Presentation transcript:

© 2006 Industry Direct Ltd. All Rights Reserved.

Slide 1: Enabling Efficient Risk Management Policy Execution
"Curing CEO Insomnia With A Proactive & Sustainable IT Strategy For Risk Management"
Presented by: Neil MacArthur, IDL Director of Strategy

This entire 21 screen presentation is copyright IDL 2006 all rights reserved & no reproduction or presentation is permitted without written permission from IDL. Repeatable Solution Sales & Compliance On Demand are IDL trademarks in the USA, UK and other countries. Monetary values quoted may be £ equivalent of another currency. Neither ITEX nor IDL guarantee making companies compliant.

Slide 2: Contents
1. The Business Case
2. The Standards Based Solution Strategy
3. The Engagement Model
4. Next Steps

Section 1: The Business Case
Risk & Compliance Quotation: "An inability to source & format data with sufficient integrity can cost an organisation both financially & legally." (Butler Group)

Slide 4: In Legal
The Law Society is about to publish "Information Security Guidelines For Solicitors". One significant problem this will pose is executing the guidelines without a framework or standards based approach as the foundation for an integrated Information Security Management System.
"The Law Society Information Security Guidelines are intended to assist solicitors achieve good practice in relation to information security." (Law Society, October 2006)

Slide 5: In Public Sector
The adoption of the Gershon Report and the Technology Transformation policy by the public sector is having a significant impact on ISO standards adoption in key areas:
- NHS Trusts
- Police Forces [CJIT]
- Local & Metropolitan Councils
As the new ISO standards only appeared in Q4 2005, it was not until the FY06/07 public sector ICT plans that early implementation of the ISO standards based approach was detected, with the most significant phase anticipated in FY07/08. (IDL Analysis, Autumn 2006)

Slide 6: In Financial Services
Financial services organisations, for example, have a major problem with the cost of regulatory compliance, as they have to meet multiple regulations including Sarbanes-Oxley, Basel II, Solvency II, Anti-Money Laundering, Data Privacy, SEPA and others.
"This year, financial services institutions (FSIs) are investing an estimated £35 billion globally in IT solutions for risk & compliance. However, TowerGroup finds that 30 percent of these IT investments may be considered wasteful. Given their tactical compliance purpose, many risk & compliance solutions are duplicated over multiple functional silos or are applied to inefficient legacy technology systems." (TowerGroup)

Section 2: The Standards Based Solution Strategy
Risk & Compliance Quotation: "Many of the necessary IT components [for compliance] may already be in place, but they must be integrated & standardized across the business." (Gartner)

Slide 8: Corporate Governance & IT Governance
Corporate Governance relies upon IT Governance to support efficient & sustainable risk & compliance, using an integrated, not fragmented, IT solution. This is Phase #2.
[Diagram: Corporate Governance resting on IT Governance, with the IT layers Processes, Applications, Infrastructure and Content.]

Slide 9: Risk & Compliance Phase #2 Overview
IT solutions for risk & compliance have evolved from "point solutions" and the use of manual or legacy systems to the adoption of best practice frameworks such as the COSO Enterprise Risk Management Integrated Framework, COBIT or ITIL. Today, ISO certification is also available to ensure a robust, efficient & effective best practice implementation of risk & compliance policies at the lowest cost.
[Diagram: Risk management & compliance evolution. Phase #1: manual, legacy or point solutions for risk & compliance. Phase #2: best practice COSO integrated policy framework for risk & compliance, plus ISO standards for risk & compliance subjects.]

Slide 10: Best Practice Evolution
Integrated IT risk management & compliance best practice evolution.
[Diagram: evolution from Financial Control to Integrated Management & Control, across Enterprise and SMB. Milestones shown: COSO Internal Control - Integrated Framework [SEC endorsed]; IT Control Objectives for Sarbanes-Oxley (ITGI); COSO Enterprise Risk Management - Integrated Framework; Institute of Internal Auditors endorsement of the COSO ERM Framework; Guidance For Smaller Public Companies Reporting On Internal Control; ISO IT Service Management; ISO series information security.]

Slide 11: Best Practice Implementation
Risk management covers multiple areas of risk that a corporation needs to formally monitor and manage to stay efficient and compliant. Best practice is the COSO Enterprise Risk Management - Integrated Framework [ for policy used by auditors, setting the corporate governance agenda, supported by ISO standards based IT.
[Diagram: risk areas Credit, Market, Liquidity, Hazard, Trading, Systems and Legal; cycle: risk assess >>> risk policy >>> implementation >>> report >>> update risk policy; layers: COSO Enterprise Risk Management Integrated Policy Framework over COBIT & ITIL, ISO IT Service Management and ISO Information Security.]

Slide 12: Compelling Value
"78% of businesses that adopt standards feel prepared to handle catastrophic IT failure; only 28% of businesses without standards adoption feel prepared for IT catastrophe. Furthermore, 71% of businesses that adopt standards feel prepared to deal with failure in the supply chain, whereas only 43% of those without standards feel prepared." (Business Standards Magazine, reporting on BSI research)
Automating the adoption of standards will further reduce risk and cost.

Slide 13: Framework & Standards Adoption
New IDL analysis in Q demonstrates the adoption of a standards and framework strategy in risk management across 50 major European financial service institutions.
Frameworks & Standards Adoption, Autumn 2006:
- COSO Enterprise Risk Management: 45%
- ISO Information Security: 30%
- IT Infrastructure Library [ITIL]: 41%
- ISO IT Service Management: 29%
- Control Objectives for Information & Related Technology [COBIT]: 37%

Section 3: The Engagement Model
Risk & Compliance Quotation: "The IIA advocates for an Enterprise Risk Management process that takes into account all aspects of a company." (The Institute of Internal Auditors)

Slide 15: Integrated IT Risk & Compliance Solutions
Corporate Governance relies upon IT Governance support for efficient & sustainable risk & compliance, which is an integrated, not fragmented, IT infrastructure solution. The IT solution set requires an integrated and scalable implementation, probably using a blended on-site and off-site delivery model.
[Diagram: Integrated Corporate Governance resting on Integrated IT Governance, with the IT layers Processes, Applications, Infrastructure and Content.]

Slide 16: Engagement
The US IT Governance Institute [ITGI] has developed a "best practice" engagement process to align a corporation's risk & compliance policy to an integrated IT solution.
#1 Plan & Scope: driven by policy
#2 IT Risk Assessment
#3 Identify Accounts & Controls
#4 Document IT Controls
#5 Evaluate Control Design
#6 Evaluate Operations
#7 Scope & Remediate
#8 Updated Documentation & Approval
#9 Build Sustainability & Scale To ERM
ITGI best practice scoping model [

Slide 17: ISO Standards Based IT Governance
The expanding range of internationally accepted standards has generated substantial interest in a common, independent and certifiable strategy for sustainable IT governance.
[Diagram: IT service management process groups. Service Delivery: Capacity Mgmt., Service Level Mgmt., Info. Security Mgmt., Service Continuity & Availability Mgmt., Service Reporting, Budget & Accounting for IT Services. Control: Configuration Mgmt., Change Mgmt. Release: Release Mgmt. Resolution: Incident Mgmt., Problem Mgmt. Relationship: Business Relationship Mgmt., Supplier Mgmt. Service Delivery and Service Support including Service Desk. Standards referenced: ISO, ISO, BS, PAS 77: ITSCM.]

Slide 18: Thank You
Neil MacArthur, IDL Director of Strategy