EXTREME RISK: 10 WAYS POORLY MANAGED TECH CAN DESTROY YOUR COMPANY
Sep 08, 2014
dude, failing to manage IT risk is serious:
• you might have to stop doing business altogether
• stolen data can be used against your customers
• the press may have a field day on you
• it will be even worse in social media
• you could lose critical assets
• employees or directors could go to jail
• competitors may learn your secrets
• you may have to pay fines
• the trust you've built into your brand may disappear
IT can be extremely complex & opaque, may require very specialized skills, and changes very, very fast. And just because you're a small, nimble start-up does not give you license to be sloppy (especially if you hope to pass exit due diligence).

Here are 10 obvious, but common, mistakes to avoid…
MISTAKE 01: LACK LEADERSHIP
• Leadership must understand the strategic importance of technology risk management (TRM). They must also be involved in decision-making and communicate like crazy
• Leadership must put in place a TRM framework that includes the right culture, policies, standards (enterprise requirements) & control procedures. They must also be responsible for communications & the quality of firm-wide execution
• Leadership must get the right people, in the right roles, at the right time, with the right training
• Leadership must ensure that risks are identified and prioritized by likelihood and severity
• Leadership must identify control gaps, prioritize and budget for remediation, & monitor projects to close them
• Leadership must approve & track exceptions
• Line managers must be engaged & accountable for TRM. TRM must not be seen as red tape; it must be seen as a core job function of a technology manager (and disciplined/rewarded as such)
MISTAKE 02: LACK TRM FRAMEWORK
• A TRM framework must protect data & IT assets from unauthorized access or disclosure, misuse, and fraudulent modification
• A TRM framework must ensure data confidentiality, system security, reliability, resiliency, & recoverability
• A TRM framework must define roles & responsibilities
• A TRM framework must identify & prioritize IT assets
• A TRM framework must identify & assess the impact and likelihood of operational & emerging risk, including internal & external networks, hardware, software, interfaces, operations, and human resources. The firm must also have a mechanism to identify risk trends externally
• A TRM framework must methodically & regularly inventory and prioritize risks, controls, exceptions, and gaps
• A TRM framework must be updated regularly
MISTAKE 03: LACK PARTNER OVERSIGHT
• IT provided or supported by partners* must be in scope, & leadership must fully understand outsourcing risks. Outsourced IT infrastructure is still part of your TRM. You can't wash your hands of it
  * Provision or support includes system development and support, DC ops, network admin, BCP, hosting / cloud, and can involve one or more parties in or out of country
• Proper due diligence must ensure the viability, capability, reliability, & stability of vendors
• Written contracts must define expected risk-related service levels, roles, obligations, & control processes in detail**. They must also be reviewed regularly
  ** For example: performance targets, service levels, availability, reliability, scalability, compliance, audit, security, contingency planning, disaster recovery and backup
• A Service Level Management framework such as the IT Infrastructure Library (ITIL) must ensure continuing, monitored controls compliance
• An exit / backup plan must be in place to switch partners if required
MISTAKE 04: LACK PORTFOLIO MANAGEMENT
• The entire technology portfolio/platform must be managed through its lifecycle. The business must be engaged with portfolio strategy as a key stakeholder
• Enterprise architecture strategy must be supported by accurate & accessible MIS and asset management data
• Leadership must define, document, & communicate the target-state platform
• A professional Project / Change Management framework like the Project Management Body of Knowledge (PMBOK) or ITIL must guide change from current to target state
• A professional Quality Management program should ensure quality of build and operate. For example, a documented software development lifecycle (SDLC) should effectively guide development & code quality
• There must be strong testing & code review controls
• IT acquisition must be strategically aligned
• Technology exit planning must be explicit & tracked
MISTAKE 05: LACK SERVICE MANAGEMENT
• Ongoing IT operations must be guided by a Service Management (SM) framework like ITIL
• The SM framework should cover:
  • Change Management & DevOps
  • Release & Deployment Management
  • Capacity Management
  • Incident Management
  • Problem Management
  • Source Code Control
  • Asset Inventory & Configuration Management
  • Backup & Recovery
MISTAKE 06: LACK RECOVERABILITY
• The firm needs a realistic, business-prioritized, strategically-aligned & simple business continuity plan (BCP) that ensures reliability, performance, scalability, availability, and recoverability
• The BCP should identify critical systems (those that must not go down) as well as recovery point objectives (RPO) and recovery time objectives (RTO) to guide restoration service levels
• The disaster recovery plan should cover multiple scenarios, expose dependencies, & be tested regularly
• Backup management must ensure that IT assets can be recovered as soon as required, depending on priority, & that dependencies are understood
• There should be a Communications Plan defined in advance to deal with various scenarios
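The RPO/RTO and dependency points above, as an added example that is not part of the original deck: a small, constructed inventory of hypothetical critical systems (names, RPO/RTO hours, restore durations, dependencies and last-backup times are all made up for illustration) is checked for backups older than their RPO, put into a dependency-first restore order, and each system's earliest possible recovery time is compared with its RTO. The point it makes is the one in the slide: a system can meet its own restore time and still miss its RTO because of what it depends on.

```python
"""Added example (not from the deck): RPO breach check, dependency-first restore
order, and RTO feasibility for a constructed BCP inventory. All data is hypothetical."""
from datetime import datetime, timedelta

# Constructed inventory of critical systems (hypothetical names and values).
# rpo / rto in hours; restore_hours = time to rebuild once its dependencies are up.
SYSTEMS = {
    "dns":      {"rpo": 24, "rto": 1, "restore_hours": 0.5, "depends_on": []},
    "ad":       {"rpo": 4,  "rto": 2, "restore_hours": 1.5, "depends_on": ["dns"]},
    "core-db":  {"rpo": 1,  "rto": 4, "restore_hours": 3.0, "depends_on": ["dns"]},
    "payments": {"rpo": 1,  "rto": 2, "restore_hours": 1.0, "depends_on": ["core-db", "ad"]},
}

# Constructed "last successful backup" record, one timestamp per system.
LAST_BACKUP = {
    "dns":      datetime(2014, 9, 7, 22, 0),
    "ad":       datetime(2014, 9, 8, 6, 0),
    "core-db":  datetime(2014, 9, 8, 5, 30),   # 3.5h old at NOW against a 1h RPO
    "payments": datetime(2014, 9, 8, 8, 45),
}
NOW = datetime(2014, 9, 8, 9, 0)


def rpo_breaches(systems, last_backup, now):
    """Names of systems whose newest backup is older than their RPO, or missing."""
    out = []
    for name, spec in systems.items():
        taken = last_backup.get(name)
        if taken is None or now - taken > timedelta(hours=spec["rpo"]):
            out.append(name)
    return sorted(out)


def restore_order(systems):
    """Restore sequence with every dependency before its dependants.
    Raises ValueError on an unknown or circular dependency (both are plan defects)."""
    order, state = [], {}          # state: 1 = being visited, 2 = finished

    def visit(name, path):
        if name not in systems:
            raise ValueError(f"{path[-1]} depends on unknown system {name!r}")
        if state.get(name) == 2:
            return
        if state.get(name) == 1:
            raise ValueError("circular dependency: " + " -> ".join(path + [name]))
        state[name] = 1
        for dep in systems[name]["depends_on"]:
            visit(dep, path + [name])
        state[name] = 2
        order.append(name)

    for name in systems:
        visit(name, [])
    return order


def rto_feasibility(systems):
    """Map each system to (hours until it is back, meets_rto), assuming a system's
    restore starts only when all its dependencies are up and independent restores
    run in parallel."""
    done_at = {}
    for name in restore_order(systems):
        spec = systems[name]
        start = max((done_at[d] for d in spec["depends_on"]), default=0.0)
        done_at[name] = start + spec["restore_hours"]
    return {n: (done_at[n], done_at[n] <= systems[n]["rto"]) for n in systems}


if __name__ == "__main__":
    print("RPO breaches:", rpo_breaches(SYSTEMS, LAST_BACKUP, NOW))
    print("Restore order:", restore_order(SYSTEMS))
    for name, (hours, ok) in rto_feasibility(SYSTEMS).items():
        print(f"{name:9} up after {hours:4.1f}h, RTO {SYSTEMS[name]['rto']}h: {'OK' if ok else 'MISSED'}")
```

With the constructed data, core-db breaches its RPO, and payments misses its 2h RTO even though its own restore takes one hour, because it cannot start until core-db (3.5h) is back. That chain is what "expose dependencies" means in practice, and it only becomes visible when the plan is run through, not when it is written.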
MISTAKE 07: LACK DATA SECURITY
• You must protect data, hardware, software, and networks from accidental or intentional unauthorized access or tampering by internal or external parties
• You must identify levels of data sensitivity and ensure escalating levels of protection based upon the significance / priority of risk
• You must have end-to-end data protection, such as encryption, when you are dealing with confidential data. Your controls / standards must be in force wherever your data is stored or transmitted
• You must properly dispose of assets that hold confidential data
• You must have a mechanism to monitor security & react as required
MISTAKE 08: LACK SYSTEM SECURITY
• You must protect data, hardware, software, and networks from accidental or intentional unauthorized access or tampering by internal or external parties
• You must identify levels of sensitivity & ensure escalating levels of protection based upon the significance / priority of risk
• You must ensure that IT assets are patched as required, and that IT assets are migrated out of production before End-of-Life or End-of-Service
• You must deploy the right level of endpoint & network security (including anti-malware) across operating systems, network devices, databases, and enterprise mobile devices
• Key points in the infrastructure (perimeter & internal as required) must be protected with firewalls and intrusion detection & prevention tools
• You must test security using vulnerability assessment & penetration testing regularly
• You must have a mechanism to monitor security and react as required
MISTAKE 09: LACK PHYSICAL SECURITY
• You must protect data, hardware, software, and networks from accidental or intentional unauthorized access or tampering by internal or external parties
• You must identify levels of sensitivity & ensure escalating levels of protection based upon the significance / priority of risk
• There must be regular threat and vulnerability assessments
• You must implement appropriate physical security, such as need-to-access-only requirements & security / surveillance systems
• Critical resources such as air, water, power, fire suppression, & communications should be redundant where required
MISTAKE 10: LACK ACCESS CONTROLS
• For critical / sensitive systems an individual must not be granted access alone (never-alone principle)
• The transaction process should prevent a single person from initiating, approving, and executing by themselves (segregation of duties). Job rotation is recommended for sensitive functions
• Access should be limited to need-to-know (access-control principle)
• Access should be logged, and access rights should be easy to review & modify, as access rights change naturally over time
• There must be separate environments for development, testing, and production, with controlled access to production where production access is limited and governed by segregation of duties
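The segregation-of-duties, access-review and dev/test/prod points above, as an added example that is not part of the original deck: a constructed transaction log is checked so that no single identity holds two of the three duties (initiate, approve, execute) on one transaction, and a constructed access-rights register is reviewed against an HR roster for leavers who still hold rights, rights whose last review is older than the review period, and developers holding production access. All users, systems, dates and roles are made up for illustration; the 90-day review period is an assumption, not a figure from the deck.

```python
"""Added example (not from the deck): segregation-of-duties check over a transaction
log, plus an access-rights review against an HR roster. All data is constructed."""
from datetime import date, timedelta

# Constructed transaction log: who initiated, approved and executed each payment.
TRANSACTIONS = [
    {"id": "T1", "initiated_by": "alice", "approved_by": "bob",  "executed_by": "carol"},
    {"id": "T2", "initiated_by": "dave",  "approved_by": "dave", "executed_by": "carol"},  # self-approved
    {"id": "T3", "initiated_by": "erin",  "approved_by": "bob",  "executed_by": "erin"},   # initiator also executes
]

# Constructed HR roster (hypothetical people) and access-rights register.
STAFF = {
    "alice": {"role": "finance",   "active": True},
    "bob":   {"role": "finance",   "active": True},
    "carol": {"role": "ops",       "active": True},
    "dave":  {"role": "finance",   "active": True},
    "erin":  {"role": "finance",   "active": False},   # has left the firm
    "frank": {"role": "developer", "active": True},
}
ACCESS = [
    {"user": "alice", "system": "ledger",   "env": "prod", "last_reviewed": date(2014, 8, 1)},
    {"user": "erin",  "system": "ledger",   "env": "prod", "last_reviewed": date(2014, 8, 1)},   # leaver
    {"user": "frank", "system": "ledger",   "env": "prod", "last_reviewed": date(2014, 8, 1)},   # developer in prod
    {"user": "frank", "system": "ledger",   "env": "dev",  "last_reviewed": date(2014, 8, 1)},
    {"user": "carol", "system": "payments", "env": "prod", "last_reviewed": date(2014, 1, 15)},  # review overdue
]
TODAY = date(2014, 9, 8)
REVIEW_PERIOD = timedelta(days=90)   # assumed review cycle, not a figure from the deck


def sod_violations(transactions):
    """(transaction id, reason) for each transaction where one identity performed
    two or more of the three duties. Any pair is a finding, not only all three."""
    findings = []
    for t in transactions:
        duties = {"initiated": t["initiated_by"], "approved": t["approved_by"], "executed": t["executed_by"]}
        by_user = {}
        for duty, user in duties.items():
            by_user.setdefault(user, []).append(duty)
        for user, held in by_user.items():
            if len(held) > 1:
                findings.append((t["id"], f"{user} both {' and '.join(held)}"))
    return findings


def access_review_findings(access, staff, today, review_period):
    """(user@system/env, reason) for rights held by inactive or unknown people,
    rights whose last review is older than review_period, and developer accounts
    with production access (dev/test/prod separation)."""
    findings = []
    for a in access:
        person = staff.get(a["user"])
        tag = f"{a['user']}@{a['system']}/{a['env']}"
        if person is None or not person["active"]:
            findings.append((tag, "holder no longer active: revoke"))
        if today - a["last_reviewed"] > review_period:
            findings.append((tag, "review overdue"))
        if a["env"] == "prod" and person is not None and person["role"] == "developer":
            findings.append((tag, "developer holds production access"))
    return findings


if __name__ == "__main__":
    for txn, reason in sod_violations(TRANSACTIONS):
        print(f"SoD  {txn}: {reason}")
    for tag, reason in access_review_findings(ACCESS, STAFF, TODAY, REVIEW_PERIOD):
        print(f"ACL  {tag}: {reason}")
```

The transaction check is only as good as the log it reads, which is why the "access should be logged" point sits next to it: without a record of who initiated, approved and executed, segregation of duties cannot be verified after the fact. The review check ties the access register to HR data so that leavers and role changes surface automatically instead of waiting for someone to notice.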
Stay up to date with my future SlideShare posts:
http://www.slideshare.net/selenasol/presentations
https://twitter.com/eric_tachibana
http://www.linkedin.com/pub/eric-tachibana/0/33/b53
CREATIVE COMMONS ATTRIBUTIONS & REFERENCES
Slide images:
• Title slide: http://www.flickr.com/photos/23754017@N08/
• Dude slide: http://www.flickr.com/photos/karen_od/
• Ewok slide: http://www.flickr.com/photos/daviddurantrejo/
• Leadership slide: http://www.flickr.com/photos/daviddurantrejo/
• Tech Risk Mgmt slide: http://www.flickr.com/photos/daviddurantrejo/
• Partner Oversight slide: http://www.flickr.com/photos/daviddurantrejo/
• Service Mgmt slide: http://www.flickr.com/photos/gageskidmore/
• Portfolio Mgmt slide: http://www.flickr.com/photos/fotomaf/
• Recoverability slide: http://www.flickr.com/photos/karen_od/
• Data Security slide: http://www.flickr.com/photos/daviddurantrejo/
• System Security slide: http://www.flickr.com/photos/daviddurantrejo/
• Physical Security slide: http://www.flickr.com/photos/fotomaf/
• Access Controls slide: http://www.flickr.com/photos/daviddurantrejo/
References:
• http://www.mas.gov.sg
• http://www.isaca.org
• http://coso.org/guidance.htm
• http://www.itil-officialsite.com
• http://www.pmi.org
Please note that all content & opinions expressed in this deck are my own and don’t necessarily represent the position of my current, or any previous, employers