LHS IT Risk Management
John Mitchell
PhD, MBA, CEng, CITP, FBCS, CFIIA, CISA, CGEIT, QiCA, CFE
LHS Business Control
47 Grangewood
Potters Bar
Herts EN6 1SL
© John Mitchell
Tel: +44 (0)1707 851454
Cell: +44 (0)7774 145638
[email protected]
www.lhscontrol.com
Main IT Components
(figure: People, Technology, Processes)
IT Assurance Frameworks
(figure: frameworks positioned by scope of coverage on an axis running from WHAT to HOW)
COSO, ISO 22301, ISO 38500, ISO 31000, CMM & ISO 15504, ISO 20000, ISO 27031, ISO 24762, ISO 8000, ITIL, ISO 9000, ISO 27000, ISO 25010
Assurance
(figure: sources of assurance and their share, with the labels Internal Control Assurance and Management Assurance)
• Direct internal audits (20%)
• Control environment review (5%)
• Control self assessment (20%)
• Other assurance functions (20%)
• External audit (5%)
• Risk management programme (30%)
The Risk Management Process
(figure: matrix of Likelihood, Low (A) to High (E), against Consequence, Low (A) to High (E); zones labelled Senior Management Attention, Local Management Attention and No Action; an Inherent Risk is moved to a Residual Risk by Likelihood Reduction and Consequence Reduction)
Inherent Risk
The likelihood and consequence of risk crystallisation before mitigating actions (controls) have been put in place
Residual Risk
The likelihood and consequence of risk crystallisation after mitigating actions (controls) have been put in place
Likelihood/Probability
• The likelihood that something will occur in a defined time frame
• Usually measured in frequency per time period

Likelihood. Optimism vs. pessimism
Source: ICAEW, April 2014, icaew.com
Consequence/Impact
• The impact on the organisation when a risk crystallises
• Usually measured on an incremental scale of impact
Holistic Risk Management
MB = Main Board
XC = Executive Committee
(figure: organisation chart with the labels MB, XC, Risk Director (Key Corporate Risks), Risk Director (Residual Operational Risks), Local Risk Management for IT, HR, FM, Fin and Prod, and Key Operational Risks)
Who's Concerned With What?
Inherent Risk >< Control = Residual/Retained Risk
Local Management are concerned with these (the inherent risk and the controls); Senior Management are concerned with this (the residual/retained risk)
The Risk Management Process
• Inherent Risk
– The starting point
• Residual risk
– Where you end up after doing something
• Retained Risk
– What you formally decide to live with
– Risk appetite
– Risk tolerance
– Often the same as the residual risk
Which One Would You Want Assurance Over?
(figure: Inherent Risk, Controls and Residual Risk shown for three risks)
Risk 1 – Controls: None
Risk 2 – Controls: Some
Risk 3 – Controls: Lots
Control Classification
Class – Ability to detect the event and take recovery action
1 – Prevents the event, or detects it as it happens and prevents further impact
2 – Detects the event and reacts fast enough to fix it well within the specified time window
3 – Detects the event and reacts just fast enough to fix it within the specified time window
4 – Detects the event but cannot react fast enough to fix it within the specified time window
5 – Fails to detect the event but has a partially deployed business continuity plan
6 – Fails to detect the event but does have a business continuity plan
7 – Fails to detect the event and does not have a business continuity plan
Type column: Preventive, Detective, Reactive
Source: D Brewer & W List
Key IT Operational Risk Areas
• Confidentiality
– Data, information and services are only available to those who should have them
• Integrity
– Data and processing are complete, accurate and reliable
• Availability
– Data, information and services are available at the time of need to those who should have them
• Compliance
– All processing will comply with relevant statutory and regulatory requirements
• Reliability
– All operations are consistently applied
Simple IT Infrastructure
(figure, labels: Hardware; Base Software (Operating System & DBMS); Application Software; Data; End User Computing (EUC, "Bandit Country"); People; Policies; Standards; Procedures; Finance; Facilities)
Extended Infrastructure
(figure, labels: Internet; Router; Outer Firewall; Web server; Middleware; Inner Firewall; SQL database; Back-end legacy system; Cloud Computing; Social Networking; Credit Check & Banking; Customer; BYOD; Wearability)
The Usual Documentation
What Is This Control Stuff?
• Definition
– Anything which monitors, or modifies, the behaviour of a process so as to ensure its predictability
• How They Work
– A control is simply a test against a known attribute
Anatomy of a Control
• Design
• Implementation
• Monitoring
• Evaluation
Control Design
How well the control should work, in theory, if it is always applied in the way intended:
3) – designed to reduce a risk aspect entirely (either likelihood or consequence)
2) – designed to reduce most of a risk aspect
1) – designed to reduce some parts of a risk aspect
0) – very limited or badly designed; even where used correctly it provides little or no protection
Control Implementation
The way in which the control operates in practice:
3) – the control is always applied as intended
2) – the control is generally operational, but on occasions is not applied as intended
1) – the control is sometimes correctly applied
0) – the control is not applied, or is applied incorrectly
Control Monitoring
How we know that the control is continuing to operate (embedded monitor):
3) – operation is always monitored
2) – operation is usually monitored, but on occasions is not
1) – operation is monitored on an ad-hoc basis
0) – operation is not monitored at all
Control Evaluation
How frequently the control effectiveness is evaluated:
3) – control is regularly evaluated for effectiveness
2) – control is occasionally evaluated for effectiveness
1) – control is evaluated on an ad-hoc basis (usually when something goes wrong)
0) – control is never evaluated
Scoring Control Effectiveness (Simple Model – Not Weighted)
• Apply DIME:
– Design = 2 (3)
– Implementation = 2 (3)
– Monitoring = 1 (3)
– Evaluation = 1 (3)
– INITIAL SCORE = 6 (12) = 50%
Scoring Control Effectiveness (Weighted Model)
• Apply DIME:
– Design (x3): 2 = 6 (9)
– Implementation (x3): 2 = 6 (9)
– Monitoring (x2): 1 = 2 (6)
– Evaluation (x1): 1 = 1 (3)
– INITIAL SCORE = 15 (27) = 55%
An Example
• Two signatures on a cheque will prevent an unauthorised disbursement by one person
– Design = 3 (3)
– Implementation = 3 (3)
– Monitoring = 3 (3)
– Evaluation = 1 (3)
– INITIAL SCORE = 10 (12) = 83%
Another Example
• Ghost employees will be prevented from being created on the payroll by making HR responsible for employee record creation instead of the Payroll department.
– Design = 0 (3)
– Implementation = 3 (3)
– Monitoring = 3 (3)
– Evaluation = 3 (3)
– INITIAL SCORE = 9 (12) = 75%
– However, as Design scores 0, the total score becomes zero.
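The DIME scoring from the preceding slides, worked through in code for both the simple and the weighted model, including the rule that a Design score of 0 zeroes the total. This is an added example, not part of the original deck: the 3/3/2/1 weights are the ones on the weighted-model slide, while the Dime class, the truncation of the percentage and the weakest-factor helper are my assumptions.

```python
# Added example (not from the original slides): DIME control-effectiveness
# scoring in the simple (unweighted) and weighted forms shown in the deck,
# with the rule from the ghost-employee example that a Design score of 0
# zeroes the total. Weights 3/3/2/1 are those on the weighted-model slide.
from dataclasses import dataclass

MAX_PER_FACTOR = 3                      # each DIME factor is scored 0..3
WEIGHTS = {"design": 3, "implementation": 3, "monitoring": 2, "evaluation": 1}


@dataclass(frozen=True)
class Dime:
    design: int
    implementation: int
    monitoring: int
    evaluation: int

    def __post_init__(self):
        for name, value in vars(self).items():
            if not 0 <= value <= MAX_PER_FACTOR:
                raise ValueError(f"{name} must be 0..{MAX_PER_FACTOR}, got {value}")


def score(dime: Dime, weighted: bool = False) -> tuple[int, int, int]:
    """Return (achieved, maximum, percent); percent is truncated, as 15 (27) = 55%.

    A Design score of 0 means the control cannot work however well it is
    implemented, monitored and evaluated, so the total becomes zero.
    """
    weights = WEIGHTS if weighted else {k: 1 for k in WEIGHTS}
    achieved = sum(weights[k] * v for k, v in vars(dime).items())
    maximum = sum(weights[k] * MAX_PER_FACTOR for k in WEIGHTS)
    if dime.design == 0:
        achieved = 0
    return achieved, maximum, achieved * 100 // maximum


def weakest_factor(dime: Dime) -> str:
    """Name the lowest-scoring DIME factor: the first place to invest effort."""
    return min(vars(dime), key=lambda k: vars(dime)[k])


if __name__ == "__main__":
    examples = {
        "simple model slide": (Dime(2, 2, 1, 1), False),
        "weighted model slide": (Dime(2, 2, 1, 1), True),
        "two signatures on a cheque": (Dime(3, 3, 3, 1), False),
        "HR creates payroll records": (Dime(0, 3, 3, 3), False),
    }
    for label, (d, w) in examples.items():
        got, top, pct = score(d, w)
        print(f"{label:28s} {got:2d} ({top}) = {pct}%  weakest: {weakest_factor(d)}")
```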
Another View
(figure: the Likelihood/Consequence matrix from earlier with risks numbered 1 to 18 plotted in its cells; labelled examples include 12) Power Loss, 14) 3rd Party Support and 15) Loss of Data Centre)
Embedded Monitors
• Those things that confirm that the mitigating actions (controls) are effectively working on a continuous basis
• Usually a comparison against KPIs
• This may be an SLA

Embedded Monitor in Action
(figure: Actual plotted against Expected over Time, with a Test Norm; each test result marked OK or Not OK)
Embedded Monitor Examples
• A green indicator light shows that the temperature is within the norm
• A regular reconciliation shows that all transactions were processed successfully
• Free disk space below 75% indicates that storage is not a problem
• Re-work at less than 1% indicates that the manufacturing process is operating within quality standards
Early Warning Indicators
• Those things that indicate a risk is likely to crystallise in the near future:
– Trend analysis
– Exception reporting
– Complaints

EWI In Action
(figure: Quantity plotted over Time against an Acceptable threshold, with the area labelled Trouble Looming)
EWI Examples
• An amber light shows that the temperature is outside the norm, but is not yet critical
• Trend analysis (response time increasing)
• Exception reporting (too many incorrect P/Ws)
• Service Levels (telephone not answered)
• Free disk space decreasing
• Free memory less than 40%
CMM & ISO 15504
CMM                          ISO 15504
5 – Optimised                5 – Optimised
4 – Managed and Measurable   4 – Predictable
3 – Defined                  3 – Established
2 – Repeatable               2 – Managed
1 – Ad Hoc                   1 – Performed
0 – Non existent             0 – Incomplete

Selling Risk Management
Summary
• Determine business objectives
• Identify IT objectives
• Identify IT risks (inherent level)
• Prioritise IT risks (inherent level)
• Identify potential controls
• Ascertain whether they are in operation
• Re-score IT risk (residual level)
• Agree remedial action plan (if necessary)
• Formally retain the residual risk (Main Board)
Questions?
John Mitchell
PhD, MBA, CEng, CITP, FBCS, CFIIA, CISA, CGEIT, QiCA, CFE
LHS Business Control
47 Grangewood
Potters Bar
Hertfordshire EN6 1SL
England
Tel: +44 (0)1707 851454
Cell: +44 (0)7774 145638
[email protected]
www.lhscontrol.com