Executive Summary (Risk Management)

EXECUTIVE SUMMARY LPPM UKRIDA Marcel STUDY OF IT GOVERNANCE FRAMEWORK MODELS, FOCUS AREA: RISK MANAGEMENT (CASE STUDY: INFORMATION SECURITY AT A UNIVERSITY) JUNE 2014, V1.0

description

Risk management study using frameworks.

Transcript of Executive Summary (Risk Management)

  • EXECUTIVE SUMMARY LPPM UKRIDA

    Marcel

    STUDY OF IT GOVERNANCE FRAMEWORK MODELS, FOCUS AREA: RISK MANAGEMENT

    (CASE STUDY: INFORMATION SECURITY AT A UNIVERSITY)

    JUNE 2014, V1.0

  • TATA KELOLA TI / IT GOVERNANCE Why should I care?

    IT governance is a subset discipline of corporate governance, focused on IT and its performance and risk management.

    Evolved from Total Quality Management & ISO 9001 Quality Management Systems.

    There is no single model of good corporate governance. - OECD

    Corporate Governance GCG (Good Corporate Governance)

  • TATA KELOLA TI / IT GOVERNANCE Where is IT Governance in Corporate Governance?

    Corporate Governance Scope, PricewaterhouseCoopers

    Where is IT? Where is Business?

    No separation. It is a blend.

  • TATA KELOLA TI / IT GOVERNANCE What is it?

    The interest in IT governance is value creation. Historically, board-level executives deferred key IT decisions to the company's IT management and business leaders. (Long-term goals)

    Short-term goals of those responsible for managing IT can be in conflict with the best interests of other stakeholders unless proper oversight is established.

    IT governance systematically involves everyone: board members, executive management, staff, customers, communities, investors and regulators.

    An IT Governance framework is used to identify, establish and link the mechanisms to oversee the use of information and related technology to create value and manage the risks associated with using IT.

  • TATA KELOLA TI / IT GOVERNANCE What is it?

    Various definitions of IT governance exist.

    Whilst in the business world the focus has been on managing performance and creating value, in the academic world the focus has been on "specifying the decision rights and an accountability framework to encourage desirable behavior in the use of IT."

  • TATA KELOLA TI / IT GOVERNANCE What is it?

    Although corporate governance involves many systems and structures, the heart of it lies in the boardroom (Bollard, 2003)

    IT Governance = leadership + Organizational Structure + Processes (ITGI)

    '(IT Governance) is an integral part of enterprise (corporate) Governance...' (ITGI)

    'IT Governance is the responsibility of the Board of Directors and Executive Management' (ITGI)

  • TATA KELOLA TI / IT GOVERNANCE Corporate Gov IT Gov IT Management

    IT Governance: creation of a setting in which others can manage effectively; business orientation: external; time orientation: future; do the right things!

    IT Management: the making of operating decisions; business orientation: internal; time orientation: present; do things right!

  • TATA KELOLA TI / IT GOVERNANCE Focus area / scope?

    1. Which IT-related decisions shall be taken?

    2. Which roles or people shall carry out those decisions?

    3. How shall these decisions be taken?

    4. How are the results to be monitored?

  • TATA KELOLA TI / IT GOVERNANCE Some facts?

    With the global economy showing signs of a gradual recovery, worldwide IT spending is on pace to total $3.8 trillion in 2014, a 3.2 percent increase from 2013 spending, according to the latest forecast by Gartner, Inc. (Gartner, April 2014)

  • TATA KELOLA TI / IT GOVERNANCE Some facts?

    Alinean ValueBase IT Spending Metrics for 20,000+ worldwide corporations

    Comparing IT spending versus revenue, we see that since 2004, IT spending as a percentage of revenue has been declining. IT spending lagged revenue growth substantially, declining as a percentage year over year.

  • Waves of Innovation & Economic Prosperity

  • TATA KELOLA TI / IT GOVERNANCE Waves of Innovation & IT Investment

  • TATA KELOLA TI / IT GOVERNANCE Corporate Gov IT Gov Information Security Gov

  • TATA KELOLA TI / IT GOVERNANCE Information Security Governance (Structural View)

    Information Security Governance OR Risk Management?

  • TATA KELOLA TI / IT GOVERNANCE Focus area / scope?

    IT Governance Focus Area, ITGI

  • TATA KELOLA TI / IT GOVERNANCE What is Information Security Governance?

    Information Security Governance consists of the leadership, organizational structures, processes/procedures, compliance enforcement/monitoring mechanisms and technologies that ensure that the Confidentiality, Integrity and Availability of the organization's electronic assets (data, information, software, ...) are maintained at all times.

  • TATA KELOLA TI / IT GOVERNANCE What is Information Security Governance?

    Information Security vs. IT Security

    Information Security: risk assessment, policies, implementation method of information risk control, e.g. ISO 27001, NIST, COBIT, RISK IT, 4A Risk Management Framework, etc.

    IT Security: risk control of IT, e.g. firewall, antivirus, encryption, etc.

  • TATA KELOLA TI / IT GOVERNANCE Information Security Governance in action

    Operational

    Tactical

    Strategic

  • TATA KELOLA TI / IT GOVERNANCE Main Topic of Information Security Governance

  • TATA KELOLA TI / IT GOVERNANCE Information Security

    Risk = Threat + Vulnerability + Impact

    Philosophy

    A.T. Kearney Analysis

  • TATA KELOLA TI / IT GOVERNANCE Information Security

    Risk Types Information Security Scopes

    The Weakest Link in security is People

  • Information Security (Global Institution Implementation Cycle)

    Step 1 : Get the Board's buy-in about IT Risk Management

    Step 2 : Select some guiding Best Practices

    Step 3 : Perform a basic risk analysis

    Step 4 : Create a Corporate Information Security Policy (CISP) and get the CISP signed by the Chairman/CEO

    Step 5 : Create the rest of the Information Security Policy Architecture

    Step 6 : Create an organizational structure for Information Security Governance

    Step 7 : Create an initial set of compliance/control measures and start using these measures to create reports on all 3 management levels.

    Step 8 : Create and implement an Awareness Program including aspects like information security job responsibilities

    Step 9 : Get the cycle going: kick-start the process

    Step 10 : Redo the risk analysis from time to time to identify possible new risks

    Step 11 : Keep the Information Security Policy Architecture up to date

    Step 12 : Refine and expand the compliance control measures to cater for newly identified risks, enforce compliance and keep reporting to top management

    Step 13 : Continue to make all users more Information Security aware

    Step 14 : Return to Step 10.

    Risk Response

  • Information Security (Risk Analysis Cycle)

    Step 1 : Perform a risk analysis to determine the risks to be managed

    Step 2 : Determine and create the policies needed to support the management of the identified risks

    Step 3 : Determine the data needed to actually manage the risks (you can only manage what you can measure)

    Step 4 : Determine the institution's capability to manage the identified risks with the data on hand

    Step 5 : Extract (gather) the data needed to reflect the status of every identified risk

    Step 6 : Determine (calculate) the status of every specific identified risk from the extracted data

    Step 7 : Represent the status of every risk in an easily understandable way

    Step 8 : Report the status to Executive Management

    Step 9 : Go back to Step 5.
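    The following is an added worked example, not part of the original slides: a small risk register that walks through Steps 4 to 8 of the Risk Analysis Cycle above using the deck's own formula Risk = Threat + Vulnerability + Impact. Each factor is rated 1 to 5, so a score lies between 3 and 15. The rating scale, the HIGH/MEDIUM/LOW bands, the sample university risks and the `evidence` field (which models Step 4: a risk with no measurable data source is reported as UNMEASURED rather than given a false status) are all assumptions made for this example.

```python
"""Toy risk register for the deck's Risk Analysis Cycle (Steps 4-8).

Constructed example; not code from the original slides. Scoring follows the
deck's additive formula Risk = Threat + Vulnerability + Impact with each
factor rated 1..5. Bands and sample data are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    threat: int          # likelihood the threat materialises: 1 (rare) .. 5 (frequent)
    vulnerability: int   # exposure of the asset: 1 (well controlled) .. 5 (no control)
    impact: int          # consequence for the institution: 1 (negligible) .. 5 (severe)
    evidence: Optional[str] = None  # data source backing the rating; None = not yet measurable


def validate(risk: Risk) -> None:
    """Reject ratings outside the assumed 1..5 scale before they reach a report."""
    for name in ("threat", "vulnerability", "impact"):
        value = getattr(risk, name)
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.risk_id}: {name} must be 1..5, got {value}")


def risk_score(risk: Risk) -> int:
    """Step 6: the deck's formula, Risk = Threat + Vulnerability + Impact (range 3..15)."""
    validate(risk)
    return risk.threat + risk.vulnerability + risk.impact


def risk_level(score: int) -> str:
    """Step 7: map a numeric score to a band the board can read (assumed thresholds)."""
    if score >= 12:
        return "HIGH"
    if score >= 8:
        return "MEDIUM"
    return "LOW"


def risk_status(risk: Risk) -> Dict[str, object]:
    """Steps 4 and 6: a risk without a data source cannot be managed with the data on hand,
    so it is flagged UNMEASURED instead of being given a status nobody can verify."""
    score = risk_score(risk)
    measured = risk.evidence is not None
    return {
        "id": risk.risk_id,
        "description": risk.description,
        "score": score,
        "level": risk_level(score) if measured else "UNMEASURED",
        "evidence": risk.evidence or "-",
    }


def build_report(register: List[Risk]) -> List[Dict[str, object]]:
    """Steps 5-7: status for every risk, highest score first (ties broken by id)."""
    rows = [risk_status(r) for r in register]
    rows.sort(key=lambda row: (-int(row["score"]), str(row["id"])))
    return rows


def executive_summary(rows: List[Dict[str, object]]) -> Dict[str, int]:
    """Step 8: the one-line view for executive management: how many risks sit in each band."""
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0, "UNMEASURED": 0}
    for row in rows:
        counts[str(row["level"])] += 1
    return counts


def render(rows: List[Dict[str, object]]) -> str:
    """Plain-text table for the report (Step 7: easily understandable representation)."""
    lines = [f"{'ID':<6}{'SCORE':>6}  {'LEVEL':<11}{'EVIDENCE':<22}DESCRIPTION"]
    for row in rows:
        lines.append(f"{row['id']:<6}{row['score']:>6}  {row['level']:<11}"
                     f"{row['evidence']:<22}{row['description']}")
    return "\n".join(lines)


# Step 5: constructed sample register for a university (invented data, not from the deck).
SAMPLE_REGISTER = [
    Risk("R-01", "Staff mailbox compromise via phishing", 5, 3, 4, "mail gateway reports"),
    Risk("R-02", "Unpatched student records server", 3, 5, 5, "patch compliance scan"),
    Risk("R-03", "Lost unencrypted staff laptop", 2, 4, 3, "asset/encryption inventory"),
    Risk("R-04", "Lab network outage", 2, 2, 2, "uptime monitoring"),
    Risk("R-05", "Unsanctioned cloud storage used by faculties", 3, 4, 3, None),
]

if __name__ == "__main__":
    report = build_report(SAMPLE_REGISTER)
    print(render(report))
    print("Summary:", executive_summary(report))
```

    Running the block prints the ranked register followed by the band counts. The UNMEASURED row is deliberately kept in the report: Step 3 of the cycle says you can only manage what you can measure, so the first action for that risk is to establish a data source (Step 5), not to pick a response.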

  • Information Security Cycle

    Security is a process

    Best practice for PDCA?

    There is no single model of good corporate governance. - OECD

  • TATA KELOLA TI / IT GOVERNANCE Risk Management Framework (Scenario to Responses)

    Outlook & Inlook Analysis

  • TATA KELOLA TI / IT GOVERNANCE Risk Management Framework (Scenario to Responses)

  • TATA KELOLA TI / IT GOVERNANCE Risk Management Framework (Scenario to Responses)

    Outlook & Inlook Analysis

  • TATA KELOLA TI / IT GOVERNANCE Risk Management Framework (Scenario to Responses)

  • Information Technology Lifecycle

    ALN Medical Management

  • TATA KELOLA TI / IT GOVERNANCE Information Technology Lifecycle (Acquisition)

  • TATA KELOLA TI / IT GOVERNANCE Risk Management Framework

    'The ITGI recommends that boards review the risk management approach for the most important IT-related risks on a regular basis, at least annually. Boards should be aware of any significant unmitigated ICT risks.' (ITGI)