IBM Global Technology Services
Achieving Business Imperatives through IT Governance and Risk
Peter Stremus, Internet Security Systems, an IBM Company
Introduction: Compliance Value
Over the past 15 years in the IT industry, people have been searching for better ways of illustrating (and thus measuring) the value that IT can provide to the business. This presentation provides an example of an executed approach used to successfully illustrate the value of an IT Control Activity for Business and Compliance. This approach can provide a solid foundation to successfully leverage your Compliance investments through the use of Best Practice standards and frameworks.
Trends: The Financial Industry
- Competition in the financial industry has become critically dependent on IT, as banks now spend the majority of non-compensation costs on IT and communications.
- Case studies of peers support the decisions made by other financial institutions to move to a fully centralized global IT governance model.
- The recent economic downturn and declining capital markets have caused banks to tighten financial control and trim costs.
- Increased criminal activity, such as Internet fraud and terrorism, heightens the need for security and wider reporting capabilities.
Trends: Legislation & Regulations
- Sarbanes Oxley Act
- CMA
- FSA
- Terrorism Act 2000
- Obscene Publications Act
- Gramm Leach Bliley
- Copyright Design & Patents Act
- Privacy and Electronic Comms.
- HIPAA
- Basel II
- Freedom of Information Act
- Data Protection Act
- RIPA
Issues - Aligning Business and IT
Four levels of IT Risk:
- Strategic Level: decisions on business strategy
- Programme Level: decisions transforming strategy into action
- Project Level: decisions required to enable implementation of actions
- Operational Level
Source: Office of Government Commerce, Management of Risk Framework
Aligning IT with Business
An effective IT risk approach addresses critical performance issues at both the Group level and the BU/LE levels.
Group-level Key Interests:
- Does IT support the achievement of organizational objectives?
- Are targeted enterprise-wide IT synergies being achieved?
- Are IT risks being identified and managed?
BU-level Key Interests:
- Does IT deliver on its service level commitments?
- Do investments in IT positively affect business productivity?
- Are IT costs being managed effectively?
Challenges: Business Alignment
IT Risk Management is a key stakeholder in maintaining a balance between the business needs and the value associated with an IT solution. The business value of IT is dependent upon linking the business process to the supporting IT automation activity.
- Organization/Business Objectives (Competitive/Leader Objectives): Profitable Growth, Client Satisfaction, Employer of Choice, Strengthen Reputation
- IT Solution Framework(s): CobiT, ISO 17799, ITIL
- Risk Assessment: Business Goal, Compliance; High-level (Self-Assessment), Low-level (Detailed)
- IT Automation: Level of Process Automation
Business: An increasing number of business processes rely on IT automation (e.g. On-line Banking).
IT: Although the business risk is owned by the business, automating the processes increases the dependency on effective IT risk management.
Risk Mitigation: Pragmatic IT Risk Mitigation options align a more precise IT solution to support business needs without overengineering.
Example: Compliance Approach and Roadmap
The approach is executed through 5 phases.
Phase 1: Identification
- Identify the organization and business goals, objectives and/or process.
- Identify the relevant framework(s).
- Identify the relevant control practices or activities.
Phase 2: Cross-Reference
- Execute cross-reference mapping to all identified frameworks and standards.
- Execute cross-reference mapping to all identified compliance initiatives.
- Execute cross-reference mapping to all identified IT roles/areas.
Phase 3: Risk Analysis / Assessment
- Perform a high level risk analysis/self-assessment and record initial results as a benchmark for maturity measurement.
- Review self-assessment results and identify probable business and IT owners.
- Based on risk results, perform a detailed risk assessment to include asset impact, risk realization cost and acceptable level of risk.
Phase 4: Risk Mitigation
- Identify potential risk mitigation options (e.g. Products or Services).
- Identify all associated costs for each mitigation option.
- Identify any residual risk.
- Compare the costs associated with each risk mitigation option against the risk realization cost to identify TCO/ROI.
Phase 5: Evaluate Results / Value Mapping
- Review IT risk mitigation options with the business.
- If accepted, initiate a project to implement the selected IT risk mitigation option.
- Map the value associated with the IT activity back to the organization and business goals or objectives.
- Review the relevance of the IT control activity to the cross-references for frameworks and compliance.
Example: Compliance Business Goal (Phase 1: Identification)
- Identify the organization and business goals, objectives and/or process.
- Identify the relevant framework(s).
- Identify the relevant control practices or activities.
Organization/Business Objectives: Client Satisfaction, Strengthen Reputation
Business Goal #14: Compliance with external laws and regulations (Sarbanes-Oxley, HIPAA, GLBA, etc.)
Framework: CobiT Version 4
CobiT Process DS 5: Ensure System Security
- Control Objective DS 5.5: Security Testing, Surveillance and Monitoring
  - Control Activity: Monitor potential and actual security incidents
  - Control Activity: Conduct regular vulnerability assessments
- Control Objective DS 5.10: Network Security
  - Control Activity: Implement and maintain technical and procedural controls to protect information flows across networks.
Example: Compliance Cross-Reference (Phase 2: Cross-Reference)
- Execute cross-reference mapping to all identified frameworks and standards.
- Execute cross-reference mapping to all identified compliance initiatives.
- Execute cross-reference mapping to all identified IT roles/areas.
Frameworks (BIT-map [1]): Mapping CobiT Versions 3 & 4 to ISO 17799 Versions 2000 & 2005; Aligning CobiT, ITIL and ISO17799 for Business Benefit
Compliance Initiatives: IT Control Objectives for Sarbanes-Oxley
IT Roles/Areas: CobiT Role and Responsibility Matrix
[1] Tool for Framework, Compliance and IT Role Cross-Reference Mapping: http://www.bit-map.com
Example: Compliance Risk Analysis/Assessment (Phase 3: Risk Analysis / Assessment)
- Perform a high level risk analysis/self-assessment and record initial results as a benchmark for maturity measurement.
- Review self-assessment results and identify probable business and IT owners.
- Based on risk results, perform a detailed risk assessment to include asset impact, risk realization cost and acceptable level of risk.
High Level Risk Analysis/Self-Assessment: many tools are currently available (e.g. BIT-map, etc.).
Review Risk Analysis/Self-Assessment Results: identify probable Business and IT Owners.
Detailed Risk Assessment consists of 4 main activities:
- Threat: identify the potential threat to the business and the IT systems supporting the process. (X-Force Threat Notification Service)
- Vulnerability: identify the vulnerability associated with the IT systems supporting the process. (Vulnerability Assessment)
- Asset: identify the assets located on the vulnerable IT systems.
- Probability / Activity: calculate the probability or identify any current activity. (IDS / IPS / Network Anomaly Detection)
Threat, Vulnerability, Asset and Probability/Activity together give the Total Risk (here: Risk for Unauthorized Access to Sensitive Data).
Example: Compliance Risk Mitigation (Phase 4: Risk Mitigation)
- Identify potential risk mitigation options (e.g. Products or Services).
- Identify all associated costs for each mitigation option.
- Identify any residual risk.
- Compare the costs associated with each risk mitigation option against the risk realization cost to identify TCO/ROI.
Risk = Unauthorized Access to Sensitive Data
Risk Mitigation Options, CobiT Process DS 5: Ensure System Security
- Control Objective DS 5.5: Security Testing, Surveillance and Monitoring
  - Control Activity: Monitor potential and actual security incidents. Options: Proventia Server, Proventia Desktop
  - Control Activity: Conduct regular vulnerability assessments. Option: Vulnerability Assessment (Internet Scanner)
- Control Objective DS 5.10: Network Security
  - Control Activity: Implement and maintain technical and procedural controls to protect information flows across networks. Option: Intrusion Prevention & Network Anomaly Detection
Costs, Residual Risk and TCO: calculate a Business Case.
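As an added worked example (not part of the presentation), the Phase 3 and Phase 4 arithmetic in Python: a risk only exists when a threat, a vulnerability and an asset coincide, its realization cost is asset impact times probability, and each mitigation option is then judged on residual risk and TCO/ROI against that cost. All figures, option names and the acceptable level of risk are constructed assumptions.

```python
"""Added example: Phase 3 (detailed risk assessment) and Phase 4 (mitigation business case)."""
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    threat: bool               # threat identified (e.g. threat notification)
    vulnerability: bool        # vulnerability confirmed on the supporting system
    asset_impact: float        # loss if the risk is realized against the asset
    annual_probability: float  # 0..1, from IDS/IPS activity or an estimate

    def realization_cost(self) -> float:
        """Annualized risk realization cost; no threat or no vulnerability means nothing to exploit."""
        if not (self.threat and self.vulnerability):
            return 0.0
        return self.asset_impact * self.annual_probability

@dataclass
class Mitigation:
    name: str
    annual_tco: float        # annualized licence and operating cost
    residual_factor: float   # share of the original probability that remains

def evaluate(risk: Risk, option: Mitigation, acceptable_risk: float) -> dict:
    """Residual risk, TCO and ROI of one option against the realization cost."""
    before = risk.realization_cost()
    residual = before * option.residual_factor
    reduction = before - residual
    return {
        "option": option.name,
        "residual_risk": residual,
        "tco": option.annual_tco,
        "roi": (reduction - option.annual_tco) / option.annual_tco,
        "cost_effective": reduction > option.annual_tco,
        "within_appetite": residual <= acceptable_risk,
    }

def business_case(risk: Risk, options: list, acceptable_risk: float):
    """Evaluate every option; recommend the cheapest one that pays for itself
    and leaves residual risk within the acceptable level, else None."""
    results = [evaluate(risk, o, acceptable_risk) for o in options]
    viable = sorted((r for r in results if r["cost_effective"]
                     and r["within_appetite"]), key=lambda r: r["tco"])
    return results, (viable[0]["option"] if viable else None)

# Constructed sample (not from the deck); the acceptable level is an assumption.
RISK = Risk("Unauthorized access to sensitive data", True, True, 800_000, 0.25)
ACCEPTABLE_RISK = 75_000
OPTIONS = [
    Mitigation("Host IPS on servers and desktops", 60_000, 0.25),
    Mitigation("Regular vulnerability assessment", 25_000, 0.75),
    Mitigation("Network IPS with anomaly detection", 90_000, 0.50),
]
```

Options that pay for themselves but leave residual risk above the acceptable level are reported but not recommended, which is the review-with-the-business step of Phase 5.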
Example: Compliance Value Mapping (Phase 5: Evaluate Results / Value Mapping)
- Review IT risk mitigation options with the business.
- If accepted, initiate a project to implement the selected IT risk mitigation option.
- Map the value associated with the IT activity back to the organization and business goals or objectives.
- Review the relevance of the IT control activity to the cross-references for frameworks and compliance.
Mapping the Value:
- Organization/Business Objectives: Client Satisfaction, Strengthen Reputation
- Business Goal: SOX Compliance
- Business Process: Direct Net
- IT Automation: Level of Process Automation
- Framework: CobiT
- Risk Assessment: Unauthorized Access
- Risk Mitigation: Proventia Server and Desktop, Vulnerability Assessment, IPS/Anomaly Detection
- IT Solution Control Activity: Monitor potential and actual security incidents
- Relevance / Cross-Reference: SOX, HIPAA and GLBA relevant; ISO17799 (9.4, 9.5, 9.7, 10.4) and ITIL (Security Mgmt. 4.2) relevant
IDS vs. IPS (Internet Security Systems)
The objective in implementing any control is to ensure the reduction or mitigation of the risk affecting the success in achieving the business goals. The example below illustrates how IDS/IPS help in facilitating the controls to support service availability and compliance with policies and regulations.
ISO 17799:2005 Controls (each mapped against IDS and IPS in the original slide):
- 10.4.1 Controls against malicious code
- 10.6.1 Network controls
- 10.8.6 Business Information Systems
- 10.9.3 Publicly available information
- 11.4.1 Policy on use of network services
- 11.4.5 Segregation in networks
- 11.4.6 Network connection control
- 11.6.2 Sensitive system isolation
- 12.5.4 Information leakage
- 12.6.1 Control of technical vulnerabilities
- 14.1.2 Business continuity and risk assessment
- 15.1.4 Data protection and privacy of personal information
- 15.1.5 Prevention of misuse of information processing facilities
- 15.2.1 Compliance with security policies and standards
Issues Addressing Compliance
- IT governance currently in place.
- Method for measuring the alignment of IT and the Group strategy.
- Internal drivers for synergies/group-minded IT activities/decisions.
Issues Addressing Compliance (cont.)
- Implement a centrally led approach with respect to Group-wide cost saving projects.
- Link incentives of Business Managers to Group-wide project leadership performance.
- Impart a sense of urgency to all Business Divisions for the implementation of Group-wide issues.
- Clear communication of the Group's IT governance objectives to Business Division Management.
Issues - Impacts
- Analysts question large IT costs arising in an unclear governance environment.
- Business Divisions might make independent decisions and duplicate effort, i.e. focus on a "cooperative" approach.
- Isolated decisions potentially lead to negative overall cost implications.
- Regulatory scrutiny: proof of compliance becomes increasingly difficult ("SOX", Basel II, etc.).
Information Security Landscape: Attributes for IT Risk Management
- Federalized (Centralized) IT Risk Management: Pioneering companies balance center-led template creation and coordination with assessment and mitigation efforts conducted at the local level.
- IT Security Risk Assessments: Pioneering companies are developing frameworks to measure relative internal risk and creating mechanisms to monitor the security controls of the critical external partners.
- Centrally Coordinated Business Continuity Planning: Leading organizations are chartering cross-functional business continuity governance committees (including IT) to set policies, coordinate planning efforts, establish enterprise priorities, and invest in communication tools.
- Risk-Based Project Prioritization and Execution: Exemplars deploy tools to surface and mitigate critical technological, organizational, and strategic risks across the project management life cycle.
- Collaboration for Regulatory Compliance: Exemplar IT organizations support compliance efforts by tracking and reporting line unit progress, driving standardization across the company, and prioritizing the most critical controls.
- Comprehensive Sourcing Due Diligence: Exemplar organizations conduct extensive due diligence regarding application eligibility for externalization and the fiscal health of service providers.
Source: The Information Risk Executive Working Council for Chief Information Officers, conducted by the Corporate Executive Board (CEB).
Information Security Standards - Best Practice
- ISO/IEC 17799 / ISO/IEC 27002, Code of Practice for Information Security Management: provides best practice for information security management; the basis upon which baseline controls can be validated.
- ITIL, IT Infrastructure Library: best practice for IT service management.
- COSO, Committee of Sponsoring Organisations (of the Treadway Commission): provides best practice on financial controls.
- COBIT, Control Objectives for IT and Related Technology.
Information Security Standards - Standards
- ISO/IEC 17799:2005, Code of Practice for Information Security Management
- ISO/IEC 13335, Guidelines for the Management of IT Security
- NIST, National Institute of Standards and Technology
Solution Summary: Roadmap
Phase 1: Identification
1. Identify the organisation and business objectives.
2. Identify the business process.
3. Identify the relevant framework(s).
4. Identify the relevant control practices or activities.
Phase 2: Cross-Reference
1. Execute cross-reference mapping to all identified frameworks and standards.
2. Execute cross-reference mapping to all identified compliance initiatives.
3. Execute cross-reference mapping to all identified IT areas, departments and roles.
Phase 3: Self-Assessment / Benchmark
1. Perform a high level self-assessment.
2. Record initial results as a benchmark for maturity measurement.
3. Review self-assessment results at both an aggregated level and control practice/activity level.
4. Based on risk results, perform a detailed risk assessment to include asset impact and risk realization cost.
Phase 4: IT Risk Mitigation
1. Identify potential risk mitigation options (e.g. Products or Services).
2. Identify all associated costs for each mitigation option.
3. Identify any residual risk.
4. Compare the costs associated with each risk mitigation option against the risk realization cost to identify TCO/ROI.
Phase 5: Evaluate Results
1. Review IT risk mitigation options with the business.
2. If accepted, initiate a project to implement the selected IT risk mitigation option.
3. Map the value associated with the IT activity back to the organization and business objectives.
4. Review the relevance of the IT activity to the cross-references for frameworks and compliance initiatives.
Source: Bit-Map 4VAC GmbH
Solution Summary: Mapping Compliance
Defining the Objectives:
- Extracting value from compliance investments
- Addressing future compliance initiatives effectively and efficiently
With the adoption of an anchor framework, mapping compliance related initiatives can begin. Sarbanes-Oxley and Basel II were among the first to be selected for compliance mapping.
Solution Summary: Risk Mitigation Options
The challenge is in balancing a control activity with business needs.
Risk Mitigation Options (Cont.)
- Control Activity: Deploy Internet Security Systems Proventia Integrated Appliance
- Control Activity: Update latest Express Updates (XPUs) on Proventia appliance
Risk Mitigation Activities to Solutions
This slide repeats the ISO 17799:2005 control mapping for IDS and IPS from the "IDS vs. IPS" slide above (controls 10.4.1 through 15.2.1), introduced by the same statement that the objective of any control is the reduction or mitigation of the risk to achieving the business goals.
Map IT Activity to Business Objectives
With an effective IT risk management approach in place, the key interests of Credit Suisse are addressed, providing IT alignment with the business.
Steps: Identify IT Risk Management; Cross-reference mapping; Risk Assessment; Risk Mitigation Options; Map IT control practice/activity.
Group Key Interests (all addressed: YES):
- Does IT support the achievement of organizational objectives?
- Are targeted enterprise-wide IT synergies being achieved?
- Are IT risks being identified and managed?
BU Key Interests (all addressed: YES):
- Does IT deliver on its service level commitments?
- Do IT investments positively affect business productivity?
- Are IT costs being managed effectively?