Mastering Information Technology
Risk Management

Goutama Bachtiar
Technology Advisor, Auditor, Consultant
www.linkedin.com/in/goutama
May 2013
Trainer Profile
• 15 years of working experience with exposure in advisory, consulting, audit, training and education, software development, project management and network administration
• VP - Head of Information Technology at Roligio Group
• Advisor at Global Innovations and Technology Platform
• Subject Matter Expert, Editorial Journal Reviewer and Exam Developer at ISACA
• Program Evaluator at Project Management Institute
• Microsoft Faculty Fellow
• Columnist and contributor at ZDNet Asia, e27.co, Forbes Indonesia, DetikINET and InfoKomputer among others
Risk Management
Definition
• Risk is the effect of uncertainty on objectives,
whether positive or negative
• Risk Management: Identification, assessment,
and prioritization of risks
• Involves coordination and economical
application of resources to minimize, monitor,
and control the probability and/or impact of
unfortunate events or to maximize the
realization of opportunities
ValueConsult

IT Risk Management

4
Sources
• Uncertainty in financial markets
• Project failures (at any phase in design, development,
production, or sustainment life-cycles)
• Legal liabilities
• Credit risk
• Accidents
• Natural causes and disasters
• Deliberate attack from an adversary
• Uncertain or unpredictable root-cause
• Others…
Ideal Risk Management
• Prioritizing risks with the greatest loss (or impact)
and the greatest probability of occurrence
• Risks with lower probability of occurrence and
lower loss are handled in descending order
• In practice the process of assessing overall risk
can be difficult
• Balancing resources used to mitigate between
risks with high probability of occurrence but
lower loss versus a risk with high loss but lower
probability of occurrence can often be
mishandled
Intangible Risk Management
• A new type of risk with a 100% probability of occurring that is nevertheless ignored by the organization because it lacks the ability to identify it
• For example, when deficient knowledge is applied to a situation, a knowledge risk materializes
• Relationship risk appears when ineffective collaboration occurs
• These risks directly reduce the productivity of knowledge workers and decrease cost effectiveness, profitability, service, quality, reputation, brand value, and earnings quality
• Intangible risk management allows risk management to create immediate value by identifying and reducing the risks that reduce productivity
Risk Management Methodology
• Identify and characterize threats
• Assess vulnerability of critical assets to specific
threats
• Determine likelihood and impact of the risks
• Identify ways to reduce those risks
• Prioritize risk reduction measures based on a
strategy

Risk Management Principles
• Create value: resources expended to mitigate risk should be less than the consequence of inaction (the gain should exceed the pain)
• Be an integral part of organizational processes
• Be part of the decision-making process
• Explicitly address uncertainty and assumptions
• Be systematic and structured
Risk Management Principles (cont’d)
• Be based on the best available information
• Be tailorable
• Take human factors into account
• Be transparent and inclusive
• Be dynamic, iterative and responsive to change
• Be capable of continual improvement and enhancement
• Be continually or periodically re-assessed
Risk Management Process
• ISO 31000
1. Establishing the context
• identification of risk in a selected domain of interest
• planning the remainder of the process
• mapping out
– the social scope of risk management
– the identity and objectives of stakeholders
– the basis upon which risks will be evaluated, constraints
• defining a framework for the activity and an agenda for identification
• developing an analysis of risks involved in the process
• mitigation or solution of risks using available technological, human and organizational resources
2. Identification: source and problem analysis
3. Assessment
Risk Options
• Design a new business process with adequate
built-in risk control and containment measures
from the start
• Periodically re-assess risks accepted in ongoing
processes as a normal feature of business
operations and modify mitigation measures
• Transfer risks to an external agency (insurance
company, etc)
• Avoid risks altogether (e.g., closing down a particular high-risk business unit/department)
Risk Response
• Avoidance: eliminate, withdraw from or not become involved
• Reduction: optimize, mitigate
• Sharing: transfer, outsource or insure
• Retention: accept and budget
Risk Management Plan
• Select appropriate controls or countermeasures to mitigate each risk
• Propose applicable and effective security
controls for managing the risks
• Contain a schedule for control implementation
and responsible persons for those actions
• Approval from the appropriate level of
management for risk mitigation
Risk Management Plan (cont’d)
• According to ISO/IEC 27001, after risk
assessment prepare a Risk Treatment Plan
(document the decisions about how each of the
identified risks should be handled)
• Mitigation of risks often means selection
of security controls; it should be documented in a
Statement of Applicability, which identifies which
particular control objectives and controls from
the standard have been selected, and why
• Implementation follows all of the planned
methods for mitigating the effect of the risks
Risk Management Plan (cont’d)
• Initial risk management plans will never be perfect
• Practice, experience, and actual loss results will
necessitate changes in the plan and contribute
information to allow possible different decisions to be
made in dealing with the risks being faced
• Risk analysis results and management plans should be
updated periodically. There are two primary reasons
for this:
– To evaluate whether the previously selected security
controls are still applicable and effective
– To evaluate the possible risk level changes in the business
environment
Risk Management Challenges
• Prioritizing risk management processes too highly could keep an organization from ever completing a project or even getting started
• Differentiate between risk and uncertainty: risk can be measured as impact x probability
• If risks are improperly assessed and prioritized, time can be wasted dealing with risks of losses that are not likely to occur
• Spending too much time assessing and managing unlikely risks can divert resources that could be used more profitably
• Unlikely events do occur, but if a risk is unlikely enough to occur it may be better to simply retain the risk and deal with the result if the loss does occur
• Qualitative risk assessment is subjective and lacks consistency
• The primary justification for a formal risk assessment process is legal and bureaucratic
Enterprise Risk Management
Definition
• Methods and processes used by organizations to
manage risks and seize opportunities related to
the achievement of their objectives
• Its framework involves
– Identifying particular events or circumstances relevant
to the organization's objectives (risks and
opportunities)
– Assessing them in terms of likelihood and magnitude
of impact
– Determining a response strategy
– Monitoring progress and assurance
Definition (cont’d)
• In short, ERM is a risk-based approach to managing a company, corporation or enterprise that integrates the concepts of internal control, the Sarbanes-Oxley Act (for U.S. corporations) and strategic planning

Benefits
• Identifying and addressing risks and opportunities proactively
• The company or business protects and creates value for its stakeholders such as owners, employees, customers, regulators, and society in general

ERM Framework
• Known as Risk Response Strategy:
– Avoidance: exiting the activities giving rise to risk
– Reduction: taking action to reduce the likelihood
or impact related to the risk
– Alternative Actions: deciding and considering
other feasible steps to minimize risks
– Share or Insure: transferring or sharing a portion
of the risk, to finance it
– Accept: no action is taken, due to a cost or benefit
decision
Risk Types and Examples
• Hazard risk
Liability torts, Property damage, Natural
catastrophe
• Financial risk
Pricing risk, Asset risk, Currency risk, Liquidity risk
• Operational risk
Customer satisfaction, Product failure, Integrity,
Reputational risk
• Strategic risks
Competition, Social trend, Capital availability
ERM Processes
• Establishing Context
Understanding the current conditions in which the organization operates, in its internal, external and risk management context
• Identifying Risks
Documenting material threats to the organization’s achievement of its objectives, and the areas the organization may exploit for competitive advantage
• Analyzing/Quantifying Risks
Creating probability distributions of outcomes for each material risk
ERM Processes (cont’d)
• Integrating Risks
Aggregating all risk distributions, reflecting correlations and
portfolio effects, formulating results of impact on company
key performance metrics
• Assessing or Prioritizing Risks
Determining contribution of each risk to aggregate risk profile,
and doing prioritization
• Treating or Exploiting Risks
Crafting strategies for controlling and exploiting various risks
• Monitoring and Reviewing
Measuring and monitoring risk environment and performance
of risk management strategies
ERM Objectives
• Companies manage risks and have various
departments or functions ("risk functions") that
identify and manage particular risks
• Each risk function varies in capability and how it
coordinates with other risk functions
• Main goal and challenge is improving this
capability, coordination, integration of output to
provide a unified picture of risk for stakeholders
and improving organization's ability to manage
enterprise risks effectively
ERM Challenges
• Identifying executive sponsors
• Establishing a common risk language or glossary
• Describing the enterprise’s risk appetite (which risks to take and which not)
• Identifying and describing risks in a risk inventory
• Implementing a risk-ranking methodology to prioritize risks within and across functions
• Setting up a Risk Committee and/or Chief Risk Officer to coordinate certain activities across all risk functions
ERM Challenges (cont’d)
• Establishing ownership for particular risks and responses
• Calculating Cost-Benefit Analysis of risk management
effort.
• Developing action plans to ensure risks are appropriately
managed
• Developing consolidated reporting for various stakeholders
• Monitoring results of actions taken in mitigating risk
• Ensuring efficient risk coverage by internal auditors,
consulting teams, and other evaluating entities
• Developing technical ERM framework that enables secure
participation by third parties and remote employees

Risk Functions
• Strategic planning
Identifying external threats and competitive opportunities,
along with strategic initiatives to address them
• Marketing
Understanding target customer to ensure product or
service alignment with its requirements
• Compliance & Ethics
Monitoring compliance with code of conduct and directing
fraud investigations
• Accounting / Financial compliance
Complying with Sarbanes-Oxley which identifies financial
reporting risks
Risk Functions (cont’d)
• Law Department
Managing litigation and analyzing emerging legal trends
that impact the organization
• Insurance
Ensuring proper insurance coverage for the organization
• Treasury
Ensuring cash is sufficient to meet business needs, while
managing risk related to commodity pricing or foreign
exchange
• Operational Quality Assurance
Verifying operational output is tolerable

Risk Functions (cont’d)
• Operations management
Ensuring business runs day-to-day and related barriers are
surfaced for resolution
• Credit
Ensuring any credit provided to customers is appropriate to
their ability to pay
• Customer service
Ensuring customer complaints are handled promptly and
root causes are reported to operations for resolution
• Internal audit
Evaluating effectiveness of entire risk functions and
recommending improvements
Internal Audit Role
• Besides IT audit, internal auditors play an important role in evaluating the organization’s risk management processes and advocating continued improvement
• They should not take any direct responsibility for making risk management decisions for the enterprise or for managing the risk management function
• Perform an annual risk assessment of the enterprise
• Develop the audit engagement plan
• This involves reviewing the various risk assessments performed by the enterprise (strategic plans, competitive benchmarking, and the SOX top-down risk assessment), considering prior audits, and interviewing a variety of senior managers
IT Risk Management
IT Risk Concept
• Part of business risk associated with the use,
ownership, operation, involvement, influence and
adoption of IT within an enterprise
• Consists of IT-related events that could potentially impact the business
• These events occur with uncertain frequency and magnitude
• They create challenges in meeting strategic goals and objectives
• Due to IT’s importance to the overall business, IT
risk should be treated like other key business
risks.
Risk IT Framework
• Framework
– Integrate the management of IT risk with the
overall ERM
– Compare assessed IT risk with risk
appetite and risk tolerance of the organization
– Understand how to manage the risk

Risk IT Categories
• IT Benefit/Value enabler
Missed opportunity to increase business value by IT-enabled or improved processes
• IT Program/Project delivery
Related to the management of IT-related projects intended to enable or improve business
• IT Operation and Service Delivery
Day-by-day IT operations and service delivery that can bring issues and inefficiency to the business operations of an organization
Risk Assessment
IT Risk Assessment Frameworks
• ISACA Risk IT
• Information Security Risk Management for ISO 27001
• CRAMM Information Security Toolkit
• OCTAVE (Operationally Critical Threat, Asset, Vulnerability Evaluation)
IT Risk ASSESSMENT
• Definition of risk assessment
The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.

IT Risk ASSESSMENT
Components of risk assessment
• Threats to, and vulnerabilities
of, processes and/or assets (including
both physical and information assets)
• Impact on assets based on threats and
vulnerabilities
• Probabilities of threats (combination of
the likelihood and frequency of
occurrence)

ISACA Risk IT
Risk IT: A Balance is Essential
• Risk and value are two sides of the same coin.
• Risk is inherent to all enterprises.
BUT
Enterprises need to ensure that opportunities for
value creation are not missed by trying to
eliminate all risk.

Risk IT Extends Val IT and COBIT
Risk IT complements and
extends COBIT and Val IT
to make a more complete
IT governance guidance
resource.

IT-related Risk Management
Risk IT is not limited to information security. It covers all IT-related risks, including:
• Late project delivery
• Not achieving enough value from IT
• Compliance
• Misalignment
• Obsolete or inflexible IT architecture
• IT service delivery problems
Guiding Principles of Risk IT
• Always connect to enterprise objectives.
• Align the management of IT-related business risk with overall enterprise risk management.
• Balance the costs and benefits of managing risk.
• Promote fair and open communication of IT risk.

Guiding Principles of Risk IT
• Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels.
• Understand that this is a continuous process and an important part of daily activities.

Key Risk IT Content: The “What”
• Key content of the Risk IT framework includes:
• Risk management essentials
– In Risk Governance: risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture
– In Risk Evaluation: describing business impact and risk scenarios
– In Risk Response: key risk indicators (KRI) and risk response definition and prioritisation
• Section on how Risk IT extends and enhances COBIT and Val IT (Note: Risk IT does not require the use of COBIT or Val IT.)

Key Risk IT Content: The “What”
• Process model sections that contain:
– Descriptions
– Input-output tables
– RACI (Responsible, Accountable, Consulted, Informed) table
– Goals and Metrics table
• Maturity model provided for each domain
• Appendices
– Reference materials
– High-level comparison of Risk IT to other risk management frameworks and standards
– Glossary
IT Risk Communication
• IT risk communication flows are:
– Expectation
• what the organization expects as the final result
• the expected behavior of employees and management
• encompasses strategy, policies, procedures and awareness training
– Capability
• indicates how well the organization is able to manage the risk
– Status
• information on the actual status of IT risk
• encompasses the risk profile of the organization, Key Risk Indicators, events and the root causes of loss events
IT Risk Communication (cont’d)
• Effective risk information should be:
– Clear
– Concise
– Useful
– Timely
– Aimed at the correct target audience
– Available on a need-to-know basis

Risk IT Three Domains

Risk Governance
• Ensure that IT risk management practices are
embedded in the enterprise, enabling it to secure
optimal risk-adjusted return
• RG1 Establish and Maintain a Common Risk View
RG1.1 Perform enterprise IT risk assessment
RG1.2 Propose IT risk tolerance thresholds
RG1.3 Approve IT risk tolerance
RG1.4 Align IT risk policy
RG1.5 Promote IT risk aware culture
RG1.6 Encourage effective communication of IT risk
Risk Governance (cont’d)
• RG2 Integrate With ERM
RG2.1 Establish and maintain accountability for IT risk
management
RG2.2 Coordinate IT risk strategy and business risk
strategy
RG2.3 Adapt IT risk practices to enterprise risk practices
RG2.4 Provide adequate resources for IT risk
management
RG2.5 Provide independent assurance over IT risk
management
Risk Governance (cont’d)
• RG3 Make Risk-aware Business Decisions
RG3.1 Gain management buy-in for the IT risk analysis approach
RG3.2 Approve IT risk analysis
RG3.3 Embed IT risk consideration in strategic
business decision making
RG3.4 Accept IT risk
RG3.5 Prioritize IT risk response activities

Risk Evaluation
• Ensure that IT-related risks and opportunities
are identified, analyzed and presented in
business terms
• RE1 Collect Data
RE1.1 Establish and maintain a model for data
collection
RE1.2 Collect data on the operating environment
RE1.3 Collect data on risk events
RE1.4 Identify risk factors
Risk Evaluation (cont’d)
• RE3 Maintain Risk Profile
RE3.1 Map IT resources to business processes
RE3.2 Determine business criticality of IT resources
RE3.3 Understand IT capabilities
RE3.4 Update risk scenario components
RE3.5 Maintain the IT risk register and IT risk map
RE3.6 Develop IT risk indicators
Risk Evaluation (cont’d)
• RE2 Analyze Risk
RE2.1 Define IT risk analysis scope
RE2.2 Estimate IT risk
RE2.3 Identify risk response options
RE2.4 Perform a peer review of IT risk analysis

Risk Response
• Ensure that IT-related risk issues, opportunities
and events are addressed in a cost-effective
manner and in line with business priorities
• RR1 Articulate Risk
RR1.1 Communicate IT risk analysis results
RR1.2 Report IT risk management activities and state
of compliance
RR1.3 Interpret independent IT assessment findings
RR1.4 Identify IT related opportunities
Risk Response (cont’d)
• RR2 Manage Risk
RR2.1 Inventory controls
RR2.2 Monitor operational alignment with risk
tolerance thresholds
RR2.3 Respond to discovered risk exposure and
opportunity
RR2.4 Implement controls
RR2.5 Report IT risk action plan progress

Risk Response (cont’d)
• RR3 React to Events
RR3.1 Maintain incident response plans
RR3.2 Monitor IT risk
RR3.3 Initiate incident response
RR3.4 Communicate lessons learned from risk
events

Risk/Response Definition
The purpose of defining a risk
response is to bring risk in line
with the defined risk tolerance
for the enterprise after due risk
analysis.
In other words, a response needs
to be defined such that future
residual risk (=current risk with
the risk response defined and
implemented) is as much as
possible (usually depending on
budgets available) within risk
tolerance limits.

Risk IT Benefits and Outcomes
• Accurate view on current and near-future IT-related events
• End-to-end guidance on how to manage IT-related risks
• Understanding of how to capitalise on the investment made in an IT internal control system already in place
• Integration with the overall risk and compliance structures within the enterprise
• Common language to help manage the relationships
• Promotion of risk ownership throughout the organisation
• Complete risk profile to better understand risk
Risk IT Evaluation
• The link between IT risk scenarios and ultimate
business impact needs to be established to
understand the effect of adverse events
• Risk IT prescribes different methods:
– COBIT Information criteria
– Balanced scorecard
– Extended balanced scorecard
– Westerman
– COSO
– Factor Analysis of Information Risk

Risk IT Scenarios
• The heart of the risk evaluation process
• Scenarios can be derived in two different and complementary ways:
– A top-down approach from the overall business objectives to the most likely risk scenarios that can impact them
– A bottom-up approach where a list of generic risk scenarios is applied to the organization’s situation
• Each risk scenario is analyzed to determine frequency and impact, based on the risk factors
Risk IT Response
• Risk avoidance, exiting the activities that give rise to
the risk
• Risk mitigation, adopting measures to detect, reduce
the frequency and/or impact of the risk
• Risk transfer, transferring to others part of the risk, by
outsourcing dangerous activities or by insurance
• Risk acceptance: deliberately running the risk that has
been identified, documented and measured
• Key risk indicators: metrics capable of showing that the organization is subject to, or has a high probability of being subject to, a risk exceeding the defined risk appetite
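Worked example, added here and not part of the original deck: it applies the deck's own rules (risk = impact x probability from the Risk Management Challenges slide; greatest loss and probability first from Ideal Risk Management; a response must cost less than the risk it removes, "the gain should exceed the pain"; residual risk must end up within risk tolerance as on the Risk/Response Definition slide, otherwise the activity is avoided) to a constructed register of four IT risk scenarios and picks the avoid/mitigate/transfer/accept response for each. All scenario names, figures, the 20,000 tolerance and the helper names are constructed assumptions.

```python
"""Rank IT risk scenarios and choose a response by the deck's own rules.

Added illustration, not from the original slides. Rules applied: risk = impact
x probability; greatest loss and probability first; a response must cost less
than the risk it removes; residual risk must end up within risk tolerance,
otherwise the activity is avoided. All figures are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class ResponseOption:
    """A candidate treatment: a control (mitigate) or a transfer (insure/outsource)."""
    name: str
    kind: str                    # "mitigate" or "transfer"
    residual_probability: float  # probability once the option is in place
    residual_impact: float       # loss per occurrence once the option is in place
    annual_cost: float

    def residual_risk(self) -> float:
        return self.residual_probability * self.residual_impact


@dataclass
class RiskScenario:
    """One IT risk scenario with the frequency and impact estimated for it."""
    name: str
    probability: float  # likelihood of occurrence over the planning period
    impact: float       # expected loss per occurrence, same unit as cost
    options: list = field(default_factory=list)

    def inherent_risk(self) -> float:
        """Risk as the deck measures it: impact x probability."""
        return self.impact * self.probability


def rank_risks(scenarios):
    """Greatest (impact x probability) first, as in 'ideal risk management'."""
    return sorted(scenarios, key=lambda s: s.inherent_risk(), reverse=True)


def choose_response(scenario, tolerance):
    """Select accept / mitigate / transfer / avoid for one scenario.

    An option qualifies only if it leaves residual risk within tolerance AND
    costs less than the risk it removes; the cheapest qualifying one wins.
    Returns (response, residual_risk, option_name).
    """
    inherent = scenario.inherent_risk()
    if inherent <= tolerance:
        return "accept", inherent, None  # retention: accept and budget for it
    qualifying = [
        o for o in scenario.options
        if o.residual_risk() <= tolerance
        and o.annual_cost < inherent - o.residual_risk()
    ]
    if qualifying:
        best = min(qualifying, key=lambda o: o.annual_cost)
        return best.kind, best.residual_risk(), best.name
    return "avoid", 0.0, None  # exit the activity: no residual risk remains


def build_treatment_plan(scenarios, tolerance):
    """Risk register in priority order with the response chosen for each entry."""
    plan = []
    for s in rank_risks(scenarios):
        response, residual, option = choose_response(s, tolerance)
        plan.append({
            "scenario": s.name,
            "inherent_risk": s.inherent_risk(),
            "response": response,
            "option": option,
            "residual_risk": residual,
            "within_tolerance": residual <= tolerance,
        })
    return plan


# Constructed sample register (monetary units are arbitrary). Probabilities are
# exact binary fractions so the arithmetic below is reproducible.
RISK_TOLERANCE = 20_000.0
SAMPLE_SCENARIOS = [
    RiskScenario("Ransomware on file servers", 0.25, 600_000.0, [
        ResponseOption("Offline backups and tested restore", "mitigate", 0.25, 64_000.0, 40_000.0),
        ResponseOption("Cyber insurance policy", "transfer", 0.25, 160_000.0, 25_000.0),
        ResponseOption("Rebuild the whole platform (gain < pain)", "mitigate", 0.0, 0.0, 200_000.0),
    ]),
    RiskScenario("Unsupported public-facing application", 0.5, 200_000.0, [
        ResponseOption("Web application firewall", "mitigate", 0.125, 200_000.0, 90_000.0),
    ]),
    RiskScenario("Legacy ERP reaching end of support", 0.75, 80_000.0, [
        ResponseOption("Migration project", "mitigate", 0.125, 80_000.0, 30_000.0),
        ResponseOption("Vendor extended-support contract", "transfer", 0.75, 20_000.0, 12_000.0),
    ]),
    RiskScenario("Phishing of staff", 0.75, 8_000.0, []),
]

if __name__ == "__main__":
    for row in build_treatment_plan(SAMPLE_SCENARIOS, RISK_TOLERANCE):
        print(row)
```

Note how the insurance option is rejected because its residual risk stays above tolerance, and the platform rebuild because it costs more than the risk it removes; the unsupported application ends up avoided because its only control fails both tests.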
Relationship with ISACA Frameworks
• Risk IT Framework complements ISACA’s
COBIT
• COBIT provides a comprehensive framework for the control and governance of business-driven, information-technology-based (IT-based) solutions and services
• COBIT sets good practices for the means of
risk management by providing a set of
controls to mitigate IT risk
Relationship with ISACA Frameworks (cont’d)
• Risk IT sets good practices for the ends by
providing a framework for enterprises to
identify, govern and manage IT risk
• Val IT allows business managers to get
business value from IT investments, by
providing a governance framework
• Val IT can be used to evaluate the actions determined by the risk management process
Relationship With Other Frameworks
• Risk IT accepts the Factor Analysis of Information Risk terminology and evaluation process
• ISO 27005
For a comparison of Risk IT processes with those foreseen by the ISO/IEC 27005 standard
• ISO 31000
The Risk IT Practitioner Guide appendix 2
• COSO
The Risk IT Practitioner Guide appendix 4
Information Security Risk Management
for ISO/IEC 27001/ISO 27005
ISO/IEC 27000 Family of Standards
• ISO/IEC 27001 is based on BS 7799 by the British Standards Institution
• Adopts the “plan-do-check-act” process model
• Information Security Management System (ISMS) standard (ISO/IEC 27001)
• Formal specification: mandates specific requirements
• Adoption of ISO/IEC 27001 allows for formal audit
and certification to explicit standard
• Risk management based on ISO/IEC 27000
standards
Information Security Risk Management
for ISO/IEC 27001/ISO 27005
ISO/IEC 27005
• Information security risk management
standard
• Does not specify, recommend or name
any specific risk analysis method
• Does specify a structured, systematic and rigorous process, from analyzing risks to creating the risk treatment plan
CRAMM Information security risk
toolkit
• Provides staged and disciplined approach towards IT
risk assessment

Source: http://www.cramm.com/overview/howitworks.htm

CRAMM Information security risk
toolkit
Asset identification and valuation
• Physical
• Software
• Data
• Location
Threat and vulnerability assessment
• Hacking
• Viruses
• Failures of equipment or software
• Wilful damage or terrorism
• Errors by people
Countermeasure selection and recommendation

CERT OCTAVE
Operationally Critical Threat, Asset, and
Vulnerability Evaluation Framework by
Software Engineering Institute (1999)
• Components of information security risk evaluation
• Processes with required inputs, activities, outputs
• Phase 1: Build asset-based threat profiles
• Phase 2: Identify Infrastructure Vulnerabilities
• Phase 3: Develop security strategy and plans
Self-directed information security risk
evaluation

Analysis team includes people from business
units and IT department

Software Risk Management
Understanding Risks in the Systems Development Life Cycle
• Business Application Development
• Alternative Software Development Strategies
• Information Systems Maintenance Practices
• Project Management Practices
• System Development Tools and Productivity Aids
• Software Development Process Improvement Practices
• Auditing Systems Development, Acquisition and Maintenance
Business Application Development
An Individual Application or Project is Initiated by
• A new opportunity that relates to new or existing business process
• A problem that relates to an existing business process
• A new opportunity that will enable the organization to take
advantage of technology
• A problem with the current technology

Traditional Systems Development Life Cycle Phases
• Phase 1—Feasibility
• Phase 2—Requirements definition
• Phase 3—Design
• Phase 4—Development
• Phase 5—Implementation

Business Application Development
Roles and Responsibilities of Groups and Individuals
• Senior management
• User management
• Project Steering committee
• Project Sponsor
• Systems development management
• Project manager
• Systems development project team
• User project team
• Security officer
• Quality assurance

Business Application Development
Risks Associated with Software Development
• Potential risks exist when poor or inadequate
SDLC methodologies are utilized
• Systems designed using a poor methodology may not meet the users’ needs and often exceed the limits of financial resources
• Merely following a methodology does not
ensure success of a development project

Business Application Development
Structured Analysis, Design, and Development
Techniques
• Develop system context diagrams
• Perform hierarchical data flow/control flow
decomposition
• Develop control transformations
• Develop mini-specifications
• Develop data dictionaries
• Define all external events—inputs from external
environment
• Define single transformation data flow diagrams from
each external event
Traditional System Development Life
Cycle (SDLC) Approach
Phase 1 - Feasibility Study
• Define a time frame
• Determine an optimum alternative/solution in
meeting business needs and general information
resource requirements or estimates
• Determine if an existing system can correct the
situation with slight or no modification
• Determine if a vendor product offers a solution
• Determine the approximate cost
• Determine if the solution fits the business strategy
Business Application Development
Phase 2 - Requirements Definition
• Identify and consult stakeholders to determine their
expectations
• Analyze requirements to detect and correct conflicts and
determine priorities
• Identify system bounds and how the system should interact
with its environment
• Convert user requirements into system requirements
• Record requirements in a structured format
• Verify that requirements are complete, consistent,
unambiguous, verifiable, modifiable, testable and traceable
• Resolve conflicts between stakeholders
• Resolve conflicts between the requirements set and the
resources that are available
Traditional System Development Life
Cycle (SDLC) Approach
Software Acquisition
• Decision made to acquire, not develop
• Occurs after the Requirements phase
• Request for proposal (RFP) contents
• Topics of discussion with users about vendors
• Contract contents
• Contract management
• Integrated Resource Management Systems
– Fully integrated corporate solution
– SAP, Peoplesoft, Oracle Financials, etc.
– Impact on the way the corporation does business
– Need to conduct an impact and risk assessment

Traditional System Development Life
Cycle (SDLC) Approach
Phase 3 - Design
• User involvement
• Key design activities
• Software baselining
• End of design phase

Phase 4 - Development
• Key activities
• Programming methods and techniques
• On-line programming facilities (Integrated Development Environment - IDE)
• Programming languages
• High-level
• Object-oriented
• Scripting [such as SH(SHELL), PERL, TCL, Python, JAVAScript and VB Script]
• Low-level assembler
• Fourth generation
• Decision support or expert systems
• Program debugging
Traditional System Development Life
Cycle (SDLC) Approach
Phase 4 - Development (continued)
• Testing
• Elements of a software testing process
• Test plan
• Conduct and report test results
• Address outstanding issues
• General testing levels
• Unit testing
• Interface or integration testing
• System testing
• Final acceptance testing
Traditional System Development Life
Cycle (SDLC) Approach
Phase 4 - Development (continued)
• Testing (continued)
• Other types of testing - related terminology
• Alpha and beta testing
• Pilot testing
• Whitebox testing
• Blackbox testing
• Function/validation testing
• Regression testing
• Parallel testing
• Sociability testing
• Automated application testing
Traditional System Development Life
Cycle (SDLC) Approach
Phase 5 - Implementation
• Planning for implementation
• Formal plan
• Data conversion
• Acceptance testing
• Certification and accreditation process

Post-Implementation Review
• Assess adequacy
• Evaluate projected cost benefits
• Develop recommendations
• Develop an action plan
• Assess the development project process
Alternative Software Development
Strategies
• Data-Oriented System Development
• Object-Oriented System Development
• Component-Based Development
• Web-Based Application Development
• Prototyping
• Rapid Application Development (RAD)
• Agile Development
• Reengineering
• Reverse Engineering

Logical Access Exposures
and Controls
Remote access security risks include:
• Denial of service
• Malicious third parties
• Misconfigured communications software
• Misconfigured devices on the corporate computing infrastructure
• Host systems not secured appropriately
• Physical security issues over remote users’ computers

Remote access security controls include:
• Policy and standards
• Proper authorizations
• Identification and authentication mechanisms
• Encryption tools and techniques, such as the use of VPN
• System and network management
Logical Access Exposures
and Controls
Remote access using personal digital assistants (PDAs): control issues to
address include:
• Compliance
• Approval
• Standard PDA applications
• Due care
• PDA applications
• Synchronization
• Encryption
• Virus detection and control

Logical Access Exposures
and Controls
Authorization Issues
• Access issues with mobile technology
• These devices should be strictly controlled both by policy and
by denial of use. Possible actions include:
• Banning all use of transportable drives in the security
policy
• Where no authorized use of USB ports exists, disabling use
with a logon script which removes them from the system
directory
• If they are considered necessary for business use,
encrypting all data transported or saved by these devices
• Audit logging in monitoring system access
• Provides management with an audit trail to monitor activities of a
suspicious nature, such as a hacker attempting brute force
attacks on a privileged logon ID
Logical Access Exposures
and Controls
Authorization Issues
• Audit logging in monitoring system access
• Access rights to system logs
• A periodic review of system-generated logs can
detect security problems, including attempts to
exceed access authority or gain system access
during unusual hours.

Audit logging in monitoring system access
• Tools for audit trails (logs) analysis
• Audit reduction tools
• Trends/variance-detection tools
• Attack signature-detection tools
Logical Access Exposures
and Controls
Authorization Issues
• Audit logging in monitoring system access
• Cost consideration
• Audit concerns
• Patterns or trends that indicate abuse of access privileges,
such as concentration on a sensitive application
• Violations (such as attempting computer file access that is
not authorized) and/or use of incorrect passwords
• Restrict and monitor access to computer features that bypass
security controls
• Generally, only system software programmers should have
access to:
• Bypass label processing (BLP)
• System exits
• Special system logon IDs
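Audit-trail analysis as described on these slides, written as an added example for this page (not the deck's own material): it runs audit reduction, trend/variance detection and attack-signature detection over constructed sample log lines, flagging brute-force attempts on a privileged logon ID, access during unusual hours, and one user's concentration on a sensitive application. The log format, logon IDs, application names, business hours and thresholds are all assumed values.

```python
"""Audit-trail review over constructed sample log lines (added example).
Mirrors the three tool categories on the slides: audit reduction,
trend/variance detection and attack signature detection."""

from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real logs: date time logon_id action target result
SAMPLE_LOG = """\
2013-05-06 09:02:11 alice LOGON host01 SUCCESS
2013-05-06 09:05:40 alice ACCESS payroll SUCCESS
2013-05-06 09:07:02 bob ACCESS crm SUCCESS
2013-05-06 09:08:13 bob ACCESS crm SUCCESS
2013-05-06 10:15:55 carol ACCESS payroll SUCCESS
2013-05-06 10:16:30 carol ACCESS payroll SUCCESS
2013-05-06 10:17:05 carol ACCESS payroll SUCCESS
2013-05-06 10:17:44 carol ACCESS payroll SUCCESS
2013-05-06 10:18:20 carol ACCESS payroll SUCCESS
2013-05-06 23:41:09 bob LOGON host01 SUCCESS
2013-05-06 23:42:00 bob ACCESS crm SUCCESS
2013-05-07 02:10:01 root LOGON host01 FAILURE
2013-05-07 02:10:03 root LOGON host01 FAILURE
2013-05-07 02:10:05 root LOGON host01 FAILURE
2013-05-07 02:10:06 root LOGON host01 FAILURE
2013-05-07 02:10:08 root LOGON host01 FAILURE
2013-05-07 08:30:00 alice LOGON host01 FAILURE
2013-05-07 08:30:20 alice LOGON host01 SUCCESS
"""

# Assumed site policy values (hypothetical)
PRIVILEGED_IDS = {"root", "sysadm"}
SENSITIVE_APPS = {"payroll"}
BUSINESS_HOURS = (8, 18)  # reviewers treat 08:00-18:00 as normal

def parse_log(text):
    """Turn the whitespace-separated records into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, user, action, target, result = line.split()
        events.append({
            "time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "user": user, "action": action, "target": target, "result": result,
        })
    return events

def in_business_hours(ts):
    start, end = BUSINESS_HOURS
    return start <= ts.hour < end

def reduce_audit_trail(events):
    """Audit reduction: drop routine successes so a reviewer sees only
    failures, privileged-ID activity, sensitive-app access and off-hours use."""
    return [e for e in events
            if e["result"] != "SUCCESS"
            or e["user"] in PRIVILEGED_IDS
            or e["target"] in SENSITIVE_APPS
            or not in_business_hours(e["time"])]

def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Attack signature: `threshold` or more failed logons on a privileged
    ID inside `window`. Returns {logon_id: failures in the densest window}."""
    failures = defaultdict(list)
    for e in events:
        if (e["action"] == "LOGON" and e["result"] == "FAILURE"
                and e["user"] in PRIVILEGED_IDS):
            failures[e["user"]].append(e["time"])
    hits = {}
    for user, times in failures.items():
        times.sort()
        densest = max(sum(1 for t in times[i:] if t - start <= window)
                      for i, start in enumerate(times))
        if densest >= threshold:
            hits[user] = densest
    return hits

def detect_unusual_hours(events):
    """Successful access outside business hours, by logon ID."""
    return sorted({e["user"] for e in events
                   if e["result"] == "SUCCESS" and not in_business_hours(e["time"])})

def detect_concentration(events, factor=2.0):
    """Trend/variance: a logon ID whose successful accesses to a sensitive
    application exceed `factor` times the mean over all active users."""
    per_app = defaultdict(Counter)
    active_users = set()
    for e in events:
        if e["action"] == "ACCESS" and e["result"] == "SUCCESS":
            active_users.add(e["user"])
            if e["target"] in SENSITIVE_APPS:
                per_app[e["target"]][e["user"]] += 1
    flagged = {}
    for app, counts in per_app.items():
        mean = sum(counts.values()) / len(active_users)
        for user, n in counts.items():
            if n > factor * mean:
                flagged[(user, app)] = n
    return flagged
```

On the sample above the reduction keeps 14 of 18 records, the signature check flags five failed logons on `root` within seconds, the off-hours check flags `bob`, and the variance check flags `carol`'s payroll concentration.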
Risk in Change Control and
Management
Information Systems Maintenance
Practices
Change Management Process Overview
- POSB Lucky Draw Fraud Case
• Deploying changes
• Documentation
• Testing program changes
• Emergency changes
• Deploying changes back into production
• Change exposures (unauthorized changes)
Information Systems Maintenance
Practices
Configuration Management
Library Control Software
• Executable and source code integrity
• Source code comparison

System Change Procedures and the Program Migration
Process
• Evaluate the adequacy of the organization’s procedures
• Identify system changes
• Review documentation
• Evaluate adequacy of procedures
Network Risk Management
Network Infrastructure
Security

LAN Security
• Local area networks facilitate the storage
and retrieval of programs and data used
by a group of people. LAN software and
practices also need to provide for the
security of these programs and data.

LAN risk and issues
• Dial-up access controls
Network Infrastructure
Security
Client-Server Security
• Control techniques in place
• Securing access to data or application
• Use of network monitoring devices
• Data encryption techniques
• Authentication systems
• Use of application level access control programs

Client/server risks and issues
• Access controls may be weak in a client-server environment.
• Change control and change management procedures.
• The loss of network availability may have a serious impact on the business or service.
• Obsolescence of the network components
• The use of modems to connect the network to other networks
• The connection of the network to public switched telephone networks may be weak
• Changes to systems or data
• Access to confidential data and data modification may be unauthorized
• Application code and data may not be located on a single machine enclosed in a secure
computer room, as with mainframe computing
Network Infrastructure
Security
Internet Threats and Security
Passive attacks
• Network analysis
• Eavesdropping (Video: Wireshark Wireless Password Sniffing)
• Traffic analysis

Active attacks
• Brute-force attack
• Masquerading
• Packet replay
• Message modification
• Unauthorized access through the Internet or web-based services
• Denial of service
• Dial-in penetration attacks
• E-mail bombing and spamming
• E-mail spoofing

Network Infrastructure
Security
Internet Threats and Security
• Threat impact
• Loss of income
• Increased cost of recovery
• Increased cost of retrospectively securing systems
• Loss of information
• Loss of trade secrets
• Damage to reputation
• Legal and regulatory noncompliance
• Failure to meet contractual commitments
• Legal action by customers for loss of confidential data
Network Infrastructure
Security
Internet Threats and Security
• Causal factors for internet attacks
• Availability of tools and techniques on the Internet
• Lack of security awareness and training
• Exploitation of security vulnerabilities
• Inadequate security over firewalls
• Internet security controls

Firewall Security Systems
• Firewall general features
• Firewall types
• Router packet filtering
• Application firewall systems
• Stateful inspection
Network Infrastructure
Security
Firewall Security Systems
• Examples of firewall implementations
• Screened-host firewall
• Dual-homed firewall
• Demilitarized zone (DMZ)

Firewall issues
• A false sense of security
• The circumvention of the firewall
• Misconfigured firewalls
• What constitutes a firewall
• Monitoring activities may not occur on a regular basis
• Firewall policies

Network Infrastructure
Security
Intrusion Detection Systems (IDS)
An IDS works in conjunction with routers and firewalls by
monitoring network usage anomalies.
• Network-based IDSs
• Host-based IDSs

Components:
• Sensors that are responsible for collecting data
• Analyzers that receive input from sensors and determine intrusive activity
• An administration console
• A user interface
Network Infrastructure
Security
Types of Intrusion Detection Systems (IDS)
• Signature-based
• Statistical-based
• Neural networks

Features
• Intrusion detection
• Gathering evidence on intrusive activity
• Automated response
• Security monitoring
• Interface with system tools
• Security policy management

Network Infrastructure
Security
Intrusion Detection Systems (IDS)
• Limitations:
• Weaknesses in the policy definition
• Application-level vulnerabilities
• Backdoors into applications
• Weaknesses in identification and
authentication schemes

Network Infrastructure
Security
Encryption
• Key elements of encryption systems
• Encryption algorithm
• Encryption key
• Key length
• Private key cryptographic systems
• Public key cryptographic systems
• Elliptical curve cryptosystem (ECC)
• Quantum cryptography
• Digital signatures

Network Infrastructure
Security
Encryption (Continued)
• Digital signatures
• Data integrity
• Authentication
• Nonrepudiation
• Replay protection
• Public key infrastructure
• Digital certificates
• Certificate authority (CA)
• Registration authority (RA)
• Certificate revocation list
• Certification practice statement (CPS)
Network Infrastructure
Security
Encryption (Continued)
• Use of encryption in OSI protocols
• Secure sockets layer (SSL)
• Secure Hypertext Transfer Protocol (S/HTTP)
• IP security
• SSH
• Secure multipurpose Internet mail
extensions (S/MIME)
• Secure electronic transactions (SET)
Project Risk Management
PRM Processes
• Planning how risk is managed within a particular project
• Plans include risk management tasks, responsibilities,
activities and budget
• Assigning a risk officer with healthy skepticism who is responsible
for foreseeing potential project problems
• Maintaining a live project risk database (risk profile)
• Each risk should have these attributes: opening date,
title, short description, probability and importance

PRM Processes (cont’d)
• Creating an anonymous risk reporting channel
• Each team member should have the possibility to
report risks that he/she foresees in the project
• Preparing mitigation plans for risks that are chosen to
be mitigated
• Identify how the risk will be handled – what, when, by
whom and how will it be done to avoid it or minimize
consequences if it becomes a liability
• Summarizing planned and faced risks, effectiveness of
mitigation activities, and effort spent for the risk
management
Q&A
THANK YOU!
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 

Último (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

Mastering Information Technology Risk Management

7. Intangible Risk Management
• Identifying a new type of risk with a 100% probability of occurring that is nonetheless ignored by the organization because it lacks the ability to identify it
• For example, when deficient knowledge is applied to a situation, a knowledge risk materializes
• Relationship risk appears when ineffective collaboration occurs
• These risks directly reduce the productivity of knowledge workers and decrease cost effectiveness, profitability, service, quality, reputation, brand value, and earnings quality
• Intangible risk management allows risk management to create immediate value from identifying and reducing the risks that reduce productivity
8. Risk Management Methodology
• Identify and characterize threats
• Assess vulnerability of critical assets to specific threats
• Determine likelihood and impact of the risks
• Identify ways to reduce those risks
• Prioritize risk reduction measures based on a strategy
9. Risk Management Principles
• Create value: resources expended to mitigate risk should be less than the consequence of inaction (the gain should exceed the pain)
• Be an integral part of organizational processes
• Be part of the decision making process
• Explicitly address uncertainty and assumptions
• Be systematic and structured
10. Risk Management Principles (cont'd)
• Be based on the best available information
• Be tailorable
• Take human factors into account
• Be transparent and inclusive
• Be dynamic, iterative and responsive to change
• Be capable of continual improvement and enhancement
• Be continually or periodically re-assessed
11. Risk Management Process (ISO 31000)
1. Establishing the context
 • identification of risk in a selected domain of interest
 • planning the remainder of the process
 • mapping out the social scope of risk management, the identity and objectives of stakeholders, and the basis upon which risks will be evaluated, including constraints
 • defining a framework for the activity and an agenda for identification
 • developing an analysis of risks involved in the process
 • mitigation or solution of risks using available technological, human and organizational resources
2. Identification: source and problem analysis
3. Assessment
12. Risk Options
• Design a new business process with adequate built-in risk control and containment measures from the start
• Periodically re-assess risks accepted in ongoing processes as a normal feature of business operations and modify mitigation measures
• Transfer risks to an external agency (insurance company, etc.)
• Avoid risks altogether (i.e. closing down a particular high-risk business unit/department)
13. Risk Response
• Avoidance: eliminate, withdraw from or not become involved
• Reduction: optimize, mitigate
• Sharing: transfer, outsource or insure
• Retention: accept and budget
14. Risk Management Plan
• Select appropriate controls or countermeasures to measure each risk
• Propose applicable and effective security controls for managing the risks
• Contain a schedule for control implementation and the persons responsible for those actions
• Approval from the appropriate level of management for risk mitigation
15. Risk Management Plan (cont'd)
• According to ISO/IEC 27001, after the risk assessment prepare a Risk Treatment Plan, documenting the decisions about how each of the identified risks should be handled
• Mitigation of risks often means selection of security controls; this should be documented in a Statement of Applicability, which identifies which particular control objectives and controls from the standard have been selected, and why
• Implementation follows all of the planned methods for mitigating the effect of the risks
16. Risk Management Plan (cont'd)
• Initial risk management plans will never be perfect
• Practice, experience, and actual loss results will necessitate changes in the plan and contribute information that allows different decisions to be made in dealing with the risks being faced
• Risk analysis results and management plans should be updated periodically, for two primary reasons:
 – To evaluate whether the previously selected security controls are still applicable and effective
 – To evaluate possible changes in the risk level of the business environment
17. Risk Management Challenges
• Prioritizing risk management processes too highly could keep an organization from ever completing a project or even getting started
• Do differentiate between risk and uncertainty: risk can be measured as impact × probability
• If risks are improperly assessed and prioritized, time can be wasted dealing with risks of losses that are not likely to occur
• Spending too much time assessing and managing unlikely risks can divert resources that could be used more profitably
• Unlikely events do occur, but if a risk is unlikely enough it may be better to simply retain it and deal with the result if the loss does occur
• Qualitative risk assessment is subjective and lacks consistency
• The primary justification for a formal risk assessment process is legal and bureaucratic
19. Definition
• Enterprise Risk Management (ERM): the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives
• Its framework involves:
 – Identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities)
 – Assessing them in terms of likelihood and magnitude of impact
 – Determining a response strategy
 – Monitoring progress and assurance
20. Definition (cont'd)
• In short, ERM is a risk-based approach to managing a company, corporation or enterprise, integrating the concepts of internal control, the Sarbanes-Oxley Act (for U.S. corporations) and strategic planning
21. Benefits
• Identifying and addressing risks and opportunities proactively
• The company or business protects and creates value for its stakeholders, such as owners, employees, customers, regulators, and society in general
22. ERM Framework
• Known as the Risk Response Strategy:
 – Avoidance: exiting the activities giving rise to risk
 – Reduction: taking action to reduce the likelihood or impact related to the risk
 – Alternative Actions: deciding on and considering other feasible steps to minimize risks
 – Share or Insure: transferring or sharing a portion of the risk, to finance it
 – Accept: no action is taken, due to a cost or benefit decision
23. Risk Types and Examples
• Hazard risk: liability torts, property damage, natural catastrophe
• Financial risk: pricing risk, asset risk, currency risk, liquidity risk
• Operational risk: customer satisfaction, product failure, integrity, reputational risk
• Strategic risk: competition, social trend, capital availability
24. ERM Processes
• Establishing context: understanding the current conditions in which the organization operates, in its internal, external and risk management context
• Identifying risks: documenting material threats to the organization's achievement of its objectives, and representing the areas the organization may exploit for competitive advantage
• Analyzing/quantifying risks: creating probability distributions of outcomes for each material risk
25. ERM Processes (cont'd)
• Integrating risks: aggregating all risk distributions, reflecting correlations and portfolio effects, and formulating the results as impact on the company's key performance metrics
• Assessing or prioritizing risks: determining the contribution of each risk to the aggregate risk profile, and prioritizing accordingly
• Treating or exploiting risks: crafting strategies for controlling and exploiting the various risks
• Monitoring and reviewing: measuring and monitoring the risk environment and the performance of risk management strategies
26. ERM Objectives
• Companies manage risks and have various departments or functions ("risk functions") that identify and manage particular risks
• Each risk function varies in capability and in how it coordinates with other risk functions
• The main goal and challenge is improving this capability, coordination and integration of output to provide a unified picture of risk for stakeholders, and improving the organization's ability to manage enterprise risks effectively
27. ERM Challenges
• Identifying executive sponsors
• Establishing a common risk language or glossary
• Describing the enterprise's risk appetite (which risks to take or not)
• Identifying and describing risks in a risk inventory
• Implementing a risk-ranking methodology to prioritize risks within and across functions
• Setting up a Risk Committee and/or Chief Risk Officer to coordinate certain activities across all risk functions
28. ERM Challenges (cont'd)
• Establishing ownership for particular risks and responses
• Calculating a cost-benefit analysis of the risk management effort
• Developing action plans to ensure risks are appropriately managed
• Developing consolidated reporting for various stakeholders
• Monitoring results of actions taken in mitigating risk
• Ensuring efficient risk coverage by internal auditors, consulting teams, and other evaluating entities
• Developing a technical ERM framework that enables secure participation by third parties and remote employees
29. Risk Functions
• Strategic planning: identifying external threats and competitive opportunities, along with strategic initiatives to address them
• Marketing: understanding the target customer to ensure product or service alignment with its requirements
• Compliance & Ethics: monitoring compliance with the code of conduct and directing fraud investigations
• Accounting / Financial compliance: complying with Sarbanes-Oxley, which identifies financial reporting risks
30. Risk Functions (cont'd)
• Law Department: managing litigation and analyzing emerging legal trends that impact the organization
• Insurance: ensuring proper insurance coverage for the organization
• Treasury: ensuring cash is sufficient to meet business needs, while managing risk related to commodity pricing or foreign exchange
• Operational Quality Assurance: verifying operational output is tolerable
31. Risk Functions (cont'd)
• Operations management: ensuring the business runs day-to-day and related barriers are surfaced for resolution
• Credit: ensuring any credit provided to customers is appropriate to their ability to pay
• Customer service: ensuring customer complaints are handled promptly and root causes are reported to operations for resolution
• Internal audit: evaluating the effectiveness of all risk functions and recommending improvements
32. Internal Audit Role
• Besides IT audit, internal auditors play an important role in evaluating the organization's risk management processes and advocating continued improvement
• Should not take any direct responsibility for making risk management decisions for the enterprise or managing the risk management function
• Perform an annual risk assessment of the enterprise
• Develop the audit engagement plan
• This involves reviewing the various risk assessments performed by the enterprise: strategic plans, competitive benchmarking, and the SOX top-down risk assessment
• Considering prior audits, and interviewing a variety of senior management
34. IT Risk Concept
• Part of the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise
• Consists of IT-related events that could potentially impact the business
• Such events occur with uncertain frequency and magnitude
• It creates challenges in meeting strategic goals and objectives
• Due to IT's importance to the overall business, IT risk should be treated like other key business risks
35. Risk IT Framework
• The framework:
 – Integrates the management of IT risk with the overall ERM
 – Compares assessed IT risk with the risk appetite and risk tolerance of the organization
 – Helps understand how to manage the risk
36. Risk IT Categories
 IT Benefit/Value enabler: missed opportunity to increase business value through IT-enabled or improved processes
 IT Program/Project delivery: related to the management of IT-related projects intended to enable or improve the business
 IT Operation and Service Delivery: day-to-day IT operations and service delivery that can bring issues and inefficiency to the business operations of an organization
37. Risk Assessment
IT Risk Assessment Frameworks (figure):
• ISACA Risk IT
• Information Security Risk Management for ISO 27001
• CRAMM
• Information Security Toolkit
• OCTAVE (Operationally Critical Threat, Asset, Vulnerability Evaluation)
38. IT Risk Assessment
• Definition of risk assessment: the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.
39. IT Risk Assessment (cont'd)
• Components of risk assessment:
 – Threats to, and vulnerabilities of, processes and/or assets (including both physical and information assets)
 – Impact on assets based on threats and vulnerabilities
 – Probabilities of threats (combination of the likelihood and frequency of occurrence)
41. ISACA Risk IT
Risk IT: A Balance is Essential
• Risk and value are two sides of the same coin.
• Risk is inherent to all enterprises.
• BUT enterprises need to ensure that opportunities for value creation are not missed by trying to eliminate all risk.
42. Risk IT Extends Val IT and COBIT
• Risk IT complements and extends COBIT and Val IT to make a more complete IT governance guidance resource.
43. IT-related Risk Management
• Risk IT is not limited to information security. It covers all IT-related risks, including:
 – Late project delivery
 – Not achieving enough value from IT
 – Compliance
 – Misalignment
 – Obsolete or inflexible IT architecture
 – IT service delivery problems
44. Guiding Principles of Risk IT
 Always connect to enterprise objectives.
 Align the management of IT-related business risk with overall enterprise risk management.
 Balance the costs and benefits of managing risk.
 Promote fair and open communication of IT risk.
45. Guiding Principles of Risk IT (cont'd)
 Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels.
 Understand that this is a continuous process and an important part of daily activities.
46. Key Risk IT Content: The "What"
• Key content of the Risk IT framework includes:
 – Risk management essentials
 – In Risk Governance: risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture
 – In Risk Evaluation: describing business impact and risk scenarios
 – In Risk Response: key risk indicators (KRI) and risk response definition and prioritisation
 – A section on how Risk IT extends and enhances COBIT and Val IT (note: Risk IT does not require the use of COBIT or Val IT)
47. Key Risk IT Content: The "What"
• Process model sections that contain:
 – Descriptions
 – Input-output tables
 – RACI (Responsible, Accountable, Consulted, Informed) table
 – Goals and metrics table
• A maturity model is provided for each domain
• Appendices:
 – Reference materials
 – High-level comparison of Risk IT to other risk management frameworks and standards
 – Glossary
48. IT Risk Communication
• IT risk communication flows are:
 – Expectation
  • What the organization expects as the final result
  • What the expected behaviour of employees and management is
  • Encompasses strategy, policies, procedures, awareness training
 – Capability
  • Indicates how well the organization is able to manage the risk
 – Status
  • Information on the actual status of IT risk
  • Encompasses the risk profile of the organization, Key Risk Indicators, events, and root causes of loss events
49. IT Risk Communication (cont'd)
• Effective information should be:
  Clear
  Concise
  Useful
  Timely
  Aimed at the correct target audience
  Available on a need-to-know basis
50. Risk IT Three Domains
(Figure: the Risk Governance, Risk Evaluation and Risk Response domains)
51. Risk Governance
• Ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return
• RG1 Establish and Maintain a Common Risk View
 – RG1.1 Perform enterprise IT risk assessment
 – RG1.2 Propose IT risk tolerance thresholds
 – RG1.3 Approve IT risk tolerance
 – RG1.4 Align IT risk policy
 – RG1.5 Promote IT risk-aware culture
 – RG1.6 Encourage effective communication of IT risk
52. Risk Governance (cont'd)
• RG2 Integrate With ERM
 – RG2.1 Establish and maintain accountability for IT risk management
 – RG2.2 Coordinate IT risk strategy and business risk strategy
 – RG2.3 Adapt IT risk practices to enterprise risk practices
 – RG2.4 Provide adequate resources for IT risk management
 – RG2.5 Provide independent assurance over IT risk management
53. Risk Governance (cont'd)
• RG3 Make Risk-aware Business Decisions
 – RG3.1 Gain management buy-in for the IT risk analysis approach
 – RG3.2 Approve IT risk analysis
 – RG3.3 Embed IT risk consideration in strategic business decision making
 – RG3.4 Accept IT risk
 – RG3.5 Prioritize IT risk response activities
54. Risk Evaluation
• Ensure that IT-related risks and opportunities are identified, analyzed and presented in business terms
• RE1 Collect Data
 – RE1.1 Establish and maintain a model for data collection
 – RE1.2 Collect data on the operating environment
 – RE1.3 Collect data on risk events
 – RE1.4 Identify risk factors
55. Risk Evaluation (cont'd)
• RE3 Maintain Risk Profile
 – RE3.1 Map IT resources to business processes
 – RE3.2 Determine business criticality of IT resources
 – RE3.3 Understand IT capabilities
 – RE3.4 Update risk scenario components
 – RE3.5 Maintain the IT risk register and IT risk map
 – RE3.6 Develop IT risk indicators
56. Risk Evaluation (cont'd)
• RE2 Analyze Risk
 – RE2.1 Define IT risk analysis scope
 – RE2.2 Estimate IT risk
 – RE2.3 Identify risk response options
 – RE2.4 Perform a peer review of IT risk analysis
57. Risk Response
• Ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities
• RR1 Articulate Risk
 – RR1.1 Communicate IT risk analysis results
 – RR1.2 Report IT risk management activities and state of compliance
 – RR1.3 Interpret independent IT assessment findings
 – RR1.4 Identify IT-related opportunities
58. Risk Response (cont'd)
• RR2 Manage Risk
 – RR2.1 Inventory controls
 – RR2.2 Monitor operational alignment with risk tolerance thresholds
 – RR2.3 Respond to discovered risk exposure and opportunity
 – RR2.4 Implement controls
 – RR2.5 Report IT risk action plan progress
59. Risk Response (cont'd)
• RR3 React to Events
 – RR3.1 Maintain incident response plans
 – RR3.2 Monitor IT risk
 – RR3.3 Initiate incident response
 – RR3.4 Communicate lessons learned from risk events
60. Risk Response Definition
• The purpose of defining a risk response is to bring risk in line with the defined risk tolerance for the enterprise after due risk analysis.
• In other words, a response needs to be defined such that the future residual risk (the current risk with the risk response defined and implemented) is as far as possible (usually depending on the budgets available) within the risk tolerance limits.
61. Risk IT Benefits and Outcomes
• Accurate view on current and near-future IT-related events
• End-to-end guidance on how to manage IT-related risks
• Understanding of how to capitalise on the investment made in an IT internal control system already in place
• Integration with the overall risk and compliance structures within the enterprise
• Common language to help manage the relationships
• Promotion of risk ownership throughout the organisation
• Complete risk profile to better understand risk
62. Risk IT Evaluation
• The link between IT risk scenarios and ultimate business impact needs to be established to understand the effect of adverse events
• Risk IT sets out several methods for expressing that impact:
  – COBIT information criteria
  – Balanced scorecard
  – Extended balanced scorecard
  – Westerman
  – COSO
  – Factor Analysis of Information Risk (FAIR)
63. Risk IT Scenarios
• The heart of the risk evaluation process
• Scenarios can be derived in two different and complementary ways:
  – A top-down approach, from the overall business objectives to the most likely risk scenarios that can impact them
  – A bottom-up approach, where a list of generic risk scenarios is applied to the organization's situation
• Each risk scenario is analyzed to determine its frequency and impact, based on the risk factors
64. Risk IT Response
• Risk avoidance: exiting the activities that give rise to the risk
• Risk mitigation: adopting measures to detect the risk and to reduce its frequency and/or impact
• Risk transfer: transferring part of the risk to others, by outsourcing the risky activities or by insurance
• Risk acceptance: deliberately running a risk that has been identified, documented and measured
• Key risk indicators (KRIs): metrics capable of showing that the organization is subject, or has a high probability of being subject, to a risk exceeding the defined risk appetite
65. Relationship with ISACA Frameworks
• The Risk IT framework complements ISACA's COBIT
• COBIT provides a comprehensive framework for the control and governance of business-driven, IT-based solutions and services
• COBIT sets good practices for the means of risk management by providing a set of controls to mitigate IT risk
66. Relationship with ISACA Frameworks (cont'd)
• Risk IT sets good practices for the ends by providing a framework for enterprises to identify, govern and manage IT risk
• Val IT allows business managers to get business value from IT investments by providing a governance framework
• Val IT can be used to evaluate the actions determined by the risk management process
67. Relationship With Other Frameworks
• FAIR: Risk IT accepts the Factor Analysis of Information Risk terminology and evaluation process
• ISO/IEC 27005: the Risk IT processes can be compared with those foreseen by the ISO/IEC 27005 standard
• ISO 31000: compared with Risk IT in the Risk IT Practitioner Guide, appendix 2
• COSO: compared with Risk IT in the Risk IT Practitioner Guide, appendix 4
68. Information Security Risk Management for ISO/IEC 27001 / ISO/IEC 27005
ISO/IEC 27000 family of standards
• ISO/IEC 27001 is based on BS 7799 by the British Standards Institution
• Adopts the "plan-do-check-act" process model
• ISO/IEC 27001 is the Information Security Management System (ISMS) standard
• Formal specification: it mandates specific requirements
• Adoption of ISO/IEC 27001 allows for formal audit and certification against an explicit standard
• Risk management is based on the ISO/IEC 27000 standards
69. Information Security Risk Management for ISO/IEC 27001 / ISO/IEC 27005
ISO/IEC 27005
• Information security risk management standard
• Does not specify, recommend or name any specific risk analysis method
• Does specify a structured, systematic and rigorous process, from analysing risks to creating the risk treatment plan
70. CRAMM
Information security risk toolkit
• Provides a staged and disciplined approach towards IT risk assessment
Source: http://www.cramm.com/overview/howitworks.htm
71. CRAMM
Information security risk toolkit
Asset identification and valuation
• Physical
• Software
• Data
• Location
Threat and vulnerability assessment
• Hacking
• Viruses
• Failures of equipment or software
• Wilful damage or terrorism
• Errors by people
Countermeasure selection and recommendation
72. CERT OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation
Framework by the Software Engineering Institute (1999)
• Components of information security risk evaluation
• Processes with required inputs, activities and outputs
  – Phase 1: Build asset-based threat profiles
  – Phase 2: Identify infrastructure vulnerabilities
  – Phase 3: Develop security strategy and plans
• Self-directed information security risk evaluation
• Analysis team includes people from business units and the IT department
76. Understanding Risks in the Systems Development Life Cycle
• Business Application Development
• Alternative Software Development Strategies
• Information Systems Maintenance Practices
• Project Management Practices
• System Development Tools and Productivity Aids
• Software Development Process Improvement Practices
• Auditing Systems Development, Acquisition and Maintenance
77. Business Application Development
An individual application or project is initiated by:
• A new opportunity that relates to a new or existing business process
• A problem that relates to an existing business process
• A new opportunity that will enable the organization to take advantage of technology
• A problem with the current technology
Traditional systems development life cycle phases:
• Phase 1: Feasibility
• Phase 2: Requirements definition
• Phase 3: Design
• Phase 4: Development
• Phase 5: Implementation
78. Business Application Development
Roles and responsibilities of groups and individuals
• Senior management
• User management
• Project steering committee
• Project sponsor
• Systems development management
• Project manager
• Systems development project team
• User project team
• Security officer
• Quality assurance
79. Business Application Development
Risks associated with software development
• Potential risks exist when poor or inadequate SDLC methodologies are utilized
• Systems designed using a poor methodology may not meet the users' needs and often exceed the limits of financial resources
• Merely following a methodology does not ensure the success of a development project
80. Business Application Development
Structured analysis, design and development techniques
• Develop system context diagrams
• Perform hierarchical data flow/control flow decomposition
• Develop control transformations
• Develop mini-specifications
• Develop data dictionaries
• Define all external events (inputs from the external environment)
• Define single transformation data flow diagrams from each external event
81. Traditional System Development Life Cycle (SDLC) Approach
Phase 1: Feasibility study
• Define a time frame
• Determine an optimum alternative/solution in meeting business needs and general information resource requirements or estimates
• Determine if an existing system can correct the situation with slight or no modification
• Determine if a vendor product offers a solution
• Determine the approximate cost
• Determine if the solution fits the business strategy
82. Business Application Development
Phase 2: Requirements definition
• Identify and consult stakeholders to determine their expectations
• Analyze requirements to detect and correct conflicts and determine priorities
• Identify system bounds and how the system should interact with its environment
• Convert user requirements into system requirements
• Record requirements in a structured format
• Verify that requirements are complete, consistent, unambiguous, verifiable, modifiable, testable and traceable
• Resolve conflicts between stakeholders
• Resolve conflicts between the requirements set and the resources that are available
83. Traditional System Development Life Cycle (SDLC) Approach
Software acquisition
• Decision made to acquire rather than develop
• Occurs after the requirements phase
• Request for proposal (RFP) contents
• Topics of discussion with users about vendors
• Contract contents
• Contract management
Integrated resource management systems
• Fully integrated corporate solution
• SAP, PeopleSoft, Oracle Financials, etc.
• Impact on the way the corporation does business
• Need to conduct an impact and risk assessment
84. Traditional System Development Life Cycle (SDLC) Approach
Phase 3: Design
• User involvement
• Key design activities
• Software baselining
• End of design phase
Phase 4: Development
• Key activities
• Programming methods and techniques
• On-line programming facilities (integrated development environment, IDE)
• Programming languages
  – High-level
  – Object-oriented
  – Scripting (such as shell, Perl, Tcl, Python, JavaScript and VBScript)
  – Low-level assembler
  – Fourth generation
  – Decision support or expert systems
• Program debugging
85. Traditional System Development Life Cycle (SDLC) Approach
Phase 4: Development (continued)
• Testing
  – Elements of a software testing process
    · Test plan
    · Conduct and report test results
    · Address outstanding issues
  – General testing levels
    · Unit testing
    · Interface or integration testing
    · System testing
    · Final acceptance testing
86. Traditional System Development Life Cycle (SDLC) Approach
Phase 4: Development (continued)
• Testing (continued)
  – Other types of testing and related terminology
    · Alpha and beta testing
    · Pilot testing
    · White-box testing
    · Black-box testing
    · Function/validation testing
    · Regression testing
    · Parallel testing
    · Sociability testing
    · Automated application testing
87. Traditional System Development Life Cycle (SDLC) Approach
Phase 5: Implementation
• Planning for implementation
• Formal plan
• Data conversion
• Acceptance testing
• Certification and accreditation process
Post-implementation review
• Assess adequacy
• Evaluate projected cost benefits
• Develop recommendations
• Develop an action plan
• Assess the development project process
89. Logical Access Exposures and Controls
Remote access security risks include:
• Denial of service
• Malicious third parties
• Misconfigured communications software
• Misconfigured devices on the corporate computing infrastructure
• Host systems not secured appropriately
• Physical security issues over remote users' computers
Remote access security controls include:
• Policy and standards
• Proper authorizations
• Identification and authentication mechanisms
• Encryption tools and techniques, such as the use of a VPN
• System and network management
90. Logical Access Exposures and Controls
Remote access using personal digital assistants (PDAs): control issues to address include
• Compliance
• Approval
• Standard PDA applications
• Due care
• Synchronization
• Encryption
• Virus detection and control
91. Logical Access Exposures and Controls
Authorization issues
• Access issues with mobile technology
  – These devices should be strictly controlled both by policy and by denial of use. Possible actions include:
    · Banning all use of transportable drives in the security policy
    · Where no authorized use of USB ports exists, disabling them with a logon script that removes them from the system directory
    · If they are considered necessary for business use, encrypting all data transported or saved by these devices
• Audit logging in monitoring system access
  – Provides management an audit trail to monitor activities of a suspicious nature, such as a hacker attempting brute-force attacks on a privileged logon ID
92. Logical Access Exposures and Controls
Authorization issues
• Audit logging in monitoring system access
  – Access rights to system logs
  – A periodic review of system-generated logs can detect security problems, including attempts to exceed access authority or to gain system access during unusual hours
  – Tools for audit trail (log) analysis
    · Audit reduction tools
    · Trend/variance-detection tools
    · Attack signature-detection tools
93. Logical Access Exposures and Controls
Authorization issues
• Audit logging in monitoring system access
  – Cost considerations
  – Audit concerns
    · Patterns or trends that indicate abuse of access privileges, such as concentration on a sensitive application
    · Violations (such as attempting computer file access that is not authorized) and/or use of incorrect passwords
• Restrict and monitor access to computer features that bypass security
  – Generally, only system software programmers should have access to:
    · Bypass label processing (BLP)
    · System exits
    · Special system logon IDs
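The three slides above list what a log review should find (brute-force attempts on a privileged logon ID, access during unusual hours, attempts to exceed access authority concentrated on a sensitive application) and the three tool classes that find it (audit reduction, trend/variance detection, attack-signature detection). The following is an added example, not part of the original slides, of those three steps run over a constructed audit trail. The log format, host and user names, business hours and thresholds are all assumptions made for the illustration.

```python
"""Audit-trail reduction and analysis over constructed sample log lines.

Added example (not from the original slides): the log format, host names,
user names, business hours and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: one event per line, timestamp then key=value fields.
SAMPLE_LOG = """\
2013-05-14T09:02:11 host=app01 user=alice src=10.1.4.22 event=LOGIN_OK
2013-05-14T09:15:40 host=app01 user=bob src=10.1.4.31 event=LOGIN_OK
2013-05-14T10:01:05 host=app01 user=alice src=10.1.4.22 event=FILE_READ obj=/data/orders.csv
2013-05-14T23:41:02 host=app01 user=bob src=10.1.4.31 event=LOGIN_OK
2013-05-14T23:42:19 host=app01 user=bob src=10.1.4.31 event=ACCESS_DENIED obj=/payroll/salaries.db
2013-05-14T23:42:25 host=app01 user=bob src=10.1.4.31 event=ACCESS_DENIED obj=/payroll/bonus.db
2013-05-15T03:10:01 host=db01 user=root src=203.0.113.9 event=LOGIN_FAILED
2013-05-15T03:10:03 host=db01 user=root src=203.0.113.9 event=LOGIN_FAILED
2013-05-15T03:10:04 host=db01 user=root src=203.0.113.9 event=LOGIN_FAILED
2013-05-15T03:10:06 host=db01 user=root src=203.0.113.9 event=LOGIN_FAILED
2013-05-15T03:10:07 host=db01 user=root src=203.0.113.9 event=LOGIN_FAILED
2013-05-15T03:10:09 host=db01 user=root src=203.0.113.9 event=LOGIN_OK
2013-05-15T08:30:00 host=app01 user=carol src=10.1.4.40 event=LOGIN_OK
"""

PRIVILEGED_IDS = {"root", "admin", "sysprog"}   # assumption: privileged logon IDs
BUSINESS_HOURS = range(7, 20)                   # assumption: 07:00 to 19:59
BRUTE_FORCE_THRESHOLD = 5                       # failures per window that trip the signature
BRUTE_FORCE_WINDOW = timedelta(minutes=5)
DENIED_THRESHOLD = 2                            # repeated denials that suggest exceeding authority


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict; 'ts' becomes a datetime."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")}
    for field in rest.split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def reduce_trail(events):
    """Audit reduction: drop routine business-hours successes by non-privileged users
    so the reviewer only sees failures, privileged activity and off-hours access."""
    def routine(e):
        return (e["event"] in ("LOGIN_OK", "FILE_READ")
                and e["ts"].hour in BUSINESS_HOURS
                and e["user"] not in PRIVILEGED_IDS)
    return [e for e in events if not routine(e)]


def detect_brute_force(events):
    """Attack signature: >= threshold LOGIN_FAILED for one (user, src) inside a sliding
    window; a LOGIN_OK from the same source afterwards marks the guess as successful."""
    failures = defaultdict(list)
    findings = {}
    for e in events:
        key = (e["user"], e["src"])
        window = [t for t in failures[key] if e["ts"] - t <= BRUTE_FORCE_WINDOW]
        if e["event"] == "LOGIN_FAILED":
            window.append(e["ts"])
            if len(window) >= BRUTE_FORCE_THRESHOLD and key not in findings:
                findings[key] = {"type": "brute_force", "user": e["user"], "src": e["src"],
                                 "privileged": e["user"] in PRIVILEGED_IDS, "succeeded": False}
        elif e["event"] == "LOGIN_OK" and key in findings:
            findings[key]["succeeded"] = True
        failures[key] = window
    return list(findings.values())


def detect_off_hours(events):
    """Trend/variance: successful logons outside the expected hours."""
    return [{"type": "off_hours_access", "user": e["user"], "ts": e["ts"].isoformat()}
            for e in events if e["event"] == "LOGIN_OK" and e["ts"].hour not in BUSINESS_HOURS]


def detect_privilege_abuse(events):
    """Repeated ACCESS_DENIED for one user: attempts to exceed access authority,
    reported with the objects targeted so concentration on one application is visible."""
    denied = defaultdict(list)
    for e in events:
        if e["event"] == "ACCESS_DENIED":
            denied[e["user"]].append(e.get("obj", ""))
    return [{"type": "exceed_authority", "user": u, "objects": objs}
            for u, objs in denied.items() if len(objs) >= DENIED_THRESHOLD]


def analyze(text):
    events = reduce_trail(parse_log(text))
    return {"reduced_events": len(events),
            "findings": detect_brute_force(events) + detect_off_hours(events)
                        + detect_privilege_abuse(events)}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)["findings"]:
        print(finding)
```

Reduction runs first so that the detectors and the human reviewer only see the residue; on the sample trail it keeps 9 of 13 events and the detectors raise one successful brute-force finding against a privileged ID, two off-hours logons and one user repeatedly denied access to payroll objects.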
94. Risk in Change Control and Management
95. Information Systems Maintenance Practices
Change management process overview (POSB Lucky Draw fraud case)
• Deploying changes
• Documentation
• Testing program changes
• Emergency changes
• Deploying changes back into production
• Change exposures (unauthorized changes)
96. Information Systems Maintenance Practices
Configuration management
Library control software
• Executable and source code integrity
• Source code comparison
System change procedures and the program migration process
• Evaluate the adequacy of the organization's procedures
• Identify system changes
• Review documentation
• Evaluate adequacy of procedures
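The two slides above name the exposures (unauthorized and emergency changes reaching production) and the library-control checks that catch them (executable and source code integrity, source code comparison). The following is an added example, not part of the original slides, showing how those checks work: production files are hashed and compared with the manifest recorded for the approved release, and any modified source file is shown as a unified diff so the reviewer can see exactly which control was removed. The baseline manifest, file names and the "deployed" contents are constructed for the illustration.

```python
"""Detecting unauthorized changes to production code against an approved baseline.

Added example, not from the original slides. The baseline manifest, the file names and
the "deployed" file contents are constructed for illustration.
"""
import difflib
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Approved release as recorded by the library control process (constructed).
APPROVED = {
    "app/ledger.py": b"def post(entry):\n    validate(entry)\n    journal.append(entry)\n",
    "app/validate.py": b"def validate(entry):\n    assert entry.amount > 0\n",
    "bin/ledger.pyc": b"\x00\x01approved-binary\x02",
}
# The manifest is what gets stored with the release: path -> hash of the approved content.
BASELINE_MANIFEST = {path: sha256(data) for path, data in APPROVED.items()}

# What is actually found in production (constructed): an unapproved edit that removes a
# control, a binary that no longer matches its approved build, and an unexpected file.
DEPLOYED = {
    "app/ledger.py": b"def post(entry):\n    journal.append(entry)\n",
    "app/validate.py": APPROVED["app/validate.py"],
    "bin/ledger.pyc": b"\x00\x01patched-binary\x02",
    "app/backdoor.py": b"import os\n",
}


def compare_to_baseline(manifest, deployed):
    """Integrity check: modified, added and missing paths relative to the approved manifest."""
    modified = sorted(p for p in manifest if p in deployed and sha256(deployed[p]) != manifest[p])
    added = sorted(p for p in deployed if p not in manifest)
    missing = sorted(p for p in manifest if p not in deployed)
    return {"modified": modified, "added": added, "missing": missing}


def source_diff(path, approved, deployed):
    """Source code comparison for one modified file, as a unified diff."""
    return "".join(difflib.unified_diff(
        approved[path].decode().splitlines(keepends=True),
        deployed[path].decode().splitlines(keepends=True),
        fromfile=f"approved/{path}", tofile=f"production/{path}"))


def review(manifest=BASELINE_MANIFEST, approved=APPROVED, deployed=DEPLOYED):
    """Run the integrity check, then diff the source files that failed it.
    Binaries are reported as modified but not diffed: they must be rebuilt from approved source."""
    result = compare_to_baseline(manifest, deployed)
    result["diffs"] = {p: source_diff(p, approved, deployed)
                       for p in result["modified"] if p.endswith(".py")}
    return result


if __name__ == "__main__":
    outcome = review()
    print("modified:", outcome["modified"])
    print("added:", outcome["added"])
    for path, diff in outcome["diffs"].items():
        print(diff)
```

Every change that reaches production should have a matching approved change record; a path in `modified` or `added` without one is exactly the "change exposure" the slide warns about, and the diff turns the hash mismatch into something a change board can read.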
98. Network Infrastructure Security
LAN security
• Local area networks facilitate the storage and retrieval of programs and data used by a group of people. LAN software and practices also need to provide for the security of these programs and data.
LAN risks and issues
• Dial-up access controls
99. Network Infrastructure Security
Client-server security
• Control techniques in place
• Securing access to data or applications
• Use of network monitoring devices
• Data encryption techniques
• Authentication systems
• Use of application-level access control programs
Client/server risks and issues
• Access controls may be weak in a client-server environment
• Change control and change management procedures
• The loss of network availability may have a serious impact on the business or service
• Obsolescence of the network components
• The use of modems to connect the network to other networks
• The connection of the network to public switched telephone networks may be weak
• Changes to systems or data
• Access to confidential data and data modification may be unauthorized
• Application code and data may not be located on a single machine enclosed in a secure computer room, as with mainframe computing
100. Network Infrastructure Security
Internet threats and security
Passive attacks
• Network analysis
• Eavesdropping (Video: Wireshark Wireless Password Sniffing)
• Traffic analysis
Active attacks
• Brute-force attack
• Masquerading
• Packet replay
• Message modification
• Unauthorized access through the Internet or web-based services
• Denial of service
• Dial-in penetration attacks
• E-mail bombing and spamming
• E-mail spoofing
101. Network Infrastructure Security
Internet threats and security
• Threat impact
  – Loss of income
  – Increased cost of recovery
  – Increased cost of retrospectively securing systems
  – Loss of information
  – Loss of trade secrets
  – Damage to reputation
  – Legal and regulatory noncompliance
  – Failure to meet contractual commitments
  – Legal action by customers for loss of confidential data
102. Network Infrastructure Security
Internet threats and security
• Causal factors for Internet attacks
  – Availability of tools and techniques on the Internet
  – Lack of security awareness and training
  – Exploitation of security vulnerabilities
  – Inadequate security over firewalls
• Internet security controls
Firewall security systems
• Firewall general features
• Firewall types
  – Router packet filtering
  – Application firewall systems
  – Stateful inspection
103. Network Infrastructure Security
Firewall security systems
• Examples of firewall implementations
  – Screened-host firewall
  – Dual-homed firewall
  – Demilitarized zone (DMZ)
Firewall issues
• A false sense of security
• Circumvention of the firewall
• Misconfigured firewalls
• What constitutes a firewall
• Monitoring activities may not occur on a regular basis
• Firewall policies
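The firewall types listed above (router packet filtering versus stateful inspection) differ in one thing a practitioner should see rather than read: a packet filter decides on each packet alone, so the rule that lets "replies" back in has to trust a flag the attacker controls, while stateful inspection admits inbound traffic only if it matches a connection the inside opened. The following simulation is an added example, not part of the original slides; the addresses, ports, internal prefix and rule set are assumptions.

```python
"""Stateless packet filtering versus stateful inspection, simulated on constructed packets.

Added example, not from the original slides. Addresses, ports, the internal network
prefix and the rule set are assumptions made for the illustration.
"""
from dataclasses import dataclass

INTERNAL_NET = "10.1."      # assumption: addresses with this prefix are inside
ALLOWED_OUT = {80, 443}     # assumption: policy permits outbound HTTP/HTTPS only


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters, e.g. "S", "SA", "A", "PA", "R"


def is_internal(ip):
    return ip.startswith(INTERNAL_NET)


def stateless_filter(pkt):
    """Router-style packet filter: each packet is judged on its own header.
    Rule 1: inside hosts may open HTTP/HTTPS connections outbound.
    Rule 2: inbound packets with ACK set are treated as replies and pass.
    Rule 2 is the classic hole: the sender chooses the flags, so an unsolicited
    ACK-flagged probe to any internal port is accepted."""
    if is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport in ALLOWED_OUT:
        return True
    if not is_internal(pkt.src) and is_internal(pkt.dst) and "A" in pkt.flags:
        return True
    return False


class StatefulFirewall:
    """Tracks connections opened from inside; inbound traffic passes only if it is the
    reverse of a tracked 4-tuple, and a reset from either side forgets the connection."""

    def __init__(self):
        self.table = set()

    def filter(self, pkt):
        outbound = is_internal(pkt.src) and not is_internal(pkt.dst)
        inbound = not is_internal(pkt.src) and is_internal(pkt.dst)
        if outbound and pkt.dport in ALLOWED_OUT:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":              # new connection from inside: record it
                self.table.add(key)
                return True
            allowed = key in self.table       # later outbound segments need an entry
            if allowed and "R" in pkt.flags:  # client reset: drop the entry
                self.table.discard(key)
            return allowed
        if inbound:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse of the tracked tuple
            allowed = key in self.table
            if allowed and "R" in pkt.flags:
                self.table.discard(key)
            return allowed
        return False


# Constructed traffic: a legitimate browsing session and an unsolicited ACK probe at SSH.
LEGIT = [
    Packet("10.1.4.22", 51000, "198.51.100.7", 443, "S"),    # client SYN out
    Packet("198.51.100.7", 443, "10.1.4.22", 51000, "SA"),   # server SYN/ACK back
    Packet("10.1.4.22", 51000, "198.51.100.7", 443, "A"),    # client ACK out
]
ACK_PROBE = Packet("203.0.113.9", 40000, "10.1.4.50", 22, "A")


def compare():
    """Run the same traffic through both designs and report the verdicts."""
    sfw = StatefulFirewall()
    stateful_legit = [sfw.filter(p) for p in LEGIT]
    stateful_probe = sfw.filter(ACK_PROBE)
    sfw.filter(Packet("10.1.4.22", 51000, "198.51.100.7", 443, "R"))   # client tears down
    late_reply = Packet("198.51.100.7", 443, "10.1.4.22", 51000, "PA")  # data after the reset
    return {
        "stateless_legit": [stateless_filter(p) for p in LEGIT],
        "stateless_probe": stateless_filter(ACK_PROBE),
        "stateful_legit": stateful_legit,
        "stateful_probe": stateful_probe,
        "stateful_after_reset": sfw.filter(late_reply),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name}: {verdict}")
```

Both designs pass the legitimate session, but only the stateless filter passes the ACK probe against port 22, and only the stateful firewall refuses a "reply" that arrives after the connection was torn down. The example is why "misconfigured firewalls" and "a false sense of security" sit next to each other in the issues list above.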
104. Network Infrastructure Security
Intrusion detection systems (IDS)
An IDS works in conjunction with routers and firewalls by monitoring network usage anomalies.
• Network-based IDSs
• Host-based IDSs
Components:
• Sensors, which are responsible for collecting data
• Analyzers, which receive input from sensors and determine intrusive activity
• An administration console
• A user interface
105. Network Infrastructure Security
Types of intrusion detection systems (IDS)
• Signature-based
• Statistical-based
• Neural networks
Features
• Intrusion detection
• Gathering evidence on intrusive activity
• Automated response
• Security monitoring
• Interface with system tools
• Security policy management
106. Network Infrastructure Security
Intrusion detection systems (IDS)
• Limitations:
  – Weaknesses in the policy definition
  – Application-level vulnerabilities
  – Backdoors into applications
  – Weaknesses in identification and authentication schemes
107. Network Infrastructure Security
Encryption
• Key elements of encryption systems
  – Encryption algorithm
  – Encryption key
  – Key length
• Private key cryptographic systems
• Public key cryptographic systems
• Elliptic curve cryptosystem (ECC)
• Quantum cryptography
• Digital signatures
108. Network Infrastructure Security
Encryption (continued)
• Digital signatures
  – Data integrity
  – Authentication
  – Nonrepudiation
  – Replay protection
• Public key infrastructure
  – Digital certificates
  – Certificate authority (CA)
  – Registration authority (RA)
  – Certificate revocation list
  – Certification practice statement (CPS)
109. Network Infrastructure Security
Encryption (continued)
• Use of encryption in OSI protocols
  – Secure Sockets Layer (SSL)
  – Secure Hypertext Transfer Protocol (S/HTTP)
  – IP security (IPsec)
  – SSH
  – Secure Multipurpose Internet Mail Extensions (S/MIME)
  – Secure Electronic Transactions (SET)
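The digital signature slide above lists four properties (data integrity, authentication, nonrepudiation, replay protection) without showing which part of a message gives which. The following is an added example, not part of the original slides, of a constructed exchange that makes the split visible: a MAC over the message gives integrity and origin authentication, while a nonce and a timestamp checked by the receiver give replay protection. It deliberately uses a keyed HMAC from the standard library in place of a public-key signature, so nonrepudiation is the one property it does not provide: both parties hold the same key, so either could have produced the tag. The shared key, message format, time window and payloads are assumptions.

```python
"""Message authentication with replay protection over a constructed exchange.

Added example, not from the original slides. A keyed HMAC (standard library) stands in
for a public-key digital signature: it provides data integrity, origin authentication
and, with the nonce/timestamp checks below, replay protection, but NOT nonrepudiation,
because sender and receiver share the same key. Key, format and window are assumptions.
"""
import hashlib
import hmac
import json
import secrets

SHARED_KEY = b"example-key-do-not-use-in-production"   # assumption: pre-shared out of band
REPLAY_WINDOW_SECONDS = 300                            # assumption: tolerate 5 minutes of skew


def _canonical(payload, nonce, ts):
    """Fixed field order and separators so both sides MAC identical bytes."""
    return json.dumps({"payload": payload, "nonce": nonce, "ts": ts},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_message(payload, now, key=SHARED_KEY):
    """Sender: attach a fresh nonce and the current time, then MAC over all three fields.
    Covering nonce and ts with the MAC stops an attacker from re-dating a captured message."""
    nonce = secrets.token_hex(8)
    body = {"payload": payload, "nonce": nonce, "ts": now}
    body["mac"] = hmac.new(key, _canonical(payload, nonce, now), hashlib.sha256).hexdigest()
    return body


class Receiver:
    """Verifier: checks the MAC first, then rejects stale or repeated nonces inside the window."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.seen = {}   # nonce -> ts, pruned as entries age past the window

    def verify(self, msg, now):
        expected = hmac.new(self.key, _canonical(msg["payload"], msg["nonce"], msg["ts"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return "rejected: bad mac"            # tampered content or wrong key
        if abs(now - msg["ts"]) > REPLAY_WINDOW_SECONDS:
            return "rejected: stale timestamp"    # captured and replayed long after the fact
        # Prune old nonces so the seen-set stays bounded; the timestamp check covers them.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= REPLAY_WINDOW_SECONDS}
        if msg["nonce"] in self.seen:
            return "rejected: replay"             # identical message seen inside the window
        self.seen[msg["nonce"]] = msg["ts"]
        return "accepted"


def demo():
    """A legitimate transfer, then a captured replay, a tampered copy and a stale message."""
    rx = Receiver()
    t0 = 1368500000                                # constructed epoch time
    msg = sign_message({"transfer": 100, "to": "acct-42"}, t0)
    tampered = dict(msg, payload={"transfer": 100000, "to": "acct-42"})
    old = sign_message({"transfer": 5, "to": "acct-7"}, t0 - 1000)
    return {
        "first": rx.verify(msg, t0 + 2),
        "replay": rx.verify(msg, t0 + 30),
        "tamper": rx.verify(tampered, t0 + 31),
        "stale": rx.verify(old, t0),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The order of checks matters: the MAC is verified before the nonce is recorded, so an attacker cannot poison the seen-set with unauthenticated junk, and the timestamp bounds how long the receiver must remember nonces. Swapping the HMAC for a public-key signature (sender signs, receiver verifies with the certificate from the PKI slide) adds nonrepudiation without changing the replay logic.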
111. PRM Processes
• Planning how risk is managed within the particular project
• Plans include risk management tasks, responsibilities, activities and budget
• Assigning a risk officer with a healthy skepticism, responsible for foreseeing potential project problems
• Maintaining a live project risk database (risk profile)
• Each risk should have these attributes: opening date, title, short description, probability and importance
112. PRM Processes (cont'd)
• Creating an anonymous risk reporting channel
• Each team member should have the possibility to report risks that he/she foresees in the project
• Preparing mitigation plans for risks that are chosen to be mitigated
• Identify how the risk will be handled: what, when, by whom and how it will be done to avoid it or minimize the consequences if it becomes a liability
• Summarizing planned and faced risks, effectiveness of mitigation activities, and effort spent on risk management
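The PRM slides above ask for a live risk database with a fixed set of attributes per entry; the earlier Risk IT slides supply the rest of the logic: each scenario scored by frequency and impact, the four response types, residual risk compared against tolerance, and key risk indicators that fire when exposure still exceeds appetite. The following is an added example, not part of the original slides, of a small register that ties those pieces together. The scoring scales, the tolerance threshold and the five register entries are constructed assumptions.

```python
"""A live project risk register with residual-risk and tolerance checks.

Added example, not from the original slides. The 1..5 scales, the tolerance threshold
and the risk entries are constructed assumptions; the per-risk attributes follow the
ones listed in the PRM slides (opening date, title, description, probability, importance).
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

TOLERANCE = 6   # assumption: highest acceptable exposure (probability x impact) on a 1..25 scale


@dataclass
class Response:
    kind: str                                # "avoid", "mitigate", "transfer" or "accept"
    probability_after: Optional[int] = None  # expected probability once implemented
    impact_after: Optional[int] = None       # expected impact once implemented


@dataclass
class Risk:
    opened: date
    title: str
    description: str
    probability: int   # 1 (rare) .. 5 (almost certain)
    impact: int        # 1 (negligible) .. 5 (severe); the slides' "importance"
    response: Optional[Response] = None

    @property
    def inherent(self):
        return self.probability * self.impact

    @property
    def residual(self):
        """Exposure expected once the chosen response is implemented."""
        r = self.response
        if r is None or r.kind == "accept":
            return self.inherent          # deliberately running the measured risk
        if r.kind == "avoid":
            return 0                      # the activity giving rise to the risk is exited
        p = r.probability_after if r.probability_after is not None else self.probability
        i = r.impact_after if r.impact_after is not None else self.impact
        return p * i                      # mitigate or transfer changes one or both factors


class RiskRegister:
    def __init__(self):
        self.risks = []

    def add(self, risk):
        self.risks.append(risk)
        return risk

    def ranked(self):
        """Greatest loss and greatest likelihood first; lower exposures follow in descending order."""
        return sorted(self.risks, key=lambda r: (r.inherent, r.probability), reverse=True)

    def outside_tolerance(self):
        """Key risk indicator: titles whose residual exposure still exceeds tolerance."""
        return [r.title for r in self.ranked() if r.residual > TOLERANCE]

    def summary(self):
        return {r.title: {"inherent": r.inherent, "residual": r.residual,
                          "response": r.response.kind if r.response else "none"}
                for r in self.risks}


def build_register():
    """Constructed entries for an ERP project; dates and scores are illustrative."""
    reg = RiskRegister()
    reg.add(Risk(date(2013, 5, 2), "Vendor delivery slips",
                 "ERP vendor misses the integration milestone", 4, 4,
                 Response("transfer", impact_after=2)))        # penalty clause in the contract
    reg.add(Risk(date(2013, 5, 3), "Legacy data quality",
                 "Customer master data fails conversion checks", 5, 3,
                 Response("mitigate", probability_after=2)))   # cleansing run before cut-over
    reg.add(Risk(date(2013, 5, 6), "Key developer leaves",
                 "Single holder of interface knowledge", 2, 4,
                 Response("accept")))
    reg.add(Risk(date(2013, 5, 7), "Untested emergency changes",
                 "Hot fixes pushed to production without review", 3, 5,
                 Response("mitigate", probability_after=1, impact_after=3)))
    reg.add(Risk(date(2013, 5, 8), "Unsupported module",
                 "Module relies on an end-of-life framework", 3, 2,
                 Response("avoid")))                           # module dropped from scope
    return reg


if __name__ == "__main__":
    register = build_register()
    for title, row in register.summary().items():
        print(f"{title:28} inherent={row['inherent']:2} residual={row['residual']:2} {row['response']}")
    print("KRI: outside tolerance ->", register.outside_tolerance())
```

Two entries stay above tolerance after their responses: the transferred vendor risk (a penalty clause lowers impact but not probability) and the accepted key-person risk. That is the report the slides ask for; acceptance of a risk that is still outside appetite is a decision to be made and recorded by management, and the KRI keeps it visible rather than hiding it behind a "response defined" tick.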
114. THANK YOU!

Editor's notes

1. Training slides on Information Technology Risk Management
  2. Image credit: blogs.adobe.com
3. Requirements definition is concerned with identifying and specifying the requirements of the system chosen for development during the feasibility study. Requirements include descriptions of what a system should do, how users will interact with it, the conditions under which it will operate and the information criteria it should meet. COBIT's framework principles for information criteria show that these include effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability; the requirements definition phase deals with these issues. To accomplish the above in the requirements definition phase:
• Identify and consult stakeholders to determine their expectations.
• Analyze requirements to detect and correct conflicts and determine priorities.
• Identify system bounds and how the system should interact with its environment.
• Convert user requirements into system requirements (e.g., an interactive user interface prototype that demonstrates screen look and feel).
• Record requirements in a structured format. Historically, requirements have been recorded in a written requirements specification, possibly supplemented by some schematic models. Commercial requirements management tools are now available that allow requirements and related information to be stored in a multiuser database.
• Verify that requirements are complete, consistent, unambiguous, verifiable, modifiable, testable and traceable. Because of the high cost of rectifying requirements problems in downstream development phases, effective requirements reviews have a large payoff.
• Resolve conflicts between stakeholders.
• Resolve conflicts between the requirements set and the resources that are available.
IS auditors are involved at this stage to determine whether adequate security requirements have been defined to address, at a minimum, the confidentiality, integrity and availability requirements of the system. This includes whether adequate audit trails are defined as part of the system, as these affect the auditor's ability to identify issues for proper follow-up.