Increasing scope and speeding up delivery while staying secure.
IT Risk in an Agile transformation.
Information Security Risk Management – ABN AMRO
Christian de Groot & Sander Oerlemans
2 © 2018 ServiceNow, Inc. All Rights Reserved. Confidential.
What you will learn
1. Key IT Risk challenges in the Agile context of ABN AMRO
2. The Agile IT Risk transformation of ABN AMRO
3. Lessons learned for ABN AMRO in this transformation
Agenda
Introduction
Challenges of the old IT Risk process in an Agile context
Objectives new IT Risk process and current solution
Lessons learned
Next steps
Q&A
ABN AMRO
• Retail, Private & Corporate Clients
• Full range of products, majority of products available via internet
• Operating income EUR 8,588 million
• 21,664 employees
• Amsterdam, 1720
ABN AMRO and scope IT Risk
IT Risk assessments performed on a periodic basis and in case of major changes.
Countries in scope: The Netherlands, USA, Brazil, UK, Singapore, Hong Kong, France, Germany, Belgium, Guernsey.
Assessments on IT processes
• Generic IT processes
Assessments on IT assets
• +/- 3000 applications
• IT infrastructure
• Internally hosted datacentre
• Cloud
• Vendors
• etc.
ABN AMRO organizational structure prior to Agile transition
• IT: IT ownership of IT assets
• Chief Operations Office: business ownership of IT assets
• Project Managers
• Business lines: business ideas for improvement
Transformation timeline: Waterfall → Start Agile Transformation (2015) → Traditional Enterprise with Agile teams (2016) → Full Agile Enterprise (currently here, October 2018)
ABN AMRO transforms to Agile organizational structure
• IT: centralized ownership of IT assets
• Business lines: business ideas for improvement
ABN AMRO transforms to Agile organizational structure
Business lines are organised in Grids; each Grid consists of Blocks. A Block has a Product Owner, BMs and an SM (labels as on the slide). Ideas for improvement come from the business lines.
Distinction between Business and IT ownership: Product Owners are always responsible for their (IT) products.
Challenge: lack of IT Risk ownership awareness.
ABN AMRO's old IT Risk process not fit for Agile
The old IT Risk Assessment process was tied to project milestones: an assessment at "start project" and one at "end project".
Challenge: timing of the IT Risk assessment unclear.
ABN AMRO increasingly digital
Challenge: scope of assessed assets and assessed controls too low.
ABN AMRO's outdated tooling and manual processes
Challenges: assessed controls not 100% accurate; manual processes and outdated tooling.
ABN AMRO's IT Risk process not compliant in Agile context
• Frequency too low
• Quality too low
• Awareness of ownership too low
Challenge: IT Risk process not compliant in Agile context.
Goals for new IT Risk process
Challenges of the old process:
• Lack of IT Risk ownership awareness
• Timing of IT Risk process unclear
• Scope of assessed assets and assessed controls too low
• Assessed controls not 100% accurate
• Manual processes and outdated tooling
• IT Risk process not compliant in Agile context
Objectives of the new process:
1. All assets should be in scope
2. All controls should be in scope
3. Assessed controls should be 100% accurate
4. Full awareness of Product Owners of their IT Risk ownership
5. Future-proof tooling (maximum automation and integration)
6. Prove compliance of the IT Risk process in the new Agile context
Our ServiceNow GRC solution – scope and accuracy
ServiceNow is the proven golden source for all IT assets, buildings and vendors.
Assessed assets (examples on the slide: Internet Banking, HR, Jira Adm) are linked to their controls.
Increased accuracy of assessed controls by using automatic profiling; profiles: Public, Confidential, Transactional, Cloud, Baseline.
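To make "automatic profiling" concrete, here is an added illustrative example (not ABN AMRO's process or ServiceNow's code): each profile from the slide is a predicate over asset attributes plus the controls it adds, so the applicable control set of an asset is derived from its attributes rather than hand-picked. It also computes the assessment-frequency status that the compliance dashboard later in the deck reports on. The asset names follow the slide; every attribute, control ID, date and the 180/365-day interval rule are assumptions made for illustration.

```python
# Added example (not ABN AMRO's or ServiceNow's code): automatic control
# profiling of IT assets and an assessment-frequency check for a compliance
# dashboard. Asset names follow the slide; attributes, control IDs, dates and
# the interval rule below are assumptions made for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    classification: str            # assumed values: "public", "internal", "confidential"
    transactional: bool
    cloud_hosted: bool
    last_assessed: Optional[date]  # None means never assessed


# Profile rules: a predicate over the asset's attributes and the controls the
# profile adds. Profile names come from the deck; control IDs are hypothetical.
PROFILE_RULES: dict[str, tuple[Callable[[Asset], bool], frozenset[str]]] = {
    "Baseline": (lambda a: True,
                 frozenset({"BL-01 access management", "BL-02 patch management",
                            "BL-03 security logging"})),
    "Public": (lambda a: a.internet_facing,
               frozenset({"PUB-01 web application firewall", "PUB-02 periodic pentest"})),
    "Confidential": (lambda a: a.classification == "confidential",
                     frozenset({"CONF-01 encryption at rest", "CONF-02 DLP monitoring"})),
    "Transactional": (lambda a: a.transactional,
                      frozenset({"TRX-01 four-eyes on payments", "TRX-02 fraud detection"})),
    "Cloud": (lambda a: a.cloud_hosted,
              frozenset({"CLD-01 vendor security review",
                         "CLD-02 cloud configuration baseline"})),
}

# Assumed frequency rule: assets matching a high-risk profile are assessed
# every 180 days, everything else yearly.
HIGH_RISK_PROFILES = frozenset({"Public", "Transactional"})


def profile_asset(asset: Asset) -> tuple[list[str], frozenset[str]]:
    """Return the profiles an asset matches and the union of their controls."""
    matched = [name for name, (applies, _) in PROFILE_RULES.items() if applies(asset)]
    controls = frozenset().union(*(PROFILE_RULES[name][1] for name in matched))
    return matched, controls


def assessment_interval(profiles: list[str]) -> timedelta:
    """Shorter cycle when any high-risk profile applies."""
    return timedelta(days=180) if HIGH_RISK_PROFILES & set(profiles) else timedelta(days=365)


def assessment_status(asset: Asset, today: date) -> str:
    """Classify an asset for the dashboard: ok / due soon / overdue / never assessed."""
    profiles, _ = profile_asset(asset)
    if asset.last_assessed is None:
        return "never assessed"
    due = asset.last_assessed + assessment_interval(profiles)
    if due < today:
        return "overdue"
    if due - today <= timedelta(days=30):
        return "due soon"
    return "ok"


def compliance_dashboard(assets: list[Asset], today: date) -> dict[str, int]:
    """Count assets per status; this is what a frequency-compliance widget shows."""
    counts = {"ok": 0, "due soon": 0, "overdue": 0, "never assessed": 0}
    for asset in assets:
        counts[assessment_status(asset, today)] += 1
    return counts


# Constructed sample inventory (attributes and dates are invented).
TODAY = date(2018, 10, 1)
SAMPLE_ASSETS = [
    Asset("InternetBanking", True, "confidential", True, False, date(2018, 3, 1)),
    Asset("HR", False, "confidential", False, True, date(2018, 6, 15)),
    Asset("Jira Adm", False, "internal", False, True, None),
]

if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        profiles, controls = profile_asset(asset)
        print(f"{asset.name}: profiles={profiles}, {len(controls)} controls, "
              f"status={assessment_status(asset, TODAY)}")
    print(compliance_dashboard(SAMPLE_ASSETS, TODAY))
```

The point of deriving controls from attributes is that the control set changes automatically when the golden source changes (an application moves to the cloud, a data classification is raised), which is what closes the "assessed controls not 100% accurate" gap; in practice the attributes would be read from the CMDB rather than typed in as here.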
Our ServiceNow GRC solution – Full Awareness
ServiceNow GRC: Control → Issue → Issue Task → JIRA backlog
A finding on a control is recorded as an Issue in ServiceNow GRC; its Issue Tasks are synchronised to the JIRA backlog, so the Product Owner's team sees the remediation work next to its other work.
Our GRC solution – Future proof tooling and automation
GRC is integrated with ITSM & Asset management.
Our ServiceNow GRC solution – Prove Compliance
Compliance of the IT Risk process:
✓ Risk assessment frequency sufficient
✓ Risk assessment quality sufficient
✓ Increased number of people who are carrying out assessments
Proof of compliance through dashboards for:
✓ Product Owners
✓ (Senior) Management
✓ 2nd Line (direct access)
✓ Internal Audit
Value outcomes
• 400 Product Owners
• 3000+ applications and other assets: all assets in scope
• Security check done by 400 Product Owners instead of 40 Risk Assessors
• CISO Operational IT Risk Assessment: from 3-6 months to 2-4 weeks, 7x faster
Lessons learned
1. Commitment from management of all affected business lines
2. Communication is key
3. Change people, process and culture instead of ServiceNow; use out-of-the-box functionality
4. Knowledge sharing with other companies (e.g. ServiceNow Summits & Knowledge)
5. Regular feedback sessions with ServiceNow experts
Our next steps
Training
• Training on the new process and tool for the whole organization
Integration
• Integration with cloud management
• Integration with vendor management
Control
• Control test automation by integrating with other applications
Checklist
• Implementation of the Risk Management part of GRC
Speaker introduction
Name: Christian de Groot
Title: Information Security Risk Manager
Function: CISO / IT Risk Management
Company: ABN AMRO
Experience/Expertise: 5 years experience in BI & data warehousing and KPI reporting. 4 years experience of improving Markets systems. 3 years experience in business process improvement (Lean Six Sigma). 1.5 years ABN AMRO CISO process and product development within IT risk management (current). MSc Business Information Systems.
Achievements: Roll-out of Financial Management data marts for MeesPierson; implementation of Intellimatch/Intellitracs for Markets back office and the Launcher platform for Markets front office; roll-out of the ServiceNow GRC module to the CISO organization and increased internal work collaboration by automating the IT risk assessment process within ABN AMRO.
Current Projects: Roll-out of the ServiceNow GRC module to the rest of the organization, including Product Owners in the IT risk assessment process.
Speaker introduction
Name: Sander Oerlemans
Title: Information Security Risk Manager
Function: CISO / IT Risk Management
Company: ABN AMRO
Experience/Expertise: 1.5 years IT risk management for ABN AMRO business line Retail; 1.5 years ABN AMRO CISO process and product development within IT risk management (current). BA Philosophy and MSc Information Studies: Business Information Studies.
Achievements: Roll-out of the ServiceNow GRC module to the CISO organization and increased internal work collaboration by automating the IT risk assessment process within ABN AMRO.
Current Projects: Roll-out of the ServiceNow GRC module to the rest of the organization, including Product Owners in the IT risk assessment process.