Information Technology Governance. Steve Crutchley CEO - Consult2Comply www.consult2comply.com



Similar documents
IT Security Governance for e-business

CLASSIFICATION SPECIFICATION FORM

IT Governance. What is it and how to audit it. 21 April 2009

IT Governance Regulatory. P.K.Patel AGM, MoF

Criticism of Implementation of ITSM & ISO20000 in IT Banking Industry. Presented by: Agus Sutiawan, MIT, CISA, CISM, ITIL, BSMR3

Integrated Information Management Systems

Roles within ITIL V3. Contents

Sytorus Information Security Assessment Overview

Business Continuity Trends, Requirements and Expectations in Brian Zawada (MBCP) Director of Consulting Services Avalution Consulting

Certified Information Security Manager (CISM)

Fraud Risk Management

Incorporate CMMI with Corporate Governance Using Enterprise Software Change Management Solutions

Risk Management Policy

Cyber Security solutions

Security Engineering Best Practices. Arca Systems, Inc Boone Blvd., Suite 750 Vienna, VA

Achieving Business Imperatives through IT Governance and Risk

How To Do An Ismart In The Bcan Government

Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management

Preparation Guide. Side entry to the EXIN Expert in IT Service Management based on ISO/IEC 20000

Gobierno de TI Enfrentando al Reto. IT Governance Facing the Challenge. Everett C. Johnson, CPA International President ISACA and ITGI

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

Governance and Management of Information Security

Preparing for the Convergence of Risk Management & Business Continuity

Road map for ISO implementation

Introduction to ITIL for Project Managers

COBIT Helps Organizations Meet Performance and Compliance Requirements

Enhancing IT Governance, Risk and Compliance Management (IT GRC)

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data

WHITE PAPER IT SERVICE MANAGEMENT IT SERVICE DESIGN 101

defense through discovery

Italy. EY s Global Information Security Survey 2013

Applied Software Project Management

Privacy Risk Assessments

Information Security Management Systems

INFOCUS. Five Questions to Guide Cybersecurity Risk Management BY EARL CRANE

Performing Effective Risk Assessments Dos and Don ts

ENTERPRISE RISK MANAGEMENT POLICY

Domain 1 The Process of Auditing Information Systems

ISO Information Security Management Systems Foundation

(Instructor-led; 3 Days)

Improving Residual Risk Management Through the Use of Security Metrics

ICTEC. IT Services Issues HELSINKI UNIVERSITY OF TECHNOLOGY 2007 Kari Hiekkanen

Certified Information Systems Auditor (CISA)

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter

Security Services. A Solution for Providing BPM of Security Services within the Enterprise Environment.

Building Blocks of a Cyber Resilience Program. Monika Josi monika.josi@safis.ch

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

IT Governance using COBIT implemented in a High Public Educational Institution A Case Study

Module 7 Study Guide

FINANCIAL INSTITUTIONS: MANAGING OPERATIONAL RISK WITH RSA ARCHER

Preparation Guide. EXIN IT Service Management Executive Consultant/Manager based on ISO/IEC 20000

Lot 1 Service Specification MANAGED SECURITY SERVICES

We are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review

Problem Management Overview HDI Capital Area Chapter September 16, 2009 Hugo Mendoza, Column Technologies

Risk mitigation for business resilience White paper. A comprehensive, best-practices approach to business resilience and risk mitigation.

Certified Software Quality Assurance Professional VS-1085

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA

The role of Information Governance in an Enterprise Architecture Framework

Information technology Security techniques Information security management systems Overview and vocabulary

BIG DATA KICK START. Troy Christensen December 2013

Feature. Developing an Information Security and Risk Management Strategy

16) INFORMATION SECURITY INCIDENT MANAGEMENT

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director

Cisco IT Technology Tutorial Overview of ITIL at Cisco

Outsourcing & Regulatory Compliance Risks

Third Party Risk Management 12 April 2012

Information Security Managing The Risk

April 8, Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

IT Governance: framework and case study. 22 September 2010

A blueprint for an Enterprise Information Security Assurance System. Acuity Risk Management LLP

CFE 2. Enterprise Risk Management. Study Guide - Supplemental Background Material

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach

The Governance of Corporate Forensics using COBIT, NIST and Increased Automated Forensic Approaches

IT governance in Brazil:

Changing data needs from a life cycle perspective in the context of ISO 55000

Procurement Capability Standards

Third-Party Risk Management for Life Sciences Companies

National Approach to Information Assurance

Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers)

How small and medium-sized enterprises can formulate an information security management system

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

Chapter 10. Corporate Governance. Copyright 2004 South-Western All rights reserved.

Information Security Management System for Microsoft s Cloud Infrastructure

RSA ARCHER OPERATIONAL RISK MANAGEMENT

Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization

Designing an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting

PREPARED DIRECT TESTIMONY OF SCOTT KING ON BEHALF OF SOUTHERN CALIFORNIA GAS COMPANY

Transcription:

Information Technology Governance Steve Crutchley CEO - Consult2Comply www.consult2comply.com

What is IT Governance? Information Technology Governance, IT Governance is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management. The rising interest in IT governance is partly due to compliance initiatives (e.g. Sarbanes-Oxley (USA) and Basel II (Europe)), as well as the acknowledgment that IT projects can easily get out of control and profoundly affect the performance of an organization. 2 2

IT Governance Discipline The discipline of information technology governance derives from corporate governance and deals primarily with the connection between business focus and IT management of an organization. It highlights the importance of IT related matters and states that strategic IT decisions should be owned by the corporate board, rather than by the CISO/CSO or other IT managers. 3 3

Governance Issues Corporate Monitoring Weak Decision making mechanisms Ineffective enforcement and conflict resolution Protecting Personnel records Protecting IP Lack of Financial Resources Good and concise Policies Boundary Identification Understanding Business responsibilities Understanding Stakeholder needs Jurisdiction Identification Understanding Fiduciary responsibilities Setting the Risk Appetite Making the business owners responsible Linking it all together

Legislative Issues 5

What should Information Technology Governance Deliver? Executives should focus on Information Technology Governance, and when properly implemented it should provide the following: 6 6

Risk Issues Understanding Risk Appetite Understanding Risk Acceptance (Who) Understanding Threats and Vulnerabilities Control Linking Understanding Residual Risk Understanding Control Infrastructures Accepting Residual Risk Understanding the Risk Process Ensuring the correct people are involved Risk Assessment v- Risk Cost of Remediation Risk Mitigation Understanding Control Selection process Risk Integration Linking it all together Risk Reporting Risk Differences: Fraud Business Financial Technology Process People Tax Governance

What are the IT Governance Characteristics? A general theme of IT Governance discussions is that the IT capability can no longer be something the business doesn t understand and that IT must also understand the business and its needs. Handling of IT has always been an issue for board-level executives because of the technical nature of IT, therefore, key decisions were left to IT professionals. IT Governance implies a system in which all stakeholders, including the board, internal customers and related areas such as finance, have the necessary input into the decision making process. This will prevent a single stakeholder, typically IT, being blamed for poor decisions. It also prevents users from later complaining that the system does not behave or perform as expected very important for IT 8 8

What are the IT Governance Characteristics (2)? Most importantly - The board needs to understand the overall architecture of its company's IT applications portfolio The board must ensure that management knows what information resources are out there, what condition they are in, and what role they play in generating revenue 9 9

Security Issues

External Threats

Internal Threats

Physical Security

IT Governance Goals The primary goals for information technology governance are: (1) assure that the investments in IT generate business value (2) mitigate the risks that are associated with IT. This can be done by implementing an organizational structure with well-defined roles for the responsibility of information, business processes, applications, infrastructure, etc. 14 14

Disciplines to support IT Governance Business Technology Optimization Release Change Business Relationship Strategic Planning Project Governance Enterprise Architecture Incident Organizational Structure Security Training Problem Service Level Service Continuity Financial Availability Asset Supplier Capacity 15 15

What can help you? Understand applicable Compliance landscape ISO 20000/ITIL Service management ISO 27001 security management COBIT/ITGI CMM - Maturity Six Sigma - Quality Balanced Scorecard - Metrics (Monitor, Measure and Manage) Understand Business need and respond accordingly 16 16

Example IT Governance Structure

Harmonization with existing BS/ISO standards & guidelines Additions: ISO 27799 Health Informatics - Security in Health using ISO 17799 ISO 19077 Software Asset ISO 15489 Effective Records ISO 21188 Public Key infrastructure for Financial Services ISO 18044 Incident BS 8470 Secure Disposal of confidential material BS 8549 Security Consultancy Code of Practice

Questions? 19

Thank You! Presenter Steve Crutchley Email: scrutchley@consult2comply.com Telephone: 571 332 8204/703 871 3950 20

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information