A Practical and Effective Approach to Risk Assessment
- James Payne
1. IT Risk Assessment Case Study
Portions of this presentation are from 2007 and 2008 FFIEC Technology Conference presentations to bank examiners. Special thanks to Mark Chapman, Chapman Technology Group Inc., a FIPCO Endorsed Vendor. RiskOptix, the tool used in this risk assessment, is a trademark of Chapman Technology Group Inc.

2. NIST IT Risk Assessment Definition
Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process.
Source: NIST Special Publication

3. IT Risk Assessment is NOT:
- Risk Management
- Vulnerability Scanning
- Penetration Testing
- Social Engineering
- An IT Audit
- General Controls Testing
- Business Continuity
- IT Governance or Compliance

4. NIST Risk Definition
Risk is a function of the likelihood of a given threat-source exercising a potential vulnerability, and the resulting impact of that adverse event on the organization.
Source: NIST Special Publication

5. High-Level Approach: PUSH
- Preparation
- Universe Definition
- Scoring
- Hitting the Mark
Copyright Chapman Technology Group, Inc. All Rights Reserved.

6. Preparation
- Earn Management Buy-In
- Decide to In-Source or Outsource
- Anticipate the Benefits
- Identify the Specific Purpose
- How to Accomplish? (Methodology and Tools)

7. Earn Management Buy-In
Motivators:
- GLBA Compliance / Fear
- Means to justify other initiatives
- New Management Eager to Learn
- True Believers
Challenges:
- It costs money!
- I already know the risks better than anyone!
- We have more important things to do.
Results:
1. Go through the motions
2. Do it right

8. In-Source or Outsource?
Current Capability:
- Do we have the capability, or can we train in-house?
- Can we identify a firm with independent, knowledgeable and sufficient resources?
Future Capability:
- Turnover of trained employees
- Dependence on consultants

9. Anticipated Benefits
- To learn something new
- To validate or quantify a concern
- To standardize communication of risk
- To establish common language and tools
- To satisfy the examiners

10. Specific Purpose
- Audit Planning
- Budgeting
- GLBA Compliance
- Disaster Recovery
- Policy Writing
- Risk Management
- Remediation
- Vendor Selection
Hint: answer the question "What is the specific purpose of the risk assessment?"

11. How to Accomplish?
Methodology / Guideline / Standard:
- NIST
- FFIEC
- ISO 27001:2005
- COBIT / COSO / IIA
- PUSH
Format:
- Paper
- Excel / Word
- Specialized Risk Assessment Software

12. High-Level Approach: PUSH (section divider)

13. Universe Definition
Goal: to define an appropriate universe for the size and complexity of the Bank.
- Choose the number of dimensions: Assets, Risks, Controls
- For each dimension, define scope, granularity and level of detail
- Populate the universe

14. How? Pre-Engagement Checklist
- Assets = What's valuable? What documentation does the bank have to provide information about IT assets (hardware, software, business processes)?
- Risks = What bad things could happen?
- Controls = How do we mitigate the impact of bad things? What documentation does the bank have to provide evidence that controls exist?

15. How? Pre-Engagement Checklist (continued)

16. Asset Universe
Scope (which kinds of assets count?): Business Functions, Fixed Assets, Strategies, Brands, Contracts, Cash, Intellectual Property, Products, People
Granularity (how many levels of assets do we want to consider?): Buildings > Rooms > Wall Clocks
Detail (how much information do we want to understand for each asset?): Asset Type, Asset Owner, Importance, Dependencies

17. Asset record (callouts)
- Name and describe the asset.
- How important is the asset?
- Capture BIA information.
- Determine the attributes that characterize the asset.
19. Risk Universe
Scope (which kinds of risks count?): Power Outage, Pandemics, Water Damage, Fraud, Computer Hacking, Employee Turnover, Tampering
Granularity (how many levels of risks do we want to consider?): City-Wide Blackout > Accidental Power Disconnect > Wall Clocks Stop Working
Detail (how much information do we want to understand for each risk?): Risk Type, Threat Source, Likelihood, Impact

20. Risk record (callouts)
- Describe the risk and its potential impact.
- Set the impact and likelihood unmitigated!
- Quantitative information?
- Did we identify follow-up?
- Determine the attributes that characterize the risk.
22. Controls Universe
Scope (which kinds of controls count?): Financial, Physical, Technological, Reputation, Legal, Insurance
Granularity (how many levels of controls do we want to consider?): Firewalls, Policy, Atomic Clocks
Detail (how much information do we want to understand for each control?): Control Owner, Effectiveness, Compliance Info, Assessment Criteria

23. Control record (callouts)
- Categorize: Legal, Technical, etc.
- Describe the control and how to assess it.
- By design, what is the control's effectiveness?
- Did we identify follow-up?
- Type of control, and how did we assess it?
25. High-Level Approach: PUSH (section divider)

26. Scoring
- Choose Scale
- Normalize
- Prioritize and Trim
- Associate
- Adjust Compound Scores

27. Choose a Scoring Scale
Define a consistent scale.
- Numeric: (1-5), (0.1, 0.5, 1.0), (1-3), (0%-100%)
- Descriptive: (Low, Med, High), (Nice-To-Have, Average, Critical)

28. Normalize
Set the relative importance of:
- Risks with respect to other Risks
- Assets to other Assets
- Controls to other Controls

29. Prioritize and Trim
Goal: to combat the natural exponential growth of assessment effort by reducing the number of low-priority assets, risks and controls.
Approach: during data gathering, interviews and universe definition we selected only critical assets and high-impact/likely risks for further risk assessment effort, while documenting the decision.

30. Associate Controls to Risks (diagram: Control -> Risks)
32. Associate Assets to Risks (diagram: Asset -> Risks)

33. Asset -> Risks -> Controls (diagram linking the three dimensions)

34. Adjust Compound Scores
Used initial scores, with few documented exceptions. (Control record screenshot)

35. High-Level Approach: PUSH (section divider)

36. Hitting the Mark
- Did we meet our purpose?
- Documented Observations / Findings
- The Final Report
- Tracking Actions Over Time
- Evaluate Project Effectiveness

37. Hitting the Mark: Answer Our Question
What was the specific purpose of the risk assessment?
- Audit Planning
- GLBA Compliance
- Risk Management

38. Hitting the Mark (diagram)
Source: National Institute of Standards and Technology (NIST)

39. Hitting the Mark: Added Benefit
An added benefit is realized: we can answer the questions:
- When and under what circumstances does the bank need to take action?
- When should the bank implement controls to mitigate the risk and protect the organization, or document the acceptance of risk?

40. Write the Final Report
Focused on:
1. Observations / Findings
2. High-Level GLBA Compliance Assessed
3. Process Used (brief)
4. Trends / Future Activity
5. Management Observations: timeline, follow-up
6. Continuous Risk Assessment: track the status of observations and other audits

41. 1. Observations / Findings
Observation #2: High
The server and Exchange backups that are stored on removable storage and transferred off site were not adequately protected.
Potential Exposure: Confidential data could be compromised if the devices were lost or stolen.
Recommendation: Encrypt the data stored to the backup storage devices before they are removed off site.
Management Comment: Management has explored the viability of storing archived data... Implementation will be completed by year-end.

42. 1. Observations / Findings
Observation #10: Low
Information Systems Security Policy contains too much detail...
Potential Exposure: A missing Information Security Policy is a compliance risk.
Recommendation: Modify the Information Systems Security Policy so that it contains only "Policy" documentation... Templates have been provided to assist with management response.
Management Comment: In response, in 2005 the bank purchased a canned Information Policy/Toolkit.

43. 2. GLBA Compliance (screenshot)

44. 3. Process Used
The primary goal for the IT Risk Assessment was to adopt and document a consistent risk assessment methodology for the purpose of assessing risks at the bank on a sustainable basis. The approach used by this assessment followed the diagram on the right:
1. Inventory Assets
2. Characterize Assets
3. Advance Important Items
4. Identify Raw Risks
5. Consider Mitigating Factors
6. Calculate Residual Risk Exposure
7. Advance Areas of Higher Risk
8. Create Audit Plan
9. Create Audit Program
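The scoring steps on slides 26 through 34 (choose a scale, normalize, prioritize and trim, associate controls to risks and assets to risks, adjust compound scores) and the process on slide 44 (identify raw risks, consider mitigating factors, calculate residual risk exposure, advance areas of higher risk) are described without a formula. The model below is an added example, not code from the presentation and not RiskOptix: the 1-5 scale, the likelihood x impact product for raw risk, the way several controls compound, the asset weighting and the 0.15 advance threshold are all assumptions chosen to make the steps concrete, and the small bank universe is constructed, not case-study data.

```python
"""Toy scoring model for a PUSH-style IT risk assessment (added example, not code from
the deck and not RiskOptix). The 1-5 scale, likelihood x impact, the compounding of
controls, the asset weighting and the advance threshold are assumptions, not the deck's."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
SCALE_MIN, SCALE_MAX = 1, 5  # "Choose a Scoring Scale": numeric 1-5 for every dimension

def check_scale(name: str, value: int) -> None:
    """Normalize: a score off the agreed scale cannot be compared with the others, so reject it."""
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name}={value} is off the {SCALE_MIN}-{SCALE_MAX} scale")

@dataclass(frozen=True)
class Asset:
    name: str
    importance: int  # from the BIA information captured for each asset

    def __post_init__(self) -> None: check_scale("importance", self.importance)

@dataclass(frozen=True)
class Risk:
    name: str
    threat_source: str
    likelihood: int  # recorded UNMITIGATED, as the deck insists
    impact: int

    def __post_init__(self) -> None:
        check_scale("likelihood", self.likelihood)
        check_scale("impact", self.impact)

@dataclass(frozen=True)
class Control:
    name: str
    design_effectiveness: float  # 0.0-1.0, the control's effectiveness "by design"
    assessed_effectiveness: Optional[float] = None  # set only when the assessment found otherwise
    exception: str = ""  # the documented reason for overriding the design score

    def effectiveness(self) -> float:
        """Adjust Compound Scores: the initial score stands unless an exception was documented."""
        return self.design_effectiveness if self.assessed_effectiveness is None else self.assessed_effectiveness

def inherent_score(risk: Risk) -> int:
    """Raw risk before any control: likelihood x impact, so 1..25 on a 1-5 scale."""
    return risk.likelihood * risk.impact

def residual_fraction(controls: List[Control]) -> float:
    """Share of the inherent risk that survives the associated controls. Assumption: controls act
    as independent layers, so the surviving share is the product of each (1 - effectiveness)."""
    return math.prod((1.0 - c.effectiveness() for c in controls), start=1.0)

def residual_score(risk: Risk, controls: List[Control]) -> float:
    return inherent_score(risk) * residual_fraction(controls)  # Calculate Residual Risk Exposure

def exposure(asset: Asset, risk: Risk, controls: List[Control]) -> float:
    """Asset-weighted residual risk, normalized to 0..1 so unlike assets can be compared."""
    return (asset.importance / SCALE_MAX) * (residual_score(risk, controls) / (SCALE_MAX * SCALE_MAX))

def rank_exposures(assets: Dict[str, Asset], risks: Dict[str, Risk], controls: Dict[str, Control],
                   asset_risks: Dict[str, List[str]], risk_controls: Dict[str, List[str]]) -> List[Tuple[str, str, float]]:
    """Walk the Asset -> Risks -> Controls associations; return (asset, risk, exposure) ranked high to low."""
    rows = []
    for asset_key, risk_keys in asset_risks.items():
        for risk_key in risk_keys:
            ctrls = [controls[k] for k in risk_controls.get(risk_key, [])]
            rows.append((asset_key, risk_key, exposure(assets[asset_key], risks[risk_key], ctrls)))
    return sorted(rows, key=lambda row: row[2], reverse=True)

def advance(ranked: List[Tuple[str, str, float]], threshold: float) -> List[Tuple[str, str, float]]:
    """Prioritize and Trim / Advance Areas of Higher Risk: keep only pairs at or above the threshold."""
    return [row for row in ranked if row[2] >= threshold]

# Constructed sample universe for a hypothetical bank; none of this is data from the case study.
ASSETS = {
    "core-banking": Asset("Core banking server", importance=5),
    "exchange": Asset("Exchange mail server", importance=3),
    "wall-clock": Asset("Lobby wall clock", importance=1),
}
RISKS = {
    "lost-media": Risk("Backup media lost or stolen off site", "accident / thief", likelihood=3, impact=5),
    "power": Risk("Power outage", "environmental", likelihood=4, impact=3),
    "phishing": Risk("Phishing of staff credentials", "external attacker", likelihood=4, impact=4),
}
CONTROLS = {
    # Designed at 0.9, but the assessment found the media leave the site unencrypted (compare Observation #2).
    "backup-enc": Control("Backup media encryption", 0.9, assessed_effectiveness=0.0,
                          exception="Not implemented; backups leave the site in the clear"),
    "ups": Control("UPS", 0.6),
    "generator": Control("Standby generator", 0.7),
    "awareness": Control("Security awareness training", 0.4),
    "mail-filter": Control("Inbound mail filtering", 0.5),
}
RISK_CONTROLS = {"lost-media": ["backup-enc"], "power": ["ups", "generator"], "phishing": ["awareness", "mail-filter"]}
ASSET_RISKS = {"core-banking": ["lost-media", "power", "phishing"], "exchange": ["lost-media", "phishing", "power"],
               "wall-clock": ["power"]}
ADVANCE_THRESHOLD = 0.15  # assumption: the cut-off below which a pair is trimmed from the audit plan

if __name__ == "__main__":  # usage: print the ranked universe with the advance/trim decision
    for a, r, s in rank_exposures(ASSETS, RISKS, CONTROLS, ASSET_RISKS, RISK_CONTROLS):
        print(f"{'ADVANCE' if s >= ADVANCE_THRESHOLD else 'trim':8}{s:6.3f}  {ASSETS[a].name}: {RISKS[r].name}")
```

Two points the numbers make that the slides only state. First, the unmitigated scores do not decide the outcome: the power outage has the highest likelihood, but two working controls leave 12 percent of it, while lost backup media, whose only control was overridden to 0.0 by a documented exception, lands at the top of the list and is what the audit plan should advance. Second, the wall clock survives universe definition but is trimmed by the threshold, which is the "Prioritize and Trim" step working as intended. The product rule for several controls is an assumption; whatever formula a tool such as RiskOptix uses, keep the design score and the assessed score as separate fields so the exception is recorded rather than silently overwritten.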
45. Management Comments: Follow-up (screenshot)
47. Continuous Risk Assessment: Audit Planning and Tracking (screenshot)

48. Conclusion: PUSH
- Preparation
- Universe Definition
- Scoring
- Hitting the Mark

49. Risk Assessment Post Mortem
- Which directory did I put that in? Information is scattered all over.
- Does a thick binder count as keeping information together?
- No ties between common information or information that is related.
51. Risk Assessment Post Mortem
- Each risk assessment feels like a brand new (and painful) event!
- Who did it last year? Consultant X. Who did it this year? Auditor Y.
- The examiner or auditor wants proof: formal documentation.
- Multiple copies and duplicate data gathering.
- Information not kept up to date.
55. Risk Assessment Post Mortem
- Who should have access? Difficult to control who can access the information.
- "I don't have access, but I need to respond!" Difficult to ensure the right people have the right information at the right time.
- Complex spreadsheets: cutting and pasting with no real cross-reference capabilities.
- Replace the 11x17 printed spreadsheet that needs a plotter to print clearly.

56. Risk Assessment Post Mortem
- What evidence exists that the RA was based on a formal methodology and can be repeated next year?
- No standard framework or format for assessing risk across the organization.
- Assessment based simply on experience.
- The board wants this IT assessment in non-technical terms!
- Too much time spent formatting data for the Board or external auditors and examiners.

57. Questions
AUDITING BUSINESS CONTINUITY: GLOBAL BEST PRACTICES EXCERPT FROM THE FOREWORD There are numerous publications that provide a wealth of knowledge about what Business Continuity Management (BCM) is and how
More informationUNF Finance and Audit Committee January 15, 2013
Item 7 UNF Finance and Audit Committee January 15, 2013 Issue Office of Internal Auditing Audit Planning Methodology Proposed Action Report Background Information The purpose of this item is to present
More informationPayment Card Industry Data Security Standard Compliance: Key Players and Relationships. By Jason Chan
WHITE PAPER: ENTERPRISE SECURITY SERVICES Payment Card Industry Data Security Standard Compliance: By Jason Chan White Paper: Enterprise Security Services Payment Card Industry Data Security Standard
More informationBridging the gap between Internal Audit and IT functions
Bridging the gap between Internal Audit and IT Michael Wanguru 29 August 2013 Agenda Definitions Relation between Internal Audit and IT Symptoms of a disconnected function Dangers to an organization Creating
More informationSupply Risk Management
White Paper Supply Risk Management In today's changing business climate, procurement's role is not just about getting the right goods and services at the best possible price, with the right volumes, at
More informationCERT Resilience Management Model, Version 1.2
CERT Resilience Management Model, Asset Definition and Management (ADM) Richard A. Caralli Julia H. Allen David W. White Lisa R. Young Nader Mehravari Pamela D. Curtis February 2016 CERT Program Unlimited
More informationBUSINESS PLAN OUTLINE
BUSINESS PLAN OUTLINE Use the headings in the left hand column to organize your plan. The descriptors in the right hand column may be helpful to prompt your thoughts/ideas. THE BUSINESS Describe your Business
More information12.0 Business Continuity Management
Number 12.0 Policy Owner Information Security and Technology Policy Business Continuity Management Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 12. Business Continuity
More informationIT Audit Process Prof. Liang Yao Week Three IT Risk Assessment
Week Three IT Risk Assessment Defining Risks Inherent Risk: The risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls) Residual
More informationDo You Know What Your Business Associates Subcontractors & Vendors Are Doing With Your PHI & ephi?
Do You Know What Your Business Associates Subcontractors & Vendors Are Doing With Your PHI & ephi? Web Hull Privacy, Data Protection, & Compliance Advisor Web.Hull@icloud.com HCCA 2017 Compliance Institute
More informationDo You Know What Your Business Associates Subcontractors & Vendors Are Doing With Your PHI & ephi?
Do You Know What Your Business Associates Subcontractors & Vendors Are Doing With Your PHI & ephi? Web Hull Privacy, Data Protection, & Compliance Advisor Web.Hull@icloud.com HCCA 2017 Compliance Institute
More informationThe Information Security and Privacy Tradeshow. CIS 8080 Security/Privacy of Information Richard Baskerville
The Information Security and Privacy Tradeshow CIS 8080 Security/Privacy of Information Richard Baskerville This activity simulates a market in which participants aim to offer the best information security
More informationInformation Technology Risks in Today s Environment
Information Technology s in Today s Environment - Traci Mizoguchi Enterprise Services Senior Manager, Deloitte & Touche LLP Agenda Overview Top 10 Emerging IT s Summary Q&A 1 Overview Technology continues
More informationRisk Based Internal Audit Plan
Risk Based Internal Audit Plan (Developing a Risk based IA Plan and updating the Audit Universe) C.A. Milan Mody WIRC of ICAI Presentation on 18th August 2018 1 2 Table of Contents Backdrop What is Risk?
More information1/8/2015. Learning Objectives. Why have a plan? Emergency Preparedness, Business Continuity, and Disaster Recovery. Can you anticipate the unexpected?
Emergency Preparedness, Business Continuity, and Disaster Recovery APPA-Institute for Facilities Management J. Craig Klimczak, D.V.M., M.S. 321 South Mosley Road St. Louis, MO 63141 compuvet@aol.com Learning
More informationCalifornia Law WHITE PAPER ISO Assuring Your Information. Sarbanes-Oxley Act. How much should you spend?
WHITE PAPER California Law 1798.82 ISO 17799 Sarbanes-Oxley Act NERC Basel II Assuring Your Information Contents Executive summary: What is INFORM?.................................................4 Benefits
More informationBusiness Continuity Maturity Matrix
Business Continuity Maturity Matrix A maturity model is one of the most valuable tools available for planning and sustaining a new Business Continuity program. Like the Business Continuity Planning (BCP)
More informationVENDOR MANAGEMENT 101
VENDOR MANAGEMENT 101 Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager Introduction to Vendor Management About Your Presenter Andrea
More information