Brad Boroff, CISA CRISC - Tax Admin Boroff, CISA CRISC Chief Information Security Officer Illinois...
Governance is the strategic alignment of operations with the agency such that maximum business value is achieved through the development and maintenance of effective control and compliance, performance management, and risk management.
Governance model (diagram labels): Risk, Control, Compliance, Agency

Risk
• Comprehensive Risk Assessments • Goals and Objectives • The Agency/Business • Consulting • Acquisition and Integrations • Vision / Forecasting
Charts the Course: • Direction • Speed • Destination • Finish

Controllership
• Policy Management • Access Management • Core Technology Standards • Project Services • Change Management • Data & Asset Management
• Policies • Standards • Procedures
The Operation: • Fuel • Power • Storage • Alterations

Compliance
• Measure • Self Audit • Reporting • Adherence • Investigations • Discipline
Gauging & Monitoring: • Performance • Inspections • Correction • Evaluate
Roles by governance function (Who / What):

Risk
Who: • Risk Council • Risk Champion
What: • Strategy • Prioritization • Risk acceptance • Executive

Controllership
Who: • Controller • Global Security • Project Services
What: • Operations • Digitization / Tools • Policy Management • Control Implementation

Compliance
Who: • Compliance/Disclosure • Audit Staff • Office of Compliance
What: • Assess compliance • Report adequacy • Standardization • Performance & Metrics
Governance – Program Building
Probability X Impact = Inherent Risk (No Controls Applied)
Inherent Risk X Controllership = Residual Risk (Controls Applied)
Definition of RISK (Merriam-Webster) 1: possibility of loss or injury : PERIL 2: someone or something that creates or suggests a hazard
Rating scales used in the two formulas (High / Medium / Low):
Probability: H=3 M=2 L=1
Impact: H=3 M=2 L=1
Controllership: H=1 M=2 L=3 (inverted scale: stronger controls give a lower multiplier)
Worked example 1:
Probability X Impact = Inherent Risk (No Controls Applied): 3 x 3 = 9
Inherent Risk X Controllership = Residual Risk (Controls Applied): 9 x 2 = 18
Control Considerations: 1) Good Policy 2) Intrusion Detection 3) Security Guards 4) Physical Barriers 5) Logical Barriers
Worked example 2:
Probability X Impact = Inherent Risk (No Controls Applied): 3 x 2 = 6
Inherent Risk X Controllership = Residual Risk (Controls Applied): 6 x 1 = 6
Control Considerations: 1) Good Policy 2) Comprehensive System 3) Research 4) Communication 5) Operations
Exercise (to be completed):
Probability X Impact = Inherent Risk (No Controls Applied): ? x ? =
Inherent Risk X Controllership = Residual Risk (Controls Applied): ? x ? = ?
Control Considerations:
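The two-step scoring model from the slides above, implemented as an added example (not the presenter's material) and run over a constructed risk register; the register rows, and the choice to report blank "?" ratings as unscored rather than guess them, are assumptions.

```python
# Added example (not from the presentation): the two-step risk scoring model
# described on the slides, run over a constructed risk register.

# Rating scales as given on the slides. Probability and Impact score High as 3;
# Controllership is inverted, so strong controls score 1 and weak controls score 3.
PROBABILITY_SCALE = {"H": 3, "M": 2, "L": 1}
IMPACT_SCALE = {"H": 3, "M": 2, "L": 1}
CONTROLLERSHIP_SCALE = {"H": 1, "M": 2, "L": 3}


def inherent_risk(probability: str, impact: str) -> int:
    """Probability x Impact = Inherent Risk (no controls applied)."""
    return PROBABILITY_SCALE[probability] * IMPACT_SCALE[impact]


def residual_risk(probability: str, impact: str, controllership: str) -> int:
    """Inherent Risk x Controllership = Residual Risk (controls applied)."""
    return inherent_risk(probability, impact) * CONTROLLERSHIP_SCALE[controllership]


def score_register(register):
    """Score every entry and rank highest residual risk first.

    Each entry is (name, probability, impact, controllership). Entries whose
    ratings are still blank ("?"), like the exercise slide, are reported as
    unscored instead of being guessed (assumed handling, not from the slides).
    """
    scored, unscored = [], []
    for name, p, i, c in register:
        if "?" in (p, i, c):
            unscored.append(name)
            continue
        scored.append((name, inherent_risk(p, i), residual_risk(p, i, c)))
    scored.sort(key=lambda row: row[2], reverse=True)
    return scored, unscored


# Constructed register: the first two rows are the worked examples from the
# slides; the other rows are hypothetical entries named after the top-ten list.
SAMPLE_REGISTER = [
    ("Worked example 1", "H", "H", "M"),                # 3 x 3 = 9, 9 x 2 = 18
    ("Worked example 2", "H", "M", "H"),                # 3 x 2 = 6, 6 x 1 = 6
    ("Unauthorized Access (Internal)", "M", "H", "L"),  # 2 x 3 = 6, 6 x 3 = 18
    ("Legacy/Out of Date Processes", "L", "M", "M"),    # 1 x 2 = 2, 2 x 2 = 4
    ("Exercise slide", "?", "?", "?"),
]

if __name__ == "__main__":
    ranked, pending = score_register(SAMPLE_REGISTER)
    for name, ir, rr in ranked:
        print(f"{name}: inherent={ir} residual={rr}")
    print("unscored:", pending)
```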
Top Ten List:
10) Legacy/Out of Date Processes
9) Rules and Regulations/Policy Management
8) Unauthorized Access (Internal)
7) Integration and Consolidation
6) Change Management
5) End User Controls or Ad-Hoc Solutions
4) Theft of Data
3) Industrial Espionage
2) Virus Attacks or Malware
1) Hacking/Cyber Security
CISO organization (org chart):
• Risk & Policy
• DR & Recovery Services
• Security Operations
• Access Admin
• Infrastructure
• Compliance and Disclosure Specialist
Investment: • Time • Acceptance • Change • Culture
Benefits: • Structure/Alignment • Stability • Sustainability • Best Practices • Effectiveness • Auditability • Demand Management • Tool Optimization • Visibility • Centralization
Establish IT Governance Program: Structure & Approach
Proposal to establish Governance Program (12-24 Months to Develop and Implement)
CISO / Internal Audit

Success Factors:
• Management Commitment and Sponsorship • Establish Appropriate Program Resourcing • Business Engagement & Inclusion • Ensuring Continuous Improvement Planning and Program Maturity • Program Auditability

Governance Program Management, Initial Activities:
• Obtain Senior IT Leadership Commitment • Determine & Engage internal resources • Develop and Deliver Risk Assessment • Perform Risk and Control Analysis • Control Framework Activities

Program stages:
Risk Assessments and Analysis
Control Management and Framework Activities
Sr. Management approval of Governance Concept and Implementation
Sustainable Governance Program
Monitoring and Compliance Mechanisms