope – with related impact to cost vs. budget.
Functionality: Not capturing business functionality expectations. Quality.
Infrequent project status meetings.
Misalignment with business strategy.
Late!
Sounds like project management & Governance to me!
29.
The Real Business Solution
This session provides an example approach of a repeatable survey-based process that:
Provides quantifiable analysis techniques gained by evaluating input across demographic cross sections by:
• Function,
• Position,
• Experience, and
• Participation at both business and IT levels.
Provides quantifiable results supporting stratification of potential issues both by project area and organization layer.
Delivers benchmark data to support:
• Audit focus during the project.
• Follow-on assessments to evaluate whether changes in project communications and execution are achieving the desired results.