Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

IT Risk Management

1,027 views

Published on

Almost every business decision requires executives and managers to balance risk and reward, and efficiency in that process is essential to an enterprise’s success. Too often though, IT risk (business risk related to the use of IT) is overlooked.

While other business risks such as market, credit and operational risks have long been incorporated into the decision-making processes, IT risk has usually been relegated to technical specialists outside the boardroom, despite falling under the same risk category as other business risks: failure to achieve strategic objectives.

This session intends to address business risks related to the use of IT, looking at industry standards, frameworks and best practices, as well as focusing on real world examples and specific plans on how to implement IT Risk Management on every level of your company.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

IT Risk Management

  1. 1. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals IT Risk Management IT Solutions Specialist CEH, Hyper-V MVP tudy.tel Tudor Damian
  2. 2. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals Many thanks to our sponsors & partners! GOLD SILVER PARTNERS PLATINUM
  3. 3. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals • IT risk overview • COBIT & Risk IT framework –Risk Governance • Risk Appetite and Risk Tolerance –Risk Evaluation –Risk Response • IT risk management as a continuous process • Sources: Agenda
  4. 4. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals IT RISK OVERVIEW Business risk related to the use of IT Image source: coolrisk.com / Artist: Michael Mittag
  5. 5. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals • We create information • We use and store information • We destroy information • Technology creates opportunities –Business, education, government, sales of real and electronic goods, e-health, etc. • IT plays an essential role in these activities –Part of its duty is to protect these information assets Information as a key resource
  6. 6. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals • Email passwords may be disclosed • Facebook accounts may be used by someone else • Credit card information may be disclosed • Customer information may be stolen • IT service delivery to customers may be poor • IT systems may be obsolete • IT projects may be late or fail • IT systems do not provide any business benefit • Risk of non-compliance with the regulator • Own people may harm the systems IT risk is business risk
  7. 7. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals • Opportunity and Risk - two sides of the same coin –Those who manage risk, succeed –Those who do not, fail • Risk is inherent to every enterprise • You don’t really have a choice: every decision taken, every strategy chosen, carries a certain risk Opportunity vs. Risk
  8. 8. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals • No organization is unaffected • Businesses are disrupted • Privacy is violated • Organizations suffer direct financial loss • Reputation is damaged The impact of IT risk
  9. 9. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals High Risk Low Cost Low Risk High Cost Risk vs. Investment – an easy decision (?)
  10. 10. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals • 87% of small business and 93% of larger organizations experienced a security breach in the last year alone • 85% of breaches took weeks to discover • 96% of breaches were not highly difficult • 97% of breaches were avoidable through simple or intermediate controls • 57% of EU incidents were caused by administrative error, missing hardware, exposed online, or stolen by insiders Some statistics Sources: Center for Media, Data and Society (CMDS) / Verizon / UK Government, Department for Business, Innovation and Skills (BIS)
  11. 11. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals Timeline of discovery for cyber attacks (2013) Hours, 9% Days, 8% Weeks, 16% Months, 62% Years, 5% Hours Days Weeks Months Years Source: Verizon
  12. 12. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals Cyber crime attacks experienced by US companies (June 2014) VIRUSES, WORMS, TROJANS MALWARE BOTNETS WEB-BASED ATTACKS MALICIOUS CODE PHISHING AND SOCIAL ENGINEERING MALICIOUS INSIDERS STOLEN SERVICES DENIAL OF SERVICE 100% 97% 76% 61% 46% 44% 41% 37% 34% Sources: Ponemon Institute; Hewlett-Packard (HP Enterprise Security)
  13. 13. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals Some more statistics Ponemon Institute 2011 Cost of Data Breach Study: United States Verizon 2012 Data Breach Investigations Report Reuters, http://reut.rs/zzrcec Symantec Internal Threat Report 17 WIRED, http://www.wired.com/threatlevel/2012/05/flame/all/1 European Commission-Justice, Data Protection Ponemon Institute Second Annual Benchmark Study on Patient Privacy and Data Security ISACA 2011 Top Business/Technology Issues Survey Symantec 2012 SMB Disaster Preparedness Survey Ponemon Institute True Cost of Compliance Report Thomson Reuters State of Regulatory Reform 2012 eWeek, http://www.eweek.com/c/a/IT-Infrastructure/Unplanned-IT- Downtime- Can-Cost-5K-Per-Minute-Report-549007/ Sources:
  14. 14. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals Even more statistics Ponemon Institute 2011 Cost of Data Breach Study: United States Verizon 2012 Data Breach Investigations Report Reuters, http://reut.rs/zzrcec Symantec Internal Threat Report 17 WIRED, http://www.wired.com/threatlevel/2012/05/flame/all/1 European Commission-Justice, Data Protection Ponemon Institute Second Annual Benchmark Study on Patient Privacy and Data Security ISACA 2011 Top Business/Technology Issues Survey Symantec 2012 SMB Disaster Preparedness Survey Ponemon Institute True Cost of Compliance Report Thomson Reuters State of Regulatory Reform 2012 eWeek, http://www.eweek.com/c/a/IT-Infrastructure/Unplanned-IT- Downtime- Can-Cost-5K-Per-Minute-Report-549007/ Sources:
  15. 15. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals Statistics overload
  16. 16. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals How is IT Risk ideally handled?
  17. 17. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals COBIT® AND RISK IT FRAMEWORKS www.isaca.org/cobit Image source: coolrisk.com / Artist: Michael Mittag
  18. 18. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals • Better accountability and responsibility (ownership) – You get out of the blame game • Better management • Better benefits from IT investments • Better compliance • Better monitoring • Easily compare yourself with others • Everybody’s doing it anyway – ITIL, ISO 27001/2, COSO ERM, PRINCE2, PMBOK, Six Sigma, TOGAF, etc. Why use best practices / frameworks?
  19. 19. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals IT risk in the enterprise risk hierarchy
  20. 20. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals Overview – COBIT®, Risk IT and Val IT
  21. 21. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals • A comprehensive IT governance and management framework • Addresses every aspect of IT • Ensures clear ownership and responsibilities • A common language for all • Improves IT efficiency and effectiveness • Better management of IT investments • Ensures compliance • A complementary copy is available: – www.isaca.org/cobit COBIT®
  22. 22. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals •Manage 3rd-party Services •Ensure Continuous Service •Ensure Systems Security •Manage Incidents •Manage Data & Operations •Monitor and Evaluate IT Performance •Monitor and Evaluate Internal Control •Ensure Compliance •Provide IT Governance •Acquire & Maintain Application Software •Acquire and Maintain Technology Infrastructure •Manage Changes • Strategic IT Plan • Manage IT Investment • Manage IT Human Resources • Manage IT Risks • Manage Projects PLAN & ORGANIZE ACQUIRE & IMPLEMENT DELIVERY & SUPPORT MONITOR& EVALUATE COBIT® coverage
  23. 23. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals • Framework for effective management of IT risk • Complements COBIT® – COBIT® provides a set of controls to mitigate IT risk – Risk IT provides a framework for enterprises to identify, govern and manage IT risk • Enterprises who have adopted COBIT® can use Risk IT to enhance risk management • Integrates the management of IT risk into the overall enterprise risk management (ERM) of the organization • Helps management make well-informed decisions about the extent of the risk, the risk appetite and the risk tolerance of the enterprise • Helps management understand how to respond to risk • Available for ISACA members: – http://isaca.org/RiskIT Risk IT
  24. 24. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals • Always connects to business objectives • Aligns the management of IT-related business risk with overall enterprise risk management (ERM) - if applicable • Balances the costs and benefits of managing IT risk • Promotes fair and open communication of IT risk • Establishes the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels • Is a continuous process and part of daily activities Risk IT principles
  25. 25. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals • To prioritize and manage IT risk, management needs a clear understanding of the IT function and IT risk – Key stakeholders often do not have a full understanding • IT risk is not just a technical issue – IT experts help to understand and manage aspects of IT risk – Business management is still the most important stakeholder • Business managers determine what IT needs to do to support their business – They set the targets for IT – They are accountable for managing the associated risks Managing and understanding IT risk
  26. 26. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals 1. Define a risk universe and scoping risk management 2. Risk appetite and risk tolerance 3. Risk awareness, communication and reporting: includes key risk indicators, risk profiles, risk aggregation and risk culture 4. Express and describe risk: guidance on business context, frequency, impact, COBIT business goals, risk maps, risk registers 5. Risk scenarios: includes capability risk factors and environmental risk factors 6. Risk response and prioritization 7. A risk analysis workflow: “swim lane” flow chart, including role context 8. IT risk mitigation using COBIT and Val IT Risk IT process model
  27. 27. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals • Risk IT Framework – A set of governance practices for risk management – An end-to-end process framework for successful IT risk management – A generic list of common, potentially adverse, IT-related risk scenarios – Tools and techniques to understand concrete risks to business operations • Risk IT Practitioner Guide – Support document for the Risk IT framework – Provides examples of possible techniques to address IT-related risk issues – Building scenarios, based on a set of generic IT risk scenarios – Building risk maps, techniques to describe scenario impact and frequency – Building impact criteria with business relevance – Defining KRIs (Key Risk Indicators) Risk IT publications
  28. 28. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals Risk management frameworks and standards compared
  29. 29. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals Key activities / Roles Board CEO CRO CIO CFO EnterpriseRisk Committee Business Management BusinessProcess Owner RiskControl Functions HR Complianceand Audit Define IT risk analysis scope I R C I C A R C C Estimate IT risk I R C C I A/R R R C Identify risk response options C C C R A R R I Perform a peer review of IT analysis A/R I I I Perform enterprise IT risk assessment I A R R C I R C R C C Propose IT risk tolerance thresholds I I C R C I A C C C Approve IT risk tolerance A C C C C R C C C C C Assign IT risk policy C A R R R C R R R R C Promote IT risk-aware culture A R R R R R R R R R R Encourage effective communication of IT risk R R R R R R A R R R R RACI charts – IT risk example A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed
  30. 30. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals RISK GOVERNANCE Image source: coolrisk.com / Artist: Michael Mittag
  31. 31. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals • Risk Governance – Establish and Maintain a Common Risk View – Integrate with Enterprise Risk Management (ERM) – Make Risk-aware Business Decisions • Risk Evaluation – Collect Data – Analyze Risk – Maintain Risk Profile • Risk Response – Articulate Risk – Manage Risk – React to Events Risk governance, evaluation and response
  32. 32. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals IT Risk Management Responsibilities and Accountability
  33. 33. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals RISK APPETITE AND RISK TOLERANCE Image source: coolrisk.com / Artist: Michael Mittag
  34. 34. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals • Risk Appetite: the amount of risk an entity is prepared to accept when trying to achieve its objectives – Defining factors: • The enterprise’s objective capacity to absorb loss (e.g., financial loss, reputation damage) • The (management) culture or predisposition towards risk taking - cautious or aggressive (i.e. what is the amount of loss the enterprise wants to accept to pursue a return?) • Risk Tolerance: the tolerable deviation from the level set by the risk appetite and business objectives – e.g., standards require projects to be completed within estimated budgets and time, but overruns of 10 percent of budget or 20 percent of time are tolerated Risk Appetite and Risk Tolerance
  35. 35. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals Risk map
  36. 36. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals Sample risk scenarios and risk appetite
  37. 37. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals Elements of risk culture
  38. 38. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals RISK EVALUATION Image source: coolrisk.com / Artist: Michael Mittag
  39. 39. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals Expressing IT risk in business terms
  40. 40. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals IT scenario development
  41. 41. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals IT risk scenario components
  42. 42. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals RISK RESPONSE Image source: coolrisk.com / Artist: Michael Mittag
  43. 43. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals • Identify Key Risk Indicators based on: – Impact – Effort to implement, measure and report – Reliability – Sensitivity • Decide on best response to risk – Avoidance – Reduction/Mitigation – Sharing/Transfer – Acceptance Risk response overview
  44. 44. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals IT RISK AS A CONTINUOUS PROCESS Image source: coolrisk.com / Artist: Michael Mittag
  45. 45. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals Risk IT maturity model
  46. 46. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals Business Goals IT Goals Process Goals Activity Goal Defining goals and metrics - example Maintain reputation IT can resist to an attack Reduce unauthorized access Understand vulnerabilities and threats Number of incidents with public embarrassment Number of incidents with business impact Number of incidents caused by unauthorized access Frequency of review
  47. 47. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals SUMMARY Image source: coolrisk.com / Artist: Michael Mittag
  48. 48. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals • Use best practices (such as COBIT®) to minimize IT Risks • Start with basic processes • Form a high level IT Strategy Committee • Formulate and implement IT Strategic Plan and IT policies • Allocate resources (budget, people, infrastructure) • Assign roles and responsibilities, authority and accountability (using RACI chart) • Make IT a regular item on the board agenda • Regularly assess, review and monitor IT Risks Summary
  49. 49. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals Q & A Image source: coolrisk.com / Artist: Michael Mittag
  50. 50. @ITCAMPRO #ITCAMP15Community Conference for IT Professionals Thank you! IT Solutions Specialist CEH, Hyper-V MVP tudy.tel Tudor Damian

×