GRC and corporate governance

1. Wishing You All A Very Happy
&
Prosperous New Year 2014
Your Professional Well-wisher
Prof. K. Subramanian

2. Governance, Risk & Compliance in Cyber Era
Business Services Assurance in Cyber EraChallenges Before the Financial Services sector
Prof. K. Subramanian
SM(IEEE, USA), SMACM(USA), FIETE,
SMCSI,MAIMA,MAIS(USA),MCFE(USA)
Founder Director & Professor, Advanced Center for Informatics &
Innovative Learning (ACIIL), IGNOU
EX- IT Adviser to CAG of India
Ex-Sr. DDG(NIC), Ministry of Comm. & IT
Emeritus President, eInformation Systems, Security, Audit Association
Former President, Cyber Society of India
01/15/14
Prof.KS@2014 IOB GM's presentation Jan 14
2

3. Agenda
•
•
•
•
•
Introduction
Governance components
Risk Assurance & Standards & Compliance
Assurance Framework & PPP
Challenges for Technologists & Businesses
3
3

4. Notable Quotes
"The poor have sometimes objected to being governed
badly; the rich have always objected to being governed at
all." G. K. Chesterton
“Ever since men began to modify their lives by using technology
they have found themselves in a series of technological traps.”
Roger Revelle
 “The law is the last interpretation of the law given by the last
judge.”- Anon.
“Privacy is where technology and the law collide.”
--Richard Smith
(who traced the ‘I Love You’ and ‘Melissa viruses’)
"Technology makes it possible for people to gain control
over everything, except over technology" John Tudor
4

5. MEDIATING FACTORS:
Environment
Culture
ORGANIZATIONS
01/15/14
Structure
Standard Procedures
Politics
Management Decisions
Chance
Prof.KS@2014 IOB GM's
presentation Jan 14
INFORMATION
TECHNOLOGY
5
5

6. Principles of Good Governance
Leadership
Selflessness
Integrity
Objectivity
Accountability
Openness
Honesty
01/15/14 2013
10th september
Humane Governance
Should be Creative
Uses Knowledge for
National Wealth and
Health creation
Understands the
economics of Knowledge
High Morality
Prof.KS@2014 IOB GM's
presentation Jan 14
6
6

7. Governance Components
Project Governance
IT Governance
Legal Governance
Security Governance
Human & Humane Governance
01/15/14
Prof.KS@2014 IOB GM's
presentation Jan 14
7
7

8. Cyber Governance Components
 Environmental & ICT
Infrastructure
 Operational (logistics
Integration)
 Technology (synergy &
Convergence)
 Network (multi Modal
Network)
 Operational Integration
(Functional)
 Professional Integration (HR)
 Emotional/Cultural Integration
 Technology Integration
 Management (HRM & SCM
&CRM)
 Impact (feed-back correction)
01/15/14
Prof.KS@2014 IOB GM's
presentation Jan 14
8
8

9. Corporate Governance
Business Assurance Framework
Global Phenomena
Combined Code of UK
and SOX of USA
Basel II & III
Project Governance
IT Governance
Human & Humane
Governance
01/15/14
India Initiatives
1. Clause 49
2. Basel II & III -RBI
3.SEBI- Corporate
Governance
Implementation
directives
4.Risk management-RBI
(Basel 2/3)& TRAI
5. MCA Initiatives 2013
Prof.KS@2014 IOB GM's
presentation Jan 14
9
9

10. Global issues with Governance of
Cyber Space
Information Technology & Business: current status and
future
Does IT matter? IT--enabled Business
- Role of Information, Information Systems
- In business
- Role of information technology in enabling business
- IT dependence
Changing Role of the CIO
Web 2.0 and 3.0 and governing cyberspace
eBusiness, eHealth, eBanking, eGovernance
Current Challenges and Issues
01/15/14
Prof.KS@2014 IOB GM's
presentation Jan 14
10
10

11. Creating Trust in an Enterprise
Today's information explosion is creating challenges
for business and technology leaders at virtually every
organization. The lack of trusted information and
pressure to reduce costs is on the minds of CEOs and
senior executives around the world.
What's required to solve these challenges is a
paradigm shift - from generating and managing
silos - of information, of talent and skills, of
technologies and of projects to an environment
where information is a trusted, strategic asset
that is shared across the company.
11

12. Transition: Insurance Audit Assurance
&
Assurance Layered Framework
 Insurance
 Audit
Pre, Concurrent, Post
 IT Audit







Environmental
Operational
Technology
Network
Financial
Management
Impact
 Electronics Continuous Audit
 Certification
 Assurance
 Management & Operational
Assurance
(Risk & ROI)
 Technical Assurance
(Availability, Serviceability &
Maintainability)
Financial ASSURANCE
 Revenue Assurance
(Leakage & Fraud)
 Legal Compliance & Assurance
(Governance)
12

13. ICT operations and
maintenance
Project management
and construction
ICT Transaction/
concession design
ICT planning and
design
ICT technical
solutions
Marketing and
distribution
Training
Borrowing capacity
Capital investment,
eg network
expansion
Business - technical
Investment in R & D
regulatory
developmental
Civil society
-
Investment promotion
Legal framework for
freedom of information
Sales and promotions
ICT Risk/venture capital
informational
Government
financial
Business
–
Access to development
finance
Civil society
-
ICT Infrastructure
strategy
Revenue collection
Design Parameters
informational
ICT Regulatory powers
– price, quality,
interconnections,
competition)
Government
Subsidies
Innovation (high risk), eg
community telecentres
Local customer
knowledge
Capacity to
network
Knowledge of user
demand, eg
technology and
information gaps
Civil society - technical
ICT skills development
Expertise in design of
‘relevant’ content
A voice for the
socially excluded
Capacity to mobilise
civil society
13
13

14. Operational Integration
Professional Integration (HR)
Emotional/Cultural Integration
ICT & Government Business & Services Integration
Multi Technology coexistence and seamless integration
Information Assurance
Quality, Currency, Customization/Personalization
ICE is the sole integrator IT Governance is Important
14
14

15. Managing Interdependencies
Critical Issues
Infrastructure characteristics (Organizational, operational,
temporal, spatial)
Environment (economic, legal /regulatory, technical,
social/political)
Coupling and response behavior
(adaptive, inflexible,
loose/tight, linear/complex)
Type of failure (common cause, cascading, escalating)
Types of interdependencies
(Physical, cyber, logical, geographic)
State of operations
(normal, stressed /disrupted, repair/restoration)
15

16. Up The Value Chain
16

17. Enabling to rapidly move up the
Governance Evolution Staircase
4. Transformation
Strategy/Policy
People
Process
Technology
2. Interaction
Cost/
Complexity
1.
Searchable
Database
Public response/
email
Content mgmt.
Increased
Presence support staff
Governance
Publish
Knowledge mgmt.
E-mail best prac.
Existing
Content mgmt.
Metadata
Streamline
Data synch.
processes
Web site
Markup
Search engine
E-mail
3. Transaction
Competition
Confidentiality/privacy
Fee for transaction
E-authentication
Self-services
Skill set changes
Portfolio mgmt.
Sourcing
Inc. business staff
BPR
Relationship mgmt.
Online interfaces
Channel mgmt.
Legacy sys. links
Security
Information access
24x7 infrastructure
Sourcing
Funding stream allocations
Agency identity
“Big Browser”
Job structures
Relocation/telecommuting
Organization
Performance accountability
Multiple-programs skills
Privacy reduces
Integrated services
Trigger
Change value chain
New processes/services
Change relationships
(G2G, G2B, G2C, G2E)
New applications
New data structures
5. Outsourcing
Define policy and
outsource execution
Retain monitoring and control
Evolve PPP model
Outsource service delivery staff
Outsource process execution staff
Outsource customer
facing processes
Outsource backend processes
Constituent
Applications
Infrastructure
Value
Time
17

18. Threat & Vulnerability Management
 Authenticating user identities with a range of
mechanisms, such as tokens, biometrics and
Public Key Infrastructure
 Developing user access policies and
procedures, rules and responsibilities and a
standardized role structure that helps
organizations meet and enforce security
standards
 Centralizing user data stores in a single
enterprise directory that enables increased
efficiencies in user administration, access
control and authentication
 Reducing IT operating costs and increasing
efficiency by implementing effective user
management to support self-service and
automate workflow, and by provisioning and
instituting flexible user administration
01/15/14
 You need an integrated threat and
vulnerability management solution to better
monitor, report on and respond to complex
security threats and vulnerabilities, as well as
meet regulatory requirements.
 You need to protect both your own
information assets and those you are
custodian of, such as sensitive customer data.
 You want a real-time, integrated snapshot of
your security posture.
 You want to correlate events from data
emerging from multiple security touch points.
 You need support from a comprehensive
inventory of known threat exposures.
 You need to reduce the cost of ownership of
your threat and vulnerability management
system
Prof.KS@2014 IOB GM's presentation Jan 14
18

19. Risk Identification
 Assess current security capabilities, including threat management, vulnerability
management, compliance management, reporting and intelligence analysis.
 Define identify technology requirements for bridging security gaps
 Integrated Security Information Management
 Develop processes to evaluate and prioritize security intelligence information received
from external sources, allowing organizations to minimize risks before an attack
 Implement processes that support the ongoing maintenance, evolution and
administration of security standards and policies
 Determine asset attributes, such as direct and indirect associations, sensitivity and asset
criticality, to help organizations allocate resources strategically
 Assist in aggregating security data from multiple sources in a central repository or
"dashboard" for user-friendly presentation to managers and auditors
 Help design and implement a comprehensive security reporting system that provides a
periodic, holistic view of all IT risk and compliance systems and outputs
 Assist in developing governance programs to enforce policies and
accountability
19

20. 9 Rules of Risk Management
 There is no return without risk
 Rewards to go to those who take risks.
 Be Transparent
 Risk is measured, and managed by people,
not mathematical models.
 Know what you Don’t know
 Question the assumptions you make
 Communicate
 Risk should be discussed openly
 Diversify
 Multiple risk will produce more consistent
rewards
 Sow Discipline
 A consistent and rigorous approach will
beat a constantly changing strategy
 Use common sense
 It is better to be approximately right, than
to be precisely wrong.
 Return is only half the question
 Decisions to be made only by considering
the risk and return of the possibilities.
RiskMetrics Group
01/15/14
Prof.KS@2014 IOB GM's presentation Jan 14
20

21. Threat Modeling
Threat modeling is critical to address security
Prevention, detection, mitigation
There is no universal model yet
Mostly case-by-case
Efforts are under way
Microsoft threat modeling tool
Allows one to uncover security flaws using STRIDE
(Spoofing, Tampering, Repudiation, Information Disclosure,
Denial of Service, and Elevation of Privilege)
Decompose, analyze and mitigate
Insider threat modeling essential
01/15/14
Prof.KS@2014 IOB GM's presentation Jan 14
21

22. Insider Threat Modeling
How modeling can help you?
An alternative to live vulnerability testing (which is not feasible)
Modeling and analysis will reveal possible attack strategies of an
insider
Modeling and risk analysis can help answer the following
questions statically:
How secure is the existing setup?
Which points are most vulnerable?
What are likely attack strategies?
Where must security systems be placed?
What you cannot model
Non-cyber events – disclosures, memory dumps, etc.
01/15/14
Prof.KS@2014 IOB GM's presentation Jan 14
22

23. Calder- Moir IT Governance Framework
10th september 2013
Prof. KS@2013 Assocham conf GRC 2013
23

24. CXO Internal Strategic Alliances
 CIO & CEO
Business Led Info. strategy
 CIO & CMO
Competitive Edge & CVP
 CIO & CTO
Cost-Benefit Optimization
 CIO & CFO
Shareholder Value Maximization
 CIO & CHRO
Employee Performance and Rewards
 CIO & Business Partners Virtual Extended Enterprise
24

25. The Productivity Promise
 Capital Productivity
(ROI, EVA, MVA)
 Material Productivity
(60% of Cost)
 Managerial Productivity
(Information Worker)
 Labour Productivity
(Enabled by IW)
 Company Productivity
Micro
 Factor Productivity
Macro
25

26. CEO-CTO-CIO-CSO
CXO & IT Governance
Responsibility
the roles and responsibilities
"These systems should
for IT governance, highlighting
ensure that both business
the parts played by the CEO,
and technology managers are
business executives, CIO, IT
properly engaged in
steering committee,
identifying compliance
technology council, and IT
requirements and planning
architecture review board
compliance initiatives which
typically involve
complementary adjustments
in systems, practices,
training and organization"
26

27. Four Faces of a CIO &
CIO Management Framework
27

28. Way Forward
 Learn more about own Businesses.
 Reach out to all Business & Function Heads.
 Sharpen Internal Consultancy Competences.
 Proactively Seize the Repertoire of Partners
 Foster two way flow of IS & Line Talent.
28

29. Standards, Standards, Standards
Security
Audit
Interoperability
Interface
(systems/devises/comm.)
Architecture/Building
Blocks/Reusable
01/15/14
HCI (Human
Computer Interface)
Process
Environmental
(Physical, Safety)
Data Interchange &
mail messaging
Layout/Imprint
Prof.KS@2014 IOB GM's presentation Jan 14
29

30. Importance of Group Standards -no one standard meets all requirements
ISO 27001/BS7799 Vs COBIT Vs CMM & PCMM Vs ITIL
Mission
Mission
Business Objectives
Business Objectives
Business Risks
Business Risks
Applicable Risks
Applicable Risks
Internal Controls
Internal Controls
Review
Review
01/15/14
Prof.KS@2014 IOB GM's presentation Jan 14
30

31. “IT Regulations and Policies-Compliance & Management”
CREATIVITY VS COMMAND CONTROL
Too much Creativity
 results in anarchy
Too much command & control
Kills Creativity
We Need a Balancing Act
In IT Regulations and Policies-Compliance & Management
31

32. Gouvernance & Assurance
Maturity Model
32

33. Assurance in the PPP Environment
10th september 2013
Prof. KS@2013 Assocham conf GRC 2013
33

34. Governance - Final Message
“In Governance matters
Past is no guarantee;
Present is imperfect
&
Future is uncertain“
“Failure is not when we fall down, but when we fail to get up”
34

35. Learning From Experience
========================
1. The only source of knowledge is experience.
-- Einstein
2. One must learn by doing the thing; for though you think you know it, you
have no certainty, until you try.
-- Sophocles
3. Experience is a hard teacher because she gives the test first, and the lesson
afterwards.
-- Vernon Sanders Law
4. Nothing is a waste of time if you use the experience wisely.
-- Rodin
35

36. Security/Risk Assurance Expectations
“To determine how much is too much, so that we can implement
appropriate security measures to build adequate confidence and
trust”
“To derive a powerful logic for implementing or not
implementing a security measure”
36

37. Let us Assure Good Governance & Business Assurance in Cyber Era
THANK YOU
For Interaction:
Prof. K. Subramanian
ksdir@nic.in
ksmanian48@gmail.com
Tele: 011-22723557
01/15/14
Prof.KS@2014 IOB GM's presentation Jan 14
37