1. IT Risk Advisory Services
Riskpro India Ventures (P) Limited
New Delhi, Mumbai, Bangalore
2. Who is Riskpro… Why us?
ABOUT US
Riskpro is an organisation of member firms around India devoted to client service excellence. Member firms offer a wide range of services in the field of risk management. Currently it has offices in three major cities, Mumbai, Delhi and Bangalore, and alliances in other cities. Managed by experienced professionals with experience spanning various industries.
MISSION
Provide integrated risk management consulting services to mid-large sized corporate/financial institutions in India. Be the preferred service provider for complete Governance, Risk and Compliance (GRC) solutions.
VALUE PROPOSITION AND DIFFERENTIATORS
• You get quality advisory, normally delivered by large consulting firms, at fee levels charged by independent & small firms
• Risk Management is our main focus
• Over 200 years of cumulative experience
• High quality deliverables
• Hybrid delivery model
• Multi-skilled & multi-disciplined organisation
• Ability to take on large and complex projects
• Timely completion of any task due to delivery capabilities
• Affordable alternative to large firms
• We hold hands, not shake hands.
4. IT Services Landscape
The Backdrop:
o Fast changing IT services market
o Technological advances
o Rising integration of business and technology
o Corporate focus on core competencies
o Maturation of IT vendor management role
Business Need:
o Meeting cost, time-to-market
o Innovation objectives
o Realization by corporates to assemble and integrate services and solutions
o Growing demand from best-in-breed suppliers
o Acquire the right services at the right prices
o Must have deep knowledge of the IT services marketplace
o Understanding its future direction
o New trends in the application and infrastructure services marketplace
5. Riskpro IT Risk Advisory Service – Service Offerings
• Information Technology Service Management
• Information Security Management
• Information Security Audit
• Information Technology Assurance
• Information Technology Governance
6. IT Service Management – How we Do
Consulting
• Service architecture scoping
• SLAs
• ITSM assessment
• Control processes
Standardizing
• Service delivery
• Release & resolution
• IT service road mapping
• GAP analysis
• Tollgate review
• Performance metrics analysis
• Compliance review
Compliances
• Standard pre-assessment
• ISO 20000
• ITIL practices
• PDCA cycle alignment
• Training – basic / advanced
Value Proposition
• Efficient business service delivery processes
• Reduced risk in using external service providers
• Reduced costs
• Enhanced ability to manage business complexities in a diverse operational environment
7. Information Security Management – How we Do
Consulting
• Risk assessment & management
• IS security policy framework
• Internal audit procedures
• IS controls review
Standardizing
• Penetration testing
• Compliance – IS policies
• IS security implementation review
• GAP analysis
• Performance metrics analysis
• Vulnerability assessment
Compliances
• SAS Type II audits & compliance
• BS 7799 implementation
• ISO 27001/17799 implementation
• DPA
• GLBA
• HIPAA
Value Proposition
• Operational resilience
• Risk reduction
• Secure best practices
• Business continuity preventive approach
8. Information Security Audit – How we Do
Consulting
• Operating system audits
• Database audits
• Networking/firewall audits
• Application systems – functionality assessment
Standardizing
• Web application/data centre audit
• Institutional risk areas review
• General controls – physical security/BCP/BRP
• Change management – controls & tracking
• Application controls – system edits/access
Compliances
• IS policies and procedures
• IDS
• Forensic auditing
• FERPA
Value Proposition
• Robust IT governance framework
• Strategic & operational value through a business-risk focused approach
• Pre-emptive risk control capability
• Corporate IT compliance adherence for future business initiatives and IT investments
9. IT Assurance – How we Do
Consulting
• Business continuity planning
• Cyber crime investigative services
• IT external & internal audits
Standardizing
• IT assessment and benchmarking
• Data protection and privacy
• IT security & business flexibility
• IT project assurance reviews
Compliances
• Compliances – IS policies
• SAS 70
• ISAE 3402
• ISO 27002
• PCI DSS
Value Proposition
• Advisory on advanced technology capabilities
• Proactively manage your technology risks
• Helping you to use data to its fullest potential
• Securing while delivering high performance business results
10. IT Governance – How we Do
Consulting
• COBIT and ITIL reviews
• Identification of IT risk exposure
• Risk mitigation controls review
Standardizing
• Balanced scorecard
• Val IT business valuation plan
• IT & business maturity models
• IT governance improvement methods
Compliances
• Improving IT skills & resources
• ISO 38500/COBIT
• CMM
• TOGAF
• ISO 22301 (new standard)
Value Proposition
• Ensuring your organizational structures & business processes are compliant
• An IT support framework that enables the business to meet its strategic objectives
• A useful framework tool for benchmarking the balance and effectiveness of IT governance practices
12. IT Service Management – Detailed Components – How we Do
Process Excellence
- Systematic definition of the business case
- Assessment of current-state gaps
- Defining optimum process frameworks
- Training & process deployment
- Effective change management
Agile Services
- Agile readiness – risk identification & mitigation
- Agile maturity assessment
- Process definition and best-fit deployment
- Project manager services
- Training and mentoring services
Lean Six Sigma
- Lean assessment for end-to-end processes
- Opportunity assessment – identifying improvements
- Project execution
- Coaching & mentoring for processes
- Training & certification – GB/BB
Service Excellence
- Service model assessment & design
- Process design, documentation
- Maturity evaluation and audits
- Outsourcing service model design
- Configuration management
Software Estimation
- Baseline assessment: existing vs industry best practice
- Design of estimation processes and techniques
- Deployment and continuous improvement process
- Organization performance benchmarking
13. Information Security Mgmt – Detailed Components – How we Do
Business Continuity
- Risk assessment / developing mitigation strategy
- Business critical functions: outage & recovery time
- Developing business/IT disaster recovery plan
- BS 25999 implementation support – BCM tools
- BCM audits and training
Enterprise Application Security
- Vulnerability & penetration testing
- Static and dynamic analysis (secure code review)
- Security configuration review
- Compliance assessment (SOX, PCI, HIPAA)
- Remediation plan
Identity and Access Management
- IAM visualization – feasibility/roadmap/business case
- IAM solution evaluation
- IAM prioritization – TCO & cost benefit analysis
- IAM execution – role management/SSO/access
- Audit, reporting, training
IS Compliance
- Compliance assessment – GAP analysis
- Vendor/third party risk assessments
- ISO 27001 advisory (controls design & evaluation)
- IS audit – risk based/IT security/IT operations/ERP
- IT GRC: software, strategy, framework & roadmap
14. Information Security Audit – Detailed Components – How we Do
Areas: Security Operations, Threat Mitigation, Security Technologies, Professional Services
- Policy and procedure review
- Active social engineering
- Third party oversight review
- System inventory & documentation
- Physical/environmental security review
- Personnel / IT staff training
- Internal vulnerability assessment
- Host/network diagnostic review
- Access control review
15. IT Assurance – Detailed Components – How we Do
Consulting & Advisory
- Enterprise test strategy
- Test process definition
- Structural code assessment
- Test automation strategy: tools/framework
- Performance test strategy: tools
- Security test strategy: tools
- Test environment & data management
- Specialized test strategy
- Tool and product evaluation
- Administration and management
- Requirement management
Functional/Support Services
- Static analysis/structural code evaluation
- Unit and integration testing
- Functional testing (system, integration cycle)
- Performance testing (load, volume, stress, tuning)
- Security testing
- Non-functional testing (OAT, usability)
- Regression testing
- Test automation
- Environment management – data, release, UAT
16. IT Governance – Detailed Components – How we Do
- Project portfolio management
- Strategy & roadmap
- Process re-engineering
- Outsourcing governance
- Application portfolio rationalization
- Performance management
- High availability – disaster recovery set up
- Dashboards – predictive analysis
- Migrations – Extract > Transport > Load
- Integrations & upgrades
- Production support – implementation/maintenance
18. Compliance related Services – Manage your Compliance Needs
(Slide graphic: Insider Attack, Non-Compliance, Dashboard)
Your Organization
• We will assist you to ensure your information is secure
• Compliance checks – ISO 27001, ITGC, SOX, PCI-DSS and generic checks
• BCP/DRP solutions
• Long term/short term goal setting – efficient mitigation*
• Unique reporting – dashboard based*
• Certification is important but not everything; rather, security is
Usually 3-4 weeks, depending on the project (Long Term)
Your Supplier
• Check your IT suppliers to ensure they follow your standards
• Check current implementation of standards (ISO 27001…)
• Hand-hold mitigation control implementation
• Increase security of your suppliers
• Dashboard view of all your suppliers and their status
• Checks and repeat checks to ensure security controls are maintained
• Exit assessments
Usually 1-2 weeks, depending on the project (Short Term)
19. Security in Software Development – Services on the applications users use
(Slide graphic: Mobile Malware, Phishing, Insider Attack, ACH Fraud)
SDLC – Secure Your Code/Information
Do you want a Secure Rollout?
Phases and the security questions asked at each:
• Threat model – How much security is enough?
• Requirements – Security in requirements engineering
• Information Classification – Are standards followed?
• Architecture – Security: is encryption needed? How?
• Design – How do APIs interact? HOUSTON methods; IT policy compliant? XSS, SQL Injection, CSRF?
• Coding – Code reviews done? Developers & security? How to handle buffer overflow; can the code protect itself?
• Testing – Does testing involve security? Proof of concept intrusion; how to handle buffer overflow; risks mitigated? Do we have a security test plan throughout?
• Rollout – Can you confidently go to production? Is there a Security Quality Gate pass?
20. Vulnerability Assessment and Penetration Testing – Your network, servers, computers
Ethical Hack and Fix Services
Threats: Hackers/Disgruntled Employees/Competition/Insider Attacks, DDoS Attacks, Fraud
(Slide graphic: attacker thought bubbles asking how to get access to your network, people and money)
Our Services
• Focus on critical business systems for your enterprise
• Ethical hacking into your network to find out security issues before a hacker does
• Routers/Switches/UPS/Videoconference systems/Servers/VOIP systems/Firewalls and most connected devices on the network; the information can be stolen anywhere if we don't take proper care
• Dashboard view of vulnerabilities v/s the security risks
• Vulnerabilities mapped to actual business risks (not just telling you to fix the issue but also why to fix it; can you live with a risk?)
• Training your IT teams to understand vulnerabilities
• Year long support in fixing the issues and ensuring your systems stay up to date with the latest security patches
Usually 1-2 weeks onsite & 4 weeks offshore
We don't call it Vulnerability Scanning, we say "hacking"
21. Cloud Specific Security Services – Securing the cloud that you operate on
(Slide graphic: DDoS Attacks, Insider Attack, Fraud, Dark Cloud)
This is a unique service designed to assess the Cloud Service Provider platform from an information security risks/threats point of view.
• Cloud Service Operational/Governance Assessment (onsite, interview based): We will check your cloud security compliance against well known industry standards, including the Cloud Security Alliance.
• Penetration testing of the Cloud Service Provider: This service takes an intruder's perspective on your cloud setup to see if your customers are protected from different security risks like espionage, information theft, customer privacy exposure, defacements, financial data leakage, virus/Trojan insertion, DDoS attacks, etc. Apart from this, the report would also indicate your compliance with different industry standards like ISO 27001, PCI-DSS, SOX etc.
22. Riskpro Clients Our Clients
*Any trademarks or logos used throughout this presentation are the property of their respective owners
23. Team Experiences Our Experiences
Our team members have worked at world class Companies
*Any trademarks or logos used throughout this presentation are the property of their respective owners
24. RESUMES – Our team Credentials
Manoj Jain – Co-Founder, Riskpro
CA, CPA, MBA-Finance (USA), FRM (GARP)
Over 10 years international experience – 6 years in Bahrain and 4 years in the USA.
15 years experience in risk management consulting and internal audits; specialization in Operational Risk, Basel II, SOX and control design.
Worked for Ernst & Young (Bahrain), Arab Investment Company (Bahrain), Navigant Consulting (USA), Kotak Mahindra Bank (India) and Credit Suisse (India).
SOX compliance project for Fannie Mae, USA ($900+ billion mortgage company).
Rahul Bhan – Co-Founder, Riskpro
CA (India), MBA (Netherlands), CIA (USA)
Over 15 years of extensive internal and external audit experience in India and abroad.
Worked with KPMG United Arab Emirates, PKF South Africa, Ernst and Young Kuwait, Deloitte Netherlands and KPMG India.
Worked with clients in a wide variety of industries and countries including trading, retail and consumer goods, NGO, manufacturing and banking and finance. Major clients include banks, investment companies, manufacturing organizations, aviation etc.
25. RESUMES – Our team Credentials
Casper Abraham – Co-Founder, Riskpro
PGD (Electrical & Electronics & Computer Programming)
30 years of experience in Information & Communications Technology (ICT) solutions for retail, garments, manufacturing and services industries.
Has created companies, divisions, products, brands, teams & markets.
Consulting in business, technology, marketing & sales and strategic planning.
Advisory, training, workshops & implementation in Systems Thinking, Systems Modeling & Balanced Scorecard.
Worked with TIFR, Mahindra, Ambience, Communico-Graphique & Ionidea Inc, USA.
Hemant Seigell – Sr Vice President, Risk Management
MBA, PDFM, NSE-NCFM, PMP, CSSGB, ISO 9001:2000 I.A, GARP-FBR, ITIL V3, CPP-BPM
Professional with 17 years of rich experience in diverse consumer finance/lending operations, risk management, BPMS, consumer banking, NBFC, management consulting & housing finance in the BFSI industry, having successfully led key business strategic engagements across a multi-product environment in the APAC, Australia and US regions.
Worked with GE, ABN AMRO Bank, Citigroup, Accenture, Deutsche Postbank.
Highly skilled and expert trainer in risk areas across credit, fraud, operational and corporate risk management.
Specializes in fraud control, AML/KYC compliance, QA, ERM and regulatory governance.
26. RESUMES – Our team Credentials
R. Gupta – Head, Insurance Risk Advisory Services
B.Sc, Associate of Indian Institute of Insurance; Licensed Category A Insurance Surveyor
26 years of experience in insurance advisory services, loss adjusting for large corporates and claims management.
Has assessed more than 4500 high value insurance claims across various industry sectors.
Risk management inspection.
Valuations of fixed assets for insurance purposes.
Nilesh Bhatia – Head, Human Capital Management
Chartered Accountant, Lead Assessor ISO 9000, Six Sigma trained, trained on Situational Leadership, trained on interviewing skills and the Whole Message Model.
Over two decades of international, multi-cultural experience in finance and human resources, viz. internal audit, accounting operations, accounting process review & re-designing, risk management, business solutioning, six sigma projects, talent acquisition, talent retention, organization design/redesigning, compensation and appraisal processing, employee and customer satisfaction surveys, knowledge management and finance services.
Worked with Citicorp/MGF, India Glycol, Delphi, American Express India, American Express USA, Fidelity International and Macquarie Global Finance Services India.
27. RESUMES – Our team Credentials
Rajesh Jhalani – Head, Taxation Risk Advisory
B.Com, FCA
Senior Partner with Mehrotra and Mehrotra, a 48 year old Delhi based Chartered Accountant firm.
Over 19 years of experience in the field of audit, taxation and company law matters.
Major clients served are NTPC, BHEL, Bank of India, PNB, Airport Authority of India etc.
Gourav Ladha – Specialist Risk Consultant, ERP & IT Compliance
SAP Certified, MBA (Finance), SAP Security trained (from SAP India), SAP GRC Access Controls trained (from SAP India)
Over 7 years of experience working in the area of ERP/IT risk advisory, primarily focusing on SAP, for 'Fortune 500' clients in around 8 countries including US, UK, UAE, Hong Kong, etc.
Specializes in SAP Risk & Controls Advisory, SAP Business Process Controls Audit, SAP Security & Segregation of Duties Control Audit and ERP trainings.
Strong industry experience ranging from beverages, insurance, energy, FMCG, pharmaceutical, retail and telecommunication to IT services.
Worked for the risk advisory teams of reputed organizations like Ernst & Young and EXL Services.
28. RESUMES – Our team Credentials
Phanindra Prakash – Vice President, Riskpro India
FCA [India], ACMA [India], CFE [USA], CertIFRS [UK]
Over 16 years of extensive consulting experience which includes financial & systems audit, process transformation, implementation of internal controls, SOX compliance, fraud audits & due diligence and US-India taxation.
Engaged in consulting roles as trusted advisor to finance, internal audit and information technology executives of multiple Fortune 1000 companies with project sites in US, Canada, Europe & Asia.
Worked with E&Y and Deloitte Consulting in the USA.
Some of the major clients served internationally are GE Capital, UBS, McKesson, Eaton, Imation and Albertsons.
Asok Sit – EVP and Head, Telecom Risk Advisory
M.Tech, IIT Kharagpur, India; IES; doctoral study, research and teaching at Linköping University, Sweden; Lead Auditor (BVQI).
Over 30 years of international experience in networks and mobile handsets from top global companies/institutes like ISRO, Ericsson, Nokia and Nokia Siemens Networks, based mostly in their headquarter locations in India, EU and USA.
Expertise: setting up capability, behaviour and culture in turning risk, quality and innovation into competitive advantage, customer delight and sustainability; key skill sets are engagement, handholding, coaching, mentoring and a lot of best practices and benchmarking/standards like CMMI, TL9000, Six Sigma, ISO, SAS 70 etc.
29. RESUMES – Our Team
Ravikiran Bhandari – Vice President & Head, IT Risk Advisory
14+ years of experience in information security and risk management; CISM certified.
Headed the Global Information Security team of Daimler (Mercedes-Benz) Worldwide at Bangalore for 9 years; previously worked at organizations like Wipro and Bangalore Labs.
Multi-sector experience including banking, insurance, finance, energy, manufacturing, retail, hi-tech & telecom, and automobile.
Well known ethical hacker: was featured in BusinessWorld Magazine in an article about leading ethical hackers in India and has published several articles in print and online media.
Rich experience in information security audits across corporations, 3rd party suppliers and joint ventures across several countries in the world including US, UK, China and Germany.
30. RESUMES – PARTNERSHIPS Credentials
Anjay Agarwal – Consultant, Information Security & IT Governance
LLB, CA, CISA, CWA, CS, CFE and others
Over 15 years of experience in the field of audit, taxation and investigations.
Specializing in the field of systems audit, Cybrex audit, computer crime investigations and IS forensics.
International Committee Member of Governmental and Regulatory Agencies; Board and Academic Relations Committee of ISACA, USA.
Piyush Kumar – Consultant, Quality Management
Mechanical Engineer; founder of PMG, a TQM consulting company in Delhi.
20+ years experience in TQM concepts.
Strong skill set in various productivity & quality improvement projects including Six Sigma offerings.
Past experience includes reputed organizations like Andersen Consulting, Eicher Consulting & Nathan & Nathan Consultants.
31. RESUMES – PARTNERSHIPS
Andrew Hiles – Specialist Risk Consultant, Business Continuity
Founder and 15-year Chairman of Survive, the first international user group for business continuity professionals.
Founding director and first Fellow of the Business Continuity Institute.
Over 25 years international consulting expertise in risk, crisis, emergency, incident and business continuity and ICT disaster recovery management.
Multi-sector experience including banking, insurance, finance, oil, gas, energy, manufacturing, retail, hi-tech & telecom.
Western Press Award for services to business, 1994; BCI/CIR nomination for lifetime achievement in BC, 1999, London; inducted into the BC Hall of Fame by CPM magazine, 2004, Washington DC.
Chris E. Mandel – Specialist Risk Consultant, Enterprise Risk Management
Highly skilled risk and insurance professional with 25 years of experience designing, developing and implementing large, global corporate risk management programs for Fortune 500 firms.
Principal Consultant and Founder, Excellence in Risk Management, LLC (Texas, USA); co-founder and EVP, Professional Services, rPM3 Solutions, LLC (Maryland, USA).
Past experience includes Head of Global Risk Management for USAA, PepsiCo/Tricon Global and American National Red Cross.
Additional risk and insurance experience at Verizon Corp., Marsh USA and Liberty Mutual Insurance Co.
2004 Risk Manager of the Year; 2007 recipient of the Alexander Hamilton Award for "Excellence in ERM" (at USAA); former President, Risk and Insurance Management Society, Inc.
32. Strategic Alliance – 'AssureEasy' GRC Tool
NIIT Technologies and RiskPro offer a unique GRC management solution on the cloud, wherein NIIT provides the best-in-breed application platform and RiskPro brings best-in-class integrated risk management consulting services.
Platform Differentiators
• Cloud hosting model
• No CAPEX, infrastructure investment
• No ongoing application/infrastructure maintenance cost
• Unique delivery model
• Extremely fast implementation
• Out of the box implementation in 2-3 weeks time
• Highly configurable and flexible platform
• Customized solutions as per client's needs
Risk Expertise
• High performance business results
• Improved portfolio optimization
• Enhancing organization's ability for effective utilization of risk capital
• Highly experienced team of risk professionals with a plethora of risk domain knowledge and business solutions
Market Differentiators
• Platform users include Cognizant, RBS, Fidelity, NIIT Technologies etc.
• High CSAT ratings from existing customers
• System integration capabilities
• Services around solution implementation / application and infrastructure support
• Industry packaged solution using domain expertise from NIIT's vertical teams
Credibility
• Premier risk consulting firm serving top corporates/PSUs as preferred knowledge partners
• Increasing market penetration combined with unique value proposition in the risk consulting space
• Risk management capability
• Quick client assessment and delivery proposal across ERM
• Multi industry and functional domain solutions