Brad Boroff, CISA, CRISC
Chief Information Security Officer, Illinois Department of Revenue
Governance is the strategic alignment of operations with the agency such that maximum business value is achieved through the development and maintenance of effective control and compliance, performance management, and risk management.

(Diagram: Agency at the center, surrounded by Risk, Control and Compliance.)

(Governance cycle diagram: Monitor, Assess, Manage; Risk, Controllership, Compliance.)
Risk charts the course (direction, speed, destination, finish):
Comprehensive Risk Assessments; Goals and Objectives; The Agency/Business; Consulting; Acquisition and Integrations; Vision / Forecasting

Controllership is the operation (fuel, power, storage, alterations), expressed as Policies, Standards and Procedures:
Policy Management; Access Management; Core Technology Standards; Project Services; Change Management; Data & Asset Management

Compliance is gauging and monitoring (performance, inspections, correction):
Evaluate; Measure; Self Audit; Reporting; Adherence; Investigations; Discipline
Governance Program Building

Risk
  Who: Risk Council; Risk Champion
  What: Strategy; Prioritization; Risk acceptance; Executive Operations

Controllership
  Who: Controller; Global Security; Project Services
  What: Digitization / Tools; Policy Management; Control Implementation

Compliance
  Who: Compliance/Disclosure; Audit Staff; Office of Compliance
  What: Assess compliance; Report adequacy; Standardization; Performance & Metrics

(Governance cycle diagram: Vision, Policy, Control, Report; Risk, Controllership, Compliance; Monitor, Assess.)
Definition of RISK (Merriam-Webster):
1: possibility of loss or injury : PERIL
2: someone or something that creates or suggests a hazard

Probability x Impact = Inherent Risk (no controls applied)
Inherent Risk x Controllership = Residual Risk (controls applied)

Rating scales:
Probability: H=3, M=2, L=1
Impact: H=3, M=2, L=1
Inherent Risk (IR) = Probability x Impact
Controllership: H=1, M=2, L=3 (strong controls score low, weak controls score high)
Residual Risk (RR) = IR x Controllership

Worked example 1:
Probability x Impact = Inherent Risk: 3 x 3 = 9
Inherent Risk x Controllership = Residual Risk: 9 x 2 = 18
Control Considerations: 1) Good Policy 2) Intrusion Detection 3) Security Guards 4) Physical Barriers 5) Logical Barriers

Worked example 2:
Probability x Impact = Inherent Risk: 3 x 2 = 6
Inherent Risk x Controllership = Residual Risk: 6 x 1 = 6
Control Considerations: 1) Good Policy 2) Comprehensive System 3) Research 4) Communication 5) Operations

Exercise (fill in the blanks):
Probability x Impact = Inherent Risk: ? x ? = ?
Inherent Risk x Controllership = Residual Risk: ? x ? = ?
Control Considerations: ?

Risk assessment frameworks:
1) ISO 27001 & ISO 27005
2) COBIT 5.0 (includes ValRISK)
3) NIST SP 800-30
Top Ten List:
10) Legacy/Out of Date Processes
9) Rules and Regulations/Policy Management
8) Unauthorized Access (Internal)
7) Integration and Consolidation
6) Change Management
5) End User Controls or Ad-Hoc Solutions
4) Theft of Data
3) Industrial Espionage
2) Virus Attacks or Malware
1) Hacking/Cyber Security

Organization (reporting to the CISO):
Specialist; Risk & Policy; Security Operations; Compliance and Disclosure; DR & Recovery Services; Access Admin; Infrastructure

Investment: Time; Acceptance; Change; Culture
Benefits: Structure/Alignment; Stability; Sustainability; Best Practices; Effectiveness; Auditability; Demand Management; Tool Optimization; Visibility; Centralization

(Governance cycle diagram: Vision, Policy, Control, Report; Risk, Controllership, Compliance; Monitor, Assess.)
Proposal to establish Governance Program (12-24 months to develop and implement)
Owners shown: CISO; Internal Audit

Success Factors:
Sustainable Governance Program
Governance Program Management
Monitoring and Compliance Mechanisms
Establish IT Governance Program Structure & Approach
Sr. Management approval of Governance Concept and Implementation
Risk Assessments and Analysis
Control Management and Framework Activities
Management Commitment and Sponsorship
Establish Appropriate Program Resourcing
Business Engagement & Inclusion
Ensuring Continuous Improvement Planning and Program Maturity
Program Auditability

Initial Activities:
Obtain Senior IT Leadership Commitment
Determine & Engage internal resources
Develop and Deliver Risk Assessment
Perform Risk and Control Analysis
Control Framework Activities