Presented by Wayne Tufek at CISO Platform Annual Summit, 2013. Wayne Tufek is currently the IT Security and Risk Manager at the University of Melbourne. His career spans over 17 years as an active hands-on practitioner of information security and technology risk management. He has worked in the public sector, Big 4, financial services, consumer products and education sectors.
3. Overview of IT Risk
• Risk
• IT Risk
• IT Governance
• Risk management
4. What Causes IT Risk?
• George Westerman from MIT Sloan
• http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/
– Failure of oversight and governance processes (ineffective IT governance)
• Series of poor decisions and badly structured IT assets
• Locally optimised decisions
• Lack of business involvement
– Uncontrolled complexity
– Inattention to risk
• IT risk results from decision-making processes that ignore the full range of business needs that arise from using IT
5. The Business Consequences of IT Risk
• Agility
• Accuracy
• Access
• Availability
Source: George Westerman
http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/
6. The Business Consequences of IT Risk (cont)
Enterprise IT Risks
• Availability
– Business continuity
– DRP
• Access
– Information protection
– Knowledge sharing
– Preventing attacks
• Accuracy
– Data integrity
– Regulatory compliance
• Agility
– Ability to implement major strategic change
Source: George Westerman
http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/
IT Risk Factors
• Technology & Infrastructure
– Configuration management
– Degree of standardisation
– Age of technology
• Applications & Information
– Architecture complexity
– Redundancy
– Data integrity
– Degree of customisation
• People & Skills
– Turnover
– Skills planning
– Recruiting/training
• Vendors & Other Partners
– SLAs
– Use of firm's standards
– Sole source risk
• Policy & Process
– Controls
– Degree of standardisation
– Accountability
• Organisational
– IT/Business relationship
– Cost cutting
– Complexity
– Funding
7. Example Risk Factors
• Availability
– Alternative site
– Excessive time to restore (RTO, RPO, MTO)
– Special hardware or equipment or a unique environment
– Network links
8. Example Risk Factors
• Access
– Financial impact of unauthorised modification of data
– Impact of unauthorised disclosure
– Are duties segregated?
– Is access based on the user's role?
– Can the system track user actions and provide reports?
– How effective is the access provisioning/deprovisioning process?
9. Example Risk Factors
• Accuracy
– What is the financial impact of incorrect applications?
– How will inaccuracy impact customers and the organisation's reputation?
– What regulatory and government compliance is required?
– Is there a high level of customisation?
– Are calculations performed by any third parties?
10. Example Risk Factors
• Agility
– Is the system hard coded with custom features that are difficult to modify?
– Is the system supported by the vendor?
– Does the system require hard-to-obtain technical resources to maintain support?
– Can the system be scaled in terms of volume?
– Is the documentation adequate?
– Does the system run on out-of-date software?
11. Example
• Single Sign-On implementation
• Agility
• Accuracy
• Access
• Availability
Source: George Westerman
http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/
12. Example
• Moving corporate data to the cloud
• Agility
• Accuracy
• Access
• Availability
Source: George Westerman
http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/