IT Governance Risk Compliance
Transcript of IT Governance Risk Compliance
-
7/31/2019 IT Governance Risk Compliance
Enhancing IT Governance, Risk and Compliance Management (IT GRC)
Enabling Reliable eServices
Tawfiq F. Alrushaid, Saudi Aramco
-
Agenda
GRC Overview
IT GRC Introduction
IT Governance
IT Risk Management
IT Compliance
IT GRC Framework
Implementation Approach
-
GRC Overview
(Diagram: the three GRC disciplines and what each deals with)
Governance: the internal system
Risk Management: hazards
Compliance Management: enforcement of laws, regulations & controls
-
Corporate Governance History
The East Asian Financial Crisis (1997)
Corporate collapses and massive bankruptcies (early 2000s): Enron, MCI (WorldCom), AOL, Arthur Andersen, Tyco
Compliance with corporate regulations & law: Sarbanes-Oxley Act, HIPAA
Compliance with frameworks and standards: COBIT, ISO/IEC 38500
-
IT Governance Overview
Definition
IT governance is a structure of processes that govern decision making around investment decisions in eServices, client relationships, project management and other important IT operational areas.
-
IT Compliance Management
(Diagram: IT business units mapped to the frameworks they must comply with)
IT business units: Planning, Projects, Support, Operations, Information Security
Applicable frameworks and standards: ITIL, COSO, CMMI, BS 25999
-
IT Risk Management Components
IT Strategic Risk
Information Security Risk
Operational Risk
Third Party Risk
Business Continuity Risk
-
IT Risk Management Processes
(Diagram: risk governance surrounds the evaluation and response cycle)
Risk Governance: roles & responsibilities (charter); policy, standards and guidelines; alerts, escalation and dashboard; applied across planning, programs, projects and operations
Risk Evaluation: collect data, analyze and build the risk profile
Risk Response: articulate, manage and react
Training & Awareness underpins all three
-
IT Risk Management Process in Action
(Diagram: Risk Governance, Risk Evaluation and Risk Response feeding the IT Risk Register, which rolls up into the ERM Risk Register)
Risk Governance
Risk Evaluation
Risk Response
IT Risk Register
ERM Risk Register
-
IT GRC Business Drivers
Business is more dependent on IT
IT environment is more complex
Less time between IT failures and organizational impact
Increase in threats related to IT
Increase in regulations, standards and controls
-
Taking an Integrated Approach to GRC
(Diagram: laws, policies and regulations give rise to Standard 1, Standard 2, Standard 3 and Standard 4; all four map onto one shared set of controls, which feeds a single GRC program covering governance, risk management, compliance management and training & awareness)
Single GRC automation platform: provides a holistic view of the organization through one dashboard
Rapid deployment of new standards or regulations
Managing controls across multiple regulations: speed up remediation; minimize total controls documentation, testing and auditing costs
Training & Awareness: similar knowledge domains require a common awareness and training program
Optimize resources
-
IT GRC Framework
(Diagram: IT GRC at the centre, supported by three pillars)
Supporting IT programs & initiatives
Supporting standards, frameworks & methodologies
Supporting IT organizations
-
IT GRC Supporting Frameworks & Standards
(Diagram: the COBIT cycle at the centre, surrounded by the disciplines it ties together)
COBIT cycle: Plan & Organize; Acquire & Implement; Deliver & Support; Monitor & Evaluate
Process Improvement (Lean Six Sigma)
IT Risk Management
Service Management
Information Security Management
Business Continuity Management
IT Enterprise Architecture
Application Development
Internal Controls
-
eServices Reliability Framework
(Diagram: reliable eServices rest on a reliable IT infrastructure and reliable IT processes; the processes are governed by IT GRC and IT Portfolio Management)
Reliable eServices
Reliable IT Infrastructure
Reliable IT Processes
IT Governance, Risk and Compliance Management (IT GRC)
IT Portfolio Management
-
Mapping IT GRC Model To eServices GRC Model
-
IT GRC Value for eServices
IT Governance | Implementing and enhancing IT policies, IT controls, IT value delivery, resource management and performance management will enhance alignment with customer demand
IT Risk Management: IT Strategy Risk | Respond to changes in technology, economy & demand
IT Risk Management: IT Operation Risk | Minimize the failure of technologies, processes & people to ensure service delivery
IT Risk Management: Information Security | Ensure data integrity to protect customers' data (authentication & encryption)
IT Risk Management: Business Continuity | Implement high availability solutions and disaster recovery plans to ensure service continuity
IT Risk Management: IT Third Party Risk | Manage the performance, quality and risk of service providers and contractors
IT Compliance | Adhere to eServices regulations and standards to enhance customer trust and confidence
-
IT GRC Maturity Model
(Figure: IT GRC maturity rises over time through five levels)
Unaware:
Ad hoc approach to managing programs and initiatives
Success is not measured
Fragmented:
Tactical approach to meet program objectives
Silos of projects in place without integration
Information is not shared between programs
New requirements within a silo are addressed without considering other areas
Measurement is difficult
Integrated:
Silos are broken down
Information is shared across programs
New requirements are rapidly addressed by a common framework
Program benefits are measured
Aligned:
Strategic approach to aligning programs with the overall business
Silos are nonexistent
Automation is consolidated wherever possible
Business benefits are measured
Optimized:
Strategic approach to IT optimization
Business benefits are measured and improved year over year
-
IT GRC Implementation Approach
(Flow of activities, in order)
Conduct awareness
Identify IT GRC requirements
Select critical IT processes
Leverage industry standards and frameworks
Conduct maturity assessment
Establish IT GRC maturity levels and goals; identify gaps
Establish IT governance landscape
Establish IT risk universe
Define unified IT GRC management framework
Establish improvement roadmap
Standardize IT GRC controls, processes and practices in line with industry standards, frameworks and best practices
Integrate IT GRC controls, processes and practices with IT core processes
Establish KGIs, KPIs and KRIs
Enhance monitoring, reporting, alerting and escalation of IT GRC
Provide IT risk dashboards
Automate
-
IT Governance, Risk and Compliance (GRC) Program
(Diagram: the three disciplines of the program and their components, resting on three common foundations)
IT Governance: Strategic Alignment; IT Processes Maturity Assessment; IT Standards & Guidelines Management; IT Portfolio Management; Business and other IT programs
IT Risk Management: Risk Governance; Compliance Risk; Operational Risk; Business Continuity Management; Third-Party Risk; Information Protection Risk; IT Strategy Risk
IT Compliance Management: IT Standards & Guidelines Compliance Management; Industrial Standards & Frameworks Compliance Management; Third-Party Compliance Management
Common foundations: Common IT Control Framework; Common IT Awareness & Training Framework; Common IT GRC Dashboard
-
Q&A
Thank You
-
Linked Slides
-
IT Strategic Risk
The risk resulting from the lack of alignment with the business, or lack of responsiveness to economic changes, industry changes or customer demand.
Examples
Not achieving enough value from IT
Misalignment with business objectives
Obsolete or inflexible IT architecture
-
IT Operational Risk
The risk resulting from inadequate or failed internal processes, people and technologies, or from external events.
Examples
System failure
Network failure
Untrained staff
-
Information Security Risk
The risk associated with data confidentiality, integrity and availability.
Examples
Information leakage
Unauthorized access
Malicious software
-
IT Business Continuity Risk
The risk concerned with the ability of the IT organization to continue to perform its function in case of system failure or disasters.
Examples
Lack of a disaster recovery plan
Lack of high availability solutions on critical systems
-
IT Third-Party Risk
The risk associated with third-party engagements, including business partners, service providers, contractors, outsourcers, supply-chain nodes and consulting services.
Examples
Poor quality of service or product
Credit risk
Compliance risk
Untrained staff
Poor performance
-
Frameworks
-
Lean Six Sigma
Lean Six Sigma (by Michael George) is a methodology that maximizes shareholder value by achieving the fastest rate of improvement in customer satisfaction, cost, quality, process speed and invested capital.
Six Sigma is a business management strategy, originally developed by Motorola, that today enjoys widespread application in many sectors of industry.
Six Sigma seeks to identify and remove the causes of defects and errors in manufacturing and business processes. It uses a set of quality management methods, including statistical methods, and creates a special infrastructure of people within the organization.
-
COSO
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
COSO has established a common definition of internal controls, standards and criteria against which companies and organizations can assess their control systems.
-
COBIT
Control Objectives for Information and related Technology (COBIT).
A set of best practices (framework) for IT management, first released by the Information Systems Audit and Control Association (ISACA) in 1996 and later developed with the IT Governance Institute (ITGI).
COBIT provides managers, auditors and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and in developing appropriate IT governance and control in a company.
-
ITIL
The Information Technology Infrastructure Library (ITIL) is a set of concepts and policies for managing information technology (IT) infrastructure, development and operations.
-
CMMI
Capability Maturity Model Integration (CMMI)
A process improvement approach that provides organizations with the essential elements of effective process improvement.
It can be used to guide process improvement across a project, a division or an entire organization.
-
ISO 27001
ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and improving an Information Security Management System (ISMS); its companion ISO/IEC 27002 provides best practice recommendations on information security controls for those who are responsible for initiating, implementing or maintaining an ISMS.
Information security is defined within the standard in the context of confidentiality, integrity and availability.
-
TOGAF
The Open Group Architecture Framework (TOGAF) is a framework for enterprise architecture which provides a comprehensive approach to the design, planning, implementation and governance of an enterprise information architecture.
-
Risk IT
The Risk IT framework complements ITGI's COBIT and provides a comprehensive framework for enterprises to identify, govern and manage IT risk.
-
BS 25999
BS 25999 is BSI's standard in the field of Business Continuity Management (BCM). This standard replaces PAS 56, a Publicly Available Specification published in 2003 on the same subject.