
Integrating Enterprise Risk Management and IT Security: “an architect’s view”. Presented by Stan Dormer, B.Sc., FIIA, Director of Education & Training Services.


1 Integrating Enterprise Risk Management and IT Security: “an architect’s view”. Presented by Stan Dormer, B.Sc., FIIA, Director of Education & Training Services, MindGrove Ltd

2 © 2007 MindGrove 2 ERM and IT Security … notions for this session:
  Enterprise Risk Management – technology implications of the COSO ERM model
  Using structured and pre-defined Control Objectives to manage Enterprise Technology Risks – COBIT
  Using risk to join ERM and Technology Risks: from mission statement to business objectives; from business objectives to risk; from risk to control objectives
  Ensuring your security architecture maps onto your business risk model

3 IT Security - Backdrop

4 The power to perform (transistor count per Intel processor generation; rows where the transcript lost the year or the count are marked “?”, and several earlier rows of the table did not survive at all)

  Year   Transistors     Processor
  ?      ?…,000          Intel386™ processor
  1989   1,180,000       Intel486™ processor
  1993   3,100,000       Intel® Pentium® processor
  1997   7,500,000       Intel® Pentium® II processor
  ?      ?…,000,000      Intel® Pentium® III processor
  ?      ?…,000,000      Intel® Pentium® 4 processor
  ?      ?…,000,000      Intel® Itanium® processor
  ?      ?…,000,000      Intel® Itanium® 2 processor
  2006   1,200,000,000   Intel® Dual Core processor

5 Yesterday and Today
  300 calculations per second – calculate the trajectory of a shell
  70,000,000,000,000 calculations per second – forecast the weather for our planet
  1 calculation per second – add up the items in a shopping list

6 I contribute to good governance by examining the organisation’s plans for business continuity.
But the fact is that security is the biggest issue.

7 Reactivity to IT Security is typically ad hoc:
  We fix IT Security problems after the event
  We don’t integrate IT Security into the foundations of the organisation’s risk management culture
  The outcome is an ad hoc risk-control structure

8 Enterprise Risk Management – technology implications of the COSO ERM model

9 COSO

10 An organisation’s objectives are defined by its context

11 COSO

12 And its objectives are threatened by risk

13 COSO

14 And because of this we deploy controls

15 Many of the risks that threaten objectives are IT Security problems. So the COSO ERM model is just as relevant to the examination of the impact of IT Security risks as to any other risk.

16 But IT Security risks are typically abstracted directly from IT Security goals. So we tend to model IT Security risk independently of the remainder of business risk, losing context and connections to objectives along the way.
  Risk: Data held in electronic systems are destroyed, altered or copied by insiders or outsiders
  Control: IT Security defences against outsiders
  Control: IT Security defences against insiders
  IT Security Risk: Confidentiality, Integrity, Accountability. Of what, to what?

17 Using structured and pre-defined Control Objectives to manage Enterprise Technology Risks – COBIT

18 The organisation’s context and objectives: Operational Objective

19 Objective dependent on IT

20 Data integrity as a threat to the business objective

21 COBIT

22 COBIT 4.0 suggests that a risk is tempered by drawing down best-practice control structures:

  Define the Information Architecture
    PO2.1 Enterprise Information Architecture Model
    PO2.2 Enterprise Data Dictionary and Data Syntax Rules
    PO2.3 Data Classification Scheme
    PO2.4 Integrity Management

  Application Controls
    Data Origination/Authorisation Controls
      AC1 Data Preparation Procedures
      AC2 Source Document Authorisation Procedures
      AC3 Source Document Data Collection
      AC4 Source Document Error Handling
      AC5 Source Document Retention
    Data Input Controls
      AC6 Data Input Authorisation Procedures
      AC7 Accuracy, Completeness and Authorisation Checks
      AC8 Data Input Error Handling
    Data Processing Controls
      AC9 Data Processing Integrity
      AC10 Data Processing Validation and Editing
      AC11 Data Processing Error Handling
    Data Output Controls
      AC12 Output Handling and Retention
      AC13 Output Distribution
      AC14 Output Balancing and Reconciliation
      AC15 Output Review and Error Handling
      AC16 Security Provision for Output Reports
    Boundary Controls
      AC17 Authenticity and Integrity
      AC18 Protection of Sensitive Information During Transmission and Transport

23 COSO ERM using predefined guidance: when there is a risk to the organisation through IT, draw down the relevant IT Security and Control guidance from COBIT

24 COBIT 4.0. COBIT is an IT governance framework that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organisations. COBIT® 4.0 emphasises regulatory compliance, helps organisations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.

25 Using risk to join ERM and Technology Risks: from mission statement to business objectives; from business objectives to risk; from risk to control objectives

26 Mission → Objectives

27 Objectives → Risks

28 Objectives → Risks in more detail

29 Risks → Controls

30 Risks → Controls

31 Ensuring your security architecture maps onto your business risk model

32 Mission → Objectives. Forex Bank defines first its Mission Statement.
  Mission: "To be the most profitable FOREX trader in the world"
  Objective: To innovate new trading systems
  Objective: To trade within the rules set by Bank of England
  Objective: To trade securely through electronic systems
  Objective: To monitor trades and provide early warning of bad positions
  COSO objective categories shown on the slide: Reporting objective, Compliance objective, Operational objective, Strategic objective

33 Risk Analysis → Controls. Objective: To trade securely through electronic systems

34 Objective: To trade securely through electronic systems. Use of a multi-layer formal architectural modelling approach to ensure integrated and effective business fit.

35 ERM and IT Security … notions for this session:
  Enterprise Risk Management – technology implications of the COSO ERM model
  Using structured and pre-defined Control Objectives to manage Enterprise Technology Risks – COBIT
  Using risk to join ERM and Technology Risks: from mission statement to business objectives; from business objectives to risk; from risk to control objectives
  Ensuring your security architecture maps onto your business risk model

36 Retrieve presentation from: on the members’ page of the resources section

37 Integrating Enterprise Risk Management and IT Security: “an architect’s view”. Presented by Stan Dormer, B.Sc., FIIA, Director of Education & Training Services, MindGrove Ltd

