Security and risk governance. An operational model
Table of Contents

- Ecosystem not enterprise
- Segregation of duties
- Operating model
- Organizational structure
- Governance
- The benefits
- Forward steps

Ecosystem not enterprise

Gartner predicts that by 2017, the proportion of corporate IT spending that will be spent outside the internal IT organization will rise from 38%, at present, to over 50%. [1]

Changes to the business model and underlying IT functions are driving the need for a clearer, better approach to information security governance: one that's increasingly flexible in its response and quicker in dealing with business change and the need for innovation.

Adoption of cloud services, part of this change, is driven by organizations' desire to reduce costs, increase flexibility, and quickly adapt to future business requirements. The result: organizations no longer own the end-to-end operations of their IT organizations. The assets belong to, and are under the control of, a remote third party. The data held in that infrastructure is still owned by the organization, so it remains legally responsible for it. Still, the data is processed outside the organization's direct control, and potentially in multiple geographic locations.

The increasing demand for mobility and access to any data, at any time, at any place, and on any device has coincided with the increased use of personal devices. Moreover, this access is no longer restricted to employees. Partners, third parties, and customers also need access to core system information. This means your organization's data may be processed and held externally, and used on non-corporate devices, all of which is out of your direct control. Yet this data is still your organization's lifeblood, and it's still the organization's responsibility to ensure full compliance with regulatory and privacy-related requirements.

So, what are the new governance requirements and resulting risks arising from this New Style of Business?

With an ever more technologically advanced business operation, organizations face even more sophisticated high-tech cyber threats. The news is full of recent cyber events, resulting in significant financial impacts and personal consequences after attacks within global businesses. As a consequence, there is a greater need to manage new risks. An organization can only plan appropriate defense strategies to manage and prevent cyber breaches by understanding these risks and balancing them against the business opportunity that change enables. This requires an information governance structure in which everyone knows who is responsible for what, who reports to whom, and what steps need to be taken to defend against and respond to a cyber-attack. It's essential to lay out your organization's structure to manage these elements and ensure that today's business requirements are reflected in a business-led security governance and management structure. This enables your organization to be prepared to face today's cyber risks and handle them appropriately.

[1] content/assets/events/keywords/ symposium/sym25/gartnersym24-executive-report2.pdf
Segregation of duties

To ensure companies have a clear structure that separates the groups who define guidelines from those who are responsible for their execution, regulators are increasingly asking for a "three lines of defense" model.

Figure 1: Three lines of defense (Oversight; Guidance (What); Execution (How))

The first line of defense is the execution layer

This is where the definitions about how things get done are laid out and where controls are executed. Operational excellence is at the center of all their activities. These employees deal with day-to-day operations and establish a clear picture of how controls are executed. Typically the group includes the roles shown in Table 1.

Table 1: Types of roles in the execution layer

Function               Responsibility / control owner
Lines of business      Business
Corporate functions    Business
CIO and IT security    Technology
Third parties          Externals

All employees on the execution layer must be authorized and vetted, even though they may not be directly employed within the organization. This may also include third parties employed by the organization, as they often hold valuable information that could jeopardize the company's security if compromised.

The second line is the guidance layer

This is where definitions about what needs to be done are established and controls are defined. Control efficiency is at the center of their activities. These employees deal with the general security framework, which the execution layer uses as a base for its own definitions and baselines. Their duty is to develop clear guidelines for an effective and efficient framework, designed for maximum effectiveness. This is largely a chief information security officer function and includes responsibility for:

- Security strategy and policy definition
- Governance and structure
- Monitoring, analysis, and response
- Risk remediation programs

The third line is independent oversight

This is where auditors, or other outside control functions, provide the oversight function. This means ensuring an organization is upholding pre-agreed standards and doing what it said it will do. The auditor's job is to oversee the execution layer and ensure the organization follows the framework designed by the guidance layer. Auditors provide independent assurance and oversight of operations and processes to ensure the organization is in compliance with the security framework and regulatory requirements. An auditing line also ensures guidelines are enforced consistently across all sections of the organization.

Operating model

No organization is complete without a clearly defined operating model that describes the interfaces and who does what. Information risk management, always a business topic, has become increasingly prominent since the World Economic Forum listed cyber risk high up in its risk reports. [2] Because the topic has business relevance, the organization's business side must also deal with it. This has led to top managers being asked about their cyber-risk level and appetite. And, with a major part of cyber security still related to IT, it's important to separate operational IT tasks from governance activities within the business. This approach is in line with segregating duties as described earlier.

Cornerstones of this operating model are:

- A business-centric approach with clear information ownership on the business side. IT employees often see data without knowing its relevance in the business context, which means they can't handle the data correctly and appropriately.
- The three lines of defense model is fully applied, with a clear segregation of duties between execution and guidance, and a fully independent oversight with defined interfaces.
- Transformation of cyber security away from an IT focus to a business- and value-focused risk topic.

[2] _/ docs/wef_riskresponsibility_ HyperconnectedWorld_ Report_2014.pdf
Figure 2: Operating model cornerstones (figure labels: Customers/clients/units: Unit 1, Unit 2, Unit 3, Unit 4, Unit n; Service functions: HR, Legal, Finance, Compliance, IT; Oversight: Audit, Regulator, Third parties; Relationship management, Policies, Risk monitoring, Strategies, Risk reporting, Framework, Remediation control, Target state, KRIs & KPIs, Control framework, Education & awareness)

Organizational structure

There is no silver bullet or one all-encompassing organizational structure. Every organization has its own business environment. However, there are some fundamentals that need to be covered, even though they may be altered to match an organization's specific needs. Examples include:

- IT functions should focus on IT security and all aspects (the "How") of the day-to-day operation. Focus areas include, for example:
  - Identity and access management
  - Vulnerability management
  - Threat management
  - Logging and monitoring
  - Security event and incident handling
  - Risk control execution
- Business functions, clients, or customers should incorporate their own element of cyber security and provide interfacing people capable of articulating the importance of data, access requirements, and the regulatory and specific privacy requirements relevant to their business.
- The central organization dealing with cyber risk resides outside of IT, and reports resulting risks independently through established governance channels and escalation paths. Its responsibilities cover guiding, monitoring, and reporting, as described in the operating model.
Governance

It's important to choose the right governance body for cyber security and risk topics early in the process. The goal is to provide clear direction and accountability. It ensures direction comes from the top down and that the objectives are aligned with business requirements, avoiding a bottom-up, technology-driven approach to cyber security and risk. The governance body should oversee the cyber status, monitor agreed actions and remediation, and escalate to the next management level if required.

Organizations usually have a range of committees and governance teams. So, there's no need to reinvent the wheel and create additional boards just for the sake of having a dedicated one. If a board with senior representation already exists, use it. Adapt the terms of reference of the existing body and ensure cyber security and risk become a standing agenda item. Very often, existing risk boards, operational management boards, and finance committees provide a very good home for the cyber security and risk topic. During times of constant change, this structure will enable decisions to be made by key stakeholders, which will gain greater acceptance. By following this approach, cyber security and risk will emerge from being a business inhibitor to an enabler.

The benefits

The benefits of segregating duties and having a clear business structure are easily recognized. The transformation away from focusing on technology security toward business- and value-focused cyber-risk management brings a structure where roles, responsibilities, and duties are much clearer. It's easy to see who is responsible for what and who the go-to person is. This is particularly important in the event of a breach or cyber-attack, as it's essential for a company to be prepared and ready. Reacting swiftly, while knowing who is responsible for what, and who should react, monitor, inform, and report, is essential to managing the situation successfully.

This new clarity will benefit your organization in additional ways:

- It promotes operational excellence. This is encouraged by segregating duties and ensuring employees have a clear understanding of their duties.
- It will save the organization money through stricter adherence to standards and regulations, and make sure cyber security and risk is a front-line issue.
- It enables adopting the New Style of Business in a secure way, which supports business flexibility. It also helps to have a clear governance structure that includes security at the beginning when adopting new solutions, rather than as an afterthought. And, with employees and IT having a better understanding of their responsibilities, it will become easier, as everyone understands what's required when new ideas are introduced.

These models create transparency and, as a result, when properly executed, reduce risk that may otherwise become a board-level issue later on. Organizations that know their risks and threats are much more likely to prevent ugly cyber surprises and to manage better through such crises, should they occur.

Forward steps

The demand for greater flexibility from today's business will be enabled by disruptive technologies such as cloud and mobility. This will lead to changes in how and where an organization stores its data. Often, it will be held with a third-party provider, outside the organization's direct control. This will introduce a new set of risks to be managed. To ensure your organization is prepared to face and handle the risk appropriately, a business-led security governance and management structure will be required to plan the appropriate defense strategies, and to manage and prevent cyber breaches.

About the Author

Andreas Wuchner
CTO Security Innovation
Learn more at

About DXC

DXC Technology (NYSE: DXC) is the world's leading independent, end-to-end IT services company, helping clients harness the power of innovation to thrive on change. Created by the merger of CSC and the Enterprise Services business of Hewlett Packard Enterprise, DXC Technology serves nearly 6,000 private and public sector clients across 70 countries. The company's technology independence, global talent and extensive partner alliance combine to deliver powerful next-generation IT services and solutions. DXC Technology is recognized among the best corporate citizens globally. For more information, visit

DXC Technology Company. All rights reserved. DXC_4AA6-1216ENW. October 2016
RSA ARCHER INSPIRE EVERYONE TO OWN RISK Executive Priorities Growth is the highest priority 54 % 25 % Technology initiatives are second priority Business Growth & Technology Copyright 2016 EMC Corporation.
More informationEmbedding Operational Risk
Embedding Operational Risk Banking & Payments Federation Ireland Angela Calapa, Risk & Regulatory Director Areas of Challenge for Embedding Operational Risk Most banks face a significant number of challenges
More informationNavigating Changing Dynamics of First Line Risk and Control Functions
POINT OF VIEW Navigating Changing Dynamics of First Line Risk and Control Functions Including results of Protiviti s large financial institution survey on business control functions An organization s overall
More information2013 New COSO 2013 Framework and Current Trends in Risk Management
2013 New COSO 2013 Framework and Current Trends in Risk Management Session 105 IASA 86 TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW Agenda COSO 2013 framework Overview Why the update? What has been
More informationTHE CLOUD, RISKS AND INTERNAL CONTROLS. Presented By William Blend, CPA, CFE
THE CLOUD, RISKS AND INTERNAL CONTROLS Presented By William Blend, CPA, CFE AGENDA Cloud Basics Risks Related Cloud Use GOA on Service Level Agreements COSO ERM Internal Control Model 2 CLOUD BASICS Evolution
More informationAPPLICATION TRANSFORMATION: ACCELERATING THE NEW FACE OF GOVERNMENT
APPLICATION TRANSFORMATION: ACCELERATING THE NEW FACE OF GOVERNMENT INDUSTRY PERSPECTIVE Application Transformation: Accelerating the New Face Of Government 1 EXECUTIVE SUMMARY Today s technological environment
More informationIT Audit at Brown. A collaboration between the Information Technology and Internal Audit Teams
IT Audit at Brown A collaboration between the Information Technology and Internal Audit Teams Page 1 Agenda Objective Risk Management Overview Internal Audit at Brown IT Audit at Brown Frequently Asked
More informationHow can you turn digital risk into a source of competitive advantage?
How can you turn digital risk into a source of competitive advantage? 15 October 2018 The better the question. The better the answer. The better the world works. moderator Today s Heidi Riddell EY Asia-Pacific
More informationSecurity Today. Shon Harris. Security consultant, educator, author
Security Today Shon Harris Security consultant, educator, author 360 Security Model Holistic Approach to Security Every Organization has these EXACT issues The responsibility of securing an organization
More informationThomson Reuters AutoAudit
Thomson Reuters AutoAudit DRIVE DEEPER INSIGHTS 2 For internal audit:» Liberate audit teams from manual tasks» Enrich the dialogue with the business» Enhance the quality of internal audit reports» Engage
More informationEnhancing business continuity management to address changing business realities
IBM Global Technology Services November 2017 Thought Leadership White Paper Enhancing business continuity management to address changing business realities A business-centric approach to help reduce business
More informationBusiness Benefits by Aligning IT best practices
Business Benefits by Aligning IT best practices Executive Summary Since the Sarbanes-Oxley Act (Sarbanes-Oxley or SOX) was signed into law in 2002, many companies have adopted some IT practices to comply
More informationCanadian Insurance Accountants Association
www.pwc.com/ca Canadian Insurance Accountants Association Corporate Governance Rising Expectations Presented By: Sandeep Dhiman May 20, 2015 Agenda 1. Current Corporate Governance Environment 2. Hot Topics
More informationThird Party Risk Management ( TPRM ) Transformation
Third Party Risk Management ( TPRM ) Transformation September 20, 2017 Internal use only An introduction to TPRM What is a Third Party relationship? A Third Party relationship is any business arrangement
More informationManaging IT risk in a disruptive world
Managing IT risk in a disruptive world Cross-industry perspectives on staying ahead of information technology risks: Views from a KPMG share forum kpmg.com About the authors Phil Lageschulte Phil currently
More informationWhite Paper The DevOps Disruption
The DevOps Disruption June 2017 We can represent the performance of a business model based on the money invested into the business and the revenue generated as a result. Why invest in DevOps? Can a DevOps
More informationGoverning the cloud. insights for 5executives. Drive innovation and empower your workforce through responsible adoption of the cloud
insights for 5executives Governing the cloud Drive innovation and empower your workforce through responsible adoption of the cloud Of special interest to Chief information officers Chief information security
More informationWhite Paper. b+s Cloud Services - UCaaS. August, 2017 Wolfgang Ditl, Product Owner b+s Cloud Services
i White Paper b+s Cloud Services - UCaaS 1 August, 2017 Wolfgang Ditl, Product Owner b+s Cloud Services Contents Objective... 3 Introduction... 3 The advantages of cloud services... 4 Cloud models... 5
More informationINTEGRATED RISK BUSINESS CONTINUITY CYBER-SECURITY THE RESILIENCE FACTORS THAT DRIVE YOUR REPUTATION
CYBER-SECURITY BUSINESS CONTINUITY INTEGRATED RISK THE RESILIENCE FACTORS THAT DRIVE YOUR REPUTATION INTRODUCTION We all work hard to build and protect our reputation, and in today s world of 24/7 news
More informationHITRUST CSF Assurance Program
HITRUST CSF Assurance Program Common healthcare industry approach for assessing security and reporting compliance Background and challenges Compliance requirements for healthcare organizations and their
More informationSub-section Content. 1 Preliminaries - Post title: Head of Group Risk - Reports to: CRO - Division: xxx - Department: xxx - Location: xxx
Sub-section Content 1 Preliminaries - Post title: Head of Group Risk - Reports to: CRO - Division: xxx - Department: xxx - Location: xxx 2 Job Purpose - To assist in the maintenance and development of
More informationIBM Watson Financial Services
IBM Watson Financial Services Risk & Compliance Innovation Forum Adapting to a New Regulatory Environment in Europe Tim Roberts London 24 May 2017 2016 IBM Corporation Agenda for Today All financial institutions
More informationNext-generation enterprise risk management
Next-generation enterprise risk management Advancing strategy and performance in light of the COSO 2017 refresh Heading into the beginning of the year, the EY Center for Board Matters published the Top
More informationAUTOAUDIT. Drive deeper insights
AUTOAUDIT Drive deeper insights Facing new challenges on multiple frontiers The world is rapidly changing for today s internal auditors, whose roles are evolving from cop to counselor. No longer do internal
More informationReady for GDPR? Five steps to turn compliance into your advantage
Ready for GDPR? Five steps to turn compliance into your advantage 2017 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG
More informationAdapting Risk Management to Evolving Technologies
Adapting Risk Management to Evolving Technologies May 9, 2017 Ray Cheung 2017 Crowe 2017 Horwath Crowe International Horwath LLP Agenda Digital Disruption and Shifting IT Spend High Tech Risk Environment
More informationINFORMATION SERVICES FY 2018 FY 2020
INFORMATION SERVICES FY 2018 FY 2020 3-Year Strategic Plan Technology Roadmap Page 0 of 14 Table of Contents Strategic Plan Executive Summary... 2 Mission, Vision & Values... 3 Strategic Planning Process...
More information