Achieving Business Imperatives through IT Governance and Risk


Slide 1: Achieving Business Imperatives through IT Governance and Risk
IBM Global Technology Services
Peter Stremus, Internet Security Systems, an IBM Company

Slide 2: Introduction: Compliance Value
Over the past 15 years in the IT industry, people have been searching for better ways of illustrating (and thus measuring) the value that IT can provide to the business. This presentation provides an example of an executed approach used to successfully illustrate the value of an IT control activity for business and compliance. This approach can provide a solid foundation for successfully leveraging your compliance investments through the use of best-practice standards and frameworks.

Slide 3: Trends: The Financial Industry
- Competition in the financial industry has become critically dependent on IT, as banks now spend the majority of non-compensation costs on IT and communications.
- Case studies of peers support the decisions made by other financial institutions to move to a fully centralized global IT governance model.
- The recent economic downturn and declining capital markets have caused banks to tighten financial control and trim costs.
- Increased criminal activity, such as Internet fraud and terrorism, heightens the need for security and wider reporting capabilities.

Slide 4: Trends: Legislation & Regulations
- Sarbanes-Oxley Act
- CMA
- FSA
- Terrorism Act 2000
- Obscene Publications Act
- Gramm-Leach-Bliley
- Copyright, Designs & Patents Act
- Privacy and Electronic Comms.
- HIPAA
- Basel II
- Freedom of Information Act
- Data Protection Act
- RIPA

Slide 5: Issues: Aligning Business and IT
Four levels of IT risk:
- Strategic level: decisions on business strategy
- Programme level: decisions transforming strategy into action
- Project level: decisions required to enable implementation of actions
- Operational level
Source: Office of Government Commerce, Management of Risk Framework

Slide 6: Aligning IT with Business
An effective IT risk approach addresses critical performance issues at both the Group level and the BU/LE levels.
Group-level key interests:
- Does IT support the achievement of organizational objectives?
- Are targeted enterprise-wide IT synergies being achieved?
- Are IT risks being identified and managed?
BU-level key interests:
- Does IT deliver on its service level commitments?
- Do investments in IT positively affect business productivity?
- Are IT costs being managed effectively?

Slide 7: Challenges: Business Alignment
IT Risk Management is a key stakeholder in maintaining a balance between the business needs and the value associated with an IT solution. The business value of IT is dependent upon linking the business process to the supporting IT automation activity.
The slide's alignment diagram links the following elements:
- Organization/Business Objectives: Profitable Growth, Client Satisfaction, Employer of Choice, Strengthen Reputation
- Competitive/Leader Objectives
- Business Goal
- Compliance
- IT Solution Framework(s): CobiT, ISO, ITIL
- Risk Assessment: High-level (Self-Assessment), Low-level (Detailed)
- IT Automation: Level of Process Automation
Business: An increasing number of business processes rely on IT automation (e.g. on-line banking).
IT: Although the business risk is owned by the business, automating the processes increases the dependency on effective IT risk management.
Risk Mitigation: Pragmatic IT risk mitigation options align a more precise IT solution to support business needs without over-engineering.

Slide 8: Example: Compliance Approach and Roadmap
The approach is executed through 5 phases.
Phase 1: Identification
- Identify the organization and business goals, objectives and/or process.
- Identify the relevant framework(s).
- Identify the relevant control practices or activities.
Phase 2: Cross-Reference
- Execute cross-reference mapping to all identified frameworks and standards.
- Execute cross-reference mapping to all identified compliance initiatives.
- Execute cross-reference mapping to all identified IT roles/areas.
Phase 3: Risk Analysis / Assessment
- Perform a high-level risk analysis/self-assessment and record initial results as a benchmark for maturity measurement.
- Review self-assessment results and identify probable business and IT owners.
- Based on risk results, perform a detailed risk assessment to include asset impact, risk realization cost and acceptable level of risk.
Phase 4: Risk Mitigation
- Identify potential risk mitigation options (e.g. products or services).
- Identify all associated costs for each mitigation option.
- Identify any residual risk.
- Compare costs associated with each risk mitigation option against the risk realization cost to identify TCO/ROI.
Phase 5: Evaluate Results / Value Mapping
- Review IT risk mitigation options with the business.
- If accepted, initiate a project to implement the selected IT risk mitigation option.
- Map the value associated with the IT activity back to the organization and business goals or objectives.
- Review the relevance of the IT control activity to the cross-references for frameworks and compliance.

Slide 9: Example: Compliance Business Goal
Phase 1: Identification
- Identify the organization and business goals, objectives and/or process.
- Identify the relevant framework(s).
- Identify the relevant control practices or activities.
Worked example:
- Organization/Business Objectives: Client Satisfaction, Strengthen Reputation
- Business Goal #14: Compliance with external laws and regulations (Sarbanes-Oxley, HIPAA, GLBA, etc.)
- Framework: CobiT Version 4
- CobiT Process DS 5: Ensure System Security
  - Control Objective DS 5.5: Security Testing, Surveillance and Monitoring
    - Control Activity: Monitor potential and actual security incidents
    - Control Activity: Conduct regular vulnerability assessments
  - Control Objective DS 5.10: Network Security
    - Control Activity: Implement and maintain technical and procedural controls to protect information flows across networks.

Slide 10: Example: Compliance Cross-Reference
Phase 2: Cross-Reference
- Execute cross-reference mapping to all identified frameworks and standards.
- Execute cross-reference mapping to all identified compliance initiatives.
- Execute cross-reference mapping to all identified IT roles/areas.
Cross-reference sources used in the example:
- Frameworks: BIT-map (1) mapping CobiT Versions 3 & 4 to ISO Versions 2000 & 2005; Aligning CobiT, ITIL and ISO17799 for Business Benefit
- Compliance Initiatives: IT Control Objectives for Sarbanes-Oxley
- IT Roles/Areas: CobiT Role and Responsibility Matrix
(1) Tool for Framework, Compliance and IT Role Cross-Reference Mapping.

Slide 11: Example: Compliance Risk Analysis/Assessment
Phase 3: Risk Analysis / Assessment
- Perform a high-level risk analysis/self-assessment and record initial results as a benchmark for maturity measurement.
- Review self-assessment results and identify probable business and IT owners.
- Based on risk results, perform a detailed risk assessment to include asset impact, risk realization cost and acceptable level of risk.
High-level risk analysis/self-assessment: many tools are currently available (e.g. BIT-map).
Review the risk analysis/self-assessment results and identify probable business and IT owners.
The detailed risk assessment consists of 4 main activities, whose combined result is the total risk:
- Threat: identify the potential threat to the business and the IT systems supporting the process (X-Force Threat Notification Service).
- Vulnerability: identify the vulnerability associated with the IT systems supporting the process (Vulnerability Assessment).
- Asset: identify the assets located on the vulnerable IT systems.
- Probability / Activity: calculate the probability or identify any current activity (IDS / IPS / Network Anomaly Detection).
Total risk in the example = Risk of Unauthorized Access to Sensitive Data.

Slide 12: Example: Compliance Risk Mitigation
Phase 4: Risk Mitigation
- Identify potential risk mitigation options (e.g. products or services).
- Identify all associated costs for each mitigation option.
- Identify any residual risk.
- Compare costs associated with each risk mitigation option against the risk realization cost to identify TCO/ROI.
Risk = Unauthorized Access to Sensitive Data
Risk mitigation options, CobiT Process DS 5: Ensure System Security
- Control Objective DS 5.5: Security Testing, Surveillance and Monitoring
  - Control Activity: Monitor potential and actual security incidents. Options: Proventia Server; Proventia Desktop
  - Control Activity: Conduct regular vulnerability assessments. Option: Vulnerability Assessment (Internet Scanner)
- Control Objective DS 5.10: Network Security
  - Control Activity: Implement and maintain technical and procedural controls to protect information flows across networks. Option: Intrusion Prevention & Network Anomaly Detection
Costs, residual risk and TCO: calculate a business case.
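The phase 3 scoring and phase 4 comparison above, carried through in Python as an added worked example that is not part of the original deck: the four assessment factors are combined into a risk realization cost, each mitigation option is priced against the risk it removes, and options are taken in ROI order until the residual risk falls within the acceptable level. The multiplicative combination of the factors, the option costs and the reduction fractions are assumptions of this example; only the risk and the option names come from the slides.

```python
"""Phase 3 detailed risk assessment and phase 4 mitigation business case.

All figures below are constructed for illustration. The slide lists the four
assessment factors but not how they combine; multiplying them is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """Phase 3: the four detailed-assessment activities for one risk."""
    name: str
    threat: float         # 0..1, likelihood a threat targets the process (threat notification)
    vulnerability: float  # 0..1, exploitability of the supporting systems (vulnerability assessment)
    asset_value: float    # monetary impact if the assets on those systems are compromised
    activity: float       # 0..1, probability / currently observed activity (IDS, IPS, anomaly detection)

    def realization_cost(self) -> float:
        """Total risk as an expected loss: threat x vulnerability x activity x asset value."""
        for factor in (self.threat, self.vulnerability, self.activity):
            if not 0.0 <= factor <= 1.0:
                raise ValueError("threat, vulnerability and activity must lie in [0, 1]")
        return self.threat * self.vulnerability * self.activity * self.asset_value


@dataclass(frozen=True)
class MitigationOption:
    """Phase 4 candidate: a product or service mapped to a control activity."""
    name: str
    control_activity: str
    annual_cost: float    # annualised total cost of ownership of the option (constructed)
    reduction: float      # 0..1, share of the remaining risk this control removes (constructed)


def option_roi(exposure: float, option: MitigationOption) -> float:
    """Stand-alone ROI of one option against an exposure: (risk avoided - cost) / cost."""
    if option.annual_cost <= 0.0:
        raise ValueError("annual_cost must be positive")
    avoided = exposure * option.reduction
    return (avoided - option.annual_cost) / option.annual_cost


def select_mitigations(scenario, options, acceptable_risk):
    """Greedy selection in order of stand-alone ROI.

    An option is taken only while the residual risk is still above the
    acceptable level and the option removes more risk than it costs at that
    point; this stops the solution from being over-engineered. Returns
    (selected option names, residual risk, total annual cost)."""
    exposure = scenario.realization_cost()
    residual = exposure
    selected, total_cost = [], 0.0
    for opt in sorted(options, key=lambda o: option_roi(exposure, o), reverse=True):
        if residual <= acceptable_risk:
            break
        marginal_avoided = residual * opt.reduction
        if marginal_avoided <= opt.annual_cost:
            continue  # costs more than the risk it would still remove
        selected.append(opt.name)
        total_cost += opt.annual_cost
        residual *= (1.0 - opt.reduction)
    return selected, residual, total_cost


def business_case(scenario, options, acceptable_risk):
    """Phase 4 output for review with the business: costs, residual risk and TCO/ROI."""
    exposure = scenario.realization_cost()
    selected, residual, cost = select_mitigations(scenario, options, acceptable_risk)
    avoided = exposure - residual
    return {
        "risk": scenario.name,
        "risk_realization_cost": exposure,
        "selected": selected,
        "total_cost": cost,
        "residual_risk": residual,
        "within_acceptable_level": residual <= acceptable_risk,
        "roi": (avoided - cost) / cost if cost else 0.0,
    }


# Constructed sample: the risk from the slides with invented factor scores.
UNAUTHORIZED_ACCESS = RiskScenario(
    name="Unauthorized Access to Sensitive Data",
    threat=0.8, vulnerability=0.5, asset_value=1_000_000.0, activity=0.5,
)

# Option names follow slide 12; costs and reduction fractions are constructed.
# The last option is a deliberately over-engineered candidate that should be rejected.
OPTIONS = [
    MitigationOption("Proventia Server", "Monitor potential and actual security incidents", 40_000.0, 0.6),
    MitigationOption("Internet Scanner", "Conduct regular vulnerability assessments", 15_000.0, 0.3),
    MitigationOption("IPS / Network Anomaly Detection", "Protect information flows across networks", 20_000.0, 0.5),
    MitigationOption("Full network re-architecture", "Protect information flows across networks", 300_000.0, 0.9),
]

if __name__ == "__main__":
    case = business_case(UNAUTHORIZED_ACCESS, OPTIONS, acceptable_risk=30_000.0)
    for key, value in case.items():
        print(f"{key:>24}: {value}")
```

Lowering the acceptable level below what the affordable options can reach leaves `within_acceptable_level` false, which is the signal to take the residual risk back to the business rather than buy the over-engineered option.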

Slide 13: Example: Compliance Value Mapping
Phase 5: Evaluate Results / Value Mapping
- Review IT risk mitigation options with the business.
- If accepted, initiate a project to implement the selected IT risk mitigation option.
- Map the value associated with the IT activity back to the organization and business goals or objectives.
- Review the relevance of the IT control activity to the cross-references for frameworks and compliance.
Mapping the value in the example:
- Organization/Business Objectives: Client Satisfaction, Strengthen Reputation
- Business Goal: SOX Compliance
- Business Process: Direct Net
- IT Automation: Level of Process Automation
- Framework: CobiT
- Risk Assessment: Unauthorized Access
- Risk Mitigation: Proventia Server and Desktop; Vulnerability Assessment; IPS/Anomaly Detection
- IT Solution / Control Activity: Monitor potential and actual security incidents
- Relevance (cross-reference): SOX, HIPAA and GLBA relevant; ISO17799 (9.4, 9.5, 9.7, 10.4) and ITIL (Security Mgmt. 4.2) relevant

Slide 14: IDS vs. IPS (Internet Security Systems)
The objective in implementing any control is to ensure the reduction or mitigation of the risk affecting the success in achieving the business goals. The example below illustrates how IDS/IPS help in facilitating the controls to support service availability and compliance with policies and regulations.
ISO 17799:2005 controls (the slide marks each against two columns, IDS and IPS):
- Controls against malicious code
- Network controls
- Business Information Systems
- Publicly available information
- Policy on use of network services
- Segregation in networks
- Network connection control
- Sensitive system isolation
- Information leakage
- Control of technical vulnerabilities
- Business continuity and risk assessment
- Data protection and privacy of personal information
- Prevention of misuse of information processing facilities
- Compliance with security policies and standards

Slide 15: Issues: Addressing Compliance
- IT governance currently in place.
- Method for measuring the alignment of IT and the Group strategy.
- Internal drivers for synergies / group-minded IT activities and decisions.

Slide 16: Issues: Addressing Compliance (cont.)
- Implement a centrally led approach with respect to Group-wide cost saving projects.
- Link incentives of Business Managers to Group-wide project leadership performance.
- Impart a sense of urgency to all Business Divisions for implementation of Group-wide issues.
- Clear communication of the Group's IT governance objectives to Business Division Management.

Slide 17: Issues: Impacts
- Analysts question large IT costs arising in an unclear governance environment.
- Business Divisions might make independent decisions and duplicate effort, i.e. the focus should be on a "cooperative" approach.
- Isolated decisions potentially lead to negative overall cost implications.
- Regulatory scrutiny: proof of compliance becomes increasingly difficult ("SOX", Basel II, etc.).

Slide 18: Information Security Landscape: Attributes for IT Risk Management (1)
- Federalized (Centralized) IT Risk Management: pioneering companies balance center-led template creation and coordination with assessment and mitigation efforts conducted at the local level.
- IT Security Risk Assessments: pioneering companies are developing frameworks to measure relative internal risk and creating mechanisms to monitor the security controls of critical external partners.
- Centrally Coordinated Business Continuity Planning: leading organizations are chartering cross-functional business continuity governance committees (including IT) to set policies, coordinate planning efforts, establish enterprise priorities, and invest in communication tools.
- Risk-Based Project Prioritization and Execution: exemplars deploy tools to surface and mitigate critical technological, organizational, and strategic risks across the project management life cycle.
- Collaboration for Regulatory Compliance: exemplar IT organizations support compliance efforts by tracking and reporting line unit progress, driving standardization across the company, and prioritizing the most critical controls.
- Comprehensive Sourcing Due Diligence: exemplar organizations conduct extensive due diligence regarding application eligibility for externalization and the fiscal health of service providers.
(1) Source: The Information Risk Executive Working Council for Chief Information Officers, conducted by the Corporate Executive Board (CEB).

Slide 19: Information Security Standards: Best Practice
- ISO/IEC 17799 / ISO/IEC Code of Practice for Information Security Management: provides best practice for information security management; the basis upon which baseline controls can be validated.
- ITIL (IT Infrastructure Library): best practice for IT service management.
- COSO (Committee of Sponsoring Organisations of the Treadway Commission): provides best practice on financial controls.
- COBIT (Control Objectives for IT and Related Technology).

Slide 20: Information Security Standards: Standards
- ISO/IEC 17799:2005 Code of Practice for Information Security Management
- ISO/IEC Guidelines for the Management of IT Security
- NIST (National Institute of Standards and Technology)

Slide 21: Solution Summary: Roadmap (1)
Phase 1: Identification
1. Identify the organisation and business objectives.
2. Identify the business process.
3. Identify the relevant framework(s).
4. Identify the relevant control practices or activities.
Phase 2: Cross-Reference
1. Execute cross-reference mapping to all identified frameworks and standards.
2. Execute cross-reference mapping to all identified compliance initiatives.
3. Execute cross-reference mapping to all identified IT areas, departments and roles.
Phase 3: Self-Assessment / Benchmark
1. Perform a high-level self-assessment.
2. Record initial results as a benchmark for maturity measurement.
3. Review self-assessment results at both an aggregated level and control practice/activity level.
4. Based on risk results, perform a detailed risk assessment to include asset impact and risk realization cost.
Phase 4: IT Risk Mitigation
1. Identify potential risk mitigation options (e.g. products or services).
2. Identify all associated costs for each mitigation option.
3. Identify any residual risk.
4. Compare costs associated with each risk mitigation option against the risk realization cost to identify TCO/ROI.
Phase 5: Evaluate Results
1. Review IT risk mitigation options with the business.
2. If accepted, initiate a project to implement the selected IT risk mitigation option.
3. Map the value associated with the IT activity back to the organization and business objectives.
4. Review the relevance of the IT activity to the cross-references for frameworks and compliance initiatives.
(1) Source: Bit-Map 4VAC GmbH

Slide 22: Solution Summary: Mapping Compliance
Defining the objectives:
- Extracting value from compliance investments
- Addressing future compliance initiatives effectively and efficiently
With the adoption of an anchor framework, mapping compliance-related initiatives can begin. Sarbanes-Oxley and Basel II were among the first to be selected for compliance mapping.

Slide 23: Solution Summary: Risk Mitigation Options
The challenge is in balancing a control activity with business needs.

Slide 24: Risk Mitigation Options (cont.)
- Control Activity: Deploy Internet Security Systems Proventia Integrated Appliance
- Control Activity: Update latest Express Updates (XPUs) on Proventia appliance

Slide 25: Risk Mitigation Activities to Solutions
The objective in implementing any control is to ensure the reduction or mitigation of the risk affecting the success in achieving the business goals. The example below illustrates how IDS/IPS help in facilitating the controls to support service availability and compliance with policies and regulations.
ISO 17799:2005 controls (the slide marks each against two columns, IDS and IPS):
- Controls against malicious software
- Controls against malicious code
- Network controls
- Business Information Systems
- Publicly available information
- Policy on use of network services
- Segregation in networks
- Network connection control
- Sensitive system isolation
- Information leakage
- Control of technical vulnerabilities
- Business continuity and risk assessment
- Data protection and privacy of personal information
- Prevention of misuse of information processing facilities
- Compliance with security policies and standards

Slide 26: Map IT Activity to Business Objectives
With an effective IT risk management approach in place, the key interests of Credit Suisse are addressed, providing IT alignment with the business.
IT risk management steps: Identify; Cross-reference mapping; Risk Assessment; Risk Mitigation Options; Map IT control practice/activity.
Group key interests (each marked as addressed: YES):
- Does IT support the achievement of organizational objectives?
- Are targeted enterprise-wide IT synergies being achieved?
- Are IT risks being identified and managed?
BU key interests (each marked as addressed: YES):
- Does IT deliver on its service level commitments?
- Do IT investments positively affect business productivity?
- Are IT costs being managed effectively?



More information

Achieving SOX Compliance with Masergy Security Professional Services

Achieving SOX Compliance with Masergy Security Professional Services Achieving SOX Compliance with Masergy Security Professional Services The Sarbanes-Oxley (SOX) Act, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 (and commonly called

More information

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s

More information

Key Speculations & Problems faced by Cloud service user s in Today s time. Wipro Recommendation: GRC Framework for Cloud Computing

Key Speculations & Problems faced by Cloud service user s in Today s time. Wipro Recommendation: GRC Framework for Cloud Computing Contents Introduction Why GRC Assessment Benefits of Cloud computing and Problem Statement Key Speculations & Problems faced by Cloud service user s in Today s time Threats, Vulnerabilities and related

More information

Impact of New Internal Control Frameworks

Impact of New Internal Control Frameworks Impact of New Internal Control Frameworks Webcast: Tuesday, February 25, 2014 CPE Credit: 1 0 With You Today Bob Jacobson Principal, Risk Advisory Services Consulting Leader West Region Bob.Jacobson@mcgladrey.com

More information

CORE Security and GLBA

CORE Security and GLBA CORE Security and GLBA Addressing the Graham-Leach-Bliley Act with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com

More information

IBM Internet Security Systems October 2007. FISMA Compliance A Holistic Approach to FISMA and Information Security

IBM Internet Security Systems October 2007. FISMA Compliance A Holistic Approach to FISMA and Information Security IBM Internet Security Systems October 2007 FISMA Compliance A Holistic Approach to FISMA and Information Security Page 1 Contents 1 Executive Summary 1 FISMA Overview 3 Agency Challenges 4 The IBM ISS

More information

Unified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES

Unified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES Unified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES SOX COMPLIANCE Achieving SOX Compliance with Professional Services The Sarbanes-Oxley (SOX)

More information

Using Assurance Models in IT Audit Engagements

Using Assurance Models in IT Audit Engagements Using Assurance Models in IT Audit Engagements Adrian Baldwin, Yolanta Beres, Simon Shiu Trusted Systems Laboratory HP Laboratories Bristol HPL-2006-148R1 January 29, 2008* audit, assurance, compliance,

More information

Preparation Guide. Side entry to the EXIN Expert in IT Service Management based on ISO/IEC 20000

Preparation Guide. Side entry to the EXIN Expert in IT Service Management based on ISO/IEC 20000 Preparation Guide Side entry to the EXIN Expert in IT Service Management based on ISO/IEC 20000 Edition June 2015 Copyright 2015 EXIN All rights reserved. No part of this publication may be published,

More information

The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach

The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach by Philippe Courtot, Chairman and CEO, Qualys Inc. Information Age Security Conference - London - September 25

More information

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012 The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only Agenda Introduction Basic program components Recent trends in higher education risk management Why

More information

IT Risk Management Life Cycle and enabling it with GRC Technology

IT Risk Management Life Cycle and enabling it with GRC Technology IT Risk Management Life Cycle and enabling it with GRC Technology Debbie Lew (debbie.lew@ey.com), Senior Manager, E&Y Steven Jones (steven.jones@ey.com), Senior Manager, E&Y Overview 1. What is risk management?

More information

Information Security Risk Management

Information Security Risk Management Information Security Risk Management Based on ISO/IEC 17799 Houman Sadeghi Kaji Spread Spectrum Communication System PhD., Cisco Certified Network Professional Security Specialist BS7799 LA info@houmankaji.net

More information

WHITEPAPER. Compliance: what it means for databases

WHITEPAPER. Compliance: what it means for databases WHITEPAPER Compliance: what it means for databases Introduction Compliance is the general term used to describe the efforts made by many (typically larger) organizations to meet regulatory standards. In

More information

An Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011

An Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011 An Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011 Brian McLean, CISSP Sr Technology Consultant, RSA Changing Threats and More Demanding Regulations External

More information

Risk Assessment & Enterprise Risk Management

Risk Assessment & Enterprise Risk Management Risk Assessment & Enterprise Risk 1 Healthcare Corporate Governance Today s environment requires building a culture of risk awareness and management of risk across the organization, while formulating less

More information

Information Security Management Systems

Information Security Management Systems Information Security Management Systems Øivind Høiem CISA, CRISC, ISO27001 Lead Implementer Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector

More information

Information Security Management System for Microsoft s Cloud Infrastructure

Information Security Management System for Microsoft s Cloud Infrastructure Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System

More information

The Value of Vulnerability Management*

The Value of Vulnerability Management* The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda

More information

Certified Software Quality Assurance Professional VS-1085

Certified Software Quality Assurance Professional VS-1085 Certified Software Quality Assurance Professional VS-1085 Certified Software Quality Assurance Professional Certified Software Quality Assurance Professional Certification Code VS-1085 Vskills certification

More information

Improving Residual Risk Management Through the Use of Security Metrics

Improving Residual Risk Management Through the Use of Security Metrics Improving Residual Risk Management Through the Use of Security Metrics Every investment in security should be effective in reducing risk, but how do you measure it? Jonathan Pagett and Siaw-Lynn Ng introduce

More information

BADM 590 IT Governance, Information Trust, and Risk Management

BADM 590 IT Governance, Information Trust, and Risk Management BADM 590 IT Governance, Information Trust, and Risk Management Information Technology Infrastructure Library (ITIL) Spring 2007 By Po-Kun (Dennis), Tseng Abstract: This report is focusing on ITIL framework,

More information

World Intrusion Detection and Intrusion Prevention Systems Markets

World Intrusion Detection and Intrusion Prevention Systems Markets Brochure More information from http://www.researchandmarkets.com/reports/365289/ World Intrusion Detection and Intrusion Prevention Systems Markets Description: This Frost & Sullivan research service entitled

More information

IT Governance Dr. Michael Shaw Term Project

IT Governance Dr. Michael Shaw Term Project IT Governance Dr. Michael Shaw Term Project IT Auditing Framework and Issues Dealing with Regulatory and Compliance Issues Submitted by: Gajin Tsai gtsai2@uiuc.edu May 3 rd, 2007 1 Table of Contents: Abstract...3

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

The Workplace of the Future and Mobile Device Risk ISACA Pittsburgh. May 20 th, 2013

The Workplace of the Future and Mobile Device Risk ISACA Pittsburgh. May 20 th, 2013 The Workplace of the Future and Mobile Device Risk ISACA Pittsburgh May 20 th, 2013 Companies are leveraging mobile computing today Three major consumption models: 1. Improving productivity Improving employee

More information

Making Compliance Work for You

Making Compliance Work for You white paper Making Compliance Work for You with application lifecycle management Rocket bluezone.rocketsoftware.com Making Compliance Work for You with Application Lifecycle Management A White Paper by

More information

GLOBAL STANDARD FOR INFORMATION MANAGEMENT

GLOBAL STANDARD FOR INFORMATION MANAGEMENT GLOBAL STANDARD FOR INFORMATION MANAGEMENT Manohar Ganshani Businesses have today expanded beyond local geographies. Global presence demands uniformity within the processes across disparate locations of

More information

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments

More information

Ecom Infotech. Page 1 of 6

Ecom Infotech. Page 1 of 6 Ecom Infotech Page 1 of 6 Page 2 of 6 IBM Q Radar SIEM Intelligence 1. Security Intelligence and Compliance Analytics Organizations are exposed to a greater volume and variety of threats and compliance

More information

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) COBIT 5 For Cyber Security Governance and Management Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) Cybersecurity Governance using COBIT5 Cyber Defence Summit Riyadh, KSA

More information

Feature. Log Management: A Pragmatic Approach to PCI DSS

Feature. Log Management: A Pragmatic Approach to PCI DSS Feature Prakhar Srivastava is a senior consultant with Infosys Technologies Ltd. and is part of the Infrastructure Transformation Services Group. Srivastava is a solutions-oriented IT professional who

More information

Domain 5 Information Security Governance and Risk Management

Domain 5 Information Security Governance and Risk Management Domain 5 Information Security Governance and Risk Management Security Frameworks CobiT (Control Objectives for Information and related Technology), developed by Information Systems Audit and Control Association

More information

Enforcive / Enterprise Security

Enforcive / Enterprise Security TM Enforcive / Enterprise Security End to End Security and Compliance Management for the IBM i Enterprise Enforcive / Enterprise Security is the single most comprehensive and easy to use security and compliance

More information

CYBER SECURITY INFORMATION SHARING & COLLABORATION

CYBER SECURITY INFORMATION SHARING & COLLABORATION Corporate Information Security CYBER SECURITY INFORMATION SHARING & COLLABORATION David N. Saul Senior Vice President & Chief Scientist 28 June 2013 Discussion Flow The Evolving Threat Environment Drivers

More information

A Sarbanes-Oxley Roadmap to Business Continuity

A Sarbanes-Oxley Roadmap to Business Continuity A Sarbanes-Oxley Roadmap to Business Continuity NEDRIX Conference June 23, 2004 Dr. Eric Schmidt eschmidt@controlsolutions.com Control Solutions International TECHNOLOGY ADVISORY, ASSURANCE & RISK MANAGEMENT

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all

More information

HP and netforensics Security Information Management solutions. Business blueprint

HP and netforensics Security Information Management solutions. Business blueprint HP and netforensics Security Information Management solutions Business blueprint Executive Summary Every day there are new destructive cyber-threats and vulnerabilities that may limit your organization

More information

How to Lock Down Data Privacy at the IT Worker Level

How to Lock Down Data Privacy at the IT Worker Level About this research note: Management & Staffing notes offer guidance on effectively managing people within an IT operation and dealing with associated leadership, staffing, and project management issues.

More information

Governance and Management of Information Security

Governance and Management of Information Security Governance and Management of Information Security Øivind Høiem, CISA CRISC Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector secretary for information

More information

INFORMATION SYSTEMS. Revised: August 2013

INFORMATION SYSTEMS. Revised: August 2013 Revised: August 2013 INFORMATION SYSTEMS In November 2011, The University of North Carolina Information Technology Security Council [ITSC] recommended the adoption of ISO/IEC 27002 Information technology

More information

CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes.

CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes. TECHNOLOGY BRIEF: REDUCING COST AND COMPLEXITY WITH GLOBAL GOVERNANCE CONTROLS CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes. Table of Contents Executive

More information

The Role of Internal Audit In Business Continuity Planning

The Role of Internal Audit In Business Continuity Planning The Role of Internal Audit In Business Continuity Planning Dan Bailey, MBCP Page 0 Introduction Dan Bailey, MBCP Senior Manager Protiviti Inc. dan.bailey@protiviti.com Actively involved in the Information

More information

HP Application Security Center

HP Application Security Center HP Application Security Center Web application security across the application lifecycle Solution brief HP Application Security Center helps security professionals, quality assurance (QA) specialists and

More information

White paper September 2009. Realizing business value with mainframe security management

White paper September 2009. Realizing business value with mainframe security management White paper September 2009 Realizing business value with mainframe security management Page 2 Contents 2 Executive summary 2 Meeting today s security challenges 3 Addressing risks in the mainframe environment

More information

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Executive Summary As cloud service providers mature, and expand and refine their offerings, it is increasingly difficult for

More information

The Age of Audit: The Crucial Role of the 4 th A of Identity and Access Management in Provisioning and Compliance

The Age of Audit: The Crucial Role of the 4 th A of Identity and Access Management in Provisioning and Compliance The Age of Audit: The Crucial Role of the 4 th A of Identity and Access Management in Provisioning and Compliance Consul risk management, Inc Suite 250 2121 Cooperative Way Herndon, VA 20171 USA Tel: +31

More information

Information & Asset Protection with SIEM and DLP

Information & Asset Protection with SIEM and DLP Information & Asset Protection with SIEM and DLP Keeping the Good Stuff in and the Bad Stuff Out Professional Services: Doug Crich Practice Leader Infrastructure Protection Solutions What s driving the

More information

An Implementation Roadmap

An Implementation Roadmap An Implementation Roadmap The 2nd Abu Dhabi IT s Forum P J Corum, CSQA, CSTE, ITSM Managing Director Quality Assurance Institute Middle East and Africa Dubai, UAE Quality Assurance Institute Middle East

More information

How To Manage Information Security At A University

How To Manage Information Security At A University Data Management & Protection: Roles & Responsibilities Document Version: 1.0 Effective Date: December, 2008 Original Issue Date: December, 2008 Most Recent Revision Date: November 29, 2011 Approval Authority:

More information

A Flexible and Comprehensive Approach to a Cloud Compliance Program

A Flexible and Comprehensive Approach to a Cloud Compliance Program A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility

More information

White Paper. Imperva Data Security and Compliance Lifecycle

White Paper. Imperva Data Security and Compliance Lifecycle White Paper Today s highly regulated business environment is forcing corporations to comply with a multitude of different regulatory mandates, including data governance, data protection and industry regulations.

More information

ITIL based IT management with live alerts and KPI s

ITIL based IT management with live alerts and KPI s ITIL based IT management with live alerts and KPI s This whitepaper describes, as a sample, the deployment of Ba-PRO for IT management as implemented within Ba-PRO development b.v. IT governance (ITIL),

More information

Implementing Change Management in a Regulated Environment

Implementing Change Management in a Regulated Environment Implementing Change Management in a Regulated Environment Valerie Arraj Managing Director Session 227 Compliance Process Partners Service Management-focused consulting, automation and training organization

More information