ciso-platform-annual-summit-2013-IT risk as business risk
Presented by Wayne Tufek at CISO Platform Annual Summit, 2013. Wayne Tufek is currently the IT Security and Risk Manager at the University of Melbourne. His career spans over 17 years as an active hands on practitioner of information security and technology risk management. He has worked in the public sector, Big 4, financial services, consumer products and education sectors.
  1. CISO PLATFORM ANNUAL SUMMIT
     IT Risk as Business Risk
     Wayne Tufek
     CISO Platform Annual Summit, November 15-16, Hyatt Regency Mumbai

  2. Agenda
     • Overview of IT risk
     • What causes IT risk?
     • The business consequences of IT risk
     • Examples

  3. Overview of IT Risk
     • Risk
     • IT risk
     • IT governance
     • Risk management

  4. What Causes IT Risk?
     • George Westerman from MIT Sloan
     • http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/
       – Failure of oversight and governance processes (ineffective IT governance)
         • Series of poor decisions and badly structured IT assets
         • Locally optimised decisions
         • Lack of business involvement
       – Uncontrolled complexity
       – Inattention to risk
     • IT risk results from decision-making processes that ignore the full range of business needs that arise from using IT

  5. The Business Consequences of IT Risk
     • The four A's: Agility, Accuracy, Access, Availability
     Source: George Westerman, http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/

  6. The Business Consequences of IT Risk (cont)
     Enterprise IT risks:
     • Availability – business continuity, DRP
     • Access – information protection, knowledge sharing, preventing attacks
     • Accuracy – data integrity, regulatory compliance
     • Agility – ability to implement major strategic change
     IT risk factors (the slide groups these under Technology & Infrastructure, Applications & Information, People & Skills, Vendors & Other Partners, Policy & Process and Organisational; the column layout did not survive extraction, so the items are listed together here):
     • Technology & Infrastructure / Applications & Information: configuration management, architecture complexity, degree of standardisation, redundancy, age of technology, data integrity, degree of customisation
     • People & Skills / Vendors & Other Partners / Policy & Process / Organisational: turnover, SLAs, controls, skills planning, use of firm's standards, degree of standardisation, recruiting/training, sole source risk, accountability, IT/business relationship, cost cutting, complexity, funding
     Source: George Westerman, http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/

  7. Example Risk Factors
     • Availability
       – Alternative site
       – Excessive time to restore (RTO, RPO, MTO)
       – Special hardware or equipment or a unique environment
       – Network links

  8. Example Risk Factors
     • Access
       – Financial impact of unauthorised modification of data
       – Impact of unauthorised disclosure
       – Are duties segregated?
       – Is access based on the user's role?
       – Can the system track user actions and provide reports?
       – How effective is the access provisioning/deprovisioning process?

  9. Example Risk Factors
     • Accuracy
       – What is the financial impact of incorrect applications?
       – How will inaccuracy impact customers and the organisation's reputation?
       – What regulatory and government compliance is required?
       – Is there a high level of customisation?
       – Are calculations performed by any third parties?

  10. Example Risk Factors
     • Agility
       – Is the system hard coded with custom features that are difficult to modify?
       – Is the system supported by the vendor?
       – Does the system require hard-to-obtain technical resources to maintain support?
       – Can the system be scaled in terms of volume?
       – Is the documentation adequate?
       – Does the system run on out-of-date software?

  11. Example
     • Single Sign-On implementation, assessed against the four A's: Agility, Accuracy, Access, Availability
     Source: George Westerman, http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/

  12. Example
     • Moving corporate data to the cloud, assessed against the four A's: Agility, Accuracy, Access, Availability
     Source: George Westerman, http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/

  13. Questions

  14. Contact
     • wtufek@unimelb.edu.au
     • LinkedIn
       – http://www.linkedin.com/pub/wayne-tufek/0/338/312