Characteristics of a Mature IT RISK Management Program - PowerPoint PPT Presentation

About This Presentation
Title:

Characteristics of a Mature IT RISK Management Program

Description:

Characteristics of a Mature IT RISK Management Program, as it relates to a Mature Corporate Governance Program which works to International Standards

Slides: 56
Provided by: isacacent

Transcript and Presenter's Notes
1
Characteristics of a Mature IT RISK Management
Program
  • As it relates to a Mature Corporate Governance
    Program which works to International Standards
  • such as ISO/IEC 17799 and Basel II

2
Companies are required to improve controls
  • Examples of Laws Governing Companies
  • The Patriot Act
  • Sarbanes Oxley
  • Gramm-Leach-Bliley Act
  • HIPAA

3
Laws, Governance, Controls and the Overlap
  • The laws all require various controls, for
    various reasons
  • Many controls in each law are identical to those
    in the other laws, but you have to make sure you
    cover all the angles
  • You want to avoid excessive work effort to
    maintain compliance, while still ensuring that
    you are compliant with each law

4
USA PATRIOT Act - October 2001
  • Impacts
  • Financial institutions, ISPs and other companies
    that handle and store online communications
  • Purpose
  • Boost the Government's ability to track and
    prosecute terrorist activity through increased
    use of surveillance, information sharing, and
    other means.
  • What does this mean
  • Obliges financial institutions to report any
    suspicious activity regarding large money
    transactions.
  • Also obliges ISPs to allow Government agencies to
    collect information on users, including credit
    card and bank account information.

5
USA PATRIOT Act - October 2001
  • Permits
  • A single judicial body to issue a nationwide
    order covering corporate communications
  • Lets a single court order
  • Grant nationwide access to stored e-mail and
    communications records
  • Treats stored voicemail like stored e-mail
  • Allows investigators
  • To electronically eavesdrop on suspected
    instances of terrorism and computer crime,
    especially those related to money laundering

6
Gramm-Leach-Bliley Act (GLBA) - November 1999
  • Impacts
  • Mainly financial institutions, but also any
    company that collects names, Social Security
    numbers, and bank account numbers of employees
    and customers
  • Purpose
  • To protect the information financial institutions
    collect about customers
  • What does this mean
  • The Safeguards Rule requires financial
    institutions to design, implement, and maintain
    safeguards to protect customer information.

7
GLBA
  • Financial Privacy Rule
  • Governs
  • How companies collect and disseminate customers'
    personal financial information
  • Requires
  • A copy of the privacy notice be delivered to each
    customer at least once a year
  • Indicates what is collected, how it is protected,
    and to whom it will or will not be disclosed.
  • Considered a binding contract

8
GLBA
  • Safeguards Rule
  • Requires
  • That customer information is adequately
    protected.
  • FFIEC favors
  • Risk analysis to assess the appropriateness and
    effectiveness of the safeguards
  • Requires
  • That an individual be identified to coordinate,
    monitor and test the safeguards
  • Testing is often assigned to a third party to
    maintain separation of duties and impartiality

9
Sarbanes-Oxley Act - July 2002
  • Impacts
  • Any public company
  • Purpose
  • To restore investor confidence in the financial
    reporting of public companies and hold officers
    personally responsible for misrepresentation
  • What does this mean
  • Officers must certify each quarterly and annual
    financial report (Section 302), and management
    must report annually on the internal controls
    and procedures used to derive those reports
    (Section 404). The internal control report is
    attested by the external auditor.

10
Sarbanes-Oxley Act - July 2002
  • Develop processes and systems to ensure data
    integrity
  • Track everyone who has access to data
  • Store resulting logs on secure media/SAN

11
Sarbanes-Oxley Act - July 2002
  • Security and ops teams that manage networks and
    review logs
  • Need to have an arm's-length relationship with
    business and IT functions to eliminate the
    opportunity for fraud
  • Will require
  • Enterprise-level monitoring to identify breaches
    and anomalies
  • Eventually will need to monitor all systems that
    feed financial reporting applications

12
HIPAA
  • Health Insurance Portability and Accountability
    Act - August 1996
  • Impacts Bank One as a company that handles
    individual insurance information and provides
    health care clearinghouse and billing/data
    formatting services
  • Purpose
  • To improve portability while maintaining privacy
    and security of patient information
  • What does this mean
  • Privacy Rule, Security Rule, and transaction
    standards for medical providers, claims
    processors (clearinghouses), and insurance
    companies: securing information and electronic
    communications.

13
References for model
  • BASEL II
  • ISO/IEC 17799
  • Provides 90% of the controls needed for
    compliance with the various laws if a company is
    ISO compliant
  • SEI CMMI
  • Carnegie Mellon Software Engineering Institute
  • http://www.sei.cmu.edu/cmmi/
  • Capability Maturity Model Integration
  • ISF
  • Information Security Forum
  • Working documents on
  • How to become a mature IT Risk Management
    function within a Mature Corporate Risk
    Management Governance Program

14
What makes a Mature ITRM?
  • Processes to achieve Governance objectives
  • Meeting Risk management requirements
  • Robust reporting framework
  • Strong internal control characteristics
  • Behavior of Mature ITRM that meets criteria
  • Benefits of meeting criteria

15
Basel II View - Corporate ORM / Framework
[Diagram: standard operational risk categories]
16
ISO/IEC 17799 (the code of practice for information
security management, since renumbered ISO/IEC 27002)
  • Establishes best practices for secure deployments
  • Policies
  • Procedures
  • Operations
  • Business continuity
  • Incident management
  • Ref http://www.bsitraining.com/infosecurity_standards.asp17999

17
Processes to achieve Governance objectives
  • Key IT RISK Process
  • Policy Framework
  • Objectives
  • Board and Management committed
  • Statement on how risk will be managed
  • Degree of risk that will be accepted
  • Assignment of responsibility for managing risk
  • Cost/benefit process for acceptance of risk
    appetite level

18
Processes to achieve Governance objectives
  • Key IT RISK Process
  • Risk Process
  • Objectives
  • Process to identify and assess risk associated
    with each layer of an IT Asset starting with the
    Business process
  • Tools in place to measure risk
  • Controls in place to ensure tools and processes
    running at expected level of maturity
  • Processes are equal to or better than those of
    business peers and meet generally accepted
    criteria for assessment processes

19
Processes to achieve Governance objectives
  • Key IT RISK Process
  • Control framework
  • Objectives
  • Controls that assess and manage risk are
    monitored to guard against failure or
    unacceptable results
  • Controls are designed to monitor for compliance
    and report status of risk profile
  • IT Risk Staff and clients/employees are informed
    of rules and regulations, made aware of current
    risk issues

20
Processes to achieve Governance objectives
  • Key IT RISK Process
  • Control framework
  • Objectives Continued
  • Employees are trained in effective risk
    management practices as well as developed for job
    enhancement/advancement
  • Rewards are based on performance against agreed
    objectives. Failures and inappropriate actions
    are dealt with
  • Loss management controls are in place to detect
    and respond to fraud and corruption activities
  • Controls are in place and working to ensure
    security of assets

21
Risk Management Requirements
  • A mature risk management structure
  • Covers the entire organization, with clearly
    defined roles and responsibilities
  • IT RISK Management Requirement
  • An ITRM structure
  • covering the entire organization,
  • with clearly defined roles and responsibilities,
  • which is consistent with the organization's risk
    management structure
  • and has a good interface with other areas.

22
Risk Management Requirements
  • A mature risk assessment process
  • Identifies and evaluates key risks, which is
    consistent across all risk areas and the
    organization
  • IT RISK Management Requirement
  • An Information risk assessment process which is
    consistent across the organization and will as a
    minimum
  • Identify the nature and extent of information
    risks facing the organization
  • Assess the likelihood of the information risks
    materializing
  • Establish the cost benefit analysis of
    implementing controls to manage information risks
    (including proportionality, such as what peer
    organizations are doing).

23
Risk Management Requirements
  • Policies, standards, and procedures developed and
    implemented
  • To ensure all identified risks are managed within
    the organization's risk appetite
  • IT RISK Management Requirement
  • Policies, standards, and procedures developed and
    implemented to ensure that all identified
    information risks are managed, including
  • Establishing the acceptable information risks
    (known as risk appetite)
  • Ensuring there is an adequate response to
    directions from the board
  • Implementing impact reduction by use of control
    measures (ability to prevent, detect, and recover
    from an incident)

24
Risk Management Requirements
  • A process
  • For the regular monitoring of risk management
    processes and the carrying out of corrective
    action.
  • IT RISK Management Requirement
  • Procedures to monitor the effectiveness of
    controls and the integrity of the information
    risk management processes

25
Risk Management Requirements
  • A process
  • For regular risk reporting to executives and to
    the Board, with facilities to enable the
    assimilation of feedback into the risk processes
  • IT RISK Management Requirement
  • A process for regular reporting of information
    risks to executives and to the Board, with
    facilities to enable the assimilation of feedback
    into the information risk management processes

26
Risk Management Requirements
  • A process
  • To communicate appropriate risk information to
    the organization's stakeholders.
  • IT RISK Management Requirement
  • A process to communicate information about
    information risks to the organization's
    stakeholders, both internally and externally

27
ITRM Reporting
  • Key Reporting Indicator
  • Information Risk Incidents
  • Objective
  • To provide detailed information to the Board on
    any information risk incidents that have occurred
    within the organization, above an agreed
    cost/impact threshold.
  • Characteristics
  • Total number of incidents this period
  • Total number of incidents this financial year
  • Number of incidents above the threshold
  • For each incident above the threshold
  • An impact assessment for each incident
  • Statement of how the incident was handled
  • Key indicators for the incident (cost, resources
    expended)
  • Time before the incident was under control

28
ITRM Reporting
  • Key Reporting Indicator
  • Cost effectiveness of ITRM
  • Objective
  • To provide high-level information to the Board on
    the cost effectiveness of ITRM
  • Characteristics
  • Cost of all ITRM controls
  • Effective cost of doing nothing
  • Ratio of the cost of controls against doing
    nothing
  • Benchmarking against peer organizations
  • Compliance with ITRM controls as a percentage
  • Annual report on the effectiveness of the risk
    management process

29
ITRM Reporting
  • Key Reporting Indicator
  • Exposure to Litigation
  • Objective
  • To provide information to the Board on the
    potential for litigation or regulatory action as
    a result of information risks
  • Characteristics
  • Current legal proceedings and cumulative cost
  • Current regulatory exceptions and cumulative cost
  • Existing breaches of legislation (by legal
    instrument)
  • Existing breaches of regulation
  • Level of compliance to legislation as a
    percentage
  • Potential cost of legislation breaches
  • Potential cost of regulation breaches

30
ITRM Reporting
  • Key Reporting Indicator
  • Assessment of information risks
  • Objective
  • To provide information to the Board on the
    current assessment of information risks
  • Characteristics
  • Top Ten information risks
  • Likelihood of impact
  • Potential magnitude of impact
  • Assessment of risks against risk appetite
  • Identification of critical applications at risk
  • Availability and cost of control measures
  • Top Ten current threats and vulnerabilities
    (broken down in a similar fashion to the top ten
    information risks)
  • Top Ten emerging threats and vulnerabilities
    (broken down in a similar fashion to the top ten
    information risks)
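The indicators on this slide (likelihood of impact, potential magnitude of impact, assessment against risk appetite, availability and cost of control measures), together with the cost/benefit analysis called for on slide 22 and the "cost of controls against doing nothing" ratio on slide 28, are easier to see worked through. The Python below is an added example and is not part of the presentation or of any ISF or ISACA material. It assumes the conventional annualised loss expectancy arithmetic (ALE = annual rate of occurrence x single loss expectancy) and return on security investment (ROSI) for the cost/benefit step; every risk, control and figure in the sample register is constructed for illustration.

```python
"""Board-level risk assessment worked through: likelihood x magnitude,
top-N ranking, appetite check and control cost/benefit.

Added example, not from the presentation. It assumes the conventional
annualised loss expectancy (ALE = ARO x SLE) and return on security
investment (ROSI) arithmetic; all risks, controls and figures below are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Control:
    name: str
    annual_cost: float     # what the control costs to run per year (assumed)
    ale_reduction: float   # fraction of the risk's ALE it removes, 0.0..1.0 (assumed)


@dataclass
class Risk:
    name: str
    asset: str             # critical application at risk
    aro: float             # likelihood: expected occurrences per year
    sle: float             # magnitude: loss per occurrence
    controls: List[Control] = field(default_factory=list)

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: likelihood x magnitude."""
        return self.aro * self.sle


def residual_ale(risk: Risk, control: Control) -> float:
    """Exposure left after the control is applied."""
    return risk.ale * (1.0 - control.ale_reduction)


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: loss avoided, net of the control's
    cost, per unit of that cost."""
    avoided = risk.ale - residual_ale(risk, control)
    return (avoided - control.annual_cost) / control.annual_cost


def top_risks(register: List[Risk], n: int = 10) -> List[Risk]:
    """Slide 30 'Top Ten': rank by untreated ALE, highest first."""
    return sorted(register, key=lambda r: r.ale, reverse=True)[:n]


def recommend(risk: Risk, appetite: float) -> Optional[Control]:
    """Pick the best-ROSI control among those that bring residual ALE
    within appetite; only if none does, fall back to best ROSI overall."""
    within = [c for c in risk.controls if residual_ale(risk, c) <= appetite]
    pool = within or risk.controls
    return max(pool, key=lambda c: rosi(risk, c)) if pool else None


def control_ratio(register: List[Risk], appetite: float):
    """Slide 28 indicator: cost of the recommended controls against the
    'cost of doing nothing' (sum of untreated ALE), plus the ratio."""
    chosen = [recommend(r, appetite) for r in register]
    cost = sum(c.annual_cost for c in chosen if c is not None)
    nothing = sum(r.ale for r in register)
    return cost, nothing, cost / nothing


def board_summary(register: List[Risk], appetite: float, n: int = 10) -> List[dict]:
    """One row per top-N risk with the fields slide 30 asks for."""
    rows = []
    for r in top_risks(register, n):
        c = recommend(r, appetite)
        residual = residual_ale(r, c) if c else r.ale
        rows.append({
            "risk": r.name,
            "asset": r.asset,
            "ale": r.ale,
            "above_appetite": r.ale > appetite,
            "control": c.name if c else None,
            "control_cost": c.annual_cost if c else 0.0,
            "residual": residual,
            "within_appetite_after": residual <= appetite,
        })
    return rows


# Constructed sample register; none of these figures come from the presentation.
REGISTER = [
    Risk("Payment-file tampering", "General ledger feed", aro=0.5, sle=400_000.0,
         controls=[Control("Dual-control release", 20_000.0, 0.9),
                   Control("Quarterly reconciliation", 5_000.0, 0.3)]),
    Risk("Lost laptop with customer PII", "CRM extract", aro=4.0, sle=25_000.0,
         controls=[Control("Full-disk encryption", 30_000.0, 0.95)]),
    Risk("Ransomware on claims clearinghouse", "Claims processing", aro=0.2, sle=2_000_000.0,
         controls=[Control("Phishing awareness", 4_000.0, 0.2),
                   Control("Offline backups and endpoint detection", 60_000.0, 0.8)]),
]
APPETITE = 150_000.0   # assumed board-agreed appetite: money per year, per risk

if __name__ == "__main__":
    for row in board_summary(REGISTER, APPETITE):
        print(row)
    print("controls vs doing nothing:", control_ratio(REGISTER, APPETITE))
```

The point the bullet list alone does not make visible: for the ransomware entry, the cheap awareness control has by far the best return but leaves the residual exposure above appetite, so the appetite test has to run before the ROSI ranking, otherwise the board report recommends a control that does not actually bring the risk within the agreed tolerance.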

31
ITRM Reporting
  • Key Reporting Indicator
  • Status of incident management procedures
  • Objective
  • To provide information to the Board on the
    current status of information risk incident
    management procedures
  • Characteristics
  • Information on the status of the information
    risk incident management process is required,
    both for the organization and peer organizations.
    Where possible, the information should be broken
    down as
  • Cost of incident management resources
  • Performance against key performance indicator
  • Time to mobilize key resources
  • Benchmark against peer organizations
  • Improvements required (with associated cost)

32
Understanding Maturity levels
  • Benefits of a Mature ITRM function
  • Levels of maturity and characteristics of each
    level
  • Next steps
  • Finding your own level of maturity
  • Building a program to be the best

33
Benefits of a Mature ITRM function
  • Benefit
  • Improves the Quality of Decision Making
  • Argument for benefit
  • The rigor that can be applied to the Board
    decisions by knowledgeable, independent directors
    is significant in enhancing the quality of those
    decisions

34
Benefits of a Mature ITRM function
  • Benefit
  • Improves access to inward investment
  • Argument for Benefit
  • Reduces the perception of risk by investors and
    market analysts through transparency and
    accountability.
  • Helps to influence the organization's ability to
    raise finance by demonstrating a commitment to
    the protection of shareholders' assets.
  • Fundamental to restoring trust in capital
    markets.

35
Benefits of a Mature ITRM function
  • Benefit
  • Reduces risk
  • Argument for benefit
  • Helps ensure that the Board's objectives and the
    organization's strategy take into account the
    needs of stakeholders, therefore reducing the
    risk of costly conflict.
  • Establishes a structure where the organization
    can manage risk and develop a strong relationship
    between the organization and Board on risk
    management.
  • Helps to reduce risk of fraud through
    implementation of strong controls, which are
    regularly reviewed for integrity

36
Benefits of a Mature ITRM function
  • Benefit
  • Stimulates performance
  • Argument for Benefit
  • Corporate governance establishes a clear link
    between performance and rewards, which encourages
    the organization to improve performance.

37
Benefits of a Mature ITRM function
  • Benefit
  • Demonstrates organizational integrity
  • Argument for benefit
  • Problems emerge early and are quickly dealt with
    in an organized manner, rather than remaining
    hidden, which gives the markets the impression
    of deception.

38
Benefits of a Mature ITRM function
  • Benefit
  • Improves business relationships
  • Argument for Benefit
  • Demonstrates a heightened awareness of the
    needs of stakeholders by taking into account
    their interests when making decisions.
  • Promotes stronger relationships.

39
Benefits of a Mature ITRM function
  • Benefit
  • Improves public perception and marketability
  • Argument for benefit
  • Increased awareness of stakeholder needs and
    concentration on corporate social responsibility
    encourages organizations to act in a more
    publicly acceptable manner.
  • This improves the way in which the organization
    is perceived as a socially responsible business.

40
Levels of Maturity Matrix
  • 5 levels of maturity based on behaviors
  • Poor Behavior
  • Fair Behavior
  • Medium Behavior
  • Good Behavior
  • Excellent Behavior

41
Levels of Maturity Matrix
  • Criteria to apply against each level of maturity
  • C1 - CMMI (Capability Maturity Model
    Integration) maturity level
    (refer http://www.sei.cmu.edu/cmmi/)
  • C2 - Assimilate ITRM direction from the Board
    into existing processes to create an effective
    ITRM structure
  • C3 - Adequacy of Information Risk Assessment
    processes
  • C4 - How comprehensive, effective, and proactive
    is the management of information risk and the
    implementation of controls
  • C5 - How the organization ensures the integrity
    and effectiveness of information risk management
    processes
  • C6 - Adequacy and level of ITRM reporting
  • C7 - Adequacy and level of ITRM communication
    both within and outside the corporation

42
Level of Maturity Poor Behavior
  • C1 - Initial (CMMI level 1): process is
    unpredictable, poorly controlled, and reactive
  • C2 - Handles direction from Board as separate and
    un-coordinated requests.
  • ITRM structure is poor and inflexible
  • C3 - Employs immature ITRM processes which are
    inconsistent and have limited effectiveness
  • C4 - Implements few controls and reacts to
    information risk incidents as they occur

43
Level of Maturity Poor Behavior
  • C5 - Employs ITRM processes which may be
    generally adequate but are not typically reviewed
  • C6 - ITRM processes provide inadequate
    information which is only reported to next level
    in the organization
  • C7 - ITRM information rarely communicated to any
    level of the organization

44
Level of Maturity Excellent Behavior
  • C1 - Optimizing (CMMI level 5): focus on
    continuous process improvement
  • C2 -Manages and assimilates Board Direction on
    ITRM using well established procedures.
  • ITRM structure is both consistent and flexible in
    response to change
  • C3 -Employs ITRM processes which cover the entire
    business, are mature and are appropriate to meet
    objectives.
  • C4 - Responds proactively to all information
    risks within the risk appetite through a
    comprehensive combination of baseline and
    targeted controls

45
Level of Maturity Excellent Behavior
  • C5 -Employs comprehensive and effective ITRM
    processes which are regularly reviewed
  • C6 -Maintains Board level ITRM reporting
    processes which are timely, adequate, and
    appropriate
  • C7 -Maintains a high level of effective ITRM
    communication at own level throughout the
    organization

46
Criteria for Strong controls needed to meet
Governance objectives
  • There is a system for the identification,
    evaluation, management, and control of KEY risks
  • An Adequate internal control environment with
    regular review mechanism exists, including board
    level oversight
  • Effective monitoring and a corrective action
    processes exist
  • Appropriate channels exist for risk communication
    and information flow with peers, staff and upper
    management

47
Next Steps
  • Finding level of maturity for your program
  • Where do you fit in each category?
  • What is your current capability?
  • What are your shortfalls?
  • What are the risks of failing to Mature?
  • Building your plan
  • Understand the Corporate Governance program
  • Understand the Corporate Risk Management program
  • Align with Corporate Operational Risk Management
    programs
  • Plan to change areas of maturity weakness
  • Sell the program

48
Questions?
49
Other levels of maturity assessments
50
Level of Maturity Fair Behavior
  • C1 - Managed (CMMI level 2): process is
    characterized for projects and is often reactive;
    each project or effort can do its own thing
  • C2 Direction from Board
  • Acted on as it occurs and is assimilated into
    some existing processes.
  • ITRM structure stable but not very flexible
  • C3 -Employs adequate ITRM process where the
    coverage is known but not at all complete
  • C4 - Manages some information risks through
    limited and inconsistent assessments and control
    implementations

51
Level of Maturity Fair Behavior
  • C5 -Employs adequate ITRM processes which are
    reviewed on an ad-hoc basis
  • C6 -Inadequate and unstructured ITRM reporting to
    line management
  • C7 -ITRM information is communicated only at the
    very senior level within the organization

52
Level of Maturity Medium Behavior
  • C1 - Defined (CMMI level 3): process is
    characterized for the organization and is
    proactive, with standardized processes
  • C2 Direction from Board acted upon in a
    consistent manner but not coordinated or
    proactive.
  • ITRM structure established, effective but limited
    in ability to react to change.
  • C3 Has effective ITRM processes in place with
    reasonable coverage of the business
  • C4 -Manages many information risks through
    irregular assessment processes and control
    implementations

53
Level of Maturity Medium Behavior
  • C5 - Has effective ITRM processes in place which
    are occasionally reviewed
  • C6 -Immature and irregular processes for
    reporting to senior management
  • C7 -ITRM information is communicated at most
    senior levels within the organization

54
Level of Maturity Good Behavior
  • C1 - Quantitatively Managed (CMMI level 4):
    process is measured and controlled, managed
    within statistical boundaries
  • C2 Direction from Board acted on consistently
    and in a coordinated but immature process.
  • ITRM structure effective and flexible but
    inconsistent in ability to manage change
  • C3 Has consistent and effective ITRM processes
    in place covering most of the business
  • C4 - Manages most information risks through a set
    of baseline controls and some targeted controls
    based on risk assessments

55
Level of Maturity Good Behavior
  • C5 -Has effective ITRM processes in place which
    are periodically reviewed
  • C6 -Generally adequate but periodic ITRM
    reporting processes to top management
  • C7 -ITRM information is communicated at own level
    throughout most of the organization