Dr Bakari presentation
- 1. Is IT governing us or are we governing it?
Managing ICT Related Risks: Who is Responsible and
What Went Wrong?:
Dr. Jabiri Kuwe Bakari
(BSc. Computer Sc., Msc. (Eng.) Data Communication, Ph.D.)
Lecturer & Director, Institute of Educational Technology
The Open University of Tanzania
E-mail: jabiri.bakari@out.ac.tz
Hilton Double Tree Hotel, Osterbay, Slipway Road
8th December, 2010
©2010 Open University of Tanzania – Dr. Jabiri K. Bakari
- 2. Agenda
• Introduction
• An overview of ICT and its Security Problem
• ICT related risks
• What went wrong
• Who is responsible
• Lessons from others
• What can be done?
- 3. Technology Trend
• Stone, Iron, Industry, Information Age!
• The world has now moved from natural resources to an information economy.
• Information held by public and private organisations' information systems is among the most valuable assets in the organisation's care and is considered a critical resource, enabling these organisations to achieve their objectives.
- 4. • Because the organisation's value has moved from tangible to intangible assets, the risks have moved too; hence the overall corporate risk management should take a new track.
• Today ICT is in almost all National Critical Infrastructure.
- 5. ICT in Critical National Infrastructures
Private and public organizations, government, and the national security system increasingly depend on an interdependent network of critical physical and information infrastructures. Examples:
– energy production, transmission, and distribution
– telecommunications
– financial services
– transportation sectors: railways, highways, airports etc.
– systems for the provision of water and food for human use and consumption
– continuity of government
– chemical industry and hazardous materials
– agriculture
– defence industrial base
– gas and oil storage and transportation
- 6. The national economy is increasingly reliant upon certain critical infrastructures and upon cyber-based information systems.
Any compromise or attacks on our infrastructure and information systems may be capable of significantly harming our economy!
- 7. Agenda
• Introduction
• An overview of ICT and its Security Problem
• ICT related risks
• What went wrong
• Who is responsible
• Lessons from others
• What can be done?
- 8. An overview of ICT & its security Problem
Information security is about protection of ICT assets/resources in terms of Confidentiality, Integrity and Availability (of information and services).
Access control to information involves: protective/proactive, detective, reactive and/or recovery measures.
(Diagram: Holistic View of the ICT security Problem. Labels: Software (operating systems, application software) - a set of instructions; ICT; Valuable asset of organisations - Information.)
- 9. An overview of ICT security Problem
Managing ICT security is a continuous process by which an organisation determines what needs to be protected and why; what it needs to be protected from (i.e. threats and vulnerabilities); and how (i.e. mechanisms) to protect it for as long as it exists.
(Diagram: Holistic Approach required. Labels: Authorised user abusing his/her privileges, e.g. disgruntled staff; Malicious software (virus, worm or denial-of-service attack, backdoors, salami attacks, spyware, etc.) can be introduced here!; Physical security of the hardware; Valuable asset of the organisations - Information.)
- 10. ICT related risks from the Business Perspective
Business risks result from using ICT as a business enabler without having in place proper ICT Governance and related risk controls.
- 11. Refer to the Golden Tulip Hotel, Dar es Salaam workshop, 23rd August 2006 (four years ago).
- 17. • Problem by then
- 18. Security Management in the organisations - Tanzania
Perception Problem:
• At the strategic level (absence of ICT security policy, no defined budget for ICT security, perceived as a technical problem and not a business risk)
• At the operational level (perceived to belong to the IT departments and in some cases not coordinated)
• Absence of designated ICT security personnel/unit.
- 19. An overview of ICT Security Management in the organisations - Perception Problem
(Diagram label: Ad-hoc)
- 20. By mid-2007 a Final Holistic Approach for Managing ICT Security in Organisations was produced
Presented in a book: ISBN Nr 91-7155-383-8
(Diagram of the approach, set within The Environment, The Organisation, the Stakeholders and The Organisation's goal & services, spanning the Introduction of the ICT Security Management Process (Initialisation) and the Internalised & Continuous Process. Guidelines as recovered from the figure:)
• Quick Scan (GL-01)
• Strategic (Top) Management's Backing (GL-02)
• Technical Management's Backing (GL-03)
• Form Project Team (GL-04)
• General Management's attention & Backing (GL-05)
• Review/Audit ICT Security (GL-06)
• Awareness & Backing of General staff (GL-07)
• Risk Assessment/Analysis (GL-08)
• Mitigation Planning (GL-09)
• Develop Counter Measures (GL-10)
• Operationalisation (ICT Security Policy, Services & Mechanisms) (GL-11)
• Maintenance (Monitor the Progress) (GL-12)
- 21. Each process maps the Holistic View of the security Problem
(Diagram labels: Users; Valuable asset - Information.)
- 22. Management team discussing ICT security Problem
(Diagram: two managers, one saying "This is a technical problem", the other "This is a business problem". Labels: Users; Valuable asset - Information.)
- 23. Four Years Later - More developments and more problems….
- 24. Agenda
• Introduction
• An overview of ICT and its Security Problem
• What went wrong
• Who is responsible
• Lessons from others
• What can be done?
- 26. ICT Service delivery problems
Problems related to failure of accessing computerized services in a number of connected offices or outlets.
(Image: customer at ATM)
- 28. Customers waiting to pay their taxes!
- 29. ICT operational incidents
Transaction delays: deposit, withdraw & send money using mobile phone.
- 30. ICT disposal management
ICT hardware disposal: sensitive information found on the disposed hard disks.
- 31. Is IT governing us or are we governing it?
- 32. • Despite the many technical solutions available, the problem of managing ICT-related risks in organisations is increasingly becoming a major concern to many ICT-dependent organisations.
- 33. What went Wrong?
And why in
Tanzania?
- 34. ICT Risk Management Drivers – a Comparative Study of Sweden, USA, India, and Tanzania
IEEE CRiSIS 2007
- 35. • The interesting questions here were:
– what is it that makes the difference?
– Is it because of the consequences of globalisation?
– Is it because of the different regulations and requirements that need to be complied with in a given country?
– Is it because of market pressure or customer demand?
– Is it because of different cultures, in that, according to Robbins, national culture continues to be a powerful force in explaining a large proportion of organisations' behaviour?
- 36. Objectives
• The objective of this study was to investigate the
effects of some possible ICT risk management
drivers on the process of getting senior
management involved in ICT risk management,
and hence accountable.
• The investigation was carried out by taking case
study of four countries namely Sweden, USA,
India, and Tanzania.
• The drivers investigated were mainly
– Globalisation,
– Market Pressure,
– Customer Demand and
– Regulatory Requirements.
- 37. Examples of ICT Risk Management Drivers
• One condition for global collaboration between different organisations, cultures and time zones is a "common language", i.e. internationally accepted standards and frameworks.
• By using these standards and frameworks, security and quality can be defined, agreed and followed up.
• One further advantage is the fact that offshore suppliers are normally certified, using these standards and frameworks.
• Their prospective customers can more easily assess security and quality requirements.
(Callouts: Sarbanes-Oxley Act in 2002 (SOX) - controlled and enforced by the US Securities and Exchange Commission; Committee of Sponsoring Organizations (COSO) framework; Control Objectives for Information and related Technology - IT governance framework.)
- 38. Research approach, Methodology
• Based on the four studies, the status and experiences of how ICT risk management is being practised in organisations in Sweden, USA, India and Tanzania were investigated.
• Findings from the four studies were used as input to investigate senior management's involvement in the ICT risk management process.
- 39. Studies in the four Countries (Swedish)
• A study on Swedish government agencies concerning the use of IT security indicated:
– lack of support from senior management;
– ICT security is not carried out in a systematic way, which makes it difficult for the management to prioritise between different risks and countermeasures, causing difficulties in following up the state of security.
• The use of models for return on security investment also shows the lack of support from senior management.
(Callout: The reason for this is probably that using risk analysis has not gained the approval of the management.)
• Another study was carried out by interviewing information security managers and risk managers at 7 large Swedish trade and industry organisations making extensive use of ICT, most of them also with large international operations.
– The overall summary of the result from the study is that risk analysis is not used as a method to allocate resources for increasing the security level for the ICT systems.
- 40. Studies in the four Countries (USA)
• The USA study was based on the "2006 CSI/FBI Computer Crime and Security Survey", which is based on the responses of 616 computer security practitioners in US corporations, government agencies, financial institutions, medical institutions and universities.
– The survey indicated a substantial decrease in the total dollar amount of financial losses resulting from security breaches.
• Probably this is due to the introduction of SOX:
– "The Sarbanes-Oxley Act has changed the focus of information security in my organisation from technology to one of corporate governance".
• For example, the Act requires that:
– the CEO and CFO personally certify the correctness of the financial reports (section 302);
– the underlying (IT) processes be certified (section 404);
– financial events of importance be reported within four days (section 409);
– a person who deliberately destroys documents, physical or electronic, including e-mail, may be sentenced to up to twenty years' imprisonment (section 802).
- 42. Studies in the four Countries (India)
• The study in India was based on a medium-sized company as a representative of an outsourcing company in India, on the assumption of getting an average indication (2006).
• An example was iGATE corporation, which was ISO2000 certified, ISO27001 certified, COBIT maturity level 5 and SOX compliant.
• The reason they have done this is that they see it as absolutely essential to have these standards and frameworks implemented for them to remain in business.
• In India, customer demand and market pressure make security a top priority for senior management.
– Several Indian offshore suppliers are listed on the USA stock market and so have to fulfil SOX requirements and have the same level of security in place.
- 43. Studies in the four Countries (Tanzania)
• The study in Tanzania took place between 2003 and 2006 -
the respondents were mainly senior management, Chief
Financial Officers, Operational managers, IT Managers and
general and technical staff.
• The study indicated that the focus of the organisations is on
what is commonly known as “Computerisation”.
– Very little or no attention at all is paid to managing ICT-related risks.
• This was partly found to be due to the following reasons:
– not knowing that they are vulnerable to ICT-related risks
as a result of computerisation
– ICT risk is not seen as a risk to the organisation’s business;
– the relaxed culture and lack of formal ICT and ICT security
policies and procedures;
– believing that ICT security is a technical problem and
therefore both ICT in general and ICT security in particular
being set aside for more important things.
- 45. • Poor Planning and Management of ICT
– Lack of alignment between ICT strategy and business strategy
– High cost of ICT with low or unproven return on investment (ROI)
• ICT Staff with inadequate skills
– Non-ICT "ICT staff", coupled with non-ICT "ICT vendors" and sometimes non-ICT "ICT consultants"
– Where relevant skills exist, they are underutilised
- 46. • Problems in Acquisition of ICT related Solutions
– Ad hoc and uncoordinated ICT initiatives; mostly vendor- or donor-driven solutions
– with too much dependence on vendor & donor
– not locally tailored
- 47. Problem in Acquisition of ICT related Solutions
(Diagram of the acquisition flow, as recovered: User Dept -> PMU -> Tender board -> Tender Evaluation team -> Vendor -> Store -> ICT Dept/Division/Dir -> ICT Disposal. Annotations: vendor communicates direct to user; lack of ICT expert on the tender board; lack of appropriate ICT expert on the evaluation team; "They are the expert" - recall the set of instructions!; the ICT Dept/Division/Dir is consulted for inspection against the specification, and if software, then run in a test environment; good practice vs. bad practice; a lot of security implications.)
- 48. • No proper ICT related Risk Management
– Security policy and procedures not in place
– Inadequate business continuity measures
– Serious ICT operational incidents
– ICT not meeting nor supporting compliance
requirements
- 49. • Obsolete Organization Structure
– ICT function seen as operations only, not cross-cutting
– Structure should consider current ICT development and its socio-economic impacts
- 50. Obsolete Org structures
(Organisation chart: Management function - CEO (strategic function); Directors; Line Managers; ICT Dept placed under the operational function. Annotations on the ICT Dept: under staffed; not well utilized, especially in public organisations; no clear job description; not motivated.)
- 51. Lack of awareness about ICT related Risks to customers – while talking about Internet Banking
How many people have read the bank customer service contract/agreement?
- 52. • Introduction
• An overview of ICT and its Security Problem
• What went wrong
• Who is responsible
• Lessons from others
• What can be done?
- 53. • Referring to the studies, one can see that Market Pressure and Customer Demand, which lead to regulatory requirements such as SOX, are significant risk management drivers.
(Diagram of the two drivers per country, with the Globalisation effect feeding SOX Requirements (including frameworks) and Market Pressure & Customers Demand. Labels as recovered: USA - strong demand, strong demand; INDIA - strong demand, strong demand (only in some cases); TANZANIA - weak demand, weak demand; SWEDEN - weak demand, weak demand.)
- 54. • The key point was to get senior management's backing and involvement in the ICT risk management process.
• This study shows that even though there are international standards and frameworks for feedback on how the ICT risks are handled in an organisation, compliance with regulations seems to be the strongest driver actually affecting involvement of senior managers in the ICT risk management process.
• However, in noting this, we also include – but view it as happening in earlier feedback cycles – that Globalisation, Customer Demand and Market Pressure are drivers that initiate regulations (such as SOX) and thus interact as indicated earlier.
- 55. • Through regulation (such as SOX), senior managers were in varying degrees held personally accountable;
– We have seen, for example, that some sections, as mentioned, are very tough.
• However, there is still a need to identify more drivers of ICT risk management on the international and national scenes; it seems important to investigate how national, organisational and security cultures can blend and adapt in order to handle ICT security risks as part of the ordinary business processes.
- 56. Currently, empirical data concerning the influence of cultural factors on ICT risk management is weak. We are now researching how cultural factors might affect or drive the ICT risk management process.
- 57. • Introduction
• An overview of ICT and its Security Problem
• What went wrong
• Who is responsible
• Lessons from others
• What can be done?
- 58. ICT is critical and strategic to the organization's business operations.
ICT involves huge investments and great risks.
- 59. • Top management and oversight bodies that are vested with day-to-day planning, organizing, controlling, directing and staffing responsibilities have a broad stake in ensuring that everything, including ICT matters, is properly manned and managed.
• Boards of Directors are vested with such responsibilities.
• ICT-related risk management requires strategic direction and a driving force, and for that the Board is responsible through the CEO.
- 60. • Introduction
• An overview of ICT and its Security Problem
• What went wrong
• Who is responsible
• Lessons from others
• What can be done?
- 61. • Corporate board compositions should include ICT experts, just as we include board members with legal and finance competences.
• The organization's goal and its strategic objectives should be well aligned with ICT strategies.
• Tender Boards and Tender Evaluation Committees should also include personnel with ICT expertise.
• Organization structures should be reviewed to place ICT at the strategic level, not only at the technical/operational level.
• Industry and academia should facilitate research in ICT risk-related issues, to foresee the future and potential incoming threats.
- 62. Conclusion and Outlook
• The principal goal of an organization's risk management process should be to protect the organization and its ability to achieve its mission;
• and therefore ICT-related risk management should be part of the overall corporate risk management, because the value has moved from tangible to intangible assets.
- 63. Approaching IT governance
• Aligning IT & business
• Managing service delivery for the promised service level
• Managing resources for maximum benefit
• Managing risk to foresee problems and mitigate
• Measuring performance to monitor and report on delivery performance
- 64. How could the management of ICT related risks be improved, in order to reduce the potential financial damage as a result of computerisation?
Answer: A Holistic Approach for Managing ICT Security in Non-Commercial Organisations. A Case Study in a Developing Country
Presented in a book: ISBN Nr 91-7155-383-8
- 65. How to Plan and design a suitable ICT Security Management Process
- 66. It's now the intangible economy!
Information is the most valuable asset and is the only commodity that can be stolen without being taken!
If organizations do not address these problems, then they should expect severe financial damage resulting from service interruption, reputation damage, loss of strategic information, liability claims and loss of property.
The dependence on ICT for core business operations makes ICT an important strategic tool.
- 67. Thank you!