Business Risk Management - Top 10 Questions to Ask

Similar documents
IT Governance Regulatory. P.K.Patel AGM, MoF

IT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies

Project Management: Improving performance, reducing risk When will you think differently about project management?

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

Career proposition for software developers and web operations engineers

Overview TECHIS Manage information security business resilience activities

Risk mitigation for business resilience White paper. A comprehensive, best-practices approach to business resilience and risk mitigation.

Cybersecurity The role of Internal Audit

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE ( ) ON THIRD PARTY RELATIONSHIPS

ESKISP Direct security testing

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY

Integrating Project Management and Service Management

THE EVOLUTION OF CYBERSECURITY

Seamus Reilly Director EY Information Security Cyber Security

Driving Excellence in Implementation and Beyond The Underlying Quality Principles

ESKISP Manage security testing

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

CYBER SECURITY Audit, Test & Compliance

Vulnerability Threat Management

The Association of Change Management Professionals

Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats

MNLARS Project Audit Checklist

Domain 1 The Process of Auditing Information Systems

Open Group Vulnerability Management Proposal Mike Jerbic, November 16, 2003

Cybersecurity. Considerations for the audit committee

VENDOR MANAGEMENT. General Overview

Skybox Security Survey: Next-Generation Firewall Management

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

Accenture Technology Consulting. Clearing the Path for Business Growth

CyberSecurity Solutions. Delivering

Enterprise Risk Management VCU Process

Strategic Business and Operations Framework Understanding the Framework June 30, 2012

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

FINRMFS9 Facilitate Business Continuity Planning and disaster recovery for a financial services organisation

Click to edit Master title style

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

Technology and Cyber Resilience Benchmarking Report December 2013

2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level. Tracy L. Hall, MBCP

Address C-level Cybersecurity issues to enable and secure Digital transformation

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

Cyber Security Consultancy Standard. Version 0.2 Crown Copyright 2015 All Rights Reserved. Page 1 of 13

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

Trends in Information Technology (IT) Auditing

Overview TECHIS Carry out risk assessment and management activities

Cyber security Building confidence in your digital future

Anthony J. Albanese, Acting Superintendent of Financial Services. Financial and Banking Information Infrastructure Committee (FBIIC) Members:

Implementing Enterprise Information Governance: A Practical Approach

Into the cybersecurity breach

By. Mr. Chomnaphas Tangsook Business Director BSI Group ( Thailand) Co., Ltd

The PNC Financial Services Group, Inc. Business Continuity Program

Cyber Risks in the Boardroom

IT Governance Charter

Cyber Insurance: How to Investigate the Right Coverage for Your Company

Douglas County School District. Information Technology. Strategic Plan

CONTINUITY OF OPERATIONS AUDIT PROGRAM EVALUATION AND AUDIT

Business Plan 2012/13

Cyber Security :: Insights & Recommendations for Secure Operations. N-Dimension Solutions, Inc.

The Art of Architecture Transformation. Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Chief Information Security Officer

Cybersecurity: What CFO s Need to Know

The Information Technology Program Manager s Dilemma

Guideline on Vulnerability and Patch Management

C ETS C/ETS: CYBER INTELLIGENCE + ENTERPRISE SOLUTIONS CSCSS / ENTERPRISE TECHNOLOGY + SECURITY

This presentation will introduce you to the concepts and terminology related to disaster recovery planning for businesses.

How To Write A Cybersecurity Framework

Business Continuity Management & Disaster Recovery GETTING STARTED Checklist for Local Businesses & Organisations

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years

Avaya Strategic Communications. Consulting. A Strong Foundation for Superior Business Results. Table of Contents. Taking Business Vision to Reality

Internal audit FROM COMPLIANCE TO RISK MANAGEMENT: THE CHANGING ROLE OF INTERNAL AUDIT

State of Oregon s Enterprise Business Continuity Planning Program

Developing a robust cyber security governance framework 16 April 2015

Information Technology

Information Technology Strategic Plan

Seven Practical Steps to Delivering More Secure Software. January 2011

Cybercrime Security Risks and Challenges Facing Business

Transforming Business Processes with Agile Integrated Platforms

Project Management Plan for

ISO27032 Guidelines for Cyber Security

Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement

44-76 mix 2. Exam Code:MB Exam Name: Managing Microsoft Dynamics Implementations Exam

Development, Acquisition, Implementation, and Maintenance of Application Systems

Cybersecurity and internal audit. August 15, 2014

The IT Strategic Plan

A Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst

Transcription:

How to Ace IT Governance Without Tech Expertise 50 POWERFUL QUESTIONS READY TO ASK AT YOUR NEXT BOARD MEETING Corporate Director and Creator of THE BOARDROOM BLUEPRINT TM

OVERVIEW 50 POWERFUL I.T. QUESTIONS READY TO ASK AT YOUR NEXT BOARD MEETING As boards place increasing value on IT governance, those with technology expertise play a leading role. The rest of us can also raise our IT game, by exploring the integration of strategy, technology and risk. It all begins with curiosity and a forum for questions. I first encouraged every director to lean into IT discussions in my blog post entitled, How to Ace Board IT Governance Without Tech Expertise. The piece provided a sample of questions directors can ask about technology. This document contains that list of more than 50 IT-related questions. I hope you find them useful as you engage with technology topics at your next board meeting. For simplicity, the questions have been grouped into four sections: i. ii. Director orientation and background context Alignment of IT with the enterprise and its strategy iii. Responsible use of IT resources and capital investments iv. Risk management This by no means a complete list. I welcome your suggestions of other questions about technology, strategy and risk. Please send your thoughts to: tamara@tamarapaton.com and I will update this document with your contributions. Thank you!

i. DIRECTOR ORIENTATION AND BACKGROUND CONTEXT 1. How critical is IT to sustaining the organization today? And growing our organization tomorrow? Is the enterprise clear on its position relative to technology: pioneer, early adopter, follower or laggard? Is it clear on risk: risk-avoidance or risk-taking? Can you share a recent context in which an IT initiative or asset allowed us to exploit an opportunity? Does IT appear as a regular board agenda item? Is it addressed in a structured manner? 2. How critical is IT to sustaining the organization today? And growing our organization tomorrow? Who manages our enterprise architecture? How long is their planning horizon? How old are our key systems? To what extent are we reliant on external vendors for support? To what extent are our strategically critical processes managed on spreadsheets? How do we audit the ongoing accuracy of our models and systems? What compliance activities do we have in place? How is our enterprise architecture likely to change in the next three to five years?

i. DIRECTOR ORIENTATION AND BACKGROUND CONTEXT (continued) 3. How do we approach IT project management? What resources do we have allocated to IT project management? How are new IT project teams structured? How do we balance representation of business sponsors and IT leaders? How do we balance the vision of senior leaders with the technical perspective of those who use the system each day? 4. How do we assess quality in our IT operations? How is value delivered by IT being measured? How would you describe the past performance record of our IT function? How often do IT projects fail to deliver what they promised? Are end users satisfied with the quality of the IT service What has been the average overrun of IT operational budgets? How much of the IT effort goes to firefighting rather than enabling business improvements?

ii. ALIGNMENT OF I.T. WITH THE ENTERPRISE AND ITS STRATEGY 5. How will IT enable the organization in five years? Are we investing enough to support the organization s strategy? 6. How are emerging technologies and their potential impact on the organization monitored? How does management ensure that its IT resources, systems and technologies are keeping pace with changing business needs? 7. Do we have the right organization structure in IT? Is it sufficiently resilient to support our growth aspirations? Do we have the right skills in house? How do we work with external IT advisors? Is the reporting level of the most senior IT manager commensurate with the importance of IT? Do we have succession plans in place for key IT personnel? Do we have the right level of IT knowledge on the board itself?

iii. RESPONSIBLE USE OF I.T. RESOURCES AND CAPITAL INVESTMENTS 8. 9. Is our IT function performing well? Are we achieving our projected milestones and ROI on key projects? For each new IT project, what is the business case? What is the projected ROI and payback period? How were timelines for this project developed? Who will represent various stakeholders throughout the project? 10. Based on past systems implementations, what are the 3 sources of risk that worry us the most about a new IT project? What plans have we put in place to mitigate key risks? 11. For each new IT project, what did our reference checks on the hardware, software and systems integration partner reveal? How many checks were done? Are their projects of comparable size and scope to ours? Were their project teams staffed/structured in a way that is similar to our plan? Is there any kind of employment history between the two organizations? (e.g., Did the person giving the reference once work at the client?)

iv. RISK MANAGEMENT 12. Are there adequate plans and resources in place to withstand a significant disruption in IT assets? At a high level, what are our business recover plans? 13. 14. How do we manage cyber risk? What cyber security measures do we have in place? How do we protect our data? Should we consider cyber insurance? Do we employ benign hackers to test the strength of our security? How many external cyber attacks did we experience in the past quarter? How did we remediate? What is our approach to internal security threats (e.g., from employees)? What lessons did we learn from a recent security threat? How credible are our cyber security solution providers? How do we manage IT execution risk? For ongoing projects, what feedback mechanisms will provide an early warning to potential problems? How are legal, regulatory and contractual obligations related to IT monitored for compliance? 15. When did management last simulate an IT disaster? What were the learnings?

Copyright 2015 Tamara Paton International Inc. All rights reserved. With gratitude to the clients, colleagues and readers who continue to shape my work. Corporate Director and Creator of THE BOARDROOM BLUEPRINT

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information