Enhancing IT Governance, Risk and Compliance Management (IT GRC): Enabling Reliable eservices
Tawfiq F. Alrushaid, Saudi Aramco

Agenda
- GRC Overview
- IT GRC Introduction
- IT Governance
- IT Risk Management
- IT Compliance
- IT GRC Framework
- Implementation Approach

GRC Overview
- Governance: enforcement of the internal system
- Risk Management: hazards
- Compliance Management: laws, regulations & controls

Corporate Governance History
- The East Asian Financial Crisis (1997)
- Corporate collapses and massive bankruptcies (early 2000s): ENRON, MCI (WorldCom), AOL, Arthur Andersen, Tyco
- Compliance with corporate regulations & law: Sarbanes-Oxley Act
- Compliance with frameworks: HIPAA, COBIT, ISO/IEC 38500

IT Governance Overview
Definition: IT governance is a structure of processes that govern decision making around investment decisions in eservices, client relationships, project management and other important IT operational areas.

IT Governance
- Strategic Alignment
- Value Delivery
- Resource Management
- Policies, Standards & Guidelines
- Controls
- Roles & Responsibilities and Processes
- Risk Management
- Performance Measurement

IT Compliance Management
IT business units: Planning, Projects, Support, Operations, Information Security
Standards and frameworks: BS29555, COSO, CMMI, ITIL

IT Risk Management Components
- Operational Risk
- IT Strategic Risk
- Business Continuity Risk
- Third Party Risk
- Information Security Risk

IT Risk Management Processes
- Training & Awareness
- Policy, Standards, Guidelines
- Risk Evaluation: Collect Data, Analyze & Risk Profile
- Risk Response: Articulate, Manage & React
- Planning: Programs, Projects, Operations
- Alerts, Escalation, Dashboard
- Risk Governance: Roles & Responsibilities (Charter)

IT Risk Management Process in Action
Elements: ERM Risk Register, IT Risk Register, Risk Evaluation, Risk Response, Risk Governance

IT GRC Business Drivers
- Business is more dependent on IT
- IT environment is more complex
- Less time between IT failures and organizational impact
- Increase in threats related to IT
- Increase in regulations, standards and controls

Taking an Integrated Approach to GRC
- Managing controls across multiple regulations
- Rapid deployment of new standards or regulations
- Similar knowledge domains that require a common awareness and training program
- Single GRC automation platform
- Provides a holistic view of the organization
- Speeds up remediation
- Minimizes total controls documentation, testing and auditing costs
- Optimizes resources
Diagram elements: Governance, Risk Management, Compliance Management; Standard 1, Standard 2, Standard 3, Standard 4; Controls; Training & Awareness; Law, Policies, Regulations; Dashboard

IT GRC Framework
- Supporting IT Programs & Initiatives
- Supporting Standards, Frameworks & Methodologies
- Supporting IT Organizations

IT GRC Supporting Frameworks & Standards
COBIT domains: Plan & Organize; Acquire & Implement; Deliver & Support; Monitor & Evaluate
Supporting areas: IT Enterprise Architecture, IT Risk Management, Application Development, Service Management, Information Security Management, Business Continuity Management, Internal Controls, Lean Six Sigma Process Improvement

eservices Reliability Framework
- IT Governance, Risk and Compliance Management (IT GRC)
- IT Portfolio Management
- Reliable IT Processes
- Reliable IT Infrastructure
- Reliable eservices
Mapping IT GRC Model To eservices GRC Model

IT GRC Value for eservices
- IT Governance: implementing and enhancing IT policies, IT controls, IT value delivery, resource management and performance management will enhance alignment with customer demand
- IT Risk Management
  - IT Strategy Risk: respond to changes in technology, economy & demand
  - IT Operation Risk: minimize the failure of technologies, processes & people to ensure service delivery
  - Information Security: ensure data integrity to protect customers' data (authentication & encryption)
  - Business Continuity: implement high availability solutions and disaster recovery plans to ensure service continuity
  - IT Third Party Risk: manage the performance, quality and risk of service providers and contractors
- IT Compliance: adhere to eservices regulations and standards to enhance customer trust and confidence

IT GRC Maturity Model (levels over time: Unaware, Fragmented, Integrated, Aligned, Optimized)
- Unaware: ad hoc approach to managing programs and initiatives; success is not measured
- Fragmented: tactical approach to meet program objectives; silos of projects in place without integration; information is not shared between programs; new requirements within a silo are addressed without considering other areas; measurement is difficult
- Integrated: silos are broken down; information is shared across programs; new requirements are rapidly addressed by a common framework; program benefits are measured
- Aligned: strategic approach to aligning programs with the overall business; silos are nonexistent; automation is consolidated wherever possible; business benefits are measured
- Optimized: strategic approach to IT optimization; business benefits are measured and improved year over year

IT GRC Implementation Approach
- Conduct awareness
- Identify IT GRC requirements
- Select critical IT processes
- Leverage industry standards and frameworks
- Conduct maturity assessment; establish IT GRC maturity levels and goals, and identify gaps
- Establish IT governance landscape
- Establish IT risk universe
- Define unified IT GRC management framework
- Establish improvement roadmap
- Standardize IT GRC controls, processes & practices in line with industry standards, frameworks and best practices
- Integrate IT GRC controls, processes and practices with IT core processes
- Establish KGIs, KPIs & KRIs
- Enhance monitoring, reporting, alerting, and escalation of IT GRC
- Provide IT risk dashboards
- Automate

IT Governance, Risk and Compliance (GRC) Program
Interfaces with business and other IT programs
- IT Governance: Strategic Alignment; IT Standards & Guidelines Management; IT Portfolio Management; IT Processes Maturity Assessment
- IT Risk Management: Risk Governance; IT Strategy Risk; Information Protection Risk; Business Continuity Management; Operational Risk; Third-Party Risk
- IT Compliance Management: Compliance Risk; IT Standards & Guidelines Compliance Management; Industrial Standards & Frameworks Compliance Management; Third-Party Compliance Management
- Common components: Common IT Control Framework; Common IT Awareness & Training Framework; Common IT GRC Dashboard

Q&A
Thank You
Linked Slides

IT Strategic Risk
The risk resulting from the lack of alignment with the business, lack of responsiveness to economic changes, industry changes or customer demand.
Examples:
- Not achieving enough value from IT
- Misalignment with business objectives
- Obsolete or inflexible IT architecture

IT Operational Risk
The risk resulting from inadequate or failed internal processes, people, and technologies or from external events.
Examples:
- System failure
- Network failure
- Untrained staff

Information Security Risk
The risk associated with data confidentiality, integrity and availability.
Examples:
- Information leakage
- Unauthorized access
- Malicious software

IT Business Continuity Risk
The risk concerned with the ability of the IT organization to continue to perform its function in case of system failure or disasters.
Examples:
- Lack of a disaster recovery plan
- Lack of high availability solutions on critical systems

IT Third Parties Risk
The risk associated with third-party engagement, including business partners, service providers, contractors, outsourcers, supply-chain nodes, and consulting services.
Examples:
- Poor quality of service or product
- Credit risk
- Compliance risk
- Untrained staff
- Poor performance

Frameworks

Lean Six Sigma
Lean Six Sigma (by Michael George) is a methodology that maximizes shareholder value by achieving the fastest rate of improvement in customer satisfaction, cost, quality, process speed, and invested capital. Six Sigma is a business management strategy, originally developed by Motorola, that today enjoys widespread application in many sectors of industry. Six Sigma seeks to identify and remove the causes of defects and errors in manufacturing and business processes. It uses a set of quality management methods, including statistical methods, and creates a special infrastructure of people within the organization.

COSO
Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.

COBIT
Control Objectives for Information and related Technology (COBIT). A set of best practices (framework) for IT management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.

ITIL
The Information Technology Infrastructure Library (ITIL) is a set of concepts and policies for managing information technology (IT) infrastructure, development and operations.

CMMI
Capability Maturity Model Integration (CMMI) is a process improvement approach that provides organizations with the essential elements of effective process improvement. It can be used to guide process improvement across a project, a division, or an entire organization.

ISO 27001
ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in the context of confidentiality, integrity and availability.

TOGAF
The Open Group Architecture Framework (TOGAF) is a framework for enterprise architecture which provides a comprehensive approach to the design, planning, implementation, and governance of an enterprise information architecture.

Risk IT
The Risk IT framework complements ITGI's COBIT and provides a comprehensive framework for enterprises to identify, govern and manage IT risk.

BS 25999
BS 25999 is BSI's standard in the field of Business Continuity Management (BCM). This standard replaces PAS 56, a Publicly Available Specification published in 2003 on the same subject.