IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013

Size: px
Start display at page:

Download "IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013"

Transcription

1 IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013 Debbie Lew Agenda Review what is IT governance Review what is IT risk management A discussion of key IT risks to be aware of Page 2 IT risk management training 1

2 IT governance defined IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives. ITGI, Board Briefing on IT Governance Page 3 Meeting stakeholder needs Enterprises exist to create value for their stakeholders ISACA. All Rights Reserved. Source: COBIT 5, figure ISACA All rights reserved. Value creation: realizing benefits at an optimal resource cost while optimizing risk. Page 4 IT risk management training 2

3 Covering the enterprise end-to-end Key components of a governance system Page 5 Source: COBIT 5, figure ISACA All rights reserved. Separating governance from management Source: COBIT 5, figure ISACA All rights reserved. Page 6 6 IT risk management training 3

4 Separating governance from management Governance ensures that stakeholders needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives. Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives. Page 7 7 COBIT 5 process reference model Source: COBIT 5, figure ISACA All rights reserved. Page 8 8 IT risk management training 4

5 Ensure Risk Optimization EDM03 Ensure Risk Optimization Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is indentified and managed, and the potential for compliance failures is minimized. Page 9 The risk management lifecycle Establish risk context & governance Frequently monitor effectiveness of risk response (e.g., controls) and report on results Monitor & report Assess risk response Identify value drivers Risk management components Risk culture Policy & mandate Infrastructure & people Methods & practices Information & technology Identify risks Assess risks Develop consistent risk taxonomy and risk repository and align relevant risks with value drivers (strategies, objectives, initiatives) Define consistent assessment criteria based on risk appetite and tolerances and assess relevant risks Conclude on preliminary effectiveness of risk response and develop action plan for monitoring Page 10 Develop risk response Define appropriate risk response strategy (i.e., acceptance, mitigation, avoidance, transfer, etc.) IT risk management training 5

6 What IT risks should I be aware of? Page 11 Information security Ernst & Young s 2012 Global Information Security Survey found that the information security threats are accelerating significantly faster than the enhancements organizations are making This gap is being driven by the following issues: lack of alignment with the business, identifying resources with the right skills and training, immature processes and architecture, and the emergence of new and evolving technologies Page 12 IT risk management training 6

7 Business continuity management According to the Ernst & Young 2012 Global Information Security Survey, only 17% of the respondents say their organizations do not have a BCM program in place and BCM was ranked as the #1 spending priority The most common problem we see is the lack of governance integration between the elements of business continuity and disaster recovery. This lack of unified governance often leads to disconnected initiatives, as well as misalignment of business direction and technology strategies, which could hinder timely recovery after a disruption. Page 13 Mobile The advancement in mobile technology has introduced new challenges for the enterprise, including: Potential loss or leakage of important business information Security challenges given range of devices, operating systems, and firmware limitations and vulnerabilities Theft of the device due to the small size Compliance with state, federal and international privacy regulations that vary from one jurisdiction to another as employees travel with mobile devices Navigation of the gray line on privacy and monitoring between personal and company use of the device Page 14 IT risk management training 7

8 Cloud The move to the cloud has outpaced the organization s ability to understand the following risks: Providers not living up to service level agreements (SLAs), resulting in cloud architecture or deployment challenges Evolving cloud standards increasing the risk that a company s systems won t work with the provider s Legal and regulatory risk in how information is handled in the cloud Information security and privacy risks around the confidentiality, integrity and availability of data Cloud adoption and change management within an organization Page 15 IT risk management Ernst & Young s IT Risk Survey indicates that over 40% of organizations have either just started or have not implemented a IT risk management program at all this despite an evolving IT risk landscape and increased interest from boards, corporate executives and regulators Page 16 IT risk management training 8

9 Program risk 70% of the major enterprise resource planning (ERP) programs fail to realize at least 50% of business benefits. While companies have invested significantly in increasing their knowledge and capabilities in program and project management, this is not visible in the success rates. The lack of improvement is mainly due to increased complexity in business processes and the emerging technology landscape. Page 17 Software/IT asset management In an environment focused on cost reduction software/it asset management has become a strategic advantage for organizations: Potentially reduces liability risk by maintaining license compliance and avoiding related penalties Lowers potential costs by helping to avoid license and other IT asset overbuying Helps to more efficiently manage the otherwise resource-draining and laborintensive compliance processes Limits potential reputational risks associated with license violations or compliance-related conflicts with vendors Page 18 IT risk management training 9

10 Social media risk management The social media elements that generate business opportunity for companies to extend their brands are often the same elements that have created IT-related risk: Employees involved in social media inadvertently leaking sensitive company information Criminal hackers re-engineering confidential information (e.g., log-ins and passwords) based on information obtained from employee posts Multiple platforms creating more access for viruses, malware, cross-site scripting and phishing Damage to a brand or company reputation from negative, embarrassing or even incriminating employee or customer posts, even those that are well-intended Failure to establish fully compliant archiving and record retention processes for corporate information shared on social media Page 19 Segregation of duties/identity and access management While segregation of duties (SoD) is considered to be a fundamental control for which organizations have developed strong processes, the complexity of today s enterprise systems leaves many companies struggling This SoD challenge is compounded by the following: The lack of investment in identity and access management or governance, risk and compliance tools Poor visibility to cross system segregation of duties and Reliance on costly and time intensive manual controls Page 20 IT risk management training 10

11 Data loss prevention and privacy Ernst & Young s 2012 Global Information Security Survey indicates data leakage and data loss prevention remained ranked as a top three priority for IT and IT security executives The vast majority of privacy incidents result from the actions of internal users and trusted third parties, and most have been unintentional During the last decade, significant changes in the approach to privacy have escalated the tension between individuals and organizations. This tension appears in two distinct areas: the market s redefinition of privacy management; and technology s redefinition of privacy invasion. Page 21 Other risks that you re concerned about? Page 22 IT risk management training 11

12 Recommended reading Information security Business continuity management Mobile Cloud IT risk management Fighting to close the gap: Ernst & Young s 2012 Global Information Security Survey Ready for the challenge: integrated governance the key to effective business continuity management Business continuity management: current trends Mobile device security: understanding vulnerabilities and managing risk Ready for takeoff: preparing for your journey into the cloud The evolving IT risk landscape: the why and how of IT risk management today Use governance, risk and compliance technology to turn risk into results Technology risk management in a cyber world: a C-suite responsibility Program risk Software/IT asset management Social media risk management Segregation of duties/identity and access management Data loss prevention and privacy Building confidence in IT programs: facilitating success through program risk management Strategy deployment through portfolio management: a riskbased approach Effective software asset management: how to reap its benefits Effective software asset management: how to reap its benefits Effective software asset management: how to reap its benefits A risk-based approach to segregation of duties Data loss prevention: keeping your sensitive data out of the public domain Privacy trends 2012: the case Three steps to prepare for a for growing accountability HIPAA audit Page 23 Speaker Bio Debbie is a Senlor Manager leading the IT Governance service line in EY's IT Risk Management Center of Excellence. She is a subject matter resource assisting her clients with assessing and designing IT risk management programs to identify, assess, respond, monitor and report on IT risks. She also conducts IT Governance reviews and assisting IT organizations with assessing, designing and implementing IT governance. Debbie Lew Senior Manager, Advisory Contact Info: Ernst & Young, LLP 2931 Townsgate Road, Suite 100 Westlake Village, CA Mobile: Office: She was a member of the COBIT4.0/4.1 COBIT Steering Committee representing the U.S. and is a SME for the COBIT5 for Risk coming out shortly. She was also a member of ISACA's credentialing task force developing the CRISC certification for IT risk practitioners. Debbie has over 15 years of insurance industry experience prior to joining EY in IT Audit, Strategic Planning and Project Management. She manages IT examinations in support of the financial examinations for the CA, Department of Insurance. She is currently a member of the NAIC IT Working Committee updating the IT examination handbook to COBIT5 ( IT Governance domain subcommittee). Page 24 IT risk management training 12

13 Ernst & Young Assurance Tax Transactions Advisory About Ernst & Young Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US Ernst & Young LLP. All Rights Reserved _WEST Page 25 IT risk management training 13

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations

More information

Ten key IT considerations for internal audit

Ten key IT considerations for internal audit Insights on governance, risk and compliance February 2013 Ten key IT considerations for internal audit Effective IT risk assessment and audit planning Contents Introduction... 2 Information security...

More information

Cybersecurity. Considerations for the audit committee

Cybersecurity. Considerations for the audit committee Cybersecurity Considerations for the audit committee Insights on November 2012 governance, risk and compliance Fighting to close the gap Ernst & Young s 2012 Global Information Security Survey 2012 Global

More information

Cybersecurity and internal audit. August 15, 2014

Cybersecurity and internal audit. August 15, 2014 Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices

More information

IT Governance. What is it and how to audit it. 21 April 2009

IT Governance. What is it and how to audit it. 21 April 2009 What is it and how to audit it 21 April 2009 Agenda Can you define What are the key objectives of How should be structured Roles and responsibilities Key challenges and barriers Auditing Scope Test procedures

More information

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data

More information

Strategy, COBIT and Vision: HOW DO THEY RELATE? Ken Vander Wal, CISA, CPA, Past President, ISACA vandeke@gmail.com 11.16.2013

Strategy, COBIT and Vision: HOW DO THEY RELATE? Ken Vander Wal, CISA, CPA, Past President, ISACA vandeke@gmail.com 11.16.2013 Strategy, COBIT and Vision: HOW DO THEY RELATE? Ken Vander Wal, CISA, CPA, Past President, ISACA vandeke@gmail.com 11.16.2013 AGENDA IT s Changing Landscape ISACA s Response Vision and Mission COBIT 5

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015 Internal audit of cybersecurity Presentation to the Atlanta IIA Chapter January 2015 Agenda Executive summary Why is this topic important? Cyber attacks: increasing complexity arket insights: What are

More information

Data Protection. Understanding the Effectiveness of a Data Protection Program. IIA: Almost Free Seminar. 21 June 2011

Data Protection. Understanding the Effectiveness of a Data Protection Program. IIA: Almost Free Seminar. 21 June 2011 Understanding the Effectiveness of a Data Protection Program IIA: Almost Free Seminar 21 June 2011 Agenda Data protection overview Case studies Ernst & Young s point of view Understanding the effectiveness

More information

Facing Information Security Challenges

Facing Information Security Challenges AKTINA Event Information Security & Cloud Challenges March 17, 2016 Facing Information Security Challenges ISACA Cyprus Chapter Paschalis Pissarides CRISC, CISM, CISA Immediate Past President (2010-2014)

More information

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES POINT OF VIEW CYBERSECURITY IN FINANCIAL SERVICES Financial services institutions are globally challenged to keep pace with changing and covert cybersecurity threats while relying on traditional response

More information

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

The Changing IT Risk Landscape Understanding and managing existing and emerging risks The Changing IT Risk Landscape Understanding and managing existing and emerging risks IIA @ Noon Kareem Sadek Senior Manager, Deloitte Canada Chris Close Senior Manager, Deloitte Canada December 2, 2015

More information

COBIT 5 An Overview. 12 th June, COBIT is a registered trademark of the Information Systems Audit and Control Association

COBIT 5 An Overview. 12 th June, COBIT is a registered trademark of the Information Systems Audit and Control Association COBIT 5 An Overview 12 th June, 2012 COBIT is a registered trademark of the Information Systems Audit and Control Association Agenda Organizational Concerns COBIT 5 An Introduction COBIT 4.1 Vs. COBIT

More information

Risk Considerations for Internal Audit

Risk Considerations for Internal Audit Risk Considerations for Internal Audit Cecile Galvez, Deloitte & Touche LLP Enterprise Risk Services Director Traci Mizoguchi, Deloitte & Touche LLP Enterprise Risk Services Senior Manager February 2013

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape

Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape January 2013 Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape At a glance Threats to data security both

More information

Certified Identity and Access Manager (CIAM) Overview & Curriculum

Certified Identity and Access Manager (CIAM) Overview & Curriculum Identity and access management (IAM) is the most important discipline of the information security field. It is the foundation of any information security program and one of the information security management

More information

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...

More information

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015 Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting January 9, 2015 Agenda Key Risks Incorporating Internal Audit Resources for Internal Auditors Questions 2 Key Risks 3 4 Key

More information

Personal Information Threats & Risks: Responding to an Evolving Landscape with an Integrated Data Protection Approach

Personal Information Threats & Risks: Responding to an Evolving Landscape with an Integrated Data Protection Approach Personal Information Threats & Risks: Responding to an Evolving Landscape with an Integrated Data Protection Approach Don MacPherson January 2012 Discussion Items 1. Threats and risks to personal information

More information

Security and Privacy Trends 2014

Security and Privacy Trends 2014 2014 Agenda Today s cyber threats 3 You could be under cyber attack now! Improve 6 Awareness of cyber threats propels improvements Expand 11 Leading practices to combat cyber threats Innovate 20 To survive,

More information

Executive Management of Information Security

Executive Management of Information Security WHITE PAPER Executive Management of Information Security _experience the commitment Entire contents 2004, 2010 by CGI Group Inc. All rights reserved. Reproduction of this publication in any form without

More information

trends and audit considerations

trends and audit considerations Bring your own device (BYOD) trends and audit considerations SIFMA IT audit session 4 October 2012 Disclaimer Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited,

More information

The transformation of IT Risk Management. kpmg.com

The transformation of IT Risk Management. kpmg.com The transformation of IT Risk Management kpmg.com The transformation of IT Risk Management The role of IT Risk Management Scope of IT risk management Examples of IT risk areas of focus How KPMG can help

More information

Harness Enterprise Risks With Oracle Governance, Risk and Compliance

Harness Enterprise Risks With Oracle Governance, Risk and Compliance Hardware and Software Engineered to Work Together Harness Enterprise Risks With Oracle Governance, Risk and Compliance Is the plethora of financial, operational and regulatory policies and mandates overwhelming

More information

High Value Audits: An Update on Information Technology Auditing. Robert B. Hirth Jr., Managing Director

High Value Audits: An Update on Information Technology Auditing. Robert B. Hirth Jr., Managing Director High Value Audits: An Update on Information Technology Auditing Robert B. Hirth Jr., Managing Director The technology landscape and its impact on internal audit Technology is playing an ever-growing role

More information

Mitigating and managing cyber risk: ten issues to consider

Mitigating and managing cyber risk: ten issues to consider Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed

More information

Italy. EY s Global Information Security Survey 2013

Italy. EY s Global Information Security Survey 2013 Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information

More information

State of Security Survey GLOBAL FINDINGS

State of Security Survey GLOBAL FINDINGS 2011 State of Security Survey GLOBAL FINDINGS CONTENTS Introduction... 4 Methodology... 6 Finding 1: Cybersecurity is important to business... 8 Finding 2: The drivers of security are changing... 10 Finding

More information

Internal audit value optimization for insurance organizations

Internal audit value optimization for insurance organizations Internal audit value optimization for insurance organizations Webinar May 13, 2015 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

More information

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

Security Risk Management Strategy in a Mobile and Consumerised World

Security Risk Management Strategy in a Mobile and Consumerised World Security Risk Management Strategy in a Mobile and Consumerised World RYAN RUBIN (Msc, CISSP, CISM, QSA, CHFI) PROTIVITI Session ID: GRC-308 Session Classification: Intermediate AGENDA Current State Key

More information

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management

More information

COMMUNIQUE. Information Technology (IT) Governance Guidance

COMMUNIQUE. Information Technology (IT) Governance Guidance COMMUNIQUE 14-COM-002 July 14, 2014 Information Technology (IT) Governance Guidance The Credit Union Prudential Supervisors Association (CUPSA) has established an IT Risk Working Group to focus on IT governance

More information

Enhancing IT Governance, Risk and Compliance Management (IT GRC)

Enhancing IT Governance, Risk and Compliance Management (IT GRC) Enhancing IT Governance, Risk and Compliance Management (IT GRC) Enabling Reliable eservices Tawfiq F. Alrushaid Saudi Aramco Agenda GRC Overview IT GRC Introduction IT Governance IT Risk Management IT

More information

Disaster recovery strategic planning: How achievable will it be?

Disaster recovery strategic planning: How achievable will it be? Disaster recovery strategic planning: How achievable will it be? Amr Ahmed Ernst & Young Advisory Services, Executive Director amr.ahmed@ey.com Christopher Rivera Ernst & Young Advisory Services, Manager

More information

Cybersecurity in the States 2012: Priorities, Issues and Trends

Cybersecurity in the States 2012: Priorities, Issues and Trends Cybersecurity in the States 2012: Priorities, Issues and Trends Commission on Maryland Cyber Security and Innovation June 8, 2012 Pam Walker, Director of Government Affairs National Association of State

More information

Social Networking and its Implications on your Data Security

Social Networking and its Implications on your Data Security Social Networking and its Implications on your Data Security Canadian Chamber of Commerce of the Philippines June 8, 2011 Warren R Bituin Partner -SGV & Co. About the Speaker Warren R. Bituin SGV & Co./Ernst

More information

IT Management & Governance Diagnostic Program

IT Management & Governance Diagnostic Program IT & Governance Diagnostic Program Prepared for Sample IT Company This report was prepared by Info-Tech Research Group for Sample IT Company on 2015-05-20. Data is comprised of 6 responses. IT & Governance

More information

Creating Business Value with Effective, Pervasive Cloud Security and Cloud Enablement Services

Creating Business Value with Effective, Pervasive Cloud Security and Cloud Enablement Services Creating Business Value with Effective, Pervasive Cloud Security and Cloud Enablement Services Managing Governance, Risk, and Compliance for Cloud Information Security Introduction Businesses today are

More information

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14 www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit (4:30-5:30) Draft v8 2-25-14 Common Myths 1. You have not been hacked. 2. Cyber security is about keeping the

More information

fs viewpoint www.pwc.com/fsi

fs viewpoint www.pwc.com/fsi fs viewpoint www.pwc.com/fsi June 2013 02 11 16 21 24 Point of view Competitive intelligence A framework for response How PwC can help Appendix It takes two to tango: Managing technology risk is now a

More information

www.pwc.com Business Resiliency Business Continuity Management - January 14, 2014

www.pwc.com Business Resiliency Business Continuity Management - January 14, 2014 www.pwc.com Business Resiliency Business Continuity Management - January 14, 2014 Agenda Key Definitions Risks Business Continuity Management Program BCM Capability Assessment Process BCM Value Proposition

More information

Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization

Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization Outside View of Increased Regulatory Requirements Regulatory compliance is often seen as sand in the gears requirements

More information

Developing National Frameworks & Engaging the Private Sector

Developing National Frameworks & Engaging the Private Sector www.pwc.com Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012

More information

Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices. April 10, 2013

Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices. April 10, 2013 Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices April 10, 2013 Today's Agenda: Key Topics Defining IT Governance IT Governance Elements & Responsibilities

More information

Cloud Security Trust Cisco to Protect Your Data

Cloud Security Trust Cisco to Protect Your Data Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive

More information

IT Governance: framework and case study. 22 September 2010

IT Governance: framework and case study. 22 September 2010 IT Governance: framework and case study Presenter Yaowaluk Chadbunchachai Advisory Services Ernst & Young Corporate Services Limited Presentation topics ERM and IT governance IT governance framework IT

More information

Financial services regulatory compliance. Changing demands require the right perspective

Financial services regulatory compliance. Changing demands require the right perspective Financial services regulatory compliance Changing demands require the right perspective The role of compliance is being elevated as regulatory demands increase. Compliance leaders are facing the greatest

More information

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

More information

OVERVIEW. With just 10,000 customers in your database, the cost of a data breach averages more than $2 million.

OVERVIEW. With just 10,000 customers in your database, the cost of a data breach averages more than $2 million. Security PLAYBOOK OVERVIEW Today, security threats to retail organizations leave little margin for error. Retailers face increasingly complex security challenges persistent threats that can undermine the

More information

Cyber security. Cyber Security. Digital Employee Experience. Digital Customer Experience. Digital Insight. Payments. Internet of Things

Cyber security. Cyber Security. Digital Employee Experience. Digital Customer Experience. Digital Insight. Payments. Internet of Things Cyber security Digital Customer Experience Digital Employee Experience Digital Insight Internet of Things Payments IP Solutions Cyber Security Cloud 2015 CGI IT UK Ltd Contents... Securing organisations

More information

A NEW APPROACH TO CYBER SECURITY

A NEW APPROACH TO CYBER SECURITY A NEW APPROACH TO CYBER SECURITY We believe cyber security should be about what you can do not what you can t. DRIVEN BY BUSINESS ASPIRATIONS We work with you to move your business forward. Positively

More information

our enterprise security Empowering business

our enterprise security Empowering business our enterprise security Empowering business Introduction Communication is changing the way we live and work. Ericsson plays a key role in this evolution, using innovation to empower people, business and

More information

Moving Forward with IT Governance and COBIT

Moving Forward with IT Governance and COBIT Moving Forward with IT Governance and COBIT Los Angeles ISACA COBIT User Group Tuesday 27, March 2007 IT GRC Questions from the CIO Today s discussion focuses on the typical challenges facing the CIO around

More information

One Part ITIL, One Part COBIT The ingredients for repeatable and controlled processes to support IT services

One Part ITIL, One Part COBIT The ingredients for repeatable and controlled processes to support IT services One Part ITIL, One Part COBIT The ingredients for repeatable and controlled processes to support IT services Mark Thomas, COBIT SIG President June 15, 2012 Pittsburgh Local Interest Group LIG Name goes

More information

Introduction Auditing Internal Controls in an IT Environment SOx and the COSO Internal Controls Framework Roles and Responsibilities of IT Auditors

Introduction Auditing Internal Controls in an IT Environment SOx and the COSO Internal Controls Framework Roles and Responsibilities of IT Auditors Introduction Auditing Internal Controls in an IT Environment SOx and the COSO Internal Controls Framework Roles and Responsibilities of IT Auditors Importance of Effective Internal Controls and COSO COSO

More information

COBIT 5 for Risk. CS 3-7: Monday, July 6 4:00-5:00. Presented by: Nelson Gibbs CIA, CRMA, CISA, CISM, CGEIT, CRISC, CISSP ngibbs@pacbell.

COBIT 5 for Risk. CS 3-7: Monday, July 6 4:00-5:00. Presented by: Nelson Gibbs CIA, CRMA, CISA, CISM, CGEIT, CRISC, CISSP ngibbs@pacbell. COBIT 5 for Risk CS 3-7: Monday, July 6 4:00-5:00 Presented by: Nelson Gibbs CIA, CRMA, CISA, CISM, CGEIT, CRISC, CISSP ngibbs@pacbell.net Disclaimer of Use and Association Note: It is understood that

More information

Microsoft s Compliance Framework for Online Services

Microsoft s Compliance Framework for Online Services Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft

More information

Address C-level Cybersecurity issues to enable and secure Digital transformation

Address C-level Cybersecurity issues to enable and secure Digital transformation Home Overview Challenges Global Resource Growth Impacting Industries Address C-level Cybersecurity issues to enable and secure Digital transformation We support cybersecurity transformations with assessments,

More information

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and

More information

Ecom Infotech. Page 1 of 6

Ecom Infotech. Page 1 of 6 Ecom Infotech Page 1 of 6 Page 2 of 6 IBM Q Radar SIEM Intelligence 1. Security Intelligence and Compliance Analytics Organizations are exposed to a greater volume and variety of threats and compliance

More information

SAP GRC Technology Embed security and controls through technology

SAP GRC Technology Embed security and controls through technology www.pwc.com SAP GRC Technology Embed security and controls through technology Maximize the benefit from GRC technology Background Managing governance, risk and compliance continues to be a challenge for

More information

Important announcement

Important announcement Important announcement The coming together of IT Lab and JMC IT Spring 2015 1 Top UK technology and managed services providers IT Lab and JMC IT merge to create a truly national 300 strong company Our

More information

Best Practices in Incident Response. SF ISACA April 1 st 2009. Kieran Norton, Senior Manager Deloitte & Touch LLP

Best Practices in Incident Response. SF ISACA April 1 st 2009. Kieran Norton, Senior Manager Deloitte & Touch LLP Best Practices in Incident Response SF ISACA April 1 st 2009 Kieran Norton, Senior Manager Deloitte & Touch LLP Current Landscape What Large scale breaches and losses involving credit card data and PII

More information

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

Cloud Assurance: Ensuring Security and Compliance for your IT Environment Cloud Assurance: Ensuring Security and Compliance for your IT Environment A large global enterprise has to deal with all sorts of potential threats: advanced persistent threats (APTs), phishing, malware

More information

Protecting your brand in the cloud Transparency and trust through enhanced reporting

Protecting your brand in the cloud Transparency and trust through enhanced reporting Protecting your brand in the cloud Transparency and trust through enhanced reporting Third-party Assurance November 2011 At a glance Cloud computing has unprecedented potential to deliver greater business

More information

Information Technology Auditing for Non-IT Specialist

Information Technology Auditing for Non-IT Specialist Information Technology Auditing for Non-IT Specialist IIA Pittsburgh Chapter October 4, 2010 Agenda Introductions What are General Computer Controls? Auditing IT processes controls Understanding and evaluating

More information

Company size matters: Perspectives on IT Governance

Company size matters: Perspectives on IT Governance www.pwc.com/ca/technology-consulting Company size matters: Perspectives on IT Governance versus large Canadian organizations and IT Governance PwC conducted research for the 4th edition of the IT Governance

More information

SECURITY RISK MANAGEMENT

SECURITY RISK MANAGEMENT SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W

More information

Key Cyber Risks at the ERP Level

Key Cyber Risks at the ERP Level Key Cyber Risks at the ERP Level Process & Industrial Products (P&IP) Sector December, 2014 Today s presenters Bhavin Barot, Sr. Manager Deloitte & Touche LLP Goran Ristovski, Manager Deloitte & Touche

More information

Risk IT A set of guiding principles and. the first framework to help enterprises identify, govern and effectively manage IT risk.

Risk IT A set of guiding principles and. the first framework to help enterprises identify, govern and effectively manage IT risk. Risk IT A set of guiding principles and the first framework to help enterprises identify, govern and effectively manage IT risk. In business today, risk plays a critical role. Almost every business decision

More information

Big 4 Information Security Forum

Big 4 Information Security Forum San Francisco ISACA Chapter Proudly Presents: Big 4 Information Security Forum A Day-Long, Multi-Session Event, being held in San Francisco @ the Sir Francis Drake Hotel! *** PLEASE NOTE THIS EVENT WILL

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

State Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4

State Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4 State Agency Cybersecurity Survey v 3.4 The purpose of this survey is to identify your agencies current capabilities with respect to information systems/cyber security and any challenges and/or successes

More information

Aalborg Universitet. Cyber Assurance - what should the IT auditor focus on? Berthing, Hans Henrik Aabenhus. Publication date: 2014

Aalborg Universitet. Cyber Assurance - what should the IT auditor focus on? Berthing, Hans Henrik Aabenhus. Publication date: 2014 Aalborg Universitet Cyber Assurance - what should the IT auditor focus on? Berthing, Hans Henrik Aabenhus Publication date: 2014 Document Version Early version, also known as pre-print Link to publication

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

www.pwc.co.uk Cyber security Building confidence in your digital future

www.pwc.co.uk Cyber security Building confidence in your digital future www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in

More information

Certified Information Security Manager (CISM)

Certified Information Security Manager (CISM) Certified Information Security Manager (CISM) Course Introduction Course Introduction Domain 01 - Information Security Governance Lesson 1: Information Security Governance Overview Information Security

More information

ARRA HITECH Stimulus HIPAA Security Compliance Reporter. White Paper

ARRA HITECH Stimulus HIPAA Security Compliance Reporter. White Paper ARRA HITECH Stimulus HIPAA Security Compliance Reporter White Paper ARRA HITECH AND ACR2 HIPAA SECURITY The healthcare industry is in a time of great transition, with a government mandate for EHR/EMR systems,

More information

National Cyber Security Policy -2013

National Cyber Security Policy -2013 National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information

More information

Key Considerations of Regulatory Compliance in the Public Cloud

Key Considerations of Regulatory Compliance in the Public Cloud Key Considerations of Regulatory Compliance in the Public Cloud W. Noel Haskins-Hafer CRMA, CISA, CISM, CFE, CGEIT, CRISC 10 April, 2013 w_haskins-hafer@intuit.com Disclaimer Unless otherwise specified,

More information

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects Cloud Computing An insight in the Governance & Security aspects AGENDA Introduction Security Governance Risks Compliance Recommendations References 1 Cloud Computing Peter Hinssen, The New Normal, 2010

More information

Under control 2015 Hot topics for IT internal audit in financial services. An Internal Audit viewpoint

Under control 2015 Hot topics for IT internal audit in financial services. An Internal Audit viewpoint Under control 2015 Hot topics for IT internal audit in financial services An Internal Audit viewpoint Introduction Welcome to our fourth annual review of the IT hot topics for IT internal audit in financial

More information

Information Security Governance:

Information Security Governance: Information Security Governance: Designing and Implementing Security Effectively 2 nd Athens International Forum on Security 15 16 Jan 2009 Anestis Demopoulos, CISA, CISSP, CIA President of ISACA Athens

More information

Enterprise Security Architecture

Enterprise Security Architecture Enterprise Architecture -driven security April 2012 Agenda Facilities and safety information Introduction Overview of the problem Introducing security architecture The SABSA approach A worked example architecture

More information

IASA Speaker: Alvin Tan

IASA Speaker: Alvin Tan Enterprise Security Architecture IASA Speaker: Alvin Tan Definition Compliant to International Organization for Standardization (ISO) Standard 17799 Necessary requirements for people, processes, and technologies

More information

KEY TRENDS AND DRIVERS OF SECURITY

KEY TRENDS AND DRIVERS OF SECURITY CYBERSECURITY: ISSUES AND ISACA S RESPONSE Speaker: Renato Burazer, CISA,CISM,CRISC,CGEIT,CISSP KEY TRENDS AND DRIVERS OF SECURITY Consumerization Emerging Trends Continual Regulatory and Compliance Pressures

More information

EXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources

EXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources EXECUTIVE STRATEGY BRIEF Securing the Cloud Infrastructure Cloud Resources 01 Securing the Cloud Infrastructure / Executive Strategy Brief Securing the Cloud Infrastructure Microsoft recognizes that trust

More information

Reaching for the cloud: the potential and the reality of using cloud-based platforms. Speaker: Michael Michaelides October 22, 2015

Reaching for the cloud: the potential and the reality of using cloud-based platforms. Speaker: Michael Michaelides October 22, 2015 Reaching for the cloud: the potential and the reality of using cloud-based platforms Speaker: Michael Michaelides October 22, 2015 Within today s financial services (FS) marketplace, speed to market, agility

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

XBRL & GRC Future opportunities?

XBRL & GRC Future opportunities? XBRL & GRC Future opportunities? Suzanne Janse Deloitte NL Paul Hulst Deloitte / Said Tabet EMC Presenters Suzanne Janse Deloitte Netherlands Director ERP (SAP, Oracle) Risk Management GRC software Paul

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

IT Service Management ITIL, COBIT

IT Service Management ITIL, COBIT IT Service Management ITIL, COBIT Bülent Ekuklu Business Development Executive IBM Global Services Global Conditions are Changing 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% Agriculture Manufacturing Service

More information

The IBM data governance blueprint: Leveraging best practices and proven technologies

The IBM data governance blueprint: Leveraging best practices and proven technologies May 2007 The IBM data governance blueprint: Leveraging best practices and proven technologies Page 2 Introduction In the past few years, dozens of high-profile incidents involving process failures and

More information

Seamless Mobile Security for Network Operators. Build a secure foundation for winning new wireless services revenue.

Seamless Mobile Security for Network Operators. Build a secure foundation for winning new wireless services revenue. Seamless Mobile Security for Network Operators Build a secure foundation for winning new wireless services revenue. New wireless services drive revenues. Faced with the dual challenges of increasing revenues

More information