Extreme risk - how bad tech mgmt destroys firms

Published in: Technology
Comments

  • Thanks Dave. Fixed! Repetition on purpose, but I'll re-look at it in a couple of days
  • slide 13 '9and', slide 32 seems like the first use of a period, slide 39 'reovery', slide 53 seems redundant with slide 47: the latter is mistake 8 and the former mistake 7 but the text is the same, covering both data and systems, again on slide 61. Same with a few other slides in those sections. Maybe you can combine data and system security risks or differentiate more. Good stuff as always.
Transcript of "Extreme risk - how bad tech mgmt destroys firms"

  1. EXTREME RISK: 10 WAYS POORLY MANAGED TECH CAN DESTROY YOUR COMPANY
  2. dude, failing to manage IT risk is serious
  3. What can go wrong:
     • you might have to stop doing business altogether
     • stolen data can be used against your customers
     • the press may have a field day on you
     • it will be even worse in social media
     • you could lose critical assets
     • employees or directors could go to jail
     • competitors may learn your secrets
     • you may have to pay fines
     • the trust you've built into your brand may disappear
     • IT can be extremely complex & opaque, may require
  4. and just cause you're a small, nimble start-up does not give you license to be sloppy (especially if you hope to pass exit due diligence)
  5. here are 10 obvious, but common, mistakes to avoid…
  6. MISTAKE 1: LACK LEADERSHIP
  7. LACK LEADERSHIP: Leadership must understand the strategic importance of technology risk management. They must also be involved with decision-making and communicate like crazy.
  8. LACK LEADERSHIP: Leadership must put in place a technology risk management (TRM) framework that includes the right culture, policies, standards (enterprise requirements), & control procedures. They must also be responsible for communications & the quality of firm-wide execution.
  9. LACK LEADERSHIP: Leadership must get the right people, in the right roles, at the right time, with the right training.
  10. LACK LEADERSHIP: Leadership must ensure that risks are identified and prioritized by likelihood and severity.
  11. LACK LEADERSHIP: Leadership must identify control gaps, prioritize and budget for remediation, & monitor projects to close them.
  12. LACK LEADERSHIP: Leadership must approve & track exceptions.
  13. LACK LEADERSHIP: Line managers must be engaged & accountable for TRM. TRM must not be seen as red tape. It must be seen as a core job function of a technology manager (and disciplined/rewarded as such).
  14. MISTAKE 2: LACK TRM FRAMEWORK
  15. LACK TRM FRAMEWORK: A TRM Framework must protect data & IT assets from unauthorized access or disclosure, misuse, and fraudulent modification.
  16. LACK TRM FRAMEWORK: A TRM Framework must ensure data confidentiality, system security, reliability, resiliency, & recoverability.
  17. LACK TRM FRAMEWORK: A TRM Framework must define roles & responsibilities.
  18. LACK TRM FRAMEWORK: A TRM Framework must identify & prioritize IT assets.
  19. LACK TRM FRAMEWORK: A TRM Framework must identify & assess impact and likelihood of operational & emerging risk, including internal & external networks, hardware, software, interfaces, operations, and human resources. The firm must also have a mechanism to identify risk trends externally.
  20. LACK TRM FRAMEWORK: A TRM Framework must methodically & regularly inventory and prioritize risks, controls, exceptions, and gaps.
  21. LACK TRM FRAMEWORK: A TRM Framework must be updated regularly.
  22. MISTAKE 3: LACK PARTNER OVERSIGHT
  23. LACK PARTNER OVERSIGHT: IT provided or supported* by partners must be in scope & leadership must fully understand outsourcing risks. Outsourced IT infrastructure is still part of your TRM. You can't wash your hands of it. (* Provision or support includes system development and support, DC ops, network admin, BCP, hosting / cloud, and can involve one or more parties in or out of country.)
  24. LACK PARTNER OVERSIGHT: Proper due diligence must ensure viability, capability, reliability, & stability of vendors.
  25. LACK PARTNER OVERSIGHT: Written contracts must define expected risk-related service levels, roles, obligations, & control processes* in detail. They must also be reviewed regularly. (* For example, performance targets, service levels, availability, reliability, scalability, compliance, audit, security, contingency planning, disaster recovery and backup.)
  26. LACK PARTNER OVERSIGHT: A Service Level Management Framework such as the IT Infrastructure Library (ITIL) must ensure continuing, monitored controls compliance.
  27. LACK PARTNER OVERSIGHT: An exit / backup plan must be in place to switch partners if required.
  28. MISTAKE 4: LACK PORTFOLIO MANAGEMENT
  29. LACK PORTFOLIO MGMT: The entire technology portfolio/platform must be managed through its lifecycle. The business must be engaged with portfolio strategy as a key stakeholder.
  30. LACK PORTFOLIO MGMT: Enterprise architecture strategy must be supported by accurate & accessible MIS and asset management data.
  31. LACK PORTFOLIO MGMT: Leadership must define, document, & communicate the target state platform.
  32. LACK PORTFOLIO MGMT: A professional Project / Change Management Framework like the Project Management Body Of Knowledge (PMBOK) or ITIL must guide change from current to target.
  33. LACK PORTFOLIO MGMT: A professional Quality Management program should ensure quality of build and operate. For example, a documented software development lifecycle (SDLC) should effectively guide development & code quality.
  34. LACK PORTFOLIO MGMT: There must be strong testing & code review controls.
  35. LACK PORTFOLIO MGMT: IT acquisition must be strategically aligned.
  36. LACK PORTFOLIO MGMT: Technology exit planning must be explicit & tracked.
  37. MISTAKE 5: LACK SERVICE MANAGEMENT
  38. LACK SERVICE MGMT: Ongoing IT operations must be guided by a Service Management (SM) Framework like ITIL.
  39. LACK SERVICE MGMT: The SM Framework should cover:
     • Change Management & DevOps
     • Release & Deployment Management
     • Capacity Management
     • Incident Management
     • Problem Management
     • Source Code Control
     • Asset Inventory & Config Management
     • Backup & Recovery
  40. MISTAKE 6: LACK RECOVERABILITY
  41. LACK RECOVERABILITY: The firm needs a realistic, business-prioritized, strategically-aligned & simple business continuity plan (BCP) that ensures reliability, performance, scalability, availability, and recoverability.
  42. LACK RECOVERABILITY: The BCP should identify critical systems (those that must not go down) as well as recovery point objectives (RPO) and recovery time objectives (RTO) to guide restoration service levels.
  43. LACK RECOVERABILITY: The disaster recovery plan should cover multiple scenarios, expose dependencies, & be tested regularly.
  44. LACK RECOVERABILITY: Backup management must ensure that IT assets can be recovered as soon as required, depending on priority, & that dependencies are understood.
  45. LACK RECOVERABILITY: There should be a Communications Plan defined in advance to deal with various scenarios.
  46. MISTAKE 7: LACK DATA SECURITY
  47. LACK DATA SECURITY: You must protect data, hardware, software, and networks from accidental or intentional unauthorized access or tampering by internal or external parties.
  48. LACK DATA SECURITY: You must identify levels of data sensitivity and ensure escalating levels of protection based upon the significance / priority of risk.
  49. LACK DATA SECURITY: You must have end-to-end data protection such as encryption when you are dealing with confidential data. Your controls / standards must be in force wherever your data is stored or transmitted.
  50. LACK DATA SECURITY: You must properly dispose of assets that hold confidential data.
  51. LACK DATA SECURITY: You must have a mechanism to monitor security & react as required.
  52. MISTAKE 8: LACK SYSTEM SECURITY
  53. LACK SYSTEM SECURITY: You must protect data, hardware, software, and networks from accidental or intentional unauthorized access or tampering by internal or external parties.
  54. LACK SYSTEM SECURITY: You must identify levels of sensitivity & ensure escalating levels of protection based upon the significance / priority of risk.
  55. LACK SYSTEM SECURITY: You must ensure that IT assets are patched as required. You must ensure that IT assets are migrated out of production before End-of-Life or End-of-Service.
  56. LACK SYSTEM SECURITY: You must deploy the right level of network security (including anti-virus) across operating systems, network devices, databases, and enterprise mobile devices.
  57. LACK SYSTEM SECURITY: Key points in the infrastructure (perimeter & internal as required) must be protected through intrusion detection & prevention tools such as firewalls.
  58. LACK SYSTEM SECURITY: You must test security using vulnerability assessment & penetration testing regularly.
  59. LACK SYSTEM SECURITY: You must have a mechanism to monitor security and react as required.
  60. MISTAKE 9: LACK PHYSICAL SECURITY
  61. LACK PHYSICAL SECURITY: You must protect data, hardware, software, and networks from accidental or intentional unauthorized access or tampering by internal or external parties.
  62. LACK PHYSICAL SECURITY: You must identify levels of sensitivity & ensure escalating levels of protection based upon the significance / priority of risk.
  63. LACK PHYSICAL SECURITY: There must be regular threat and vulnerability assessments.
  64. LACK PHYSICAL SECURITY: You must implement appropriate physical security such as need-to-access-only requirements & security / surveillance systems.
  65. LACK PHYSICAL SECURITY: Critical resources such as air, water, power, fire suppression, & communications should be redundant where required.
  66. MISTAKE 10: LACK ACCESS CONTROLS
  67. LACK ACCESS CONTROLS: For critical / sensitive systems an individual must not be granted access alone (never-alone principle).
  68. LACK ACCESS CONTROLS: The transaction process should prevent a single person from initiating, approving, and executing by themselves (segregation of duties). Job rotation is recommended for sensitive functions.
  69. LACK ACCESS CONTROLS: Access should be limited to need-to-know (access-control principle).
  70. LACK ACCESS CONTROLS: Access should be logged, and access rights should be easy to review & modify as access rights change naturally over time.
  71. LACK ACCESS CONTROLS: There must be separate environments for development, testing, and production, with controlled access to production where production access is limited and governed by segregation of duties.
  72. SHARE THIS DECK & FOLLOW ME (please-oh-please-oh-please-oh-please): stay up to date with my future slideshare posts
     • http://www.slideshare.net/selenasol/presentations
     • https://twitter.com/eric_tachibana
     • http://www.linkedin.com/pub/eric-tachibana/0/33/b53
  73. CLICK HERE FOR MORE!!!!
  74. CREATIVE COMMONS ATTRIBUTIONS & REFERENCES
     • Title Slide: http://www.flickr.com/photos/23754017@N08/
     • Dude Slide: http://www.flickr.com/photos/karen_od/
     • Ewok Slide: http://www.flickr.com/photos/daviddurantrejo/
     • Leadership Slide: http://www.flickr.com/photos/daviddurantrejo/
     • Tech Risk Mgmt Slide: http://www.flickr.com/photos/daviddurantrejo/
     • Partner Oversight Slide: http://www.flickr.com/photos/daviddurantrejo/
     • Service Mgmt Slide: http://www.flickr.com/photos/gageskidmore/
     • Portfolio Mgmt Slide: http://www.flickr.com/photos/fotomaf/
     • Recoverability Slide: http://www.flickr.com/photos/karen_od/
     • Data Security Slide: http://www.flickr.com/photos/daviddurantrejo/
     • System Security Slide: http://www.flickr.com/photos/daviddurantrejo/
     • Physical Security Slide: http://www.flickr.com/photos/fotomaf/
     • Access Controls Slide: http://www.flickr.com/photos/daviddurantrejo/
     • http://www.mas.gov.sg
     • http://www.isaca.org
     • http://coso.org/guidance.htm
     • http://www.itil-officialsite.com
     • http://www.pmi.org
     Please note that all content & opinions expressed in this deck are my own and don't necessarily represent the position of my current, or any previous, employers.
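Slides 42 and 44 ask for RPO and RTO per critical system and for dependencies to be understood. The following added example (my code, not the deck's) runs that check over constructed sample systems and backup runs: it flags a last backup older than the RPO, a restore that was never tested or took longer than the RTO, and a dependency whose RTO is slower than the system that depends on it. The system names, targets and backup times are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class SystemTarget:
    name: str
    critical: bool                  # "must not go down" (slide 42)
    rpo: timedelta                  # recovery point objective: max tolerable data loss
    rto: timedelta                  # recovery time objective: max tolerable downtime
    depends_on: tuple[str, ...] = ()

@dataclass(frozen=True)
class BackupRecord:
    system: str
    completed_at: datetime
    restore_test: timedelta | None  # how long a restore took in the last DR test; None = never tested

# Constructed sample data: hypothetical systems and backup runs, not from the deck.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
TARGETS = [
    SystemTarget("orders-db", True, timedelta(minutes=15), timedelta(hours=1), ("auth",)),
    SystemTarget("auth", True, timedelta(hours=1), timedelta(hours=4)),
    SystemTarget("wiki", False, timedelta(hours=24), timedelta(hours=72)),
]
BACKUPS = [
    BackupRecord("orders-db", NOW - timedelta(minutes=10), timedelta(minutes=30)),
    BackupRecord("orders-db", NOW - timedelta(hours=2), timedelta(minutes=30)),  # older run, superseded
    BackupRecord("auth", NOW - timedelta(hours=2), None),
    BackupRecord("wiki", NOW - timedelta(hours=5), timedelta(hours=1)),
]

def check_recoverability(targets, backups, now):
    """Return (system, severity, finding) for every RPO, RTO or dependency gap."""
    latest: dict[str, BackupRecord] = {}
    for b in backups:  # keep only the newest backup per system
        if b.system not in latest or b.completed_at > latest[b.system].completed_at:
            latest[b.system] = b
    by_name = {t.name: t for t in targets}
    findings = []
    for t in targets:
        sev = "CRITICAL" if t.critical else "standard"
        def add(msg, name=t.name, sev=sev):
            findings.append((name, sev, msg))
        b = latest.get(t.name)
        if b is None:
            add("no backup recorded")
            continue
        age = now - b.completed_at
        if age > t.rpo:  # the data-loss window already exceeds the objective
            add(f"RPO breached: last backup {age} old, target {t.rpo}")
        if b.restore_test is None:  # an untested restore is no evidence the RTO is achievable
            add("restore never tested, RTO unverified")
        elif b.restore_test > t.rto:
            add(f"RTO breached: restore took {b.restore_test}, target {t.rto}")
        for dep in t.depends_on:  # a system cannot come back faster than what it depends on
            d = by_name.get(dep)
            if d is None:
                add(f"depends on unknown system {dep}")
            elif d.rto > t.rto:
                add(f"dependency {dep} has RTO {d.rto}, slower than own RTO {t.rto}")
    return findings
```

Run it with `check_recoverability(TARGETS, BACKUPS, NOW)`; on the sample data it reports the two gaps on `auth` and the dependency gap on `orders-db`, and nothing for `wiki`.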
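Slides 67, 68 and 70 state the never-alone principle, segregation of duties over initiate / approve / execute, and logged, reviewable access rights. This added example (my code, not the author's) turns those three controls into checks over constructed audit records: transaction steps, console sessions on a critical host, and access grants with their last use. The user names, the "prod-ledger" system and the 90-day idle threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (hypothetical users and system, not from the deck).
NOW = datetime(2024, 6, 1, 12, 0)
TXN_EVENTS = [  # (transaction, step, user): each payment passes initiate -> approve -> execute
    ("T1", "initiate", "alice"), ("T1", "approve", "bob"), ("T1", "execute", "carol"),
    ("T2", "initiate", "dave"), ("T2", "approve", "dave"), ("T2", "execute", "erin"),
    ("T3", "initiate", "erin"), ("T3", "approve", "bob"), ("T3", "execute", "erin"),
]
SESSIONS = [  # (system, user, start, end): console sessions on a critical host
    ("prod-ledger", "alice", NOW - timedelta(hours=3), NOW - timedelta(hours=2)),
    ("prod-ledger", "bob", NOW - timedelta(hours=2, minutes=50), NOW - timedelta(hours=2, minutes=10)),
    ("prod-ledger", "dave", NOW - timedelta(hours=1), NOW - timedelta(minutes=30)),
]
GRANTS = {"alice", "bob", "dave", "frank", "grace"}  # users holding prod-ledger access
LAST_USED = {  # last time each grant was exercised; "grace" has no usage record at all
    "alice": NOW - timedelta(hours=2), "bob": NOW - timedelta(hours=2, minutes=10),
    "dave": NOW - timedelta(minutes=30), "frank": NOW - timedelta(days=200),
}

def sod_violations(events):
    """Slide 68: flag transactions where one person performed more than one of the three steps."""
    actors = defaultdict(list)
    for txn, _step, user in events:
        actors[txn].append(user)
    return sorted(txn for txn, users in actors.items() if len(set(users)) < len(users))

def never_alone_violations(sessions):
    """Slide 67: flag sessions on a critical system with no overlapping session by a second person."""
    alone = []
    for system, user, start, end in sessions:
        accompanied = any(s == system and u != user and st < end and en > start
                          for s, u, st, en in sessions)
        if not accompanied:
            alone.append((system, user))
    return alone

def stale_grants(grants, last_used, now, max_idle=timedelta(days=90)):
    """Slide 70: grants not exercised within max_idle (assumed 90 days) are review/revoke candidates."""
    return sorted(u for u in grants if now - last_used.get(u, datetime.min) > max_idle)

if __name__ == "__main__":
    print("SoD violations:", sod_violations(TXN_EVENTS))
    print("Never-alone violations:", never_alone_violations(SESSIONS))
    print("Stale grants:", stale_grants(GRANTS, LAST_USED, NOW))
```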