Rethink Your Risk Assessment Lifecycle
Information Security in a Box: A Guide for Establishing Baseline Maturity

Rethink Your Risk Assessment Lifecycle
INFORMATION SECURITY IN A BOX: A GUIDE FOR ESTABLISHING BASELINE MATURITY

Use this roadmap to identify the key steps and illustrative timelines for developing an information security function. For detailed guidance on each of these nine focus areas, see Information Security in a Box: A Guide for Establishing Baseline Maturity. (Roadmap figure: the focus areas below are laid out against an illustrative timeline of 3, 6, 9, 12, 15, and 18 months.)

Introduction: Design Your Information Security Function
- Determine the Structure of Your Function
- Establish a Governance Model

1. Improve the Effectiveness of Your Security Policies
- Assess Policy Effectiveness
- Design a Policy Strategy
- Develop the Full Policy Stack
- Define a Policy Review Process

2. Develop a Comprehensive Incident Response Process
- Define Scope and Conduct Groundwork
- Set Criteria to Detect and Analyze Incidents
- Prepare to Contain, Eradicate, and Recover from Incidents
- Ensure Postmortem Learning

3. Streamline Your Regulatory Compliance Program
- Develop a Rationalized Compliance Framework
- Streamline Deployment Decisions
- Assess and Update Compliance Status

4. Implement an Effective Data Privacy Program
- Structure the Privacy Program
- Create an Enterprise Privacy Policy
- Conduct an Impact Assessment
- Develop a Privacy Breach Response Plan

5. Rethink Your Risk Assessment Lifecycle
- Create a Risk Assessment Framework
- Build the Risk Assessment Process
- Define Risk Treatment Options
- Articulate an Enterprise-Level View of Information Risk

6. Build an Effective Metrics Program
- Understand the Design Principles of an Effective Metrics Program
- Create the Framework for Your Metrics Program
- Define Your Metrics

7. Implement an Effective Employee Awareness Campaign
- Create the Business Case
- Identify and Understand Employee Behaviors
- Design Audience-Focused Awareness Efforts
- Evaluate Effectiveness

8. Create Your Business Continuity and Disaster Recovery Plan
- Conduct Groundwork
- Develop a Continuity Framework and Recovery Plan
- Test and Maintain the Plan
RETHINK YOUR RISK ASSESSMENT LIFECYCLE: EXECUTIVE SUMMARY

A Core Competency That a Surprising Number of Organizations Lack

Risk assessments, a core competency of Information Security, are deployed to support a variety of business and security goals, including identifying new or changed levels of risk, clarifying ownership of risk and of risk mitigation activities, uncovering areas with inadequate controls, and quantifying and communicating risk levels to IT and business partners. The routine implementation of new laws affecting the enterprise and the rapid adoption of new technologies create a turbulent environment in which organized, clearly articulated risk assessment processes are critical to risk management. Surprisingly few organizations have formalized their risk assessment lifecycles, despite this rapidly changing environment and its inherent threats.

Beyond implementing or improving their ability to assess the risk of specific targets, such as new projects or third parties, security functions are increasingly being called upon to provide more consultative risk assessments. Business leaders use these assessments to inform strategy and major business decisions, and they usually require Security to articulate an enterprise-level view of information risks.

Obstacles to Maturing This Capability

Business stakeholders often see Security as the organization that says no, and they view risk assessment as the primary bottleneck where business projects are denied or delayed. Business partners may therefore be averse to partnering with Security to formalize the risk assessment process. Security functions, for their part, may treat the need to continually adapt risk assessments to the needs of specific projects, processes, and workflows as a reason to forgo standardization entirely. Conducting assessments ad hoc and failing to work from a common language form the foundation for inefficient, frustrating, and minimally effective risk management.

What the Best Companies Do

Mature companies adopt risk assessment frameworks that allow them to manage information risk in a structured, comprehensive, and cost-effective way. Progressive companies include business stakeholders in every phase of the risk assessment process, from developing the framework to applying treatments and anticipating enterprise-level risks. This strong partnership forms the basis for organization-wide understanding of and participation in risk management.

CEB provides insights organized into four actionable steps for rethinking your risk assessment lifecycle:
1. Create a Risk Assessment Framework
2. Build the Risk Assessment Process
3. Define Risk Treatment Options
4. Articulate an Enterprise-Level View of Information Risk
CEB Information Risk Leadership Council

General Manager: Warren Thune
Executive Director: Shvetank Shah
Managing Director: Kavitha Venkita
Practice Manager: Jeremy Bergsman

Research and Advisory Team: Boris Alexandrov, Matthew Brumback, William Candrick, Joshua Downie, Yinuo Geng, Daniel Howard, Parijat Jauhari, David Kingston, Emma Kinnucan, Karolina Laskowska, Tim Macintyre, Chris Mixter, Scott Pedowitz, Shilpa Pental, Dorota Pietruszewska, Carsten Schmidt, Alex Stille

Content Publishing Solutions
Print Designers: Nicole Daniels, Lindsay Kumpf
Contributing Designers: Kunal Anand, Samira Haksar, Casey Labrack
Editor: Kate Seferian

CONFIDENTIALITY AND INTELLECTUAL PROPERTY
These materials have been prepared by The Corporate Executive Board Company and its affiliates (CEB) for the exclusive and individual use of our member companies. These materials contain valuable confidential and proprietary information belonging to CEB, and they may not be shared with any third party (including independent contractors and consultants) without the prior approval of CEB. CEB retains any and all intellectual property rights in these materials and requires retention of the copyright mark on all pages reproduced.

LEGAL CAVEAT
CEB is not able to guarantee the accuracy of the information or analysis contained in these materials. Furthermore, CEB is not engaged in rendering legal, accounting, or any other professional services. CEB specifically disclaims liability for any damages, claims, or losses that may arise from a) any errors or omissions in these materials, whether caused by CEB or its sources, or b) reliance upon any recommendation made by CEB.
SELF-DIAGNOSTIC

Use this diagnostic to assess the maturity of your current risk assessment process and to identify gaps in your program. Rate each statement on a five-point scale (I Strongly Disagree, I Disagree, It Depends, I Agree, I Strongly Agree) and add up the scores for a total.

Step 1
- A formally documented, high-level risk assessment process is in place, written in business-friendly language, and can be easily articulated to key business stakeholders.
- Common taxonomies for risks, threats, and controls are in place and known to and understood by key business stakeholders.

Step 2
- Risk assessment questionnaires are written in business-friendly language and designed to test for business-specific risks.
- Security works with business process owners, Audit, and HR to identify high-risk business workflows and to define risk assessment criteria.

Step 3
- Stakeholders involved in risk decision making are aware of and understand their roles and responsibilities regarding risk treatment.
- Established risk acceptance guidelines are in place and effectively facilitate decision making by business partners and risk owners.

Step 4
- External and internal analysis is routinely conducted to identify which sources of risk are of greatest concern to peer organizations and of potential relevance to our business.
- Risk assessments are supplemented with an organizational assessment that benchmarks Security's activities, performance, and goals against those of peer organizations.

Scoring Guideline (Total Score): Nascent 8 to 18; Baseline; World Class.

Source: CEB analysis.
DEVELOPING INFORMATION SECURITY'S CAPABILITIES

This study will help you strengthen the maturity of your security organization's ability to rethink your risk assessment lifecycle. Each maturity level below is described on the same four dimensions: the risk assessment framework, the assessment questions, the risk owners, and the handling of emerging risks.

Nascent
- No formalized risk assessment framework is in place.
- Risk assessment questions are generic and have been added to questionnaires over time on an ad hoc basis.
- Risk owners don't understand their risk treatment and acceptance responsibilities.
- Security is focused on technical vulnerabilities and cannot articulate emerging risks or top-level information risks from a business perspective.

Baseline
- A documented risk assessment framework is in place but is not fully aligned to core business risks.
- Risk assessment questions are aligned to business risks but are rarely specific enough to generate actionable assessment output.
- Risk owners know their risk treatment and acceptance responsibilities in theory, but they take part in risk management decisions only reluctantly.
- Security conducts analysis to anticipate emerging, enterprise-level risks only on an ad hoc basis.

World Class
- Security's risk assessment framework aligns to business risks and is understood by business partners.
- Risk assessment questions are designed to identify specific business risks, which are in turn mapped to actionable controls.
- True risk owners routinely and willingly collaborate with Security to make risk management decisions.
- Security has established a formal process to predict and prepare for new and emerging threat trends.

Contact your account director for more details on benchmarking Security's core capabilities.
RETHINK YOUR RISK ASSESSMENT LIFECYCLE

Steps: 1. Create a Risk Assessment Framework; 2. Build the Risk Assessment Process; 3. Define Risk Treatment Options; 4. Articulate an Enterprise-Level View of Information Risk

Key Insights, with Sample Tools and Templates

- Create a risk assessment framework aligned to core business activities. Risk assessments designed to be in sync with business processes are more effective at uncovering the risks relevant to key business stakeholders. Tools: Risk Assessment Process Overview; Risk Assessment Lenses and Types.
- Use taxonomies to establish an enterprise-wide understanding of risks, threats, and controls. Uniform, commonly understood definitions for security terms facilitate risk identification and communication across the enterprise. Where applicable, these terms should align to Enterprise Risk Management (ERM) taxonomies. Tools: Risk, Control, and Threat Taxonomies.
- Design a standardized risk rating method that business stakeholders can understand. Standardized risk rating methods give key business stakeholders an understanding of risk magnitude, information they can use to make risk acceptance and treatment decisions more effectively. Where applicable, these methods should align to ERM risk ratings. Tools: Risk Rating Criteria.

Find these and related tools online in the Information Security in a Box Toolkit.
KNOW THE VALUE OF THE FRAMEWORK

Risk assessment frameworks establish standardized processes for risk assessment, allowing for a more consistent, and therefore more efficient and effective, assessment lifecycle. Risk assessment frameworks promote uniform risk identification across the enterprise, cutting down confusion and miscommunication between Security and business partners. Security must consider its organization's unique aspects, including business structures, IT-business relationships, and business culture, to ensure its risk assessment framework produces relevant, actionable results.

Risk Assessment Framework Components

Identify the type and scope of risk assessments you need.
- Become familiar with the range of available risk assessment types.
- Be able to differentiate between operational and consultative assessments; know the importance of each.
- Review business activities, goals, and structure to identify priority targets for assessment; ensure planned assessments align to business priorities.
- Collaborate with cross-functional partners in Audit, HR, and Legal to reduce overlap and duplication of effort in the assessment process.

Develop a common language using taxonomies.
- Establish a common set of terms that define risks, threats, and controls for your organization.
- Ensure terms are nontechnical and business friendly in nature.

Be able to talk to business partners about risk.
- Establish a clear, concise, business-aligned process for communicating risk assessment output.
- Define risk in terms relevant to business partners.

Source: CEB analysis.
UNDERSTAND AVAILABLE RISK ASSESSMENT TYPES

Security will need to apply different types of risk assessment in different situations; these assessment types must be defined within the framework. Operational risk assessments remain a vital competency, but Security will increasingly be required to devote time to consultative assessments that reveal risks outside of technologies.

Assessment Typology

Consultative
Goals: Identify risks to key business objectives along with risk treatment options that enable business projects to move forward securely. Engage risk owners in threat and vulnerability identification. Present clear, transparent recommendations to inform risk decision making. Also accomplish all operational assessment goals.
Examples:
- Business Entity Risk Assessment: Top-down assessment of an operating entity as a whole, designed to identify top risks; output typically bubbles up into ERM/board-level reports and informs information risk strategic plans and priorities.
- Strategy/Advisory Risk Assessment: Assessment of business decisions that are strategic in nature and have significant cost, value, or market position implications, such as switching from company-provided devices to employee-owned devices or entering a new market.
- Business Process/Workflow Risk Assessment: Assessment of a sequence of business activities that produces a result of observable value; it is designed to uncover vulnerabilities related to workflow and end-user behavior.
- Business Capability Risk Assessment: Assessment of a collection of business processes, people, and technology that make up an organization's capacity to achieve a specific objective; business capabilities are typically at a high enough level to have heterogeneous business stakeholders. Examples of business capabilities include onboarding a new employee or managing the order-to-pay cycle.

Operational
Goals: Identify threats and vulnerabilities to technology projects, assets, and systems, and ensure proper controls are in place. Ensure technologies meet security policies, standards, and regulations. Identify areas of potential security investment.
Examples:
- Project Risk Assessment: Assessment of new IT projects, such as upgrading to Windows 7, implementing SharePoint, or buying a new payroll system; assessments of changes to existing assets or processes are also included in this category.
- Asset-Based Risk Assessment: Targeted assessment of existing technology assets, such as applications, infrastructure, or IT systems.
- Vulnerability Scanning: Broad-based, technical testing of infrastructure to uncover potential vulnerabilities in system configuration.
- Third-Party Risk Assessment: Assessment of suppliers and outsourcers providing a product or service with IT components or involving hosting, sharing, or transfer of corporate data.

Source: CEB analysis.
KNOW WHICH RISK ASSESSMENTS TO USE AND WHERE TO USE THEM

Enterprise structure can serve as a mental map for Security to determine which assessment types will be most appropriate for which projects, processes, workflows, and assets. Understanding enterprise structure also enables Security to determine which types of assessment it will need to conduct most often and which will take the most time, allowing for better resource and staff allocation. Most security functions will need to conduct more operational assessments but will find that consultative assessments require more engagement with business partners and are therefore more time-consuming.

Organizational Design of a Typical Enterprise (Schematic), with Matching Risk Assessment Types

Business Objectives and Organizational Structure (e.g., business units, business capabilities)
- Business Entity Risk Assessment (consultative)
- Business Capability Risk Assessment (consultative)

Initiatives and Workflows (e.g., business processes, strategic business initiatives)
- Business Process/Workflow Risk Assessment (consultative)
- Strategy/Advisory Risk Assessment (consultative)

Components of Initiatives and Workflows (e.g., projects, assets)
- Project Risk Assessment (operational)
- Asset-Based Risk Assessment (operational)
- Vulnerability Scanning/Penetration Testing (operational)
- Third-Party Risk Assessment (operational)

Source: CEB analysis.
2014 CEB. All rights reserved.
More informationThe College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012
The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only Agenda Introduction Basic program components Recent trends in higher education risk management Why
More informationBusiness Continuity in Healthcare
Business Continuity in Healthcare Cynthia Simeone, CBCP, PMP Director Business Resilience Catholic Health Initiatives Scott Ream President Virtual Corporation 1 Session Speakers Cynthia Simeone, CBCP,
More informationApplications Executive Council Drivers of Business Analyst Effectiveness
Applications Executive Council Drivers of Business Analyst Effectiveness IIBA Building Business Capabilities 2012 Moderator: Mark Tonsetic Senior Research Director A FRAMEWORK FOR MEMBER CONVERSATIONS
More informationENTERPRISE MANAGEMENT AND SUPPORT IN THE TELECOMMUNICATIONS INDUSTRY
ENTERPRISE MANAGEMENT AND SUPPORT IN THE TELECOMMUNICATIONS INDUSTRY The Telecommunications Industry Companies in the telecommunications industry face a number of challenges as market saturation, slow
More informationNEW YORK STATE-WIDE PAYROLL CONFERENCE. Presented to:
NEW YORK STATE-WIDE PAYROLL CONFERENCE Presented to: Felicia Cheek, Practice Leader Global Time to Pay Advisory 15 September 2014 Statement of Confidentiality and Usage Restrictions This document contains
More informationMEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance
MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile
More informationKeys to a Successful Outsourcing Transition
Keys to a Successful Outsourcing Transition finance.arvato.com Getting it Right the First Time: Keys to a Successful Outsourcing Transition A large part of success in outsourcing depends on a seamless
More informationKey Considerations for Information Technology Governance. 900 Monroe NW Grand Rapids, MI 49503 (616) 632-8000
Key Considerations for Information Technology Governance What is IT Governance? Big Picture approach to information and data management Sets priorities: Managing performance Delivering value Managing risk
More informationYour Software Quality is Our Business. INDEPENDENT VERIFICATION AND VALIDATION (IV&V) WHITE PAPER Prepared by Adnet, Inc.
INDEPENDENT VERIFICATION AND VALIDATION (IV&V) WHITE PAPER Prepared by Adnet, Inc. February 2013 1 Executive Summary Adnet is pleased to provide this white paper, describing our approach to performing
More informationIdentifying Application Performance Risk
Identifying Application Performance Risk Performance Engineering COLLABORATIVE WHITEPAPER SERIES COLLABORATIVE WHITE PAPER SERIES: Identifying Application Performance Risk Under what conditions will an
More informationThe Compliance and Ethics Essentials Toolkit
CEB Compliance and Ethics Leadership Council The Compliance and Ethics Essentials Toolkit Practical Resources to Accelerate the Development of Your Program Contact CEB to Learn More +1-866-913-8103 CELC_Support
More informationCopyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience
Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience Management Model (CERT-RMM), both developed at Carnegie
More informationMaking A Case For Project Management
AN INTERTHINK CONSULTING WHITE PAPER Making A Case For Project Management An Overview Of Interthink Consulting's Project Management Business Case Approach Contents: Introduction Defining Organizational
More informationHow To Improve Your Business
IT Risk Management Life Cycle and enabling it with GRC Technology 21 March 2013 Overview IT Risk management lifecycle What does technology enablement mean? Industry perspective Business drivers Trends
More informationTECHNOLOGY IT ROADMAP SERVICE CORE
BE FREE BE FREE OF TECHNOLOGY IT ROADMAP SERVICE CORE TALK TO OUR EXPERTS 1.877.222.8615 www.bestit.com WHY GET AN IT ROADMAP? Enterprise competitive performance is a critical differentiator in today s
More informationDriving Business Value. A closer look at ERP consolidations and upgrades
IT advisory SERVICES Driving Business Value A closer look at ERP consolidations and upgrades KPMG LLP Meaningful business decisions that help accomplish business goals and growth objectives may call for
More informationFortune 500 Medical Devices Company Addresses Unique Device Identification
Fortune 500 Medical Devices Company Addresses Unique Device Identification New FDA regulation was driver for new data governance and technology strategies that could be leveraged for enterprise-wide benefit
More informationIT Risk & Security Specialist Position Description
Specialist Position Description February 9, 2015 Specialist Position Description February 9, 2015 Page i Table of Contents General Characteristics... 1 Career Path... 2 Explanation of Proficiency Level
More informationHITRUST CSF Assurance Program
HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview
More informationTransform HR into a Best-Run Business Best People and Talent: Gain a Trusted Partner in the Business Transformation Services Group
SAP Services Transform HR into a Best-Run Business Best People and Talent: Gain a Trusted Partner in the Business Transformation Services Group A Journey Toward Optimum Results The Three Layers of HR Transformation
More informationEnabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices. April 10, 2013
Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices April 10, 2013 Today's Agenda: Key Topics Defining IT Governance IT Governance Elements & Responsibilities
More informationLeveraging a Maturity Model to Achieve Proactive Compliance
Leveraging a Maturity Model to Achieve Proactive Compliance White Paper: Proactive Compliance Leveraging a Maturity Model to Achieve Proactive Compliance Contents Introduction............................................................................................
More informationHOW TO USE THE DGI DATA GOVERNANCE FRAMEWORK TO CONFIGURE YOUR PROGRAM
HOW TO USE THE DGI DATA GOVERNANCE FRAMEWORK TO CONFIGURE YOUR PROGRAM Prepared by Gwen Thomas of the Data Governance Institute Contents Why Data Governance?... 3 Why the DGI Data Governance Framework
More informationAgency for State Technology
Agency for State Technology 2015-2018 Statewide Information Technology Security Plan The Way Forward Rick Scott, Governor Jason M. Allison, State CIO Table of Contents From the Desk of the State Chief
More informationMoving Forward with IT Governance and COBIT
Moving Forward with IT Governance and COBIT Los Angeles ISACA COBIT User Group Tuesday 27, March 2007 IT GRC Questions from the CIO Today s discussion focuses on the typical challenges facing the CIO around
More informationHITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
More informationValidating Enterprise Systems: A Practical Guide
Table of Contents Validating Enterprise Systems: A Practical Guide Foreword 1 Introduction The Need for Guidance on Compliant Enterprise Systems What is an Enterprise System The Need to Validate Enterprise
More informationAn Oracle White Paper November 2011. Financial Crime and Compliance Management: Convergence of Compliance Risk and Financial Crime
An Oracle White Paper November 2011 Financial Crime and Compliance Management: Convergence of Compliance Risk and Financial Crime Disclaimer The following is intended to outline our general product direction.
More informationRoot Cause Analysis Concepts and Best Practices for IT Problem Managers
Root Cause Analysis Concepts and Best Practices for IT Problem Managers By Mark Hall, Apollo RCA Instructor & Investigator A version of this article was featured in the April 2010 issue of Industrial Engineer
More informationDetermining Data Equity: Capture and Calculate Valuation at Risk
Matthew Mikell- IBM Market Manager mgmikell@us.ibm.com IOT North America April 15, 2015 Determining Data Equity: Capture and Calculate Valuation at Risk Agenda Foundations of Capturing Equity Closing Gaps
More informationThe Business Continuity Maturity Continuum
The Business Continuity Maturity Continuum Nick Benvenuto & Brian Zawada Protiviti Inc. 2004 Protiviti Inc. EOE Agenda Terminology Risk Management Infrastructure Discussion A Proposed Continuity Maturity
More informationDEVELOPING AN EFFECTIVE INTERNAL AUDIT TECHNOLOGY STRATEGY
DEVELOPING AN EFFECTIVE INTERNAL AUDIT TECHNOLOGY STRATEGY SEPTEMBER 2012 DISCLAIMER Copyright 2012 by The Institute of Internal Auditors (IIA) located at 247 Maitland Ave., Altamonte Springs, Fla., 32701,
More information10 Steps to a Successful Digital Asset Management Implementation by SrIkAnth raghavan, DIrector, ProDuct MAnAgeMent
m a y 2 0 1 2 10 Steps to a Successful Digital Asset Management Implementation Strategies and Best Practices Implementing and deploying enterprise solutions across the organization can be complex, involving
More informationENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE
ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE JANUARY 2015 U.S. DEPARTMENT OF ENERGY OFFICE OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY Energy Sector Cybersecurity Framework Implementation
More informationThe PMO as a Project Management Integrator, Innovator and Interventionist
Article by Peter Mihailidis, Rad Miletich and Adel Khreich: Peter Mihailidis is an Associate Director with bluevisions, a project and program management consultancy based in Milsons Point in Sydney. Peter
More informationStrategic Planning. Key Initiative Overview
David Aron Research Vice President This overview provides a high-level description of the Strategic Planning Key Initiative. IT leaders can use it to create strategies that help the business win, and change
More informationExperience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.
Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies
More informationGuideline. Records Management Strategy. Public Record Office Victoria PROS 10/10 Strategic Management. Version Number: 1.0. Issue Date: 19/07/2010
Public Record Office Victoria PROS 10/10 Strategic Management Guideline 5 Records Management Strategy Version Number: 1.0 Issue Date: 19/07/2010 Expiry Date: 19/07/2015 State of Victoria 2010 Version 1.0
More informationIT Services Management Service Brief
IT Services Management Service Brief Service Continuity (Disaster Recovery Planning) Prepared by: Rick Leopoldi May 25, 2002 Copyright 2002. All rights reserved. Duplication of this document or extraction
More informationfs viewpoint www.pwc.com/fsi
fs viewpoint www.pwc.com/fsi June 2013 02 11 16 21 24 Point of view Competitive intelligence A framework for response How PwC can help Appendix It takes two to tango: Managing technology risk is now a
More informationA Privacy Officer s Guide to Providing Enterprise De-Identification Services. Phase I
IT Management Advisory A Privacy Officer s Guide to Providing Enterprise De-Identification Services Ki Consulting has helped several large healthcare organizations to establish de-identification services
More information