Characteristics of a Mature IT RISK Management Program
As it relates to a Mature Corporate Governance Program which works to International Standards such as ISO 17999 and Basel II
Companies are required to Improve controls
• Examples of Laws Governing Companies
  • The Patriot Act
  • Sarbanes Oxley
  • Gramm-Leach-Bliley Act
  • HIPAA
Laws, Governance, Controls and the Overlap
• The laws all
  • Require various controls for various reasons
• Many controls in each law
  • Are identical to those in the other laws, but you have to make sure you cover all the angles
• You want to
  • Avoid excessive work effort to maintain compliance, but also want to ensure compliance
USA Patriot Act - Oct 2001
• Impacts:
  • Financial Institutions, ISPs and other companies that handle and store online communications
• Purpose:
  • Boost Government’s ability to track and prosecute terrorist activity through increased use of surveillance, information sharing, and other means.
• What does this mean:
  • Obliges financial institutions to report any suspicious activity regarding large money transactions.
  • Also obliges ISPs to allow Government agencies to collect information on users, including credit card and bank account information.
USA Patriot Act - Oct 2001
• Permits
  • A single judicial body to issue a nationwide order covering corporate communications
• Lets a single court order
  • Grant nationwide access to stored e-mail and communications records
• Treats stored voicemail like stored e-mail
• Allows investigators
  • To electronically eavesdrop on suspected instances of terrorism and computer crime – especially related to money laundering
Gramm-Leach-Bliley Act (GLBA) - November 1999
• Impacts:
  • Mainly Financial Institutions, but also any company that collects name, Social Security, and bank account numbers of employees and customers
• Purpose:
  • To protect information financial institutions collect about customers
• What does this mean:
  • The Safeguards Rule forces financial institutions to design, implement, and maintain safeguards to protect customer information.
GLBA
• Safeguards Rule
  • Requires
    • That customer information is adequately protected.
  • FFIEC favors
    • Risk analysis to assess the appropriateness and effectiveness of the safeguards
  • Requires
    • That an individual be identified to coordinate, monitor and test the safeguards
    • Often assigned to a third party to maintain separation of duties and impartiality
Sarbanes-Oxley Act - August 2002
• Impacts:
  • Any public company
• Purpose:
  • To restore investor confidence in the financial reporting of public companies and hold officers responsible for misrepresentation
• What does this mean:
  • Mandates quarterly reporting on how a company derives its quarterly financial report, including the controls and procedures used. The report is to be audited by a third party.
Sarbanes-Oxley Act - August 2002
• Develop processes and systems to ensure data integrity
• Track everyone who has access to data
• Store the resulting logs on secure media/SAN
Sarbanes-Oxley Act - August 2002
• Security and ops teams that manage networks and review logs
  • Need to have arm's-length relationships with business and IT functions to eliminate the opportunity for fraud
• Will require
  • Enterprise level monitoring to identify breaches and anomalies
  • Eventually will need to monitor all systems that feed financial reporting applications
HIPAA
• Health Insurance Portability and Accountability Act - August 1996
• Impacts:
  • Bank One, as a company that handles individual insurance information and provides health care clearinghouse and billing/data formatting services
• Purpose:
  • To improve portability while maintaining privacy and security of patient information
• What does this mean:
  • Privacy rule, security rule, and standards for medical providers, claims processors, and insurance companies - securing information and electronic communications.
References for model
• BASEL II
• ISO 17999
  • Provides 90% of the controls needed for compliance with various laws if a company is ISO compliant
• SEI – CMMI
  • Carnegie Mellon – Software Engineering Institute
  • http://www.sei.cmu.edu/cmmi/
  • Capability Maturity Model® Integration
• ISF
  • Information Security Forum
  • Working documents on
    • How to become a mature IT Risk Management function within a Mature Corporate Risk Management Governance Program
What makes a Mature ITRM?
• Processes to achieve Governance objectives
• Meeting Risk management requirements
• Robust reporting framework
• Strong internal control characteristics
• Behavior of a Mature ITRM that meets the criteria
• Benefits of meeting the criteria
Basel II View - Corporate ORM / Framework Standard Risk Categories (Basel Category, then Basel Risk, then Sub Risks)
People
  • Internal fraud
    • Employee fraud / Malice
  • Employment practices and workplace safety
    • Inadequate or loss of people resources
    • Employee disputes
Process
  • Clients, products and business practices
    • Documentation / Contract - Legal risk
    • Valuation / Model
    • Project / Change management initiatives
    • Fiduciary / Trust
    • Client & Service Interaction
  • Execution, delivery and process management
    • Transaction Process Failure
    • Physical security
    • Regulatory/Compliance
    • Suitability
    • Financial reporting / Accounting & Tax
    • Privacy/Confidentiality
Systems
  • Business disruptions and systems failures
    • Business continuity
    • Failed systems
    • Information security
    • Hardware
    • Software
    • Communications
    • Interfaces
External
  • External fraud
    • Outsourcing risk / Third party performance
    • Customer / Counterparty fraud
  • Damage to physical assets
    • External Disaster
ISO 17999 (aka 17799)
• Establishes best practices for secure deployments
  • Policies
  • Procedures
  • Operations
  • Business continuity
  • Incident management
• Ref: http://www.bsitraining.com/infosecurity_standards.asp#17999
Processes to achieve Governance objectives
• Key IT RISK Process
  • Policy Framework
• Objectives
  • Board and Management committed
  • Statement on how risk will be managed
  • Degree of risk that will be accepted
  • Assignment of responsibility for managing risk
  • Cost/benefit process for acceptance of the risk appetite level
Processes to achieve Governance objectives
• Key IT RISK Process
  • Risk Process
• Objectives
  • Process to identify and assess the risk associated with each layer of an IT Asset, starting with the Business process
  • Tools in place to measure risk
  • Controls in place to ensure tools and processes are running at the expected level of maturity
  • Processes are equal to or better than those of business peers and meet general practice criteria for assessment processes
Processes to achieve Governance objectives
• Key IT RISK Process
  • Control framework
• Objectives
  • Controls that assess and manage risk are monitored to ensure against failure or unacceptable results
  • Controls are designed to monitor for compliance and report the status of the risk profile
  • IT Risk Staff and clients/employees are informed of rules and regulations and made aware of current risk issues
Processes to achieve Governance objectives
• Key IT RISK Process
  • Control framework
• Objectives (continued)
  • Employees are trained in effective risk management practices as well as developed for job enhancement/advancement
  • Rewards are based on performance against agreed objectives. Failures and inappropriate actions are dealt with
  • Loss management controls are in place to detect and respond to fraud and corruption activities
  • Controls are in place and working to ensure the security of assets
Risk Management Requirements
• A mature risk management structure
  • Covers the entire organization, with clearly defined roles and responsibilities
• IT RISK Management Requirement:
  • An ITRM structure
    • covering the entire organization,
    • with clearly defined roles and responsibilities,
    • which is consistent with the organization’s risk management structure
    • and has a good interface with other areas.
Risk Management Requirements
• A mature risk assessment process
  • Identifies and evaluates key risks, and is consistent across all risk areas and the organization
• IT RISK Management Requirement:
  • An Information risk assessment process which is consistent across the organization and will as a minimum:
    • Identify the nature and extent of information risks facing the organization
    • Assess the likelihood of the information risks materializing
    • Establish the cost/benefit analysis of implementing controls to manage information risks (including proportionality, such as what peer organizations are doing).
Risk Management Requirements
• Policies, standards, and procedures developed and implemented
  • To ensure all identified risks are managed within the organization’s risk appetite
• IT RISK Management Requirement:
  • Policies, standards, and procedures developed and implemented to ensure that all identified information risks are managed, including:
    • Establishing the acceptable information risks (known as risk appetite)
    • Ensuring there is an adequate response to directions from the board
    • Implementing impact reduction by use of control measures (ability to prevent, detect, and recover from an incident)
Risk Management Requirements
• A process
  • For the regular monitoring of risk management processes and the carrying out of corrective action.
• IT RISK Management Requirement:
  • Procedures to monitor the effectiveness of controls and the integrity of the information risk management processes
Risk Management Requirements
• A process
  • For regular risk reporting to executives and to the Board, with facilities to enable the assimilation of feedback into the risk processes
• IT RISK Management Requirement:
  • A process for regular reporting of information risks to executives and to the Board, with facilities to enable the assimilation of feedback into the information risk management processes
Risk Management Requirements
• A process
  • To communicate appropriate risk information to the organization’s stakeholders.
• IT RISK Management Requirement:
  • A process to communicate information about information risks to the organization’s stakeholders, both internally and externally
ITRM Reporting
• Key Reporting Indicator
  • Information Risk Incidents
• Objective
  • To provide detailed information to the Board on any information risk incidents that have occurred within the organization, above an agreed cost/impact threshold.
• Characteristics
  • Total number of incidents this period
  • Total number of incidents this financial year
  • Number of incidents above the threshold
  • For each incident above the threshold
    • An impact assessment for each incident
    • Statement of how the incident was handled
    • Key indicators for the incident (cost, resources expended)
    • Time before the incident was under control
ITRM Reporting
• Key Reporting Indicator
  • Cost effectiveness of ITRM
• Objective
  • To provide high-level information to the Board on the cost effectiveness of ITRM
• Characteristics
  • Cost of all ITRM controls
  • Effective cost of doing nothing
  • Ratio of the cost of controls against doing nothing
  • Benchmarking against peer organizations
  • Compliance with ITRM controls as a percentage
  • Annual report on the effectiveness of the risk management process
ITRM Reporting
• Key Reporting Indicator
  • Exposure to Litigation
• Objective
  • To provide information to the Board on the potential for litigation or regulatory action as a result of information risks
• Characteristics
  • Current legal proceedings and cumulative cost
  • Current regulatory exceptions and cumulative cost
  • Existing breaches of legislation (by legal instrument)
  • Existing breaches of regulation
  • Level of compliance with legislation as a percentage
  • Potential cost of legislation breaches
  • Potential cost of regulation breaches
ITRM Reporting
• Key Reporting Indicator
  • Assessment of information risks
• Objective
  • To provide information to the Board on the current assessment of information risks
• Characteristics
  • Top Ten information risks
    • Likelihood of impact
    • Potential magnitude of impact
    • Assessment of risks against risk appetite
    • Identification of critical applications at risk
    • Availability and cost of control measures
  • Top Ten current threats and vulnerabilities (broken down in a similar fashion to the top ten information risks)
  • Top Ten emerging threats and vulnerabilities (broken down in a similar fashion to the top ten information risks)
ITRM Reporting
• Key Reporting Indicator
  • Status of incident management procedures
• Objective
  • To provide information to the Board on the current status of information risk incident management procedures
• Characteristics
  • Information on the status of the information risk incident management process is required, both for the organization and peer organizations. Where possible, the information should be broken down as:
    • Cost of incident management resources
    • Performance against key performance indicators
    • Time to mobilize key resources
    • Benchmark against peer organizations
    • Improvements required (with associated cost)
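The Information Risk Incidents and Cost effectiveness indicators described above, worked through as an added Python example that is not part of the original slides: it builds the Board-level figures from constructed incident records. The field names, the agreed threshold and the sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Incident:
    """One information risk incident as it would be logged for Board reporting."""
    ident: str
    occurred: date
    cost: float              # assessed impact/cost (currency units)
    hours_to_control: float  # time before the incident was under control
    resources: int           # staff engaged in handling it
    handling: str            # statement of how the incident was handled


def incident_report(incidents, period_start, period_end, fy_start, threshold):
    """KRI: Information Risk Incidents. Counts for the period and the financial
    year, plus per-incident detail for those above the agreed threshold."""
    in_period = [i for i in incidents if period_start <= i.occurred <= period_end]
    in_fy = [i for i in incidents if fy_start <= i.occurred <= period_end]
    notable = [i for i in in_period if i.cost >= threshold]
    return {
        "incidents_this_period": len(in_period),
        "incidents_this_fy": len(in_fy),
        "incidents_above_threshold": len(notable),
        "detail": [
            {"id": i.ident, "impact": i.cost, "handling": i.handling,
             "resources": i.resources, "hours_to_control": i.hours_to_control}
            for i in sorted(notable, key=lambda i: i.cost, reverse=True)
        ],
    }


def cost_effectiveness(control_cost, cost_of_doing_nothing, controls_in_place, controls_required):
    """KRI: Cost effectiveness of ITRM. Ratio of the cost of controls against the
    effective cost of doing nothing, and compliance with ITRM controls as a percentage."""
    return {
        "control_cost": control_cost,
        "cost_of_doing_nothing": cost_of_doing_nothing,
        "ratio": control_cost / cost_of_doing_nothing,
        "compliance_pct": 100.0 * controls_in_place / controls_required,
    }


# Constructed sample incidents (assumed values, not real data).
SAMPLE = [
    Incident("INC-1", date(2004, 1, 12), 250_000.0, 36.0, 6, "Contained; affected hosts rebuilt from clean media"),
    Incident("INC-2", date(2004, 2, 3), 12_000.0, 4.0, 2, "Fraudulent site taken down via the hosting ISP"),
    Incident("INC-3", date(2003, 11, 20), 90_000.0, 20.0, 4, "Privileged account disabled; logs preserved for audit"),
    Incident("INC-4", date(2004, 3, 15), 5_000.0, 2.0, 1, "Lost laptop; disk encrypted, no data exposure"),
]
THRESHOLD = 50_000.0  # agreed Board cost/impact threshold (assumed)


def sample_report():
    # Reporting period Q1 2004 within a financial year that started 1 Oct 2003 (assumed).
    return incident_report(SAMPLE, date(2004, 1, 1), date(2004, 3, 31), date(2003, 10, 1), THRESHOLD)


if __name__ == "__main__":
    print(sample_report())
    print(cost_effectiveness(400_000.0, 1_600_000.0, 45, 50))
```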
Understanding Maturity levels
• Benefits of a Mature ITRM function
• Levels of maturity and characteristics of each level
• Next steps
  • Finding your own level of maturity
  • Building a program to be the best
Benefits of a Mature ITRM function
• Benefit:
  • Improves the Quality of Decision Making
• Argument for benefit:
  • The rigor that can be applied to the Board decisions by knowledgeable, independent directors is significant in enhancing the quality of those decisions
Benefits of a Mature ITRM function
• Benefit:
  • Improves access to inward investment
• Argument for Benefit:
  • Reduces the perception of risk by investors and market analysts through transparency and accountability.
  • Helps to influence the organization’s ability to raise finance by demonstrating a commitment to the protection of shareholders’ assets.
  • Fundamental to restoring trust in capital markets.
Benefits of a Mature ITRM function
• Benefit:
  • Reduces risk
• Argument for benefit:
  • Helps ensure that the Board’s objectives and the organization’s strategy take into account the needs of stakeholders, therefore reducing the risk of costly conflict.
  • Establishes a structure where the organization can manage risk and develop a strong relationship between the organization and Board on risk management.
  • Helps to reduce the risk of fraud through implementation of strong controls, which are regularly reviewed for integrity
Benefits of a Mature ITRM function
• Benefit:
  • Stimulates performance
• Argument for Benefit:
  • Corporate governance establishes a clear link between performance and rewards, which encourages the organization to improve performance.
Benefits of a Mature ITRM function
• Benefit:
  • Demonstrates organizational integrity
• Argument for benefit:
  • Problems emerge early and are quickly dealt with in an organized manner rather than remaining hidden, which gives the impression of deception in the markets.
Benefits of a Mature ITRM function
• Benefit:
  • Improves business relationships
• Argument for Benefit:
  • Demonstrates a heightened awareness of the needs of stakeholders by taking into account their interests when making decisions.
  • Promotes stronger relationships.
Benefits of a Mature ITRM function
• Benefit:
  • Improves public perception and marketability
• Argument for benefit:
  • Increased awareness of stakeholder needs and concentration on corporate social responsibility encourages organizations to act in a more publicly acceptable manner.
  • This improves the way in which the organization is perceived as a socially responsible business.
Levels of Maturity Matrix
• 5 levels of maturity based on behaviors
  • Poor Behavior
  • Fair Behavior
  • Medium Behavior
  • Good Behavior
  • Excellent Behavior
Levels of Maturity Matrix
• Criteria to apply against each level of maturity
  • C1 - CMMI (Capability Maturity Model® Integration) maturity level (refer: http://www.sei.cmu.edu/cmmi/)
  • C2 - Assimilate ITRM direction from the Board into existing processes to create an effective ITRM structure
  • C3 - Adequacy of Information Risk Assessment Processes
  • C4 - How comprehensive, effective, and proactive is the management of information risk and the implementation of controls
  • C5 - How the organization ensures the integrity and effectiveness of information risk management processes
  • C6 - Adequacy and level of ITRM reporting
  • C7 - Adequacy and level of ITRM communication both within and outside the corporation
Level of Maturity – Poor Behavior
• C1 - Initial – process unpredictable, poorly controlled, and reactive
• C2 - Handles direction from the Board as separate and un-coordinated requests.
  • ITRM structure is poor and inflexible
• C3 - Employs immature ITRM processes which are inconsistent and have limited effectiveness
• C4 - Implements few controls and reacts to Information risk incidents as they occur
Level of Maturity – Poor Behavior
• C5 - Employs ITRM processes which may be generally adequate but are not typically reviewed
• C6 - ITRM processes provide inadequate information which is only reported to the next level in the organization
• C7 - ITRM information is rarely communicated to any level of the organization
Level of Maturity – Excellent Behavior
• C1 - Optimizing – focus on process improvement
• C2 - Manages and assimilates Board Direction on ITRM using well established procedures.
  • ITRM structure is both consistent and flexible in response to change
• C3 - Employs ITRM processes which cover the entire business, are mature and are appropriate to meet objectives.
• C4 - Responds proactively to all information risks within the risk appetite through a comprehensive combination of baseline and targeted controls
Level of Maturity – Excellent Behavior
• C5 - Employs comprehensive and effective ITRM processes which are regularly reviewed
• C6 - Maintains Board level ITRM reporting processes which are timely, adequate, and appropriate
• C7 - Maintains a high level of effective ITRM communication at its own level throughout the organization
Criteria for Strong controls needed to meet Governance objectives
• There is a system for the identification, evaluation, management, and control of KEY risks
• An adequate internal control environment with a regular review mechanism exists, including board level oversight
• Effective monitoring and corrective action processes exist
• Appropriate channels exist for risk communication and information flow with peers, staff and upper management
Next Steps
• Finding the level of maturity for your program
  • Where do you fit in each category?
  • What is your current capability?
  • What are your shortfalls?
  • What are the risks of failing to Mature?
• Building your plan
  • Understand the Corporate Governance program
  • Understand the Corporate Risk Management program
  • Align with Corporate Operational Risk Management programs
  • Plan to change areas of maturity weakness
  • Sell the program
Level of Maturity – Fair Behavior
• C1 - Managed – process characterized for projects and is often reactive; each project or effort can do its own thing
• C2 – Direction from the Board
  • Acted on as it occurs and is assimilated into some existing processes.
  • ITRM structure is stable but not very flexible
• C3 - Employs adequate ITRM processes where the coverage is known but not at all complete
• C4 - Manages some information risks through limited and inconsistent assessments and control implementations