Page 1

Webb Watch Corporation © 2010

Managing Risk

UMANT Presentation

Presenters:

Calvin Webb III, Michael Di Paolo

April 23, 2010

Page 2

Today’s Agenda

• Risk (10-15 minutes)
  – What is it?
  – Why is it important?
  – Common Terminology

• Information Technology Risk (20-25 minutes)

• Questions (10 minutes)


Page 3

Risk – What is it/how to address it?

• Definition
• Scenarios – What is the risk and what is the plan to address the risk?
  – Skydiving
  – Driving
  – Living in a house


Page 4

Risk Common Terminology

• Enterprise Risk Management (ERM)
  – Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.¹

¹ Committee of Sponsoring Organizations, Enterprise Risk Management – Integrated Framework, www.coso.org, 2004.


Page 5

COSO ERM Framework

Source: Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management – Integrated Framework (Jersey City, New Jersey: AICPA, 2004), 3-7.

Page 6

Risk – Why is it important?

Liberty losing millions in sales to other areas - Dayton News 4.19.10

Victoria: downturn in economy good news for public library 4.17.10

San Benito: city supervisor charged with theft saying he used city money to pay for repairs to his 1986 silver Camaro 4.15.10

Kerrville: voters weigh possibility of spouses on council 4.15.10

South Carolina: city manager search ‘tainted’ by illegal meetings 4.15.10

Austin: Cap Metro approves resolution to pay $51-million in debt to city out of projected sales taxes by 2019

More Delays: New Ash Cloud Heads Towards UK 4.19.10


Page 7

Webb Watch Corporation Business Risk Navigation Model

(Diagram: risk categories arranged across the bands SUPPORT, INTANGIBLE and EXECUTION, with an "Ongoing Event" marker. The categories and their items are listed below.)

EXTERNAL
• Competitor • Customer Wants • Economy • Laws & Regulations • Global Financial Markets • Political
• Catastrophic Loss • Terrorism / Violent Acts • Technological Innovation

FINANCIAL
• Accounting Information • Commodity Pricing • Credit Availability • Liquidity • External Reporting • Investor Confidence

PEOPLE
• Workforce Management • Performance Management • Management Competency • Training & Development • Operational Knowledge & Documentation • Benefit Management • Pension Management

LEADERSHIP
• Budget & Resource Allocation • Business Model / Sustainability • Ethics / Integrity • Governing Body & Executive • Operating & Organizational Culture • Organization Design • Transparency • Strategy • Succession Planning • Tone at the Top • Communication

OPERATIONS

INFORMATION

Page 8

Webb Watch Corporation Business Risk Navigation Model

(Diagram repeated, highlighting the EXTERNAL category: Competitor, Customer Wants, Economy, Laws & Regulations, Global Financial Markets, Political; Catastrophic Loss, Terrorism / Violent Acts, Technological Innovation.)

Page 9

Webb Watch Corporation Business Risk Navigation Model

(Diagram repeated, highlighting the INFORMATION category alongside the FINANCIAL, PEOPLE and LEADERSHIP categories shown on the previous slides.)

INFORMATION
• Technology
• Infrastructure • Integrity • Security • Relevance • Availability • Access

Page 10

Webb Watch Corporation Business Risk Navigation Model

(Diagram repeated, highlighting the OPERATIONS category.)

Page 11

Webb Watch Corporation Business Risk Navigation Model

(Diagram repeated, highlighting the SUPPORT band.)

Page 12

Risks with Technology

• Risks are inherent in normal, everyday local government work practices.

• You try mightily to eliminate financial and other risk through all sorts of controls, review cycles, and approval processes. Many of these rely on technology systems.

• In the end, people don’t always do what is expected, emergencies void normal controls, people quit, leaving gaps in process knowledge, technology systems fail, unforeseen events occur, and so forth.

In today’s world, all local government work practices rely on technology. And technology is far from foolproof!

Page 13

Information Security

• Only 20% of security breaches are attacks from outside!

• About 80% of all reported security breaches occur from within the corporate network and are made by employees.

• Have you ever even thought about or tried to manage technology risks in any meaningful way?

• Is technology security the domain of the IT Director in your organization?

• If so, that leaves a lot to be desired in the way of risk management.

• If employees cause most breaches, how can an IT Director manage security effectively?

Page 14

Controlling Risk from the Outside

• The IT Director can manage most, but not all, security to prevent successful attacks from the outside.

• Multiple layers of security (think of it just like multiple layers of clothing keep you warm in the winter).

• The best security systems are useless if not managed well.

Layers shown on the slide:
• Border Firewalls
• Strong passwords
• DMZ
• Patch management
• Intrusion Detection Systems
• Web or Application firewalls
• Intrusion Prevention Systems
• Data encryption
• Anti-virus
• Spam scanning

Page 15

Breaking In

• I’ve led teams that have broken into a fairly large bank. Banks have rigorous federal security requirements.

• First, I’d try a frontal assault on your network defenses.

• Use of tools to scan and infiltrate your network from the Internet.

• If a frontal assault on your security defenses doesn’t yield results, I would shift to a flanking strategy – attack you from an angle you didn’t expect.

• Failing that, I’d move on to social engineering; it almost never fails, because I enlist your employees to help me!


Page 16

Damage from Security Breaches

• What could I do to your financial systems, or any systems for that matter, if I got inside your internal network?

• Financials, Procurement, HR/Payroll.
• Other systems (Police, Code, Court, etc.)
• Theft of Personally Identifiable Information (PII) – identity theft is rampant, affecting over 5 million people.
• Cause you loss of data, corrupted data, inability to use your systems or to know whether data was or was not correct.
• Reputation, loss of credibility, front page in the newspapers and on the nightly news.

In March 2007, hackers stole 45.7 Million credit and debit cards of TJ Maxx customers!

Page 17

Problems Managing Risk from the Inside

• Financial controls
• Financial systems security
• User provisioning/de-provisioning (access controls)
• Employee education, employee education, employee education (phishing attacks, data leakage)
• Management education (why do I care?)
• IT education (they don’t know it all!)
• Technology security systems
• Good security practices
• Regular testing of various aspects of your security

Page 18

Why Should Anybody Care?

• We become ever more fragile organizations as we deploy more and more technology to operate our governments.

• We seem to think that security is something that IT can do alone; they can’t.

• We de-emphasize the risks inherent in our operations leaving ourselves open to disruption, financial loss, reputational loss, extra scrutiny, extra cost, and dismissal.

• Because it is simply good business to care about the information for which you are responsible.

• Because everyone, citizens and vendors alike, expects us to take prudent precautions with our information.

Page 19

Questions?