Information Technology Risk Management Practices
Kurumsal Risk Yönetimi Derneği (Enterprise Risk Management Association), 8 March 2011

Agenda
1. IT risk management concept
2. IT risk management practices
3. The Risk IT framework
4. Application examples
5. Questions and discussion
IT risk management concept

The top 10 risks for business in 2010 (2009 ranking in brackets)
1. Regulation and compliance (2)
2. Access to credit (1)
3. Slow recovery or double-dip recession (no change)
4. Managing talent (7)
5. Emerging markets (12)
6. Cost cutting (no change)
7. Non-traditional entrants (5)
8. Radical greening (4)
9. Social acceptance and CSR (new)
10. Executing alliances and transactions (8)
Risk impact matrix across the sectors (chart not reproduced in the extracted text)

Business Risk 2010, Banking and capital markets: the top 10 risks for the banking industry
1. Regulatory and compliance risk
2. Geopolitical macroeconomic shocks
3. Reputation risk
4. Residual credit quality issues
5. Weak recovery or double-dip recession
6. Human capital risks, including misaligned compensation structures
7. Organizational change
8. Corporate governance and internal control failures
9. IT risks
10. Reduced profits and valuations
The challenge of overseeing IT risks and governance

European Audit Committee Leadership Network (EACLN):
Some boards are actively engaged in IT issues. However, many European boards are much less involved; these boards generally view IT as a lower-level utility rather than a strategic advantage.
The audit committee is less familiar with the IT staff than the finance staff.
Boards draw on several resources to enhance their IT capabilities.
Issues covered: security of data and IT systems; major ERP implementations; outsourcing; IT controls over financial reporting; leveraging new technologies.
Source: EACLN ViewPoints; Issue 26: 3 December 2010; Tapestry Networks

Audit Committee Leadership Network (ACLN), North America:
Boards and audit committees regularly address IT. The full board generally hears from the chief information officer (CIO) once a year.
The audit committee is less familiar with the IT staff than the finance staff.
Directors supplement their knowledge of IT with internal and external resources.
Issues covered: security of data and IT systems; major enterprise resource planning (ERP) implementations; the IT aspects of mergers and acquisitions; outsourcing; IT controls over financial reporting; leveraging new technologies.
Source: ACLN ViewPoints; Issue 32: November 2, 2010; Tapestry Networks

IT Benchmarking Survey 2010 (chart not reproduced in the extracted text)
Global Information Security Survey (GISS) 2010: New technology means new risk
60% of respondents perceived an increase in the level of risk they face due to the use of social networking, cloud computing and personal devices in the enterprise.
Question: Given current trends towards the use of such things as social networking, cloud computing and personal devices in the enterprise, have you seen or perceived a change in the risk environment facing your organization?
Yes, increasing level of risk: 60%
Relatively constant level of risk: 37%
No, decreasing level of risk: 3%

GISS 2010: Top 5 IT risks
Question: From the following list, which are the top five areas of IT risk for your organization? (Share of respondents ranking the area as their top IT risk / 2nd / 3rd / 4th / 5th.)
Continuous availability of critical IT resources: 31% / 16% / 11% / 7% / 6%
Data (e.g., disclosure of sensitive data): 19% / 18% / 13% / 8% / 6%
Applications and databases (e.g., unsupported applications, system ...): 14% / 14% / 10% / 9% / 8%
Third-party suppliers and outsourcing (e.g., lack of security, lack of ...): 5% / 7% / 8% / 9% / 12%
Operations (e.g., operator errors, breakdown of operational processes): 4% / 7% / 9% / 10% / 10%
Legal and regulatory (e.g., non-compliance with regulations or contracts): 6% / 7% / 8% / 8% / 7%
Staffing (e.g., mismatch of IT skills, loss of key resources): 3% / 5% / 6% / 9% / 10%
Infrastructure (e.g., misconfiguration of hardware, inflexible architecture): 3% / 6% / 8% / 10% / 6%
Programs and projects (e.g., budget overruns, delays, poor quality): 4% / 4% / 7% / 9% / 8%
Strategy and alignment (e.g., misaligned priorities, lack of business ...): 4% / 4% / 6% / 6% / 8%
Fraud and theft (e.g., theft of laptops and servers, intentional data ...): 4% / 6% / 5% / 7% / 6%
Physical environment (e.g., utilities failures, natural disasters): 3% / 4% / 4% / 6% (only four values are legible in the source chart)
Technology (e.g., wrong technologies, failure to exploit new technologies): 3% / 4% / 6% (only three values are legible in the source chart)

GISS 2010: Cloud computing
39% of respondents cited the loss of visibility of what happens to company data as an increasing risk when using cloud-based solutions.
Question: Which of the following new or increased risks have you identified?
Data leakage risks: 52%, broken down as
  Loss of visibility of what happens to company data: 39%
  Unauthorized access: 34%
  Difficulty in technical and procedural monitoring: 29%
  Increased collaboration with individuals outside the enterprise: 22%
Contract risks: 18%
Availability risks: 17%
Challenges in updating internal audit and compliance plans: 15%
Capacity management risks: 13%
Performance management risks: 11%
IT risk management practices

Expressing IT risk in business terms
IT risk: business risk related to the use of IT.
Source: Risk IT Framework

The Risk IT Framework: Overview (diagram not reproduced in the extracted text)
Source: Risk IT Framework

The Risk IT Framework: Some key concepts (diagram not reproduced in the extracted text)
Source: Risk IT Framework

Risk IT: Generic risk scenarios (diagram not reproduced in the extracted text)
Source: Risk IT Framework

Risk IT: Control selection (diagram not reproduced in the extracted text)
Source: Risk IT Framework

Evolution of threats (diagram not reproduced in the extracted text)

Countering the evolving threat landscape (diagram not reproduced in the extracted text)
GISS 2010: Data leakage controls
Question: Which of the following actions has your organization taken to control data leakage of sensitive information?
Defined a specific policy for classification and handling of sensitive information: 73%
Implemented additional security mechanisms for protecting information: 65%
Utilized internal auditing for testing of controls: 54%
Implemented content monitoring/filtering tools: 51%
Defined specific requirements for telecommuting: 48%
Locked down/restricted use of certain hardware components: 45%
Restricted or prohibited use of instant messaging or email for sensitive data: 45%
Implemented log review tools: 44%
Prohibited use of camera devices within sensitive or restricted areas: 29%
Restricted access to sensitive information to specific time periods: 18%

Asset-based IT risk assessment example

Asset-based IT risk assessment example: IT inventory breakdown
IT Inventory
  Software Inventory
    Application: PC Office Software; Business Application; Business Support Applications; Reporting Application; Development Application; Security Application; System Management Application
    System Software: Web Service Software; Operating System Software; Middleware; Database Management Software
  Hardware Inventory: Physical Server Systems; Virtual Server Systems; Security Systems; Storage Unit; Network Equipment
  Data Inventory (sub-items not shown on the slide)
  Location Inventory (sub-items not shown on the slide)

IT risk assessment in financial audit
Entity-level controls / internal control and internal audit
Accounting records / financial statements
Business Process 1, Business Process 2, Business Process 3, Business Process 4
Application controls: Application A, Application B, Application C
IT general controls: Data Backup 1, Application Development 1, Information Security, Data Backup 2, Application Development 2
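The slide above layers financial statements on business processes, processes on applications, and applications on IT general controls (ITGCs). The following added example (not part of the presentation) works that chain both ways: scoping which applications and ITGCs must be tested for a set of financially relevant processes, and tracing which processes are exposed when one ITGC is found deficient. The dependency edges between the slide's items are assumed for illustration.

```python
# Constructed example of the scoping chain shown on the slide: financial
# statements <- business processes <- applications <- IT general controls
# (ITGCs). The slide names the layers and items; the dependency edges
# below are assumed for illustration only.
PROCESS_TO_APPS = {
    "Business Process 1": {"Application A"},
    "Business Process 2": {"Application A", "Application B"},
    "Business Process 3": {"Application B"},
    "Business Process 4": {"Application C"},
}
APP_TO_ITGCS = {
    "Application A": {"Data Backup 1", "Application Development 1",
                      "Information Security"},
    "Application B": {"Data Backup 1", "Application Development 1",
                      "Information Security"},
    "Application C": {"Data Backup 2", "Application Development 2",
                      "Information Security"},
}


def audit_scope(financially_relevant_processes):
    """Top-down scoping: which applications and ITGCs the auditor must test
    because a financially relevant business process depends on them."""
    apps = set()
    for process in financially_relevant_processes:
        apps |= PROCESS_TO_APPS[process]
    itgcs = set()
    for app in apps:
        itgcs |= APP_TO_ITGCS[app]
    return apps, itgcs


def processes_exposed_by(deficient_itgc):
    """Bottom-up impact: if one ITGC is deficient, which business processes
    (and so which accounting records) can no longer rely on the application
    controls built on top of it."""
    weakened_apps = {app for app, ctrls in APP_TO_ITGCS.items()
                     if deficient_itgc in ctrls}
    return {p for p, apps in PROCESS_TO_APPS.items() if apps & weakened_apps}


if __name__ == "__main__":
    apps, itgcs = audit_scope({"Business Process 2", "Business Process 4"})
    print("In-scope applications:", sorted(apps))
    print("In-scope ITGCs:", sorted(itgcs))
    print("Exposed by a Data Backup 2 deficiency:",
          sorted(processes_exposed_by("Data Backup 2")))
```

A deficiency in a shared ITGC such as Information Security propagates to every process, which is why such controls are tested first and their failure widens substantive testing across all financial statement areas.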
Questions and discussion

Thank you

Appendix: IT risk groups
Ernst & Young Generic Risk Universe

Strategic
Governance: Board Performance; Tone at the Top; Control Environment; Corporate Social Responsibility
Planning and Resource Allocation: Organizational Structure; 3rd Party Relationships; Strategic Planning; HR Strategy & Planning; Annual Budgeting; Forecasting; JVs/Alliances and Partnerships; Outsourcing Arrangements; Special Purpose Entities; Tax Planning
Major Initiatives: Vision and Direction; Planning and Execution; Measurement & Monitoring; Technology Implementations; Business Acceptance
Mergers, Acquisition & Divestiture: Valuation and Pricing; Due Diligence; Planning, Execution and Integration
Market Dynamics: Competition; Macro-Economic Factors; Lifestyle Trends; Socio-Political
Communication & Investor Relations: Media Relations; Crisis Communications; Misuse of Technology for Communication; Employee Communication

Operations
Sales & Marketing: Marketing; Advertising; Research & Development; Sales and Pricing; Technology Enabled Sales; Customer/Support Management
Supply Chain: Master Planning & Forecasting; Procurement & Inventory; Production; Distribution; Transportation & Logistics; Indirect Taxes; Transfer Pricing
People/Human Resources: Culture; Recruiting & Retention; Development & Performance; Succession Planning; Compensation and Benefits; Pay Programs & Practices; Labor Relations
Information Technology: IT Management; IT Security / Access; IT Availability/Continuity; IT Spend; IT Integrity; IT Infrastructure
Hazards: Natural Events, Terror & Malicious Acts; Outages
Physical Assets: Real Estate; Property, Plant & Equipment; Inventory
Tax Operations: Tax Technology and Knowledge Management; Tax Department Operations

Compliance
Code of Conduct: Ethics; Fraud
Legal: Contract Liability; Intellectual Property; Anti-Corruption; International Dealings
Regulatory: Trade; Customs; Labor; Securities; Environment; Data Protection & Privacy; Product Quality/Safety; Health and Safety; International Dealings; Competitive Practices / Anti-trust; Tax Compliance and Audit Management

Financial
Market: Interest Rate; Foreign Currency; Commodity; Derivatives
Liquidity Risk Management: Cash Management; Funding; Hedging
Credit & Collections
Insurance
Accounting and Reporting: Accounting, Reporting & Disclosure; Internal Control Requirements
Capital Structure: Debt; Equity; Pension Funds; Stock Options
IT Risk Groups
IT Management: failure to prioritize technology initiatives and to effectively allocate and direct IT resources in order to achieve the strategic corporate goals and objectives.
IT Security/Access: failure of information systems to adequately protect critical data and infrastructure from theft, corruption, unauthorized usage, viruses, or sabotage.
IT Availability/Continuity: the inability to recover from, and continue uninterrupted operations in the event of, extraordinary events, systems and implementation failures.
IT Spend: IT directly or indirectly contributes to higher operating costs, resulting in a material decrease in the company's profitability and earnings.
IT Integrity: information systems do not provide reliable information when it is needed, or perform so slowly that operations are not efficient.
IT Infrastructure: the computer and telecommunications systems with supporting software do not capture, retain and transfer data in a secure and reliable environment, and do not meet the expected requirements of the business at a reasonable cost.