Iob gm's lecture 7th jan 2014  GRC and corporate governance in Financial services
GRC and corporate governance
  • Speaker note: Government is by the people, for the people, and of the people.
  • Speaker note: How do you handle it, and where do you start? It is part of the SWOT analysis (strength, weakness, opportunity and threat analysis). Threat modeling, like any other systems analysis such as reliability analysis, is a good starting point: decompose your system, analyze each component for susceptibility to the threats, and mitigate the threats.
  • Speaker note: The development was guided by the Software Engineering Institute's efforts in the late 80's in building maturity models for software development. By using such a scale, an organization can determine where it is, define where it wants to go and, if it identifies a gap, it can do an analysis to translate the findings into projects. Reference points can be added to the scale. Comparisons can be performed with what others are doing, if that data is available, and the organization can determine where emerging international standards and industry best practices are pointing for the effective management of security and control.


  • 1. Wishing You All A Very Happy & Prosperous New Year 2014 Your Professional Well-wisher Prof. K. Subramanian
  • 2. Governance, Risk & Compliance in Cyber Era: Business Services Assurance in Cyber Era. Challenges before the Financial Services sector. Prof. K. Subramanian, SM(IEEE, USA), SMACM(USA), FIETE, SMCSI, MAIMA, MAIS(USA), MCFE(USA); Founder Director & Professor, Advanced Center for Informatics & Innovative Learning (ACIIL), IGNOU; Ex-IT Adviser to CAG of India; Ex-Sr. DDG (NIC), Ministry of Comm. & IT; Emeritus President, eInformation Systems, Security, Audit Association; Former President, Cyber Society of India. Slide footer: 01/15/14 Prof.KS@2014 IOB GM's presentation Jan 14
  • 3. Agenda: Introduction; Governance components; Risk Assurance & Standards & Compliance; Assurance Framework & PPP; Challenges for Technologists & Businesses
  • 4. Notable Quotes
    • "The poor have sometimes objected to being governed badly; the rich have always objected to being governed at all." - G. K. Chesterton
    • "Ever since men began to modify their lives by using technology they have found themselves in a series of technological traps." - Roger Revelle
    • "The law is the last interpretation of the law given by the last judge." - Anon.
    • "Privacy is where technology and the law collide." - Richard Smith (who traced the 'I Love You' and 'Melissa' viruses)
    • "Technology makes it possible for people to gain control over everything, except over technology." - John Tudor
  • 5. Mediating Factors between Organizations and Information Technology (diagram): Environment, Culture, Structure, Standard Procedures, Politics, Management Decisions, Chance
  • 6. Principles of Good Governance: Leadership, Selflessness, Integrity, Objectivity, Accountability, Openness, Honesty. Humane Governance should be creative, use knowledge for national wealth and health creation, understand the economics of knowledge, and have high morality.
  • 7. Governance Components: Project Governance; IT Governance; Legal Governance; Security Governance; Human & Humane Governance
  • 8. Cyber Governance Components
    • Environmental & ICT Infrastructure
    • Operational (logistics integration)
    • Technology (synergy & convergence)
    • Network (multi-modal network)
    • Operational Integration (functional)
    • Professional Integration (HR)
    • Emotional/Cultural Integration
    • Technology Integration
    • Management (HRM, SCM & CRM)
    • Impact (feedback correction)
  • 9. Corporate Governance: Business Assurance Framework
    • Global phenomena: Combined Code of UK and SOX of USA; Basel II & III; Project Governance; IT Governance; Human & Humane Governance
    • India initiatives: 1. Clause 49; 2. Basel II & III (RBI); 3. SEBI corporate governance implementation directives; 4. Risk management - RBI (Basel 2/3) & TRAI; 5. MCA initiatives 2013
  • 10. Global Issues with Governance of Cyber Space
    • Information Technology & Business: current status and future. Does IT matter?
    • IT-enabled business: the role of information and information systems in business; the role of information technology in enabling business; IT dependence
    • Changing role of the CIO
    • Web 2.0 and 3.0 and governing cyberspace: eBusiness, eHealth, eBanking, eGovernance
    • Current challenges and issues
  • 11. Creating Trust in an Enterprise. Today's information explosion is creating challenges for business and technology leaders at virtually every organization. The lack of trusted information and the pressure to reduce costs are on the minds of CEOs and senior executives around the world. What is required to solve these challenges is a paradigm shift: from generating and managing silos (of information, of talent and skills, of technologies and of projects) to an environment where information is a trusted, strategic asset that is shared across the company.
  • 12. Transition from Insurance to Audit to Assurance: a layered framework
    • Insurance
    • Audit: pre, concurrent and post audit; IT audit (environmental, operational, technology, network, financial, management, impact); electronic continuous audit; certification
    • Assurance: management & operational assurance (risk & ROI); technical assurance (availability, serviceability & maintainability); financial assurance; revenue assurance (leakage & fraud); legal compliance & assurance (governance)
  • 13. [Slide 13 is a matrix of roles in a public-private partnership: actors (Business, Government, Civil society) against capability dimensions (technical, financial, regulatory, developmental, informational). The cell layout is not recoverable from the extracted text; the entries shown are: ICT operations and maintenance; project management and construction; ICT transaction/concession design; ICT planning and design; ICT technical solutions; marketing and distribution; training; borrowing capacity; capital investment, e.g. network expansion; investment in R & D; investment promotion; legal framework for freedom of information; sales and promotions; ICT risk/venture capital; access to development finance; ICT infrastructure strategy; revenue collection; design parameters; ICT regulatory powers (price, quality, interconnections, competition); subsidies; innovation (high risk), e.g. community telecentres; local customer knowledge; capacity to network; knowledge of user demand, e.g. technology and information gaps; ICT skills development; expertise in design of 'relevant' content; a voice for the socially excluded; capacity to mobilise civil society.]
  • 14. Integration: Operational Integration; Professional Integration (HR); Emotional/Cultural Integration; ICT & Government; Business & Services Integration; multi-technology coexistence and seamless integration; Information Assurance (quality, currency, customization/personalization). ICE is the sole integrator. IT Governance is important.
  • 15. Managing Interdependencies: Critical Issues
    • Infrastructure characteristics (organizational, operational, temporal, spatial)
    • Environment (economic, legal/regulatory, technical, social/political)
    • Coupling and response behavior (adaptive, inflexible, loose/tight, linear/complex)
    • Type of failure (common cause, cascading, escalating)
    • Types of interdependencies (physical, cyber, logical, geographic)
    • State of operations (normal, stressed/disrupted, repair/restoration)
  • 16. Up The Value Chain (figure only)
  • 17. Enabling to Rapidly Move up the Governance Evolution Staircase [figure: five stages plotted against cost/complexity and value over time, each with strategy/policy, people, process and technology elements: 1. Searchable Database (publish), 2. Interaction, 3. Transaction, 4. Transformation, 5. Outsourcing. The per-stage elements cannot be reliably recovered from the extracted text except for stage 5: define policy and outsource execution; retain monitoring and control; evolve PPP model; outsource service delivery staff, process execution staff, customer-facing processes and backend processes. Other elements shown on the staircase include: public response/email, content management, increased presence, support staff, knowledge management, e-mail best practice, metadata, data synchronisation, streamlined processes, web site, markup, search engine, competition, confidentiality/privacy, fee for transaction, e-authentication, self-services, skill set changes, portfolio management, sourcing, BPR, relationship management, online interfaces, channel management, legacy system links, security, information access, 24x7 infrastructure, funding stream allocations, agency identity, "Big Browser", job structures, relocation/telecommuting, performance accountability, multiple-programs skills, privacy reduces, integrated services, trigger change value chain, new processes/services, changed relationships (G2G, G2B, G2C, G2E), new applications, new data structures.]
  • 18. Threat & Vulnerability Management
    • Authenticating user identities with a range of mechanisms, such as tokens, biometrics and Public Key Infrastructure
    • Developing user access policies and procedures, rules and responsibilities and a standardized role structure that helps organizations meet and enforce security standards
    • Centralizing user data stores in a single enterprise directory that enables increased efficiencies in user administration, access control and authentication
    • Reducing IT operating costs and increasing efficiency by implementing effective user management to support self-service and automate workflow, and by provisioning and instituting flexible user administration
    • You need an integrated threat and vulnerability management solution to better monitor, report on and respond to complex security threats and vulnerabilities, as well as meet regulatory requirements.
    • You need to protect both your own information assets and those you are custodian of, such as sensitive customer data.
    • You want a real-time, integrated snapshot of your security posture.
    • You want to correlate events from data emerging from multiple security touch points.
    • You need support from a comprehensive inventory of known threat exposures.
    • You need to reduce the cost of ownership of your threat and vulnerability management system.
  • 19. Risk Identification
    • Assess current security capabilities, including threat management, vulnerability management, compliance management, reporting and intelligence analysis.
    • Define and identify technology requirements for bridging security gaps.
    • Integrated Security Information Management: develop processes to evaluate and prioritize security intelligence information received from external sources, allowing organizations to minimize risks before an attack.
    • Implement processes that support the ongoing maintenance, evolution and administration of security standards and policies.
    • Determine asset attributes, such as direct and indirect associations, sensitivity and asset criticality, to help organizations allocate resources strategically.
    • Assist in aggregating security data from multiple sources in a central repository or "dashboard" for user-friendly presentation to managers and auditors.
    • Help design and implement a comprehensive security reporting system that provides a periodic, holistic view of all IT risk and compliance systems and outputs.
    • Assist in developing governance programs to enforce policies and accountability.
  • 20. 9 Rules of Risk Management (RiskMetrics Group)
    • There is no return without risk: rewards go to those who take risks.
    • Be transparent: risk is measured and managed by people, not mathematical models.
    • Know what you don't know: question the assumptions you make.
    • Communicate: risk should be discussed openly.
    • Diversify: multiple risks will produce more consistent rewards.
    • Show discipline: a consistent and rigorous approach will beat a constantly changing strategy.
    • Use common sense: it is better to be approximately right than to be precisely wrong.
    • Return is only half the question: decisions are to be made only by considering the risk and return of the possibilities.
  • 21. Threat Modeling
    • Threat modeling is critical to address security: prevention, detection, mitigation.
    • There is no universal model yet; it is mostly case-by-case, but efforts are under way.
    • The Microsoft threat modeling tool allows one to uncover security flaws using STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege).
    • Decompose, analyze and mitigate.
    • Insider threat modeling is essential.
  • 22. Insider Threat Modeling
    • How can modeling help you? It is an alternative to live vulnerability testing (which is not feasible). Modeling and analysis will reveal possible attack strategies of an insider.
    • Modeling and risk analysis can help answer the following questions statically: How secure is the existing setup? Which points are most vulnerable? What are likely attack strategies? Where must security systems be placed?
    • What you cannot model: non-cyber events (disclosures, memory dumps, etc.)
  • 23. Calder-Moir IT Governance Framework (figure only). Slide footer: 10th september 2013 Prof. KS@2013 Assocham conf GRC 2013
  • 24. CXO Internal Strategic Alliances: CIO & CEO - business-led information strategy; CIO & CMO - competitive edge & CVP; CIO & CTO - cost-benefit optimization; CIO & CFO - shareholder value maximization; CIO & CHRO - employee performance and rewards; CIO & Business Partners - virtual extended enterprise
  • 25. The Productivity Promise: Capital Productivity (ROI, EVA, MVA); Material Productivity (60% of cost); Managerial Productivity (information worker); Labour Productivity (enabled by IW); Company Productivity (micro); Factor Productivity (macro)
  • 26. CEO-CTO-CIO-CSO: CXO & IT Governance Responsibility. The roles and responsibilities for IT governance, highlighting the parts played by the CEO, business executives, CIO, IT steering committee, technology council, and IT architecture review board. "These systems should ensure that both business and technology managers are properly engaged in identifying compliance requirements and planning compliance initiatives which typically involve complementary adjustments in systems, practices, training and organization"
  • 27. Four Faces of a CIO & CIO Management Framework (figure only)
  • 28. Way Forward: learn more about own businesses; reach out to all business & function heads; sharpen internal consultancy competences; proactively seize the repertoire of partners; foster two-way flow of IS & line talent.
  • 29. Standards, Standards, Standards: Security; Audit; Interoperability; Interface (systems/devices/comm.); Architecture/Building Blocks/Reusable; HCI (Human Computer Interface); Process; Environmental (Physical, Safety); Data Interchange & mail messaging; Layout/Imprint
  • 30. Importance of Group Standards: no one standard meets all requirements. ISO 27001/BS7799 vs COBIT vs CMM & PCMM vs ITIL. The figure shows two parallel chains: Mission, Business Objectives, Business Risks, Applicable Risks, Internal Controls, Review.
  • 31. "IT Regulations and Policies: Compliance & Management". Creativity vs command and control: too much creativity results in anarchy; too much command & control kills creativity. We need a balancing act in IT regulations and policies, compliance & management.
  • 32. Governance & Assurance Maturity Model (figure only)
  • 33. Assurance in the PPP Environment (figure only)
  • 34. Governance - Final Message: "In governance matters the past is no guarantee; the present is imperfect and the future is uncertain." "Failure is not when we fall down, but when we fail to get up."
  • 35. Learning From Experience
    1. The only source of knowledge is experience. -- Einstein
    2. One must learn by doing the thing; for though you think you know it, you have no certainty, until you try. -- Sophocles
    3. Experience is a hard teacher because she gives the test first, and the lesson afterwards. -- Vernon Sanders Law
    4. Nothing is a waste of time if you use the experience wisely. -- Rodin
  • 36. Security/Risk Assurance Expectations: "To determine how much is too much, so that we can implement appropriate security measures to build adequate confidence and trust." "To derive a powerful logic for implementing or not implementing a security measure."
  • 37. Let us Assure Good Governance & Business Assurance in Cyber Era. THANK YOU. For interaction: Prof. K. Subramanian, Tele: 011-22723557
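The "decompose, analyze and mitigate" loop behind slides 21 and 22 and the speaker notes, worked as an added Python example that is not code from the lecture or from the Microsoft tool: it applies the STRIDE-per-element rule to a small net-banking model, lists the threats each element has no control for, and ranks the weakest points. The banking elements, the control names and the one-control-per-category mapping are constructed assumptions for illustration.

```python
"""STRIDE-per-element threat enumeration: decompose, analyze, mitigate.
Added example, not part of the lecture slides; the banking elements and
control names are constructed for illustration."""
from dataclasses import dataclass, field
# STRIDE-per-element rule of thumb (as in the Microsoft SDL threat modeling
# tool): which threat categories apply to each kind of diagram element.
STRIDE_BY_KIND = {"external": "SR", "process": "STRIDE", "store": "TID", "flow": "TID"}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information Disclosure", "D": "Denial of Service",
         "E": "Elevation of Privilege"}
# One representative control per category (assumption); holding it counts as mitigated.
CONTROLS = {"S": "authentication", "T": "integrity-check", "R": "audit-log",
            "I": "encryption", "D": "rate-limit", "E": "authorization"}

@dataclass
class Element:
    name: str
    kind: str                   # external | process | store | flow
    zone: str                   # trust zone; flows use "src->dst"
    controls: set = field(default_factory=set)
    audit_store: bool = False   # stores holding logs also face Repudiation

def applicable(e: Element) -> str:
    """Decompose: STRIDE letters for one element. Flows inside a single
    zone are NOT exempted, because an insider already sits in that zone."""
    return STRIDE_BY_KIND[e.kind] + ("R" if e.audit_store else "")

def unmitigated(e: Element) -> list[str]:
    """Analyze: threats with no matching control on the element."""
    return [NAMES[c] for c in applicable(e) if CONTROLS[c] not in e.controls]

def required_controls(e: Element) -> set[str]:
    """Mitigate: controls that would close every open threat."""
    return {CONTROLS[c] for c in applicable(e) if CONTROLS[c] not in e.controls}

def rank_weak_points(elements: list[Element]) -> list[tuple[str, int]]:
    """'Which points are most vulnerable?': elements by open-threat count."""
    return sorted(((e.name, len(unmitigated(e))) for e in elements),
                  key=lambda t: (-t[1], t[0]))

# Constructed model of a small net-banking path, not a real bank's design.
MODEL = [
    Element("customer", "external", "internet", {"authentication"}),
    Element("teller", "external", "branch"),  # privileged insider actor
    Element("netbanking", "process", "dmz", {"authentication", "encryption", "rate-limit"}),
    Element("txn_flow", "flow", "dmz->core", {"encryption"}),
    Element("ledger", "store", "core", {"encryption", "authorization"}),
    Element("audit", "store", "core", {"integrity-check", "audit-log"}, audit_store=True),
]

if __name__ == "__main__":
    for name, n in rank_weak_points(MODEL):
        e = next(x for x in MODEL if x.name == name)
        print(f"{name:10} open={n} needs={sorted(required_controls(e))}")
```

The ranking only counts open categories per element; a real assessment would weight them by asset criticality, as slide 19 asks for.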