This document discusses key considerations for IT internal audits related to information security and business continuity management. It outlines several audits that an IT internal audit function can perform to evaluate an organization's information security strategy and program, including assessments of the information security program, the threat and vulnerability management program, and performing vulnerability assessments. It also discusses how business continuity has increased in importance given disruptions from events like natural disasters and infrastructure failures, and the need for organizations to have effective business continuity management. The document provides context around risks to information from both internal and external threats and how IT internal audit can help evaluate controls.
1) Security audits evaluate the level of information security in an organization across technical, physical, and administrative controls.
2) There are three main types of security audits: external audits conducted by a third party, internal audits done within a company by other units or headquarters, and self-audits conducted by in-house personnel.
3) The objectives of security audits are to assess the adequacy and effectiveness of security measures and management controls through evaluating physical security processes, defining roles and responsibilities, and focusing on high-risk areas.
Understanding this course will give you an idea of how an audit assessment is performed and where the focus lies. General controls account for a large share of the entire audit function and should be given adequate attention during the session.
Basics in IT Audit and Application Control Testing, by Dinesh O Bareja
IT Audit and Application Control Testing are large and complex activities in themselves, and it is my presentation to share the basics here, based on my own experience and using guidance from IIA GTAGs.
Roadmap to security operations excellence, by Erik Taavila
This document outlines a roadmap for security operations excellence with three levels:
Level 1 focuses on initial security operations like planning risk management, collecting asset information, and operating basic security tools.
Level 2 is forming security operations through monitoring for events, protecting from known threats, and reacting to incidents using tools like a SIEM and advanced firewall.
Level 3 optimizes security operations through analyzing logs for bad behavior, preventing further damage, and hardening defenses against new threats using tools like malware sandboxing and forensics.
The document discusses the NIST Cybersecurity Framework, which provides guidelines for critical infrastructure security and management of cybersecurity risks. It was created through a collaboration between government and industry to help organizations manage and reduce cybersecurity risks. The framework consists of five concurrent and continuous functions - Identify, Protect, Detect, Respond, Recover. It also outlines implementation tiers from Partial to Adaptive to help organizations determine their cybersecurity risk management practices. The framework is meant to be flexible and not prescriptive in order to accommodate different sectors and risks profiles.
An IT infrastructure audit (IIA) helps an organization understand its current IT environment and build an action plan to realize the optimal benefit from its IT infrastructure investment. The audit is about safeguarding assets, maintaining data integrity and operating effectively to achieve the organization's goals. It reviews the documentation of policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented, or detected and corrected.
Defining an IT Auditor
IT Auditor Certifications & ISACA
IT Audit Phases
Preparing to be Audited
How an IT auditor audits applications
Auditing technology for information systems
Secrets to managing your Duty of Care in an ever-changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for Cybersecurity attacks sits with Executives and Board members who may not have the right level of technical security knowledge. This session will outline what practical steps executives can take to implement a Cybersecurity Roadmap that is aligned with its strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
Every organization has security concerns. ePlus Security Consulting Services can help you make sense of it all. Contact ePlus today to start addressing today's security challenges.
Cybersecurity Incident Management Powerpoint Presentation Slides are designed for information technology experts. Our data security PowerPoint theme combines high-quality design with info accumulated by industry experts. Represent the present situation of the target organization’s information security management using our patterned PPT slideshow. The innovative data visualizations aid in compiling data such as the analysis of the current IT department with considerable convenience. Communicate the cybersecurity framework roadmap and kinds of cyber threats with the help of this PowerPoint layout. Demonstrate the cybersecurity risk management action plan through the tabular format included in this PPT presentation. Illustrate the cybersecurity contingency plan. Our information security management system PowerPoint templates deck helps you in defining risk handling responsibilities of your personnel. Elucidate the role of the management in successful information security governance. Our PPT deck also outlines the costs involved in cybersecurity management and staff training. Showcase an impact analysis with a dash of visual brilliance. Smash the download button and start designing. Our Cybersecurity Incident Management Powerpoint Presentation Slides are topically designed to provide an attractive backdrop to any subject. Use them to look like a presentation pro. https://bit.ly/3zWo1hb
The United Nations uses a risk management process that involves assessing the criticality of programs to balance security risks. It uses a risk matrix to determine risk levels and requires a program criticality assessment for activities with high or very high residual risks. The assessment evaluates the contribution of activities to strategic results and their likelihood of implementation against criteria to designate them as Priority 1 activities that are lifesaving or directed by the Secretary-General. Risk level and program criticality are determined separately without consideration of each other.
This document provides an overview and agenda for a presentation on ISO 27001 and information security management systems (ISMS). It introduces key terms like information security, the CIA triad of confidentiality, integrity and availability. It describes the components of an ISMS like policy, procedures, risk assessment and controls. It explains that ISO 27001 specifies requirements for establishing, implementing and maintaining an ISMS. The standard is popular because it can be used by all organizations to improve security, comply with regulations and build trust. Implementing an ISMS also increases awareness, reduces risks and justifies security spending.
These are slides from a local security chapter meetup. Here I tried to explain the challenges in appsec and a complete framework for the different phases of the secure software development life cycle.
Sample IT Best Practices Audit report.
An objective, self service tool for CIO’s by CIOs.
Identify and prioritize issues.
Solve the root causes.
Justify Investments.
Improve user productivity.
Maximize existing assets.
Reduce IT costs.
Improve IT service.
Reallocate IT resources to drive the business.
The document discusses auditing IT infrastructure including hardware, networks, and telecommunications devices. It provides details on the objectives of IT audits such as assessing continuity, management/maintenance, and security of systems. It also discusses standards and guidelines for auditing such as COBIT and ISO 27001, and covers reviewing hardware assets, network design, security, backups, and telecommunication agreements and invoices.
Cyber Security Layers - Defense in Depth
7P's, 2D's & 1 N
People
Process
Perimeter
Physical
Points (End)
Network
Platform
Programs (Apps)
Database
Data
The document discusses data classification and monitoring. It defines key terms like data classification and monitoring. It outlines the goals of data classification including identifying who needs what data and understanding how valuable data is. Monitoring tools can provide access reports and minimize log retention times. The benefits of classification include understanding what data exists and complying with regulations. The document discusses how to classify data, consider security, use monitoring tools, and establish processes for access management and reporting.
Han van Thoor, Managing Director of Jumper Consulting Ltd., participated in the Certification Europe Information Security Breakfast Seminar in November 2011. The presentation discussed current challenges within security, covering the following topics:
Managing management and peers
Risk Assessment
Statement of Applicability
Post certification
Benefits
Further details on ISO 27001 Information Security Management System certification on our website http://www.certificationeurope.com/iso-27001-information-security.html
The document outlines an agenda for an information security essentials workshop. It discusses key topics like the principles of information security around confidentiality, integrity and availability. It also covers security governance structures, roles and responsibilities, risk management, information system controls and auditing information security. The objectives are to provide an overview of information security, describe approaches to auditing it, and discuss current trends.
ISO 27001 - information security user awareness training presentation - part 2, by Tanmay Shinde
This document outlines an agenda for a security awareness seminar on ISO27k standards and compliance regulations. It discusses the causes of security incidents, defines risk in terms of a vulnerability that could be exploited by a threat, and examines threat agents such as humans, machines, and nature. It also summarizes the objectives of compliance programs to reduce risks and meet standards, provides an overview of regulations like Sarbanes-Oxley (SOX) and Basel II, and notes that SOX applies to companies publicly traded in the US, including foreign companies listed there.
Information Security Governance and Strategy, by Dam Frank
The document discusses information security governance and strategy based on ISO 38500:2008. It covers key aspects of IT governance including evaluating who makes IT decisions, directing the implementation of decisions, and monitoring conformance. The six principles of IT governance outlined are responsibility, strategy, acquisition, performance, conformance, and human behavior. An IT governance model is illustrated showing how the principles relate to evaluating, directing, and monitoring IT processes.
ISO 22301 Business Continuity Management, by Ramiro Cid
Presentation of ISO 22301 Societal Security - Business Continuity Management Systems: main concepts, basic terms, content of the standard, clauses, mandatory documentation, related standards, comparison with BS 25999-2, benefits of ISO 22301 implementation, etc.
This document discusses cyber resilience frameworks. It defines cyber resilience as the ability to continuously deliver intended outcomes despite adverse cyber events. Cyber resilience involves people, processes, technology, and facilities working together. Frameworks like NIST SP 800-160 v2, the DHS Cyber Resilience Review, and the MITRE Cyber Resiliency Engineering Framework provide guidance on implementing cyber resilience. NIST focuses on engineering systems for resilience while DHS assesses operational readiness and MITRE emphasizes anticipating, withstanding, recovering from, and adapting to cyber attacks. The document compares cybersecurity to cyber resilience and explains how the frameworks help organize concepts to improve cyber defenses.
Information Security Awareness
Tips to improve infosec awareness in any organization
To learn more visit http://www.SnapComms.com/solutions/employee-security-awareness
This document discusses various threats to information security and safeguards organizations can implement. The three main sources of threats are human error, malicious human activity, and natural disasters. Some key threats include hacking, viruses, unauthorized data disclosure through actions like phishing. Technical safeguards include identification & authentication like passwords, encryption, firewalls, malware protection. Human safeguards involve policies, training, account management and monitoring. Senior management must establish security policies, assess risks, and ensure all necessary safeguards are in place to protect the organization's information systems and data. The organization should also have an incident response plan to deal with security breaches when they do occur.
This training creates awareness of the security threats facing individuals, business owners and corporations in today's society and instils a 'plan-protection' attitude. It improves how individuals, students, business owners and workers handle these threats and respond appropriately when they occur.
This document provides an overview of ISO27001's risk assessment approach, which involves identifying assets, threats, vulnerabilities and controls to determine inherent and residual risks. Key steps include identifying high value assets, threats against those assets, vulnerabilities that could be exploited by threats, inherent risk levels without controls, existing controls, and residual risk levels with controls in place. Risks still above thresholds after controls would be added to an information security risk register for ongoing treatment and monitoring.
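The asset / threat / vulnerability / control procedure summarized above is easy to get wrong in a spreadsheet, so here is an added worked example (my own code, not part of the summarized ISO 27001 presentation) that carries a few constructed scenarios from inherent risk through controls to a residual-risk register. The 1 to 5 ordinal scales, the likelihood-times-impact scoring, the control reduction values, the acceptance threshold and the asset names are all assumptions chosen for illustration; a real ISMS would take them from its own risk methodology.

```python
"""Added example: minimal ISO 27001-style risk assessment producing a risk register.
All scales, scenarios, controls and the threshold below are constructed assumptions."""
from dataclasses import dataclass, field

# Assumed 1..5 ordinal scales; risk score = likelihood * impact (max 25).
RISK_THRESHOLD = 9  # assumed acceptance threshold: residual risk above this is registered


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # assumed: points removed from likelihood
    impact_reduction: int = 0      # assumed: points removed from impact


@dataclass
class Scenario:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                # 1..5, assessed without any controls
    impact: int                    # 1..5, assessed without any controls
    controls: list = field(default_factory=list)

    def __post_init__(self):
        # Refuse scores outside the agreed scale instead of silently mis-scoring.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")


def inherent_risk(s: Scenario) -> int:
    """Risk level before any control is considered."""
    return s.likelihood * s.impact


def residual_risk(s: Scenario) -> int:
    """Risk level after existing controls; neither factor can drop below 1,
    because a control never removes the asset or the threat entirely."""
    lik = s.likelihood - sum(c.likelihood_reduction for c in s.controls)
    imp = s.impact - sum(c.impact_reduction for c in s.controls)
    return max(1, lik) * max(1, imp)


def build_register(scenarios, threshold=RISK_THRESHOLD):
    """Return the scenarios still above threshold after controls, highest residual first.
    These are the entries that need ongoing treatment and monitoring."""
    rows = []
    for s in scenarios:
        r = residual_risk(s)
        if r > threshold:
            rows.append({
                "asset": s.asset, "threat": s.threat, "vulnerability": s.vulnerability,
                "inherent": inherent_risk(s), "residual": r, "treatment": "open",
            })
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample scenarios (not real assessment data).
SCENARIOS = [
    Scenario("Customer database", "SQL injection by external attacker",
             "Unvalidated input in web front end", likelihood=4, impact=5,
             controls=[Control("Parameterised queries", likelihood_reduction=2),
                       Control("Web application firewall", likelihood_reduction=1)]),
    Scenario("Payroll file server", "Ransomware", "Unpatched SMB service",
             likelihood=4, impact=4,
             controls=[Control("Monthly patch management", likelihood_reduction=1),
                       Control("Offline backups", impact_reduction=2)]),
    Scenario("Privileged admin accounts", "Credential phishing", "No MFA on admin logins",
             likelihood=5, impact=5,
             controls=[Control("Awareness training", likelihood_reduction=1)]),
    Scenario("Field laptops", "Theft or loss", "No full-disk encryption",
             likelihood=3, impact=4),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.asset:28} inherent={inherent_risk(s):2} residual={residual_risk(s):2}")
    print("\nRisk register (residual > %d):" % RISK_THRESHOLD)
    for row in build_register(SCENARIOS):
        print(f"  {row['residual']:2}  {row['asset']} / {row['threat']} / {row['vulnerability']}")
```

Run as a script it prints the inherent and residual score for each scenario and then the register. With the constructed data only the unprotected admin accounts (residual 20) and the unencrypted laptops (residual 12) end up on the register; the database and file server scenarios start high but fall under the threshold once their controls are credited. The floor of 1 on each factor matters: without it, stacking controls could drive a score to zero or negative and hide a risk that still exists.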
Maclear’s IT GRC Tools – Key Issues and Trends, by Maclear LLC
Maclear specializes in enterprise governance, risk and compliance (eGRC) solutions. Its IT GRC solution integrates business functions such as IT governance, policy management, risk management, compliance management, audit management and incident management, enabling an automated, workflow-driven approach to managing, communicating and implementing IT policies and procedures across the enterprise.
Read More at: http://www.maclear-grc.com/
This document provides an overview of IT strategy and governance for executives. It discusses the importance of aligning IT with business strategy and having proper governance structures in place. Key points include:
- IT strategy should define how technology will support business goals and priorities through investments, applications, and infrastructure.
- IT governance ensures IT goals are met, risks mitigated, and value delivered to business. It focuses on strategic alignment, value delivery, risk management, resource management, and performance.
- Common pitfalls of IT strategy include lack of ownership, not tracking progress, failing to realize ROI, and not having proper governance structures.
- Strong IT governance with board oversight and an IT steering committee is needed to successfully
Role of The Board In IT Governance & Cyber Security - Steve Howse, CGTI
This document discusses I.T. strategy, risk management, and governance. It begins with an introduction of Steve Howse, the president of Millington & Associates, and his background. The document then discusses what I.T. strategy and governance entail and why they are important. It introduces the "20 questions" framework as a tool to assess I.T. strategy, risk, and governance. The questions are categorized into strategic issues, internal control issues, and risk issues. The document dives deeper into examples of risks and what organizations can do to address risks such as dedicating board members to I.T. committees and ensuring business continuity plans are tested.
The WLS value proposition is:
-Extensive IT business experience and capability
-Demonstrated IT risk and compliance delivery
-Proven commercial experience with practical perspectives
-Low overhead compared to larger service providers results in a more competitive service
-Flexibility in service provision to reflect your business budgetary and resource requirements
PwC: Transforming Internal Audit to Drive Digital Value, by Eileen Chan
Internal audit functions are facing increasing expectations to provide strategic value related to companies' digital transformations and IT investments. However, many internal audit functions continue following outdated approaches such as conducting the same IT audits each year. To effectively meet rising expectations, internal audit must evolve by focusing on technology risks associated with business strategy achievement, gaining a holistic understanding of IT risks and opportunities, and leveraging data analytics and continuous auditing. Aligning internal audit's work more closely with strategic priorities will allow it to become a proactive advisor on technology issues and help optimize returns from significant IT investments.
Your Challenge
Risk is an unavoidable part of IT. And what you don't know, can hurt you. The question is, do you tackle risk head-on or leave it to chance?
Get a handle on risk management quickly using Info-Tech's methodology and reduce unfortunate IT surprises.
Our Advice
Critical Insight
1. IT risk is business risk.
Every IT risk has business implications. Create an IT risk management program that shares risk accountability with the business.
2. Risk is money.
It’s impossible to make intelligent decisions about risks without knowing what they’re worth.
3. You don’t know what you don’t know.
And what you don’t know can hurt you – so find out. To find hidden risks, you need a structured approach.
Impact and Result
Stop leaving IT risk to chance. Transform your ad hoc IT risk management processes into a formalized, ongoing program and increase risk management success by 53%.
Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they happen.
Involve key stakeholders including the business senior management team to gain buy-in and to focus on IT risks that matter most to the organization.
Share accountability for IT risk with business stakeholders and have them weigh-in on prioritizing investments in risk response activities.
CGI Group Inc. is a global IT consulting firm with 68,000 professionals in over 400 offices across 40 countries. The document is a pitch presentation for CGI Group prepared by analysts at Capital Markets Group. It provides an overview of CGI's business segments, management team, the IT consulting industry, and makes an investment thesis arguing that CGI is well-positioned to benefit from industry growth and further acquisitions. Key risks discussed include economic weakness in Europe and high client concentration.
Innovation connections quick guide managing ict risk for business pdfAbdulbasit Almauly
This document provides guidance on managing ICT risks for small to medium businesses. It discusses:
1) The importance of risk management and identifying risks before undertaking new business activities or decisions. 2) Common risk management methodologies like risk registers and risk matrices to document and evaluate risks. 3) Major types of ICT risks for businesses related to falling behind technology, poor purchasing decisions, lack of organizational commitment, and missed innovation opportunities. 4) Steps to identify and manage risks when assessing and procuring new ICT products and services.
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE360 BSI
Are you effectively securing your organization’s IT systems that store, process, or transmit organizational information?
Is your IT risk management plan tailored to the specific risk profile of your business and being coordinated across all functional and business units?
With the release of IT Governance frameworks, requirements for risk management and new international standards entering the market, the pressure is mounting to ensure that all your IT risks are identified and the necessary action is taken – be this to mitigate them, accept or ignore them. So, how safe is your IT system? What are the risks that your organization is being exposed to?
The solution to this challenge is to establish an effective risk management process that protects the organization, not just its IT assets, and provides it with the ability to perform its mission.
Risk management is the process of identifying and assessing risk and taking preventive measures to reduce it to an acceptable level. It is critical that you develop an effective risk management program that assesses and mitigates risks within your IT systems and better manages these IT-related mission risks.
BENEFITS OF ATTENDING THIS WORKSHOP
Identify common IT project risks
Learn how to assess threats and vulnerabilities to create a risk response strategy
Understand what qualifies as risk with IT projects
Understand the most common IT risk sources
Qualify and quantify IT risks
Learn the difference between negative and positive IT risks
Develop an IT risk management plan
Plan risk response methods for IT risks
Create risk mitigation and contingency plans
Monitor and control project risks
Overcome resistance from stakeholders and team members
WHO SHOULD ATTEND THIS WORKSHOP
IT risk managers
IT security managers
Compliance officers
Program and project managers
IT project managers
IT operation manager
Contact Kris at kris@360bsi.com to register.
The results of this year’s Internal Audit Capabilities and Needs Survey show that, not surprisingly, cybersecurity represents a major focus for internal audit programs, but it is far from the only pressing issue on internal audit’s plate
ISACA is a global nonprofit focused on IT governance, assurance and security. It was founded in 1969 and now has over 100,000 members worldwide. ISACA provides certifications in areas like information systems audit, IT governance, and security. It also develops frameworks like COBIT for enterprise IT governance. ISACA membership offers opportunities for professional development, networking, and advancement in fields like IT auditing, security, risk management and governance.
Current enterprise information security measures continue to fail us. Why is ...Livingstone Advisory
Conventional information security measures continue to fail our businesses in today’s rapidly changing world of cyber-risk. Adverse cyber-events manifest themselves as the usual suspects including data breaches, information theft, ransom- and malware, viruses, payment card fraud, DDOS attacks or physical loss – to name but a few.
Problem is, the tally of adverse events keeps mounting up. While headline adverse cyber incidents are now reported in the media with regularity, this represents the tip of the cyber-risk iceberg. Most known events are either unreported or hidden from public disclosure. Not helping, is the industry analysis suggesting that, on average, nearly half of all adverse cyber-risk events impacting organisations are self-inflicted and avoidable. No industry is untouched.
Delivered at the CIO Summit in Melbourne, Australia in November 2016, in this presentation, Rob offers valuable strategic insights into the problem and why it continues to be a problem.
He outlines some practical steps that will be helpful for CIOs and CISOs in reshaping their own organisation’s approach in building a more effective and resilient information security capability.
This document provides an overview of a presentation on building an internal control framework for IT governance. It discusses key benefits to the audience, the current state of IT governance standards and challenges, areas not adequately covered by existing standards, and recommendations for the framework.
The presentation will compare leading IT governance standards, highlight similarities and differences, and gaps not addressed. It will also recommend internal controls focusing on strategic alignment, financial performance, risk management, growth, and service delivery. An internal control framework is proposed that takes a holistic view encompassing governance, management, use of IT, and the relationship between corporate strategy, digital business models, and organization structures.
Mission Critical Global Technology Group (MCGlobalTech) provides information security and IT infrastructure management consulting services. They help organizations comply with industry standards and federal regulations to strengthen their security posture. MCGlobalTech assesses clients' security gaps and develops customized solutions involving governance, processes, and technology controls. Their full lifecycle of services includes assessment, planning, implementation, and continuous monitoring.
IT Governance and Compliance: Its Importance and the Best Practices to Follow...GrapesTech Solutions
With new technology coming in every day, the need for IT governance and compliance is essential. IT governance and compliance are not only necessary for consumers but also for businesses. A strong IT governance plan can help add immense value to your business.
Many businesses are not aware of the importance of IT governance and Its Compliance. Hence it is important first to understand IT Governance and the Compliance Standards.
Explore the Significance of IT Governance and Compliance in 2024. Explore best practices for effective management, ensuring security, and meeting regulatory standards in the dynamic IT landscape.
This document discusses the IT industry in India. It provides an introduction to the major components of the IT industry in India, including IT services, business process outsourcing, software products and engineering services, and hardware. It notes some of the top players in the Indian IT industry and provides revenue figures. It also discusses IT as a service (ITaaS) delivery model. The document then outlines some of the key drivers for success and risks faced by industry players, including cybersecurity risks, political and regulatory risks, risks from changes in technology and automation, and provides mitigation strategies for three of the top risks. It also discusses risk management standards and guidelines and provides an overview of the COSO enterprise risk management framework and Wipro
Rockland Professional Services provides IT risk assessment services to clients. Their methodology involves 4 phases: 1) Understanding the business, 2) Identifying the IT universe, 3) Conducting a risk assessment, and 4) Preparing a report. They identify critical applications and infrastructure, assess risks based on impact and likelihood, and produce a risk heat map and IT audit plan to summarize the results.
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Dive into the realm of operating systems (OS) with Pravash Chandra Das, a seasoned Digital Forensic Analyst, as your guide. 🚀 This comprehensive presentation illuminates the core concepts, types, and evolution of OS, essential for understanding modern computing landscapes.
Beginning with the foundational definition, Das clarifies the pivotal role of OS as system software orchestrating hardware resources, software applications, and user interactions. Through succinct descriptions, he delineates the diverse types of OS, from single-user, single-task environments like early MS-DOS iterations, to multi-user, multi-tasking systems exemplified by modern Linux distributions.
Crucial components like the kernel and shell are dissected, highlighting their indispensable functions in resource management and user interface interaction. Das elucidates how the kernel acts as the central nervous system, orchestrating process scheduling, memory allocation, and device management. Meanwhile, the shell serves as the gateway for user commands, bridging the gap between human input and machine execution. 💻
The narrative then shifts to a captivating exploration of prominent desktop OSs, Windows, macOS, and Linux. Windows, with its globally ubiquitous presence and user-friendly interface, emerges as a cornerstone in personal computing history. macOS, lauded for its sleek design and seamless integration with Apple's ecosystem, stands as a beacon of stability and creativity. Linux, an open-source marvel, offers unparalleled flexibility and security, revolutionizing the computing landscape. 🖥️
Moving to the realm of mobile devices, Das unravels the dominance of Android and iOS. Android's open-source ethos fosters a vibrant ecosystem of customization and innovation, while iOS boasts a seamless user experience and robust security infrastructure. Meanwhile, discontinued platforms like Symbian and Palm OS evoke nostalgia for their pioneering roles in the smartphone revolution.
The journey concludes with a reflection on the ever-evolving landscape of OS, underscored by the emergence of real-time operating systems (RTOS) and the persistent quest for innovation and efficiency. As technology continues to shape our world, understanding the foundations and evolution of operating systems remains paramount. Join Pravash Chandra Das on this illuminating journey through the heart of computing. 🌟
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365.
Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...alexjohnson7307
Predictive maintenance is a proactive approach that anticipates equipment failures before they happen. At the forefront of this innovative strategy is Artificial Intelligence (AI), which brings unprecedented precision and efficiency. AI in predictive maintenance is transforming industries by reducing downtime, minimizing costs, and enhancing productivity.
Executive Summary
Identifying and addressing risk is one of an organization’s most important duties to its employees, shareholders, suppliers and customers. Considerations related to information technology are central to any organization’s effort to ensure that issues are addressed quickly and thoroughly.
The jagged economic landscape — complicated by advancing technologies, such as cloud, social media and mobile devices — can challenge the ability of an IT internal audit to provide comfort to executives already overwhelmed with rapidly expanding opportunities and pressures caused by shrinking margins.
Further, considerations around continuity management, information security, regulatory compliance and the execution of major complex programs can also muddy the waters, reducing executives’ clarity and limiting an organization’s ability to address risk and, ultimately, grow.
Regardless of the rigor of a strong risk assessment process, audit leadership is often left with lingering questions: What did we miss? What audits best address our risks? How should we answer questions that might be posed by the audit committee about how we are addressing a specific risk?
To help provide clarity, this thought leadership piece lists 10 considerations related to information technology. Knowing these considerations, sharing and discussing them with clients and mapping out a strategy to make sure they are addressed is a simple yet crucial step toward building confidence that the IT audit function is doing its job. Armed with strong data and new technology, and leveraging leading practices and close collaboration with the organization’s risk function, IT internal audit executives can use this list to enrich clients’ understanding of the dangers that could imperil their very survival, and to build a strategic plan to address them.
Introduction
Increasing quality and confidence in the IT internal audit risk assessment
Increasing your level of confidence in the risk assessment process is one of the most fundamental ways to focus on mitigating overall enterprise risk, determining appropriate levels of effort and resources, and identifying where to add value. In a worst-case scenario, an organization’s risks can proliferate at a far faster rate than its ability to provide coverage. Organizations need the ability to identify and address key risk areas and the agility to quickly close the gaps through:
• Identifying and understanding the “risks that matter”
• Differentially investing in the risks that are “mission critical” to the organization
• Effectively assessing risks across the business and driving accountability and ownership
• Demonstrating the effectiveness of risk management to investors, analysts and regulators.
As many organizations prepare for risk assessment discussions, consider our perspective on the leading practices that will help increase your organization’s level of confidence in addressing these critical questions:
• How do we look around the corner?
• How do we know we identified all the right risks?
As many companies face considerations in their internal audit processes, thoughtful executives will need to understand which IT trends to consider in their critical internal audit plans, including which of the following IT risk assessment techniques apply to their organizations’ respective challenges and assessment needs. The 10 key IT internal audit considerations outlined in this paper are aligned with, and provide connection to, leading practices designed to help ensure robust performance in the IT internal audit process.
IT risk assessment techniques: leading practices
Basic versus leading practice IT risk assessment techniques to consider

Basic
• IT internal audit issues
• IT Sarbanes-Oxley (SOX) and external audit issues
• Root causes from past IT issues
Leading
• Competitor and peer risks
• Industry trends
• Third-party external IT risk data
• Analyst reports

Basic
• Analytics run but limited summarization of data
• Business and IA leadership struggle to spot trends in data
Leading
• Risk analytics based on the most critical questions IT, business and IA need to answer
• Trending and period-to-period comparisons can identify emerging risks or changes to existing risks
• Efforts aligned with other “big data” initiatives

Basic
• Focus on IT stakeholders
• Heavy emphasis on “home office” stakeholders
• Point-in-time engagement primarily during annual IT risk assessment
• IT and business leaders not trained on risk management
Leading
• Includes operational and global stakeholders beyond IT
• Risk management embedded in IT leadership training
• Risk scenario planning workshops for significant IT risks
• Continuous dialogue with stakeholders (monthly, quarterly meetings)
• Risk committee utilized to review risk assessment changes
• IT subject matter resources participating in select interviews to draw out key risks
• Surveys used to confirm risk assessment results with lower-level IT management not interviewed
• Stakeholders self-assessing risk based on an IT governance, risk and compliance (GRC) solution containing a dynamic risk database

Basic
• IT internal audit attending interviews with little participation from other risk management functions or operational audit
• IT risk assessment viewed as “IT internal audit’s risk assessment”
Leading
• IT risk assessment collaboratively developed by internal audit (operational and IT), other risk management functions and IT
• SOX, external audit and other risk management functions participating in interviews
• Risk assessment embedded within the strategic planning process

Basic
• Impact and likelihood utilized for prioritization
• Audit prioritization based heavily on IT competencies available in the IA department
Leading
• Categorize IT risks within each of the following: availability, confidentiality, integrity, effectiveness and efficiency
• Relevance to strategic objectives utilized to prioritize IT risks
• Audits executed based on value to the organization and connection to strategic objectives

Basic
• Relatively static internal audit plan
Leading
• Dynamic IT internal audit plan that changes throughout the year and is reset at selected milestones (e.g., quarter, trimester, bi-annually)

Basic
• Relatively static internal audit plan
Leading
• IT internal audit plan addressing a unified framework of all IT compliance needs beyond just SOX (e.g., PCI, FISMA, HIPAA, ISO27001)
• External IT audit plan and internal audit reliance strategy integrated and optimized
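As an added example (not from the paper and not a tool the paper describes), the Python script below makes the leading-practice prioritization techniques in the comparison above concrete in a small risk register: risks are categorized under availability, confidentiality, integrity, effectiveness and efficiency; scored by impact x likelihood and then re-weighted by relevance to strategic objectives; and two assessment periods are compared to surface new, escalating and mitigated risks. The 1..5 scales, the objective identifiers and weights, and every risk entry are constructed sample values, not data from any real assessment.

```python
from dataclasses import dataclass

# The five risk categories named in the leading-practice column above.
CATEGORIES = ("availability", "confidentiality", "integrity", "effectiveness", "efficiency")


@dataclass(frozen=True)
class Risk:
    """One line of an IT risk register. The 1..5 scales and the objective ids are assumptions."""
    risk_id: str
    title: str
    category: str
    impact: int                          # 1 (negligible) .. 5 (severe)
    likelihood: int                      # 1 (rare) .. 5 (almost certain)
    objectives: frozenset = frozenset()  # strategic objectives this risk threatens

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category {self.category!r}")
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError("impact and likelihood must be on the 1..5 scale")


def basic_score(risk):
    """Basic practice: impact x likelihood, nothing else."""
    return risk.impact * risk.likelihood


def leading_score(risk, objective_weights):
    """Leading practice: scale the basic score by relevance to strategic
    objectives. A risk tied to no objective keeps its basic score."""
    relevance = 1.0 + sum(objective_weights.get(o, 0.0) for o in risk.objectives)
    return basic_score(risk) * relevance


def basic_ranking(register):
    """Risk ids ordered by impact x likelihood alone (ties broken by id)."""
    return [r.risk_id for r in sorted(register, key=lambda r: (-basic_score(r), r.risk_id))]


def prioritize(register, objective_weights):
    """(risk_id, leading score) pairs, highest priority first."""
    ranked = sorted(register, key=lambda r: (-leading_score(r, objective_weights), r.risk_id))
    return [(r.risk_id, leading_score(r, objective_weights)) for r in ranked]


def by_category(register):
    """Group risk ids under the five categories; empty categories are kept
    so that a category with no identified risk is visible as a gap."""
    groups = {c: [] for c in CATEGORIES}
    for r in register:
        groups[r.category].append(r.risk_id)
    return groups


def period_delta(previous, current):
    """Period-to-period comparison: new risks, risks whose score moved and
    risks that dropped off the register since the last assessment."""
    prev = {r.risk_id: basic_score(r) for r in previous}
    curr = {r.risk_id: basic_score(r) for r in current}
    common = prev.keys() & curr.keys()
    return {
        "new": sorted(curr.keys() - prev.keys()),
        "escalated": sorted(i for i in common if curr[i] > prev[i]),
        "reduced": sorted(i for i in common if curr[i] < prev[i]),
        "closed": sorted(prev.keys() - curr.keys()),
    }


# Constructed sample data (hypothetical objectives, weights and risks):
# two assessment periods for the same organization.
OBJECTIVE_WEIGHTS = {"online-channel": 1.0, "cost-reduction": 0.5}

Q1_REGISTER = [
    Risk("R1", "Unpatched internet-facing servers", "confidentiality", 4, 3, frozenset({"online-channel"})),
    Risk("R2", "Single data centre, DR plan never tested", "availability", 5, 3),
    Risk("R3", "Manual journal uploads without review", "integrity", 3, 3),
    Risk("R4", "Legacy ERP support contract expiring", "efficiency", 2, 4, frozenset({"cost-reduction"})),
]
Q2_REGISTER = [
    Risk("R1", "Unpatched internet-facing servers", "confidentiality", 4, 4, frozenset({"online-channel"})),
    Risk("R2", "Single data centre, DR plan never tested", "availability", 5, 3),
    Risk("R4", "Legacy ERP support contract expiring", "efficiency", 2, 2, frozenset({"cost-reduction"})),
    Risk("R5", "Customer data in unsanctioned SaaS", "confidentiality", 4, 3, frozenset({"online-channel"})),
]

if __name__ == "__main__":
    print("basic ranking:  ", basic_ranking(Q2_REGISTER))
    print("leading ranking:", prioritize(Q2_REGISTER, OBJECTIVE_WEIGHTS))
    print("by category:    ", by_category(Q2_REGISTER))
    print("Q1 -> Q2 delta: ", period_delta(Q1_REGISTER, Q2_REGISTER))
```

Running it shows the difference the table is pointing at: on impact x likelihood alone the untested data-centre risk (R2) outranks the unsanctioned-SaaS risk (R5), while weighting by relevance to the online-channel objective moves R5 ahead of it. The empty integrity and effectiveness buckets in the category view are the kind of coverage gap a stakeholder survey or interview round is meant to expose, and `period_delta` is the period-to-period comparison that a quarterly reset of the audit plan would be driven by.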
Company Profile
Wipro Infotech Ltd
Wipro Technologies is the global technology services division of Wipro Ltd. (NYSE: WIT). Wipro offers a full portfolio of services across industries, delivering measurable business benefits for their customers with six sigma consistency.
WHO IS WIPRO
Ranked as the 7th best software services company in the world by Business Week (Infotech 100, November 2002), Wipro serves over 300 global leaders including Boeing, Nationwide, Ericsson, Toshiba, Cisco, Seagate, Putnam Investments, United Technologies, Best Buy, Digital, Friends Provident, IBM, Microsoft, NCR, Thames Water, Transco and Sony. “From the first day in dealing with Wipro, there’s been nothing but quality, character, highest integrity, highest quality work. As a joint venture, you wouldn’t find a better partner. As a supplier, you wouldn’t find a higher quality partner.”
Some quick facts about Wipro:
• India’s most valuable company (Business Today, 2001).
• Listed on the NYSE (WIT). Part of the TMT (Technology-Media-Telecom) Index of the New York Stock Exchange.
• Over 20 years of IT Consulting, Systems Integration and Engineering Services experience.
• 30 offices worldwide, 18,000 IT practitioners and domain consultants.
• More than 300 customers across USA, Europe and Japan (50 of these are Fortune 500 companies).
• USD 736Mn revenues (Year 2001-2002), Cumulative Annual Growth Rate (CAGR) of 45% over the last five years.
• Quality leadership: Most mature Six Sigma program in the industry. World’s first PCMM, CMMi and CMM level 5 company.
HISTORY
Founded in 1945, Wipro has diversified into Information Technology, Consumer Care and Lighting, Engineering and Healthcare. Wipro’s diversification into IT happened in 1980 and since then there has been no looking back. Wipro had revenues of USD 736Mn in March 2002.
Milestones
1980: Diversification into Information Technology
1990: Incorporation of Wipro-GE medical systems
1992: Going global with global IT services division
1993: Business innovation award for offshore development
1995: Wipro gets ISO 9001 quality certification, re-certified twice for mature processes
1997: Wipro gets SEI CMM level 3 certification, enterprise wide processes defined
1998: Wipro first software services company in the world to get SEI CMM level 5
1999: Wipro’s market capitalization is the highest in India
2000: Start of the Six Sigma initiative, defects prevention practices initiated at project level
2001: First Indian company to achieve the “TL9000 certification” for industry specific quality standards
2001: World’s first PCMM Level 5 company
2001: Ranked 87 among 100 best performing technology companies globally (BusinessWeek, June 2001)
2002: World’s first CMMi ver 1.1 Level 5 company
2002: Ranked the 7th software services company in the world by BusinessWeek (Infotech 100, November 2002)
DISASTER RECOVERY PLANNING
An estimated 94% of companies without a tested crisis plan go out of business after a severe loss of service. With increased dependency on IT Infrastructure to run business effectively and efficiently, organizations need to know how to protect the business if the IT Infrastructure fails. ‘Disaster-Recovery Plans’ articulate the means to protect organizations in case of such eventualities. Wipro offers a comprehensive solution that helps organizations face any eventuality of this kind and ensures that organizations recover smoothly from the disaster in the shortest possible time. The offering covers:
• Study of the existing IT Infrastructure set-up at various sites of the organization and of the existing disaster recovery practices.
• Identification of threats to the services, arising out of faults in the IT products and services of the organization.
• Conducting Risk Analysis and Business Impact Analysis (BIA) of various threats to the resources/functions and categorizing the risks based on the impact.
• Designing and recommending solutions to cover the resources from the threats (risks).
• Implementation of the recommended solutions including hot sites, high availability solutions, networks and storage systems.
WIPRO INFRASTRUCTURE
Wipro is geared for global delivery with offices and development centers that span the globe.
• Locations spanning the globe: 27 offices worldwide
• Over 1,450,000+ sq. ft. of development facilities
• 30 development centers worldwide
• State-of-the-art communication facilities
• Giga speed cabling - guaranteed 10MBPS to desktop
• 30+ international links - data, voice and video
• Data, voice and video, ISDN back-up for full redundancy.
Wipro campuses are designed to provide comfortable and productive work environments. In addition to cutting-edge facilities, they feature workspaces that enable creative thinking and encourage participatory and proactive value systems. Wipro’s commitment to the environment and safety consciousness is reflected in their ISO 14001 certification.
Business continuity
Wipro provides multi-site services to global customers and has the relevant experience, processes and methodologies for a successful transition. Robust business continuity plans are in place for data, systems and people.
WIPRO VISION IN 2008
QUALITY AT WIPRO
Quality consulting and software quality
At Wipro, quality is like integrity - non-negotiable. Wipro pursues quality with a missionary zeal and
has put in place robust processes to ensure that Wipro delivers quality with six-sigma consistency.
Veloci-Q, our holistic, enterprise-wide quality approach, integrates multiple quality processes like
Six Sigma, SEI CMM, PCMM and CMMi to deliver measurable business benefits with
enhanced productivity up to 35%, cost savings up to 35% and faster time-to-market up to 75%.
Salient features of our quality program
Most mature Six Sigma program in the industry - ensures that 91% of our projects are completed
on schedule, much above the industry average of 55%
World’s first company to be awarded PCMM Level 5 and CMMI Level 5
World’s first SEI CMM ver 1.1 Level 5 software services company
Defect prevention - post-release defect rates at less than 0.2 per KLOC, amongst the lowest in the
industry
Cycle time reduction due to lower rework rate
Cost of failure avoidance and high project visibility
What it means for customers
The assurance that quality will never be compromised, be it product, process or service quality. That’s
why Wipro is the preferred partner for global leaders such as Thomas Cook, nPower, Home Depot,
Seagate, Lucent, Nokia, Eastman Chemicals and 300 others.
SERVICES OFFERED
SERVICES OFFERED BY WIPRO LTD.
IT services
Application Development & Maintenance
Architecture Consulting
Business-to-employee (B2E) solutions
Business intelligence & data warehousing
Business Process Management (BPM)
Information Security
Traditional security models focus on keeping external attackers out. The reality is that there
are as many threats inside an organization as outside. Mobile technology, cloud computing,
social media, employee sabotage — these are only a few of the internal threats organizations
face. Externally, it’s not just about the lone hacker who strikes for kicks.
Overall, the risk environment is changing. Often, security professionals complain that they
are too busy reacting to immediate issues and have no time to anticipate what may be lurking
around the corner. To have any hope of protecting your organization’s critical assets, the
business and security teams need to understand where your information lives, inside or
outside. Identifying what your organization classifies as its most important information and
applications, where they reside and who has or may need access to them will enable the
business to understand which areas of the security program are most vulnerable to attack.
Although organizations have been dealing with opportunistic cyber-attacks for years, many
now find themselves the target of more sophisticated and persistent efforts. These attacks are
focused on a single objective, often lasting over a long period of time and until the desired
target is obtained. They leave few signs of disturbance because they are designed to remain
hidden to acquire as much sensitive information as possible. In our experience, those at the
greatest risk are information-intensive entities or organizations with intellectual property that
is most attractive in emerging economies.
Unfortunately, many organizations have no idea they are compromised until it is too late. In
considering the audits below, IT internal audit can play a critical role in evaluating the
organization’s information security strategy and supporting program and partnering to
improve the level of control.
The audits that make an impact | Key IT internal audit considerations
Information security program assessment —
Evaluates the organization’s information
security program, including strategy,
awareness and training, vulnerability
assessments, predictive threat models,
monitoring, detection and response,
technologies and reporting.
• How comprehensive is the existing
information security program?
• Is information security embedded within the
organization, or is it an “IT only”
responsibility?
• How well does the organization self-assess
threats and mitigate the threats?
Threat and vulnerability management
program assessment — Evaluates the
organization’s threat and vulnerability
management (TVM) program including
threat intelligence, vulnerability
identification, remediation, detection,
response, and countermeasure planning.
• How comprehensive is the existing TVM
program?
• Is the TVM program aligned with business
strategy and the risk appetite of the
organization?
• Are the components of TVM integrated with
one another, as well as with other security
and IT functions?
• Do processes exist to make sure identified
issues are appropriately addressed and
remediation is effective?
Vulnerability assessment — Performs a
regular attack and penetration (A&P) review.
These should not be basic A&Ps that only
scan for vulnerabilities. Today we suggest
risk-based and objective-driven penetration
assessments tailored to measure the
company’s ability to complicate, detect and
respond to the threats that the company is
most concerned about.
• What mechanisms are in place to
complicate attacks the organization
is concerned about?
• What vulnerabilities exist, and
are exploits of these
vulnerabilities detected?
• What is the organization’s response time when an intrusion is detected?
Business Continuity Management
As organizations grow in size and complexity within the world of the “extended enterprise,”
the impact of non-availability of any resources has magnified. High-profile events caused by
natural disasters and technology infrastructure failures have increased awareness of the need
to develop, maintain and sustain business continuity programs. Although these large-scale
events — such as the March 2011 Japanese earthquake and tsunami — dramatically
challenge the existence of some companies, there are smaller, less impactful but more
frequent disruptions that cause many executives to question their organization’s ability to
react and recover. These big disasters, as well as the smaller disruptions, have prompted
leading executives to hope for the best but prepare for the worst by investing in effective
business continuity management (BCM).
Effective BCM is rising in importance on the corporate agenda. Volatile global economies
have shrunk margins for error. Companies that previously would have survived a significant
disaster or disruption may now find the same event pushing their corporate existence to the
brink. Executives are realizing that effective BCM may be the only buffer between a small
disruption and bankruptcy. Ernst & Young’s 2012 Global Information Security Survey found
that BCM was once again viewed as the “top priority” in the next 12 months by survey
respondents.
While BCM should be viewed as an enterprise-wide risk and effort, the reality is that it is
often IT that is asked to lead critical planning activities and serve as lead facilitator. IT
systems and disaster recovery procedures are a cornerstone of the broader BCM plan, thus IT
internal audit is well positioned to evaluate broader BCM procedures.
The audits that make an impact | Key IT internal audit considerations
Business continuity program integration and
governance audit — Evaluates the
organization’s overall business continuity
plan, including program governance, policies,
risk assessments, business impact analysis,
vendor/third-party assessment, strategy/plan,
testing, maintenance, change management
and training/awareness.
• Does a holistic business continuity
plan exist for the organization?
• How does the plan compare to
leading practice?
• Is the plan tested?
Disaster recovery audit — Assesses IT’s
ability to effectively recover systems and
resume regular system performance in the
event of a disruption or disaster.
Crisis management audit — Reviews the
organization’s crisis management plans,
including overall strategy/plan, asset
protection, employee safety, communication
methods, public relations, testing,
maintenance, change management and
training/awareness.
• Are crisis management plans aligned with
broader business continuity plans?
• Are plans comprehensive and do they
involve the right corporate functions?
• Are plans well communicated?
Mobile
Mobile computing devices (e.g., laptops, tablet PCs, smartphones) are in widespread use,
allowing individuals to access and distribute business information from anywhere and at any
time. With the increase in mobile device capabilities and subsequent consumer adoption,
these devices have become an integral part of how people accomplish tasks, both at work and
in their personal lives. The increasing demand for information from the mobile workforce is
driving changes in the way organizations support and protect the flow of information. With
any technological advancement come new challenges for the enterprise, including:
• Potential loss or leakage of important business information
• Security challenges given the range of devices, operating systems, and firmware
limitations and vulnerabilities
• Theft of the device due to the small size
• Compliance with state, federal and international privacy regulations that vary from
one jurisdiction to another as employees travel with mobile devices
• Navigation of the gray line on privacy and monitoring between personal and company
use of the device.
IT internal audit’s knowledge of the organization’s mobile strategy needs to evolve as
quickly as the mobile landscape. Evaluating these risks and considering the audits below will
help audit add value to the organization while confirming key risks are well managed.
The audits that make an impact | Key IT internal audit considerations
Mobile device configuration review —
Identifies risks in mobile device settings and
vulnerabilities in the current implementation.
This audit would include an evaluation of
trusted clients, supporting network
architecture, policy implementation,
management of lost or stolen devices, and
vulnerability identification through network
accessibility and policy configuration.
• How has the organization implemented “bring your own device” (BYOD)?
• Are the right policies/mobile strategies in place?
• Are mobile devices managed in a consistent manner?
• Are configuration settings secure and enforced through policy?
• How do we manage lost and stolen devices?
• What vulnerabilities exist, and how do we manage them?
Mobile application black box assessment — Performs an audit using different front-end
testing strategies: scan for vulnerabilities using various tools, and manually verify scan
results. Attempts to exploit the vulnerabilities identified in mobile web apps.
• What vulnerabilities can be successfully exploited?
• How do we respond when exploited, and do we know an intrusion has occurred?
Mobile application gray box assessment — Combines traditional source code reviews
(white box testing) with front-end (black box) testing techniques to identify critical
areas of functionality and for symptoms of common poor coding practices. Each of these
“hot spots” in the code should be linked to the live instance of the application where
manual exploit techniques can verify the existence of a security vulnerability.
• How sound is the code associated with the mobile applications used within the
organization?
• What vulnerabilities can be exploited within the code?
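One way to turn the configuration-review questions above (secure settings enforced by policy, consistent management, handling of lost and stolen devices) into a repeatable check: the Python below is an added example, not code from the original deck or from any MDM product. It evaluates a constructed MDM export against a constructed baseline policy; the field names, the BASELINE thresholds and the SAMPLE_DEVICES records are all assumptions chosen for illustration, not a vendor's real schema.

```python
"""Mobile device configuration compliance check (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed baseline policy (assumption): what a compliant managed device must satisfy.
BASELINE = {
    "min_os_version": {"ios": (16, 0), "android": (13, 0)},
    "require_encryption": True,
    "require_passcode": True,
    "allow_jailbroken": False,
    "max_checkin_age_days": 7,     # devices silent longer than this are unmanaged in practice
    "lost_device_wipe_hours": 24,  # a reported-lost device must be wiped within this window
}

# Constructed sample MDM export (assumption): not real device data.
SAMPLE_DEVICES = [
    {"id": "D-001", "platform": "ios", "os_version": "17.2", "encrypted": True,
     "passcode": True, "jailbroken": False, "status": "active",
     "last_checkin": "2024-03-10T08:00:00", "lost_reported": None, "wiped_at": None},
    {"id": "D-002", "platform": "android", "os_version": "12.0", "encrypted": True,
     "passcode": False, "jailbroken": False, "status": "active",
     "last_checkin": "2024-03-09T18:30:00", "lost_reported": None, "wiped_at": None},
    {"id": "D-003", "platform": "ios", "os_version": "16.4", "encrypted": False,
     "passcode": True, "jailbroken": True, "status": "active",
     "last_checkin": "2024-02-01T12:00:00", "lost_reported": None, "wiped_at": None},
    {"id": "D-004", "platform": "android", "os_version": "14.0", "encrypted": True,
     "passcode": True, "jailbroken": False, "status": "lost",
     "last_checkin": "2024-03-05T09:00:00", "lost_reported": "2024-03-06T09:00:00",
     "wiped_at": None},
]

# Fixed audit timestamp so the sample run is reproducible (assumption).
AUDIT_TIME = datetime(2024, 3, 10, 12, 0, 0)


def parse_version(text):
    """Turn '16.4' into (16, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate_device(device, policy, now):
    """Return the list of baseline violations for one device (empty list = compliant)."""
    findings = []
    min_ver = policy["min_os_version"].get(device["platform"])
    if min_ver is not None and parse_version(device["os_version"]) < min_ver:
        findings.append("os_below_baseline")
    if policy["require_encryption"] and not device["encrypted"]:
        findings.append("storage_not_encrypted")
    if policy["require_passcode"] and not device["passcode"]:
        findings.append("no_passcode")
    if device["jailbroken"] and not policy["allow_jailbroken"]:
        findings.append("jailbroken_or_rooted")
    age = now - datetime.fromisoformat(device["last_checkin"])
    if age > timedelta(days=policy["max_checkin_age_days"]):
        findings.append("stale_checkin")
    # Lost/stolen handling: a device reported lost and still not wiped past the window.
    if device["status"] == "lost" and device["wiped_at"] is None:
        reported = datetime.fromisoformat(device["lost_reported"])
        if now - reported > timedelta(hours=policy["lost_device_wipe_hours"]):
            findings.append("lost_device_not_wiped")
    return findings


def audit_fleet(devices, policy, now):
    """Map each device id to its findings."""
    return {d["id"]: evaluate_device(d, policy, now) for d in devices}


def noncompliant(results):
    """Sorted ids of devices with at least one finding, for the audit working paper."""
    return sorted(dev_id for dev_id, findings in results.items() if findings)


def audit_sample_fleet():
    return audit_fleet(SAMPLE_DEVICES, BASELINE, AUDIT_TIME)


if __name__ == "__main__":
    results = audit_sample_fleet()
    for dev_id in noncompliant(results):
        print(dev_id, ", ".join(results[dev_id]))
```

Each finding name maps back to one of the review questions, so the output doubles as evidence for the "are configuration settings enforced through policy" and "how do we manage lost and stolen devices" items; the stale check-in rule matters because a device that has stopped reporting cannot be shown to be managed consistently.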
Cloud
Many organizations are looking to cloud computing to increase the effectiveness of IT
initiatives, reduce cost of in-house operations, increase operational flexibility and generate a
competitive advantage. This is attained by shifting to using IT services, as organizations no
longer need to build and maintain complex internal IT infrastructures. Cloud computing is
evolving at a fast pace, giving companies a variety of choices when they’re looking to
restructure their IT organization. However, like most technology changes, cloud computing
presents its share of risks and challenges, which are too often overlooked or not fully
understood by businesses that are quick to embrace it. These risks and challenges include:
• Providers not performing as needed to meet service level agreements (SLAs),
resulting in cloud architecture or deployment challenges
• Evolving cloud standards increasing the risk that a company’s systems won’t work
with the provider’s
• Legal and regulatory risk in how information is handled in the cloud
• Information security and privacy risks around the confidentiality, integrity and
availability of data
• Cloud adoption and change management within an organization
IT internal audit needs to understand how the organization is embracing cloud technologies
and the risks the business faces based on the adopted cloud strategy.
Drivers for cloud computing
Business agility
Perhaps the major accelerant for cloud adoption is the ability to elastically scale IT resource
availability up and down depending on the momentary or capacity needs of the business. This
resolves a long-standing dilemma for large organizations, which forecast demand for their IT
resources yet typically end up with more capacity than they need or, worse, less than they need
because of business changes during the installation process. Cloud-based IT services can grow or
shrink as business requirements change, without requiring long implementation times or aggressive
capital investment.
Pay-as-you-go versus install-and-own
The shift in up-front capital requirements from the user to the service provider is extremely
attractive to large and small organizations alike. This flexibility allows them to remain as a
cloud customer and buy access to the infrastructure and application they need, as they need
them. Instead of paying for it all up front, including more capacity than they may need right
away, cloud customers pay only for what they use — and only when they use it.
Cost saving
A report by the Brookings Institution found that government agencies can save 25% to 50% of their
IT cost and increase their business agility by migrating IT infrastructure to cloud services.
Innovation platform for growth
Cloud computing services reduce IT barriers to entry, allowing start-ups to emerge with lower
infrastructure start-up costs than were necessary pre-cloud. This cost saving allows for increases in
innovation. This will likely allow organizations to allocate more time to strategy and enablement by
leveraging the cloud.
Infrastructure utilization
Better network efficiency results in lower power consumption and smaller carbon footprints. This
comes from virtualizing hardware and software resources and providing them as a service to multiple
users simultaneously.
Market research
Research points to ongoing rapid adoption of both public and private cloud services, which tends to
become a self-fulfilling prophecy.
The audits that make an impact | Key IT internal audit considerations
Cloud strategy and governance audit —
Evaluates the organization’s strategy for
utilizing cloud technologies. Determines
whether the appropriate policies and controls
have been developed to support the
deployment of the strategy. Evaluates
alignment of the strategy to overall company
objectives and the level of preparedness to
adopt within the organization.
• Is there a strategy around the use of cloud
providers?
• Are there supporting policies to
follow when using a cloud provider?
• Are policies integrated with legal,
procurement and IT policies?
Cloud security and privacy review —
Assesses the information security practices
and procedures of the cloud provider. This
may be a review of their SOC 1, 2 and/or 3
report(s), a review of their security SLAs
and/or an on-site vendor audit. Determines
whether IT management worked to negotiate
security requirements into their contract with
the provider. Reviews procedures for
periodic security assessments of the cloud
provider(s), and determines what internal
security measures have been taken to protect
company information and data.
• Has a business impact
assessment been conducted for
the services moving to the
cloud?
• Does your organization have
secure authentication protocols
for users working in the cloud?
• Have the right safeguards been
contractually established with the
provider?
Cloud provider service review — Assesses the ability of the cloud provider to meet or
exceed the agreed-upon SLAs in the contract. Areas of consideration should include
technology, legal, governance, compliance, security and privacy. In addition, internal
audit should assess what contingency plans exist in case of failure, liability agreements,
extended support, and the inclusion of other terms and conditions as part of the service
contracts, as well as availability, incident, and capacity management and scalability.
• What SLAs are in place for uptime, issue management and overall service?
• Has the cloud provider been meeting or exceeding the SLAs? What issues have
there been?
• Does the organization have an inventory of uses of external cloud service
providers, sponsored both within IT and directly by the business units?
IT Risk Management
As the IT risk profile and threat landscape rapidly change and risks increase, companies need to
change their mindset and approach toward IT risk to address a new normal. Now more than ever, IT
issues are issues of importance to the C-suite, elevating the need for boards of directors, audit
committees, general counsels and chief risk officers to work alongside IT leaders and information
security and privacy officers to fully address their organization’s risk management level of due care,
approach and preparedness and to implement an IT risk management program that is adequate and
effective in managing cyber risks. It is critically important that IT functions are able to effectively
address the following questions:
• Can you articulate your strategy to identify, mitigate and monitor IT risks to the audit
committee?
• How do you know that you have identified all key IT risks that would prevent the company
from achieving corporate strategies, objectives and initiatives?
• How do you make sure your risk framework continues to be relevant and continues to identify
pertinent risks to keep the company out of trouble?
The Securities and Exchange Commission, other regulators, and the audit committee have
increased their focus on companies managing risks holistically. Company stakeholders/
shareholders expect the company to focus risk management activities and resources on areas
with the greatest impact. Internal audit is uniquely positioned to help drive growth and create
value for the company through reviewing IT risk management activities.
IT Risk Management program
1) IT risk governance & compliance monitoring and reporting.
Ownership, accountability, and oversight are the cornerstones of any risk management
program. The risk governance component of the ITRM program should have a strong
leader, an executive who can juggle strategic and tactical enterprise initiatives across
diverse and distributed IT environments. The overall governance of an ITRM program
is supported by the IT risk dashboard to enable ongoing (compliance) monitoring and
reporting on program effectiveness and risk posture. This is where organizations put
in place their processes to assess compliance with policies, standards, procedures, and
regulatory requirements. Monitoring and reporting capabilities are designed to
provide management with organizational views and trend analyses for risks, control
issues, and vulnerabilities.
2) Business drivers, regulatory requirements and (IT) risk strategy.
Most organizations do not spend enough time clearly defining those critical business
issues or business drivers that create the need for an ITRM program. These drivers
must be aligned with business objectives, regulatory requirements, and board of
directors and executive management directives. Without such alignment, there is the
potential for confusion in coordinating various agendas and communicating the
overall enterprise risk vision. This vision should encompass risk tolerance guidance,
risk processes, expectations for the risk management function, and the integration of
risk processes such as IT security into standard IT operations.
3) Organization/Risk identification and profiling/Policies and standards.
ITRM should be supported by a proper definition of roles and responsibilities. In
addition, the ITRM program must define policies, standards, and guidelines that are
fair to all stakeholders, and that provide an effective management of the operational
procedures themselves. This includes specifying who has ownership and
accountability for defining the organization’s IT risk procedures, and for providing
the oversight and guidance for formulating them. Since organizations operate in a
constantly changing risk environment, the organization needs to define a consistent
process for identifying and classifying risk. This includes defining a taxonomy for
risks and internal controls, risk ratings, prioritization of gaps, and parameters for the
frequency of IT risk and internal controls assessments. Risk profiling reveals the gaps
in a company’s processes for managing its risks across the spectrum of potential
exposures — legal, political, economic, social, technological, environmental,
reputational, cultural, and marketing. Risk prioritization indicates the relative
importance of the risk, including the likelihood of the threat, the degree of
vulnerability and the potential business impact.
4) Process, risk and control framework.
The organization should have a framework incorporating an IT process, risk and control
framework (a library) with associations to regulatory, leading practices and internal
requirements. In addition, the organization needs to design methodologies and procedures to
enable a sustainable and repeatable assessment of IT risk in support of ITRM goals.
5) Risk processes and operational procedures.
Processes and operational procedures represent the heart of the execution phase of an ITRM
program and should be directly linked to the chosen risk management standard. This is the
critical point for ITRM. Core components should include:
• Scenario analysis for disasters and events
• Incident loss management to capture events and estimate their financial impact
• Assurance and regulatory coordination for the risk management processes to support the
continuous enhancement of IT-oriented risk data and processes
• Risk metrics and reporting to achieve continuous insight into risk exposure
• Issues management to operationalize the handling of issues
• Risk acceptance for the residual risks by management
• Threat and vulnerability management
• Crisis management during disasters or major events
• Awareness and training to increase the capabilities to achieve operational excellence in
ITRM
The audits that make an impact | Key IT internal audit considerations
IT risk management strategy assessment —
Assesses the framework and process IT has
embedded within the function to assess and
manage risks. Evaluates the actions taken to
mitigate risks and the level of accountability
within the process.
• How well does IT identify risks?
• What is done once a risk is
identified?
• Are IT risk management processes
followed?
• Does your IT risk program cover
all of IT including shadow IT?
• Is responsibility for risk coverage
clearly defined?
• How are IT risks identified,
remediated or accepted?
IT governance audit — Evaluates the
processes IT has in place to govern capital
allocation decisions, project approvals and
other critical decisions.
• Do formalized processes for governing
IT exist?
• What can be done to increase business
confidence in IT governance?
• Are your IT governance processes and
requirements applicable across all of
IT?
• Are there formal charters, mandates
and responsibilities documented and
followed by key steering committees?
IT risk assessment — Participates in IT’s own risk assessment (as opposed to the
independent IT internal audit risk assessment) as an advisory audit. Evaluates the risks
identified and provides insight given your unique perspective on the IT organization.
• Is there a comprehensive risk assessment performed to identify all IT risks?
• Is the IT risk assessment process effective?
• How can the process be enhanced?
• Is there an opportunity to coordinate the IT internal audit risk assessment with IT’s
own risk assessment?
Software/IT asset management
With increased focus on cost reduction in a global economy struggling to recover, effective
software asset management and IT asset management can make a significantly positive
impact by helping to reduce license-related expenses, improve IT service management by
more efficiently managing IT asset inventories, better manage compliance-related risk and
even improve overall operating efficiencies.
Leading IT directors and the chief information officers to whom they report are realizing that
effectively managing software assets can be a strategic advantage. For example, effective
asset management:
• Potentially reduces liability risk by maintaining license compliance and avoiding
related penalties
• Lowers potential costs by helping to avoid license and other IT asset “overbuying“
• Helps to more efficiently manage the otherwise resource-draining and labor-intensive
compliance processes
• Limits potential reputational risks associated with license violations or compliance-
related conflicts with vendors
Software licenses currently account for about 20% of typical IT costs, and the already
pervasive use of software continues to rise. At the same time, many IT directors are
noticing that their software vendors have become more diligent in ensuring that their
customers remain in compliance. IT leaders, members of the C-suite and shareholders have
come to expect increasingly more from their investments, including those that rely on IT
functions.
It is critical that IT auditors thoroughly understand software and IT asset management
processes and controls. It’s not just about cost management — strong IT asset management
processes affect the following, as examples:
•IT service management — IT asset management is critical to effectively locate and service
assets, replace and retire existing assets, etc.
•Information security — Without a clear view of existing IT assets and software, it’s
difficult to prioritize and evaluate the associated security risk of those assets.
•IT contract management — It is understandable that without an effective way to manage
an organization’s IT assets, it may be equally difficult to understand what contracts exist with
vendors for those assets, whether they are managed in a cost-effective manner and whether
any violations from contracts may exist.
The audits that make an impact | Key IT internal audit considerations
IT and software asset management process
and control audit — Assesses the design and
effectiveness of processes and controls IT
has deployed related to software and IT asset
management.
Reviews the impact of these processes on
related IT processes such as IT service
management, IT contract management and
information security.
• Do we have a comprehensive
approach to IT asset and software
management?
• How well do we manage software
license costs?
• Is there an IT and software asset
management technology solution in
place to support these processes? If
not, should there be?
Software license review — Performs a review of significant software license
agreements (e.g., ERPs) and evaluates the effectiveness of IT’s software asset
management process in practice. Assesses opportunities for cost reduction from
improving the management of software licenses.
• Are there opportunities to renegotiate
software licensing agreements based on
the way we actually utilize software
versus the way original contracts were
negotiated?
• Are we violating any existing
contractual agreements?
IT contract management assessment —
Evaluates the IT organization’s ability to
manage contracts and how effectively IT and
supply chain coordinate to manage costs and
negotiate effective agreements.
• Are IT asset and software contracts planned, executed, managed and
monitored effectively?
• Are there “shadow IT” contractual agreements executed in other parts of
the organization?
The benefits of effective SAM
A holistic consideration of SAM involves managing and improving all aspects of software
assets across most operational and organization components of the company. This big-picture
view not only helps companies build a more strategic and integrated approach to software
licenses, it also helps increase the number of benefits associated with effective management
and their potential impact. Among those benefits:
Cost control:
• Lower legal- and compliance-related expenses, including software audits.
• Better management of operational costs related to maintaining license compliance. For
example, securing better software licensing contracts — in which deployment and technical
architecture are clearly outlined and understood — helps
companies to negotiate more favorable deals with software vendors, thereby lowering overall
costs of their software procurement. Cost avoidance is achieved by rationalizing the software
portfolio to reduce redundant, overlapping or no-longer-necessary software licenses.
Reduction of risks:
• Contractual risk – Effective SAM helps to optimize clients’ negotiating position with their
vendors, outsourcers and potential merger & acquisition partners. Companies armed with
complete and insightful information will be better able to prevent third-party providers from
inserting increased risk premiums into their offers.
• Reputational risk – Clients may face public disclosure of under-licensing, which could
lead to significant adverse media coverage and penalties.
• Financial and budgetary risk – While settlements of vendor audits are normally confidential,
vendor audit activity has been increasing. There have been settlements in many cases in multiples
of millions of Euros per vendor for unlicensed applications. A recent Gartner report indicates that
more than 50% of their clients polled have been audited by at least one software vendor in the
last 12 months.
• Information security risk – Inadequately licensed software introduces the possibility that
clients may have deployed counterfeit and potentially unauthorized software. There is a risk that
such software may include malicious code and be operating at sub-standard levels.
Optimization of current assets and process:
• Enables license overpayment recovery.
• Facilitates preparations for mergers and acquisitions.
• Helps make vendor audits more time- and resource-efficient and delivers stronger
negotiating position through better management of license-related contracts.
• Helps IT leaders make better decisions through the use of better information.
• Increased confidence by both internal and external stakeholders.
• Promotes more efficient IT systems; less time and money spent toward compliance, and
more into making IT a more effective and strategic contributor to overall company goals and
objectives.
Five stages of the software asset life cycle
1. Plan :Activities performed prior to software procurement, including evaluating technical and
organizational requirements for the software asset,planning the required quality and quantity
(which impacts scale of discount), make-or-buy decisions, reviewing the inventory, etc. This
step also includes software portfolio rationalization.
2. Acquisition — Identification of potential vendors and negotiation of the most cost-efficient
contract and volume license deal are vital within this stage. At this time, the purchases/leases
are executed; received goods are checked,tagged and entered into the software asset
inventory.
45. 45
3. Deployment — Deployment begins when the software asset is made available for use.
Effective deployment helps to ensure the usage is recorded properly within the databases as
the foundation for many SAM procedures.
4. Manage — The keys to effective management are enhancing productivity within the existing
infrastructure and sustaining user satisfaction. Increased transparency can be established by
managing the distribution of software assets, license inventory, software upgrades and
maintenance activities. More sophisticated SAM facilities enable organizations to monitor
usage of software, enabling them to revoke software where it is not used and redeploy it to
another user, or to a license pool for future deployment.
5. Retire — Software asset retirement involves the planning and execution of orderly disposal of
the software assets, closing of contracts and licenses and proper de-installation. Where
licenses can be re-used, organizations should ensure software license availability is captured
for use by others in the organization. At the end of this stage, software assets may be disposed
of, sold or donated if feasible within the license contract.
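The Manage stage above rests on one reconciliation: installs discovered in the inventory compared against purchased entitlements, so that under-licensed products (the vendor audit and unlicensed-software risk described earlier) and idle installs that can go back to the license pool both surface. The following is an added example of that effective-license-position calculation, not code from the original slides; the product names, entitlement counts and last-use dates are constructed sample data.

```python
"""Software asset management (SAM) reconciliation: entitlements vs. deployed installs.
Added illustrative example; all product, host and date values are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample data: licenses purchased per product (the entitlement side)
ENTITLEMENTS = {"OfficePro": 10, "CADStudio": 2, "DBAdmin": 5}

# Constructed sample data: installs found by discovery (host, product, last-use date)
INVENTORY = [
    ("ws-01", "OfficePro", date(2024, 5, 1)),
    ("ws-02", "OfficePro", date(2023, 9, 1)),   # not used for months: reclaim candidate
    ("ws-03", "CADStudio", date(2024, 4, 20)),
    ("ws-04", "CADStudio", date(2024, 4, 22)),
    ("ws-05", "CADStudio", date(2024, 5, 2)),   # third install against two licenses
    ("ws-06", "VidEdit", date(2024, 5, 3)),     # no entitlement at all
]
REPORT_DATE = date(2024, 5, 10)  # constructed "as of" date for the position

@dataclass
class LicensePosition:
    product: str
    entitled: int
    deployed: int
    idle_hosts: list = field(default_factory=list)
    @property
    def shortfall(self): return max(0, self.deployed - self.entitled)  # unlicensed installs
    @property
    def surplus(self): return max(0, self.entitled - self.deployed)    # paid-for, unused

def reconcile(entitlements, inventory, as_of, idle_days=180):
    """Build one LicensePosition per product seen in either dataset, and list hosts
    whose install has not been used within idle_days of the as_of date."""
    deployed = Counter(product for _, product, _ in inventory)
    cutoff = as_of - timedelta(days=idle_days)
    positions = {}
    for product in sorted(set(entitlements) | set(deployed)):
        idle = sorted(h for h, p, last in inventory if p == product and last < cutoff)
        positions[product] = LicensePosition(product, entitlements.get(product, 0),
                                             deployed[product], idle)
    return positions

def audit_findings(positions):
    """Three finding sets: under-licensed products (audit exposure), idle installs to
    revoke and return to the pool, and surplus licenses (overpayment recovery)."""
    under = {p: lp.shortfall for p, lp in positions.items() if lp.shortfall}
    reclaim = {p: lp.idle_hosts for p, lp in positions.items() if lp.idle_hosts}
    surplus = {p: lp.surplus for p, lp in positions.items() if lp.surplus}
    return under, reclaim, surplus

if __name__ == "__main__":
    under, reclaim, surplus = audit_findings(reconcile(ENTITLEMENTS, INVENTORY, REPORT_DATE))
    print("Under-licensed:", under, "\nReclaim idle:", reclaim, "\nSurplus:", surplus)
```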
Social Media Risk Management
The social media elements that generate business opportunity for companies to extend
their brands are often the same elements that have created IT-related risk. Like the
borderless nature of social media itself, the various risks surrounding social media can
be borne by multiple enterprise functions at the same time, challenging companies to
understand how, when and where to engage their IT functions or plug risk coverage
gaps. Legal, compliance, regulatory, operational and public relations issues are at the
top of the list of potential IT-related social media risks that can ultimately cause
erosion of customers, market share and revenue. For example, on most of the popular
sites (Twitter, Facebook and LinkedIn), users are able to create company profiles and
communicate on behalf of the organization through social media channels. This can
create marketplace confusion because of multiple messages and different audiences,
policies and practices. Other more specific headline-grabbing examples of social
media-related risks include:
• Employees involved in social media inadvertently leaking sensitive company
information
• Criminal hackers “re-engineering” confidential information (e.g., log-ins and
passwords) based on information obtained from employee posts
• Employee misuse of social applications while at work
• Hacked, faked or compromised corporate or executive Twitter or Facebook fan pages
or individual accounts
• Multiple platforms creating more access for viruses, malware, cross-site scripting
and phishing
• Damage to a brand or company reputation from negative, embarrassing or even
incriminating employee or customer posts, even those that are well-intended
• Failure to establish complete and fully compliant archiving and record-retention
processes for corporate information shared on social media, especially in the health
care, financial services and banking industries
IT is heavily relied on to enable social media strategies in coordination with
marketing strategies. It is critical that IT internal audit has an understanding of the
organization’s social media strategy as well as the related IT risk. IT internal audit
must add value by providing leading practice enhancements and assurance that key
risks are mitigated.
But in addition to the many opportunities that social media generates, there are also
many new challenges. Social media — and everyone who has internet access — can
quickly build a company’s brand, but it can, with equal speed, crush it. The many
potential challenges include data security, privacy concerns, regulatory and
compliance requirements, and issues over employees’ use of work time and company
tools to engage in social media.
Some companies respond to specific social media-related challenges quickly by
enacting piecemeal solutions. This approach frequently results in lost time, energy
and money as executives are then forced to react to other social media-related issues
not originally addressed.
Leading practice companies are investing in a holistic, enterprise-wide social media
strategy, one that encompasses all efforts to protect and strengthen the brand and that
is robust and flexible enough to accommodate constantly changing technological
advances. Such an approach crosses all organizational lines, impacting human
resources, IT, legal, marketing, sales departments, customers, clients and suppliers.
The audits that make an impact / Key IT internal audit considerations

Social media risk assessment — Collaborates with the IT organization to assess the social
media activities that would create the highest level of risk to the organization. Evaluates
the threats to the organization’s information security through the use of social media. This
audit may be combined with a social media governance audit to then confirm policies have
been designed to address the highest risks to the organization.
• Does the organization understand what risks exist related to social media?
• How well are the identified risks managed?

Social media governance audit — Evaluates the design of policies and procedures in place
to manage social media within the organization. Reviews policies and procedures against
leading practices.
• Does a governance process exist for social media within the organization?
• How well are policies related to social media known amongst employees?

Social media activities audit — Audits the social media activities of the organization and
its employees against the policies and procedures in place. Identifies new risks and assists
in developing policies and controls to address the risks.
• Are social media activities aligned to policy?
• What corrective actions need to be put in place given activity?
• How does existing activity affect brand and reputation?
Data loss prevention and privacy
Over the last few years, companies in every industry sector around the globe have seen their
sensitive internal data lost, stolen or leaked to the outside world. A wide range of high-profile
data loss incidents have cost organizations millions of dollars in direct and indirect costs and
have resulted in tremendous damage to brands and reputations. Many types of incidents have
occurred, including the sale of customer account details to external parties and the loss of
many laptops, USB sticks, backup tapes and mobile devices, to name a few. The vast
majority of these incidents resulted from the actions of internal users and trusted third parties,
and most have been unintentional. As data is likely one of your organization’s most valuable
assets, protecting it and keeping it out of the public domain is of paramount importance. To
accomplish this, a number of data loss prevention (DLP) controls must be implemented,
combining strategic, operational and tactical measures. However, before DLP controls can be
effectively implemented, your organization must understand the answers to these three
fundamental questions:
• What sensitive data do you hold?
• Where does your sensitive data reside, both internally and with third parties?
• Where is your data going?
The audits that make an impact / Key IT internal audit considerations

Data governance and classification audit — Evaluates the processes management has put
in place to classify data, and to develop plans to protect the data based on the classification.
• What sensitive data do we hold — what is our most important data?
• Where does our sensitive data reside, both internally and with third parties?
• Where is our data going?

DLP control review — Audits the controls in place to manage privacy and data in motion,
in use and at rest. Considers the following scope areas: perimeter security, network
monitoring, use of instant messaging, privileged user monitoring, data sanitation, data
redaction, export/save control, endpoint security, physical media control, disposal and
destruction, and mobile device protection.
• What controls do we have in place to protect data?
• How well do these controls operate?
• Where do our vulnerabilities exist, and what must be done to manage these gaps?

Privacy regulation audit — Evaluates the privacy regulations that affect the organization,
and assesses management’s response to these regulations through policy development,
awareness and control procedures.
• How well do we understand the privacy regulations that affect our global business? For
example, HIPAA is potentially a risk to all organizations, not just health care providers or
payers.
• Do we update and communicate policies in a timely manner?
Conclusion
Understanding the risks addressed in this thought leadership, sharing and discussing them
with clients, and mapping out a strategy to make sure they are addressed is a simple, yet
crucial step toward IT internal audit performance success. Coupled with strong data, new
technology, global leading practices and strong collaboration with the organization’s risk
function, IT internal audit executives can use this list to help provide their clients’
organizations with competitive advantage.
Helping to provide clarity, this thought leadership lists 10 considerations related to
information technology. Knowing these considerations, sharing and discussing them with
clients, and mapping out a strategy to make sure they are addressed is a simple, yet crucial
step toward generating confidence that the IT audit function is doing its job. Armed with
strong data and new technology, and leveraging leading practices and strong collaboration
with the organization’s risk function, IT internal audit executives can use this list to help
enrich clients’ understanding of the dangers that could imperil their very survival, and build a
strategic plan to address them.
Bibliography
Books:
IT Audit, Control, and Security, by Robert Moeller
CISA: Certified Information Systems Auditor Study Guide
Websites:
www.isaca.org
www.wikipedia.org
www.kpit.com
www.ey.com
https://home.kpmg.com/us/en/home.html