Managing IT Risk: The ISACA Risk IT Framework. 1st ISACA Day, Sofia, 15 October. Charalampos (Haris) Brilakis, CISA
1 Managing IT Risk: The ISACA Risk IT Framework
Charalampos (Haris) Brilakis, CISA; ISACA Athens Chapter BoD / Education Committee Chair; Sr. Manager, Internal Audit, Eurobank (Greece)
1st ISACA Day, Sofia, 15 October 2015
"All technology should be assumed guilty until proven innocent" (David Brower, environmentalist)

2 What is your role in managing risk? Do you:
1. Own and manage risks? (e.g. Business & IT Management)
2. Oversee risks? (e.g. Security, Risk Management, Compliance)
3. Provide independent assurance? (Internal Audit)
Harry Brilakis, ISACA Athens Chapter

3 Agenda
- ISACA's Risk IT Framework
- IT Risk basics
- Risk Governance Domain
- Risk Evaluation Domain
- Risk Response Domain
- Process Flow & Key Points to remember
4 Risk Management Frameworks & Risk IT
Standards and frameworks are available, but they are either too generic (enterprise risk management oriented, e.g. COSO ERM) or too IT security oriented. The Risk IT Framework fills the gap:
- Complete, stand-alone framework
- Integrates with other risk management frameworks already implemented
- Complements Val IT and COBIT 4.1
- Guidance available to ISACA members
The scope of the Risk IT framework is also fully covered within the scope of the COBIT 5 framework.

5 What to do to manage IT risk?
Key content of the Risk IT framework includes:
- Risk management essentials. In Risk Governance: risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture. In Risk Evaluation: describing business impact and risk scenarios. In Risk Response: key risk indicators (KRIs) and risk response definition and prioritisation.
- A section on how Risk IT extends and enhances COBIT and Val IT (note: Risk IT does not require the use of COBIT or Val IT)
- Process model sections containing descriptions, input/output tables, a RACI (Responsible, Accountable, Consulted, Informed) table, and a goals and metrics table; a maturity model is provided for each domain
- Appendices: reference materials, a high-level comparison of Risk IT to other risk management frameworks and standards, and a glossary
Available as a free download to all.

6 Guide on how to implement it
Key contents of The Risk IT Practitioner Guide:
- Review of the Risk IT process model
- Risk IT to COBIT and Val IT
- How to use it:
  1. Define a risk universe and scope risk management
  2. Risk appetite and risk tolerance
  3. Risk awareness, communication and reporting: includes key risk indicators, risk profiles, risk aggregation and risk culture
  4. Express and describe risk: guidance on business context, frequency, impact, COBIT business goals, risk maps, risk registers
  5. Risk scenarios: includes capability risk factors and environmental risk factors
  6. Risk response and prioritisation
  7. A risk analysis workflow: swim-lane flow chart, including role context
  8. Mitigation of IT risk using COBIT and Val IT
- Mappings: Risk IT to other risk management standards and frameworks
- Glossary
Available as a free download to ISACA members.

7 Benefits
Benefits of adopting the Risk IT Framework:
- Guidance on how to manage IT-related risks
- A common and sustainable approach for IT risk assessment and response
- A better view of IT-related risk and its financial implications
- A better understanding of the roles and responsibilities with regard to IT risk management
- A common language to help communication amongst business, IT, risk and audit management
- Opportunities for integrating IT risk management with the overall risk and compliance structures within the enterprise
- Alignment with ERM

8 Who can benefit from ISACA's Risk IT Framework?
- Boards and executive management who need to set direction and monitor risk at the enterprise level
- Managers of IT and business departments who need to define risk management processes
- Risk management professionals who need specific IT risk guidance
- External stakeholders

9 Agenda
- The Risk IT Framework
- IT Risk basics
- Risk Governance Domain
- Risk Evaluation Domain
- Risk Response Domain
- Process Flow & Key Points to remember
10 Which of the following entail IT risk?
Business objectives:
1. Improve customer service scores by [xx]% in every branch by year end
2. Reduce customer wait time in line to [xx] minutes
3. By the end of the year, decrease administration expenses by [xx]%
4. Introduce a mobile application to extend our service to younger customers
5. Produce accurate customer monthly billing statements on time
6. Adapt to the new tax law / comply with new regulation of
Generic IT risks:
1. IT project budget overrun or new application development failure, delaying business initiatives
2. Dependency on end-user computing and ad hoc solutions for important information needs
3. Intentional or unintentional software modification leading to wrong data or fraudulent actions
4. Systems cannot handle increased transaction volumes
5. Virus attack
6. Data corruption
7. Lack of new-technology IT skills

11 What is IT risk?
IT risk is business risk: specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
- The risk and opportunity relationship also holds for IT risk
- Business management is the most important stakeholder; it determines what IT needs to do to support the business
- IT risk is not purely a technical issue

12 IT risk in the risk hierarchy
IT risk is a component of the overall risk universe of the enterprise. IT risk is not limited to information security but covers all IT-related risks, for example IT service interruptions, business inefficiency and late project delivery.

13 The Risk IT principles
Effective enterprise governance and management of IT risk:
- Always connects to business objectives
- Aligns the management of IT-related business risk with overall ERM (if implemented)
- Establishes the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels
- Is a continuous process and part of daily activities
- Balances the costs and benefits of managing IT risk
- Promotes fair and open communication of IT risk

14 The three domains
- Risk Governance Domain: ensure that IT risk management practices are embedded in the enterprise
- Risk Evaluation Domain: ensure that IT-related risks and opportunities are identified, analysed and presented in business terms
- Risk Response Domain: ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities

15 The Risk IT process model (diagram)

16 Agenda
- The Risk IT Framework
- IT Risk basics (definitions, principles)
- Risk Governance Domain
- Risk Evaluation Domain
- Risk Response Domain
- Process Flow & Key Points to remember

17 Risk Governance Domain
The domain's basic concepts include:
- Responsibility and accountability for IT risk
- Awareness and communication
- Risk appetite and tolerance, risk capacity
- Risk culture
18 Risk Governance Domain: assign responsibility and accountability for IT risk
- Stakeholders are across the enterprise, not just IT
- Guidance is provided (RACI charts)
Promote risk awareness via risk communication, so that risks are well understood and known, IT risk issues are identifiable, and the enterprise recognises and uses the means to manage them.
What to communicate: risk strategy, policies and procedures, awareness training; risk management process maturity; risk profile, KRIs, events and loss data, root causes of loss events.
To whom: executive management, board, CRO, CIO, CFO, business management, IT management, risk control, compliance, audit, HR, staff.

19 Risk Governance Domain: risk appetite
The broad-based amount of risk a company or other entity is willing to accept when trying to achieve its objectives. It is measured in terms of frequency and magnitude of a risk: what amount of loss does the enterprise want to accept in order to pursue a return?

20 Risk Governance Domain: risk tolerance and risk capacity
Risk tolerance: the acceptable level of variation that management is willing to allow for any particular risk as it pursues objectives. It is often measured in the same units as those used to measure the related objective. At lower levels of the enterprise, exceptions can be tolerated as long as the overall exposure (at enterprise level) does not exceed the set risk appetite.
Risk capacity: the cumulative loss an enterprise can withstand without risking its continued existence. It differs from risk appetite, which is more about how much risk is desirable.

21 Risk Governance Domain: risk appetite and risk capacity
Left diagram, a relatively sustainable situation: risk appetite is lower than risk capacity; actual risk exceeds risk appetite in a number of situations, but always remains below risk capacity.
Right diagram, an unsustainable situation: risk appetite is defined at a level beyond risk capacity, which means management is prepared to accept risk well over its capacity to absorb loss. As a result, actual risk routinely exceeds risk capacity even while staying almost always below the risk appetite level.

22 Risk Governance Domain: risk culture
A setting in which components of risk are discussed openly, and acceptable levels of risk are understood and maintained.
23 Agenda
- The Risk IT Framework
- IT Risk basics (definitions, principles)
- Risk Governance Domain (establish, define)
- Risk Evaluation Domain
- Risk Response Domain
- Process Flow & Key Points to remember

24 Risk Evaluation Domain essentials
The domain's basic concepts include:
- Risk scenarios
- Business impact descriptions

25 Risk Evaluation Domain essentials: IT risk scenarios
An IT risk scenario is a description of a possible IT-related event that, when or if it occurs, can lead to a business impact. Its components are: actor, threat type, event, asset/resource, time.
Note: risk scenarios are key elements of the COBIT 5 risk management process APO12.

26 Risk Evaluation Domain essentials: examples of generic IT risk scenarios
E.g. damage to a critical server; regular software malfunction of critical application software.

27 Risk Evaluation Domain essentials: IT risk scenarios (cont.)
IT risk scenarios can be created with a combination of two approaches:
- Top-down: from business objectives to probable IT risk scenarios
- Bottom-up: from generic IT scenarios
Both approaches are complementary and should be used simultaneously. The Risk IT Practitioner Guide and COBIT 5 for Risk provide a comprehensive set of generic risk scenarios; these should be used as a reference to reduce the chance of overlooking major or common risk scenarios.

28 Risk Evaluation Domain essentials: IT risk scenarios (cont.)
Risk factors are factors that influence the frequency and/or business impact of risk scenarios. They relate to the enterprise's environment and to its capabilities.

29 Risk Evaluation Domain essentials: business impact descriptions
- IT risk should be expressed in unambiguous, clear, business-relevant terms
- The Risk IT Framework does not prescribe any single method
- IT risk scenarios should be linked to their ultimate business impact

30 Agenda
- The Risk IT Framework
- IT Risk basics (definitions, principles)
- Risk Governance Domain (establish, define)
- Risk Evaluation Domain (assess)
- Risk Response Domain
- Process Flow & Key Points to remember
31 Risk Response Domain essentials
The domain's basic concepts include:
- Key risk indicators (KRIs)
- Risk response definition and prioritisation

32 Risk Response Domain essentials: key risk indicators (KRIs)
Metrics capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite.

33 Risk Response Domain essentials: risk response definition and prioritisation
The purpose of defining a risk response is to bring risk in line with the defined risk appetite for the enterprise after risk analysis. A response needs to be defined such that the future residual risk (the current risk with the risk response defined and implemented) is, as far as possible (usually depending on the budget available), within risk tolerance limits.

34 Risk Response Domain essentials: responses to risk
- Risk avoidance: exiting the activities or conditions that give rise to the risk.
- Risk reduction/mitigation: action is taken to detect the risk, followed by action to reduce the frequency and/or impact of the risk.
- Risk sharing/transfer: reducing risk frequency or impact by transferring or otherwise sharing a portion of the risk. Common techniques include insurance and outsourcing.
- Risk acceptance: no action is taken relative to a particular risk, and the loss is accepted when or if it occurs. IT risk should be accepted only by business management (and business process owners) in collaboration with, and supported by, IT, and the acceptance should be communicated to senior management and the board.

35 Risk Response Domain essentials: risk response selection and prioritisation
Selection criteria: cost of the response (e.g. an insurance premium); importance of the risk; capability to implement the response; effectiveness of the response; efficiency of the response.
Risk response prioritisation:
- Quick win: an efficient and effective response to a high risk
- Business case (BC): an expensive or difficult response to a high risk, or an efficient and effective response to a lower risk
- Defer: a costly response to a lower risk
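The following is an added worked example, not part of the slides and not ISACA's own tooling. It ties together three of the slides above: the scenario components of slide 25 (actor, threat type, event, asset/resource, time), the KRI definition of slide 32 (a metric showing exposure above appetite), the appetite/tolerance/capacity distinctions of slides 19 to 21, and the quick win / business case / defer prioritisation of slide 35. Because Risk IT does not prescribe a quantification method (slide 29), the example assumes a simple annualised frequency × impact model; the scenarios, euro figures, appetite, tolerance and capacity limits are all constructed for illustration, and the rule that a response is "efficient" when its annual cost is below the exposure it removes is an assumption of this example.

```python
"""Added example: a small IT risk register evaluated against appetite, tolerance
and capacity, with KRI status and Risk IT style response prioritisation.
All figures and thresholds are constructed; the exposure model (frequency x
impact, annualised) is an assumption, since Risk IT prescribes no method."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RiskScenario:
    """Risk IT scenario components plus the analyst's frequency/impact estimates."""
    name: str
    actor: str          # who/what triggers the event
    threat_type: str    # malicious, accidental, failure, natural, ...
    event: str          # what happens
    asset: str          # asset/resource affected
    time: str           # when it matters (e.g. month-end)
    frequency: float    # expected occurrences per year (assumption: annualised)
    impact: float       # expected loss per occurrence, EUR (constructed)

    @property
    def exposure(self) -> float:
        return self.frequency * self.impact


@dataclass(frozen=True)
class RiskResponse:
    scenario: str
    option: str               # avoid / reduce / share / accept (slide 34)
    annual_cost: float        # cost of the response per year
    residual_frequency: float
    residual_impact: float
    feasible: bool = True     # capability to implement the response

    @property
    def residual_exposure(self) -> float:
        return self.residual_frequency * self.residual_impact


@dataclass(frozen=True)
class RiskLimits:
    appetite: float   # per-scenario exposure management is willing to accept
    tolerance: float  # variation above appetite allowed for a single scenario
    capacity: float   # cumulative loss the enterprise can absorb (slide 20)


def kri_status(scenario: RiskScenario, limits: RiskLimits) -> str:
    """KRI (slide 32): 'breach' above appetite + tolerance, 'warning' above appetite."""
    if scenario.exposure > limits.appetite + limits.tolerance:
        return "breach"
    if scenario.exposure > limits.appetite:
        return "warning"
    return "ok"


def capacity_check(scenarios: List[RiskScenario], limits: RiskLimits) -> Tuple[float, bool]:
    """Aggregate exposure vs risk capacity: the sustainable/unsustainable test of slide 21."""
    total = sum(s.exposure for s in scenarios)
    return total, total <= limits.capacity


def prioritise(scenario: RiskScenario, response: RiskResponse, limits: RiskLimits) -> str:
    """Slide 35 rules: quick win / business case / defer."""
    high_risk = scenario.exposure > limits.appetite
    # effective: residual risk lands within tolerance (slide 33)
    effective = response.residual_exposure <= limits.appetite + limits.tolerance
    # efficient (assumption): feasible and cheaper per year than the exposure it removes
    reduction = scenario.exposure - response.residual_exposure
    efficient = response.feasible and response.annual_cost < reduction
    if high_risk and effective and efficient:
        return "quick win"
    if high_risk or (effective and efficient):
        return "business case"
    return "defer"


# Constructed register: names, figures and limits are illustrative only.
LIMITS = RiskLimits(appetite=100_000, tolerance=50_000, capacity=1_000_000)
SCENARIOS = [
    RiskScenario("server-damage", "environment", "accident", "damage of critical server",
                 "core banking DB host", "business hours", 0.5, 400_000),
    RiskScenario("app-malfunction", "internal", "failure", "regular software malfunction",
                 "billing application", "month-end", 2.0, 60_000),
    RiskScenario("euc-spreadsheet", "internal", "error", "wrong figures from ad hoc spreadsheet",
                 "regulatory report", "quarter-end", 4.0, 5_000),
    RiskScenario("malware", "external", "malicious", "virus attack",
                 "branch workstations", "any", 1.0, 50_000),
]
RESPONSES = {
    "server-damage":   RiskResponse("server-damage", "reduce", 30_000, 0.1, 100_000),
    "app-malfunction": RiskResponse("app-malfunction", "share", 150_000, 1.0, 30_000),
    "euc-spreadsheet": RiskResponse("euc-spreadsheet", "reduce", 40_000, 1.0, 5_000),
    "malware":         RiskResponse("malware", "reduce", 10_000, 0.2, 20_000),
}


def evaluate_register() -> Dict[str, Tuple[str, str]]:
    """Return {scenario name: (KRI status, response priority)} for the register."""
    return {s.name: (kri_status(s, LIMITS), prioritise(s, RESPONSES[s.name], LIMITS))
            for s in SCENARIOS}


if __name__ == "__main__":
    for name, (kri, prio) in evaluate_register().items():
        print(f"{name:16} KRI={kri:8} priority={prio}")
    total, sustainable = capacity_check(SCENARIOS, LIMITS)
    print(f"aggregate exposure {total:,.0f} EUR, within capacity: {sustainable}")
```

Note the two different comparisons: each scenario is judged individually against appetite plus tolerance (the per-risk variation slide 20 allows), while the sum of all exposures is judged against capacity, which is what makes the right-hand diagram on slide 21 unsustainable even when no single scenario looks alarming. The register here is sustainable (aggregate 390,000 against a capacity of 1,000,000), yet one scenario breaches its KRI and gets a quick-win response, while the cheap but low-yield spreadsheet control is deferred.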
36 Agenda
- The Risk IT Framework
- IT Risk basics (definitions, principles)
- Risk Governance Domain (establish, define)
- Risk Evaluation Domain (assess)
- Risk Response Domain (act)
- Process Flow & Key Points to remember

37 Risk IT process model
1. Define a risk universe and scope risk management
2. Risk appetite and risk tolerance
3. Risk awareness, communication and reporting: includes key risk indicators, risk profiles, risk aggregation and risk culture
4. Express and describe risk: guidance on business context, frequency, impact, COBIT business goals, risk maps, risk registers
5. Risk scenarios: includes capability risk factors and environmental risk factors
6. Risk response and prioritisation
7. A risk analysis workflow: swim-lane flow chart, including role context
8. Mitigation of IT risk using COBIT and Val IT

38 Key points
- ISACA Risk IT complements other risk frameworks and can (and should) be adapted to the organisation
- IT risk is business risk: business management is the most important stakeholder; IT risk should be expressed in business terms; it contains both opportunities for benefit and threats to success
- Responsibilities of the three lines of defence: own/manage, oversee, assure
- Risk culture, communication and awareness around IT's role in risk and opportunity

39 Thank you!
Charalampos (Harry) Brilakis, CISA, harry.bril {at} gmail.com
ISACA Athens Chapter, Massalias, Athens, Info {at} isaca.gr
More informationCOBIT 5 With COSO 2013
Integrating COBIT 5 With COSO 2013 Stephen Head Senior Manager, IT Risk Advisory Services 1 Our Time This Evening Importance of Governance COBIT 5 Overview COSO Overview Mapping These Frameworks Stakeholder
More informationCybersecurity & Privacy Enhancements
Business, Industry and Government Cybersecurity & Privacy Enhancements John Lainhart, Director, Grant Thornton The National Institute of Standards and Technology (NIST) is in the process of updating their
More informationSecurity Director - VisionFund International
Security Director - VisionFund International Location: [Europe & the Middle East] [United Kingdom] Category: Security Job Type: Open-ended, Full-time *Preferred location: United Kingdom/Eastern Time Zone
More informationInformation Security Governance and IT Governance
Information Security Governance and IT Governance Overview NC State is redesigning its IT governance process (see external document, NC State IT Governance Redesign at http://go.ncsu.edu/it-governance-redesign-final
More informationROI for Your Enterprise Through ISACA A global IS association helping members achieve organisational success.
ROI for Your Enterprise Through ISACA A global IS association helping members achieve organisational success. ROI for Your Enterprise Through ISACA With the growing complexities of global business and
More informationCISA Training.
CISA Training www.austech.edu.au WHAT IS CISA TRAINING? The CISA, Certified Information Systems Auditor, is a professional designation which provides great benefits and increased influence for an individual
More informationSecurities Industry Association Sarbanes Oxley from the IT Practitioner s Point of View. October, 2004
Securities Industry Association Sarbanes Oxley from the IT Practitioner s Point of View October, 2004 Introduction Influences on Bear Stearns approach Bear Stearns IT Strategy 2 SOX Section 404 SEC. 404.
More informationEXAM PREPARATION GUIDE
EXAM PREPARATION GUIDE PECB Certified ISO/IEC 38500 Lead IT Corporate Governance Manager The objective of the PECB Certified ISO/IEC 38500 Lead IT Corporate Governance Manager examination is to ensure
More informationNERC Staff Organization Chart Budget 2019
NERC Staff Organization Chart Budget 2019 President and CEO Associate Director to the Office of the CEO Senior Vice President and Chief Reliability Senior Vice President, General Counsel and Corporate
More informationBCS Practitioner Certificate in Information Risk Management Syllabus
BCS Practitioner Certificate in Information Risk Management Syllabus Version 6.5 April 2017 This qualification is not regulated by the following United Kingdom Regulators - Ofqual, Qualification in Wales,
More information354 & Index Board of Directors Responsibilities Audit Committee and Risk Committee Coordination, 244 Audit Committee Functions and Responsibilities, 2
Index Accounts Payable Process Review Procedures Assessments, 191 Actions to Resolve Risks COSO ERM Control Activities, 97 Activity Management COSO ERM Control Activities, 81 AICPA SAS No. 1 Internal Controls
More informationGetting Started with IT Service Management
Getting Started with IT Service Management SMSG 4 th February 2014 BCS Bedford Branch Ian Connelly Over 15 years experience working in IT, latterly within Service Operations for Telcos, ISPs & the insurance
More informationDepartment of Management Services REQUEST FOR INFORMATION
RESPONSE TO Department of Management Services REQUEST FOR INFORMATION Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 250 South President
More informationBRING EXPERT TRAINING TO YOUR WORKPLACE.
BRING EXPERT TRAINING TO YOUR WORKPLACE. ISACA s globally respected training and certification programs inspire confidence that enables innovation in the workplace. ISACA s On-Site Training brings a unique
More informationCybersecurity in Higher Ed
Cybersecurity in Higher Ed 1 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students,
More informationTable of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING
Table of Contents Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING Chapter 1: Significance of Internal Auditing in Enterprises Today: An Update 3 1.1 Internal Auditing History and Background
More informationBREAKING BARRIERS TO COLLABORATE WITH THE C-SUITE
BREAKING BARRIERS TO COLLABORATE WITH THE C-SUITE 31st Annual SoCal ISSA Security Symposium Wendy T. Wu Vice President Agenda + CISO: Then and Now + Who are the Stakeholders and What Do They Care About?
More informationGRC SURVEY RESULT Please indicate your profession
COPENHAGEN?=! CO?=! MPLIANCE T o p i c a l a n d T i m e l y Riskability GRC Controllers Governance, Risk & Compliance COPENHAGEN?=! CHARTER Bribery, Fraud & Corruption GRC SURVEY RESULT. Please indicate
More informationRisk Based IT Auditing Master Class. Unlocking your World to a Sea of Opportunities
Risk Based IT Auditing Master Class Unlocking your World to a Sea of Opportunities The Digital World Information Technology has developed into a nerve center of every organisation. It has become an intrinsic
More informationCYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS
CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS WILLIAM (THE GONZ) FLINN M.S. INFORMATION SYSTEMS SECURITY MANAGEMENT; COMPTIA SECURITY+, I-NET+, NETWORK+; CERTIFIED
More informationSDLC Maturity Models
www.pwc.com SDLC Maturity Models SecAppDev 2017 Bart De Win Bart De Win? 20 years of Information Security Experience Ph.D. in Computer Science - Application Security Author of >60 scientific publications
More informationfalanx Cyber ISO 27001: How and why your organisation should get certified
falanx Cyber ISO 27001: How and why your organisation should get certified Contents What is ISO 27001? 3 What does it cover? 3 Why should your organisation get certified? 4 Cost-effective security management
More informationNERC Staff Organization Chart Budget 2019
NERC Staff Organization Chart Budget 2019 President and CEO Associate Director to the Office of the CEO Senior Vice President and Chief Reliability Officer Senior Vice President, General Counsel and Corporate
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationData ownership within governance: getting it right
Data ownership within governance: getting it right Control your data An Experian white paper Data Ownership within Governance : Getting it right - 1 Table of contents 1. Introduction 03 2. Why is data
More informationMetricStream GRC Summit 2013: Case Study
W E L C O M E MetricStream GRC Summit 2013: Case Study Angela Hoon Principal KPMG LLP Lisa Rawls Director KPMG LLP Supradeep Appikonda Director MetricStream Cutting through Complexity During Your GRC Journey
More informationWhy you should adopt the NIST Cybersecurity Framework
Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive
More informationCOURSE BROCHURE CISA TRAINING
COURSE BROCHURE CISA TRAINING What is CISA? The CISA, Certified Information Systems Auditor, is a professional designation which provides great benefits and increased influence for an individual within
More informationBusiness Analysis in Practice
Business Analysis in Practice (Level 2 CCBA Certification Preparation Course) Duration: 3 days PM-Partners have been leaders in project management certification for 20 years, training over 8,500 industry
More informationPosition Title: IT Security Specialist
Position Title: IT Security Specialist SASRIA SOC LIMITED Sasria, a state-owned company, is the only short-term insurer in South Africa that provides affordable voluntary cover against special risks such
More informationIntroduction to ISO/IEC 27001:2005
Introduction to ISO/IEC 27001:2005 For ISACA Melbourne Chapter Technical Session 18 th of July 2006 AD Prepared by Endre P. Bihari JP of Performance Resources What is ISO/IEC 17799? 2/20 Aim: Creating
More informationKENYA SCHOOL OF GOVERNMENT EMPLOYMENT OPORTUNITY (EXTERNAL ADVERTISEMENT)
KENYA SCHOOL OF GOVERNMENT EMPLOYMENT OPORTUNITY (EXTERNAL ADVERTISEMENT) 1. DIRECTOR, LEARNING & DEVELOPMENT - LOWER KABETE Reporting to the Director General, Campus Directors will be responsible for
More information<< Practice Test Demo - 2PassEasy >> Exam Questions CISM. Certified Information Security Manager. https://www.2passeasy.
Exam Questions CISM Certified Information Security Manager https://www.2passeasy.com/dumps/cism/ 1.Senior management commitment and support for information security can BEST be obtained through presentations
More informationRISK INTELLIGENCE Assurance and efficiency improvement through a robust Enterprise Risk Management approach
INTELLIGENCE RISK INTELLIGENCE Assurance and efficiency improvement through a robust Enterprise Risk Management approach Carla De Geyseleer CFO Investor Days 2018, Bordeaux CERTIFICATION ACTIVATION 2 Prioritizing
More informationBest Practices & Lesson Learned from 100+ ITGRC Implementations
Best Practices & Lesson Learned from 100+ ITGRC Implementations Presenter: Vivek Shivananda CEO of Rsam Dec 3, 2010 ISACA -NY Chapter Copyright 2002 2010 Relational Security Corp. (dba Rsam) Agenda Overview
More informationSTAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:
STAFF REPORT January 26, 2001 To: From: Subject: Audit Committee City Auditor Information Security Framework Purpose: To review the adequacy of the Information Security Framework governing the security
More informationCCISO Blueprint v1. EC-Council
CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance
More information