ISACA S IT Audit, Information Security & Risk Insights Africa 2014 MAY, 2014

Size: px

Start display at page:

Download "ISACA S IT Audit, Information Security & Risk Insights Africa 2014 MAY, 2014"

Rosa Bradford
6 years ago
Views:

1 ISACA S IT Audit, Information Security & Risk Insights Africa 2014 MAY, 2014 MANAGING IT RISKS IN THE BANKING INDUSTRY Emmanuel Ofori Boateng, Dep. Head, IT, Ecobank Ghana

2 OVERVIEW - HISTORY OF RISK MANAGEMENT - OVERVIEW OF IT RISKS IN BANKS - REMEDIES

3 HISTORY OF RISK MANAGEMENT The Study of Risk Management begun after WWII It had to do with market insurance to protect individuals and companies from various losses associated with accident. The use of derivatives are risk management instruments begun in the 1970s. International risk regulation and Operational Risks begun in the 1990s.

4 HISTORY OF RISK MANAGEMENT Concomitantly governance of risk management became essential and integrated risk management was introduced. In the wake of financial scandals and bankruptcies resulting from poor risk management; the Sarbenes- Oxley regulation was introduced in 2002 (Enron). However these regulations, governance rules and risk management methods failed to prevent the financial crisis that begun in 2007 (Lehman Brothers)

5 RISKS IN BANKS MARKET RISKS CREDIT RISKS OPERATIONAL RISKS

6 OPERATIONAL RISK The main characteristic of operational risk is that unlike market and credit risks, which mainly involve risks associated with trading or lending, everyone in the financial organization can be a source of operational risk

7 IT RISKS CLASSIFICATION IT risks can be classified according to their impact on the organization, as follows: 1. Security risk 2. Availability risk 3. Performance risk 4. Compliance risk

8 IT RISKS CLASSIFICATION SECURITY RISK the information will be altered, accessed, or used by unauthorized parties.

9 IT RISK CLASSIFICATION AVAILABILITY RISK that information or applications will be inaccessible due to system failure or natural disaster, including any recovery period.

10 IT RISK CLASSIFICATION PERFORMANCE RISK that underperformance of systems, applications, or personnel, or IT as a whole will diminish business productivity or value.

11 IT RISK CLASSIFICATION COMPLIANCE RISK that information handling or processing will fail to meet regulatory, IT or business policy requirements. Usually, it involves penalties, fines, or loss of reputation from failure to comply with laws or regulations

12 IT RISKS - IT GOVERNANCE - CYBERSECURITY (Cyberterrorism, Data loss) - CARD FRAUD - BIG DATA SECURITY & PRIVACY INTERNET BANKING HACKING VIRUSES OUTSOURCING

13 IT RISK Unauthorized Access: User/Developer access was not approved for a particular level of access or action; Example: Ensure privileged access is appropriately restricted. Excessive Access: User/Developer access level is beyond the scope of job role and responsibility; Example: Ensure the Principle of Least Privilege is in place people only have access to the information and transactions needed to perform their job and scope of responsibility

14 IT RISKS Unauthorized Changes: Program change was not approved before move to production Lack of control around the acquisition and implementation of new applications and maintenance of existing applications Lack of control around the acquisition, installation, configuration, integration, and maintenance of the IT infrastructure.

15 MITIGATING I.T. RISK ROLE OF BOARD OF DIRECTORS AND MANAGEMENT Federal Financial Institutions Examination Council (FFIEC) direct senior management and the board of directors to manage IT risks, including information security, business continuity and disaster recovery.

16 MITIGATING IT RISKS AUDITS AND OTHER INDEPENDENT REVIEWS

17 MITIGATING IT RISKS LEGAL FRAMEWORK EDUCATION

18 MITIGATING IT RISKS USING STANDARDS, FRAMEWORKS etc COBIT (ISACA): Control Objectives for Information Technology that focuses on four key domain areas of Plan & Organize, Acquire & Implement, Deliver & Support, and Monitor & Evaluate

19 MITIGATING IT RISKS ITIL (INFORMATION TECHNOLOGY INFRASTRUCTURE LIBRARY) Framework for IT Service Management practices, such as Change Management, Incident Management, Problem Management, Configuration Management, Service Level Management

20 MITIGATING IT RISKS CMMi (Software Engineering Institute): Capability Maturity Model Integration for Software Development Lifecycle ISO20000: Framework and Certification for IT Service Management ISO27001: Framework and Certification for Information Security RiskIT (ISACA): IT-related buisness risk, focusing in Risk Evaluation, Risk Governance, and Risk Monitoring/Reporting

21 MITIGATING IT RISKS VENDOR MANAGEMENT RISKS AND CONTROLS

22 CONCLUSION In years to come, banks will face two major drivers that will challenge them to take on deepened I.T. risks: GLOBALIZATION AND INTERNET-RELATED TECHNOLOGIES

23 THANK YOU QUESTIONS?

Job Description. No of Direct Reports : 0. Titles of Direct Reports: Size of Department: 5. Budget Responsibility (direct) :

Job Description. No of Direct Reports : 0. Titles of Direct Reports: Size of Department: 5. Budget Responsibility (direct) : Job Description Job Title : Department : Compliance Analyst Information Technology Reporting to (Job Title) : Director of Risk, Security & Compliance No of Direct Reports : 0 Titles of Direct Reports: