IT risk management discussion
2013 PIAA Leadership Camp
May 15, 2013
Debbie Lew

Agenda
- Review what IT governance is
- Review what IT risk management is
- A discussion of key IT risks to be aware of
Page 2 IT risk management training 1
IT governance defined
IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.
(ITGI, Board Briefing on IT Governance)

Meeting stakeholder needs
Enterprises exist to create value for their stakeholders.
[Figure: Source: COBIT 5, figure 9. 2012 ISACA. All rights reserved.]
Value creation: realizing benefits at an optimal resource cost while optimizing risk.
Covering the enterprise end-to-end
Key components of a governance system
[Figure: Source: COBIT 5, figure 9. 2012 ISACA. All rights reserved.]

Separating governance from management
[Figure: Source: COBIT 5, figure 15. 2012 ISACA. All rights reserved.]
Separating governance from management
Governance ensures that stakeholders' needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

COBIT 5 process reference model
[Figure: Source: COBIT 5, figure 16. 2012 ISACA. All rights reserved.]
Ensure Risk Optimization
EDM03 Ensure Risk Optimization: ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, that the impact of IT risk on enterprise value is identified and managed, and that the potential for compliance failures is minimized.

The risk management lifecycle
- Establish risk context & governance
- Identify value drivers
- Identify risks: develop a consistent risk taxonomy and risk repository and align relevant risks with value drivers (strategies, objectives, initiatives)
- Assess risks: define consistent assessment criteria based on risk appetite and tolerances and assess relevant risks
- Develop risk response: define the appropriate risk response strategy (i.e., acceptance, mitigation, avoidance, transfer, etc.)
- Assess risk response: conclude on the preliminary effectiveness of the risk response and develop an action plan for monitoring
- Monitor & report: frequently monitor the effectiveness of the risk response (e.g., controls) and report on results
Risk management components: risk culture; policy & mandate; infrastructure & people; methods & practices; information & technology
What IT risks should I be aware of?

Information security
Ernst & Young's 2012 Global Information Security Survey found that information security threats are accelerating significantly faster than the enhancements organizations are making. This gap is being driven by the following issues:
- Lack of alignment with the business
- Identifying resources with the right skills and training
- Immature processes and architecture
- The emergence of new and evolving technologies
Business continuity management
According to the Ernst & Young 2012 Global Information Security Survey, only 17% of the respondents say their organizations do not have a BCM program in place, and BCM was ranked as the #1 spending priority.
The most common problem we see is the lack of governance integration between the elements of business continuity and disaster recovery. This lack of unified governance often leads to disconnected initiatives, as well as misalignment of business direction and technology strategies, which could hinder timely recovery after a disruption.

Mobile
The advancement in mobile technology has introduced new challenges for the enterprise, including:
- Potential loss or leakage of important business information
- Security challenges given the range of devices, operating systems, and firmware limitations and vulnerabilities
- Theft of the device due to its small size
- Compliance with state, federal and international privacy regulations that vary from one jurisdiction to another as employees travel with mobile devices
- Navigation of the gray line on privacy and monitoring between personal and company use of the device
Cloud
The move to the cloud has outpaced the organization's ability to understand the following risks:
- Providers not living up to service level agreements (SLAs), resulting in cloud architecture or deployment challenges
- Evolving cloud standards increasing the risk that a company's systems won't work with the provider's
- Legal and regulatory risk in how information is handled in the cloud
- Information security and privacy risks around the confidentiality, integrity and availability of data
- Cloud adoption and change management within an organization

IT risk management
Ernst & Young's IT Risk Survey indicates that over 40% of organizations have either just started or have not implemented an IT risk management program at all, despite an evolving IT risk landscape and increased interest from boards, corporate executives and regulators.
Program risk
70% of major enterprise resource planning (ERP) programs fail to realize at least 50% of business benefits. While companies have invested significantly in increasing their knowledge and capabilities in program and project management, this is not visible in the success rates. The lack of improvement is mainly due to increased complexity in business processes and the emerging technology landscape.

Software/IT asset management
In an environment focused on cost reduction, software/IT asset management has become a strategic advantage for organizations:
- Potentially reduces liability risk by maintaining license compliance and avoiding related penalties
- Lowers potential costs by helping to avoid license and other IT asset overbuying
- Helps to more efficiently manage the otherwise resource-draining and labor-intensive compliance processes
- Limits potential reputational risks associated with license violations or compliance-related conflicts with vendors
Social media risk management
The social media elements that generate business opportunity for companies to extend their brands are often the same elements that have created IT-related risk:
- Employees involved in social media inadvertently leaking sensitive company information
- Criminal hackers re-engineering confidential information (e.g., log-ins and passwords) based on information obtained from employee posts
- Multiple platforms creating more access for viruses, malware, cross-site scripting and phishing
- Damage to a brand or company reputation from negative, embarrassing or even incriminating employee or customer posts, even those that are well-intended
- Failure to establish fully compliant archiving and record retention processes for corporate information shared on social media

Segregation of duties/identity and access management
While segregation of duties (SoD) is considered to be a fundamental control for which organizations have developed strong processes, the complexity of today's enterprise systems leaves many companies struggling. This SoD challenge is compounded by the following:
- The lack of investment in identity and access management or governance, risk and compliance tools
- Poor visibility into cross-system segregation of duties
- Reliance on costly and time-intensive manual controls
Data loss prevention and privacy
Ernst & Young's 2012 Global Information Security Survey indicates that data leakage and data loss prevention remained a top-three priority for IT and IT security executives.
The vast majority of privacy incidents result from the actions of internal users and trusted third parties, and most have been unintentional.
During the last decade, significant changes in the approach to privacy have escalated the tension between individuals and organizations. This tension appears in two distinct areas: the market's redefinition of privacy management, and technology's redefinition of privacy invasion.

Other risks that you're concerned about?
Recommended reading
- Information security: Fighting to close the gap: Ernst & Young's 2012 Global Information Security Survey
- Business continuity management: Ready for the challenge: integrated governance the key to effective business continuity management; Business continuity management: current trends
- Mobile: Mobile device security: understanding vulnerabilities and managing risk
- Cloud: Ready for takeoff: preparing for your journey into the cloud
- IT risk management: The evolving IT risk landscape: the why and how of IT risk management today; Use governance, risk and compliance technology to turn risk into results; Technology risk management in a cyber world: a C-suite responsibility
- Program risk: Building confidence in IT programs: facilitating success through program risk management; Strategy deployment through portfolio management: a risk-based approach
- Software/IT asset management: Effective software asset management: how to reap its benefits
- Social media risk management: (no title listed)
- Segregation of duties/identity and access management: A risk-based approach to segregation of duties
- Data loss prevention and privacy: Data loss prevention: keeping your sensitive data out of the public domain; Privacy trends 2012: the case for growing accountability; Three steps to prepare for a HIPAA audit

Speaker Bio
Debbie is a Senior Manager leading the IT Governance service line in EY's IT Risk Management Center of Excellence. She is a subject matter resource assisting her clients with assessing and designing IT risk management programs to identify, assess, respond to, monitor and report on IT risks. She also conducts IT Governance reviews and assists IT organizations with assessing, designing and implementing IT governance.
Debbie Lew
Senior Manager, Advisory
Contact Info:
Ernst & Young, LLP
2931 Townsgate Road, Suite 100
Westlake Village, CA 91361
Mobile: 661 713 6404
Office: 805 778 7049
Email: Debbie.Lew@ey.com
She was a member of the COBIT 4.0/4.1 COBIT Steering Committee representing the U.S. and is an SME for COBIT 5 for Risk, coming out shortly. She was also a member of ISACA's credentialing task force developing the CRISC certification for IT risk practitioners. Debbie has over 15 years of insurance industry experience in IT Audit, Strategic Planning and Project Management prior to joining EY. She manages IT examinations in support of the financial examinations for the CA Department of Insurance. She is currently a member of the NAIC IT Working Committee updating the IT examination handbook to COBIT 5 (IT Governance domain subcommittee).
Ernst & Young
Assurance | Tax | Transactions | Advisory

About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.
Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.
2013 Ernst & Young LLP. All Rights Reserved.
1304-1069371_WEST