IT Risks and Controls
-
8/11/2019 IT Risks and Controls 1/28
August 19, 2014
IT Risks and Controls
Risk Identification, Risk Mitigation, Risk Management, Controls Implementation
Kemal Ozmen, CISA, TSRS Manager
-
Agenda
General Concepts about IT Risks
Risk Identification and Management
Controls and Their Implementation
-
What is Risk?
Risk is the threat that an event or action will adversely affect an organization's ability to achieve its business objectives and execute its strategies successfully.

Three categories of business risk:

Environment Risk
External forces that could significantly change the fundamentals that drive the organization's overall business objectives and strategies. These risks are not created by the company, but are inherent in the environment.

Process Risk
The risk that business processes are not clearly defined, are poorly aligned with business strategies, are not performing effectively and efficiently in satisfying customer needs, are reducing shareholder value, are compromising the integrity of data and information, or are exposing significant assets to unacceptable losses, risk taking, misappropriation or misuse.

Information for Decision Making Risk
The risk that information used to support strategic, operational and financial decisions is not relevant, complete, accurate or timely.
-
Risk Categories in Detail

Environment Risk
Competitor, Sensitivity, Shareholder Relations, Capital Availability, Catastrophic Loss, Sovereign/Political, Legal, Regulatory, Industry, Financial Markets

Process Risk
Operations Risk: Customer Satisfaction, Human Resources, Product Development, Efficiency, Capacity, Performance Gap, Cycle Time, Sourcing, Commodity Pricing, Obsolescence/Shrinkage, Compliance, Business Interruption, Product/Service Failure, Environmental, Health and Safety, Trademark/Brand Name Erosion
Empowerment Risk: Leadership, Authority, Limit, Performance Incentives, Communications
Information Processing/Technology Risk: Access, Integrity, Relevance, Availability, Infrastructure
Integrity Risk: Management Fraud, Employee Fraud, Illegal Acts, Unauthorized Use, Reputation
Financial Risk: Currency, Interest Rate, Liquidity, Cash Transfer/Velocity, Derivative, Settlement, Reinvestment/Rollover, Credit, Collateral, Counterparty

Information for Decision Making Risk
Operational: Pricing, Contract Commitment, Measurement, Alignment, Completeness and Accuracy, Regulatory Reporting
Financial: Budget and Planning, Completeness and Accuracy, Accounting Information, Financial Reporting Evaluation, Taxation, Pension Fund, Investment Evaluation, Regulatory Reporting
Strategic: Environmental Scan, Business Portfolio, Valuation, Measurement, Organization Structure, Resource Allocation, Planning, Life Cycle
-
IT Risk Definitions

Integrity
The risk that computer data and programs are not free from error and do not represent actual economic events or transactions.
Involves two areas: computer programs/processing, and computer data.
Relates specifically to all aspects of application systems.

Availability
The risk that information, processing ability and communications will not be available for critical operations and processes when needed.

Access
The risk that users are given access to systems, data or information they do not need, or that unauthorized access is gained to confidential systems, data and information.

Relevance
The risk that information is not relevant for the purposes for which it is collected, maintained or distributed.
Relates to the usability and timeliness of information that is either created or summarized by an application system.
-
IT Risk Definitions (continued)

Infrastructure
The risk that IT core processes are not effectively supporting the current and future needs of the bank.
IT core processes include:
Organizational planning
Application system definition and deployment
Logical security and security administration
Computer and network operations
Data and database management
Business/data center recovery

Together, Access, Integrity, Relevance, Availability and Infrastructure make up Information Processing/Technology Risk.
-
Agenda
General Concepts about IT Risks
Risk Identification and Management
Controls and Their Implementation
-
Warning Signs
No linkage of risk to value
No effort to anticipate
Ineffective strategic control
No risk management policy
Not a management priority
No integrated risk assessment framework
Fragmented effort
Narrow focus
Poor risk communications
Too little, too late
-
ABC of Risk Management
Risks: Access, Process Integrity, Relevance, Availability
Controls: ?
-
Risk Management Objectives
Business Oriented
Easy To Understand
Technology Independent
Comprehensive
Flexible
Mappable to other Risk Models
-
IT Risk Management Basic Principles
1. IT risk management strategies should be driven by business risks, not just technical risks.
2. Effective IT risk management should encompass a combination of strategy, organization, process and technology.
3. The overall IT risk management process needs to be applied to discrete, yet interrelated, components of an organization's business processes and related information technology.
-
IT Risk Management Framework
The framework covers Strategy, Organization (Culture/Values, Structure, Skills), Processes and Technology, tied together by a Common Language and Metrics/Measures. Each component is defined by the questions it answers:

Organization (Culture/Values): Who does/should do things and why?
Core competencies
Leadership styles
Values and beliefs
Communication

Strategy: What is/should be the strategy?
What are the strategic objectives?
Who are the key stakeholders/customers?
What is the value proposition?
How is the strategy going to be operationalized?

Processes: How do/should things work?
Policies
Business processes
Management processes

Technology: What are/should be the technology implications?
Data architecture and ownership
System architecture
Network architecture
Configuration
Integration
Tools
-
IT Risk Management Framework (continued)
What is needed to succeed?

Structure:
What are the organization implications (structure, etc.)?
What are the roles, responsibilities, and skills needed to achieve the strategic objectives/benefits?
How will individual performance be measured?

Common Language and Metrics/Measures:
How can we create a common language for definition and discussion?
How will success be measured?
When should we measure it?

Skills:
What skills do people need?
What awareness training is needed?
How can it be delivered?
How can we make continuous learning a reality?
-
Managing Risks: Process Flow
Continuously assess security risk control processes:
Are risk management processes installed and in place?
No: design and install a risk control process.
Yes: continuously assess by comparing to best practices to identify and close performance gaps.
-
Agenda
General Concepts about IT Risks
Risk Identification and Management
Controls and Their Implementation
-
Definition of Control
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented, or detected and corrected.
-
Definition of IT Control Objective
A statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
-
Controls Process Framework
Layers, from outermost to innermost:
Monitoring
Pervasive Controls
Business Controls
Information & Information Processing Controls
Specific Risk Controls

Three kinds of control appear in the framework:
Specific controls for information processing purposes (e.g. observation, inquiry, inspection, confirmation, analytical procedures, etc.)
Controls that have been implemented once into processes and/or systems and are geared to produce a specific outcome
Controls that have been implemented by management for process monitoring and/or verification purposes
-
Types of Controls

Preventive controls are designed to:
Prevent an error or irregularity from occurring
Eliminate risks at the source
Build quality into the process

Detective controls are used as a fail-safe method to:
Manage risks more completely
Manage risks that occur irregularly or infrequently
Detect errors that are hard to define and predict

System-based controls are automated, programmed procedures performed by the computer system.

People-based controls are needed because risk management requires judgment, and because the risk environment is not stable: changing circumstances need to be accounted for.
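The distinction between preventive and detective controls is easiest to see on one batch of transactions. The following is an added example, not code from the deck or its author: a system-based preventive control that rejects a transaction at the source (non-positive amount, initiator approving their own entry, amount over a limit) beside a system-based detective control that runs after posting and finds what the per-transaction check cannot define in advance (one payment split into several to stay under the limit, and a posted total that does not reconcile to the ledger). The field names, the approval limit and the sample batch are assumptions made for the illustration.

```python
# Added example (not from the original deck): a system-based preventive
# control and a system-based detective control over the same batch of
# constructed payment transactions.  Field names, the approval limit and the
# sample data are assumptions made for illustration.
from collections import defaultdict
from dataclasses import dataclass

APPROVAL_LIMIT = 10_000.0  # assumed: largest amount one approver may release


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount: float
    initiator: str  # who entered the transaction
    approver: str   # who approved it
    account: str


class ControlViolation(Exception):
    """Raised by the preventive control to stop a transaction at the source."""


def preventive_control(txn: Transaction) -> Transaction:
    """Programmed checks run before posting: an invalid transaction never
    reaches the ledger, so the error is prevented rather than found later."""
    if txn.amount <= 0:
        raise ControlViolation(f"{txn.txn_id}: amount must be positive")
    if txn.initiator == txn.approver:
        raise ControlViolation(f"{txn.txn_id}: initiator approved own transaction (segregation of duties)")
    if txn.amount > APPROVAL_LIMIT:
        raise ControlViolation(f"{txn.txn_id}: amount {txn.amount} exceeds approval limit {APPROVAL_LIMIT}")
    return txn


def post_batch(batch):
    """Run the preventive control over a batch; returns (posted, rejections)."""
    posted, rejections = [], []
    for txn in batch:
        try:
            posted.append(preventive_control(txn))
        except ControlViolation as err:
            rejections.append(str(err))
    return posted, rejections


def detective_control(posted, ledger_total):
    """After-the-fact checks over what was actually posted.  These catch what a
    per-transaction check cannot see: a limit bypassed by splitting one payment
    into several, and a posted total that does not reconcile to the ledger."""
    findings = []
    by_pair = defaultdict(list)
    for txn in posted:
        by_pair[(txn.initiator, txn.account)].append(txn)
    for (initiator, account), txns in by_pair.items():
        total = sum(t.amount for t in txns)
        if len(txns) > 1 and total > APPROVAL_LIMIT:
            ids = ",".join(t.txn_id for t in txns)
            findings.append(f"split transactions: {initiator} on {account} posted {total} via {ids}, above limit {APPROVAL_LIMIT}")
    posted_total = round(sum(t.amount for t in posted), 2)
    if posted_total != round(ledger_total, 2):
        findings.append(f"posted total {posted_total} does not reconcile to ledger total {ledger_total}")
    return findings


# Constructed sample batch (not real data).
SAMPLE_BATCH = [
    Transaction("T1", 4000.0, "alice", "bob", "ACC-1"),
    Transaction("T2", 6500.0, "alice", "bob", "ACC-1"),    # fine alone; T1+T2 breaches the limit
    Transaction("T3", -50.0, "carol", "dave", "ACC-2"),    # invalid amount
    Transaction("T4", 12000.0, "carol", "dave", "ACC-3"),  # over the limit
    Transaction("T5", 300.0, "erin", "erin", "ACC-4"),     # initiator approved herself
    Transaction("T6", 250.0, "frank", "grace", "ACC-5"),
]


def run_example():
    """Apply both controls to the sample batch; returns (posted ids, rejections, findings)."""
    posted, rejections = post_batch(SAMPLE_BATCH)
    findings = detective_control(posted, ledger_total=10750.0)
    return [t.txn_id for t in posted], rejections, findings


if __name__ == "__main__":
    ids, rejections, findings = run_example()
    print("posted:", ids)
    print("rejected by preventive control:", *rejections, sep="\n  ")
    print("detective control findings:", *findings, sep="\n  ")
```

Both controls here are system-based; the findings list from the detective control is where the people-based part begins, since deciding whether the split payment is fraud or a legitimate pair of invoices requires judgment the program cannot supply.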
-
Effectiveness of Controls
The four combinations of control type, rated on two axes (system-based versus people-based: reliable; preventive versus detective: desirable):
System-based preventive control: human error eliminated, risk prevented before occurrence (reliable and desirable)
System-based detective control: human error eliminated, but no prevention (reliable)
People-based preventive control: high probability of human error and non-prevention (desirable)
People-based detective control: high probability of human error and non-detection
System-based controls are more reliable. Preventive controls are more desirable.
-
Effective Controls
Risks map to controls in two steps: (1) the results of the information technology risk assessment identify the IT business-related risks; (2) those risks are addressed by four control elements:
Strategy & Policy
Manage Deployment
Technology Architecture
Monitor Events
-
Control Elements: Strategy & Policy
Management policies set the tone for the effectiveness of the entire IT risk management program.
Policies should:
Define management's view of risk acceptance
Be concise, understandable and enforceable
Be customized to the specific business unit to which they apply
Encompass the critical systems and processing environments
Establish guidelines and examples for consistency
-
Control Elements: Monitor Events
Monitor Events is a series of processes that include:
Evaluating the impact of IT on users and the technical architecture
Identification of IT-relevant risks in new technologies and applications
Defining and evaluating abnormalities through effective reporting, audit trails, violation reports, etc.
Changes in organizational dynamics
Compliance with policies
Re-certification of users and rights/privileges
Breach detection
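Three of the items above (violation reports from audit trails, re-certification of users and rights, and breach detection) are the monitoring side of the Access risk defined earlier: users holding rights they do not need, and unauthorized access being attempted or gained. The following is an added example, not code from the deck or its author, of such a monitoring control: it takes a constructed user-entitlement list and a constructed audit trail and produces the violation report a reviewer would receive. The log line format, the role matrix, the 90-day re-certification period, the business-hours window, the denial threshold and every record are assumptions made for the illustration.

```python
# Added example (not from the original deck): a "Monitor Events" control that
# reads an audit trail and a user-entitlement list and produces a violation
# report covering user re-certification, use of rights a user does not hold,
# off-hours privileged activity and repeated access denials.  The log format,
# role matrix, thresholds and all sample records are constructed assumptions.
import re
from collections import Counter
from datetime import date

# Assumed least-privilege role matrix: the rights each role actually needs.
ROLE_RIGHTS = {
    "teller": {"core-banking:read", "core-banking:post"},
    "auditor": {"core-banking:read", "gl:read"},
    "dba": {"dbms:admin"},
}
PRIVILEGED = {"dbms:admin"}      # assumed: rights worth flagging outside business hours
BUSINESS_HOURS = range(8, 18)    # assumed: 08:00-17:59
RECERT_DAYS = 90                 # assumed: rights must be re-certified every 90 days
DENIED_THRESHOLD = 3             # assumed: this many denials in one trail is a breach indicator
AS_OF = date(2014, 8, 19)        # assumed review date

# Constructed entitlement records: granted rights and the last certification date.
ENTITLEMENTS = [
    {"user": "alice", "role": "teller",  "rights": {"core-banking:read", "core-banking:post"}, "certified": "2014-07-01"},
    {"user": "bob",   "role": "auditor", "rights": {"core-banking:read", "gl:read", "core-banking:post"}, "certified": "2014-08-10"},
    {"user": "carol", "role": "dba",     "rights": {"dbms:admin"}, "certified": "2014-03-15"},
]

# Constructed audit-trail lines: "<ISO timestamp> <user> <system> <action> <OK|DENIED>".
AUDIT_TRAIL = """\
2014-08-18T09:01:10 alice core-banking post OK
2014-08-18T10:00:00 alice gl read OK
2014-08-18T09:05:42 bob core-banking post OK
2014-08-18T22:14:03 carol dbms admin OK
2014-08-18T23:50:00 mallory core-banking read DENIED
2014-08-18T23:50:05 mallory core-banking read DENIED
2014-08-18T23:50:09 mallory core-banking read DENIED
2014-08-18T23:50:12 mallory core-banking read DENIED
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (OK|DENIED)$")


def recertification_findings(entitlements, today):
    """Re-certification of users and rights: flag rights beyond what the role
    needs (access risk) and certifications older than RECERT_DAYS."""
    findings = []
    for e in entitlements:
        excess = e["rights"] - ROLE_RIGHTS.get(e["role"], set())
        if excess:
            findings.append(f"{e['user']}: rights beyond role '{e['role']}': {sorted(excess)}")
        age = (today - date.fromisoformat(e["certified"])).days
        if age > RECERT_DAYS:
            findings.append(f"{e['user']}: last certified {age} days ago, re-certification overdue")
    return findings


def audit_trail_findings(trail, entitlements):
    """Violation report from the audit trail: successes outside granted rights
    (an access-control failure), privileged actions outside business hours,
    and repeated denials (breach detection)."""
    granted = {e["user"]: e["rights"] for e in entitlements}
    denials = Counter()
    findings = []
    for line in trail.splitlines():
        m = LINE_RE.match(line)
        if not m:
            findings.append(f"unparseable audit line: {line!r}")
            continue
        ts, user, system, action, result = m.groups()
        right = f"{system}:{action}"
        if result == "DENIED":
            denials[user] += 1
            continue
        if right not in granted.get(user, set()):
            findings.append(f"{ts}: {user} succeeded with {right} without holding that right")
        if right in PRIVILEGED and int(ts[11:13]) not in BUSINESS_HOURS:
            findings.append(f"{ts}: privileged action {right} by {user} outside business hours")
    for user, n in denials.items():
        if n >= DENIED_THRESHOLD:
            findings.append(f"{user}: {n} access denials, possible breach attempt")
    return findings


def violation_report(today=AS_OF):
    """Combine both checks into the report a reviewer would receive."""
    return recertification_findings(ENTITLEMENTS, today) + audit_trail_findings(AUDIT_TRAIL, ENTITLEMENTS)


if __name__ == "__main__":
    for finding in violation_report():
        print(finding)
```

Two design points are worth noting. A successful action outside a user's granted rights is reported separately from an excess grant: the first means the system's access control is not enforcing the entitlement list (an integrity and access problem in the platform), the second means the entitlement list itself is wrong (a re-certification problem). And an unparseable line is itself a finding rather than being skipped, because a gap in the audit trail is exactly what a reviewer of this report needs to see.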
-
Control Elements: Technology Architecture
The four control elements (P, D, E, T) are applied at each layer of the technology architecture:
Physical
Network
Platform
Data/DBMS
Application
Process
Legend: P - Strategy & Policy; D - Managed Deployment; E - Monitor Events; T - Technology Architecture
-
Questions and Answers (10 minutes)