Blending Corporate Governance with Information Security

WHAT IS CORPORATE GOVERNANCE?

Governance has proved an issue since people began to organise themselves for a common purpose. How to ensure that the power of organisation is harnessed for the agreed purpose, rather than diverted to some other purpose, is a constant theme. The institutions of governance provide a framework within which the social and economic life of countries is conducted. Corporate governance concerns the exercise of power in corporate entities.

The OECD provides the most authoritative functional definition of corporate governance: "Corporate governance is the system by which business corporations are directed and controlled. The corporate governance structure specifies the distribution of rights and responsibilities among different participants in the corporation, such as the board, managers, shareholders and other stakeholders, and spells out the rules and procedures for making decisions on corporate affairs. By doing this, it also provides the structure through which the company objectives are set, and the means of attaining those objectives and monitoring performance."

However, corporate governance has wider implications and is critical to economic and social well-being: first, in providing the incentives and performance measures to achieve business success, and second, in providing the accountability and transparency to ensure the equitable distribution of the resulting wealth. The significance of corporate governance for the stability and equity of society is captured in the broader definition of the concept offered by the World Bank: "Corporate governance is concerned with holding the balance between economic and social goals and between individual and communal goals. The governance framework is there to encourage the efficient use of resources and equally to require accountability for the stewardship of those resources. The aim is to align as nearly as possible the interests of individuals, corporations and society."

On 21 May 2003, the European Commission adopted an Action Plan announcing measures to modernise company law and enhance corporate governance in the European Union. In the Action Plan, the Commission announced that it would confirm the collective responsibility of board members for financial statements and key non-financial information, increase transparency in intra-group relations and transactions with related parties, and improve disclosure about corporate governance practices.

Page 1 /10

With regard to the responsibility of board members, the prevailing principle in Europe is, in contrast to the US, collective responsibility for the financial statements. As can be seen from the Action Plan on Company Law and Corporate Governance, the Commission intends to clarify the application of this principle and to extend it to key non-financial information. Further corporate scandals have confirmed a need to clarify that all board members are collectively responsible for financial statements and key non-financial information, and that all board members have to be held accountable for their actions and for the proper conduct of their responsibilities. This is a main difference from the Sarbanes-Oxley Act, under which the CEO and CFO are personally responsible. On this point, we must note that in Germany, half of the supervisory board seats of large companies (more than 2,000 employees) are filled by labor representatives. This gives labor control rights over corporate decisions and leads to a kind of negotiated management in which labor has voice as an alternative to exit.

Many companies are organised in group structures. However, intra-group transactions and the group's transactions with related parties often lack transparency from the perspective of investors, shareholders and other stakeholders. This can make it difficult for them to assess the true risks of investing in the companies. In relation to transactions within a group and with related parties, the Commission will consider how further improvements can be made in line with International Financial Reporting Standards.

Corporate governance practices differ across Member States. Enhanced disclosure about these practices could provide a useful insight into what happens in practice and promote best practices. In its Action Plan, the Commission therefore proposed that listed companies should publish an annual corporate governance statement. The main objective would be to collect all relevant information concerning corporate governance elements and practices in listed companies in one single place. This should allow shareholders, investors and other stakeholders to assess whether the company pursues good corporate governance.

A recent Business Roundtable report, "Securing Cyberspace: Business Roundtable's Framework for the Future", asserted that "Information security requires CEO attention in their individual companies and as business leaders seeking collectively to promote the development of standards for secure technology.

Boards of directors should consider information security an essential element of corporate governance and a top priority for board review."

PRINCIPLES

Information security is an important part of the overall business risk and of the external business environment, and it must be intimately understood by the stewards of the business. In establishing this approach, there are five principles that will help guide executive thinking.

1. CEO Involvement

The first principle is that the CEO must get involved in understanding the security program, measuring that program, and relating it to business operations. The CEO must take the lead in requiring regular reporting, evaluation and review of information security strategies and their execution. He or she must engage with management teams throughout the enterprise to discuss what the security results look like, how security might impact the business, and how risk might be created or alleviated. He or she must then provide an overall assessment of the organization's security performance, including what is being done well and what is being done to correct previously identified deficiencies. This assessment must be communicated to the board as well as to shareholders, stakeholders and employees.

2. Organizational Understanding of Information Assets

The second principle is that the organization itself has to understand that information assets must be thought of as being as measurable and as tangible as buildings, plants and other valuable business infrastructure. Day-to-day policies and procedures need to reflect the fact that it is up to the organization to protect these assets in the same way. The policies and procedures that the company creates have to be well thought out, so that the culture is built with the understanding that there is some level of risk involved in the normal day-to-day business use of information assets. These assets need to be cared for and protected accordingly.

Appropriate individuals within a security management infrastructure must be given both authority and accountability; one without the other is not sufficient. Today, the majority of information security officers are given authority without accountability. For corporate security to be a serious endeavor, these managers must be empowered. Moreover, organizational cultural politics must be overcome so that the newly empowered security executives can engage with business leaders. The IT group can't fix information security alone; modeling enterprise risk requires a broad mandate and cooperation between groups inside the organization that may not traditionally have worked together. Policies and procedures must make it plain that everyone who has any interaction with corporate data assets has specific responsibilities, as well as the authority and the authorization, to protect those assets and to manage the risk inherent in using them.

3. Integrating Data Storage with the System Lifecycle

People would traditionally say, "That's the financial management system," or "That's the HR system," and then create lifecycle management around those applications without necessarily thinking about the individual data assets that reside on that system. We must begin to follow the information and not the system. If this were better understood, the process of information security would likely be different. Information management and information security must become better aligned and integrated into the way the organization develops, installs, deploys, uses, maintains, monitors and validates the systems that house the information.

4. Systems Must Be Tested

The concept of governance demands that we evaluate the information security services that have been implemented and find a way to validate that they are working. Testing needs to be done periodically, and a formal way of responding to defects, breaches and violations needs to be established. There also needs to be a way to evaluate and correct deficiencies, as well as a mechanism to communicate the fact that remediation has taken place. Just as you cannot secure what you don't know, you can't establish confidence that information security services are functioning without testing and reporting. Also important is the speed with which a deficiency is remediated and effectively addressed. Information security governance suggests that the company must have a security knowledge management capability, not only to understand IT risk but also to be able to test readiness. Security knowledge management is the ability to transform raw data into information, and information into knowledge. Information security governance also suggests that organizations must establish an incident response capability to deal with crises. This crisis center operates in a continuous mode, just like a commander's central command center on a field of battle. Once this knowledge is obtained, it is possible to translate it into remedial action to deal with the deficiencies and the information security challenges. Then, just as a field commander continually exercises troop readiness, company executives can continuously evaluate enterprise response capability by launching exercises to validate information security readiness.

5. Comparative Analysis

The fifth principle, every bit as important as the others, is that it is vital for organizations to analyze where they stand in their information security governance efforts compared to others in their industry. The strategy is to be able to make informed, strategic decisions about the company's place in the pack by knowing what others in the industry and the marketplace are doing with respect to securing their information, and by studying standards and best-practice guidance. This enables the organization to decide what its investment in and commitment to information security should be, above and beyond any established mandatory minimums, based on a risk analysis. One might look at maximums instead, choosing to be ahead of the pack and using superiority in information security governance as a competitive advantage. Leveraging information security as a competitive advantage is a valid strategy for some companies. Alternatively, the company might make an informed decision to be a laggard in this area, establishing the bare minimum and using the capital instead to seek competitive advantage in other areas. Either way, this is clearly a business decision to be taken at the highest level in the company.

SHIFTS IN INFORMATION SECURITY PERSPECTIVE

To implement these principles, information security stakeholders need to make significant shifts in their perspective. Such shifts allow them to ask the right questions, make better decisions, and select actions appropriate to the effective governance of enterprise security. These shifts are summarized below.

From "Security is a technical problem":
- Technical network (hardware, software, infrastructure)
- Technical requirements (protect the perimeter)
- Technical assets (desktops, laptops, servers, databases)
- Technical specialty (in the realm of IT and system administrators)
To "Security is an enterprise-wide problem":
- Enterprise network (people, processes, business units)
- Enterprise requirements (privacy, asset protection)
- Enterprise assets (customer data, employee data, communication)
- Enterprise core competency

From "Security has a technical owner":
- IT is the driver, owner, and primary beneficiary.
- Technical personnel are assigned to security.
- The CSO (Chief Security Officer) is considered a technical advisor.
To "Security is owned by the business":
- The enterprise is the driver, owner, and primary beneficiary.
- Business personnel understand security and have security responsibilities.
- The CSO is considered an advisor to the business.

From "There is an explicit focus on security":
- Security is sporadically singled out for attention, investment, and justification.
- Risk assessment is applied to security as a special case.
- Security is on the agenda to comply with regulatory requirements.
To "Security is transparent":
- Security is a requirement of conducting business, considered in normal planning and business conduct cycles.
- A more secure state results from effective risk management capabilities.
- Existing security controls meet compliance requirements.

From "Security is an expense":
- The benefit of security is not measured or is hard to measure.
- Return on security investment is not required or not quantifiable.
To "Security is an investment":
- The benefit of security is measurable, measured, and regularly reported.
- Return on security investment is required and quantifiable in business terms.

From "The goal is security":
- The focus of security efforts is on threat, vulnerability, and protection.
- There is no articulated, desired security state.
- There is a potentially excessive deployment of security technologies, undertaken in a piecemeal approach.
To "The goal is business continuity and ultimately resiliency":
- The focus of security efforts is on impact, organizational continuity, and preserving trust.
- Adequate security that meets business objectives is the desired state.
- Security costs and risks are in balance.

THE FIVE AREAS OF RESPONSIBILITY

An organization that is to succeed in implementing an information security governance program needs to divide the work across five areas:

1. The Board of Directors. The program must be very clear about the board's responsibilities. It will assign strategic oversight to the board, and ensure that the strategic oversight is aligned with the actions taken by the executive management team.

2. The CEO. CEO responsibilities will be clearly defined with regard to accountability and authority. The CEO is the top executive and the only one in a position to oversee compliance. It is the CEO's role to assign responsibility so as to make sure that accountability and authority are in place. The CEO is also there to set the tone and drive the culture of information security.

3. Executive Committee. The executive committee will be responsible for ensuring that the security programs being put in place are actually aligned with operational and business risks. Not too much, and not too little. They must make certain that money is not being wasted on unneeded security and that security is not placing an undue burden on the organization and adversely affecting operations and business objectives.

4. Senior Managers. Senior management will have responsibility for day-to-day monitoring of risks within their area of responsibility. They are accountable for the mechanisms implementing the policies coming out of the security program and for ensuring that operations are secure.

5. Employees. Each individual employee must be aware of the challenges of information security. Ultimately, security is a very personal matter, so each member of the enterprise should have an understanding of information security and why it is important. They should know their individual roles, so that they can report accurately through channels. Just as we are trained to question an un-badged person we see walking through our building, so too should we, as individuals, be taught to challenge information security deficiencies that we encounter.

BUILDING A SECURITY ARCHITECTURE

According to our principles, the security architecture must address all components of the enterprise security program, not just the technical components:
- Strategic alignment
- Business enablement
- Process enhancement
- Security foundation
- Security effectiveness

1. Strategic Alignment

Key components: we need executive-level sponsorship for the architecture; it has to be enterprise-wide and mandatory in order to have an enterprise-wide approach to risk. A current status of the enterprise approach to information asset risk will provide the information security culture needed to gauge what the architecture has to be in order to be effective, and how it will be received. How ready is the organization to adapt to change? Is the architecture going to be a significant change from where they are today? How much has the corporate approach to information security been considered? What are the defined business issues and strategies that require an organized approach to IT security? The more the architecture requirements can be directly tied to the business, the better. Is there legislation or regulation that is pushing the organization in a certain direction? The architecture should be an obvious progression from the business requirements and justifiable as such. It should not be based on current wants, as is more typical with technology selection, but on the business reason why.

2. Business Enablement
- Requirements must be people-, process- and technology-driven
- We must have a consistent application of solution models
- We must do a zone analysis for end-to-end transaction integrity
- Security plans practically applied to all aspects of a business operation: network, applications, processes, etc.

3. Process Enhancement
- Key security standards, models and criteria proactively championed through existing enterprise-wide management processes
- Center of Excellence (COE) approach
  o Breadth of coverage: end-to-end transaction
  o Depth: subject experts
  o Facilitator roles versus owner
- Incentive concept to promote security staff as enablers versus roadblocks
- Roles and responsibilities clearly defined and championed

4. Security Foundation
- Active executive participation
- Owner, custodian, stakeholder alignment
- Assigned responsibility, accountability and authority
- Security life cycle
- Business and IT alignment
- Security process and management fundamentals/foundations/baseline versus wants

5. Security Effectiveness
- Focus on a few critical objective indicators that truly enhance visibility
- Internal audit alignment
- Communication of successes/failures
- Service Level Agreements (SLAs) for customer satisfaction
- IT Return on Investment (ROI)
- Critical vendor maintenance contracts
- Metrics for day-to-day operations
- Reporting timelines
- Existing balanced scorecard system

CONCLUSION

Information security is not a technical issue but rather a corporate governance responsibility that involves risk management, reporting on controls, testing, training and executive accountability. Without the active engagement of business unit leaders, executive management teams and boards of directors, a sustainable information security program cannot exist. This is no longer a technical problem relegated to the bowels of the enterprise. It is a challenge that requires a coherent information security management framework, one that aligns with the set of policies and internal controls used by enterprises to establish a culture of compliance and that will support the implementation of information security programs across all industries. The time to embrace information security governance is now. Integration of information security into the core of enterprise management and governance must come about. And focusing on security experience management will allow us to begin to manage security from a business perspective.

Yves LE ROUX, CISM, ITIL, CISSP
Computer Associates Security Technology Strategist
Tel: +33 (0)
Mob: +33 (0)


More information

IT GOVERNANCE WITH ROBERT GOODSELL, MANAGING DIRECTOR JOE BRUTSCHE, DIRECTOR

IT GOVERNANCE WITH ROBERT GOODSELL, MANAGING DIRECTOR JOE BRUTSCHE, DIRECTOR IT GOVERNANCE WITH ROBERT GOODSELL, MANAGING DIRECTOR JOE BRUTSCHE, DIRECTOR PwC April 4, 2013 Agenda The challenge IT Governance defined IT Governance components Next steps Questions THE CHALLENGE The

More information

Office of the Auditor General AUDIT OF IT GOVERNANCE. Tabled at Audit Committee March 12, 2015

Office of the Auditor General AUDIT OF IT GOVERNANCE. Tabled at Audit Committee March 12, 2015 Office of the Auditor General AUDIT OF IT GOVERNANCE Tabled at Audit Committee March 12, 2015 This page has intentionally been left blank Table of Contents Executive Summary... 1 Introduction... 1 Background...

More information

Corporate Governance. The Foundation for Corporate Citizenship and Sustainable Businesses

Corporate Governance. The Foundation for Corporate Citizenship and Sustainable Businesses Corporate Governance The Foundation for Corporate Citizenship and Sustainable Businesses Corporate Citizenship and Sustainable Businesses Corporate citizenship a commitment to ethical behavior in business

More information

CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting www.corostrandberg.

CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting www.corostrandberg. Introduction CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting www.corostrandberg.com June 2015 Companies which adopt CSR or sustainability 1

More information

IT Owes Much to PMOs

IT Owes Much to PMOs IT Owes Much to PMOs Doing More with Less Doing more with less is the mantra of IT organizations reuse and productivity, and nowhere recently have these principles been more effectively applied than in

More information

STRATEGIC INTELLIGENCE WITH BI COMPETENCY CENTER. Student Rodica Maria BOGZA, Ph.D. The Bucharest Academy of Economic Studies

STRATEGIC INTELLIGENCE WITH BI COMPETENCY CENTER. Student Rodica Maria BOGZA, Ph.D. The Bucharest Academy of Economic Studies STRATEGIC INTELLIGENCE WITH BI COMPETENCY CENTER Student Rodica Maria BOGZA, Ph.D. The Bucharest Academy of Economic Studies ABSTRACT The paper is about the strategic impact of BI, the necessity for BI

More information

COBIT 5: A New Governance Framework for Managing & Auditing the Technology Environment CS 6-7: Tuesday, July 7 3:30-4:30

COBIT 5: A New Governance Framework for Managing & Auditing the Technology Environment CS 6-7: Tuesday, July 7 3:30-4:30 COBIT 5: A New Governance Framework for Managing & Auditing the Technology Environment CS 6-7: Tuesday, July 7 3:30-4:30 Presented by: Nelson Gibbs CIA, CRMA, CISA, CISM, CGEIT, CRISC, CISSP ngibbs@pacbell.net

More information

Information Governance Workshop. David Zanotta, Ph.D. Vice President, Global Data Management & Governance - PMO

Information Governance Workshop. David Zanotta, Ph.D. Vice President, Global Data Management & Governance - PMO Information Governance Workshop David Zanotta, Ph.D. Vice President, Global Data Management & Governance - PMO Recognition of Information Governance in Industry Research firms have begun to recognize the

More information

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security

More information

IBM 2010 校 园 蓝 色 加 油 站 之. 商 业 流 程 分 析 与 优 化 - Business Process Management and Optimization. Please input BU name. Hua Cheng chenghua@cn.ibm.

IBM 2010 校 园 蓝 色 加 油 站 之. 商 业 流 程 分 析 与 优 化 - Business Process Management and Optimization. Please input BU name. Hua Cheng chenghua@cn.ibm. Please input BU name IBM 2010 校 园 蓝 色 加 油 站 之 商 业 流 程 分 析 与 优 化 - Business Process Management and Optimization Hua Cheng chenghua@cn.ibm.com Agenda Why BPM What is BPM What is BAM How BAM helps optimization

More information

our enterprise security Empowering business

our enterprise security Empowering business our enterprise security Empowering business Introduction Communication is changing the way we live and work. Ericsson plays a key role in this evolution, using innovation to empower people, business and

More information

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director January IIA / ISACA Joint Meeting Pre-meeting Cybersecurity Update for Internal Auditors Matt Wilson, Risk Assurance Director Introduction and agenda Themes from The Global State of Information Security

More information

White Paper. An Overview of the Kalido Data Governance Director Operationalizing Data Governance Programs Through Data Policy Management

White Paper. An Overview of the Kalido Data Governance Director Operationalizing Data Governance Programs Through Data Policy Management White Paper An Overview of the Kalido Data Governance Director Operationalizing Data Governance Programs Through Data Policy Management Managing Data as an Enterprise Asset By setting up a structure of

More information

Solve Your IT Project Funding Challenges

Solve Your IT Project Funding Challenges RG Perspective Solve Your IT Project Funding Challenges 11 Canal Center Plaza Alexandria, VA 22314 HQ 703-548-7006 Fax 703-684-5189 www.robbinsgioia.com 2013 Robbins Gioia, Inc. 1. Introduction The struggling

More information

General Guidance for Developing, Documenting, Implementing, Maintaining, and Auditing an SQF System. Module 2: System Elements. SQF Code, Edition 7.

General Guidance for Developing, Documenting, Implementing, Maintaining, and Auditing an SQF System. Module 2: System Elements. SQF Code, Edition 7. General Guidance for Developing, Documenting, Implementing, Maintaining, and Auditing an SQF System Module 2: System Elements SQF Code, Edition 7.1 M A Y 2 0 1 3 2013 Safe Quality Food Institute 2345 Crystal

More information

Keeping watch over your best business interests.

Keeping watch over your best business interests. Keeping watch over your best business interests. 0101010 1010101 0101010 1010101 IT Security Services Regulatory Compliance Services IT Audit Services Forensic Services Risk Management Services Attestation

More information

Trustee Leadership Forum for Retirement Security Inaugural Meeting Summary

Trustee Leadership Forum for Retirement Security Inaugural Meeting Summary Trustee Leadership Forum for Retirement Security Inaugural Meeting Summary On May 17-18, 2011, the Initiative for Responsible Investment hosted a meeting of laboraffiliated public and Taft-Hartley pension

More information

Software Asset Management on System z

Software Asset Management on System z Software Asset Management on System z Mike Zelle Tivoli WW IT Asset Management Marketing SAM in SHARE Project Manager mzelle@us.ibm.com Agenda Why Software Asset Management (SAM) The Discipline of Software

More information

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...

More information

The State of Tennessee. Category: Enterprise IT Management Initiatives. Managing by Metrics, A Process Improvement Initiative

The State of Tennessee. Category: Enterprise IT Management Initiatives. Managing by Metrics, A Process Improvement Initiative The State of Tennessee Category: Enterprise IT Management Initiatives Managing by Metrics, A Process Improvement Initiative 2009 NASCIO Recognition Award Nomination For work performed in 2008 Executive

More information

The Professional Risk Managers International Association (PRMIA) Building a Risk Appetite Framework at TD January 31, 2013

The Professional Risk Managers International Association (PRMIA) Building a Risk Appetite Framework at TD January 31, 2013 The Professional Risk Managers International Association (PRMIA) Building a Risk Appetite Framework at TD January 31, 2013 Clare Gaudet, VP Enterprise Risk Governance, TD Bank Group Building a Risk Appetite

More information

FINANCIAL ASSESSMENT CRITERIA (The Assessment Criteria should be read in conjunction with OSFI s Supervisory Framework)

FINANCIAL ASSESSMENT CRITERIA (The Assessment Criteria should be read in conjunction with OSFI s Supervisory Framework) ROLE OF Financial is an independent function responsible for ensuring the timely and accurate reporting and in-depth analysis of the operational results of the operating units (including business lines)

More information

Practical Approaches to Achieving Sustainable IT Governance

Practical Approaches to Achieving Sustainable IT Governance Practical Approaches to Achieving Sustainable IT Governance Beyond Mandates: Getting to Sustainable IT Governance Best Practices Agenda IT Governance Definition IT Governance Principles IT Governance Decisions

More information

INDUSTRY OUTLOOK APRIL 2013. Enterprise Performance Management

INDUSTRY OUTLOOK APRIL 2013. Enterprise Performance Management INDUSTRY OUTLOOK APRIL 2013 Enterprise Performance Management Chief financial officers must address a growing list of modern business imperatives, and EPM can help. Business today is moving at light speed.

More information

Ethics and compliance The advantage of a values-based approach

Ethics and compliance The advantage of a values-based approach Ethics and compliance The advantage of a values-based approach Audit.Tax.Conulting.Financial Adisory. Public companies and their senior executives and board members may be held accountable - personally

More information

CISM (Certified Information Security Manager) Document version: 6.28.11

CISM (Certified Information Security Manager) Document version: 6.28.11 CISM (Certified Information Security Manager) Document version: 6.28.11 Important Note About CISM PDF techexams CISM PDF is a comprehensive compilation of questions and answers that have been developed

More information

Governance Guideline SEPTEMBER 2013 BC CREDIT UNIONS. www.fic.gov.bc.ca

Governance Guideline SEPTEMBER 2013 BC CREDIT UNIONS. www.fic.gov.bc.ca Governance Guideline SEPTEMBER 2013 BC CREDIT UNIONS www.fic.gov.bc.ca INTRODUCTION The Financial Institutions Commission 1 (FICOM) holds the Board of Directors 2 (board) accountable for the stewardship

More information

Role and Skill Descriptions. For An ITIL Implementation Project

Role and Skill Descriptions. For An ITIL Implementation Project Role and Skill Descriptions For An ITIL Implementation Project The following skill traits were identified as fairly typical of those needed to execute many of the key activities identified: Customer Relationship

More information

Your asset is your business. The more challenging the economy, the more valuable the asset becomes. Decisions are magnified. Risk is amplified.

Your asset is your business. The more challenging the economy, the more valuable the asset becomes. Decisions are magnified. Risk is amplified. Asset management Your asset is your business. The more challenging the economy, the more valuable the asset becomes. Decisions are magnified. Risk is amplified. Data is about more than numbers. It tells

More information

The Upside of Risk: Enterprise Risk Management and Public Real Estate Companies

The Upside of Risk: Enterprise Risk Management and Public Real Estate Companies The Upside of Risk: Enterprise Risk Management and Public Real Estate Companies James Barkley, Simon Property Group, Inc. and David E. Weiss, DDR Corp. Introduction: As lawyers, particularly real estate

More information

IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014

IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014 IT Vendor Due Diligence Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014 Carolinas HealthCare System (CHS) Second largest not-for-profit healthcare system

More information

Data Quality Governance: Proactive Data Quality Management Starting at Source

Data Quality Governance: Proactive Data Quality Management Starting at Source Data Quality Governance: Proactive Data Quality Management Starting at Source By Paul Woodlock, Clavis Technologies About the Author: Paul Woodlock is a business process and management expert with nearly

More information

Frontier International

Frontier International International research insights from Frontier Advisors Real Assets Research Team Issue 15, June 2015 Frontier regularly conducts international research trips to observe and understand more about international

More information

MISSION VALUES. The guide has been printed by:

MISSION VALUES. The guide has been printed by: www.cudgc.sk.ca MISSION We instill public confidence in Saskatchewan credit unions by guaranteeing deposits. As the primary prudential and solvency regulator, we promote responsible governance by credit

More information

OPTIMUS SBR. Optimizing Results with Business Intelligence Governance CHOICE TOOLS. PRECISION AIM. BOLD ATTITUDE.

OPTIMUS SBR. Optimizing Results with Business Intelligence Governance CHOICE TOOLS. PRECISION AIM. BOLD ATTITUDE. OPTIMUS SBR CHOICE TOOLS. PRECISION AIM. BOLD ATTITUDE. Optimizing Results with Business Intelligence Governance This paper investigates the importance of establishing a robust Business Intelligence (BI)

More information

Look around any workplace and you see Information Technology (IT) assets. If you are working in an average office environment, you probably have a

Look around any workplace and you see Information Technology (IT) assets. If you are working in an average office environment, you probably have a 1 Look around any workplace and you see Information Technology (IT) assets. If you are working in an average office environment, you probably have a computer monitor with a CPU at your desk along with

More information

As is the case in many industries today, corporate governance

As is the case in many industries today, corporate governance How Health Care Organizations Risk and Compliance Executives Can Become Strategic Board Advisors Terry Puchley, Partner, PwC, terry.puchley@us.pwc.com Mitchel Harris, Director, PwC, mitchel.s.harris@us.pwc.com

More information

Vendor Risk Management Financial Organizations

Vendor Risk Management Financial Organizations Webinar Series Vendor Risk Management Financial Organizations Bob Justus Chief Security Officer Allgress Randy Potts Managing Consultant FishNet Security Bob Justus Chief Security Officer, Allgress Current

More information

OVERVIEW. With just 10,000 customers in your database, the cost of a data breach averages more than $2 million.

OVERVIEW. With just 10,000 customers in your database, the cost of a data breach averages more than $2 million. Security PLAYBOOK OVERVIEW Today, security threats to retail organizations leave little margin for error. Retailers face increasingly complex security challenges persistent threats that can undermine the

More information

Creating HR Service Delivery Success

Creating HR Service Delivery Success Creating HR Service Delivery Success HRO Today Forum Europe 2012 By Brad McCaw, Senior Consultant, London 2012 Towers Watson. All rights reserved. Setting the context Businesses are going through significant

More information

Council of Financial Regulators: Review of Financial Market Infrastructure Regulation

Council of Financial Regulators: Review of Financial Market Infrastructure Regulation 1 December 2011 Manager, Financial Markets Unit Corporations and Capital Markets Division The Treasury Langton Crescent PARKES ACT 2600 By email: CFR-Review-FMI@treasury.gov.au Dear Treasury Council of

More information

GOVERNANCE DEFINED. Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts

GOVERNANCE DEFINED. Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts GOVERNANCE DEFINED Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts Governance over the use of technology assets can be seen

More information

Data Governance for Master Data Management and Beyond

Data Governance for Master Data Management and Beyond Data Governance for Master Data Management and Beyond A White Paper by David Loshin WHITE PAPER Table of Contents Aligning Information Objectives with the Business Strategy.... 1 Clarifying the Information

More information

An RCG White Paper The Data Governance Maturity Model

An RCG White Paper The Data Governance Maturity Model The Dataa Governance Maturity Model This document is the copyrighted and intellectual property of RCG Global Services (RCG). All rights of use and reproduction are reserved by RCG and any use in full requires

More information

Business Continuity / Disaster Recovery Context

Business Continuity / Disaster Recovery Context Capability Business Continuity / Disaster Recovery Context What is Business Continuity? The Business Continuity Program Life Cycle Copyright: Virtual Corporation, 1994 2006 Modified U.S. DoD Graphic Normal

More information

The Business Continuity Maturity Continuum

The Business Continuity Maturity Continuum The Business Continuity Maturity Continuum Nick Benvenuto & Brian Zawada Protiviti Inc. 2004 Protiviti Inc. EOE Agenda Terminology Risk Management Infrastructure Discussion A Proposed Continuity Maturity

More information

Managing Risk at Bank of America Corporation. Overview

Managing Risk at Bank of America Corporation. Overview Managing Risk at Bank of America Corporation Overview Risk is inherent in every material business activity that we undertake. Our business exposes us to strategic, credit, market, liquidity, compliance,

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

Creating and Maturing a Service Catalog

Creating and Maturing a Service Catalog Creating and Maturing a Service Catalog By Wendy Kuhn and Pam Erskine Third Sky, Inc. Introduction Developing a service catalog can seem like a simple marketing and communications activity or a daunting

More information

Revitalizing Your CRM Initiative. Why the Need to Revitalize?

Revitalizing Your CRM Initiative. Why the Need to Revitalize? Revitalizing Your CRM Initiative In this three article series, we re considering a few of the most relevant Customer Relationship Management (CRM) practices that can impact the effectiveness of small and

More information

IT Governance: framework and case study. 22 September 2010

IT Governance: framework and case study. 22 September 2010 IT Governance: framework and case study Presenter Yaowaluk Chadbunchachai Advisory Services Ernst & Young Corporate Services Limited Presentation topics ERM and IT governance IT governance framework IT

More information

The real value of corporate governance

The real value of corporate governance Volume 9 No. 1 The real value of corporate governance (c) Copyright 2007, The University of Auckland. Permission to make digital or hard copies of all or part of this work for personal or classroom use

More information

Enhancing Business Performance Through Innovative Technology Solutions

Enhancing Business Performance Through Innovative Technology Solutions Enhancing Business Performance Through Innovative Technology Solutions Contact Center = Customer Experience FIELD SERVICE Customer Service BACK OFFICE CONTACT CENTER BRANCH OFFICE Help Desk HR Finance

More information

Governance, Risk, and Compliance (GRC) White Paper

Governance, Risk, and Compliance (GRC) White Paper Governance, Risk, and Compliance (GRC) White Paper Table of Contents: Purpose page 2 Introduction _ page 3 What is GRC _ page 3 GRC Concepts _ page 4 Integrated Approach and Methodology page 4 Diagram:

More information

Tying It All Together: Practical ERM Integration. Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation

Tying It All Together: Practical ERM Integration. Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation Tying It All Together: Practical ERM Integration Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation November 16, 2007 1 Agenda Basis for ERM Integration ERM Objectives ERM Focus

More information

Building a Data Quality Scorecard for Operational Data Governance

Building a Data Quality Scorecard for Operational Data Governance Building a Data Quality Scorecard for Operational Data Governance A White Paper by David Loshin WHITE PAPER Table of Contents Introduction.... 1 Establishing Business Objectives.... 1 Business Drivers...

More information

How to enhance Trust and Value by using COBIT:

How to enhance Trust and Value by using COBIT: How to enhance Trust and Value by using COBIT: Governance and Management Framework CA A.Rafeq, FCA, CISA, CGEIT, CIA, CCSA Managing Director, Wincer Infotech Limited Past President, ISACA, Bangalore Chapter

More information

ENTERPRISE PROJECT MANAGEMENT OFFICE

ENTERPRISE PROJECT MANAGEMENT OFFICE ENTERPRISE PROJECT MANAGEMENT OFFICE QUALITY MANAGEMENT SYSTEM ISO 9001:2008 STATE CHIEF INFORMATION OFFICER CHRIS ESTES DEPUTY STATE CHIEF INFORMATION OFFICER AARON WIENSHIENK DEPARTMENT MANAGER JAMES

More information

Security and Privacy Trends 2014

Security and Privacy Trends 2014 2014 Agenda Today s cyber threats 3 You could be under cyber attack now! Improve 6 Awareness of cyber threats propels improvements Expand 11 Leading practices to combat cyber threats Innovate 20 To survive,

More information

Operations. Group Standard. Business Operations process forms the core of all our business activities

Operations. Group Standard. Business Operations process forms the core of all our business activities Standard Operations Business Operations process forms the core of all our business activities SMS-GS-O1 Operations December 2014 v1.1 Serco Public Document Details Document Details erence SMS GS-O1: Operations

More information

EFFECTIVE VENDOR MANAGEMENT: REAPING LONG-TERM BENEFITS FROM YOUR VENDOR RELATIONSHIPS

EFFECTIVE VENDOR MANAGEMENT: REAPING LONG-TERM BENEFITS FROM YOUR VENDOR RELATIONSHIPS EFFECTIVE VENDOR MANAGEMENT: REAPING LONG-TERM BENEFITS FROM YOUR VENDOR RELATIONSHIPS TERRA FIRMA, AUGUST 2013 Leading organisations have understood for some time that active vendor management, as opposed

More information

OMRON Corporate Governance Policies

OMRON Corporate Governance Policies This document has been translated from the Japanese original for reference purposes only. Where there are any discrepancies between the Japanese original and the translated document, the original Japanese

More information