Building an Information Security System for Enterprises (Nghiem Sy Thang)
Transcript

  • 1. Building an Information Security System for Enterprises. Discussion document. Nghiem Sy Thang, Vice CEO - CTO, LienVietPostBank
  • 2. Contents
    – Vision and objectives for building an enterprise IT and information security strategy
    – Approach and modelling of the implementation strategy
    – The Component Business Model method
    – Applications in building and standardising the enterprise information security system
    – Applications in building the information compliance and risk management system
  • 3. Vision & objectives for building the enterprise IT and information security system
    Analyse the current state of the IT system and define the future vision for the enterprise's IT:
    – Alignment with the business is the guiding policy; the value of IT and information security lies in turning the business vision into reality.
    – Understand the shortcomings that still exist in order to set the direction for the future.
    Design the strategy: identify options for resolving those shortcomings and set out the option that gives the enterprise the best return on its investment, covering:
    – Architecture, applications, data and technology infrastructure;
    – The IT operating model, and the positioning of IT and information security as the main driver for the business.
    Build the strategic roadmap: rank the options by priority and, for the chosen option, evaluate the financial benefits and make the plan concrete:
    – Programme portfolio
    – Investment analysis
    – Planning
  • 4. Approach and modelling of the implementation strategy for enterprise IT and information security projects
    Part 1: Preparation. To define the project scope and select suitable systems, the first three phases correspond to Part 1 of the enterprise's project. They give a comprehensive analysis of the enterprise's requirements for the information security system and of how well those requirements fit the enterprise's operating model and IT strategy. The three phases are:
    – Phase 1: Strategy and business model
    – Phase 2: Building the IT strategy
    – Phase 3: Business requirements, RFP and vendor selection
    Each phase has a number of key tasks that must be carried out; completing the key tasks of one phase determines the success of the next.
    Part 2: Implementation and post-implementation. During implementation, progress is tracked and the project process is improved. This work needs close attention and should be carried out by an independent consulting unit.
  • 5. Overview of the steps in implementing an IT and information security project for the enterprise
    Part 1, preparation: Phase 1 (strategy and business model), Phase 2 (building the IT and information security strategy), Phase 3.1 (business requirements), Phase 3.2 (RFP and vendor selection). Part 2, implementation and post-implementation: Phase 4 (project management).
    Implementation preparation:
    – Phase 1: interview senior leadership; review business operations and processes; document the business model; review strategic alignment; define the strategy.
    – Phase 2: assess IT capability; assess readiness; build the action plan; build and select IT solutions; build the overall IT picture; develop the IT strategic plan.
    – Phase 3.1: detail the IT requirements; document the business, functional and technical requirements.
    – Phase 3.2: support the selection; build the request for proposal (RFP); support the evaluation; schedule site visits for evaluation; negotiate the contract.
    – Phase 4: run the project management board; assure project quality; design and test controls; support application testing; train on risk and controls; manage change; post-implementation review.
    Enterprise:
    – Phase 1: agree on the content; give feedback; define the future model.
    – Phase 2: cooperate in gathering information; give feedback; define the IT strategy; agree on the plan for executing the strategy.
    – Phase 3.1: stakeholder agreement on the business model, business requirements, functional requirements and technical requirements.
    – Phase 3.2: approve the vendors; sign off the RFP requirements; approve the evaluation criteria; decide on the chosen solution.
    – Phase 4: manage the project; approve the system controls and other controls; manage change; deploy the IT system.
  • 6. Applying M. Porter's strategy theory. Five main forces can threaten an enterprise's position in the market:
    – The threat of new competitors.
    – The bargaining power of suppliers.
    – The bargaining power of customers.
    – The threat of substitute products and services.
    – Rivalry among existing enterprises.
    Porter's value chain model applied to a manufacturing or service enterprise.
  • 7. Highlights of M. Porter's strategy theory
    + Response strategies
    – Cost leadership: create the products and services with the best price in the field.
    – Differentiation: create high-quality products at a competitive price, for example good after-sales service.
    – Focus: concentrate on one market segment in order to achieve both cost leadership and differentiation.
    – Additional strategies: in 1996 Porter extended the theory with strategic positioning, operational effectiveness and customer service.
    + Applying the Porter model
    – Analyse the strengths and weaknesses of all activities.
    – Activities that add more value can create competitive advantages.
    – Determine in which activities of the chain applying IT creates the greatest value, and in which activities applying IT is most appropriate.
  • 8. Applying the COBIT + ITIL/ISO standards
  • 9. The Component Business Model method
  • 10. The Component Business Model method: illustrative governance model
  • 11. The Component Business Model method
  • 12. The Component Business Model method in building IT and information security items
  • 13. A method for modelling an enterprise to identify the focus areas for both business and IT. (Component Business Model map; the figure's labels are listed here.) Competency headings: Insight, Manufacturing, Distribution, Risk / Fin Mgt. Level headings: Strategy and Planning, Governance, Processing. Components shown: Service, Branch, Call Centre, Self-Service, Sales, Marketing, Product, Manufacturing, Deployment, Research, Development; Market Risk Analysis & Mgmt, Credit Risk Analysis & Mgmt, Asset & Liability Policy & Planning, Operational Risk Analysis & Mgmt; Administration, Channel Mgmt, Relationship Mgmt, Application Mgmt, Product Management, Portfolio Mgmt, Production Mgmt, Inventory Mgmt, Financial Mgmt, Portfolio Analysis, Market Research, Segmentation, Business Strategy, Customer Analysis; Fixed Asset Mgmt, Alliance Mgmt, Resource Planning, Business Architecture, Business Unit Mgmt; Compliance, Internal Audit, Compliance Mgmt; Data (Business, Markets, Customer); Common Processes (Billing, Payments, Customer Account, Collections/Recovery, Deposits Servicing, Reconciliations, Settlement); Specific Processes (Trading, Custody, Financial Capture, Valuations); Facilities, Infrastructure, Operations Mgmt; Finance (Policies & Control, Financial Accounting & Reporting, Treasury, Cash Inventory); Facilities Operations & Maintenance; Human Resources (HR Management); IT (Systems Development & Maintenance). Source: LienVietBank Institute for Business Value
  • 14. Architecture, IT organisation and value are the three dimensions assessed throughout the IT strategy approach
    A method for modelling IT operations to identify the focus areas for both business and technology. Steps:
    – 1. Analysis & vision: the current state of IT and the target to reach in the future (current-state analysis; IT vision and alignment with the business; gap analysis).
    – 2. Strategy design: options for resolving the existing shortcomings and selection of the optimal option (develop and evaluate options; conceptual architecture; IT organisation).
    – 3. Building the strategic roadmap: the financial implications of the chosen option and the implementation plan (project portfolio; investment analysis; project planning; project preparation).
    Dimensions: Architecture (applications, technology, information); Value (the value IT delivers, IT costs, IT investments); IT operating model (governance, IT organisation, IT services, IT processes, people/capabilities).
  • 15. Step 1 in approaching and building the IT strategy: analysis & vision
    Current-state analysis of IT: IT governance and structure; IT projects; IT resources and skills; systems and technologies; IT costs; IT services and sourcing; business and technology trends.
    IT vision and strategy aligned with the business: capture the business direction and strategy; capture the technology direction and strategy; define the guiding principles and rules; identify IT needs from the key business lines; identify the business drivers enabled by IT; the specific business strategy and vision.
    Gap analysis against the IT, business and processing strategy.
  • 16. Objectives of the focus areas – Phase 1 (method/phase, component, area of study)
    Phase 1: Analysis & vision
    – Current-state analysis: IT governance and structure; IT projects; IT costs; IT resources and skills; IT systems and technologies; IT services and capability sourcing; application architecture and functions.
    – Build the vision and align IT, information security and the business: capture the business direction and strategy; capture the technology direction and strategy; business and technology trends; define the guiding principles and rules; identify IT needs from the key business lines; identify the business drivers enabled by IT.
    – Gap analysis: gap against the conceptual architecture; gap in the IT operating model.
  • 17. Identify the items to implement according to business priority, which in turn drives the IT investment strategy. (The Component Business Model map from slide 13, with each component rated as Differentiation, Competitive or Priority.)
  • 18. Deriving the IT and information security architecture from the enterprise's business vision. (Layered architecture diagram; the layer labels are listed here.)
    – Channels layer: Electronic, Self Service, Branches, Call centre, Mobility, Partners.
    – Presentation layer: Authentication, Access Control, Content, Collaboration, Personalisation.
    – Components layer, Business Components: Deposits, Investments, Banking Application, CRM, Loans, Treasury, Payments, Risk and Compliance, Credit Card, Collecting, Accounting, Cash Management, Asset Management, HR, Doc Mgmt, BI.
    – Information layer: Client History, Client Relationship, Client catalog, Product catalog, DW, Data Marts, Analytics, Client/Product/Segment views.
    – Management: ID Management, Availability, Change Management, Application Development, Security Management, Provisioning, Configuration, Directory Management, Monitoring, Portfolio and Process control, Architecture control, Quality Management, Auditing. The diagram also carries the group label Common Components.
    Priority rating: High, Medium, Difference.
  • 19. Evaluating IT in the context of business priorities brings out the key implementation objectives that are needed. (The Component Business Model map from slide 13, rated as Differentiation, Competitive or Priority, with Missing Functionality marked.)
  • 20. The IT vision also shows how to choose the main architecture to resolve the existing shortcomings. (The layered architecture from slide 18, rated High, Medium or Diff/Low priority, with a key marking Enhancements, New Capabilities and Gaps.)
  • 21. Developing and evaluating the strategic options is done on the basis of both the conceptual model and the organisation
    2. Strategy design: develop options and compare them; define the options for the specific client; evaluate the options and decide on the selection; analyse the risk of each option. Inputs: business requirements and their priorities; the choice of IT strategy organisation within each specific option; integrating knowledge of the environment and the shareholders; what needs to be done.
    – Conceptual architecture: application architecture; technology architecture; information architecture.
    – Operating model: governance; IT organisation/structure; IT services and capability sourcing; IT processes; people management.
  • 22. Objectives of the focus areas – Phases 2 & 3 (method/phase, component, area of study)
    Phase 2: Strategy design
    – Conceptual architecture: application architecture; infrastructure architecture; information and security architecture.
    – Operating model: governance; IT organisation/structure; IT services and capability sourcing; IT processes; people management.
    – Develop and compare options: define the options for the specific client; analyse the risk of each option; evaluate the options and decide on the selection.
    Phase 3: Strategic roadmap
    – Project portfolio: business project portfolio; IT project portfolio.
    – Investment analysis: cost evaluation; investment analysis for a number of important projects.
    – Project planning: evaluate priorities and timelines; plan investment and budget; plan the project.
    – Project preparation.
  • 23. A component-based reference gives flexibility and guides the selection of IT and information security technologies and applications
  • 24. Technology infrastructure summary
    – Applications (200+ apps): business applications (App 1, App 2, product Portal, FOS, product Manager, Legacy, and others…); EAI layer: Websphere, Netweaver (Exchange Infrastructure, Process Integration), Actis EDIMANAGER; development environments: UNIX & Windows scripting, .Net, Java, Notes, Perl, Visual Basic, HTML, ABAP, other development packages.
    – Technical platforms: HP-UX (95), HP Intel servers (180), Superdome (2), Notes servers, Windows/Intel (54).
    – End-user equipment: 7,000 desktops, 4,000 laptops, 1508 printers, 119 PDAs.
    – Storage and databases: Tier 1 (110 TB), Tier 2 (125 TB); EMC Symmetrix, EMC CLARiiON, EMC Centera…, HP EVA, EMC Celerra, tape; Oracle, SQL Server, DB2, MaxDB, Notes.
    – Network infrastructure: MPLS (Orange, AT&T), VPN (Orange), DWDM (Luxembourg EPT).
    – Systems management: HP OpenView, HP Network Node Manager, HP Insight Manager, CiscoWorks, Cisco ACS, NetScout, Big Brother.
  • 25. A process-based approach addresses the main technical challenges of the technology and security strategy
    – Designed to evolve: incremental upgrades that account for the continuous change in business and IT.
    – Significantly reduces development time during upgrades compared with conventional approaches.
    – Aims to modularise the design and execution of business processes.
    – High performance while remaining flexible.
    From functional but heavily customised and inflexible core systems to service-oriented, loosely coupled, business-process-driven components.
  • 26. Several options can be put forward while developing the solution (Option 1, Option 2, Option 3)
    – Conceptual architecture: application architecture; technology architecture.
    – IT organisation and processes: IT governance; IT organisation; IT service delivery; IT processes; IT people and skills.
  • 27. Proposed solutions and options for building the enterprise security environment.
  • 28. Modelling the information security system
  • 29. Building and standardising the enterprise information security system can be modelled as three steps
  • 30. Part 1: Security Benchmarking
  • 31. Part 2: Security Risk Assessment
  • 32. Part 3: Security Strategy Development / ISD Enhancement
  • 33. Objectives of building the enterprise security strategy
    Work to be carried out:
    – Develop strategies to align information security with IT, the business, consolidation strategies and initiatives.
    – Analyse the information security budget and propose strategies to reduce the cost of information security operations.
    – Assess the maturity of one or more security capabilities in our Enterprise Security Framework and provide a roadmap and specific initiatives to reach a particular maturity level.
    – Assess the delegation of information security roles and responsibilities, and provide organisational and governance recommendations.
    – Benchmark the client's information security programme against industry or peer benchmarks.
    Potential benefits:
    – Information security practices applied consistently and appropriately across the whole system.
    – Reduced cost of information security operations and IT "point solutions".
    – Established accountability, authority and responsibility for information security.
    – Security unified into a core business management system.
    – The right level of information security investment for the enterprise's requirements and the organisation's risk tolerance.
    – Alignment of all business directions, the security strategy and the IT systems.
    – Practical security solutions that are tightly integrated and easy to manage.
  • 34. Method for developing the enterprise information security system
    IT operations management frameworks (for example ITIL) continue to mature and achieve broad success as effective methods for rationalising and controlling IT operations. The growing popularity of these successes forces information security leaders to rethink their strategy for implementing security controls effectively within a standard IT organisational framework. A correlated, integrated security process controls and embeds security into a modern IT organisational framework through one or more of the following methods:
    – Control implemented through a self-contained process (for example an incident handling process)
    – Control implemented through the execution of a process (for example developing standards and policies)
    – Control implemented through an interface (for example security clauses in third-party contracts)
  • 35. Enterprise Security Framework
  • 36. Definitions of the items in the enterprise security model
  • 37. Benefits of the "process-based" security model
    – Integration with industry-standard IT frameworks: most IT frameworks are process-based, so a process-based security framework allows the required processes and integration points to be identified directly.
    – Sustainable maturity: formally integrating security processes into IT and business operations ensures that the requirements of the security process are carried out carefully and properly.
    – Use of maturity analysis methods: many capability maturity models and methods can be used without modification to analyse the effectiveness of information security programmes and to create a maturity-based strategic roadmap.
    – Management metrics: processes can be measured effectively by many methods, and the metrics provide a range of management reports on the current state of the security programmes.
    – Clear accountability: ownership can be assigned to each security process to ensure it is maintained and executed when needed.
    – Flexible security delivery: roles and responsibilities for initiating, planning, executing, managing and closing information security processes can be assigned centrally, distributed, or outsourced depending on the skills required and the cost.
    – Technology cost/benefit analysis: the ability to map technology to the processes it supports enables cost/benefit analysis of technology purchases, consolidation and the development of cost-reduction strategies.
  • 38. Vision of the "process-based" security model
    Combining models that capture the operating processes of a specific industry with standard security management standards allows better, faster and better-informed strategy modelling and application management decisions. Across the whole enterprise, benchmarks can be set that accelerate the deployment of the security system and the choice of measures of investment value.
    Key industry accelerators: Risk Maps by Industry, ValuePrint, IndustryPrint, InformationPrint, ServicesPrint, Value Level Metrics. Positioning IT deployment by industry vertical.
  • 39. Mô hình t ch c đơn c 39
  • 40. Vòng đ i các chương trình an ninh b o m t thông tin theo COBIT S d ng khung an ninh doanh nghi p và quá trình tri n khai theo thư vi n, doanh nghi p có th b t đ u đánh giá, phát tri n, th c hi n và duy trì m t chương trình b o m t hi u qu .
  • 41. Strategic approach to building the enterprise security system
    Scope and planning
    – Identify the key stakeholders and departments involved and build a schedule of meetings.
    – Build the overall project plan.
    Understand the current state
    – Collect and review the relevant policies, standards and documentation.
    – Conduct meetings with the information security function and the key individuals involved.
    – Map the security technologies that support the process.
    – Map the organizational roles and responsibilities that support the security process.
    – Map the security process interfaces and the dependencies between the security process, IT and the business.
    Benchmarking and analysis
    – Identify the key drivers of maturity
    – Identify the key barriers to maturity
    – Define the maturity requirements for the security process.
    – Document and analyze the gaps between the current state and the requirements.
    Recommendations and rationalization
    – Develop a prioritized maturity roadmap
    – Outline strategic initiatives based on that roadmap.
  • 42. Regular assessment: the enterprise security framework and the risk libraries built up during use are applied to measure the maturity of the information security programs and to provide a strategy for improvement.
  • 43. Example of an implementation approach: decomposing 3 steps into 5 steps
    1. Executive summary: briefly outline the scope, method, main content and key recommendations.
    2. Introduction: present the main content of the document structure, the context and purpose, the intended readers, the measurement levels and the assumptions.
    3. Business concerns: outline the business and IT initiatives and drivers, the legal and regulatory drivers, the overall risk, the security strategy and the budget.
    4. Maturity analysis: outline the analysis and maturity of the security process, covering process definitions and activities, process interfaces, roles and authorities, key performance indicators and reporting, and enabling technologies.
    5. Tactical security initiatives: outline the overall roadmap for reaching the target maturity level of the security program and present the initiatives, describing their basic elements, practices, project activities, assumptions and dependent initiatives, measured phases, and budget costs (one-time and recurring).
  • 44. Example of detailed strategy implementation
  • 45. Example of detailed strategy implementation
  • 46. Example of detailed strategy implementation
  • 47. Example of detailed strategy implementation
  • 48. Information Security Process Library: each process is defined in terms of its activities, together with a best-practice basis for metrics, roles and responsibilities, interface points and enabling technologies, forming the foundation for effective integration or re-engineering of IT and security.
    Process Definitions & Activities
    Roles and Authorities
    • IS: responsible for ensuring the risk assessment process is carried out when needed. Information Security manages the execution of the procedures, facilitates data collection, analyzes vulnerabilities and impacts to determine risk, facilitates the development of risk mitigation strategies, and produces reports and other supporting documentation.
    • IT: responsible for identifying which IT systems and corresponding components support the business process, maintaining the relationship between physical systems and information assets, maintaining the information asset data flows and system documentation, and supporting the identification of system vulnerabilities.
    • Business Process Owners: responsible for identifying and classifying the information assets used in their business process, identifying the key applications used to support the business process, reviewing the risk analysis reports, and coordinating with Information Security to create and manage plans and strategies.
    Process Interfaces
    • Business Impact Analysis (output from)
    • Vulnerability Assessment (output from)
    • Compliance Assessment (output from)
    • Risk Event Identification (output from)
    • Remediation Decision Support (input to)
    Enabling Technologies
    • Risk and Control Library (RCL)
    • Citadel
    • TruSecure
    • Logic Manager
    KPIs and Reporting
    • Time to perform a risk assessment
    • Duration to perform a risk assessment
    • Number of information assets reviewed
    • Number of systems reviewed
    • Number of business processes reviewed
    • Top 5 most likely threat/vulnerability pairs
    • Top 5 control weaknesses
    • Top 5 impact scenarios
    • Top 5 business processes with the most risk
  • 49. Process Definitions and Activities - example: each process defines best-practice process flows and detailed procedures that ensure maturity and re-engineering activities achieve effective and favorable results.
  • 50. Roles and Authorities - example: each process defines roles and responsibilities to ensure adequate authority and accountability for process execution and ownership.
  • 51. Process Interfaces - example: each process defines its dependencies on and interfaces with other security and non-security processes, so that maturity, re-engineering and improvement initiatives succeed.
  • 52. Key Performance Indicators and Reporting - example: each process defines several key performance indicators and metrics to support the monitoring and reporting of information security activities.
    • Time to perform a risk assessment
    • Duration to perform a risk assessment
    • Number of information assets reviewed
    • Number of systems reviewed
    • Number of business processes reviewed
    • Top 5 most likely threat/vulnerability pairs
    • Top 5 control weaknesses
    • Top 5 impact scenarios
    • Top 5 business processes with the most risk
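The KPI list on slides 48 and 52 is given as names only. The script below, an added example that is not part of the deck, computes each of those KPIs over a constructed risk register and a constructed log of assessment dates. The field names, the 1-5 likelihood and impact scales, and the scoring rule (risk = likelihood x impact) are assumptions; the "most likely" pairs are ranked by likelihood alone, the other Top-5 lists by summed risk score.

```python
"""Risk assessment KPIs computed over a constructed risk register.

Added example, not from the original deck. The register rows, assessment
dates and field names are constructed sample data; the scoring rule
(risk = likelihood x impact, each on a 1-5 scale) is an assumption.
"""
from collections import Counter
from datetime import date

# Constructed risk register: one row per (asset, threat, vulnerability) finding.
RISK_REGISTER = [
    {"asset": "Customer DB", "system": "ORA-01", "process": "Order management",
     "threat": "External attacker", "vulnerability": "Unsupported database version",
     "likelihood": 4, "impact": 5, "weakness": "Patch management",
     "scenario": "Customer data breach"},
    {"asset": "Customer DB", "system": "ORA-01", "process": "Billing",
     "threat": "Insider", "vulnerability": "Shared admin account",
     "likelihood": 3, "impact": 5, "weakness": "Privileged access review",
     "scenario": "Customer data breach"},
    {"asset": "File share", "system": "FS-02", "process": "Order management",
     "threat": "Malware", "vulnerability": "Cleartext FTP transfer",
     "likelihood": 4, "impact": 3, "weakness": "Transmission encryption",
     "scenario": "Data tampering in transit"},
    {"asset": "HR records", "system": "HR-APP", "process": "Payroll",
     "threat": "Insider", "vulnerability": "Orphaned accounts",
     "likelihood": 3, "impact": 4, "weakness": "Access recertification",
     "scenario": "Unauthorized disclosure"},
    {"asset": "Web portal", "system": "WEB-01", "process": "Order management",
     "threat": "External attacker", "vulnerability": "Unpatched third-party library",
     "likelihood": 5, "impact": 3, "weakness": "Patch management",
     "scenario": "Service outage"},
    {"asset": "Backup tapes", "system": "BK-01", "process": "Billing",
     "threat": "Physical loss", "vulnerability": "Unencrypted backup media",
     "likelihood": 2, "impact": 4, "weakness": "Media handling",
     "scenario": "Customer data breach"},
]

# Constructed assessment log: when each assessment was requested, started, finished.
ASSESSMENTS = [
    {"id": "RA-1", "requested": date(2024, 1, 8), "started": date(2024, 1, 15),
     "finished": date(2024, 2, 2)},
    {"id": "RA-2", "requested": date(2024, 3, 4), "started": date(2024, 3, 6),
     "finished": date(2024, 3, 20)},
]


def mean_days(assessments, start_key, end_key):
    """Average number of days between two dated events of each assessment."""
    return sum((a[end_key] - a[start_key]).days for a in assessments) / len(assessments)


def time_to_perform(assessments):
    """'Time to perform': days from request to start of the assessment."""
    return mean_days(assessments, "requested", "started")


def duration(assessments):
    """'Duration': days from start to completion of the assessment."""
    return mean_days(assessments, "started", "finished")


def coverage(register):
    """Distinct assets, systems and business processes that were reviewed."""
    return {k: len({r[k] for r in register}) for k in ("asset", "system", "process")}


def top_by_risk(register, field, n=5):
    """Top-N values of `field`, ranked by the summed risk score of their rows."""
    score = Counter()
    for r in register:
        score[r[field]] += r["likelihood"] * r["impact"]
    return score.most_common(n)


def top_threat_vuln_pairs(register, n=5):
    """Top-N threat/vulnerability pairs ranked by likelihood, not by score."""
    likely = Counter()
    for r in register:
        pair = (r["threat"], r["vulnerability"])
        likely[pair] = max(likely[pair], r["likelihood"])
    return likely.most_common(n)


def kpi_report(register=RISK_REGISTER, assessments=ASSESSMENTS):
    """The KPI set from the slide, as one dictionary ready for a report."""
    return {
        "time_to_perform_days": time_to_perform(assessments),
        "duration_days": duration(assessments),
        "reviewed": coverage(register),
        "top_threat_vuln_pairs": top_threat_vuln_pairs(register),
        "top_control_weaknesses": top_by_risk(register, "weakness"),
        "top_impact_scenarios": top_by_risk(register, "scenario"),
        "top_risky_processes": top_by_risk(register, "process"),
    }


if __name__ == "__main__":
    for name, value in kpi_report().items():
        print(f"{name}: {value}")
```

On the constructed data the report ranks "Order management" as the riskiest process (score 47) and "Patch management" as the top control weakness, because two separate findings share that weakness; summing scores per attribute is what makes the Top-5 lists actionable rather than a list of the single worst row.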
  • 53. Enabling Technologies - example: each process identifies the technologies and vendors that can support process integration and automation. Proposed technologies are evaluated according to:
    • Installed applications that are used to automate the process.
    • Potential future applications to support process automation.
    • Applications and technologies not yet known, which could meet the objectives of the process.
  • 54. Enabling Technology – Risk and Control Library
  • 55. Strategy for building the compliance and risk management system - C&RM
  • 56. C&RM strategy and roadmap – Project overview: as part of the IS strategy program, the following model describes a strategy and roadmap focused on C&RM.
    [Figure: IS Strategy map]
    Collaboration and Knowledge Sharing: Enable Flexible Collaboration for internal and external stakeholders
    Information Management and Exploitation: Provide the Right Information at the Right Time to enable business decisions and innovation
    Integration and Externalization: Provide Agile, Secure Capabilities to enable partnerships
    Managing IS as a Business: Compliance & Risk Management; Lean and Agile IS (Reduce Environmental Complexity and Increase Flexibility to meet business needs); Drive IS Delivery and Risk Management Excellence; Drive Benefits Realization from IS investments; Drive employee engagement by Developing Our People
  • 57. C&RM strategy and roadmap – Project overview: the objective of the project is to develop a roadmap that positions a strategy of proactive risk management and full compliance. The following figure summarizes the approach used to develop the strategy:
    [Figure: Strategy development approach]
    Inputs: Strategy Information Gathering Sessions; Existing Documentation; Challenges & Pain Points; Methodology & Framework; Prioritized C&RM Needs; Market / Industry Tools & Techniques
    C&RM overview assessment and C&RM Strategy Development:
    • Conduct information-gathering sessions with stakeholders, functional staff and technical staff
    • Collect and review the existing documentation and current practices
    • Develop a view of the RM environment, focusing on the observed areas where processes, tools or technologies can be strengthened
    • Identify the areas where industry-recommended practices, tools or technologies can be adopted into the enterprise's standard model
    • Develop a strategic roadmap summarizing the short-term and long-term process, tool and technology areas that enable enterprise-wide risk management
    Deliverables: Observations; Recommendations; Strategy; Roadmap
  • 58. ITRM Risk Governance Framework: the descriptions below outline the different elements that must be designed together for effective risk management.
    Strategy: What risk domains are in-scope? Who defines the risk appetite; what are the implications? What's our overall strategy and roadmap; is it aligned to business needs? What does our capability framework look like, what are our gaps in capabilities? How do we optimize our risk / cost profile? How do we develop incentive systems to improve risk management?
    Governance and Operating Model: What is the optimal governance structure and operating model across Business, Risk, Finance and IT? Who is accountable? How should we be structured? How / to what degree is independence of the risk organization required?
    Policies and Standards: What are the set of policies and standards that need to work together? What is the relationship across the various policies?
    Management Processes: What are the risk management processes that we need to have in place? How do we evaluate the effectiveness ("process adequacy") of the management processes?
    Tools: What are the overall tools and data architecture? What functions do the tools perform? Do they work effectively together?
    Management Reporting: What are the tiered reports – who is the audience? How do we incorporate KRI and KPI?
    Communication, Training and Awareness: Do we have an organization-wide communication, training, and awareness program across the various program elements and stakeholders?
  • 59. ITRM framework: the ITRM model is adopted on a practical basis, grounded in the assessment and analysis.
    [Figure: ITRM framework]
    ITRM Framework Elements: Strategy; Policies and Standards; Governance and Operating Model; Management Processes; Tools; Management Reporting; Communication, Training and Awareness
    Key Capabilities and their Sub-capabilities:
    Infrastructure Security: Antivirus & Malware; Intrusion Detection; Network Admission Control; Network/ Application Firewall; Proxy/Content Filtering; Remote Access; Security Monitoring; Transmission Encryption; Wireless Security; Database Security
    Physical & Environmental Security: Physical Perimeter Security; External & Environmental Threats; Contact with Authorities; Physical media Handling; Equipment Security
    Cyber Threat Mgmt.: Brand Monitoring; Computer & Network Forensics; O/S Hardening & Secure Configuration; Patch Management; Penetration Testing; Threat Intelligence; Threat Modeling; Vulnerability Management
    Identity & Access Mgmt.: Federation; Access Governance; Access Reporting/ Audit; Data Platform Integration; Privileged User Management; Access Management; User Account Management
    Secure Development Lifecycle: Security Design/ Architecture*; Security/Risk Requirements; Application Role Design/Access Privileges; Secure Coding Guidelines; Secure Build; Security Testing; Roll-out & Go-live; Application Security Administration
    Data Protection: Data Loss Prevention; Data Encryption & Obfuscation; Breach Notification & Management; Data Lifecycle Analysis; Data Classification & Inventory; Data Retention & Destruction
    Third Party Risk Mgmt.: Third Party Assessment Program; Third Party Compliance (Regulatory, SLA); Remediation and Exception; Incident Management and Response; Third Party Governance*; Supplier Compliance Management
    Enterprise Resilience: Escalation and Crisis Mgmt.; Maintenance Testing and Exercising; Business Impact Analysis; Data Backup; Recovery Plans and Procedures; Recovery Strategies
    IT Risk & Compliance Mgmt.: Regulatory and Standards Research; Integrated Req. & Control Framework; Risk & Compliance Assessment; Policies, Standards & Procedures; Issue & Corrective Action Planning; Exception Management
    IT Operations: Asset Management; SLA, Service Validation & Testing; Capacity Management; Incident & Problem Management; Release Management; Configuration & Change Management
    *Security design and architecture sub-capability includes development of application, technical and operations architecture
  • 60. C&RM Assessment (Current State Summary & Recommendations)
  • 61. Maturity level – Assessment scoring approach: below is the process capability model based on COBIT 5 that was used to score the ITRM framework components.
    Process Capability Model* – Maturity Level / Overview
    0 – Incomplete: The process is not implemented or fails to achieve its purpose.
    1 – Performed: Processes are ad hoc and disorganized, but the implemented process achieves its purpose.
    2 – Managed: The implemented process is Planned, Monitored and Adjusted to meet identified objectives.
    3 – Established: The implemented process is tailored and effectively deployed along with the infrastructure needed to provide a closed loop feedback cycle for process improvement.
    4 – Predictable: A predictable process operates consistently within defined limits to achieve process outcomes and is supported and driven through quantitative information derived from relevant measurement. A standard process is now performed consistently.
    5 – Optimized: Process is continuously improved to meet relevant current and projected enterprise goals.
    *Process capability model based on COBIT 5
  • 62. C&RM current state summary: based on the enterprise's inputs, the heat map below summarizes the current state of the RM objectives to be met, applying COBIT 5 to the assessment.
    [Figure: ITRM heat map. The same framework elements, key capabilities and sub-capabilities as on slide 59, colour-coded by capability level; the per-capability ratings are carried only by the colours and are not recoverable from the extracted text.]
    Legend: 0 - Incomplete; 1 - Performed; 2 - Managed; 3 - Established; 4 - Predictable; 5 - Optimized; Out of Scope
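Slides 61 and 62 describe the scoring approach (COBIT 5 capability levels per component) and its output (a colour-coded heat map) without showing the computation in between. The script below is an added example, not from the deck, that scores a constructed set of sub-capabilities, rolls them up to the key capability, renders the heat map as text and produces the prioritized gap list a roadmap starts from. The sub-capability scores are constructed; the weakest-link roll-up rule, the target level of 3 (Established), and the treatment of out-of-scope items are assumptions.

```python
"""Scoring ITRM capabilities with COBIT 5 process capability levels.

Added example, not from the deck. The sub-capability scores are constructed;
the aggregation rule (a capability is rated at its weakest sub-capability),
the target level and the gap ordering are assumptions.
"""

LEVELS = {0: "Incomplete", 1: "Performed", 2: "Managed",
          3: "Established", 4: "Predictable", 5: "Optimized"}
TARGET = 3  # assumed target: Established

# Constructed assessment: capability -> {sub-capability: level, or None if out of scope}
ASSESSMENT = {
    "Infrastructure Security": {
        "Antivirus & Malware": 3, "Intrusion Detection": 2,
        "Transmission Encryption": 1, "Database Security": 1},
    "Physical & Environmental Security": {
        "Physical Perimeter Security": None, "Equipment Security": None},
    "Cyber Threat Mgmt.": {
        "Patch Management": 2, "Vulnerability Management": 2,
        "Threat Modeling": 0, "Computer & Network Forensics": 1},
    "Identity & Access Mgmt.": {
        "Access Reporting/ Audit": 0, "Privileged User Management": 1,
        "User Account Management": 2},
    "Enterprise Resilience": {
        "Business Impact Analysis": 1, "Recovery Plans and Procedures": 0},
}


def capability_level(subs):
    """Weakest-link rating: the lowest scored sub-capability; None if all are out of scope."""
    scored = [lvl for lvl in subs.values() if lvl is not None]
    return min(scored) if scored else None


def heat_map(assessment=ASSESSMENT):
    """Capability -> level, the data behind the colour-coded heat map."""
    return {cap: capability_level(subs) for cap, subs in assessment.items()}


def gaps(assessment=ASSESSMENT, target=TARGET):
    """Sub-capabilities below target as (gap, capability, sub-capability, level),
    largest gap first; ties broken alphabetically so the list is stable."""
    rows = [(target - lvl, cap, sub, lvl)
            for cap, subs in assessment.items()
            for sub, lvl in subs.items()
            if lvl is not None and lvl < target]
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


def label(level):
    """Legend text for a level, matching the slide's legend."""
    return "Out of Scope" if level is None else f"{level} - {LEVELS[level]}"


def render(assessment=ASSESSMENT):
    """Plain-text version of the heat map plus the prioritized gap list."""
    lines = [f"{cap:<36} {label(lvl)}" for cap, lvl in heat_map(assessment).items()]
    lines.append("")
    lines.append("Gaps to target (largest first):")
    lines += [f"  {cap} / {sub}: {label(lvl)} (gap {gap})"
              for gap, cap, sub, lvl in gaps(assessment)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render())
```

The weakest-link roll-up is deliberately pessimistic: a capability with one Incomplete sub-capability is shown as Incomplete even if its other sub-capabilities are Managed, which is what keeps a heat map from hiding the single missing control behind an average.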
  • 63. C&RM priority areas: based on the current-state analysis, industry-recommended practices and discussions with the company's resources, the following ITRM components were identified as priority areas to address.
    ITRM Component / Key Observations / Implications
    IT Risk & Compliance Management
    • Company A's agency readiness capabilities related to GxP are not fully established (e.g., compliance practices, computer system validation, vendor management, complaint handling). This subjects Company A to non-compliance with the FDA, EMA, and other regulatory requirements.
    Infrastructure Security / Cyber Threat Management
    • The existing Company A network structure is flat and does not utilize a multi-tiered environment. The current network infrastructure potentially exposes Company A resources to external tampering and exploitation.
    • Configurations for databases have limited security, and unsupported databases exist in Company A's environment, which increases the risk of breaches.
    • Company A's security monitoring solution does not provide a broad set of information on advanced persistent threats. This increases Company A's risk exposure to cyber threats.
    Enterprise Resilience
    • A secondary datacenter and related operational processes do not exist. In the event of a disaster, this may result in loss of critical business capabilities.
    • A Business Continuity Plan (BCP) for IS does not exist.
    Data Protection
    • Standards and processes for protecting sensitive data may not meet privacy requirements (e.g., use, sharing, control and retention, cross-border data flow). This increases Company A's risk of unauthorized access to sensitive data.
    Identity & Access Management
    • Periodic reviews and recertification of user access is performed on a limited and manual basis, which may lead to orphaned accounts and excessive access.
    Third Party Risk Management
    • Formal, enterprise-wide third party risk management strategy and approach does not exist.
    • Third party assessments are not conducted proactively or for every third party engagement, which may lead to third parties inadequately securing Company A assets.
    • There is no central third party inventory to support risk management of critical third parties.
  • 64. Infrastructure Security – current state and recommendations: using the ITRM framework as the basis, the key observations, implications and corresponding recommendations are given for each ITRM component.
    Description: Protection of networks and the supporting infrastructure
    Key Observations
    • The existing Company A network structure is flat and does not utilize a multi-tiered environment
    • Configurations for databases have limited security and unsupported databases exist in Company A's environment
    • Company A's security monitoring solution does not provide a broad set of information on advanced persistent threats
    • DHCP IP addresses can be obtained by plugging a device into an Ethernet port
    • Guest wireless access lacks content filtering controls and provides full access to the Internet
    • Rule of least privilege is not enforced at the server and database level (e.g., users with administrative privileges)
    • Although security violations are monitored, they are not reviewed consistently and timely
    • Insecure protocols (e.g., FTP) are used for internal data transfer
    Implications
    • Current network infrastructure exposes Company A resources to external tampering and exploitation
    • Unsecure database configurations increase the risk of breaches
    • Incomplete security management configurations increase Company A's risk exposure to cyber threats
    • Having excessive ports enabled increases the risk of unrestricted and unauthorized access to the network
    • Company A guest wireless users may use Internet access inappropriately and subject Company A to security risks
    • Administrative accounts provide little accountability, allowing for a higher chance of system compromise and exposure of confidential data
    • Lack of timely responses to security violations can increase the risk of damage due to security breaches
    • Insecure protocols increase the risk of sensitive data being compromised during transmission
    Recommendations
    • Implement a tiered internal network
    • Enhance database security review processes to track and remediate vulnerabilities timely or implement mitigating controls when remediation is not possible
    • Enhance security monitoring capabilities to provide real-time analysis of security alerts and logs generated by critical network hardware and applications
    • Disable public / non-essential Ethernet ports
    • Implement content filtering capabilities to control Internet content being provided to guest users
    • As part of the IAM program, periodic access reporting and auditing should be conducted on administrative level application accounts
    • Enhance security violation review policy for timely review of security notifications
    • Enable use of secure protocols for data transfer
    C&RM priority recommendations
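Two of the observations on this slide (cleartext protocols such as FTP used for internal transfers, and any device obtaining a DHCP address from an open Ethernet port) can be confirmed and tracked from logs the organization already has while the tiered network, port shutdown and secure-protocol rollout are under way. The script below is an added example, not from the deck: it runs two detections over constructed flow-log and DHCP-server lines. The log formats, the inventory of known MAC addresses, the list of cleartext service ports and the internal address range are assumptions.

```python
"""Two detections for the infrastructure findings on this slide, run over
constructed log lines: cleartext protocols used for internal data transfer,
and DHCP leases handed to devices that are not in the asset inventory.

Added example, not from the deck. The log formats, the inventory of known
MAC addresses and the internal address range are assumptions.
"""
import ipaddress
import re

# Constructed flow log; assumed format: <ts> <src>:<sport> <dst>:<dport> <proto> <action>
FLOW_LOG = """\
2024-05-01T09:12:03Z 10.10.4.21:51022 10.10.8.5:21 tcp allow
2024-05-01T09:12:09Z 10.10.4.21:51030 10.10.8.5:443 tcp allow
2024-05-01T09:13:44Z 10.10.6.7:40011 10.10.8.9:23 tcp allow
2024-05-01T09:14:02Z 10.10.6.7:40020 10.10.8.9:22 tcp allow
2024-05-01T09:15:10Z 10.10.4.22:33001 198.51.100.7:80 tcp allow
2024-05-01T09:15:31Z 10.10.4.22:33002 10.10.8.5:21 tcp deny
"""

# Constructed DHCP server log; assumed ISC dhcpd-style DHCPACK lines
DHCP_LOG = """\
May  1 09:10:01 dhcp1 dhcpd: DHCPACK on 10.10.4.21 to 00:1a:2b:3c:4d:01 via eth0
May  1 09:11:30 dhcp1 dhcpd: DHCPACK on 10.10.4.22 to 00:1a:2b:3c:4d:02 via eth0
May  1 09:12:45 dhcp1 dhcpd: DHCPACK on 10.10.4.23 to f0:9f:c2:11:22:33 via eth0
"""

KNOWN_MACS = {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"}  # constructed asset inventory
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+):(\d+) (\w+) (\w+)$")
DHCP_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17})")


def cleartext_internal_transfers(log=FLOW_LOG):
    """Allowed internal-to-internal flows to a well-known cleartext service port."""
    hits = []
    for line in log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, worth counting in production
        ts, src, _sport, dst, dport, _proto, action = m.groups()
        dport = int(dport)
        if action != "allow" or dport not in CLEARTEXT_PORTS:
            continue
        if ipaddress.ip_address(src) in INTERNAL and ipaddress.ip_address(dst) in INTERNAL:
            hits.append({"ts": ts, "src": src, "dst": dst, "service": CLEARTEXT_PORTS[dport]})
    return hits


def unknown_dhcp_clients(log=DHCP_LOG, known=KNOWN_MACS):
    """(ip, mac) of leases granted to MAC addresses absent from the inventory."""
    found = []
    for line in log.splitlines():
        m = DHCP_RE.search(line)
        if m and m.group(2).lower() not in known:
            found.append((m.group(1), m.group(2).lower()))
    return found


if __name__ == "__main__":
    for h in cleartext_internal_transfers():
        print(f"cleartext {h['service']}: {h['src']} -> {h['dst']} at {h['ts']}")
    for ip, mac in unknown_dhcp_clients():
        print(f"lease to unknown device: {ip} ({mac})")
```

The flow check only reports allowed, internal-to-internal connections: a denied FTP attempt or an HTTP request to the Internet is a different finding and would only add noise to the "insecure protocols for internal transfer" metric. The DHCP check is an inventory comparison, so its value depends entirely on the MAC inventory being maintained; a lease to an unknown address is a lead to investigate, not proof of a rogue device.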
  • 65. Physical & Environmental Security – current state and recommendations: using the ITRM framework as the basis, the key observations, implications and corresponding recommendations are given for each ITRM component.
    Description: Prevent unauthorized physical access, damage, and interference to the organization's premises and information
    Key Observations / Implications / Recommendations
    • N/A – Out of scope (IS does not support Physical & Environmental Security at Company A. This area is supported by a different group.)
  • 66. Cyber Threat Management – current state and recommendations: using the ITRM framework as the basis, the key observations, implications and corresponding recommendations are given for each ITRM component.
    Description: Discovering, defining and managing threats and vulnerabilities within information systems and the computing infrastructure
    Key Observations
    • Issues discovered as part of vulnerability assessments, penetration tests, security monitoring are not remediated timely
    • Third party software is not patched as consistently as Microsoft patches
    • Standardized threat intelligence / threat modeling process is not utilized consistently across the organization
    • Brand monitoring of external websites is not routinely performed
    • Capability to perform in house computer or network forensics is limited
    Implications
    • Lack of timely responses to known vulnerabilities can increase the risk of security breaches
    • Unpatched software increases the risk of exploitation of known vulnerabilities
    • Lack of an enterprise threat intelligence / threat model leads to an incomplete threat landscape and inability to properly assign risk values and determine risk responses
    • Lack of continuous brand monitoring can lead to reputational damage due to references made to Company A's trademarks, products, etc.
    • Lack of in-house forensic specialists may result in limited ability to support legal / compliance matters
    Recommendations
    • Enhance vulnerability assessment, penetration test, security monitoring processes for timely review and remediation of high risk security vulnerabilities
    • Enhance third party patching processes to track and remediate known vulnerabilities timely or implement mitigating controls when remediation is not possible
    • Implement a threat model strategy that can identify threats, assess the probability of potential harm and determine countermeasures to mitigate the risk
    • Implement an organizational brand monitoring strategy incorporating research on pending trademark registration applications, domain name acquisitions, social media usage, and entity filings
    • Consider creating an in-house cyber forensics team to manage the examination of digital media in accordance with legal / compliance requirements in the event of an investigation
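The first two observations above ("not remediated timely", "third party software is not patched as consistently as Microsoft patches") are only measurable once each finding carries a discovery date, a fix date and a severity-based SLA. The script below, an added example that is not part of the deck, tracks exactly that over a constructed set of findings: it lists SLA breaches, counts what is still open per discovery source, and compares the mean days-to-fix for Microsoft versus third-party software. The findings, the reporting date and the per-severity SLA days are constructed, and the field names are assumptions.

```python
"""Remediation timeliness tracking for the cyber threat findings above.

Added example, not from the deck. The findings, the as-of date and the
per-severity SLA days are constructed; field names are assumptions.
"""
from datetime import date

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed SLAs
AS_OF = date(2024, 5, 1)  # constructed reporting date

# Constructed findings from assessments, pen tests and monitoring; fixed=None means still open
FINDINGS = [
    {"id": "V-1", "source": "vulnerability assessment", "severity": "critical",
     "vendor": "Adobe", "found": date(2024, 4, 1), "fixed": None},
    {"id": "V-2", "source": "penetration test", "severity": "high",
     "vendor": "Microsoft", "found": date(2024, 4, 3), "fixed": date(2024, 4, 20)},
    {"id": "V-3", "source": "vulnerability assessment", "severity": "high",
     "vendor": "Oracle", "found": date(2024, 3, 1), "fixed": date(2024, 4, 25)},
    {"id": "V-4", "source": "security monitoring", "severity": "medium",
     "vendor": "Microsoft", "found": date(2024, 4, 10), "fixed": date(2024, 4, 30)},
    {"id": "V-5", "source": "vulnerability assessment", "severity": "critical",
     "vendor": "Microsoft", "found": date(2024, 4, 20), "fixed": date(2024, 4, 24)},
]


def age_days(finding, as_of=AS_OF):
    """Days from discovery to fix, or to the reporting date if still open."""
    return ((finding["fixed"] or as_of) - finding["found"]).days


def sla_breaches(findings=FINDINGS, as_of=AS_OF):
    """IDs of findings whose age exceeds the SLA for their severity (open ones included)."""
    return [f["id"] for f in findings if age_days(f, as_of) > SLA_DAYS[f["severity"]]]


def open_by_source(findings=FINDINGS):
    """How many findings from each discovery source are still open."""
    counts = {}
    for f in findings:
        if f["fixed"] is None:
            counts[f["source"]] = counts.get(f["source"], 0) + 1
    return counts


def mean_patch_lag(findings=FINDINGS):
    """Average days-to-fix for fixed findings, Microsoft versus third-party software."""
    buckets = {"microsoft": [], "third_party": []}
    for f in findings:
        if f["fixed"] is None:
            continue
        key = "microsoft" if f["vendor"] == "Microsoft" else "third_party"
        buckets[key].append(age_days(f))
    return {k: (sum(v) / len(v) if v else None) for k, v in buckets.items()}


if __name__ == "__main__":
    print("SLA breaches:", sla_breaches())
    print("open by source:", open_by_source())
    print("mean patch lag (days):", mean_patch_lag())
```

Counting an open finding's age up to the reporting date, rather than ignoring it until it is closed, is what makes the breach list useful as a weekly KPI: V-1 in the sample is a critical third-party issue that has been open for 30 days against a 7-day SLA and shows up immediately, instead of only after someone closes it.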
  • 67. Identity & Access Management – current state and recommendations: using the ITRM framework as the basis, the key observations, implications and corresponding recommendations are given for each ITRM component.
    Description: Access to information, information processing facilities, and business processes controlled on the basis of business and security requirements
    Key Observations
    • Periodic reviews and recertification of user access is performed on a limited and manual basis
    • A standards-based user provisioning solution is not utilized to automate provisioning to Company A applications
    • Process to manage the role lifecycle, access recertifications, etc. is limited
    • Management of privileged accounts (i.e., tracking, removal) is not performed consistently throughout the organization
    • Company A currently does not have a password management mechanism
    • Company A currently has little to no processes or solutions for access reporting and auditing
    • Formal Role Based Access Control (RBAC) does not exist; closest example of RBAC in Company A's environment is AD security groups that provide access
    • No governed or structured federation taking place at Company A
    Implications
    • Lack of periodic reviews and recertification may lead to orphaned accounts and excessive access
    • Lack of an IAM governance and framework can lead to users having excessive entitlements (i.e., administrative, privileged, non-privileged) that are not required as part of their job function
    • Inconsistent processes utilized to create identities and grant access to required applications, systems, and platforms
    • Untimely granting of access to applications, systems, and platforms
    • Increase in reliance on help desk and other support functions
    • Requirement to manage and administer identities and access rights for non-Company A resources
    • Inconsistent management and oversight of privileged accounts
    Recommendations
    • Establish process for periodic access reporting and auditing
    • Leverage the core IAM capabilities coming out of Parent A and Company A's Integration and Externalization program to govern and manage activities such as provisioning, lifecycle management, RBAC, single sign-on (SSO), self-service, etc.
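The recommendation "establish process for periodic access reporting and auditing" addresses three of the observations at once: orphaned accounts, excessive entitlements, and inconsistently managed privileged accounts. The script below is an added example, not from the deck, showing what one recertification cycle computes: it joins a constructed HR roster with a constructed directory export and flags accounts whose owner is gone, group memberships the owner's job role does not entitle them to, and privileged memberships that lack an approval record. The roster, export, approval register and privileged group list are constructed, and the role-to-group table is an assumption that stands in for the formal RBAC the slide says does not yet exist.

```python
"""Access recertification checks for the IAM findings above: orphaned accounts,
entitlements beyond the owner's role, and privileged group membership without
an approval record.

Added example, not from the deck. The HR roster, directory export, role model,
privileged group list and approval register are constructed; the role-to-group
table stands in for the formal RBAC the slide says does not yet exist.
"""

# Constructed HR roster: employee id -> (status, job role)
HR = {
    "E100": ("active", "finance_analyst"),
    "E101": ("terminated", "dba"),
    "E102": ("active", "helpdesk"),
}

# Constructed directory export; owner=None is an account with no recorded human owner
ACCOUNTS = [
    {"user": "alice", "owner": "E100", "groups": {"Finance-Users", "Domain Admins"}},
    {"user": "bob", "owner": "E101", "groups": {"DBA", "Finance-Users"}},
    {"user": "carol", "owner": "E102", "groups": {"Helpdesk"}},
    {"user": "svc-backup", "owner": None, "groups": {"Backup Operators"}},
]

# Assumed role model: the groups a job role is entitled to
ROLE_GROUPS = {
    "finance_analyst": {"Finance-Users"},
    "dba": {"DBA"},
    "helpdesk": {"Helpdesk"},
}
PRIVILEGED = {"Domain Admins", "DBA", "Backup Operators"}  # constructed
APPROVED_PRIVILEGED = {("bob", "DBA")}  # constructed approval register


def orphaned_accounts(accounts=ACCOUNTS, hr=HR):
    """Accounts with no owner, or whose owner is no longer an active employee."""
    return sorted(a["user"] for a in accounts
                  if a["owner"] is None
                  or hr.get(a["owner"], ("unknown", None))[0] != "active")


def excess_entitlements(accounts=ACCOUNTS, hr=HR, roles=ROLE_GROUPS):
    """(user, group) pairs held by active owners that their role does not entitle them to."""
    excess = []
    for a in accounts:
        rec = hr.get(a["owner"])
        if rec is None or rec[0] != "active":
            continue  # reported by orphaned_accounts instead
        for group in sorted(a["groups"] - roles.get(rec[1], set())):
            excess.append((a["user"], group))
    return excess


def unapproved_privileged(accounts=ACCOUNTS, approved=APPROVED_PRIVILEGED):
    """Privileged group memberships with no approval on record."""
    return sorted((a["user"], g) for a in accounts
                  for g in a["groups"] & PRIVILEGED
                  if (a["user"], g) not in approved)


def recertification_report():
    """The three review lists a manager would be asked to attest or revoke."""
    return {
        "orphaned": orphaned_accounts(),
        "excess_entitlements": excess_entitlements(),
        "unapproved_privileged": unapproved_privileged(),
    }


if __name__ == "__main__":
    for name, rows in recertification_report().items():
        print(f"{name}: {rows}")
```

Note that bob's DBA membership is approved but he is terminated, so it surfaces through the orphan check rather than the privileged check; running the three checks together is what keeps an approval record from masking a leaver.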
  • 68. Secure Development Lifecycle – current state and recommendations: using the ITRM framework as the basis, the key observations, implications and corresponding recommendations are given for each ITRM component.
    Description: Integrate security as a critical component into the organization's software development, integration, and maintenance processes
    Key Observations
    • IS is not typically involved in each stage of the software design process
    • Security guidelines / requirements around the development of software applications are limited
    • Accounts with administrative application access are not reviewed, approved or attested by the IS team
    • Testing systems against security requirements prior to production release is not consistently done across the organization
    Implications
    • Lack of IS involvement may expose software to security gaps
    • Lack of security guidelines / requirements can result in products being developed without the appropriate security controls in place
    • Excessive / unmanaged administrative accounts provide little accountability, allowing for a higher chance of system compromise and exposure of confidential data
    • Security vulnerabilities may not be tested and mitigated prior to production release
    Recommendations
    • Enhance the SDLC framework to better include IS participation in solution design prior to implementation
    • Enhance security guidelines to reflect the lifecycle of development, review, approval and deployment of new products / solutions
    • As part of the IAM program, periodic access reporting and auditing should be conducted on administrative level application accounts
    • Security testing should be performed on systems prior to production release
  • 69. Data Protection – current state and recommendations: using the ITRM framework as the basis, the key observations, implications and corresponding recommendations are given for each ITRM component.
    Description: Helps organizations identify and manage risks and opportunities associated with information management and data protection
    Key Observations
    • Practices for protecting sensitive data may not meet privacy requirements (e.g., use, sharing, control and retention, cross-border data flow)
    • Process around data classification is not followed consistently throughout the organization
    • Company A leverages Parent A's Record Management policy, but does not actively follow the data retention and data destruction processes
    • Process and controls around Data Loss Prevention (DLP) do not exist
    • Process and controls around data lifecycle analysis do not exist
    • Process and controls around data encryption and obfuscation (e.g., database) are limited
    Implications
    • Lack of privacy requirements increases the organization's risk of failing to protect the data from unauthorized access
    • Security controls to protect the data from unauthorized access may not be implemented on data that is incorrectly classified
    • Lack of records management may limit the organization's ability to classify, store, use, share and destroy data
    • Lack of a DLP solution can increase the risk of a data breach due to limited monitoring, detecting & blocking of data while in-use, in-motion and at-rest
    • If not properly managed, appropriate protection and usage controls to protect the data may not be implemented
    • Data that is not properly encrypted increases the risk of it being viewed by unauthorized individuals
    Recommendations
    • Rationalize data privacy requirements and formulate an approach to manage Company A's sensitive data
    • Implement an enterprise-wide data classification standard and approach
    • Leverage Parent A's record management policy to back data up for historical purposes and have it removed / destroyed for decommissioned devices / media in accordance with the record management policy
    • Implement an enterprise-wide DLP solution to detect and prevent unauthorized attempts to copy or move sensitive data
    • Prioritize business processes and implement protection and usage controls for private / sensitive data
    • Implement a data encryption framework that encrypts private / sensitive data
  • 70. Third Party Risk Management – current state and recommendations
    Using the ITRM framework as the basis, key observations, implications and corresponding recommendations are noted for each ITRM component.
    Description: To maintain the security of the organization's information and information processing facilities that are accessed or managed by external parties
    Key Observations:
    • Formal, enterprise-wide third party risk management strategy and approach does not exist
    • Structured risk management of the third party lifecycle at Company A is limited from a security perspective (evaluate & select, contract & on-board, manage & monitor, terminate & off-board)
    • Company A requires a third party questionnaire to be completed before a third party is engaged; however, this is only completed for third party engagements known to IS, and there may be other third party engagements where this questionnaire is not completed
    • A centralized third party inventory does not exist
    Implications:
    • Lack of formal third party risk management and oversight may prevent Company A from identifying critical vendors and third parties essential to business operations
    • Limited third party assessments may lead to vendors and third parties inadequately securing Company A sensitive assets
    • Lack of a third party inventory may prevent Company A from properly managing critical vendors and third parties
    Recommendations:
    • Implement an enterprise-wide third party risk management strategy and approach
    • Develop a third-party risk management framework and processes, including a third-party risk assessment questionnaire
    • Develop and maintain an inventory of existing third parties and corresponding risk ratings
    • Perform proactive third party risk assessments (based on risk levels) and confirm third party capabilities meet security requirements
    • For GxP compliance, establish and execute vendor management capabilities
  • 71. Enterprise Resilience – current state and recommendations
    Using the ITRM framework as the basis, key observations, implications and corresponding recommendations are noted for each ITRM component.
    Description: Business-owned, business-driven process that establishes a fit-for-purpose strategic and operational framework that proactively improves an organization's resilience against the disruption of its ability to achieve its key objectives
    Key Observations:
    • A secondary datacenter and related processes to operationalize it do not exist
    • Mature enterprise resilience program does not exist (e.g., limited formal escalation and crisis management processes, data resiliency, simulation testing)
    • Business Continuity Plan (BCP) for IS does not exist
    Implications:
    • Lack of a secondary datacenter may result in loss of critical business capabilities in the event of a disaster
    • Critical business processes may not be recovered in a timely manner in the event business continuity plans are invoked
    • IS may not be operational within expected timeframes in the event of a disaster
    Recommendations:
    • Implement a secondary data center providing resiliency for critical systems and data
    • Re-evaluate the enterprise resilience program so that:
      • Business impact analysis, including recovery time objectives (RTO) and recovery point objectives (RPO), is reviewed and attested by the business
      • Critical business processes are tested on an end-to-end basis
      • Broader cross-business scenarios such as a large scale cyber attack or large scale vendor site outage are considered
    • Establish and implement a business continuity plan for IS
  • 72. IT Risk & Compliance Management – current state and recommendations
    Using the ITRM framework as the basis, key observations, implications and corresponding recommendations are noted for each ITRM component.
    Description: Services that address an organization's business security requirements and supporting strategies and architectures for establishing an enterprise level security and risk management program
    Key Observations:
    • Company A's agency readiness capabilities related to GxP are not fully established (e.g., compliance practices, computer system validation, vendor management, compliant handling)
    • Formal risk management office does not exist
    • Official risk management policy does not exist; it is currently covered under the IS policy
    • Proactive corrective action tracking and remediation process is not performed consistently across the organization
    • Risk Management is not typically involved in the development of processes and suitable controls managed by other teams
    • Formal education, training, and awareness associated with business operations and risk management / information security is minimal
    Implications:
    • Lack of mature agency readiness capabilities may subject Company A to non-compliance with the FDA
    • Lack of an independent risk management office may cause difficulties enforcing compliance with risk management policies
    • Lack of a risk management policy may prevent disparate groups from understanding which standards should be utilized, potentially leading to inconsistencies across the organization
    • Lack of timely responses to identified issues (e.g., process / control deficiencies) may increase the risk of process or system compromise
    • Lack of risk management involvement may result in processes and controls not being developed in accordance with risk management standards
    • Lack of formal training may prevent Company A resources from understanding the current risk landscape and their roles and responsibilities
    Recommendations:
    • Establish and implement an IS Quality Program for GxP Compliance (compliance practices, computer system validation, vendor management, personnel requirements, compliant handling)
    • Validate GxP systems and remediate as required
    • Develop a risk management office to formalize a risk management framework, including defining roles and responsibilities, policies, standards, and procedures:
      • Implement an in-house assessment strategy prioritizing action items for known issues (e.g., risk & control assessments, internal / external audits)
      • Expand the risk management role to include oversight and administration of new policies, standards, controls, etc.
    • Develop a formal training and awareness education program for employees and third parties that access Company A data and applications
  • 73. IT Operations – current state and recommendations
    Using the ITRM framework as the basis, key observations, implications and corresponding recommendations are noted for each ITRM component.
    Description: To provide a management system, including policies and a framework, to enable the effective management and implementation of IT services
    Key Observations:
    • A formal and structured approach to manage service level agreements (SLA), software releases, testing / validation and changes in production is limited
    • A standardized capacity planning process is not utilized consistently across the organization
    Implications:
    • Lack of SLAs, release management capabilities, testing / validation, and management of changes in production may lead to end users experiencing confusion and difficulties with systems, outages impacting productivity, and security vulnerabilities
    • Lack of adequate capacity planning may lead to service disruptions due to infrastructure components not meeting the needs of the business
    Recommendations:
    • Enhance the use of SLAs; enhance release management and testing / validation capabilities; and enhance management of changes in the production environment
    • Implement a capacity management strategy and approach to evaluate whether capacity meets current and future business requirements
    *Note: No prioritized recommendations for this area.
  • 74. Strategy & Roadmap
  • 75. Level 0 – C&RM "I Can" capabilities
    Recommendations for the components of the strategy and roadmap that enable the C&RM model.
    IT Risk & Compliance Management
      Recommended Initiatives: Establish and Implement IS Quality Program for GxP Compliance; Identify, Validate, and Remediate GxP Systems
      "I Can":
      • I can have formal processes and guidance as it relates to GxP
      • I can determine that vendors have appropriate quality systems and controls in place
      • I can have up-to-date relevant personnel records (e.g., training requirements, job descriptions)
      • I can measure quantitative risk of systems within the environment
      • I can leverage a common methodology for system validation and remediation
      • I can identify GxP systems and their validation state
    Infrastructure Security / Cyber Threat Management
      Recommended Initiatives: Establish Network Tier Segmentation; Enhance Database Security; Enhance Security Monitoring
      "I Can":
      • I can restrict access to sensitive layers in Company A's network (e.g., data tier, backup tier)
      • I can further secure databases by applying required safeguards and measures
      • I can analyze and identify trends related to network security threats
    Enterprise Resilience
      Recommended Initiatives: Establish Secondary Datacenter and Operationalize; Establish IS BCP
      "I Can":
      • I can implement appropriate disaster recovery measures that align with the recovery time objectives (RTOs) and recovery point objectives (RPOs) of the business
      • I can resume normal IS operations within appropriate timeframes
    Data Protection
      Recommended Initiatives: Rationalize Data Privacy Requirements and Formulate Approach
      "I Can":
      • I can determine what controls are required to be compliant with privacy requirements
      • I can identify where sensitive data is
    Identity & Access Management
      Recommended Initiatives: Establish Process for Recurring Access Certification
      "I Can":
      • I can understand who has access to what systems
      • I can regularly review user access reports and certify system access
    Third Party Risk Management
      Recommended Initiatives: Establish Third Party Risk Management Program
      "I Can":
      • I can have formal processes and guidance when managing third party risks
      • I can manage third party risks via assessments stored in a central inventory
  • 76. Level 1 – C&RM capability timeline
    Summary of the capabilities, placed on the roadmap timeline (Year 1 to Year 3, by quarter Q1 to Q4).
    IT Risk & Compliance Management: IS Quality Program established; Capability for system validation & remediation ready
    Infrastructure Security / Cyber Threat Management: Company A network tier segmentation in place & related activities ongoing; Database security approach rolled out; Enhanced security monitoring ready
    Enterprise Resiliency: Datacenter established & operationalized; IS BCP published & in place
    Data Protection: Data privacy requirements rationalized & approach executed
    Identity & Access Management: Access recertification process applied in Company A environment
    Third Party Risk Management: Third Party Risk Management Program established and operationalized
  • 77. Level 2 – C&RM roadmap
    Based on discussions and current state analysis, the following roadmap is recommended to address C&RM priority areas.
    Timeline: Year 1 to Year 3, by quarter (Q1 to Q4). Phase legend: Vision, Plan, Design, Build, Roll-Out, IS Program, Dependency.
    IT Risk & Compliance Management: IS Quality Program for GxP Compliance; System Validation & Remediation
    Infrastructure Security / Cyber Threat Management: Network Tier Segmentation; Database Security; Security Monitoring
    Enterprise Resiliency: Secondary Datacenter; IS BCP
    Data Protection: Data Privacy Requirements (dependency shown on the roadmap: IM&E Data Classification)
    Identity & Access Management: Access Certification (dependencies shown on the roadmap: Parent A IAM Strategy; Company A Externalized IAM Strategy / IAM Governance)
    Third Party Risk Management: Third Party Risk Management Program
    Notes on C&RM roadmap: 1) Beyond the Roll-Out phase, ongoing activities (e.g., updates, maintenance, business as usual) are required for each roadmap initiative
  • 78. Level 3 – Key activities for each C&RM capability
    Timeline: Year 1 to Year 3, by quarter (Q1 to Q4). Phase legend: Vision, Plan, Design, Build, Roll-Out, IS Program, Dependency.
    IT Risk & Compliance Management
      IS Quality Program for GxP Compliance: Define governance model; Design quantitative risk methods, vendor assessment, personnel approach; Build program, vendor / personnel / quantitative risk approaches; Rollout quantitative risk / vendor / personnel processes; Complete transfer to business as usual processes
      System Validation & Remediation: Plan system validation / remediation approach; Develop validation / remediation analysis and risk rating methods; Establish centralized system registry; Execute system validation & remediation
    Infrastructure Security / Cyber Threat Management
      Network Tier Segmentation: Define infrastructure / network tier strategy; Review infrastructure / network tier requirements; Develop migration / production test schedule; Design target state infrastructure / network; Initiate infrastructure / network tier activities; Continue activities to tier network / infrastructure
  • 79. Level 3 – Key activities for each C&RM capability
    Timeline: Year 1 to Year 3, by quarter (Q1 to Q4). Phase legend: Vision, Plan, Design, Build, Roll-Out, IS Program, Dependency.
    Infrastructure Security / Cyber Threat Management
      Database Security: Develop database security plan; Design approach for implementing enhanced security; Implement security configurations and database updates; Rollout configurations and database updates
      Security Monitoring: Review security monitoring strategy and requirements; Select security monitoring vendor; Identify and prioritize endpoints; Implement security solution and customize; Complete transfer to business as usual
    Enterprise Resiliency
      Secondary Datacenter: Determine disaster recovery capabilities and requirements; Prioritize systems that require recovery; Establish disaster recovery infrastructure; Continue to incorporate prioritized systems in disaster recovery capabilities
      IS BCP: Define business continuity requirements; Identify recovery approach options by scenario; Develop scenario-based IS recovery playbooks; Test recovery approach
  • 80. Level 3 – Key activities for each C&RM capability
    Timeline: Year 1 to Year 3, by quarter (Q1 to Q4). Phase legend: Vision, Plan, Design, Build, Roll-Out, IS Program, Dependency.
    Data Protection
      Data Privacy Requirements: Define data privacy strategy; Rationalize data privacy and legal requirements; Identify compliance gaps to privacy and legal requirements and design approach; Develop enterprise data and asset inventory; Execute approach for data privacy compliance
    Identity & Access Management
      Access Certification: Coordinate with existing IAM activities to assess access review / certification capabilities; Define access review / certification processes and guidelines; Deploy access certification process and solution; Operationalize access certification and continue to integrate systems
    Third Party Risk Management
      Third Party Risk Management Program: Define third party risk management strategy; Establish third party risk oversight structure; Define third party risk lifecycle, risk rating, and assessment processes; Build third party risk inventory; Execute assessments and third party risk management processes
  • 81. Supporting Materials
  • 82. Glossary of Key Terms
  • 83. Glossary of key terms
    Access Reporting / Auditing: This functionality allows comparison of user access activity (aggregated from various systems) with user rights and presents access policy exceptions and violations on a report or a dashboard so that the enterprise can take remediation measures to maintain compliance.
    Business Continuity Plan (BCP): Plan for continuing operations in the event of impacted operations.
    Control Objectives for Information and Related Technology (COBIT): Framework created by ISACA for IT management and governance. It is a supporting toolset to bridge the gap between control requirements, technical issues and business risks.
    COBIT 5 Process Capability Model: Process capability is defined on a six point scale from 0 to 5. This scale represents increasing capability of the implemented process, from not achieving the process purpose through meeting current and projected business goals.
    Data Privacy: Process / methodology to manage and maintain private data via risk assessments, remediation plans, monitoring progress, management reporting, responsibilities within the organization, etc.
    Good x Practices (GxP): Quality guidelines to determine whether a product is safe and meets its intended use. Guides quality manufacturing in regulated industries including food, drugs, medical devices and cosmetics.
    Least Privilege: Practice of limiting access to the minimal level that will allow normal functioning. This principle translates to giving people the lowest level of user rights that they can have and still do their jobs. The principle is also applied to things other than people, including programs and processes.
    Network Tier Segmentation: Logical separation of network layers (e.g., web, application, database).
    Recovery Point Objective (RPO): Point in time to which data must be recovered after a business interruption; for example, the end of the previous day's processing.
    Recovery Time Objective (RTO): The period of time in which systems, applications, or functions must be recovered after a business interruption.
    Role Based Access Control (RBAC): A method of enforcing controlled access to an enterprise's systems and data based on a person's role in the business. It is a way of determining whether every person gets access to only what that person needs to perform their duties.
    Security Incident & Event Monitoring (SIEM): Technology that provides real-time monitoring and analysis of security alerts generated by network hardware and applications.
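    The Access Reporting / Auditing, Role Based Access Control and Least Privilege entries above describe one mechanism: aggregate access activity from the systems, compare it with what each person's role entitles them to, and report the exceptions. The Python below is an added example, not code from the deck or from Company A's program; the roles, users, systems, review date and activity records are constructed sample data, and the 90-day review window is an assumed parameter. It produces the two lists a recurring access certification (the Identity & Access Management initiative in the roadmap) needs: activity that no assigned role explains (policy exceptions) and role-granted entitlements that went unused in the window (least-privilege revocation candidates).

```python
"""Access certification report built from role-based entitlements and
aggregated access activity.

Added example, not code from the original deck: every role, user, system
and activity record below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Activity:
    """One access event aggregated from a system's log (constructed)."""
    user: str
    system: str
    permission: str
    day: date


# Constructed RBAC model: role -> entitlements granted as (system, permission).
ROLE_ENTITLEMENTS = {
    "finance_analyst": {("erp", "read"), ("erp", "post_journal"), ("reporting", "read")},
    "dba": {("erp_db", "admin"), ("hr_db", "admin")},
    "helpdesk": {("ad", "reset_password"), ("reporting", "read")},
}

# Constructed user -> role assignments; "dave" is an account with no role.
USER_ROLES = {
    "alice": {"finance_analyst"},
    "bob": {"dba"},
    "carol": {"helpdesk"},
    "dave": set(),
}

# Constructed review date and assumed look-back window for "unused" access.
REVIEW_DATE = date(2013, 9, 30)
WINDOW_DAYS = 90

# Constructed activity aggregated from ERP, database, AD and reporting logs.
ACTIVITY = [
    Activity("alice", "erp", "read", date(2013, 9, 2)),
    Activity("alice", "erp", "post_journal", date(2013, 9, 15)),
    Activity("bob", "erp_db", "admin", date(2013, 9, 20)),
    Activity("bob", "erp", "post_journal", date(2013, 9, 21)),   # no role grants this
    Activity("bob", "hr_db", "admin", date(2013, 5, 1)),          # granted, but outside the window
    Activity("carol", "ad", "reset_password", date(2013, 9, 25)),
    Activity("carol", "hr_db", "admin", date(2013, 9, 26)),       # no role grants this
    Activity("dave", "reporting", "read", date(2013, 9, 27)),     # account has no role at all
]


def effective_entitlements(user, user_roles, role_entitlements):
    """Union of the entitlements granted by every role assigned to the user."""
    granted = set()
    for role in user_roles.get(user, set()):
        granted |= role_entitlements.get(role, set())
    return granted


def find_policy_exceptions(activity, user_roles, role_entitlements):
    """Access events that no assigned role explains.

    These are the access policy exceptions an access report surfaces: the
    right was granted outside the role model or the account is used beyond
    its role, and each one needs a remediation decision.
    """
    return [
        event for event in activity
        if (event.system, event.permission)
        not in effective_entitlements(event.user, user_roles, role_entitlements)
    ]


def find_unused_entitlements(activity, user_roles, role_entitlements,
                             today, window_days=WINDOW_DAYS):
    """Entitlements granted through roles but not exercised in the window.

    Under least privilege these are revocation candidates at certification
    time; activity older than the cutoff does not count as use.
    """
    cutoff = today - timedelta(days=window_days)
    used = {}
    for event in activity:
        if event.day >= cutoff:
            used.setdefault(event.user, set()).add((event.system, event.permission))
    unused = {}
    for user in user_roles:
        idle = effective_entitlements(user, user_roles, role_entitlements) - used.get(user, set())
        if idle:
            unused[user] = idle
    return unused


def build_certification_report(activity, user_roles, role_entitlements, today):
    """Assemble the two lists a reviewer certifies: exceptions and idle access."""
    exceptions = find_policy_exceptions(activity, user_roles, role_entitlements)
    return {
        "review_date": today.isoformat(),
        "exceptions": sorted((e.user, e.system, e.permission) for e in exceptions),
        "unused_entitlements": find_unused_entitlements(
            activity, user_roles, role_entitlements, today),
    }


if __name__ == "__main__":
    report = build_certification_report(ACTIVITY, USER_ROLES, ROLE_ENTITLEMENTS, REVIEW_DATE)
    print("Access certification as of", report["review_date"])
    for user, system, permission in report["exceptions"]:
        print(f"  EXCEPTION  {user:<6} used {permission} on {system} without a role granting it")
    for user, idle in sorted(report["unused_entitlements"].items()):
        for system, permission in sorted(idle):
            print(f"  UNUSED     {user:<6} holds {permission} on {system}, idle for {WINDOW_DAYS} days")
```

    On the constructed data the report flags three exceptions (bob posting journals in the ERP, carol administering the HR database, and dave, who has no role, reading reports) and three idle entitlements, including bob's HR database admin right, whose only use falls outside the 90-day window. In a real program the entitlement model and activity would be pulled from the IAM system and the aggregated logs, and the reviewer's decisions (keep, revoke, re-assign to a role) would be recorded against each line of the report.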
  • 84. Project Tear Sheets
  • 85. Level 4 – IS Quality Program for GxP Compliance
    Project Objectives:
    • Establish governance for GxP compliance with policies, standards, work instructions and processes that support agency readiness capabilities and system compliance requirements
    • Develop a quantitative GxP compliance assessment to evaluate applicable, regulated systems in Company A's environment
    • Develop a vendor compliance assessment to assess Company A's vendors for GxP compliance
    • For Company A personnel, determine job description requirements and confirm appropriate training has been performed
    Project Activities:
    1. Define governance model
    2. Agency readiness, system / vendor / personnel compliance requirements defined
    3. Design approach for IS Quality program (assessment, execution)
    4. Develop quantitative system compliance and vendor assessments
    5. Develop system validation / remediation processes
    6. Execute vendor assessments for GxP compliance
    7. Assess job descriptions and execute training on required processes
    8. Complete transfer to business as usual process
    Project Outcomes:
    • Governance model established
    • Policies and procedures aligned with FDA regulatory requirements
    • Developed readiness criteria to meet FDA requirements
    • Program approach designed and communicated; funding obtained
    • System validation assessment / remediation process defined
    • Vendor assessment for GxP compliance executed
    • Personnel trained on job requirements; training is documented
    • Transferred to business as usual for maintaining compliance
    Resources: Project Leader; Project Manager; GxP Specialist; Business Analyst
    Key Stakeholders: Business Owners; System Owners; IS Teams; Compliance / Security
    Assumptions:
    • IS is the overall owner and approver of processes and procedures, including computer system validation and computer system maintenance
    • Quantitative risk assessments are tailored to current GxP regulations
    • Company A IS is ultimately responsible for compliance determination
    • There is alignment between IS and the business on GxP activities
    • Vendors are contractually obligated to meet Company A's quality and regulatory compliance requirements
    Dependencies:
    • For GxP vendor assessments, there may be linkages to the Third Party Risk Management program that should be coordinated
    • Job descriptions for applicable Company A personnel exist and can be leveraged for personnel compliance activities
    Project Timeline: 6 months to establish (Q3 2013); execution duration varies
    Budget Request: Resource Cost: ~$425K; execution costs may vary
    Milestones / Deliverables: Program Governance; Program Approach Design; IS Quality Program In Place; Vendor Assessment and Personnel Activities In Execution
  • 86. Level 4 – System Validation & Remediation
    Project Objectives:
    • Establish a recurring process to validate and remediate systems for GxP compliance
    • Utilize a centralized system registry for systems that manage sensitive, GxP data
    • Develop risk ranking and system classification guidelines
    Project Activities:
    1. Identify systems that manage sensitive, GxP data
    2. Perform compliance analysis to determine regulatory risk rating
    3. Utilize centralized system registry (database exists)
    4. Develop and socialize validation / remediation plan based on risk rating
    5. Perform validation gap assessment (first on high risk systems)
    6. Begin remediation efforts for systems to be validated and Part 11 compliant
    7. Complete transfer to business as usual process
    Project Outcomes:
    • Regulated systems identified (e.g., location, business owner)
    • Systems classified by risk
    • System registry operational
    • Validation / remediation plan socialized
    • Areas of non-compliance identified
    • Systems remediated to be Part 11 compliant
    • Transferred to business as usual for ongoing validation / remediation
    Resources: Project Leader; Project Manager; GxP Specialist; Business Analyst
    Key Stakeholders: Business Owners; System Owners; IS Teams; Compliance / Security
    Assumptions:
    • Priority of system validation will be based on risk rating
    • There is alignment between IS and the business on GxP activities
    • A structured IS Quality governance model exists
    • System registry will leverage existing CMDB database
    Dependencies:
    • Remediation efforts for systems will not fully be known until validation gap assessments are completed; also, these assessments cannot be performed until systems have been risk rated
    Project Timeline: 4 months to establish (Q3 2013); execution duration varies
    Budget Request: Resource Cost: ~$425K; execution costs may vary
    Milestones / Deliverables: Risk Rating Model and Registry In Place; Validation / Remediation Plan; Validation and Remediation In Execution
  • 87. Level 4 – Network Tier Segmentation
    Project Objectives:
    • Create tiers or separation of layers within Company A's infrastructure / network (e.g., application tier, database tier)
    • Enhance security of Company A's infrastructure / network via tiers to limit exposure to unauthorized users / access
    Project Activities:
    1. Define infrastructure / network tier strategy and requirements
    2. Develop migration and production test schedule
    3. Design target state infrastructure / network
    4. Execute design of tiered infrastructure / network
    5. Pilot: Test systems and databases in tiered infrastructure / network
    6. Complete transition of systems onto tiered infrastructure / network
    Project Outcomes:
    • Strategy and requirements defined
    • Migration schedule finalized
    • Target state infrastructure / network architecture established
    • Tiered infrastructure / network in place
    • System and data testing complete and issues remediated
    • Environment fully tiered
    Resources: Project Leader; Project Manager; Enterprise Architecture; Systems Analyst; Systems Engineer
    Key Stakeholders: Business Owners; System Owners; IS Teams; Compliance / Security; Infrastructure Operations
    Assumptions:
    • Project scope ends after successful pilot and transfer to business as usual
    • Ongoing deployment is managed by operations team
    • Any downtime will be agreed to (alignment between IS and the business)
    Dependencies:
    • Systems and databases ready for tier activities
    • Ongoing tuning and maintenance (e.g., firewalls, network components) required
    Project Timeline: 7 months to establish (Q3 2013); migration to tiers varies
    Budget Request: Resource Cost: ~$625K; execution costs may vary
    Milestones / Deliverables: Tier Strategy and Requirements; Tier Target State Design; Tier Activities In Execution
  • 88. Level 4 – Database Security
    Project Objectives:
    • Secure databases by applying required safeguards and measures
    • Enhance database security review processes to track and remediate vulnerabilities in a timely manner, or implement mitigating controls when remediation is not possible
    • Enhance database security to mitigate the risk of unauthorized access, use, disclosure and modification of data
    Project Activities:
    1. Develop and socialize security remediation plan
    2. Identify database security gaps
    3. Develop approach for legacy databases that cannot be remediated via updates or patches
    4. Pilot: Sample set of databases (more current, legacy, size, etc.)
    5. Execute database security remediation plan and establish ongoing maintenance
    Project Outcomes:
    • Database security gaps identified
    • Remediation plan for database security established
    • Secure approach for legacy databases developed
    • Pilots executed and validated
    • Database security rolled out and ongoing maintenance in place
    Resources: Project Leader; Project Manager; Systems Analyst; DB Security Specialist
    Key Stakeholders: Business Owners; System / Database Owners; IS Teams; Compliance / Security; Infrastructure Operations
    Assumptions:
    • Project scope ends after successful pilot and transfer to business as usual
    • Ongoing deployment is managed by operations team
    • There is alignment between IS and the business on database security activities
    Dependencies:
    • Databases ready for security activities
    • Infrastructure / network tier segmentation has been completed and is in place
    Project Timeline: 4 months to establish (Q3 2013); security rollout varies
    Budget Request: Resource Cost: ~$325K; rollout / maintenance costs vary
    Milestones / Deliverables: Database Security Gap Analysis; Database Security Remediation Plan; Database Security In Execution
  • 89. Level 4 – Security Monitoring
    Project Objectives:
    • Enhance security monitoring capabilities to provide real-time analysis of security alerts and logs generated by critical network hardware and applications
    • Assess existing vendor and potential new vendors to help enhance security monitoring; select vendor
    Project Activities:
    1. Define security monitoring strategy and requirements
    2. Identify and assess security monitoring vendors; select vendor
    3. Identify and prioritize endpoints where monitoring is required
    4. Implement security solution and customize (tune) endpoints
    5. Pilot: Test monitoring, alerts, logs, etc. and validate test results
    6. Complete transfer to business as usual process
    Project Outcomes:
    • Strategy and requirements defined
    • Vendor selected and contractual relationship established
    • Inventory of required endpoints and risk profiles
    • Security monitoring solution deployed; configurations and updates implemented
    • Events / incident testing complete and issues remediated
    • Process transferred to security team for ongoing monitoring and support
    Resources: Project Lead; Project Manager; Enterprise Architecture; System Analyst; System Engineer; Security Specialist
    Key Stakeholders: System Owners and Teams; IS Teams; Compliance / Security; Infrastructure Operations
    Assumptions:
    • Security vendor will provide configuration requirements and settings
    • There is alignment between IS and stakeholders on security monitoring activities
    • Alignment with Parent A on vendor and security monitoring solution
    Dependencies:
    • Infrastructure / network tier segmentation has been completed and is in place
    • Configuration settings have been applied and "tuned" for critical network devices
    Project Timeline: 11 months to establish (Q1 2014 – transfer to business as usual)
    Budget Request: Resource Cost: ~$375K; vendor / ongoing activities not included
    Milestones / Deliverables: Strategy and Requirements; Vendor Selected and Security Monitoring Design; Security Monitoring Solution Implemented
  • 90. Level 4 – Secondary Datacenter
    Project Objectives:
    • Implement a secondary data center providing resiliency for critical systems and data
    • Implement appropriate disaster recovery measures that align with the recovery time objectives (RTOs) and recovery point objectives (RPOs) of the business
    • Test and validate end-to-end recovery of critical business processes
    Project Activities:
    1. Determine disaster recovery (DR) capabilities and requirements
    2. Select secondary datacenter
    3. Prioritize systems requiring recovery for business critical processes
    4. Develop and enhance end-to-end disaster recovery approach for recovery of business critical systems
    5. Build disaster recovery infrastructure
    6. Pilot: Recovery of critical business functions
    7. Establish disaster recovery capabilities for in-scope systems
    Project Outcomes:
    • Disaster recovery capabilities and requirements established
    • Secondary datacenter selected and contractual relationship established
    • Inventory of target systems and prioritization
    • Alignment of resiliency solution with appropriate businesses through evaluation of business impacts, interdependencies, RTOs, and RPOs
    • Infrastructure in place for timely recovery of critical business operations
    • Successful recovery of critical business operations
    • Disaster recovery capabilities established for in-scope systems
    Resources: Project Lead; Project Manager; Enterprise Architecture; Business Analyst; Systems Analyst
    Key Stakeholders: Business Owners; System Owners; IS Teams; Compliance / Security; Infrastructure Operations
    Assumptions:
    • A formal business continuity model exists
    • DR vendor will provide support on developing governance model and processes
    • There is alignment between IS and business on DR activities
    Dependencies:
    • Business critical systems have been identified, prioritized, and agreed upon
    • RTOs and RPOs have been established for each critical system and have been approved by the business
    Project Timeline: 9 months to establish (Q4 2013 – transfer to business as usual)
    Budget Request: Resource Cost: ~$475K; vendor / ongoing activities not included
    Milestones / Deliverables: DR Capabilities and Requirements / Datacenter Selected; Critical System Inventory and Solution Design; DR Infrastructure Established; DR Capabilities Established
  • 91. Level 4 – IS BCP
    Project Objectives:
    • Develop and operationalize a business continuity plan for IS
    • Build capability to resume normal IS operations within appropriate timeframes
    Project Activities:
    1. Define business continuity requirements for IS
    2. Design and socialize governance procedures
    3. Identify recovery approach options by scenario (e.g., unavailability of primary work area) and time of day (e.g., start of day, end of day)
    4. Develop detailed scenario-based IS recovery playbooks based on recovery approach
    5. Test recovery approach for most likely scenarios
    6. Complete transfer to business as usual process
    Project Outcomes:
    • IS business continuity requirements defined
    • Governance documentation published
    • IS recovery approach developed
    • Detailed recovery playbooks (e.g., communication protocols, procedures) published
    • Recovery approach successfully tested
    • Transferred to business as usual for business continuity plan maintenance
    Resources: Project Lead; Project Manager; Business Analyst; Systems Analyst
    Key Stakeholders: System Owners; IS Teams; Compliance / Security; Infrastructure Operations
    Assumptions:
    • There are existing business continuity models to leverage
    • There is alignment between IS and stakeholders on BCP activities
    Dependencies:
    • Critical systems and applications for IS recovery have been identified
    • IS teams are ready and able to participate in the testing process
    Project Timeline: 7 months to establish (Q4 2013 – transfer to business as usual)
    Budget Request: Resource Cost: ~$150K; maintenance costs not included
    Milestones / Deliverables: IS BCP Requirements; BCP Procedures and Playbook; BCP Approach Tested and Validated
  • 92. Level 4 – Data Privacy Requirements
    Project Objectives
    • Rationalize data privacy requirements and formulate approach to manage Company A's sensitive data
    • Develop a dynamic system inventory providing details on systems that contain sensitive data
    Project Activities
    1. Define data privacy strategy
    2. Identify data privacy and legal requirements
    3. Identify data flow for systems that manage sensitive data and areas where controls should be enhanced
    4. Identify compliance gaps to privacy and legal requirements
    5. Develop an enterprise data and asset inventory for sensitive data instances (e.g., server location, data type, data location)
    6. Develop and execute approach for data privacy compliance
    Project Outcomes
    • Data privacy strategy defined
    • Data privacy and legal requirements identified
    • Data flow analysis and privacy controls assessment complete
    • Data privacy gaps identified
    • System management inventory established
    • Approach for data privacy requirements rationalized
    • Remediation of compliance gaps
    Budget Request: Resource cost ~$650K; execution costs may vary
    Resources: Project Lead, Project Manager, Business Analyst, Data Privacy SME
    Key Stakeholders: Data Privacy Business Owners, System / Data Owners, IS Teams, Compliance / Security, Operations
    Assumptions
    • Legal counsel attests to privacy regulations and legal obligations
    • Compliance posture will be reassessed upon changes to privacy or legal requirements
    • There is alignment between Data Privacy group, IS and business stakeholders on data privacy activities
    Dependencies
    • Information Management and Exploitation (IM&E) data classification has been established
    • System inventory with details on privacy compliance will need to be supported by robust technology
    Project Timeline: 12 months to establish (Q2 2014); execution duration varies
    Deliverables / Milestones
    • Data Privacy Strategy
    • Data Privacy Requirements
    • Data Privacy Inventory
    • Data Privacy Compliance in Execution
  • 93. Level 4 – Access Certification
    Project Objectives
    • Develop an enterprise-wide approach to review / certify user access privileges and entitlements
    • Develop an automated tool to assist in the periodic review / certification of user access privileges and entitlements
    • Integrate with Company A / Parent A access management and review / certification activities
    Project Activities
    1. Coordinate with the IAM team to assess access review / certification capabilities
    2. Define access review / certification processes and guidelines
    3. Develop access review / certification approach
    4. Develop or leverage a solution to automate access review / certification
    5. Pilot: Access review / certification solution with sample set of systems
    6. Continue to integrate systems into access review / certification solution
    Project Outcomes
    • Access review / certification capabilities assessed
    • Access review / certification processes and guidelines published
    • Access review / certification approach established
    • Automated review / certification tool developed and piloted
    • Continued system integration with access review / certification solution and transfer to business as usual process
    Budget Request: Resource cost ~$325K; product / ongoing activities not included
    Resources: Project Lead, Project Manager, Business Analyst, System Analyst, System Engineer
    Key Stakeholders: Business Owners, System Owners, IS Teams, Compliance / Security, Infrastructure Operations
    Assumptions
    • Quest system (currently in place) may be leveraged
    • Integration with overall Parent A / Company A IAM activities (governance, identity lifecycle management, provisioning, role based access control)
    • There is alignment between IS and business on access review / certification activities
    Dependencies
    • Impact of overall Parent A / Company A IAM strategy to Company A
    • Externalized IAM and Compliance & Risk Management
    • Parent A / Company A access review / certification solution
    Project Timeline: 9 months to establish (Q1 2014); integration duration varies
    Deliverables / Milestones
    • Review / Certification Capabilities Assessed
    • Review / Certification Processes, Guidelines, Approach
    • Review / Certification Solution Established
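The automated review / certification tool in slide 93 is only described, not shown. As an added illustration (not part of the deck, and not Company A's Quest system or any other real tool), the following Python script builds a certification campaign from an entitlement inventory: it flags entitlements past the review interval for their system's risk tier, accounts whose holders are no longer on the HR roster, and segregation-of-duties conflicts across one user's entitlements. The users, systems, roles, dates, review intervals and SoD rules are constructed for the example.

```python
"""Access certification campaign builder (added example, not the deck's own tool).

Given an entitlement inventory, an HR roster and a review policy, produce the
items a periodic access review / certification campaign must cover:
  * entitlements never certified, or certified longer ago than policy allows
  * orphaned entitlements (holder is no longer an active worker)
  * segregation-of-duties (SoD) conflicts held by a single user
All names, systems, dates and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    role: str
    last_certified: Optional[date]   # None = never reviewed


# Constructed policy: maximum days between reviews, by system risk tier.
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}
SYSTEM_TIER = {"ERP": "high", "Payroll": "high", "CRM": "medium", "Wiki": "low"}

# Constructed SoD rules: role pairs that one person must never hold together.
SOD_CONFLICTS = {
    frozenset({"ERP:vendor_create", "ERP:payment_approve"}),
    frozenset({"Payroll:rate_edit", "Payroll:run_approve"}),
}

# Constructed HR roster of currently active workers.
ACTIVE_USERS = {"alice", "bob", "carol"}

# Constructed entitlement inventory as extracted from the target systems.
INVENTORY = [
    Entitlement("alice", "ERP", "vendor_create", date(2013, 5, 1)),
    Entitlement("alice", "ERP", "payment_approve", date(2013, 8, 20)),
    Entitlement("bob", "Payroll", "rate_edit", None),
    Entitlement("bob", "Wiki", "editor", date(2013, 1, 10)),
    Entitlement("carol", "CRM", "reader", date(2013, 6, 15)),
    Entitlement("dave", "ERP", "reporting", date(2013, 8, 1)),  # dave has left
]


def overdue(inventory, today):
    """Entitlements never certified or certified outside the tier's interval."""
    result = []
    for e in inventory:
        limit = timedelta(days=REVIEW_INTERVAL_DAYS[SYSTEM_TIER[e.system]])
        if e.last_certified is None or today - e.last_certified > limit:
            result.append(e)
    return result


def orphaned(inventory, active_users):
    """Entitlements whose holder is not on the active HR roster."""
    return [e for e in inventory if e.user not in active_users]


def sod_violations(inventory):
    """(user, sorted conflicting role pair) for every SoD rule a user breaks."""
    held = {}
    for e in inventory:
        held.setdefault(e.user, set()).add(f"{e.system}:{e.role}")
    found = []
    for user, roles in held.items():
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                found.append((user, tuple(sorted(pair))))
    return found


def build_campaign(inventory, active_users, today):
    """Campaign items grouped by the reason they need a reviewer's decision."""
    as_item = lambda e: (e.user, e.system, e.role)
    return {
        "overdue": [as_item(e) for e in overdue(inventory, today)],
        "orphaned": [as_item(e) for e in orphaned(inventory, active_users)],
        "sod": sod_violations(inventory),
    }


def default_campaign():
    """Campaign for the constructed inventory on a constructed campaign date."""
    return build_campaign(INVENTORY, ACTIVE_USERS, date(2013, 10, 1))


if __name__ == "__main__":
    for reason, items in default_campaign().items():
        print(reason, items)
```

Each group maps to a different approver in the review process the slide describes: overdue items go to the system owner, orphaned items to HR / the IAM team for removal, and SoD hits to the business owner for a compensating-control decision. Running the same functions on every extraction is what turns a one-off review into the periodic certification the objective calls for.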
  • 94. Level 4 – Third Party Risk Management Program
    Project Objectives
    • Implement an enterprise-wide third party risk management program
    • Establish and perform proactive third party risk assessments (based on risk levels) and confirm third party capabilities meet security requirements
    • Develop and maintain an inventory of existing third parties and corresponding risk ratings
    Project Activities
    1. Define third party risk management strategy
    2. Develop third party risk oversight structure with roles & responsibilities
    3. Define third party risk lifecycle (evaluate & select, contract & on-board, manage & monitor, terminate & off-board), risk rating, and assessment processes
    4. Build central inventory of third parties with associated risk rating
    5. Conduct assessments and roll out third party risk management processes
    6. Complete transfer to business as usual process
    Project Outcomes
    • Third party risk management strategy defined
    • Oversight for third party risk management established
    • Processes for third party risk lifecycle, risk rating, and assessments defined
    • Utilization of third party inventory to manage risk
    • Proactive assessments performed for all third party engagements and any issues are reviewed and addressed
    • Transferred to business as usual for ongoing third party risk management
    Budget Request: Resource cost ~$200K; ongoing costs may vary
    Resources: Project Lead, Project Manager, Business Analyst
    Key Stakeholders: Business Owners, System / Data Owners, IS Teams, Compliance / Security
    Assumptions
    • IS will have the authority to enforce third party engagements being subject to the third party risk management program
    • There is alignment between IS and business on third party risk management activities
    Dependencies
    • For third party assessments, there may be linkages to the GxP vendor assessment activities that should be considered
    • Central inventory of third parties may be enabled with a technology / tool; if so, the inventory would be dependent on the build of this technology / tool
    Project Timeline: 6 months to establish (Q4 2013); rollout duration varies
    Deliverables / Milestones
    • Third Party Risk Management Strategy
    • Third Party Risk Oversight and Processes
    • Third Party Risk Inventory
    • Third Party Risk Management Ongoing
  • 95. ITRM Framework Definitions
  • 96. ITRM framework definitions
    Infrastructure Security: Protection of networks and the supporting infrastructure
    • Antivirus & Malware: Prevention, timely detection, and removal of malware, including but not limited to computer viruses, computer worms, Trojan horses, spyware and adware.
    • Intrusion Detection: Monitor network and / or system activities for malicious activities or policy violations.
    • Network Admission Control: Control access to a company network by integrating with user authentication, validating devices, verifying the device's compliance with security policy, and remediating devices before permitting access to the network.
    • Network / Application Firewall: Restrict access to or from a private network to prevent unauthorized access to hosts, services and applications. Detect and block web application attacks based on current threats and exploits.
    • Proxy / Content Filtering: Implement a content-filtering web proxy server for administrative control over the content that may be relayed through network egress points.
    • Remote Access: Implement controls and mechanisms to restrict access to authorized users from remote locations.
    • Security Monitoring: Monitor security events and information from a wide variety of sources, including third-party devices and hosts.
    • Transmission Encryption: Implement information security controls to protect sensitive data traveling over private networks or the Internet, whether wired or wireless.
    • Wireless Security: Prevent unauthorized access or damage to wireless networks and systems accessed from them.
    • Database Security: Implement information security controls to protect databases and stored data against compromises of their confidentiality, integrity and availability.
  • 97. ITRM framework definitions (continued)
    Physical & Environmental Security: Prevent unauthorized physical access, damage, and interference to the organization's premises and information
    • Physical Perimeter Security: Defining secure areas to be protected by appropriate controls allowing access only to authorized personnel.
    • External & Environmental Threats: Protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster.
    • Contact with Authorities: Defining and maintaining appropriate contacts with relevant authorities to contact during emergencies.
    • Physical Media Handling: Policies and procedures to prevent unauthorized disclosure, modification, removal or destruction of assets.
    • Equipment Security: Implement appropriate physical controls to protect infrastructure from theft, damage and compromise.
  • 98. ITRM framework definitions (continued)
    Cyber Threat Management: Discovering, defining and managing threats and vulnerabilities within information systems and the computing infrastructure
    • Brand Monitoring: Analysis of Internet sites to determine if the company's brand is being improperly represented or used for fraudulent purposes.
    • Computer & Network Forensics: Gathering, retaining, analyzing and preserving the integrity of computer and network related data to support investigations for a variety of reasons such as fraud, computer crime or theft of intellectual property.
    • O/S Hardening & Secure Configuration: Implement and maintain secure configurations on operating systems including the removal of non-essential software, restricting file access permissions, securely configuring services and disabling or restricting system level accounts.
    • Patch Management: Acquiring, testing, and installation of system changes to address software flaws, including the removal or mitigation of security vulnerabilities.
    • Penetration Testing: Evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and insiders (who have some level of authorized access).
    • Threat Intelligence: Implement processes and mechanisms to mine internal log information and correlate it with external intelligence to facilitate improved risk response and make informed decisions related to security measures.
    • Threat Modeling: Analysis of threats against the organization's valuable assets to identify weaknesses and opportunities to improve security and prevent damage.
    • Vulnerability Management: Identifying, quantifying, prioritizing, tracking and remediating the vulnerabilities in a system, reducing the risks resulting from exploitation of published technical vulnerabilities.
  • 99. ITRM framework definitions (continued)
    Identity & Access Management: Access to information, information processing facilities, and business processes controlled on the basis of business and security requirements
    • Federation: Enables access to internal systems for business partners and vendors without creating local identities for them (based on a virtual trust model).
    • Access Governance: Involves creation of enterprise roles, processes to manage the role lifecycle, access re-certifications & remediation, and Segregation of Duties policies & other business rules.
    • Access Reporting / Audit: Provides integrated reporting around current user access (who has access to what) and centralized audit (approvals, key user operations).
    • Data Platform Integration: Provides the ability to connect and integrate with end systems to complement Account Management, Access Management, Privilege Management, Password Management and Federation.
    • Privileged User Management: Complements User Account Management with Privileged Account Management by streamlining request, assignment and revocation of passwords.
    • Access Management: Management of fine-grained authorization for targets via a centralized policy store, with policy administration, decision, information and enforcement.
    • User Account Management: Provisioning / de-provisioning; involves management of user identities across systems (user-id) and coarse-grained privileges, including password self-service.
  • 100. ITRM framework definitions (continued)
    Secure Development Lifecycle: Integrate security as a critical component into the organization's software development, integration, and maintenance processes
    • Security / Risk Requirements: Define explicit system security / risk requirements including functional, technical and user access requirements.
    • Security Design / Architecture: Defining security related aspects of the technical, operations and application architecture including such areas as user authentication, authorization, data segregation, data protection, logging and monitoring, secure interfaces between components and user provisioning mechanisms.
    • Application Role Design / Access Privileges: Design access privileges and associated templates to enable access to specific application functions and data, restricting access to those individuals who are permitted while enforcing appropriate segregation of duties.
    • Secure Coding Guidelines: Establish and implement guidelines for secure application coding to reduce the potential of vulnerabilities resulting from coding errors.
    • Secure Build: Construct applications and supporting infrastructure leveraging the security / risk requirements as well as industry demonstrated security practices; configure access privileges and provision access to enable users to perform required business functions.
    • Security Testing: Test the system against security requirements including 1) proper functioning of user access rights to enable users to perform required business functions while appropriately restricting access to data and 2) identification and mitigation of system security vulnerabilities.
    • Roll-out & Go-live: Releasing the new application / system in the production environment after completing the stages of the secure system development lifecycle, including support and resolution of system access issues.
    • Application Security Administration: Coordination, implementation and administration of user access privileges including maintenance of and enhancements to user access profiles and provisioning of user access.
  • 101. ITRM framework definitions (continued)
    Data Protection Management: Helps organizations identify and manage risks and opportunities associated with information management and data protection
    • Data Retention & Destruction: Storing data for backup and historical purposes, and enabling retired devices and media to have their contents securely removed, destroyed, or overwritten.
    • Data Loss Prevention: Identify, monitor, and protect data in use, data in motion and data at rest through content inspection and contextual security analysis within a centralized management framework.
    • Data Encryption & Obfuscation: Convert data from an understandable form to a non-understandable form to reduce the potential of access by unauthorized users.
    • Breach Notification & Management: Provide notification of a data or privacy breach to affected individuals, regulatory authorities, covered entities and media.
    • Data Lifecycle Analysis: Prioritize business processes and document the flow of sensitive data through those business processes while identifying protection and usage controls (lifecycle includes data collection / creation, storage, use, transfer and destruction).
    • Data Classification & Inventory: Information is classified in terms of its value, legal requirements, sensitivity, and criticality to the organization.
  • 102. ITRM framework definitions (continued)
    Third Party Risk Management: To maintain the security of the organization's information and information processing facilities that are accessed or managed by external parties
    • Third Party Assessment Program: Regularly assess the risks to the organization's information and information processing facilities accessible or managed by third parties.
    • Third Party Governance: Define third-party agreements and contracts so that third parties that access, process, or manage the organization's information or information processing facilities meet its requirements.
    • Third Party Compliance (Regulatory, SLA): Regularly assess third parties to determine compliance with organizational security policies and predefined SLAs.
    • Remediation and Exception: Develop procedures to manage and remediate information security risks posed by third parties and exceptions to organizational security policies.
    • Incident Management and Response: Define third-party agreements related to incident response in the event of a security breach or restoration of services in the event of an outage.
  • 103. ITRM framework definitions (continued)
    Enterprise Resilience: Business-owned, business-driven process that establishes a fit-for-purpose strategic and operational framework that proactively improves an organization's resilience against the disruption of its ability to achieve its key objectives
    • Escalation and Crisis Management: An escalation process is used to escalate problems and issues – to determine if a disaster should be "declared". A declaration will be performed by an executive crisis management team, based on predefined criteria and procedures.
    • Maintenance: The strategies and plans should be dynamic and updated regularly to remain current with system enhancements and changing business requirements. This recovery maintenance should be integrated into the change management system and process.
    • Testing and Exercising: Testing the strategy and plans identifies gaps within the recovery strategy and plans. It enables organizations to recover within the agreed upon recovery objectives. It provides a metric that will be integrated into the governance program. It also serves to train individuals within the organization.
    • Recovery Plans and Procedures: The recovery plans and procedures should contain detailed guidance and procedures for restoring a data center, system, network or application. The procedures should be integrated with the problem management or business continuity plan development system.
    • Recovery Strategies: Recovery strategies should be developed for data centers, computer rooms and applications. The recovery strategy should enable the applications and systems to be recovered within the recovery objectives that were agreed upon with the business functions and risk steering committee.
    • Business Impact Analysis: The BIA helps to identify and prioritize critical IT systems and components. The BIA should be aligned with the business processes and their Maximum Tolerable Downtime (MTD). The primary objective of the BIA is to derive a Recovery Point Objective (RPO) and a Recovery Time Objective (RTO).
    • Data Backup: A foundational element is that production data and storage should have frequent, scheduled backups, taken offsite. For highly critical data, storage should be mirrored or replicated to a secondary location. The data backup solution must align with the RPO.
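The Business Impact Analysis and Data Backup definitions above state three relationships a DR design must satisfy: the RTO must fit inside the MTD, the backup interval must not exceed the RPO, and highly critical data needs an offsite replica. As an added worked example (not from the deck), the following Python check applies those rules to a constructed inventory of critical systems and derives the recovery sequence from the agreed RTOs; the system names, tiers and hour values are constructed for illustration.

```python
"""BIA / backup alignment check (added example, not part of the deck).

For each critical system the BIA yields an MTD, an RTO and an RPO. This check
verifies:
  * RTO does not exceed the business's Maximum Tolerable Downtime (MTD)
  * the backup interval does not exceed the RPO (otherwise the newest
    restorable copy can be older than the loss the business accepted)
  * backups are taken offsite, and highly critical data is additionally
    mirrored or replicated to a secondary location
Systems, tiers and numbers are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CriticalSystem:
    name: str
    tier: str                      # "highly critical" or "critical" (constructed labels)
    mtd_hours: float               # Maximum Tolerable Downtime from the BIA
    rto_hours: float               # Recovery Time Objective agreed with the business
    rpo_hours: float               # Recovery Point Objective agreed with the business
    backup_interval_hours: float   # how often a restorable copy is taken
    backup_offsite: bool           # copies leave the primary site
    replicated: bool               # mirrored / replicated to a secondary location


# Constructed inventory: one aligned system and three with design gaps.
INVENTORY = [
    CriticalSystem("order-db", "highly critical", 4, 2, 0.25, 0.25, True, True),
    CriticalSystem("erp", "highly critical", 8, 4, 1, 24, True, False),
    CriticalSystem("file-share", "critical", 72, 48, 24, 24, False, False),
    CriticalSystem("intranet", "critical", 48, 72, 24, 12, True, False),
]

TIER_RANK = {"highly critical": 0, "critical": 1}


def check_system(s):
    """Return the DR design gaps for one system (empty list = aligned)."""
    gaps = []
    if s.rto_hours > s.mtd_hours:
        gaps.append(f"RTO {s.rto_hours}h exceeds MTD {s.mtd_hours}h")
    if s.backup_interval_hours > s.rpo_hours:
        gaps.append(f"backup every {s.backup_interval_hours}h cannot meet RPO {s.rpo_hours}h")
    if not s.backup_offsite:
        gaps.append("backups are not taken offsite")
    if s.tier == "highly critical" and not s.replicated:
        gaps.append("highly critical data is not replicated to a secondary location")
    return gaps


def assess(inventory):
    """Map system name -> gaps for every system that has at least one gap."""
    findings = {}
    for s in inventory:
        gaps = check_system(s)
        if gaps:
            findings[s.name] = gaps
    return findings


def recovery_order(inventory):
    """Recovery sequence: shortest RTO first, ties broken by tier, then name."""
    key = lambda s: (s.rto_hours, TIER_RANK[s.tier], s.name)
    return [s.name for s in sorted(inventory, key=key)]


if __name__ == "__main__":
    for name, gaps in assess(INVENTORY).items():
        print(name)
        for g in gaps:
            print("  -", g)
    print("recovery order:", recovery_order(INVENTORY))
```

The point of running this against the real system inventory, rather than reading the BIA once, is that the numbers drift: a backup job rescheduled from hourly to nightly silently breaks the RPO of every system that depends on it, and only a recurring check against the agreed objectives catches it before a test or a real recovery does.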
  • 104. ITRM framework definitions (continued)
    IT Risk & Compliance Management: Services that address an organization's business security requirements and supporting strategies and architectures for establishing an enterprise level security and risk management program
    • Regulatory and Standards Research: Relevant statutory, regulatory, and contractual requirements and the organization's approach to meet these requirements are explicitly defined, documented, and kept up to date.
    • Integrated Req. & Control Framework: Rationalized requirements and controls integrated from multiple industry standards, frameworks and policies.
    • Risk & Compliance Assessment: Risk assessments to identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization.
    • Policies, Standards & Procedures: Management of guiding principles used to set direction in an organization.
    • Issue & Corrective Action Planning: Steps that management takes to track, manage and remove the causes of an existing non-conformity or risks.
    • Exception Management: Practice of investigating, resolving and handling exception occurrences.
  • 105. ITRM framework definitions (continued)
    IT Operations: To provide a management system, including policies and a framework to enable the effective management and implementation of IT services
    • Asset Management: Define a broad asset inventory and assign appropriate owners.
    • SLA, Service Validation & Testing: Define Service Level Agreements (SLA) to respond to service requests. Define processes to ensure the appropriate level of validation and testing is performed before making any changes in the production environment.
    • Release Management: Define processes to effectively manage software releases or any other changes in the production environment.
    • Configuration & Change Management: Define processes to review and manage changes to configurations and systems consistently with the appropriate level of validation and approvals.
    • Capacity Management: Define processes to enable IT capacity to meet current and future business requirements effectively.
    • Incident & Problem Management: Define processes to restore business as soon as possible or to respond to service requests.
  • 106. To be continued… Thank you!