ENTERPRISE IT RISK MANAGEMENT: “EXPLORING THE RIGHT POSTURE”
PARAG DEODHAR
27 JULY 2012 ‐ BANGALORE
EVOLUTION OF IT WITHIN THE ORGANISATION
[Diagram: the three stages of IT’s role in the organisation: Support Team, Enabler, Transformer]
ENTERPRISE IT RISK MANAGEMENT COLLOQUIUM, 27 July 2012, Parag Deodhar
ENTERPRISE RISK & IT
• IT is now CORE to Business
• Top 3 areas which Audit Committees want to spend more time on (Source: KPMG Survey)
IT RISK MANAGEMENT IS MUCH MORE THAN IT SECURITY
• Not limited to information security. It covers all IT‐related risks, including:
  – Late project delivery
  – Not achieving enough value from IT
  – Compliance
  – Misalignment
  – Obsolete or inflexible IT architecture
  – IT service delivery problems
IT RISK DOES NOT EMANATE FROM THE IT DEPARTMENT ALONE
• Mergers and Acquisitions
• Purchasing software as a service
• Investing in application enhancements
• Outsourcing and offshoring
• Integrating diverse applications
  – Business Partners, Suppliers, Banks, Customers…
• End Users
• Consultants and Auditors!!!
WHO OWNS IT RISK?
• IT Risk Management ‐ Organisation Structure & Reporting line
  – IT team
  – Risk Management Team
  – External Vendors
  – Group Team
WHOSE NECK IS ON THE LINE WHEN DISASTER STRIKES?
CIO REPORT TO THE AUDIT COMMITTEE (Source: KPMG Survey)
IT RISK UNIVERSE
EMERGING IT RISKS IN THE BORDERLESS ENTERPRISE
MANAGING IT RISKS
• New threats are emerging every day
• Basic measures like Anti‐Virus and Firewalls are no longer enough
• Tools like SIEM, IPS, DLP, DRM… are now a standard requirement
• Tools alone are not enough; continuous updates and 24x7 monitoring and response are required
• Do you have the resources – money, time, human resources???
• What is your risk posture? What do you tell the Board?
• How do you manage compliance?
GUIDING PRINCIPLES (Source: ISACA)
IT RISK MANAGEMENT FRAMEWORK (Source: ISACA)
• Responsibility and accountability for risk
• Risk appetite and tolerance
• Awareness and communication
• Risk culture
• Key risk indicators (KRIs)
• Risk response definition and prioritisation
• Risk scenarios
• Business impact descriptions
IT RISK – MATURITY MODEL TO ASSESS POSTURE (Source: ISACA)
It’s not a Goal – But a journey…
THANK YOU