Increasing scope and speeding up delivery while staying ... … · Company: ABN AMRO...

Increasing scope and speeding up delivery while staying secure. IT Risk in an Agile transformation. Information Security Risk Management – ABN AMRO Christian de Groot & Sander Oerlemans


Page 1: Increasing scope and speeding up delivery while staying ... … · Company: ABN AMRO Experience/Expertise: 5 years experience in BI & datawarehousing and KPI reporting. 4 years experience

Increasing scope and speeding up delivery while staying secure.

IT Risk in an Agile transformation.

Information Security Risk Management – ABN AMRO

Christian de Groot & Sander Oerlemans

Page 2

2 © 2018 ServiceNow, Inc. All Rights Reserved. Confidential.

What you will learn

• Lessons Learned for ABN AMRO in this transformation

• Learn About Key IT Risk Challenges in Agile Context of ABN AMRO

• Learn About Agile IT Risk Transformation of ABN AMRO

Page 3

Agenda

Introduction

Challenges of the old IT Risk process in an Agile context

Objectives new IT Risk process and current solution

Lessons learned

Next steps

Q&A

Page 4

ABN AMRO

• Retail, Private & Corporate Clients

• Full range of products, majority of products available via internet

• Operating income 8588 million

• 21664 employees

• Amsterdam, 1720

Page 6

ABN AMRO and scope IT Risk

IT Risk assessments performed on a periodic basis and in case of major changes.

USA

Brazil

UK

The Netherlands

Singapore

Hongkong

France

Germany

Belgium

Guernsey

Assessments on IT processes

Generic IT processes

Assessments on IT assets

• +/- 3000 applications

• IT infrastructure

• Internal hosted datacentre

• Cloud

• Vendors

• etc

Page 7

IT

IT ownership IT assets

Chief Operations Office

Business ownership IT assets

Project Managers

Business lines

Business ideas for improvement

ABN AMRO organizational structure prior to Agile transition

Full Agile Enterprise

Currently here (October 2018)

Traditional Enterprise with Agile teams (2016)

Start Agile Transformation (2015)

Waterfall

Page 8

ABN AMRO transforms to Agile organizational structure

IT

Centralized ownership IT assets

Business lines

Business ideas for improvement

Page 9

ABN AMRO transforms to Agile organizational structure

[Diagram labels: Business lines, Ideas for improvement, Grid, Block, Product Owner, BM, SM]

Distinction between Business and IT ownership


Product Owners are always responsible for their (IT) products

Lack of IT Risk ownership awareness

Page 10

ABN AMRO’s old IT Risk process not fit for Agile

Start project

End project

Old IT Risk Assessment process

Risk Assessment

Timing IT Risk assessment unclear

Page 11

ABN AMRO increasing digital

Scope assessed assets and assessed controls too low

Page 12

ABN AMRO’s outdated tooling and manual processes

OUTDATED TOOLING

MANUAL PROCESSES

Assessed controls not 100% accurate

Manual processes and outdated tooling

Page 13

ABN AMRO’s IT Risk process not compliant in Agile context


Frequency too low

Quality too low

Awareness ownership too low

IT Risk process not compliant in Agile context

Page 14

Goals for new IT Risk process

OBJECTIVES new process

1. All assets should be in scope

2. All controls should be in scope

3. Assessed controls should be 100% accurate

4. Presence of full awareness of Product Owner of IT Risk ownership

5. Future proof tooling (maximum automation and integration)

6. Prove compliance of IT Risk process in the new Agile context

CHALLENGES Old process

Lack of IT Risk ownership awareness

Timing of IT Risk process unclear

Scope assessed assets and assessed controls too low

Assessed controls not 100% accurate

Manual processes and outdated tooling

IT Risk process not compliant in Agile context

Page 15

ServiceNow proven golden source for all IT assets, buildings and vendors.

Our ServiceNow GRC solution – scope and accuracy

Assessed assets

Controls InternetBanking

HR Jira Adm


Increased accuracy of assessed controls by using automatic profiling.

Public

Confidential

Transactional

Cloud

Baseline


Page 17

ServiceNow GRC

Control

Issue

Issue Task

Our ServiceNow GRC solution – Full Awareness

JIRA

Backlog


MANUAL PROCESSES

Assessed controls not 100% accurate

Manual processes and outdated tooling

Page 18

Our GRC solution – Future proof tooling and automation

ITSM & Asset management

Page 19

Compliance IT Risk Process

Our ServiceNow GRC solution – Prove Compliance

✓ Risk Assessment Frequency Sufficient

✓ Risk Assessment Frequency sufficient

✓ Risk Assessment Quality is sufficient

✓ Increased number of people who are carrying out assessments.


Proof compliance through Dashboard

✓ Product Owners

✓ (Senior) Management

✓ Direct Access 2nd Line

✓ Internal Audit

Page 20

Value outcomes

400 Product Owners

3000+ Applications and other assets

An increase of

All assets in scope

Security Check done by 400 Product Owners instead of 40 Risk Assessors

CISO Operational IT Risk Assessment

From 3-6 months to 2-4 weeks

7X FASTER

Page 21

Lessons learned

1. Commitment from management of all affected business lines

2. Communication is key

3. Change People, Process and culture instead of ServiceNow; use out of the box functionality

4. Knowledge sharing with other companies (e.g. ServiceNow Summits & Knowledge)

5. Regular feedback sessions with ServiceNow experts

Page 22

Training

• Training new process and tool for whole organization

Integration

• Integration with cloud management

• Integration with vendor management

Control

• Control test automation by integrating with other applications

Check list

• Implementation of Risk Management part of GRC.

Our next steps

Page 24

Speaker introduction

Name: Christian de Groot

Title: Information Security Risk Manager

Function: CISO / IT Risk Management

Company: ABN AMRO

Experience/Expertise: 5 years experience in BI & datawarehousing and KPI reporting. 4 years experience of improving Markets systems. 3 years experience in business process improvement (lean six sigma), 1,5 years ABN AMRO CISO process and product development within IT risk management (current). MSc Business Information Systems.

Expertise: Achievements: Roll out of Financial Management Datamarts for MeesPierson, Implementation of Intellimatch/Intellitracs for Markets back office and Launcher platform for Markets front office, Roll-out ServiceNow GRC module to CISO organization and increased internal work collaboration by automating IT risk assessment process within ABN AMRO.

Current Projects: Roll-out ServiceNow GRC module to the rest of the organization - including Product owners into the IT risk assessment process.

Page 25

Speaker introduction

Name: Sander Oerlemans

Title: Information Security Risk Manager

Function: CISO / IT Risk Management

Company: ABN AMRO

Experience/Expertise: 1,5 years IT risk management for ABN AMRO business line Retail, 1,5 years ABN AMRO CISO process and product development within IT risk management (current), BA Philosophy and MSc Information studies: Business Information studies.

Expertise: Achievements: Roll-out ServiceNow GRC module to CISO organization and increased internal work collaboration by automating IT risk assessment process within ABN AMRO.

Current Projects: Roll-out ServiceNow GRC module to the rest of the organization - including Product owners into the IT risk assessment process.