Agenda
• Introduction
• An overview of ICT and its Security Problem
• ICT related risks
• What went wrong
• Who is responsible
• Lessons from others
• What can be done?
Technology Trend
• Stone, Iron, Industry, Information Age!
• The world has now moved from natural resources to an information economy.
• Information held in public and private organisations' information systems is among the most valuable assets in the organisation's care and is considered a critical resource, enabling these organisations to achieve their objectives.
• Because organisations' value has moved from tangible to intangible assets, the risks have moved too; hence overall corporate risk management should take a new track.
• Today ICT is in almost all national critical infrastructure.
ICT in Critical National Infrastructures
• Private and public organisations, government, and the national security system increasingly depend on an interdependent network of critical physical and information infrastructures. Examples:
– energy production, transmission and distribution
– telecommunications
– financial services
– transportation sectors: railways, highways, airports, etc.
– systems for the provision of water and food for human use and consumption
– continuity of government
– chemical industry and hazardous materials
– agriculture
– defence industrial base
– gas and oil storage and transportation
Information security is about protection of ICT assets/resources in terms of:
– Confidentiality
– Integrity
– Availability (of information and services)
– Access control to information
It involves protective/proactive, detective, reactive and/or recovery measures.
An overview of ICT & its security problem
[Diagram: the organisation's valuable asset, information, surrounded by the layers that must protect it.]
• Software (operating systems, application software): sets of instructions. Malicious software (virus, worm, denial-of-service attack, backdoors, salami attacks, spyware, etc.) can be introduced here!
• Physical security of the hardware.
• Authorised users abusing their privileges, e.g. disgruntled staff.
• Managing ICT security is a continuous process by which an organisation determines what needs to be protected and why; what it needs to be protected from (i.e. threats and vulnerabilities); and how (i.e. mechanisms) to protect it for as long as it exists.
• A holistic approach is required.
What went wrong
• Despite the many technical solutions available, the management of ICT-related risks is increasingly becoming a major concern to many ICT-dependent organisations.
• The interesting question here was: what is it that makes the difference?
– Is it because of the consequences of globalisation?
– Is it because of the different regulations and requirements that need to be complied with in a given country?
– Is it because of market pressure or customer demand?
– Is it because of different cultures, in that, according to Robbins, national culture continues to be a powerful force in explaining a large proportion of organisations' behaviour?
Objectives
• The objective of this study was to investigate the effects of some possible ICT risk management drivers on the process of getting senior management involved in ICT risk management, and hence accountable.
• The investigation was carried out by taking case studies of four countries, namely Sweden, USA, India and Tanzania.
• The drivers investigated were mainly:
– Globalisation,
• One condition for global collaboration between different organisations, cultures and time zones is a “common language”, i.e. internationally accepted standards and frameworks.
• By using these standards and frameworks, security and quality can be defined, agreed on and followed up.
• One further advantage is the fact that offshore suppliers are normally certified, using these standards and frameworks.
• Their prospective customers can more easily assess security and quality requirements.
• Sarbanes-Oxley Act of 2002 (SOX), controlled and enforced by the US Securities and Exchange Commission
• Committee of Sponsoring Organizations' (COSO) framework
• Control Objectives for Information and related Technology (COBIT), an IT governance framework
• Based on the four studies, the status and experiences of how ICT risk management is practised in organisations in Sweden, USA, India and Tanzania were investigated.
• Findings from the four studies were used as input to investigate senior management's involvement in the ICT risk management process.
Studies in the four Countries (Sweden)
• A study on Swedish government agencies concerning the use of IT security indicated:
– lack of support from senior management;
– ICT security is not carried out in a systematic way, which makes it difficult for management to prioritise between different risks and countermeasures, causing difficulties in following up the state of security.
• The use of models for return on security investment also shows the lack of support from senior management.
• Another study was carried out by interviewing information security managers and risk managers at 7 large Swedish trade and industry organisations making extensive use of ICT, most of them also with large international operations.
– The overall summary of the result from the study is that risk analysis is not used as a method to allocate resources for increasing the security level of the ICT systems.
– The reason for this is probably that using risk analysis has not gained the approval of management.
Studies in the four Countries (USA)
• The USA study was based on the "2006 CSI/FBI Computer Crime and Security Survey", which is based on the responses of 616 computer security practitioners in US corporations, government agencies, financial institutions, medical institutions and universities.
– The survey indicated a substantial decrease in the total dollar amount of financial losses resulting from security breaches.
• This is probably due to the introduction of SOX:
– "The Sarbanes-Oxley Act has changed the focus of information security in my organisation from technology to one of corporate governance."
• For example, the Act requires that:
– the CEO and CFO personally certify the correctness of the financial reports (section 302);
– the underlying (IT) processes be certified (section 404);
– financial events of importance be reported within four days (section 409);
– a person who deliberately destroys documents, physical or electronic, including e-mail, may be sentenced to up to twenty years' imprisonment (section 802).
Studies in the four Countries (India)
• The study in India was based on a medium-sized company as a representative of an outsourcing company in India, on the assumption of getting an average indication (2006).
• An example was iGATE Corporation, which was ISO2000 certified, ISO27001 certified, at COBIT maturity level 5 and SOX compliant.
• The reason they have done this is that they see it as absolutely essential to have these standards and frameworks implemented in order to remain in business.
• In India, customer demand and market pressure make security a top priority for senior management.
– Several Indian offshore suppliers are listed on the USA stock market and so have to fulfil SOX requirements and have the same level of security in place.
Studies in the four Countries (Tanzania)
• The study in Tanzania took place between 2003 and 2006; the respondents were mainly senior management, Chief Financial Officers, operational managers, IT managers and general and technical staff.
• The study indicated that the focus of the organisations is on what is commonly known as "computerisation".
– Very little or no attention at all is paid to managing ICT-related risks.
• This was partly found to be due to the following reasons:
– not knowing that they are vulnerable to ICT-related risks as a result of computerisation;
– ICT risk is not seen as a risk to the organisation's business;
– the relaxed culture and lack of formal ICT and ICT security policies and procedures;
– believing that ICT security is a technical problem, and therefore both ICT in general and ICT security in particular being set aside for more important things.
Lessons from others
• Referring to the studies, one can see that market pressure and customer demand, which lead to regulatory requirements such as SOX, are significant risk management drivers.
• The key point was to get senior management's backing and involvement in the ICT risk management process.
• This study shows that even though there are international standards and frameworks for feedback on how ICT risks are handled in an organisation, compliance with regulations seems to be the strongest driver actually affecting the involvement of senior managers in the ICT risk management process.
• However, in noting this, we also include, but view it as happening in earlier feedback cycles, that globalisation, customer demand and market pressure are drivers that initiate regulations (such as SOX) and thus interact as indicated earlier.
• Through regulation (such as SOX), senior managers were in varying degrees held personally accountable;
– we have seen, for example, that some sections, as mentioned, are very tough.
• However, there is still a need to identify more drivers of ICT risk management on the international and national scenes; it seems important to investigate how national, organisational and security cultures can blend and adapt in order to handle ICT security risks as part of the ordinary business processes.
Who is responsible
• Top management and oversight bodies that are vested with day-to-day planning, organising, controlling, directing and staffing responsibilities have a broad stake in ensuring everything, including ICT matters, is properly staffed and managed.
• Boards of Directors are vested with such responsibilities.
• ICT-related risk management requires strategic direction and a driving force, and the Board is responsible for that through the CEO.
What can be done?
• The principal goal of an organisation's risk management process should be to protect the organisation and its ability to achieve its mission,
• and therefore ICT-related risk management should be part of the overall corporate risk management, because value has moved from tangible to intangible assets.
It's now the intangible economy! Information is the most valuable asset and is the only commodity that can be stolen without being taken!
If organisations do not address these problems, then they should expect severe financial damage resulting from service interruption, reputation damage, loss of strategic information, liability claims, loss of property.
The dependence on ICT for business core operations makes ICT an important strategic tool.