Info sec 2011 julen c mohanty
1. IT Governance & Risk Management
Julen C. Mohanty
Citicorp Services India Ltd
17th June 2011, The Oberoi, Bangalore
2. DISCLAIMERS
Any views or opinions showcased in this presentation are solely those of the author and may not necessarily represent those of Citigroup.
This document is meant for the use of ITNEXT or its affiliated members. It is to be used within ITNEXT or its affiliated members and is not to be forwarded to anyone outside ITNEXT or its affiliated members.
3. INDEX
- What is Governance
- What is Risk Management
- Classification of IT Risk
- IT Risk in ERM
- IT Governance Process
- IT Risk Evaluation
- IT Risk Scenarios
- IT Risk Tolerance
- How to Act on Risk
- IT Risk Controls

4. What is Governance
Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures.
IT Governance primarily deals with the connection between business focus and IT management. The goal of clear governance is to ensure that investments in IT generate business value and that the risks associated with IT projects are mitigated.

5. What is Risk Management
Risk management is the identification, assessment and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of unfortunate events, or to maximize the realization of opportunities.
Risk = Threat * Vulnerability * Asset
Severity of Risk = Likelihood * Impact
Residual Risk = Risk - Control (shorthand for the risk that remains after controls have reduced likelihood and/or impact)
- Risk and value are two sides of the same coin.
- Risk is inherent to all enterprises.
Enterprises need to ensure that opportunities for value creation are not missed by trying to eliminate all risk.
6. Classification of IT Risk
- IT Benefit/Value Enablement Risk
  - Technology as enabler for new business initiatives
  - Technology as enabler for efficient operations
- IT Program/Project Delivery Risk
  - Project quality
  - Project overrun
  - Project relevance
- IT Operations/Service Delivery Risk
  - IT service interruptions
  - Security issues
  - Compliance issues

7. IT Risk in ERM
Enterprise Risk comprises:
- Market Risk
- Credit Risk
- Operational Risk
- Compliance Risk
- Strategic Risk
- Environmental Risk
- IT Risk, which in turn comprises:
  - IT Benefit/Value Enablement Risk
  - IT Program/Project Delivery Risk
  - IT Operations/Service Delivery Risk
8. IT Governance Process
Risk Governance:
- Define, establish and maintain a common risk view
- Integrate with ERM
- Make risk-aware business decisions
Risk Governance essentials: responsibility and accountability for risk; risk appetite and tolerance; awareness and communication; risk culture.
Risk Evaluation:
- Collect data
- Analyze risk
- Maintain risk profile
Risk Evaluation essentials: risk scenarios; business impact descriptions; key risk indicators (KRIs).
Risk Response:
- List down risks
- Manage risk
- React to events
Risk Response essentials: risk response definition and prioritization.
Business Objectives sit at the centre of the three domains, and Communication ties them together.

9. IT Risk Evaluation
COBIT Information Criteria:
- Effectiveness
- Efficiency
- Confidentiality
- Integrity
- Availability
- Compliance
- Reliability

10. IT Risk Evaluation
Balanced Scorecard:
- Financial
- Customer
- Internal
- Growth

11. IT Risk Evaluation
Extended Balanced Scorecard:
- Financial
  - Share value
  - Profit
  - Revenue
  - Cost of capital
- Customer
  - Market share
  - Customer satisfaction & service
- Internal
  - Internal & regulatory compliance
- Growth
  - Competitive advantage
  - Reputation

12. IT Risk Evaluation
Westerman's 4 A's:
- Agility
- Accuracy
- Access
- Availability

13. IT Risk Evaluation
COSO ERM:
- Strategic
- Operations
- Reporting
- Compliance

14. IT Risk Evaluation
FAIR (forms of loss):
- Productivity
- Cost of response
- Cost of replacement
- Competitive advantage
- Legal
- Reputation

15. IT Risk Scenarios
Event:
- Disclosure
- Modification
- Theft
- Ineffective design
Threat type:
- Malicious
- Accidental/error
- Failure
Asset/resource:
- People & organization
- Process
- Infrastructure
- Application

16. IT Risk Scenarios
Time:
- Duration
- Timing of occurrence
- Time to detect
Actor:
- Internal (staff, contractor)
- External (competitor, outsider, business partner, regulator, market)

17. IT Risk Tolerance
A tolerance map with Severity on one axis and Frequency on the other, banded from the high corner down as:
- Critically Unacceptable
- Unacceptable
- Acceptable
- Opportunity
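As an added example that is not part of the presentation, the formulas from the "What is Risk Management" slide and the tolerance map above can be combined into a small risk register in Python: scenarios are assembled from the event, threat type, asset and actor components of the "IT Risk Scenarios" slides, scored with Severity = Likelihood * Impact, reduced by controls to a residual score, and banded on a Severity x Frequency map. The 1..5 ordinal scales, the additive control reduction, the band thresholds and the sample scenarios are all assumptions constructed for this example; the slides give only the formulas, the axis names and the band names.

```python
"""Toy IT risk register built from the scenario components on the slides.

Scales, additive control reductions, band thresholds and sample scenarios are
assumptions for this example, not content from the presentation.
"""
from dataclasses import dataclass, field

# Scenario building blocks taken from the "IT Risk Scenarios" slides.
EVENTS = {"disclosure", "modification", "theft", "ineffective design"}
THREAT_TYPES = {"malicious", "accidental/error", "failure"}
ASSETS = {"people & organization", "process", "infrastructure", "application"}
ACTORS = {"internal", "external"}


@dataclass
class Control:
    name: str
    reduction: int  # severity points removed (assumed additive: Residual = Risk - Control)


@dataclass
class RiskScenario:
    name: str
    event: str
    threat_type: str
    asset: str
    actor: str
    likelihood: int            # assumed ordinal scale 1..5
    impact: int                # assumed ordinal scale 1..5
    frequency_per_year: float  # expected occurrences per year (assumed unit)
    controls: list = field(default_factory=list)

    def __post_init__(self):
        # Reject scenarios built from components the taxonomy does not define.
        for value, allowed, label in (
            (self.event, EVENTS, "event"),
            (self.threat_type, THREAT_TYPES, "threat type"),
            (self.asset, ASSETS, "asset"),
            (self.actor, ACTORS, "actor"),
        ):
            if value not in allowed:
                raise ValueError(f"unknown {label}: {value!r}")
        for score in (self.likelihood, self.impact):
            if not 1 <= score <= 5:
                raise ValueError("likelihood and impact must be on the 1..5 scale")

    def severity(self) -> int:
        """Severity of Risk = Likelihood * Impact (inherent, before controls)."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Residual Risk = Risk - Control, floored at zero."""
        return max(0, self.severity() - sum(c.reduction for c in self.controls))


def tolerance_band(severity: int, frequency_per_year: float) -> str:
    """Map (severity, frequency) to the tolerance bands named on the slide.

    Thresholds are an assumption: high severity is intolerable regardless of
    frequency, and a risk that recurs at least yearly is pushed up one band.
    """
    recurring = frequency_per_year >= 1.0
    if severity >= 20 or (severity >= 12 and recurring):
        return "Critically Unacceptable"
    if severity >= 12 or (severity >= 6 and recurring):
        return "Unacceptable"
    if severity >= 3:
        return "Acceptable"
    return "Opportunity"


def risk_register(scenarios):
    """Score every scenario inherently and residually; highest residual first."""
    rows = []
    for s in scenarios:
        rows.append({
            "name": s.name,
            "severity": s.severity(),
            "inherent_band": tolerance_band(s.severity(), s.frequency_per_year),
            "residual": s.residual(),
            "residual_band": tolerance_band(s.residual(), s.frequency_per_year),
        })
    return sorted(rows, key=lambda r: (-r["residual"], r["name"]))


# Constructed sample scenarios, not data from the presentation.
SAMPLE_SCENARIOS = [
    RiskScenario("Customer data disclosure via web app", "disclosure", "malicious",
                 "application", "external", likelihood=4, impact=5, frequency_per_year=2.0,
                 controls=[Control("WAF + input validation", 3), Control("DB encryption", 3)]),
    RiskScenario("Unpatched core switch failure", "ineffective design", "failure",
                 "infrastructure", "internal", likelihood=3, impact=3, frequency_per_year=1.5,
                 controls=[Control("Redundant switch pair", 4)]),
    RiskScenario("Contractor mis-files a procedure doc", "modification", "accidental/error",
                 "process", "internal", likelihood=2, impact=1, frequency_per_year=0.1),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_SCENARIOS):
        print(f"{row['name']:<40} inherent {row['severity']:>2} ({row['inherent_band']})"
              f"  residual {row['residual']:>2} ({row['residual_band']})")
```

The register shows the point of the "Residual Risk = Risk - Control" line: the first sample scenario keeps a "Critically Unacceptable" band even after two controls, so under these thresholds it would still need a further response, while the switch-failure scenario drops from "Unacceptable" to "Acceptable" once redundancy is counted. Replace the assumed thresholds with the enterprise's own appetite and tolerance statement before using anything like this for real decisions.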
18. How to Act on Risk
A PLAN - DO - CHECK - ACT cycle:
- PLAN (what, when, how)
- DO (identify & analyze)
- CHECK & ACT (mitigate & control)
- Monitor & reporting (watchful)
A continuous and interlocked process, definitely not separate events.

19. IT Risk Controls
- Business objectives
- Align with ERM
- Control
- IT risk management
- Balance cost/benefit of IT risk
- Accountability
- Top management commitment
- Communication
- Function as part of daily activities

20. Thank You
julenmohanty@gmail.com
www.twitter.com/julenmohanty
www.linkedin.com/julenmohanty