Extreme risk - how bad tech mgmt destroys firms

Sep 08, 2014

Technology

Eric Tachibana

Transcript
Page 1: Extreme risk - how bad tech mgmt destroys firms

EXTREME RISK: 10 WAYS POORLY MANAGED TECH CAN DESTROY YOUR COMPANY

Page 2

dude, failing to manage IT risk is serious

Page 3

you might have to stop doing business altogether

stolen data can be used against your customers

the press may have a field day on you

it will be even worse in social media

you could lose critical assets

employees or directors could go to jail

competitors may learn your secrets

you may have to pay fines

the trust you've built into your brand may disappear

IT can be extremely complex & opaque, may require very specialized skills and changes very, very fast

Page 4

and just because you're a small, nimble start-up does not give you license to be sloppy (especially if you hope to pass exit due diligence)

Page 5

here are 10 obvious, but common, mistakes to avoid...

Page 6

MISTAKE 01: LACK LEADERSHIP

Page 7

MISTAKE 01: LACK LEADERSHIP

Leadership must understand the strategic importance of technology risk management

They must also be involved with decision-making and communicate like crazy

Page 8

MISTAKE 01: LACK LEADERSHIP

Leadership must put in place a technology risk management (TRM) framework that includes the right culture, policies, standards (enterprise requirements), & control procedures

They must also be responsible for communications & the quality of firm-wide execution

Page 9

MISTAKE 01: LACK LEADERSHIP

Leadership must get the right people, in the right roles, at the right time, with the right training

Page 10

MISTAKE 01: LACK LEADERSHIP

Leadership must ensure that risks are identified and prioritized by likelihood and severity

Page 11

MISTAKE 01: LACK LEADERSHIP

Leadership must identify control gaps, prioritize and budget for remediation, & monitor projects to close them

Page 12

MISTAKE 01: LACK LEADERSHIP

Leadership must approve & track exceptions

Page 13

MISTAKE 01: LACK LEADERSHIP

Line managers must be engaged & accountable for TRM

TRM must not be seen as red tape. It must be seen as a core job function of a technology manager (and disciplined / rewarded as such)

Page 14

MISTAKE 02: LACK TRM FRAMEWORK

Page 15

MISTAKE 02: LACK TRM FRAMEWORK

A TRM Framework must protect data & IT assets from unauthorized access or disclosure, misuse, and fraudulent modification

Page 16

MISTAKE 02: LACK TRM FRAMEWORK

A TRM Framework must ensure data confidentiality, system security, reliability, resiliency, & recoverability

Page 17

MISTAKE 02: LACK TRM FRAMEWORK

A TRM Framework must define roles & responsibilities

Page 18

MISTAKE 02: LACK TRM FRAMEWORK

A TRM Framework must identify & prioritize IT assets

Page 19

MISTAKE 02: LACK TRM FRAMEWORK

A TRM Framework must identify & assess impact and likelihood of operational & emerging risk, including internal & external networks, hardware, software, interfaces, operations, and human resources

The firm must also have a mechanism to identify risk trends externally

Page 20

MISTAKE 02: LACK TRM FRAMEWORK

A TRM Framework must methodically & regularly inventory and prioritize risks, controls, exceptions, and gaps

Page 21

MISTAKE 02: LACK TRM FRAMEWORK

A TRM Framework must be updated regularly

Page 22

MISTAKE 03: LACK PARTNER OVERSIGHT

Page 23

MISTAKE 03: LACK PARTNER OVERSIGHT

IT provided or supported by partners* must be in scope & leadership must fully understand outsourcing risks

Outsourced IT infrastructure is still part of your TRM. You can't wash your hands of it

* Provision or support includes system development and support, DC ops, network admin, BCP, hosting / cloud, and can involve one or more parties in or out of country

Page 24

MISTAKE 03: LACK PARTNER OVERSIGHT

Proper due diligence must ensure viability, capability, reliability, & stability of vendors

Page 25

MISTAKE 03: LACK PARTNER OVERSIGHT

Written contracts must define expected risk-related service levels, roles, obligations, & control processes in detail*

They must also be reviewed regularly

* For example, performance targets, service levels, availability, reliability, scalability, compliance, audit, security, contingency planning, disaster recovery and backup

Page 26

MISTAKE 03: LACK PARTNER OVERSIGHT

A Service Level Management Framework such as the IT Infrastructure Library (ITIL) must ensure continuing, monitored controls compliance

Page 27

MISTAKE 03: LACK PARTNER OVERSIGHT

An exit / backup plan must be in place to switch partners if required

Page 28

MISTAKE 04: LACK PORTFOLIO MANAGEMENT

Page 29

MISTAKE 04: LACK PORTFOLIO MGMT

The entire technology portfolio / platform must be managed through its lifecycle

The business must be engaged with portfolio strategy as a key stakeholder

Page 30

MISTAKE 04: LACK PORTFOLIO MGMT

Enterprise architecture strategy must be supported by accurate & accessible MIS and asset management data

Page 31

MISTAKE 04: LACK PORTFOLIO MGMT

Leadership must define, document, & communicate the target state platform

Page 32

MISTAKE 04: LACK PORTFOLIO MGMT

A professional Project / Change Management Framework like the Project Management Body Of Knowledge (PMBOK) or ITIL must guide change from current to target

Page 33

MISTAKE 04: LACK PORTFOLIO MGMT

A professional Quality Management program should ensure quality of build and operate

For example, a documented software development lifecycle (SDLC) should effectively guide development & code quality

Page 34

MISTAKE 04: LACK PORTFOLIO MGMT

There must be strong testing & code review controls

Page 35

MISTAKE 04: LACK PORTFOLIO MGMT

IT acquisition must be strategically aligned

Page 36

MISTAKE 04: LACK PORTFOLIO MGMT

Technology exit planning must be explicit & tracked

Page 37

MISTAKE 05: LACK SERVICE MANAGEMENT

Page 38

MISTAKE 05: LACK SERVICE MGMT

Ongoing IT operations must be guided by a Service Management (SM) Framework like ITIL

Page 39

MISTAKE 05: LACK SERVICE MGMT

The SM Framework should cover:

• Change Management & DevOps
• Release & Deployment Management
• Capacity Management
• Incident Management
• Problem Management
• Source Code Control
• Asset Inventory & Config Management
• Backup & Recovery

Page 40

MISTAKE 06: LACK RECOVERABILITY

Page 41

MISTAKE 06: LACK RECOVERABILITY

The firm needs a realistic, business-prioritized, strategically-aligned & simple business continuity plan (BCP) that ensures reliability, performance, scalability, availability, and recoverability

Page 42

MISTAKE 06: LACK RECOVERABILITY

The BCP should identify critical systems (those that must not go down) as well as recovery point objectives (RPO) and recovery time objectives (RTO) to guide restoration service levels

Page 43

MISTAKE 06: LACK RECOVERABILITY

The disaster recovery plan should cover multiple scenarios, expose dependencies, & be tested regularly

Page 44

MISTAKE 06: LACK RECOVERABILITY

Backup management must ensure that IT assets can be recovered as soon as required, depending on priority, & that dependencies are understood

Page 45

MISTAKE 06: LACK RECOVERABILITY

There should be a Communications Plan defined in advance to deal with various scenarios
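Pages 41 to 44 say what a BCP must contain (critical systems, RPO, RTO, tested restores, known dependencies) but not how you would know, on a given morning, whether you are meeting those targets. The script below is an added example, not code from the deck: it checks a backup catalog and a restore-test log against per-system RPO / RTO targets. The system names, the targets, the catalog entries and the restore durations are all constructed sample data, and the field names are assumptions. Only successful backups count toward RPO, a system with no backup at all is reported rather than silently skipped, and a system whose restore has never been timed is flagged because an untested RTO is a guess, not a service level.

```python
"""Check a backup catalog against per-system RPO / RTO targets.

Added example for the recoverability slides above; this is not code from
the original deck. The systems, their RPO / RTO values, the backup catalog
and the restore-test log are all constructed sample data, and the field
names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Target:
    system: str
    criticality: str      # "critical" = must not go down, in the deck's words
    rpo: timedelta        # recovery point objective: max tolerable data loss
    rto: timedelta        # recovery time objective: max tolerable restore time


# Constructed targets with hypothetical system names.
TARGETS = [
    Target("payments-db", "critical", rpo=timedelta(minutes=15), rto=timedelta(hours=1)),
    Target("crm", "high", rpo=timedelta(hours=4), rto=timedelta(hours=8)),
    Target("wiki", "low", rpo=timedelta(days=1), rto=timedelta(days=3)),
    Target("hr-files", "high", rpo=timedelta(hours=4), rto=timedelta(hours=8)),
]

# Constructed backup catalog: (system, finished_at in UTC, status).
CATALOG = [
    ("payments-db", "2014-09-08T02:00:00Z", "ok"),
    ("payments-db", "2014-09-08T02:10:00Z", "failed"),  # newer, but failed
    ("crm", "2014-09-07T21:00:00Z", "ok"),
    ("wiki", "2014-09-08T01:00:00Z", "ok"),
    # hr-files has no entry at all: a dependency nobody is backing up
]

# Constructed restore-test log: system -> measured restore duration.
RESTORE_TESTS = {
    "payments-db": timedelta(minutes=40),
    "crm": timedelta(hours=10),
    "wiki": timedelta(hours=12),
}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_good_backup(system: str, catalog=CATALOG) -> datetime | None:
    """Most recent *successful* backup; failed runs never count toward RPO."""
    good = [parse_ts(ts) for s, ts, status in catalog if s == system and status == "ok"]
    return max(good) if good else None


def check_recoverability(now: datetime, targets=TARGETS, catalog=CATALOG,
                         restore_tests=RESTORE_TESTS) -> dict[str, list[str]]:
    """Return {system: [findings]} for every target that misses RPO or RTO.

    A system with no successful backup is reported rather than skipped, and
    a system whose restore has never been tested is a finding too.
    """
    findings: dict[str, list[str]] = {}
    for t in targets:
        issues = []
        last = last_good_backup(t.system, catalog)
        if last is None:
            issues.append("no successful backup on record")
        elif now - last > t.rpo:
            issues.append(f"RPO breach: last good backup {now - last} ago, target {t.rpo}")
        measured = restore_tests.get(t.system)
        if measured is None:
            issues.append("restore never tested")
        elif measured > t.rto:
            issues.append(f"RTO breach: restore took {measured}, target {t.rto}")
        if issues:
            findings[t.system] = issues
    return findings


if __name__ == "__main__":
    report = check_recoverability(parse_ts("2014-09-08T03:00:00Z"))
    for system, issues in sorted(report.items()):
        for issue in issues:
            print(f"{system}: {issue}")
```

Run as-is, the report shows the wiki clean and every other system failing in at least one way; swap in your own catalog export and restore drill timings to get the same view of real systems. The point of the constructed failed run on payments-db is that a dashboard counting "last backup job" instead of "last successful backup" would have shown green.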

Page 46

MISTAKE 07: LACK DATA SECURITY

Page 47

MISTAKE 07: LACK DATA SECURITY

You must protect data, hardware, software, and networks from accidental or intentional unauthorized access or tampering by internal or external parties

Page 48

MISTAKE 07: LACK DATA SECURITY

You must identify levels of data sensitivity and ensure escalating levels of protection based upon the significance / priority of risk

Page 49

MISTAKE 07: LACK DATA SECURITY

You must have end-to-end data protection such as encryption when you are dealing with confidential data

Your controls / standards must be in force wherever your data is stored or transmitted

Page 50

MISTAKE 07: LACK DATA SECURITY

You must properly dispose of assets that hold confidential data

Page 51

MISTAKE 07: LACK DATA SECURITY

You must have a mechanism to monitor security & react as required

Page 52

MISTAKE 08: LACK SYSTEM SECURITY

Page 53

MISTAKE 08: LACK SYSTEM SECURITY

You must protect data, hardware, software, and networks from accidental or intentional unauthorized access or tampering by internal or external parties

Page 54

MISTAKE 08: LACK SYSTEM SECURITY

You must identify levels of sensitivity & ensure escalating levels of protection based upon the significance / priority of risk

Page 55

MISTAKE 08: LACK SYSTEM SECURITY

You must ensure that IT assets are patched as required

You must ensure that IT assets are migrated out of production before End-of-Life or End-of-Service
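Both rules on page 55 only work if someone compares the asset inventory against a patch baseline and the vendor's support dates, routinely rather than when an auditor asks. The check below is an added example, not code from the deck. The product names, approved versions, end-of-support dates and the inventory rows are constructed sample data; real inputs would come from your asset register and the vendors' lifecycle pages. Versions are compared as integer tuples rather than strings so that 3.10 sorts after 3.9, and an asset whose product has no end-of-support date on file is reported as an unknown rather than assumed safe.

```python
"""Flag assets that are below the patch baseline or at / near end-of-life.

Added example for the patching and end-of-life slide above; this is not
code from the original deck. The products, baseline versions, end-of-support
dates and inventory rows are constructed sample data with hypothetical names.
"""
from __future__ import annotations

from datetime import date, timedelta

# Constructed patch baseline: minimum approved version per product.
BASELINE = {
    "webfw": (3, 2, 7),
    "dbms": (11, 4, 0),
    "os-server": (8, 1, 0),
}

# Constructed vendor end-of-support dates, keyed by (product, major version).
EOL = {
    ("webfw", 2): date(2014, 6, 30),
    ("webfw", 3): date(2016, 12, 31),
    ("dbms", 10): date(2014, 10, 15),
    ("dbms", 11): date(2018, 1, 31),
    ("os-server", 8): date(2019, 3, 1),
}

# Constructed inventory: (asset, product, installed version, environment).
INVENTORY = [
    ("web-01", "webfw", "3.2.7", "prod"),
    ("web-02", "webfw", "3.1.9", "prod"),         # below baseline
    ("legacy-01", "webfw", "2.9.4", "prod"),      # support already ended
    ("db-01", "dbms", "10.6.2", "prod"),          # support ends inside warning window
    ("db-02", "dbms", "11.4.0", "prod"),
    ("batch-01", "dbms", "9.2.0", "prod"),        # no vendor date on file
    ("app-01", "os-server", "8.1.3", "prod"),
    ("app-02", "os-server", "8.0.2", "staging"),  # below baseline, non-prod
]


def parse_version(v: str) -> tuple[int, ...]:
    """'3.2.7' -> (3, 2, 7); tuple comparison makes '3.10.0' > '3.9.9'."""
    return tuple(int(part) for part in v.split("."))


def assess(inventory=INVENTORY, today: date = date(2014, 9, 8),
           warn: timedelta = timedelta(days=90)) -> list[tuple[str, str]]:
    """Return (asset, finding) pairs for every asset needing action.

    unpatched   installed version is below the approved baseline
    eol         vendor support has ended, asset must leave production
    eol-soon    support ends within the warning window, migration is due
    no-eol-data no vendor date on file, so the exposure is unknown
    """
    findings: list[tuple[str, str]] = []
    for asset, product, version, env in inventory:
        installed = parse_version(version)
        if installed < BASELINE[product]:
            findings.append((asset, "unpatched"))
        eol = EOL.get((product, installed[0]))
        if eol is None:
            findings.append((asset, "no-eol-data"))
        elif eol <= today:
            findings.append((asset, "eol"))
        elif eol - today <= warn:
            findings.append((asset, "eol-soon"))
    return findings


if __name__ == "__main__":
    for asset, finding in assess():
        print(f"{asset}: {finding}")
```

The warning window is a parameter because the right lead time depends on how long a migration actually takes in your shop; 90 days is a placeholder, not a recommendation from the deck.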

Page 56

MISTAKE 08: LACK SYSTEM SECURITY

You must deploy the right level of network & endpoint security (including anti-virus) across operating systems, network devices, databases, and enterprise mobile devices

Page 57

MISTAKE 08: LACK SYSTEM SECURITY

Key points in the infrastructure (perimeter & internal as required) must be protected through firewalls and intrusion detection & prevention tools

Page 58

MISTAKE 08: LACK SYSTEM SECURITY

You must test security using vulnerability assessment & penetration testing regularly

Page 59

MISTAKE 08: LACK SYSTEM SECURITY

You must have a mechanism to monitor security and react as required

Page 60

MISTAKE 09: LACK PHYSICAL SECURITY

Page 61

MISTAKE 09: LACK PHYSICAL SECURITY

You must protect data, hardware, software, and networks from accidental or intentional unauthorized access or tampering by internal or external parties

Page 62

MISTAKE 09: LACK PHYSICAL SECURITY

You must identify levels of sensitivity & ensure escalating levels of protection based upon the significance / priority of risk

Page 63

MISTAKE 09: LACK PHYSICAL SECURITY

There must be regular threat and vulnerability assessments

Page 64

MISTAKE 09: LACK PHYSICAL SECURITY

You must implement appropriate physical security such as need-to-access-only requirements & security / surveillance systems

Page 65

MISTAKE 09: LACK PHYSICAL SECURITY

Critical resources such as air, water, power, fire suppression, & communications should be redundant where required

Page 66

MISTAKE 10: LACK ACCESS CONTROLS

Page 67

MISTAKE 10: LACK ACCESS CONTROLS

For critical / sensitive systems an individual must not be granted access alone (never-alone principle)

Page 68

MISTAKE 10: LACK ACCESS CONTROLS

The transaction process should prevent a single person from initiating, approving, and executing by themselves (segregation of duties)

Job rotation is recommended for sensitive functions

Page 69

MISTAKE 10: LACK ACCESS CONTROLS

Access should be limited to need-to-know (access-control principle)

Page 70

MISTAKE 10: LACK ACCESS CONTROLS

Access should be logged and access rights should be easy to review & modify, as access rights change naturally over time

Page 71

MISTAKE 10: LACK ACCESS CONTROLS

There must be separate environments for development, testing, and production, with controlled access to production where production access is limited and governed by segregation of duties
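Pages 67 to 70 name four controls (never-alone, segregation of duties, need-to-know, logged and reviewable rights) that are easy to state and easy to get wrong in code. The example below is added here and is not code from the deck. It models a transaction that must be initiated, approved and executed by three different people, a critical system that refuses to open a session unless two authorised people are present, an audit trail written on every step, and an access review that finds the entitlements which would let one person defeat the runtime checks. Users, rights, systems and the transaction are constructed sample data; the step names and the "critical" flag are assumptions.

```python
"""Segregation of duties, never-alone access and an audit trail, in one flow.

Added example for the access-controls slides above; this is not code from
the original deck. Users, role assignments, systems and the transaction are
constructed sample data, and the step names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class ControlViolation(Exception):
    """Raised whenever a role, SoD or never-alone control would be bypassed."""


@dataclass
class Transaction:
    tid: str
    amount: int
    initiator: str | None = None
    approver: str | None = None
    executor: str | None = None
    audit: list[str] = field(default_factory=list)  # every step is logged


STEPS = {"initiate", "approve", "execute"}

# Constructed role model: which steps each user may perform.
ROLES = {
    "alice": {"initiate"},
    "bob": {"approve"},
    "carol": {"approve", "execute"},             # entitlement-level SoD conflict
    "dave": {"initiate", "approve", "execute"},  # could do the whole chain alone
}

# Constructed access lists; critical systems enforce never-alone.
CRITICAL_SYSTEMS = {"prod-ledger"}
SYSTEM_ACCESS = {"prod-ledger": {"carol", "dave", "erin"}, "dev-sandbox": {"alice", "bob"}}


def _require_role(actor: str, step: str) -> None:
    if step not in ROLES.get(actor, set()):  # need-to-know: no right, no step
        raise ControlViolation(f"{actor} lacks the '{step}' right")


def _log(txn: Transaction, actor: str, step: str) -> None:
    txn.audit.append(f"{txn.tid} {step} by {actor}")


def initiate(txn: Transaction, actor: str) -> None:
    _require_role(actor, "initiate")
    txn.initiator = actor
    _log(txn, actor, "initiated")


def approve(txn: Transaction, actor: str) -> None:
    _require_role(actor, "approve")
    if txn.initiator is None:
        raise ControlViolation("nothing to approve")
    if actor == txn.initiator:  # segregation of duties
        raise ControlViolation("initiator may not approve own transaction")
    txn.approver = actor
    _log(txn, actor, "approved")


def execute(txn: Transaction, actor: str) -> None:
    _require_role(actor, "execute")
    if txn.approver is None:
        raise ControlViolation("transaction not approved")
    if actor in (txn.initiator, txn.approver):  # segregation of duties
        raise ControlViolation("executor must differ from initiator and approver")
    txn.executor = actor
    _log(txn, actor, "executed")


def grant_session(system: str, present: set[str]) -> str:
    """Open a session; a critical system needs two authorised people present."""
    authorised = present & SYSTEM_ACCESS.get(system, set())
    if not authorised:
        raise ControlViolation(f"nobody present is authorised for {system}")
    if system in CRITICAL_SYSTEMS and len(authorised) < 2:
        raise ControlViolation(f"{system} requires two authorised people present")
    return f"{system} session opened for {', '.join(sorted(authorised))}"


def sod_conflicts(roles=ROLES) -> list[str]:
    """Access review: users whose rights span more than one step of the chain."""
    return sorted(user for user, rights in roles.items() if len(rights & STEPS) > 1)


def violates(fn, *args) -> bool:
    """True if fn(*args) is blocked by a control; handy for exercising the checks."""
    try:
        fn(*args)
    except ControlViolation:
        return True
    return False


def run_happy_path() -> Transaction:
    txn = Transaction("T-1001", amount=25000)
    initiate(txn, "alice")
    approve(txn, "bob")
    execute(txn, "carol")
    return txn
```

The runtime checks stop one person doing two steps on the same transaction; `sod_conflicts()` is the review the deck asks for on page 70, and it reports carol and dave because their standing rights make such a bypass possible even though nothing has gone wrong yet. That gap between "nobody has abused it" and "nobody could" is what an access review is for.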

Page 72

SHARE THIS DECK & FOLLOW ME (please-oh-please-oh-please-oh-please)

stay up to date with my future slideshare posts

http://www.slideshare.net/selenasol/presentations

https://twitter.com/eric_tachibana

http://www.linkedin.com/pub/eric-tachibana/0/33/b53

Page 74

CREATIVE COMMONS ATTRIBUTIONS & REFERENCES

Title Slide: http://www.flickr.com/photos/23754017@N08/
Dude Slide: http://www.flickr.com/photos/karen_od/
Ewok Slide: http://www.flickr.com/photos/daviddurantrejo/
Leadership Slide: http://www.flickr.com/photos/daviddurantrejo/
Tech Risk Mgmt Slide: http://www.flickr.com/photos/daviddurantrejo/
Partner Oversight Slide: http://www.flickr.com/photos/daviddurantrejo/
Service Mgmt Slide: http://www.flickr.com/photos/gageskidmore/
Portfolio Mgmt Slide: http://www.flickr.com/photos/fotomaf/
Recoverability Slide: http://www.flickr.com/photos/karen_od/
Data Security Slide: http://www.flickr.com/photos/daviddurantrejo/
System Security Slide: http://www.flickr.com/photos/daviddurantrejo/
Physical Security Slide: http://www.flickr.com/photos/fotomaf/
Access Controls Slide: http://www.flickr.com/photos/daviddurantrejo/

http://www.mas.gov.sg
http://www.isaca.org
http://coso.org/guidance.htm
http://www.itil-officialsite.com
http://www.pmi.org

Please note that all content & opinions expressed in this deck are my own and don't necessarily represent the position of my current, or any previous, employers