Extreme risk - how bad tech mgmt destroys firms
Usage Rights

CC Attribution License

Comments
  • Thanks Dave. Fixed! Repetition on purpose, but I'll re-look at it in a couple of days
  • slide 13 '9and', slide 32 seems like the first use of a period, slide 39 'reovery', slide 53 seems redundant with slide 47: the latter is mistake 8 and the former mistake 7 but the text is the same, covering both data and systems, again on slide 61. Same with a few other slides in those sections. Maybe you can combine data and system security risks or differentiate more. Good stuff as always.

Presentation Transcript

    • EXTREME RISK: 10 WAYS POORLY MANAGED TECH CAN DESTROY YOUR COMPANY
    • dude, failing to manage IT risk is serious
    • you might have to stop doing business altogether
      stolen data can be used against your customers
      the press may have a field day on you
      it will be even worse in social media
      you could lose critical assets
      employees or directors could go to jail
      competitors may learn your secrets
      you may have to pay fines
      the trust you've built into your brand may disappear
      IT can be extremely complex & opaque, may require
    • and just cause you're a small, nimble start-up does not give you license to be sloppy (especially if you hope to pass exit due diligence)
    • here are 10 obvious, but common, mistakes to avoid…
    • MISTAKE 1: LACK LEADERSHIP
    • Leadership must understand the strategic importance of technology risk management. They must also be involved with decision-making and communicate like crazy
    • Leadership must put in place a technology risk management (TRM) framework that includes the right culture, policies, standards (enterprise requirements), & control procedures. They must also be responsible for communications & the quality of firm-wide execution
    • Leadership must get the right people, in the right roles, at the right time, with the right training
    • Leadership must ensure that risks are identified and prioritized by likelihood and severity
    • Leadership must identify control gaps, prioritize and budget for remediation, & monitor projects to close them
    • Leadership must approve & track exceptions
    • Line managers must be engaged & accountable for TRM. TRM must not be seen as red tape. It must be seen as a core job function of a technology manager (and disciplined/rewarded as such)
    • MISTAKE 2: LACK TRM FRAMEWORK
    • A TRM Framework must protect data & IT assets from unauthorized access or disclosure, misuse, and fraudulent modification
    • A TRM Framework must ensure data confidentiality, system security, reliability, resiliency, & recoverability
    • A TRM Framework must define roles & responsibilities
    • A TRM Framework must identify & prioritize IT assets
    • A TRM Framework must identify & assess impact and likelihood of operational & emerging risk, including internal & external networks, hardware, software, interfaces, operations, and human resources. The firm must also have a mechanism to identify risk trends externally
    • A TRM Framework must methodically & regularly inventory and prioritize risks, controls, exceptions, and gaps
    • A TRM Framework must be updated regularly
    • MISTAKE 3: LACK PARTNER OVERSIGHT
    • IT provided or supported by partners* must be in scope & leadership must fully understand outsourcing risks. Outsourced IT infrastructure is still part of your TRM. You can't wash your hands of it
      * Provision or support includes system development and support, DC ops, network admin, BCP, hosting / cloud, and can involve one or more parties in or out of country
    • Proper due diligence must ensure viability, capability, reliability, & stability of vendors
    • Written contracts must define expected risk-related service levels, roles, obligations, & control processes* in detail. They must also be reviewed regularly
      * For example, performance targets, service levels, availability, reliability, scalability, compliance, audit, security, contingency planning, disaster recovery and backup
    • A Service Level Management Framework such as the IT Infrastructure Library (ITIL) must ensure continuing, monitored controls compliance
    • An exit / backup plan must be in place to switch partners if required
    • MISTAKE 4: LACK PORTFOLIO MANAGEMENT
    • The entire technology portfolio/platform must be managed through its lifecycle. The business must be engaged with portfolio strategy as a key stakeholder
    • Enterprise architecture strategy must be supported by accurate & accessible MIS and asset management data
    • Leadership must define, document, & communicate the target state platform
    • A professional Project / Change Management Framework like the Project Management Body Of Knowledge (PMBOK) or ITIL must guide change from current to target
    • A professional Quality Management program should ensure quality of build and operate. For example, a documented software development lifecycle (SDLC) should effectively guide development & code quality
    • There must be strong testing & code review controls
    • IT acquisition must be strategically aligned
    • Technology exit planning must be explicit & tracked
    • MISTAKE 5: LACK SERVICE MANAGEMENT
    • Ongoing IT operations must be guided by a Service Management (SM) Framework like ITIL
    • The SM Framework should cover:
      • Change Management & DevOps
      • Release & Deployment Management
      • Capacity Management
      • Incident Management
      • Problem Management
      • Source Code Control
      • Asset Inventory & Config Management
      • Backup & Recovery
    • MISTAKE 6: LACK RECOVERABILITY
    • The firm needs a realistic, business-prioritized, strategically-aligned & simple business continuity plan (BCP) that ensures reliability, performance, scalability, availability, and recoverability
    • The BCP should identify critical systems (those that must not go down) as well as recovery point objectives (RPO) and recovery time objectives (RTO) to guide restoration service levels
    • The disaster recovery plan should cover multiple scenarios, expose dependencies, & be tested regularly
    • Backup management must ensure that IT assets can be recovered as soon as required, depending on priority, & that dependencies are understood
    • There should be a Communications Plan defined in advance to deal with various scenarios
    • MISTAKE 7: LACK DATA SECURITY
    • You must protect data, hardware, software, and networks from accidental or intentional unauthorized access or tampering by internal or external parties
    • You must identify levels of data sensitivity and ensure escalating levels of protection based upon the significance / priority of risk
    • You must have end-to-end data protection such as encryption when you are dealing with confidential data. Your controls / standards must be in force wherever your data is stored or transmitted
    • You must properly dispose of assets that hold confidential data
    • You must have a mechanism to monitor security & react as required
    • MISTAKE 8: LACK SYSTEM SECURITY
    • You must protect data, hardware, software, and networks from accidental or intentional unauthorized access or tampering by internal or external parties
    • You must identify levels of sensitivity & ensure escalating levels of protection based upon the significance / priority of risk
    • You must ensure that IT assets are patched as required. You must ensure that IT assets are migrated out of production before End-of-Life or End-of-Service
    • You must deploy the right level of network security (including anti-virus) across operating systems, network devices, databases, and enterprise mobile devices
    • Key points in the infrastructure (perimeter & internal as required) must be protected through intrusion detection & prevention tools such as firewalls
    • You must test security using vulnerability assessment & penetration testing regularly
    • You must have a mechanism to monitor security and react as required
    • MISTAKE 9: LACK PHYSICAL SECURITY
    • You must protect data, hardware, software, and networks from accidental or intentional unauthorized access or tampering by internal or external parties
    • You must identify levels of sensitivity & ensure escalating levels of protection based upon the significance / priority of risk
    • There must be regular threat and vulnerability assessments
    • You must implement appropriate physical security such as need-to-access-only requirements & security / surveillance systems
    • Critical resources such as air, water, power, fire suppression, & communications should be redundant where required
    • MISTAKE 10: LACK ACCESS CONTROLS
    • For critical / sensitive systems an individual must not be granted access alone (never-alone principle)
    • The transaction process should prevent a single person from initiating, approving, and executing by themselves (segregation of duties). Job rotation is recommended for sensitive functions
    • Access should be limited to need-to-know (access-control principle)
    • Access should be logged, and access rights should be easy to review & modify, as access rights change naturally over time
    • There must be separate environments for development, testing, and production, with controlled access to production where production access is limited and governed by segregation of duties
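The two access-control rules above (never-alone access to critical systems, and segregation of duties across initiate / approve / execute) only work if someone actually checks the access log against them. The following is an added example, not code from the deck, that runs both checks over constructed log records in a record format assumed here for illustration.

```python
"""Review checks for the never-alone and segregation-of-duties rules.

Added example, not from the original deck. The record formats below are
assumptions made for this example, not any real product's log format.
"""
from collections import defaultdict

# Constructed sample transaction log: (transaction_id, step, user).
# tx-1 is clean; tx-2 is one person doing everything; tx-3 has the
# initiator also executing.
TRANSACTION_LOG = [
    ("tx-1", "initiate", "alice"),
    ("tx-1", "approve", "bob"),
    ("tx-1", "execute", "carol"),
    ("tx-2", "initiate", "dave"),
    ("tx-2", "approve", "dave"),
    ("tx-2", "execute", "dave"),
    ("tx-3", "initiate", "erin"),
    ("tx-3", "approve", "frank"),
    ("tx-3", "execute", "erin"),
]

# Constructed sample sessions on critical systems: (system, session_id, users present).
CRITICAL_SESSIONS = [
    ("prod-db", "s1", ["alice", "bob"]),
    ("prod-db", "s2", ["alice"]),          # lone access: violates never-alone
    ("hsm", "s3", ["carol", "dave"]),
]


def sod_violations(log):
    """Return {transaction_id: {step: user}} for every transaction in which
    one user performed more than one of the initiate/approve/execute steps."""
    steps_by_tx = defaultdict(dict)
    for tx_id, step, user in log:
        steps_by_tx[tx_id][step] = user
    violations = {}
    for tx_id, steps in steps_by_tx.items():
        users = list(steps.values())
        if len(users) != len(set(users)):   # a user appears in two or more steps
            violations[tx_id] = dict(steps)
    return violations


def lone_access_sessions(sessions):
    """Return session ids on critical systems where fewer than two distinct
    people were present (never-alone principle)."""
    return [sid for _system, sid, users in sessions if len(set(users)) < 2]


if __name__ == "__main__":
    print("SoD violations:", sod_violations(TRANSACTION_LOG))
    print("Lone sessions:", lone_access_sessions(CRITICAL_SESSIONS))
```

In a real review the same two functions would be fed the firm's own access and transaction logs, and every hit would be reconciled against the approved-exception list the deck calls for under Mistake 1.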
    • SHARE THIS DECK & FOLLOW ME(please-oh-please-oh-please-oh-please) stay up to date with my future slideshare posts http://www.slideshare.net/selenasol/presentations https://twitter.com/eric_tachibana http://www.linkedin.com/pub/eric-tachibana/0/33/b53
    • CLICK HERE FOR MORE!!!!
    • CREATIVE COMMONS ATTRIBUTIONS & REFERENCES
      Title Slide: http://www.flickr.com/photos/23754017@N08/
      Dude Slide: http://www.flickr.com/photos/karen_od/
      Ewok Slide: http://www.flickr.com/photos/daviddurantrejo/
      Leadership Slide: http://www.flickr.com/photos/daviddurantrejo/
      Tech Risk Mgmt Slide: http://www.flickr.com/photos/daviddurantrejo/
      Partner Oversight Slide: http://www.flickr.com/photos/daviddurantrejo/
      Service Mgmt Slide: http://www.flickr.com/photos/gageskidmore/
      Portfolio Mgmt Slide: http://www.flickr.com/photos/fotomaf/
      Recoverability Slide: http://www.flickr.com/photos/karen_od/
      Data Security Slide: http://www.flickr.com/photos/daviddurantrejo/
      System Security Slide: http://www.flickr.com/photos/daviddurantrejo/
      Physical Security Slide: http://www.flickr.com/photos/fotomaf/
      Access Controls Slide: http://www.flickr.com/photos/daviddurantrejo/
      References:
      http://www.mas.gov.sg
      http://www.isaca.org
      http://coso.org/guidance.htm
      http://www.itil-officialsite.com
      http://www.pmi.org
      Please note that all content & opinions expressed in this deck are my own and don't necessarily represent the position of my current, or any previous, employers