Presentation is loading. Please wait.

Presentation is loading. Please wait.

Top Questions Executives and Board Members Should be Asking About IT and Cloud Risks.

Published byPenelope Blankenship Modified over 9 years ago

Similar presentations

Presentation on theme: "Top Questions Executives and Board Members Should be Asking About IT and Cloud Risks."— Presentation transcript:

1 Top Questions Executives and Board Members Should be Asking About IT and Cloud Risks

2 2 Learning Objectives Participants will learn about: –The types of IT risks which may go unaddressed by executives and audit committees –Risks of cloud computing –The types of questions around IT risks that will solicit the most meaningful responses –What types of responses to questions on IT risks may be indicative of bigger issues –How to communicate more effectively topics surrounding IT risks

3 3 What boards say… Nearly half of boards surveyed are dissatisfied with their ability to oversee IT risk * Source: Oliver Wyman’s Global Risk Center and the National Association of Corporate Directors (NACD)

4 4 What boards say… The top three reasons: –Insufficient expertise at the board level –Insufficient communication on company's IT strategy and operations –Lack of integrated business IT strategy picture presented by management to board * Source: Oliver Wyman’s Global Risk Center and the National Association of Corporate Directors (NACD)

5 5 Questions Executives Should Ask How many times have we been successfully hacked this year? –What you should know: Foreign hackers are attacking U.S. businesses every day. –Red flag answers from management: “We haven’t.”

6 6 Questions Executives Should Ask How many people can access our customers’ or employees’ sensitive data? –What you should know: Many organizations don’t know the answer. –Red flag answers from management: “We have SOX controls.”

7 7 Questions Executives Should Ask Who is going to lose their job if the implementation goes poorly? –What you should know: Accountability is often one of the biggest hurdles to a successful implementation. –Red flag answers from management: Naming anyone not at the meeting.

8 8 Questions Executives Should Ask What is the definition of a successful project? Budget? Timing? Functionality? –What you should know: Consultants usually get paid more when projects go poorly and rarely do the stakeholders set the definition of a success up front. –Red flag answers from management: “A system that does what it’s supposed to do.”

9 9 Questions Executives Should Ask Are our laptops and other portable devices encrypted? –What you should know: Encrypting a laptop can help show adequate controls and possibly will allow you to avoid liability for data breaches. –Red flag answers from management: “It costs too much.”

10 10 Questions Executives Should Ask Do we enforce strong passwords? –What you should know: Easily guessed passwords make hackers’ lives easier. –Red flag answers from management: “Our users will just write them down.”

11 11 Questions Executives Should Ask Has our disaster recovery plan been fully and completely tested in the past year? –What you should know: If you don’t test the plan, it’s likely to not work when you need it. –Red flag answers from management: “We haven’t tested it.”

12 12 Questions Executives Should Ask How do we know our service providers are keeping our data safe? –What you should know: A lot of customer and proprietary data is provided to third parties by many organizations. –Red flag answers from management: “We get a SAS No 70 report” or “It’s in our contract.”

13 13 Guiding Principles Advice Invite IT leadership and IT auditors to audit committee meetings periodically. Don’t be afraid to ask the tough questions about IT. Don’t be afraid to probe the responses to your questions. Consider holding executive sessions with IT leadership and IT auditors.

14 14 The Cloud Should we be using the cloud?

15 15 Reactions to the Cloud Why is my CIO talking about the weather? Is this just a sales ploy so I pay more for what I’m already getting? Are these computers in the sky somewhere? What happens if it rains? So you want me to put my critical business information and computer operations in a place I can’t see at some company I’ve never heard of?

16 16 The History of Computing – 1970s and Early 80s Overview: Mainframes dominated the landscape Workstations had little processing power, effectively “thin clients” Network infrastructure was often contained within a single building and was proprietary Users needed to be at the physical site

17 17 The History of Computing – 1970s and Early 80s Characteristics: Biggest security threats were insiders Privacy laws were in their infancy Disaster recovery plans focused on the physical building and data center with offsite recovery centers. Storage took up significant space Few people had email Few people had cell phones Phones were separate from the computer network

18 18 The History of Computing – Late 1980s and Early 90s Overview: Client server architecture started to replace mainframes Workstations had more processing power Network infrastructure was beginning to use standard protocols. Many companies started creating company-wide networks using private lines Companies cautiously used the internet for limited purposes Users needed to be at the physical site

19 19 The History of Computing – Late 1980s and Early 90s Characteristics: Biggest security threats were insiders Privacy laws were in their infancy Disaster recovery plans focused on the physical building and data center with offsite recovery centers Storage took up significant space Email and cell phones were still the exception Phones were separate from the computer network “Outsourcing” was generally related running a physical large data center

20 20 The History of Computing – 1990s Overview: Client server architecture widely replaced mainframes Workstations had much more processing power, laptops started to be adopted but were much less powerful. “Thin clients” re-emerged Network infrastructure still used several standards Many companies started using the internet, but still not for critical business Most users needed to be at the physical site “Outsourcing” was generally related running a physical large data center with some application service providers

21 21 The History of Computing – 1990s Characteristics: Biggest security threats were insiders, but network and internet connectivity began introducing new security risks Privacy laws were in their infancy Disaster recovery plans focused on the physical building and data center with offsite recovery centers Storage took up significant space, but less than before Email and cell phones were widely adopted Phones were separate from the computer network Data center hosting became more popular as did application service providers

22 22 The History of Computing – 2000s Overview: Client server architecture dominates the landscape Workstations and laptops had much more processing power Smart phones widely used Network infrastructure came to one standard VPN was adopted on a widespread basis Many companies started using the internet for critical business applications Significant move towards application service providers and remote data center hosting Most users could now work remotely

23 23 The History of Computing – 2000s Characteristics: Biggest security threats were now from the internet Security vulnerabilities of major products were easily exploited Privacy laws began to take form Disaster recovery plans still focused on the physical building and data center with offsite recovery centers Storage became inexpensive and small Smart phones and laptops were the norm – data now resided outside the company, but generally only on company devices Phones began to get integrated with the computer network

24 24 Computing – Today Overview: Client server architecture dominates the landscape with widespread “virtualization” Workstations and laptops are powerful, but little is run on them making most operate more like “thin clients” Smart phones widely used Network infrastructure on one standard and VPN heavily used Most companies use the internet for critical business Majority of users can work remotely Many companies exploring the use of the cloud

25 25 Computing – Today Characteristics: Biggest security threats are state sponsored cyber attacks Major developers better at security Privacy laws much more robust Disaster recovery plans still focused on the physical building and data center with offsite recovery centers Storage is extremely inexpensive and small Smart phones and laptops are the norm – data resides outside the company, including on personal devices Phones often integrated with the computer network

26 26 What is the Cloud Virtualized servers and applications running in remote data centers that may have redundancy between data centers

27 27 Cloud Considerations Security –Cloud providers may be more of a target for hackers since they are widely known as service providers, however they also typically have very deep security resources to manage those risks –The cloud might be accessed from anywhere, so end user security access configurations tend to be more important –Third party cloud providers potentially have significant access to any system in their environment Key considerations –Can your internal IT resources secure your environment based on your risk profile better than the cloud? –Do you have strong enough end user security? –Does the cloud provider have a type 2 SOC 2 report over Security?

28 28 Cloud Considerations Availability and disaster recovery –Cloud providers tend to use hardened data centers with redundancy between locations –Heavy reliance on network connectivity to access cloud resources Key considerations –Do you think you can harden your data centers as well as the cloud data centers? –Has your disaster recovery and business continuity plan been revised to address end user computing? –Do you have adequate network redundancy? –Does the cloud provider have a type 2 SOC 2 report over Availability?

29 29 Cloud Considerations Privacy –Cloud providers may be more of a target for hackers since they are widely known as service providers, however they also typically have very deep security resources to manage those risks –Third party cloud providers potentially have significant access to any system in their environment –If there is a breach at the cloud provider you may still be responsible for compliance with privacy laws and the impact Key considerations –Are you able to comply with all of the privacy requirements relevant to your industry –Does the cloud provider have a type 2 SOC 2 report over Privacy?

30 30 Cloud Considerations Cost –With cloud providers there is much less capital spending –The cost of personnel with expertise in maintaining servers, infrastructure, and security can be spread across many organizations, potentially decreasing cost Key considerations –Are you comparing “apples to apples”?

31 31 Cloud Questions?

Download ppt "Top Questions Executives and Board Members Should be Asking About IT and Cloud Risks."

Similar presentations

The IT Staff of the Future: The Importance of IT Business Alignment for Staff Development Katherine Spencer Lee Executive Director Robert Half Technology.

The IT Staff of the Future: The Importance of IT Business Alignment for Staff Development Katherine Spencer Lee Executive Director Robert Half Technology.
Pros and Cons of Cloud Computing Professor Kam-Fai Wong Faculty of Engineering The Chinese University of Hong Kong.

Pros and Cons of Cloud Computing Professor Kam-Fai Wong Faculty of Engineering The Chinese University of Hong Kong.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
The Lucernex Cloud: A software-as-a-service solution delivered via the Cloud What is the Cloud? Cloud Computing is the future of all software applications,

The Lucernex Cloud: A software-as-a-service solution delivered via the Cloud What is the Cloud? Cloud Computing is the future of all software applications,
Cloud Computing EDT 7860. Cloud Computing Overview Cloud Computing can be defined as a network of applications, services, and infrastructure that are.

Cloud Computing EDT Cloud Computing Overview Cloud Computing can be defined as a network of applications, services, and infrastructure that are.
FIA Prague Preparation February 6, 2008. Scenario planning approach We cannot predict the future We cannot predict the future We do understand the drivers.

FIA Prague Preparation February 6, Scenario planning approach We cannot predict the future We cannot predict the future We do understand the drivers.
INFORMATION TECHNOLOGY FOR MINNESOTA GOVERNMENT Christopher P. Buse Assistant Commissioner and CISO State of Minnesota Mobile Device Management Assessing.

INFORMATION TECHNOLOGY FOR MINNESOTA GOVERNMENT Christopher P. Buse Assistant Commissioner and CISO State of Minnesota Mobile Device Management Assessing.
1 8 - Management and Operation of Technology Infrastructure Management and Operation of Technology Infrastructure.

1 8 - Management and Operation of Technology Infrastructure Management and Operation of Technology Infrastructure.
© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
The 2009 Cloud Consensus Report July 28, 2009 Bringing the Cloud Down to Earth Sponsored by the Merlin Federal Cloud Initiative.

The 2009 Cloud Consensus Report July 28, 2009 Bringing the Cloud Down to Earth Sponsored by the Merlin Federal Cloud Initiative.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Data Centers and IP PBXs LAN Structures Private Clouds IP PBX Architecture IP PBX Hosting.

Data Centers and IP PBXs LAN Structures Private Clouds IP PBX Architecture IP PBX Hosting.
SPRING 2011 CLOUD COMPUTING Cloud Computing San José State University Computer Architecture (CS 147) Professor Sin-Min Lee Presentation by Vladimir Serdyukov.

SPRING 2011 CLOUD COMPUTING Cloud Computing San José State University Computer Architecture (CS 147) Professor Sin-Min Lee Presentation by Vladimir Serdyukov.
1. 2 New Computing Models, and What They Mean to the Small and Mid Sized Business Consumer How your business can make practical decisions between “The.

1. 2 New Computing Models, and What They Mean to the Small and Mid Sized Business Consumer How your business can make practical decisions between “The.
5205 – IT Service Delivery and Support

5205 – IT Service Delivery and Support
Cloud Computing Stuart Dillon-Roberts. “In the simplest terms, cloud computing means storing & accessing data & programs over the Internet instead of.

Cloud Computing Stuart Dillon-Roberts. “In the simplest terms, cloud computing means storing & accessing data & programs over the Internet instead of.
Chapter-7 Introduction to Cloud Computing Cloud Computing.

Chapter-7 Introduction to Cloud Computing Cloud Computing.
© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Open Cloud Sunil Kumar Balaganchi Thammaiah Internet and Web Systems 2, Spring 2012 Department of Computer Science University of Massachusetts Lowell.

Open Cloud Sunil Kumar Balaganchi Thammaiah Internet and Web Systems 2, Spring 2012 Department of Computer Science University of Massachusetts Lowell.

Similar presentations

Ads by Google