Brad Boroff, CISA CRISC - Tax Admin

Brad Boroff, CISA CRISC, Chief Information Security Officer, Illinois Department of Revenue


Governance is the strategic alignment of operations with the agency such that maximum business value is achieved through the development and maintenance of effective control and compliance, performance management, and risk management.

Governance model (diagram): Risk, Controllership and Compliance surround the Agency; the operating cycle is Assess, Manage, Monitor.

Risk

• Comprehensive Risk Assessments
• Goals and Objectives
• The Agency/Business
• Consulting
• Acquisition and Integrations
• Vision / Forecasting

Charts the Course:
• Direction
• Speed
• Destination
• Finish

Controllership

• Policy Management
• Access Management
• Core Technology Standards
• Project Services
• Change Management
• Data & Asset Management

• Policies
• Standards
• Procedures

The Operation:
• Fuel
• Power
• Storage
• Alterations

Compliance

• Measure
• Self Audit
• Reporting
• Adherence
• Investigations
• Discipline

Gauging & Monitoring:
• Performance
• Inspections
• Correction
• Evaluate

Roles by pillar (Who / What):

Risk
• Who: Risk Council, Risk Champion
• What: Strategy, Prioritization, Risk acceptance, Executive

Controllership
• Who: Controller, Global Security, Project Services
• What: Operations, Digitization / Tools, Policy Management, Control Implementation

Compliance
• Who: Compliance/Disclosure, Audit Staff, Office of Compliance
• What: Assess compliance, Report adequacy, Standardization, Performance & Metrics

Governance – Program Building

Program-building cycle (diagram): Vision, Assess, Policy Control, Monitor, Report, applied across Risk, Controllership and Compliance.

RISK

Probability X Impact = Inherent Risk (No Controls Applied)

Inherent Risk X Controllership = Residual Risk (Controls Applied)

Definition of RISK (Merriam-Webster) 1: possibility of loss or injury : PERIL 2: someone or something that creates or suggests a hazard

Rating scales: Probability H=3, M=2, L=1; Impact H=3, M=2, L=1; Controllership H=1, M=2, L=3 (strong controls score low). IR = Inherent Risk, RR = Residual Risk.

Probability X Impact = Inherent Risk (No Controls Applied)

3 x 3 = 9

Inherent Risk X Controllership = Residual Risk (Controls Applied)

9 x 2 = 18

Control Considerations:
1) Good Policy
2) Intrusion Detection
3) Security Guards
4) Physical Barriers
5) Logical Barriers

Probability X Impact = Inherent Risk (No Controls Applied)

3 x 2 = 6

Inherent Risk X Controllership = Residual Risk (Controls Applied)

6 x 1 = 6

Control Considerations:
1) Good Policy
2) Comprehensive System
3) Research
4) Communication
5) Operations

Probability X Impact = Inherent Risk (No Controls Applied)

? x ? =

Inherent Risk X Controllership = Residual Risk (Controls Applied)

? x ? = ?

Control Considerations:
1) ISO 27001 & ISO 27005
2) COBIT 5.0 (includes ValRISK)
3) SP 800-30

Top Ten List:
10) Legacy/Out of Date Processes
9) Rules and Regulations/Policy Management
8) Unauthorized Access (Internal)
7) Integration and Consolidation
6) Change Management
5) End User Controls or Ad-Hoc Solutions
4) Theft of Data
3) Industrial Espionage
2) Virus Attacks or Malware
1) Hacking/Cyber Security

CISO organization chart (diagram): Risk & Policy; DR & Recovery Services; Security Operations; Access Admin; Infrastructure; Compliance and Disclosure Specialist.

Investment:
• Time
• Acceptance
• Change
• Culture

Benefits:
• Structure/Alignment
• Stability
• Sustainability
• Best Practices
• Effectiveness
• Auditability
• Demand Management
• Tool Optimization
• Visibility
• Centralization


Establish IT Governance Program

Structure & Approach

Proposal to establish Governance Program (12-24 Months to Develop and Implement)

Program structure (diagram): CISO, Internal Audit, Governance, Program Management

Success Factors:
• Management Commitment and Sponsorship
• Establish Appropriate Program Resourcing
• Business Engagement & Inclusion
• Ensuring Continuous Improvement Planning and Program Maturity
• Program Auditability

Initial Activities:
• Obtain Senior IT Leadership Commitment
• Determine & Engage internal resources
• Develop and Deliver Risk Assessment
• Perform Risk and Control Analysis
• Control Framework Activities

Program roadmap (diagram): Risk Assessments and Analysis; Control Management and Framework Activities; Sr. Management approval of Governance Concept and Implementation; Sustainable Governance Program; Monitoring and Compliance Mechanisms.