Webb Watch Corporation © 2010
Managing Risk
UMANT Presentation
Presenters:
Calvin Webb III
Michael Di Paolo
April 23, 2010
Today’s Agenda
• Risk (10-15 minutes)
– What is it?
– Why is it important?
– Common Terminology
• Information Technology Risk (20-25 minutes)
• Questions (10 minutes)
Risk – What is it/how to address it?
• Definition
• Scenarios – What is the risk and plan to address the risk?
– Skydiving
– Driving
– Living in a house
Risk Common Terminology
• Enterprise Risk Management (ERM)
– Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.¹
¹ Committee of Sponsoring Organizations, Enterprise Risk Management – Integrated Framework, www.coso.org, 2004.
COSO ERM Framework
Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management – Integrated Framework, (Jersey City, New Jersey: AICPA, 2004), 3-7.
Risk – Why is it important?
• Liberty losing millions in sales to other areas – Dayton News 4.19.10
• Victoria: downturn in economy good news for public library 4.17.10
• San Benito: city supervisor charged with theft, saying he used city money to pay for repairs to his 1986 silver Camaro 4.15.10
• Kerrville: voters weigh possibility of spouses on council 4.15.10
• South Carolina: city manager search ‘tainted’ by illegal meetings 4.15.10
• Austin: Cap Metro approves resolution to pay $51-million in debt to city out of projected sales taxes by 2019
• More Delays: New Ash Cloud Heads Towards UK 4.19.10
Webb Watch Corporation Business Risk Navigation Model
(Diagram: risk categories arranged around an “Ongoing Event”, with EXTERNAL, SUPPORT, INTANGIBLE and EXECUTION as the axes of the model.)
EXTERNAL
• Competitor
• Customer Wants
• Economy
• Laws & Regulations
• Global Financial Markets
• Political
• Catastrophic Loss
• Terrorism / Violent Acts
• Technological Innovation
FINANCIAL
• Accounting Information
• Commodity Pricing
• Credit Availability
• Liquidity
• External Reporting
• Investor Confidence
PEOPLE
• Workforce Management
• Performance Management
• Management Competency
• Training & Development
• Operational Knowledge & Documentation
• Benefit Management
• Pension Management
LEADERSHIP
• Budget & Resource Allocation
• Business Model / Sustainability
• Ethics / Integrity
• Governing Body & Executive
• Operating & Organizational Culture
• Organization Design
• Transparency
• Strategy
• Succession Planning
• Tone at the Top
• Communication
INFORMATION
• Technology
• Infrastructure
• Integrity
• Security
• Relevance
• Availability
• Access
OPERATIONS
Risks with Technology
• Risks are inherent in normal, everyday local government work practices.
• You try mightily to eliminate financial and other risk through all sorts of controls, review cycles, and approval processes. Many of these rely on technology systems.
• In the end, people don’t always do what is expected, emergencies void normal controls, people quit, leaving gaps in process knowledge, technology systems fail, unforeseen events occur, and so forth.
In today’s world, all local government work practices rely on technology. And technology is far from foolproof!
Information Security
• Only 20% of security breaches are attacks from outside!
• About 80% of all reported security breaches occur from within the corporate network and are made by employees.
• Have you ever even thought about or tried to manage technology risks in any meaningful way?
• Is technology security the domain of the IT Director in your organization?
• If so, that leaves a lot to be desired in the way of risk management.
• If employees cause most breaches, how can an IT Director manage security effectively?
Controlling Risk from the Outside
• The IT Director can manage most, but not all, security to prevent successful attacks from the outside.
• Multiple layers of security (think of it just like multiple layers of clothing keep you warm in the winter).
• The best security systems are useless if not managed well.
Security layers shown on the slide:
• Border Firewalls
• DMZ
• Intrusion Detection Systems
• Intrusion Prevention Systems
• Web or Application firewalls
• Anti-virus
• Spam scanning
• Strong passwords
• Patch management
• Data encryption
Breaking In
• I’ve led teams that have broken into a fairly large bank. Banks have rigorous federal security requirements.
• First, I’d try a frontal assault on your network defenses.
• Use of tools to scan and infiltrate your network from the Internet.
• If a frontal assault on your security defenses doesn’t yield results, I would shift to a flanking strategy – attack you from an angle you didn’t expect.
• Failing that, I’d move on to social engineering; it almost never fails, because I enlist your employees to help me!
Damage from Security Breaches
• What could I do to your financial systems, or any systems for that matter, if I got inside your internal network?
• Financials, Procurement, HR/Payroll.
• Other systems (Police, Code, Court, etc.)
• Theft of Personally Identifiable Information (PII) – Identity theft is rampant, affecting over 5 million people.
• Cause you loss of data, corrupted data, inability to use your systems or know if data was or was not correct.
• Reputation, loss of credibility, front page in the newspapers and on the nightly news.
In March 2007, hackers stole 45.7 Million credit and debit cards of TJ Maxx customers!
Problems Managing Risk from the Inside
• Financial controls
• Financial systems security
• User provisioning/de-provisioning (access controls)
• Employee education, employee education, employee education (Phishing attacks, data leakage).
• Management education (why do I care?)
• IT education (they don’t know it all!)
• Technology security systems
• Good security practices
• Regular testing of various aspects of your security.
Why Should Anybody Care?
• We become ever more fragile organizations as we deploy more and more technology to operate our governments.
• We seem to think that security is something that IT can do alone; they can’t.
• We de-emphasize the risks inherent in our operations, leaving ourselves open to disruption, financial loss, reputational loss, extra scrutiny, extra cost, and dismissal.
• Because it is simply good business to care about the information for which you are responsible.
• Because everyone, citizens and vendors, expect us to take prudent precautions with our information.
Questions?