IT Risk and Control Framework
Session Objectives
- IT opportunities and risks
- Global concern/incidents
- Bangladesh perspective
- Best practices frameworks/standards
- ISACA COBIT framework
- Summary

Sources:
- http://www.dailytech.com/Worlds+Data+to+Reach+18+Zettabytes+by+2011/article11055.htm
- http://www.gao.gov/products/GAO-12-137
- http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/ITGI-Global-Survey-Results.aspx
Bangladesh Scenario
Achievement
- Ranked 134 in the UN E-Gov survey (e-gov development category)
- Some quick-win projects by Government
- Bangladesh is on the list of top 30 destinations for global IT outsourcing for 2010-11 (Gartner)
Challenges
- Ranked poor in language, infrastructure, and data and intellectual property security (Gartner)
- Lack of sustainability of IT systems
- Lack of ownership of IT systems
- Inadequate human resources
- Poor IT management
- Increased cyber incidents
- No national BD-CERT
Advantages of using Best Practices
- Better accountability and responsibility (ownership)
- No blame game
- Better management
- Better benefits from IT investments
- Better compliance
- Better monitoring
- Comparison with others
About COBIT
COBIT is a comprehensive IT governance and management framework, accepted globally as a set of tools that ensures IT is working effectively and efficiently.
- Addresses every aspect of IT
- Ensures clear ownership and responsibilities
- A common language for all
- Improves IT efficiency and effectiveness
- Better management of IT investments
- Ensures compliance
- A complimentary copy is available (www.isaca.org/cobit)
COBIT Coverage
- Strategic IT Plan
- Manage IT Investment
- Manage IT Human Resources
- Manage IT Risks
- Manage Projects
- Acquire & Maintain Application Software
- Acquire and Maintain Technology Infrastructure
- Manage Changes
RACI chart: Functions against COBIT processes (R/A/C/I entries); the row and column labels did not survive extraction.
- Process Goal: Reduce unauthorized access
- Activity Goal: Understand vulnerabilities and threats
- Maintain reputation
- Frequency of review
IT Goals (28)
- Respond to governance requirements
- Account for and protect all IT assets
- Protect the achievement of IT objectives
- Establish clarity of business impact
- Ensure that critical and confidential information is authorized
- Ensure that automated business transactions can be trusted
- Ensure that IT services and infrastructure can properly resist and recover from failures
IT Processes (32)
- Assess and manage IT risks (PO9)
- Ensure systems security (DS5)
- Manage the configuration (DS9)
- Manage facilities (DS12)
- Monitor and evaluate internal control (ME2)
ISO 27001/2
Summary
- Use best practice such as COBIT to minimize IT risks
- Start with basic processes
- Form a high-level IT Strategy Committee headed by the CEO/Head
- Formulate and implement an IT Strategic Plan and IT policies
- Allocate resources (people, infrastructure, ...)
- Assign roles and responsibilities, authority and accountability (use a RACI chart)
- Make IT a regular board agenda item
- Regularly assess, review and monitor IT risks
- Establish a national BD-CERT (by government)