These are the presentation slides from the courseware used to deliver the Information Technology Risk Management training workshop in May 2013.
2. Trainer Profile
15 years of working experience with exposure in
advisory, consulting, audit, training and education,
software development, project management and
network administration
VP - Head of Information Technology at Roligio Group
Advisor at Global Innovations and Technology
Platform
Subject Matter Expert, Editorial Journal Reviewer and
Exam Developer at ISACA
Program Evaluator at Project Management Institute
Microsoft Faculty Fellow
Columnist and contributor at ZDNet Asia, e27.co,
Forbes Indonesia, DetikINET and InfoKomputer
among others
4. Definition
• Risk is the effect of uncertainty on objectives,
whether positive or negative
• Risk Management: Identification, assessment,
and prioritization of risks
• Involves coordination and economical
application of resources to minimize, monitor,
and control the probability and/or impact of
unfortunate events or to maximize the
realization of opportunities
ValueConsult
IT Risk Management
4
5. Sources
• Uncertainty in financial markets
• Project failures (at any phase in design, development,
production, or sustainment life-cycles)
• Legal liabilities
• Credit risk
• Accidents
• Natural causes and disasters
• Deliberate attack from an adversary
• Uncertain or unpredictable root-cause
• Others…
6. Ideal Risk Management
• Prioritizing risks with the greatest loss (or impact)
and the greatest probability of occurrence
• Risks with lower probability of occurrence and
lower loss are handled in descending order
• In practice the process of assessing overall risk
can be difficult
• Balancing the resources spent on mitigating risks with a high probability of occurrence but low loss against those with a high loss but low probability of occurrence is often mishandled
7. Intangible Risk Management
• Identifies a type of risk that has a 100% probability of occurring but is ignored by the organization because it lacks the ability to identify it
• For example, when deficient knowledge is applied to a situation, a knowledge risk materializes
• Relationship risk appears when ineffective collaboration occurs
• These risks directly reduce the productivity of knowledge workers and decrease cost effectiveness, profitability, service, quality, reputation, brand value and earnings quality
• Managing them allows risk management to create immediate value by identifying and reducing the risks that reduce productivity
8. Risk Management Methodology
• Identify and characterize threats
• Assess vulnerability of critical assets to specific
threats
• Determine likelihood and impact of the risks
• Identify ways to reduce those risks
• Prioritize risk reduction measures based on a
strategy
9. Risk Management Principles
• Create value
• Resources expended to mitigate risk should be
less than the consequence of inaction (the
gain should exceed the pain)
• be an integral part of organizational processes
• be part of decision making process
• explicitly address uncertainty and assumptions
• be systematic and structured
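The two slides above (prioritising by loss and probability, and "the gain should exceed the pain") describe a procedure without showing it. The following is an added example, not part of the training material: it ranks a small risk register by annualised loss expectancy (single loss expectancy × annualised rate of occurrence), computes the residual expectancy once a proposed control is in place, and decides a response from the net benefit of the control and a tolerance figure. All risk names, loss figures, control costs and the tolerance value are constructed, and the mitigate/accept/escalate rule is a simplification for the example, not a rule taken from any framework.

```python
"""Added illustration (not from the training material): rank a risk register
by annualised expected loss and test whether a proposed control is worth its
cost. All figures below are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float            # single loss expectancy: loss per occurrence
    aro: float            # annualised rate of occurrence (events per year)
    control: str          # hypothetical mitigation under consideration
    control_cost: float   # annual cost of operating that control (assumed)
    sle_after: float      # SLE expected once the control is in place (assumed)
    aro_after: float      # ARO expected once the control is in place (assumed)

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: impact x probability, per year."""
        return self.sle * self.aro

    @property
    def residual_ale(self) -> float:
        """Expected loss that remains after the control is implemented."""
        return self.sle_after * self.aro_after

    @property
    def net_benefit(self) -> float:
        """ALE reduction minus control cost: positive means the gain exceeds the pain."""
        return (self.ale - self.residual_ale) - self.control_cost


# Constructed register: frequent/low-impact, rare/high-impact and mid-range
# risks, chosen so that the ranking and the control decisions differ.
REGISTER = [
    Risk("Unencrypted laptop theft", sle=20_000, aro=2.0,
         control="Full-disk encryption", control_cost=5_000,
         sle_after=1_000, aro_after=2.0),
    Risk("Data-centre fire", sle=2_000_000, aro=0.01,
         control="Warm standby site", control_cost=150_000,
         sle_after=200_000, aro_after=0.01),
    Risk("Phishing-led account takeover", sle=50_000, aro=1.5,
         control="Phishing-resistant MFA", control_cost=20_000,
         sle_after=50_000, aro_after=0.15),
    Risk("SaaS provider outage", sle=8_000, aro=4.0,
         control="Second provider on standby", control_cost=60_000,
         sle_after=8_000, aro_after=1.0),
]


def rank_by_ale(register):
    """Highest expected annual loss first: the prioritisation the slides call for."""
    return [r.name for r in sorted(register, key=lambda r: r.ale, reverse=True)]


def decide(risk: Risk, tolerance: float) -> str:
    """Simplified response rule (an assumption of this example, not a framework
    rule): mitigate when the control pays for itself and brings residual ALE
    within tolerance; otherwise accept if the untreated ALE is already
    tolerable; otherwise escalate for a share/transfer or avoid decision."""
    if risk.net_benefit > 0 and risk.residual_ale <= tolerance:
        return "mitigate"
    if risk.ale <= tolerance:
        return "accept"
    return "escalate"


def treatment_plan(register, tolerance):
    """Map each risk to its decision, in priority order."""
    ranked = sorted(register, key=lambda r: r.ale, reverse=True)
    return {r.name: decide(r, tolerance) for r in ranked}


if __name__ == "__main__":
    for name, action in treatment_plan(REGISTER, tolerance=25_000).items():
        print(f"{action:9s} {name}")
```

With these constructed numbers the rare, high-impact fire ranks last by expected loss and is accepted because the standby site costs far more than it saves, while the frequent, cheap-to-fix laptop and phishing risks are mitigated; the outage is neither cheap to mitigate nor within tolerance, so it is pushed to a transfer or avoid decision. The point is that expected loss alone does not decide the response: the cost of the control and the tolerance figure both enter.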
10. Risk Management Principles (cont’d)
• be based on the best available information
• be tailorable
• take human factors into account
• be transparent and inclusive
• be dynamic, iterative and responsive to change
• be capable of continual improvement and enhancement
• be continually or periodically re-assessed
11. Risk Management Process
• ISO 31000
1. Establishing the context
• identification of risk in a selected domain of interest
• planning the remainder of the process
• mapping out
– the social scope of risk management
– the identity and objectives of stakeholders
– the basis upon which risks will be evaluated, constraints
• defining a framework for the activity and an agenda for identification
• developing an analysis of risks involved in the process
• mitigation or solution of risks using available technological, human and organizational resources
2. Identification: source and problem analysis
3. Assessment
12. Risk Options
• Design a new business process with adequate
built-in risk control and containment measures
from the start
• Periodically re-assess risks accepted in ongoing
processes as a normal feature of business
operations and modify mitigation measures
• Transfer risks to an external agency (insurance
company, etc)
• Avoid risks altogether (e.g. closing down a particular high-risk business unit or department)
13. Risk Response
• Avoidance
Eliminate, withdraw from or not become involved
• Reduction
Optimize, Mitigate
• Sharing
Transfer , outsource or insure
• Retention
Accept and budget
14. Risk Management Plan
• Select appropriate controls or countermeasures to manage each risk
• Propose applicable and effective security
controls for managing the risks
• Contain a schedule for control implementation
and responsible persons for those actions
• Approval from the appropriate level of
management for risk mitigation
15. Risk Management Plan (cont’d)
• According to ISO/IEC 27001, after risk
assessment prepare a Risk Treatment Plan
(document the decisions about how each of the
identified risks should be handled)
• Mitigation of risks often means selection
of security controls; it should be documented in a
Statement of Applicability, which identifies which
particular control objectives and controls from
the standard have been selected, and why
• Implementation follows all of the planned
methods for mitigating the effect of the risks
16. Risk Management Plan (cont’d)
• Initial risk management plans will never be perfect
• Practice, experience, and actual loss results will
necessitate changes in the plan and contribute
information to allow possible different decisions to be
made in dealing with the risks being faced
• Risk analysis results and management plans should be
updated periodically. There are two primary reasons
for this:
– To evaluate whether the previously selected security
controls are still applicable and effective
– To evaluate the possible risk level changes in the business
environment
17. Risk Management Challenges
• Prioritizing risk management processes too highly could keep an
organization from ever completing a project or even getting started
• Differentiate between risk and uncertainty: risk can be measured as impact x probability
• If risks are improperly assessed and prioritized, time can be wasted
in dealing with risk of losses that are not likely to occur
• Spending too much time assessing and managing unlikely risks can
divert resources that could be used more profitably
• Unlikely events do occur but if risk is unlikely enough to occur it
may be better to simply retain risk and deal with the result if loss
does occur
• Qualitative risk assessment is subjective and lacks consistency
• Primary justification for a formal risk assessment process is legal
and bureaucratic
19. Definition
• Methods and processes used by organizations to
manage risks and seize opportunities related to
the achievement of their objectives
• Its framework involves
– Identifying particular events or circumstances relevant
to the organization's objectives (risks and
opportunities)
– Assessing them in terms of likelihood and magnitude
of impact
– Determining a response strategy
– Monitoring progress and assurance
20. Definition (cont’d)
• In short, ERM is a risk-based approach to managing a company, corporation or enterprise that integrates the concepts of internal control, the Sarbanes-Oxley Act (for U.S. corporations) and strategic planning
21. Benefits
• Identifying and addressing risk and
opportunities proactively
• The company or business protects and creates value for its stakeholders, such as owners, employees, customers, regulators and society in general
22. ERM Framework
• Known as Risk Response Strategy:
– Avoidance: exiting the activities giving rise to risk
– Reduction: taking action to reduce the likelihood
or impact related to the risk
– Alternative Actions: deciding and considering
other feasible steps to minimize risks
– Share or Insure: transferring or sharing a portion
of the risk, to finance it
– Accept: no action is taken, due to a cost or benefit
decision
24. ERM Processes
• Establishing Context
Understanding the current conditions in which the organization operates: its internal, external and risk management context
• Identifying Risks
Documenting material threats to organization’s
achievement of its objectives and representation of
areas the organization may exploit for competitive
advantage
• Analyzing/Quantifying Risks
Creating probability distributions of outcomes for each
material risk
25. ERM Processes (cont’d)
• Integrating Risks
Aggregating all risk distributions, reflecting correlations and
portfolio effects, formulating results of impact on company
key performance metrics
• Assessing or Prioritizing Risks
Determining contribution of each risk to aggregate risk profile,
and doing prioritization
• Treating or Exploiting Risks
Crafting strategies for controlling and exploiting various risks
• Monitoring and Reviewing
Measuring and monitoring risk environment and performance
of risk management strategies
26. ERM Objectives
• Companies manage risks and have various
departments or functions ("risk functions") that
identify and manage particular risks
• Each risk function varies in capability and how it
coordinates with other risk functions
• Main goal and challenge is improving this
capability, coordination, integration of output to
provide a unified picture of risk for stakeholders
and improving organization's ability to manage
enterprise risks effectively
27. ERM Challenges
• Identifying executive sponsors
• Establishing a common risk language or glossary
• Describing the enterprise’s risk appetite (which risks it will and will not take)
• Identifying and describing risks in risk inventory
• Implementing risk-ranking methodology to
prioritize risks within and across functions
• Setting up Risk Committee and or Chief Risk
Officer to coordinate certain activities of entire
risk functions
28. ERM Challenges (cont’d)
• Establishing ownership for particular risks and responses
• Calculating Cost-Benefit Analysis of risk management
effort.
• Developing action plans to ensure risks are appropriately
managed
• Developing consolidated reporting for various stakeholders
• Monitoring results of actions taken in mitigating risk
• Ensuring efficient risk coverage by internal auditors,
consulting teams, and other evaluating entities
• Developing technical ERM framework that enables secure
participation by third parties and remote employees
29. Risk Functions
• Strategic planning
Identifying external threats and competitive opportunities,
along with strategic initiatives to address them
• Marketing
Understanding target customer to ensure product or
service alignment with its requirements
• Compliance & Ethics
Monitoring compliance with code of conduct and directing
fraud investigations
• Accounting / Financial compliance
Complying with Sarbanes-Oxley which identifies financial
reporting risks
30. Risk Functions (cont’d)
• Law Department
Managing litigation and analyzing emerging legal trends
that impact the organization
• Insurance
Ensuring proper insurance coverage for the organization
• Treasury
Ensuring cash is sufficient to meet business needs, while
managing risk related to commodity pricing or foreign
exchange
• Operational Quality Assurance
Verifying that operational output is within tolerance
31. Risk Functions (cont’d)
• Operations management
Ensuring business runs day-to-day and related barriers are
surfaced for resolution
• Credit
Ensuring any credit provided to customers is appropriate to
their ability to pay
• Customer service
Ensuring customer complaints are handled promptly and
root causes are reported to operations for resolution
• Internal audit
Evaluating effectiveness of entire risk functions and
recommending improvements
32. Internal Audit Role
• Besides IT audit, internal audit plays an important role in evaluating the organization’s risk management processes and advocating continued improvement
• Should not take any direct responsibility for making risk management decisions for the enterprise or for managing the risk management function
• Perform an annual risk assessment of the enterprise
• Develop the audit engagement plan
• Involves review of the various risk assessments performed by the enterprise: strategic plans, competitive benchmarking and SOX top-down risk assessment
• Consider prior audits and interview a variety of senior managers
34. IT Risk Concept
• Part of business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise
• Consists of IT-related events that could potentially impact the business
• These events occur with uncertain frequency and magnitude
• They create challenges in meeting strategic goals and objectives
• Due to IT’s importance to the overall business, IT risk should be treated like other key business risks
35. Risk IT Framework
• Framework
– Integrate the management of IT risk with the
overall ERM
– Compare assessed IT risk with risk
appetite and risk tolerance of the organization
– Understand how to manage the risk
36. Risk IT Categories
IT Benefit/Value enabler
Missed opportunity to increase business value by IT
enabled or improved processes
IT Program/Project delivery
Related to the management of IT related projects
intended to enable or improve business
IT Operation and Service Delivery
Day-to-day IT operations and service delivery that can bring issues and inefficiency to the business operations of an organization
37. Risk Assessment
IT Risk Assessment Frameworks
• ISACA Risk IT
• Information Security Risk Management for ISO 27001
• CRAMM Information Security Toolkit
• OCTAVE (Operationally Critical Threat, Asset, Vulnerability Evaluation)
38. IT Risk ASSESSMENT
•Definition of risk assessment
The potential that a given threat will exploit vulnerabilities of
an asset or group of assets to cause loss or damage to the
assets. The impact or relative severity of the risk is
proportional to the business value of the loss/damage and to
the estimated frequency of the threat.
39. IT Risk ASSESSMENT
Components of risk assessment
• Threats to, and vulnerabilities
of, processes and/or assets (including
both physical and information assets)
• Impact on assets based on threats and
vulnerabilities
• Probabilities of threats (combination of
the likelihood and frequency of
occurrence)
41. ISACA Risk IT
Risk IT: A Balance is Essential
• Risk and value are two sides of the same coin.
• Risk is inherent to all enterprises.
BUT
Enterprises need to ensure that opportunities for
value creation are not missed by trying to
eliminate all risk.
42. Risk IT Extends Val IT and COBIT
Risk IT complements and
extends COBIT and Val IT
to make a more complete
IT governance guidance
resource.
43. IT-related Risk Management
Risk IT is not limited to information security. It covers all IT-related risks, including:
• Late project delivery
• Not achieving enough value from IT
• Compliance
• Misalignment
• Obsolete or inflexible IT architecture
• IT service delivery problems
44. Guiding Principles of Risk IT
Always connect to enterprise objectives.
Align the management of IT-related business risk
with overall enterprise risk management.
Balance the costs and benefits of managing risk.
Promote fair and open communication of IT risk.
45. Guiding Principles of Risk IT
Establish the right tone from the top while defining
and enforcing personal accountability for operating
within acceptable and well-defined tolerance levels.
Understand that this is a continuous process and an
important part of daily activities.
46. Key Risk IT Content: The “What”
• Key content of the Risk IT framework includes:
• Risk management essentials
– In Risk Governance: risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture
– In Risk Evaluation: describing business impact and risk scenarios
– In Risk Response: key risk indicators (KRI) and risk response definition and prioritisation
• Section on how Risk IT extends and enhances COBIT and Val IT (Note: Risk IT does not require the use of COBIT or Val IT.)
47. Key Risk IT Content: The “What”
• Process model sections that contain:
• Descriptions
• Input-output tables
• RACI (Responsible, Accountable, Consulted, Informed)
table
• Goals and Metrics Table
• Maturity model is provided for each domain
• Appendices
• Reference materials
• High-level comparison of Risk IT to other risk management
frameworks and standards
• Glossary
48. IT Risk Communication
• IT risk communication flows are:
– Expectation
• what the organization expects as the final result
• what the expected behaviour of employees and management is
• encompasses strategy, policies, procedures and awareness training
– Capability
• indicates how well the organization is able to manage the risk
– Status
• information on the actual status of IT risk
• encompasses the organization’s risk profile, key risk indicators, events and root causes of loss events
49. IT Risk Communication (cont’d)
• Effective risk information should be
Clear
Concise
Useful
Timely
Aimed at the correct target audience
Available on a need to know basis
50. Risk IT Three Domains
51. Risk Governance
• Ensure that IT risk management practices are
embedded in the enterprise, enabling it to secure
optimal risk-adjusted return
• RG1 Establish and Maintain a Common Risk View
RG1.1 Perform enterprise IT risk assessment
RG1.2 Propose IT risk tolerance thresholds
RG1.3 Approve IT risk tolerance
RG1.4 Align IT risk policy
RG1.5 Promote IT risk aware culture
RG1.6 Encourage effective communication of IT risk
52. Risk Governance (cont’d)
• RG2 Integrate With ERM
RG2.1 Establish and maintain accountability for IT risk
management
RG2.2 Coordinate IT risk strategy and business risk
strategy
RG2.3 Adapt IT risk practices to enterprise risk practices
RG2.4 Provide adequate resources for IT risk
management
RG2.5 Provide independent assurance over IT risk
management
53. Risk Governance (cont’d)
• RG3 Make Risk-aware Business Decisions
RG3.1 Gain management buy-in for the IT risk analysis approach
RG3.2 Approve IT risk analysis
RG3.3 Embed IT risk consideration in strategic
business decision making
RG3.4 Accept IT risk
RG3.5 Prioritize IT risk response activities
54. Risk Evaluation
• Ensure that IT-related risks and opportunities
are identified, analyzed and presented in
business terms
• RE1 Collect Data
RE1.1 Establish and maintain a model for data
collection
RE1.2 Collect data on the operating environment
RE1.3 Collect data on risk events
RE1.4 Identify risk factors
55. Risk Evaluation (cont’d)
• RE3 Maintain Risk Profile
RE3.1 Map IT resources to business processes
RE3.2 Determine business criticality of IT resources
RE3.3 Understand IT capabilities
RE3.4 Update risk scenario components
RE3.5 Maintain the IT risk register and IT risk map
RE3.6 Develop IT risk indicators
56. Risk Evaluation (cont’d)
• RE2 Analyze Risk
RE2.1 Define IT risk analysis scope
RE2.2 Estimate IT risk
RE2.3 Identify risk response options
RE2.4 Perform a peer review of IT risk analysis
57. Risk Response
• Ensure that IT-related risk issues, opportunities
and events are addressed in a cost-effective
manner and in line with business priorities
• RR1 Articulate Risk
RR1.1 Communicate IT risk analysis results
RR1.2 Report IT risk management activities and state
of compliance
RR1.3 Interpret independent IT assessment findings
RR1.4 Identify IT related opportunities
58. Risk Response (cont’d)
• RR2 Manage Risk
RR2.1 Inventory controls
RR2.2 Monitor operational alignment with risk
tolerance thresholds
RR2.3 Respond to discovered risk exposure and
opportunity
RR2.4 Implement controls
RR2.5 Report IT risk action plan progress
59. Risk Response (cont’d)
• RR3 React to Events
RR3.1 Maintain incident response plans
RR3.2 Monitor IT risk
RR3.3 Initiate incident response
RR3.4 Communicate lessons learned from risk
events
60. Risk Response Definition
The purpose of defining a risk response is to bring risk in line with the defined risk tolerance for the enterprise after due risk analysis.
In other words, a response needs to be defined such that future residual risk (= current risk with the risk response defined and implemented) is, as far as possible and usually depending on the budget available, within the risk tolerance limits.
61. Risk IT Benefits and Outcomes
Accurate view on current and near-future IT-related events
End-to-end guidance on how to manage IT-related risks
Understanding of how to capitalise on the investment made in an IT internal control
system already in place
Integration with the overall risk and compliance structures within the enterprise
Common language to help manage the relationships
Promotion of risk ownership throughout the organisation
Complete risk profile to better understand risk
62. Risk IT Evaluation
• The link between IT risk scenarios and ultimate
business impact needs to be established to
understand the effect of adverse events
• Risk IT describes several methods for establishing this link
– COBIT information criteria
– Balanced scorecard
– Extended balanced scorecard
– Westerman
– COSO
– Factor Analysis of Information Risk
63. Risk IT Scenarios
• The heart of the risk evaluation process
• Scenarios can be derived in two different and complementary ways:
– A top-down approach from the overall business objectives to the most likely risk scenarios that can impact them
– A bottom-up approach where a list of generic risk scenarios is applied to the organization’s situation
• Each risk scenario is analyzed to determine frequency and impact, based on the risk factors
64. Risk IT Response
• Risk avoidance, exiting the activities that give rise to
the risk
• Risk mitigation, adopting measures to detect, reduce
the frequency and/or impact of the risk
• Risk transfer, transferring to others part of the risk, by
outsourcing dangerous activities or by insurance
• Risk acceptance: deliberately running the risk that has
been identified, documented and measured
• Key risk indicators: metrics capable of showing that the organization is subject to, or has a high probability of being subject to, a risk exceeding the defined risk appetite
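The key risk indicator bullet above, RR2.2 (monitor operational alignment with risk tolerance thresholds) and the risk response definition (residual risk within tolerance limits) all turn on comparing a measured indicator against a tolerance threshold. The following is an added example, not part of Risk IT or the training material: it classifies the latest measurement of each indicator against amber and red thresholds, and fits a straight line through the recent measurements to report how soon the trend would cross the red threshold, which is what makes an indicator a leading rather than lagging signal. Indicator names, thresholds and the monthly measurement series are constructed; all three indicators are assumed to be "higher is worse".

```python
"""Added illustration (not from Risk IT): evaluate key risk indicators (KRIs)
against tolerance thresholds and flag indicators trending towards a breach.
Indicator names, thresholds and measurement series are constructed."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class KRI:
    name: str
    warn: float   # amber: approaching the tolerance threshold (assumed value)
    limit: float  # red: the risk tolerance threshold set by management (assumed)
    # Every indicator in this example is "higher is worse".


def status(kri: KRI, value: float) -> str:
    """Traffic-light classification of the latest measurement."""
    if value >= kri.limit:
        return "red"
    if value >= kri.warn:
        return "amber"
    return "green"


def periods_to_breach(kri: KRI, series, horizon: int):
    """Leading-indicator check: fit a least-squares line through the series
    and return how many periods after the last sample the fitted trend reaches
    the limit, if that happens within `horizon` periods. Returns 0 when the
    latest value already breaches, None when no breach is projected."""
    if series[-1] >= kri.limit:
        return 0
    n = len(series)
    if n < 2:
        return None
    x_mean = (n - 1) / 2
    y_mean = sum(series) / n
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(series))
    sxx = sum((x - x_mean) ** 2 for x in range(n))
    slope = sxy / sxx
    if slope <= 0:
        return None                     # flat or improving: nothing to project
    intercept = y_mean - slope * x_mean
    # Solve intercept + slope * t = limit for t, then count from the last sample.
    periods_ahead = (kri.limit - intercept) / slope - (n - 1)
    periods_ahead = max(0, math.ceil(periods_ahead))
    return periods_ahead if periods_ahead <= horizon else None


def evaluate(kri: KRI, series, horizon: int = 6) -> dict:
    """Current status plus the projected breach: what a risk owner needs in
    order to act before tolerance is exceeded rather than after."""
    return {
        "kri": kri.name,
        "current": series[-1],
        "status": status(kri, series[-1]),
        "breach_in": periods_to_breach(kri, series, horizon),
    }


# Constructed monthly measurements for three indicators.
SAMPLES = {
    KRI("Privileged accounts without MFA (%)", warn=9, limit=12): [4, 5, 6, 7, 8],
    KRI("Critical patches older than 30 days (count)", warn=20, limit=40): [30, 28, 26, 25, 27],
    KRI("Phishing simulation click rate (%)", warn=15, limit=20): [10, 14, 19, 25],
}


def kri_report(samples=SAMPLES, horizon: int = 6):
    """One evaluation row per indicator."""
    return [evaluate(kri, series, horizon) for kri, series in samples.items()]


if __name__ == "__main__":
    for row in kri_report():
        print(f"{row['status']:5s} {row['kri']}: now {row['current']}, "
              f"projected breach in {row['breach_in']} periods")
```

With the constructed data the MFA indicator is still green but its trend crosses the limit in four periods, the patching backlog is amber but improving, and the phishing click rate has already breached. A linear fit is a deliberately simple projection; the design point is that a KRI report should carry both the current status and the direction of travel, since a green indicator that is climbing steadily is the one that needs a response defined now.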
65. Relationship with ISACA Frameworks
• Risk IT Framework complements ISACA’s
COBIT
• COBIT provides a comprehensive framework for the control and governance of business-driven, information-technology-based (IT-based) solutions and services
• COBIT sets good practices for the means of risk management by providing a set of controls to mitigate IT risk
66. Relationship with ISACA Frameworks (cont’d)
• Risk IT sets good practices for the ends by
providing a framework for enterprises to
identify, govern and manage IT risk
• Val IT allows business managers to get
business value from IT investments, by
providing a governance framework
• Val IT can be used to evaluate the actions determined by the risk management process
67. Relationship With Other Frameworks
• Risk IT accepts the Factor Analysis of Information Risk terminology and evaluation process
• ISO 27005
For a comparison of Risk IT processes and those
foreseen by ISO/IEC 27005 standard
• ISO 31000
The Risk IT Practitioner Guide appendix 2
• COSO
The Risk IT Practitioner Guide appendix 4
68. Information Security Risk Management
for ISO/IEC 27001/ISO 27005
ISO/IEC 27000 Family of Standards
• ISO/IEC 27001 based on BS7799 by British
Standards Institution
• Adopts “plan-do-check-act” process model
• Information Security Management System (ISMS)
standard (ISO/IEC 27001)
• Formal specification mandates specific
requirements
• Adoption of ISO/IEC 27001 allows for formal audit
and certification to explicit standard
• Risk management based on ISO/IEC 27000
standards
69. Information Security Risk Management
for ISO/IEC 27001/ISO 27005
ISO/IEC 27005
• Information security risk management standard
• Does not specify, recommend or name any specific risk analysis method
• Does specify a structured, systematic and rigorous process from analysing risks to creating the risk treatment plan
70. CRAMM Information security risk
toolkit
• Provides staged and disciplined approach towards IT
risk assessment
Source: http://www.cramm.com/overview/howitworks.htm
71. CRAMM Information security risk
toolkit
Asset identification and valuation
• Physical
• Software
• Data
• Location
Threat and vulnerability assessment
• Hacking
• Viruses
• Failures of equipment or software
• Wilful damage or terrorism
• Errors by people
Countermeasure selection and recommendation
72. CERT OCTAVE
Operationally Critical Threat, Asset, and
Vulnerability Evaluation Framework by
Software Engineering Institute (1999)
• Components of information security risk evaluation
• Processes with required inputs, activities, outputs
• Phase 1: Build asset-based threat profiles
• Phase 2: Identify Infrastructure Vulnerabilities
• Phase 3: Develop security strategy and plans
Self-directed information security risk
evaluation
Analysis team includes people from business
units and IT department
76. Understanding Risks in the Systems
Development Life Cycle
• Business Application Development
• Alternative Software Development Strategies
• Information Systems Maintenance Practices
• Project Management Practices
• System Development Tools and Productivity Aids
• Software Development Process Improvement Practices
• Auditing Systems Development, Acquisition and Maintenance
77. Business Application Development
An Individual Application or Project is Initiated by
• A new opportunity that relates to new or existing business process
• A problem that relates to an existing business process
• A new opportunity that will enable the organization to take
advantage of technology
• A problem with the current technology
Traditional Systems Development Life Cycle Phases
• Phase 1—Feasibility
• Phase 2—Requirements definition
• Phase 3—Design
• Phase 4—Development
• Phase 5—Implementation
78. Business Application Development
Roles and Responsibilities of Groups and
Individuals
• Senior management
• User management
• Project steering committee
• Project sponsor
• Systems development management
• Project manager
• Systems development project team
• User project team
• Security officer
• Quality assurance
79. Business Application Development
Risks Associated with Software Development
• Potential risks exist when poor or inadequate
SDLC methodologies are utilized
• Systems designed using a poor methodology may not meet the users’ needs and often exceed the limits of financial resources
• Merely following a methodology does not
ensure success of a development project
80. Business Application Development
Structured Analysis, Design, and Development
Techniques
• Develop system context diagrams
• Perform hierarchical data flow/control flow
decomposition
• Develop control transformations
• Develop mini-specifications
• Develop data dictionaries
• Define all external events—inputs from external
environment
• Define single transformation data flow diagrams from
each external event
81. Traditional System Development Life
Cycle (SDLC) Approach
Phase 1 - Feasibility Study
• Define a time frame
• Determine an optimum alternative/solution in
meeting business needs and general information
resource requirements or estimates
• Determine if an existing system can correct the
situation with slight or no modification
• Determine if a vendor product offers a solution
• Determine the approximate cost
• Determine if the solution fits the business strategy
82. Business Application Development
Phase 2 - Requirements Definition
• Identify and consult stakeholders to determine their
expectations
• Analyze requirements to detect and correct conflicts and
determine priorities
• Identify system bounds and how the system should interact
with its environment
• Convert user requirements into system requirements
• Record requirements in a structured format
• Verify that requirements are complete, consistent,
unambiguous, verifiable, modifiable, testable and traceable
• Resolve conflicts between stakeholders
• Resolve conflicts between the requirements set and the
resources that are available
83. Traditional System Development Life
Cycle (SDLC) Approach
Software Acquisition
• Decision made to acquire, not develop
• Occurs after the Requirements phase
• Request for proposal (RFP) contents
• Topics of discussion with users about vendors
• Contract contents
• Contract management
• Integrated Resource Management Systems
• Fully integrated corporate solution
• SAP, PeopleSoft, Oracle Financials, etc.
• Impact on the way the corporation does business
• Need to conduct an impact and risk assessment
84. Traditional System Development Life
Cycle (SDLC) Approach
Phase 3 - Design
• User involvement
• Key design activities
• Software baselining
• End of design phase
Phase 4 - Development
• Key activities
• Programming methods and techniques
• On-line programming facilities (Integrated Development Environment - IDE)
• Programming languages
• High-level
• Object-oriented
• Scripting (such as shell, Perl, Tcl, Python, JavaScript and VBScript)
• Low-level assembler
• Fourth generation
• Decision support or expert systems
• Program debugging
85. Traditional System Development Life
Cycle (SDLC) Approach
Phase 4 - Development (continued)
• Testing
• Elements of a software testing process
• Test plan
• Conduct and report test results
• Address outstanding issues
• General testing levels
• Unit testing
• Interface or integration testing
• System testing
• Final acceptance testing
86. Traditional System Development Life
Cycle (SDLC) Approach
Phase 4 - Development (continued)
• Testing (continued)
• Other types of testing - related terminology
• Alpha and beta testing
• Pilot testing
• Whitebox testing
• Blackbox testing
• Function/validation testing
• Regression testing
• Parallel testing
• Sociability testing
• Automated application testing
87. Traditional System Development Life
Cycle (SDLC) Approach
Phase 5 - Implementation
• Planning for implementation
• Formal plan
• Data conversion
• Acceptance testing
• Certification and accreditation process
Post-Implementation Review
• Assess adequacy
• Evaluate projected cost benefits
• Develop recommendations
• Develop an action plan
• Assess the development project process
89. Logical Access Exposures
and Controls
Remote access security risks include:
• Denial of service
• Malicious third parties
• Misconfigured communications software
• Misconfigured devices on the corporate computing infrastructure
• Host systems not secured appropriately
• Physical security issues over remote users' computers
Remote access security controls include:
• Policy and standards
• Proper authorizations
• Identification and authentication mechanisms
• Encryption tools and techniques, such as the use of VPN
• System and network management
90. Logical Access Exposures
and Controls
Remote access using personal digital assistants (PDAs): control issues to address include:
• Compliance
• Approval
• Standard PDA applications
• Due care
• PDA applications
• Synchronization
• Encryption
• Virus detection and control
91. Logical Access Exposures
and Controls
Authorization Issues
• Access issues with mobile technology
• These devices should be strictly controlled both by policy and
by denial of use. Possible actions include:
• Banning all use of transportable drives in the security
policy
• Where no authorized use of USB ports exists, disabling their use
with a logon script that removes the drivers from the system
directory
• If they are considered necessary for business use,
encrypting all data transported or saved by these devices
• Audit logging in monitoring system access
• Provides management with an audit trail to monitor activities of a
suspicious nature, such as a hacker attempting brute-force
attacks on a privileged logon ID
92. Logical Access Exposures
and Controls
Authorization Issues
• Audit logging in monitoring system access
• Access rights to system logs
• A periodic review of system-generated logs can
detect security problems, including attempts to
exceed access authority or gain system access
during unusual hours.
• Tools for audit trail (log) analysis
• Audit reduction tools
• Trend/variance-detection tools
• Attack signature-detection tools
93. Logical Access Exposures
and Controls
Authorization Issues
• Audit logging in monitoring system access
• Cost consideration
• Audit concerns
• Patterns or trends that indicate abuse of access privileges,
such as concentration on a sensitive application
• Violations (such as attempting computer file access that is
not authorized) and/or use of incorrect passwords
• Restrict and monitor access to computer features that bypass
security controls
• Generally, only system software programmers should have
access to:
• Bypass label processing (BLP)
• System exits
• Special system logon IDs
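The three log-analysis tool types named above (audit reduction, trend/variance detection, attack-signature detection) and the review concerns on this and the previous slide (brute force against a privileged logon ID, access during unusual hours, repeated incorrect passwords) can be exercised against a handful of log lines. The following is an added example written for this page, not part of the original training deck. The log lines are constructed, the log format, the list of privileged IDs and the 08:00-18:00 business-hours window are assumptions, and the thresholds are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, time

# Constructed sample of authentication log lines (not real data): a brute-force
# run against the privileged "root" ID at 02:13, normal daytime logins by
# alice, and one login by bob at an unusual hour.
SAMPLE_LOG = """\
2013-05-14 09:02:11 app01 Accepted password for alice from 10.1.1.20
2013-05-14 09:15:43 app01 Failed password for alice from 10.1.1.20
2013-05-14 09:15:58 app01 Accepted password for alice from 10.1.1.20
2013-05-14 02:13:01 app01 Failed password for root from 203.0.113.7
2013-05-14 02:13:04 app01 Failed password for root from 203.0.113.7
2013-05-14 02:13:09 app01 Failed password for root from 203.0.113.7
2013-05-14 02:13:15 app01 Failed password for root from 203.0.113.7
2013-05-14 02:13:22 app01 Failed password for root from 203.0.113.7
2013-05-14 02:13:30 app01 Accepted password for root from 203.0.113.7
2013-05-14 23:41:05 app01 Accepted password for bob from 10.1.1.31
"""

# Assumed log format; adapt the pattern to the real log source.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)$"
)
PRIVILEGED_IDS = {"root", "sysadmin"}                 # assumption: site-defined
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumption


def parse(text):
    """Parse log lines into event dicts (sorted by time), skipping non-matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def audit_reduction(events):
    """Audit reduction: drop routine successes inside business hours so the
    reviewer only sees failures, privileged-ID activity and off-hours access."""
    kept = []
    for ev in events:
        routine = (ev["result"] == "Accepted"
                   and ev["user"] not in PRIVILEGED_IDS
                   and BUSINESS_START <= ev["ts"].time() < BUSINESS_END)
        if not routine:
            kept.append(ev)
    return kept


def detect_brute_force(events, threshold=5, window_seconds=120):
    """Attack-signature detection: `threshold` or more failures for one
    (user, source) inside a sliding window. Also records whether a success
    followed, which turns a noisy attempt into a likely compromise."""
    recent = defaultdict(deque)
    alerts = {}
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            q = recent[key]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"user": ev["user"], "src": ev["src"],
                               "failures": len(q), "first": q[0], "last": ev["ts"],
                               "privileged": ev["user"] in PRIVILEGED_IDS,
                               "followed_by_success": False}
        elif key in alerts:
            alerts[key]["followed_by_success"] = True
    return list(alerts.values())


def detect_off_hours(events):
    """Trend/variance check: successful logins outside business hours."""
    return [ev for ev in events
            if ev["result"] == "Accepted"
            and not BUSINESS_START <= ev["ts"].time() < BUSINESS_END]


def analyze(text):
    events = parse(text)
    return {"reduced": audit_reduction(events),
            "brute_force": detect_brute_force(events),
            "off_hours": detect_off_hours(events)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"{len(report['reduced'])} of {len(parse(SAMPLE_LOG))} events kept after reduction")
    for a in report["brute_force"]:
        print("brute force:", a)
    for ev in report["off_hours"]:
        print("off-hours login:", ev["user"], ev["ts"])
```

On the sample, reduction keeps 8 of 10 events, the root/203.0.113.7 sequence trips the brute-force signature on the fifth failure and is marked as followed by a success, and the root and bob logins are reported as off-hours access. The same three functions are what an IDS's signature and statistical engines do at larger scale.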
95. Information Systems Maintenance
Practices
Change Management Process Overview
- POSB Lucky Draw Fraud Case
• Deploying changes
• Documentation
• Testing program changes
• Emergency changes
• Deploying changes back into production
• Change exposures (unauthorized changes)
96. Information Systems Maintenance
Practices
Configuration Management
Library Control Software
• Executable and source code integrity
• Source code comparison
System Change Procedures and the Program Migration
Process
• Evaluate the adequacy of the organization’s procedures
• Identify system changes
• Review documentation
• Evaluate adequacy of procedures
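Library control software protects the integrity of source and executables by keeping a hash baseline of the approved library and comparing what is actually in production against it, then showing the source differences for anything that changed. The following is an added example for this page, not code from the training deck or any library-control product. The two in-memory "libraries" (path to file contents) are constructed stand-ins for the approved library and the production copy; a real check would read files from disk.

```python
import difflib
import hashlib

# Constructed stand-in for the approved source library: path -> contents.
BASELINE_LIBRARY = {
    "payroll/calc.py": "def net_pay(gross, tax_rate):\n    return gross * (1 - tax_rate)\n",
    "payroll/report.py": "def title():\n    return 'Payroll run'\n",
}

# The same library as found in production: one file silently changed
# (an unauthorized change that zeroes tax for large salaries) and one file added.
PRODUCTION_LIBRARY = {
    "payroll/calc.py": ("def net_pay(gross, tax_rate):\n"
                        "    if gross > 90000:\n"
                        "        tax_rate = 0\n"
                        "    return gross * (1 - tax_rate)\n"),
    "payroll/report.py": "def title():\n    return 'Payroll run'\n",
    "payroll/helper.py": "import os\n",
}


def manifest(library):
    """Integrity baseline: SHA-256 of every file, keyed by path."""
    return {path: hashlib.sha256(text.encode()).hexdigest()
            for path, text in library.items()}


def compare_manifests(baseline, current):
    """Report files whose hash differs, plus files added or removed."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def source_diff(path, baseline_lib, production_lib):
    """Source code comparison for one changed file, as a unified diff."""
    return "".join(difflib.unified_diff(
        baseline_lib[path].splitlines(keepends=True),
        production_lib[path].splitlines(keepends=True),
        fromfile=f"baseline/{path}", tofile=f"production/{path}"))


def check_library(baseline_lib, production_lib):
    """Hash comparison first (cheap, catches every byte change), then a
    readable diff for each modified file so the reviewer can judge intent."""
    changes = compare_manifests(manifest(baseline_lib), manifest(production_lib))
    changes["diffs"] = {p: source_diff(p, baseline_lib, production_lib)
                        for p in changes["modified"]}
    return changes


if __name__ == "__main__":
    result = check_library(BASELINE_LIBRARY, PRODUCTION_LIBRARY)
    for kind in ("modified", "added", "removed"):
        print(kind, result[kind])
    for path, diff in result["diffs"].items():
        print(diff)
```

The baseline manifest must itself be stored where the people who can change production cannot change it (signed, or held by the library control function), otherwise an attacker who alters a file simply updates the hash as well.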
98. Network Infrastructure
Security
LAN Security
• Local area networks facilitate the storage and retrieval of programs and data used by a group of people. LAN software and practices also need to provide for the security of these programs and data.
LAN risk and issues
• Dial-up access controls
99. Network Infrastructure
Security
Client-Server Security
• Control techniques in place
• Securing access to data or application
• Use of network monitoring devices
• Data encryption techniques
• Authentication systems
• Use of application level access control programs
Client/server risks and issues
• Access controls may be weak in a client-server environment.
• Change control and change management procedures.
• The loss of network availability may have a serious impact on the business or service.
• Obsolescence of the network components
• The use of modems to connect the network to other networks
• The connection of the network to public switched telephone networks may be weak
• Changes to systems or data
• Access to confidential data and data modification may be unauthorized
• Application code and data may not be located on a single machine enclosed in a secure
computer room, as with mainframe computing
100. Network Infrastructure
Security
Internet Threats and Security
Passive attacks
• Network analysis
• Eavesdropping (Video: Wireshark Wireless Password Sniffing)
• Traffic analysis
Active attacks
• Brute-force attack
• Masquerading
• Packet replay
• Message modification
• Unauthorized access through the Internet or web-based services
• Denial of service
• Dial-in penetration attacks
• E-mail bombing and spamming
• E-mail spoofing
101. Network Infrastructure
Security
Internet Threats and Security
• Threat impact
• Loss of income
• Increased cost of recovery
• Increased cost of retrospectively securing systems
• Loss of information
• Loss of trade secrets
• Damage to reputation
• Legal and regulatory noncompliance
• Failure to meet contractual commitments
• Legal action by customers for loss of confidential data
102. Network Infrastructure
Security
Internet Threats and Security
• Causal factors for internet attacks
• Availability of tools and techniques on the Internet
• Lack of security awareness and training
• Exploitation of security vulnerabilities
• Inadequate security over firewalls
• Internet security controls
Firewall Security Systems
• Firewall general features
• Firewall types
• Router packet filtering
• Application firewall systems
• Stateful inspection
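The practical difference between router packet filtering and stateful inspection is easiest to see on one packet: a filter that judges each packet alone has to admit inbound packets with the ACK flag set so that replies to outbound connections get through, and an attacker can set that flag on a probe to an internal host; a stateful firewall admits only packets that match a connection it saw opened from inside. The following is an added example for this page, not code from the deck or from any firewall product. The 10.0.0.0/8 internal range, the packet fields and the three packets of traffic are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the corporate LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def inbound(pkt):
    """True for packets entering the LAN from outside."""
    return ip_address(pkt.dst) in INTERNAL and ip_address(pkt.src) not in INTERNAL


class PacketFilter:
    """Router packet filtering: decides on each packet alone. To let replies
    to outbound connections back in, it must trust the ACK flag."""
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def allow(self, pkt):
        if not inbound(pkt):
            return True                      # outbound traffic is permitted
        if pkt.dport in self.open_ports:
            return True                      # published service (e.g. DMZ web)
        return pkt.ack                       # "established" guessed from the flag


class StatefulFilter(PacketFilter):
    """Stateful inspection: remembers connections opened from inside and only
    admits inbound packets that belong to one of them."""
    def __init__(self, open_ports):
        super().__init__(open_ports)
        self.table = set()                   # (internal ip, port, external ip, port)

    def allow(self, pkt):
        if not inbound(pkt):
            if pkt.syn and not pkt.ack:      # new outbound connection
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.dport in self.open_ports:
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run(filt, packets):
    """Apply the filter to the packets in order; returns the allow decisions."""
    return [filt.allow(p) for p in packets]


# Constructed traffic: an internal client opens a connection to an external
# web server, the server's SYN-ACK reply comes back, then an attacker probes
# an internal host with a bare ACK packet for which no connection exists.
CLIENT_SYN = Packet("10.1.1.20", 40000, "198.51.100.10", 80, syn=True)
SERVER_REPLY = Packet("198.51.100.10", 80, "10.1.1.20", 40000, syn=True, ack=True)
ACK_PROBE = Packet("203.0.113.7", 1234, "10.1.1.50", 5555, ack=True)
TRAFFIC = [CLIENT_SYN, SERVER_REPLY, ACK_PROBE]

if __name__ == "__main__":
    print("packet filter :", run(PacketFilter([80, 443]), TRAFFIC))   # [True, True, True]
    print("stateful      :", run(StatefulFilter([80, 443]), TRAFFIC))  # [True, True, False]
```

Both filters pass the legitimate reply; only the stateful one drops the forged ACK probe. The packet filter is not misconfigured here, it simply cannot express "belongs to an existing connection", which is why a packet-filtering router alone gives the false sense of security listed among the firewall issues on the next slide.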
103. Network Infrastructure
Security
Firewall Security Systems
• Examples of firewall implementations
• Screened-host firewall
• Dual-homed firewall
• Demilitarized zone (DMZ)
Firewall issues
• A false sense of security
• Circumvention of the firewall
• Misconfigured firewalls
• What constitutes a firewall
• Monitoring activities may not occur on a regular basis
• Firewall policies
104. Network Infrastructure
Security
Intrusion Detection Systems (IDS)
An IDS works in conjunction with routers and firewalls by
monitoring network usage anomalies.
• Network-based IDSs
• Host-based IDSs
Components:
• Sensors that are responsible for collecting data
• Analyzers that receive input from sensors and determine intrusive activity
• An administration console
• A user interface
105. Network Infrastructure
Security
Types of Intrusion Detection Systems (IDS)
• Signature-based
• Statistical-based
• Neural networks
Features
• Intrusion detection
• Gathering evidence on intrusive activity
• Automated response
• Security monitoring
• Interface with system tools
• Security policy management
106. Network Infrastructure
Security
Intrusion Detection Systems (IDS)
• Limitations:
• Weaknesses in the policy definition
• Application-level vulnerabilities
• Backdoors into applications
• Weaknesses in identification and
authentication schemes
107. Network Infrastructure
Security
Encryption
• Key elements of encryption systems
• Encryption algorithm
• Encryption key
• Key length
• Private key cryptographic systems
• Public key cryptographic systems
• Elliptic curve cryptosystem (ECC)
• Quantum cryptography
• Digital signatures
108. Network Infrastructure
Security
Encryption (Continued)
• Digital signatures
• Data integrity
• Authentication
• Nonrepudiation
• Replay protection
• Public key infrastructure
• Digital certificates
• Certificate authority (CA)
• Registration authority (RA)
• Certificate revocation list
• Certification practice statement (CPS)
109. Network Infrastructure
Security
Encryption (Continued)
• Use of encryption in OSI protocols
• Secure Sockets Layer (SSL)
• Secure Hypertext Transfer Protocol (S-HTTP)
• IP Security (IPSec)
• Secure Shell (SSH)
• Secure Multipurpose Internet Mail Extensions (S/MIME)
• Secure Electronic Transactions (SET)
111. PRM Processes
• Planning how risk is managed within particular project
• Plans include risk management tasks, responsibilities,
activities and budget
• Assigning a risk officer with a healthy skepticism, responsible
for foreseeing potential project problems
• Maintaining live project risk database (risk profile)
• Each risk should have these attributes: opening date,
title, short description, probability and importance
112. PRM Processes (cont’d)
• Creating anonymous risk reporting channel
• Each team member should have the possibility to
report risks that he/she foresees in the project
• Preparing mitigation plans for risks that are chosen to
be mitigated
• Identify how the risk will be handled – what, when, by
whom and how will it be done to avoid it or minimize
consequences if it becomes a liability
• Summarizing planned and faced risks, effectiveness of
mitigation activities, and effort spent for the risk
management
Training slides on Information Technology Risk Management
Image credit: blogs.adobe.com
Requirements definition is concerned with identifying and specifying the requirements of the system chosen for development during the feasibility study. Requirements include descriptions of what a system should do, how users will interact with a system, conditions under which the system will operate and the information criteria the system should meet. CobiT's framework principles for information criteria show that this includes issues associated with effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability. The requirements definition phase deals with these issues.

To accomplish the above in the requirements definition phase:
• Identify and consult stakeholders to determine their expectations.
• Analyze requirements to detect and correct conflicts and determine priorities.
• Identify system bounds and how the system should interact with its environment.
• Convert user requirements into system requirements (e.g., an interactive user interface prototype that demonstrates screen look and feel).
• Record requirements in a structured format. Historically, requirements have been recorded in a written requirements specification, possibly supplemented by some schematic models. Commercial requirements management tools are now available that allow requirements and related information to be stored in a multiuser database.
• Verify that requirements are complete, consistent, unambiguous, verifiable, modifiable, testable and traceable. Because of the high cost of rectifying requirements problems in downstream development phases, effective requirements reviews have a large payoff.
• Resolve conflicts between stakeholders.
• Resolve conflicts between the requirements set and the resources that are available.

IS auditors are involved at this stage to determine whether adequate security requirements have been defined to address, at a minimum, the confidentiality, integrity and availability requirements of the system. This includes whether adequate audit trails are defined as part of the system, as these affect the auditor's ability to identify issues for proper follow-up.