Dr Bakari presentation

Transcript

  • 1. Is IT governing us or are we governing it? Managing ICT Related Risks: Who is Responsible and What Went Wrong?
    Dr. Jabiri Kuwe Bakari (BSc. Computer Sc., MSc. (Eng.) Data Communication, Ph.D.), Lecturer & Director, Institute of Educational Technology, The Open University of Tanzania. E-mail: jabiri.bakari@out.ac.tz
    Hilton Double Tree Hotel, Oyster Bay, Slipway Road, 8th December 2010
    ©2010 Open University of Tanzania – Dr. Jabiri K. Bakari
  • 2. Agenda
    – Introduction
    – An overview of ICT and its security problem
    – ICT related risks
    – What went wrong
    – Who is responsible
    – Lessons from others
    – What can be done?
  • 3. Technology Trend
    – Stone, Iron, Industry, Information Age!
    – The world has now moved from natural resources to an information economy.
    – Information held in public and private organisations' information systems is among the most valuable assets in the organisation's care and is considered a critical resource, enabling these organisations to achieve their objectives.
  • 4.
    – Because organisations' value has moved from tangible to intangible assets, the risks have moved too; hence overall corporate risk management should take a new track.
    – Today ICT is in almost all national critical infrastructure.
  • 5. ICT in Critical National Infrastructures
    Private and public organizations, government, and the national security system increasingly depend on an interdependent network of critical physical and information infrastructures. Examples:
    – energy production, transmission, and distribution
    – telecommunications
    – financial services
    – transportation sectors: railways, highways, airports etc.
    – systems for the provision of water and food for human use and consumption
    – continuity of government
    – chemical industry and hazardous materials
    – agriculture
    – defence industrial base
    – gas and oil storage and transportation
  • 6. The national economy is increasingly reliant upon certain critical infrastructures and upon cyber-based information systems. Any compromise or attack on our infrastructure and information systems may be capable of significantly harming our economy!
  • 7. Agenda
    – Introduction
    – An overview of ICT and its security problem
    – ICT related risks
    – What went wrong
    – Who is responsible
    – Lessons from others
    – What can be done?
  • 8. An overview of ICT & its security problem
    Information security is about protection of ICT assets/resources in terms of Confidentiality, Integrity and Availability (of information and services), and Access Control to Information. It involves protective/proactive, detective, and reactive and/or recovery measures.
    Diagram (holistic view of the ICT security problem): software (operating systems, application software) as a set of instructions; ICT; the valuable asset of organisations – Information.
  • 9. An overview of the ICT security problem
    Managing ICT security is a continuous process by which an organisation determines what needs to be protected and why; what it needs to be protected from (i.e. threats and vulnerabilities); and how (i.e. mechanisms) to protect it for as long as it exists. A holistic approach is required.
    Diagram labels: an authorised user abusing his/her privileges (e.g. disgruntled staff); malicious software (virus, worm or denial-of-service attack, backdoors, salami attacks, spyware, etc.) can be introduced here!; physical security of the hardware; the valuable asset of the organisations – Information.
  • 10. ICT related risks from the Business Perspective
    Business risks result from using ICT as a business enabler without having in place proper ICT governance and related risk controls.
  • 11. Refer to the workshop at the GOLDEN TULIP HOTEL, DAR ES SALAAM, 23rd August 2006 (four years ago).
  • 17. Problem by then
  • 18. Security Management in the organisations – Tanzania: a perception problem
    – At the strategic level: absence of an ICT security policy; no defined budget for ICT security; perceived as a technical problem and not a business risk.
    – At the operational level: perceived to belong to the IT departments and in some cases not coordinated.
    – Absence of designated ICT security personnel/unit.
  • 19. An overview of ICT Security Management in the organisations – Perception Problem: ad-hoc
  • 20. By mid-2007 a final Holistic Approach for Managing ICT Security in Organisations was produced. Presented in a book: ISBN 91-7155-383-8.
    Diagram (ICT security management process; labels: The Environment, The Organisation, The Organisation's goal & services, Stakeholders, Introduction of ICT Security Management Process (Initialisation), Internalised & Continuous Process). Guidelines shown:
    – General Management's attention & Backing (GL-01)
    – Strategic (Top) Management's Backing (GL-02)
    – Technical Management's Backing (GL-03)
    – Form Project Team & Plan (GL-04)
    – Quick Scan (GL-05)
    – Awareness & Backing of General Staff (GL-06)
    – Risk Assessment/Analysis (GL-07)
    – Operationalisation (ICT Security Policy, Services & Mechanisms) (GL-08)
    – Mitigation Planning (GL-09)
    – Develop Counter Measures (GL-10)
    – Review/Audit ICT Security (GL-11)
    – Maintenance (Monitor the Progress) (GL-12)
  • 21. Each process maps the holistic view of the security problem. Diagram labels: Users; valuable asset – Information.
  • 22. Management team discussing the ICT security problem: "This is a technical problem" / "This is a business problem". Diagram labels: Users; valuable asset – Information.
  • 23. Four Years Later – more developments and more problems…
  • 24. Agenda
    – Introduction
    – An overview of ICT and its security problem
    – What went wrong
    – Who is responsible
    – Lessons from others
    – What can be done?
  • 25. ICT Service delivery problems
  • 26. ICT Service delivery problems
    Problems related to failure of accessing computerized services in a number of connected offices or outlets. (Image: customer at an ATM)
  • 27. ICT Service delivery problems
  • 28. Customers waiting to pay their taxes!
  • 29. ICT operational incidents
    – Transaction delays
    – Deposit, withdraw & send money using a mobile phone
  • 30. ICT disposal management
    – ICT hardware disposal
    – Sensitive information found on the hard disks
  • 31. Is IT governing us or are we governing it?
  • 32. Despite the many technical solutions available, the problem of managing ICT-related risks in organisations is increasingly becoming a major concern to many ICT-dependent organisations.
  • 33. What went wrong? And why in Tanzania?
  • 34. ICT Risk Management Drivers – a Comparative Study of Sweden, USA, India, and Tanzania (IEEE CRiSIS 2007)
  • 35. The interesting questions here were:
    – What is it that makes the difference?
    – Is it because of the consequences of globalisation?
    – Is it because of the different regulations and requirements that need to be complied with in a given country?
    – Is it because of market pressure or customer demand?
    – Is it because of different cultures, in that, according to Robbins, national culture continues to be a powerful force in explaining a large proportion of organisations' behaviour?
  • 36. Objectives
    – The objective of this study was to investigate the effects of some possible ICT risk management drivers on the process of getting senior management involved in ICT risk management, and hence accountable.
    – The investigation was carried out by taking case studies of four countries, namely Sweden, USA, India, and Tanzania.
    – The drivers investigated were mainly Globalisation, Market Pressure, Customer Demand and Regulatory Requirements.
  • 37. Examples of ICT Risk Management Drivers
    – One condition for global collaboration between different organisations, cultures and time zones is a "common language", i.e. internationally accepted standards and frameworks.
    – By using these standards and frameworks, security and quality can be defined, agreed on and followed up.
    – One further advantage is the fact that offshore suppliers are normally certified, using these standards and frameworks.
    – Their prospective customers can more easily assess security and quality requirements.
    Side boxes: Sarbanes-Oxley Act of 2002 (SOX), controlled and enforced by the US Securities and Exchange Commission; Committee of Sponsoring Organizations (COSO) framework; Control Objectives for Information and related Technology (COBIT), an IT governance framework.
  • 38. Research approach, Methodology
    – Based on the four studies, the status and experiences of how ICT risk management is being practised in organisations in Sweden, USA, India and Tanzania were investigated.
    – Findings from the four studies were used as input to investigate senior management's involvement in the ICT risk management process.
  • 39. Studies in the four Countries (Sweden)
    – A study on Swedish government agencies concerning the use of IT security indicated:
      – lack of support from senior management;
      – ICT security is not carried out in a systematic way, which makes it difficult for the management to prioritise between different risks and countermeasures, causing difficulties in following up the state of security.
    – The use of models for return on security investment also shows the lack of support from senior management. The reason for this is probably that using risk analysis has not gained the approval of the management.
    – Another study was carried out by interviewing information security managers and risk managers at 7 large Swedish trade and industry organisations making extensive use of ICT, most of them also with large international operations.
      – The overall summary of the result from the study is that risk analysis is not used as a method to allocate resources for increasing the security level for the ICT systems.
  • 40. Studies in the four Countries (USA)
    – The USA study was based on the "2006 CSI/FBI Computer Crime and Security Survey", which is based on the responses of 616 computer security practitioners in US corporations, government agencies, financial institutions, medical institutions and universities.
      – The survey indicated a substantial decrease in the total dollar amount of financial losses resulting from security breaches.
    – Probably this is due to the introduction of SOX: "The Sarbanes-Oxley Act has changed the focus of information security in my organisation from technology to one of corporate governance".
    – For example, the Act:
      – requires the CEO and CFO to personally certify the correctness of the financial reports (section 302);
      – demands the certification of the underlying (IT) processes (section 404);
      – requires that financial events of importance be reported within four days (section 409);
      – provides that a person who deliberately destroys documents, physical or electronic, including e-mail, may be sentenced to up to twenty years' imprisonment (section 802).
  • 42. Studies in the four Countries (India)
    – The study in India was based on a medium-sized company as a representative of an outsourcing company in India, on the assumption of getting an average indication (2006).
    – An example was iGATE corporation, which was ISO2000 certified, ISO27001 certified, COBIT maturity level 5 and SOX compliant.
    – The reason they have done this is that they see it as absolutely essential to have these standards and frameworks implemented in order to remain in business.
    – In India, customer demand and market pressure make security a top priority for senior management.
      – Several Indian offshore suppliers are listed on the USA stock market and so have to fulfil SOX requirements and have the same level of security in place.
  • 43. Studies in the four Countries (Tanzania)
    – The study in Tanzania took place between 2003 and 2006; the respondents were mainly senior management, Chief Financial Officers, operational managers, IT managers and general and technical staff.
    – The study indicated that the focus of the organisations is on what is commonly known as "Computerisation".
      – Very little or no attention at all is paid to managing ICT-related risks.
    – This was partly found to be due to the following reasons:
      – not knowing that they are vulnerable to ICT-related risks as a result of computerisation;
      – ICT risk is not seen as a risk to the organisation's business;
      – the relaxed culture and lack of formal ICT and ICT security policies and procedures;
      – believing that ICT security is a technical problem, and therefore both ICT in general and ICT security in particular being set aside for more important things.
  • 44. Today in Tanzania …
  • 45.
    – Poor planning and management of ICT
      – Lack of alignment between ICT strategy and business strategy
      – High cost of ICT with low or unproven return on investment (ROI)
    – ICT staff with inadequate skills
      – Non-ICT "ICT staff", coupled with non-ICT "ICT vendors" and sometimes non-ICT "ICT consultants"
      – Where relevant skills exist, they are underutilised
  • 46.
    – Problems in acquisition of ICT related solutions
      – Ad hoc and uncoordinated ICT initiatives
      – Mostly vendor- or donor-driven solutions, with too much dependence on vendor & donor, and not locally tailored
  • 47. Problem in Acquisition of ICT related Solutions
    Diagram labels: User Dept; PMU; Tender board (lack of appropriate ICT expert); Tender Evaluation team (lack of ICT evaluation expert); Vendor (vendors communicate directly to the user); Store; ICT Dept/Division/Directorate (they are the experts; recall "set of technical instructions"!) are consulted for inspection against the specification, and if software then it is run in a test environment; Good practice vs. bad practice, with a lot of security implications; ICT Disposal.
  • 48.
    – No proper ICT related risk management
      – Security policy and procedures not in place
      – Inadequate business continuity measures
      – Serious ICT operational incidents
      – ICT not meeting nor supporting compliance requirements
  • 49.
    – Obsolete organization structure
      – ICT function seen as only operations, not as cross-cutting
      – Structure should consider current ICT development and its socio-economic impacts
  • 50. Obsolete Org structures
    Diagram: management/strategic function: CEO, Directors; Line Managers; operational function: ICT Dept. Annotations on the ICT Dept: under-staffed; not well utilized, especially in public organisations; no clear job description; not motivated.
  • 51. Lack of awareness about ICT related risks among customers – while talking about Internet banking: how many people have read the bank customer service contract/agreement?
  • 52. Agenda
    – Introduction
    – An overview of ICT and its security problem
    – What went wrong
    – Who is responsible
    – Lessons from others
    – What can be done?
  • 53. Referring to the studies, one can see that Market Pressure and Customer Demand, which lead to regulatory requirements such as SOX, are significant risk management drivers.
    Diagram (Globalisation effect and SOX requirements, including frameworks, against Market Pressure & Customer Demand): USA and India – strong demand; Sweden and Tanzania – weak demand; one cell is qualified "only in some cases".
  • 54.
    – The key point was to get senior management's backing and involvement in the ICT risk management process.
    – This study shows that even though there are international standards and frameworks for feedback on how the ICT risks are handled in an organisation, compliance with regulations seems to be the strongest driver actually affecting the involvement of senior managers in the ICT risk management process.
    – However, in noting this, we also include (but view it as happening in earlier feedback cycles) that Globalisation, Customer Demand and Market Pressure are drivers that initiate regulations (such as SOX) and thus interact as indicated earlier.
  • 55.
    – Through regulation (such as SOX), senior managers were in varying degrees held personally accountable; we have seen, for example, that some sections, as mentioned, are very tough.
    – However, there is still a need to identify more drivers of ICT risk management on the international and national scenes. It seems important to investigate how national, organisational and security cultures can blend and adapt in order to handle ICT security risks as part of the ordinary business processes.
  • 56. Currently, empirical data concerning the influence of cultural factors on ICT risk management are weak. We are now researching how cultural factors might affect or drive the ICT risk management process.
  • 57. Agenda
    – Introduction
    – An overview of ICT and its security problem
    – What went wrong
    – Who is responsible
    – Lessons from others
    – What can be done?
  • 58. ICT is critical and strategic to an organization's business operations. ICT involves huge investments and great risks.
  • 59.
    – Top management and oversight bodies that are vested with day-to-day planning, organizing, controlling, directing and staffing responsibilities have a broad stake in ensuring that everything, including ICT matters, is properly manned and managed.
    – Boards of Directors are vested with such responsibilities.
    – ICT related risk management requires strategic direction and a driving force, and the Board is responsible for that through the CEO.
  • 60. Agenda
    – Introduction
    – An overview of ICT and its security problem
    – What went wrong
    – Who is responsible
    – Lessons from others
    – What can be done?
  • 61.
    – Corporate board compositions to include ICT experts, just like the way we include board members with legal and finance competences
    – Organization's goals and strategic objectives well aligned with ICT strategies
    – Tender Boards and Tender Evaluation Committees should also include personnel with ICT expertise
    – Organization structures should be reviewed to place ICT at the strategic level, not only the technical/operational level
    – Industry and academia should facilitate research in ICT risk-related issues, to foresee the future and potential incoming threats
  • 62. Conclusion and Outlook
    – The principal goal of an organization's risk management process should be to protect the organization and its ability to achieve its mission,
    – and therefore ICT related risk management should be part of the overall corporate risk management, because value has moved from tangible to intangible assets.
  • 63. Approaching IT governance
    – Aligning IT & business
    – Managing service delivery for the promised service level
    – Managing resources for maximum benefit
    – Managing risk to foresee problems and mitigate them
    – Measuring performance to monitor and report on delivery performance
  • 64. How could the management of ICT related risks be improved, in order to reduce the potential financial damage as a result of computerisation? Answer: A Holistic Approach for Managing ICT Security in Non-Commercial Organisations. A Case Study in a Developing Country. Presented in a book: ISBN 91-7155-383-8.
  • 65. How to plan and design a suitable ICT Security Management Process
  • 66. It's now the intangible economy! Information is the most valuable asset and is the only commodity that can be stolen without being taken! If organizations do not address these problems then they should expect severe financial damage resulting from service interruption, reputation damage, loss of strategic information, liability claims and loss of property. The dependence of core business operations on ICT makes ICT an important strategic tool.
  • 67. Thank you!