IT Risks and Controls


Transcript of IT Risks and Controls

  • 8/11/2019 IT Risks and Controls

    1/28

    August 19, 2014

    IT Risks and Controls

    Risk Identification, Risk Mitigation, Risk Management, Controls Implementation

    Kemal Ozmen, CISA, TSRS Manager

  • 2/28

    Agenda

    General Concepts about IT Risks

    Risk Identification and Management

    Controls and Their Implementation

  • 3/28

    What is Risk?

    Risk is the threat that an event or action will adversely affect an organization's ability to achieve its business objectives and execute its strategies successfully.

    INFORMATION FOR DECISION MAKING RISK: Information used to support strategic, operational and financial decisions is not relevant, complete, accurate or timely.

    PROCESS RISK: The risk that business processes are not clearly defined, are poorly aligned with business strategies, are not performing effectively and efficiently in satisfying customer needs, are reducing shareholder value, are compromising the integrity of data and information, or are exposing significant assets to unacceptable losses, risk taking, misappropriation or misuse.

    ENVIRONMENT RISK: External forces that could significantly change the fundamentals that drive its overall business objectives and strategies. These risks are not created by the company, but are inherent in the environment.

  • 4/28

    ENVIRONMENT RISK: Competitor, Sensitivity, Shareholder Relations, Capital Availability, Catastrophic Loss, Sovereign/Political, Legal, Regulatory, Industry, Financial Markets

    PROCESS RISK

      FINANCIAL RISK: Currency, Interest Rate, Liquidity, Cash Transfer/Velocity, Derivative, Settlement, Reinvestment/Rollover, Credit, Collateral, Counterparty

      INTEGRITY RISK: Management Fraud, Employee Fraud, Illegal Acts, Unauthorized Use, Reputation

      EMPOWERMENT RISK: Leadership, Authority, Limit, Performance Incentives, Communications

      OPERATIONS RISK: Customer Satisfaction, Human Resources, Product Development, Efficiency, Capacity, Performance Gap, Cycle Time, Sourcing, Commodity Pricing, Obsolescence/Shrinkage, Compliance, Business Interruption, Product/Service Failure, Environmental, Health and Safety, Trademark/Brand Name Erosion

      INFORMATION PROCESSING/TECHNOLOGY RISK: Access, Integrity, Relevance, Availability, Infrastructure

    INFORMATION FOR DECISION MAKING RISK

      OPERATIONAL: Pricing, Contract Commitment, Measurement, Alignment, Completeness and Accuracy, Regulatory Reporting

      FINANCIAL: Budget and Planning, Completeness and Accuracy, Accounting Information, Financial Reporting Evaluation, Taxation, Pension Fund, Investment Evaluation, Regulatory Reporting

      STRATEGIC: Environmental Scan, Business Portfolio, Valuation, Measurement, Organization Structure, Resource Allocation, Planning, Life Cycle

  • 5/28

    IT Risk Definitions

    Integrity: The risk that computer data and programs are not free from error and do not represent actual economic events or transactions. Involves two areas: computer programs/processing, and computer data. Relates specifically to all aspects of application systems.

    Availability: The risk that information, processing ability and communications will not be available for critical operations and processes when needed.

    Access: The risk that users are given access to systems, data or information they do not need. Unauthorized access is gained to confidential systems, data and information.

    Relevance: The risk that information is not relevant for the purposes for which it is collected, maintained or distributed. Relates to the usability and timeliness of information that is either created or summarized by an application system.

  • 6/28

    IT Risk Definitions

    Infrastructure: The risk that IT core processes are not effectively supporting the current and future needs of the bank.

    IT core processes include:

    Organizational planning

    Application system definition and deployment

    Logical security and security administration

    Computer and network operations

    Data and database management

    Business/data center recovery

    INFORMATION PROCESSING/TECHNOLOGY RISK: Access, Integrity, Relevance, Availability, Infrastructure

  • 7/28

    Agenda

    General Concepts about IT Risks

    Risk Identification and Management

    Controls and Their Implementation

  • 8/28

    Warning Signs

    No linkage of risk to value

    No effort to anticipate

    Ineffective strategic control

    No risk management policy

    Not a management priority

    No integrated risk assessment framework

    Fragmented effort

    Narrow focus

    Poor risk communications

    Too little, too late

  • 9/28

    ABC of Risk Management

    RISKS: Access, Process Integrity, Relevance, Availability

    CONTROLS: ?

  • 10/28

    Risk Management Objectives

    Business Oriented

    Easy To Understand

    Technology Independent

    Comprehensive

    Flexible

    Mappable to other Risk Models

  • 11/28

    IT Risk Management Basic Principles

    1. IT risk management strategies should be driven by Business Risks, not just technical risks.

    2. Effective IT risk management should encompass a combination of strategy, organization, process and technology.

    3. Overall IT risk management process needs to be applied to discrete, yet interrelated, components of an organization's business processes and related information technology.

  • 12/28

    IT Risk Management Framework

  • 13/28

    IT Risk Management Framework

    Who does/should do things and why?

    Core competencies, Leadership styles, Values and beliefs, Communication

    What is/should be the strategy?

    What are the strategic objectives? Who are the key stakeholders/customers? What is the value proposition? How is the strategy going to be operationalized?

    How do/should things work?

    Policies, Business processes, Management processes

    What are/should be the technology implications?

    Data architecture and ownership, System architecture, Network architecture, Configuration, Integration, Tools

    Framework dimensions: Common Language, Metrics/Measures, Structure, Culture/Values, Strategy, Skills, Technology, Processes, Organization

  • 14/28

    IT Risk Management Framework

    What Is Needed To Succeed?

    What are the organization implications (structure, etc.)? What are the roles, responsibilities, and skills needed to achieve the strategic objectives/benefits? How will individual performance be measured?

    What Is Needed To Succeed?

    How can we create a common language for definition and discussion? How will success be measured? When should we measure it?

    What Is Needed To Succeed?

    What skills do people need? What awareness training is needed? How can it be delivered? How can we make continuous learning a reality?

  • 15/28

    Managing Risks Process Flow

  • 16/28

    Managing Risks Process Flow

    CONTINUOUSLY ASSESS SECURITY RISK CONTROL PROCESSES

    Risk Mngmnt. Processes Installed / In Place?

    No: Design and Install a Risk Control Process

    Yes: Continuously Assess by Comparing to Best Practices to Identify and Close Performance Gaps

  • 17/28

    Agenda

    General Concepts about IT Risks

    Risk Identification and Management

    Controls and Their Implementation

  • 18/28

    Definition of Control

    The Policies, Procedures, Practices and Organizational Structures, Designed to Provide Reasonable Assurance that Business Objectives will be Achieved and that Undesired Events will be Prevented or Detected and Corrected.

  • 19/28

    Definition of IT Control Objective

    A Statement of the Desired Result or Purpose to be Achieved by Implementing Control Procedures in a Particular IT Activity.

  • 20/28

    Controls Process Framework

    Monitoring

    Pervasive Controls

    Business Controls

    Information & Information Processing Controls

    Specific Risk Controls

    Specific controls for information processing purposes (e.g. observation, inquiry, inspection, confirmation, analytical procedures, etc.)

    Controls that have been implemented once into processes and/or systems and are geared to produce a specific outcome

    Controls that have been implemented by management for process monitoring and/or verification purposes

  • 21/28

    Types of Controls

    Preventive controls are designed to: prevent an error or irregularity from occurring; eliminate risks at the source; build quality into the process.

    Detective controls are used as a fail-safe method to: manage risks more completely; manage risks that occur irregularly or infrequently; detect errors that are hard to define and predict.

    System-based controls are automated, programmed procedures performed by the computer system.

    People-based controls: Risk management requires judgment. Risk environment is not stable and changing circumstances need to be accounted for.

  • 22/28

    Effectiveness of Controls

    System-Based Detective Control: Human error eliminated, but no prevention

    System-Based Preventive Control: Human error eliminated, risk prevented before occurrence

    People-Based Detective Control: High probability of human error and non-detection

    People-Based Preventive Control: High probability of human error and non-prevention

    System-based controls are more reliable (Reliable axis); preventive controls are more desirable (Desirable axis).

  • 23/28

    Effective Controls

    RISKS (1) -> CONTROLS (2)

    IT BUSINESS RELATED RISKS -> CONTROL ELEMENTS: Strategy & Policy, Manage Deployment, Technology Architecture, Monitor Events

    RESULTS OF INFORMATION TECHNOLOGY RISK ASSESSMENT

  • 24/28

    Control Elements

    Strategy & Policy

    Management policies set the tone for the effectiveness of the entire IT risk management program.

    Policies should:

    Define management's view of risk acceptance

    Be concise, understandable and enforceable

    Be customized to the specific business unit to which they apply

    Encompass the critical systems and processing environments

    Establish guidelines and examples for consistency

  • 25/28

  • 26/28

    Control Elements

    Monitor Events

    Monitor Events is a series of processes that include:

    Evaluating impact of IT on users and technical architecture

    Identification of IT-relevant risks in new technologies and applications

    Defining and evaluating abnormalities through effective reporting, audit trails, violation reports, etc.

    Changes in organizational dynamics

    Compliance with policies

    Re-certification of users and rights/privileges

    Breach detection

  • 27/28

    Control Elements

    Technology Architecture

    Control elements (P, D, E, T) across the layers: PHYSICAL, NETWORK, PLATFORM, DATA/DBMS, APPLICATION, PROCESS

    P - Strategy & Policy; D - Managed Deployment; E - Monitor Events; T - Technology Architecture

  • 28/28

    Questions and Answers (10 minutes)