Iob gm's lecture 7th jan 2014 GRC and corporate governance in Financial services

Date post: 12-Jan-2015
Upload: subramanian-k
Description: GRC and corporate governance

Transcript
Page 1: Iob gm's lecture 7th jan 2014  GRC and corporate governance in Financial services

Wishing You All A Very Happy & Prosperous New Year 2014

Your Professional Well-wisher

Prof. K. Subramanian

Page 2

04/10/23 Prof.KS@2014 IOB GM's presentation Jan 14

Governance, Risk & Compliance in Cyber Era: Business Services Assurance in Cyber Era - Challenges Before the Financial Services sector

Prof. K. Subramanian SM(IEEE, USA), SMACM(USA), FIETE, SMCSI, MAIMA, MAIS(USA), MCFE(USA)

Founder Director & Professor, Advanced Center for Informatics & Innovative Learning (ACIIL), IGNOU

Ex-IT Adviser to CAG of India; Ex-Sr. DDG(NIC), Ministry of Comm. & IT

Emeritus President, eInformation Systems, Security, Audit Association

Former President, Cyber Society of India

Page 3

Agenda
• Introduction
• Governance components
• Risk Assurance & Standards & Compliance
• Assurance Framework & PPP
• Challenges for Technologists & Businesses

Page 4

Notable Quotes

"The poor have sometimes objected to being governed badly; the rich have always objected to being governed at all." - G. K. Chesterton

"Ever since men began to modify their lives by using technology they have found themselves in a series of technological traps." - Roger Revelle

"The law is the last interpretation of the law given by the last judge." - Anon.

"Privacy is where technology and the law collide." - Richard Smith (who traced the 'I Love You' and 'Melissa' viruses)

"Technology makes it possible for people to gain control over everything, except over technology." - John Tudor

Page 5

Diagram: ORGANIZATIONS and INFORMATION TECHNOLOGY, linked through MEDIATING FACTORS: Environment, Culture, Structure, Standard Procedures, Politics, Management Decisions, Chance

Page 6

Principles of Good Governance: Leadership, Selflessness, Integrity, Objectivity, Accountability, Openness, Honesty

Humane Governance
- Should be Creative
- Uses Knowledge for National Wealth and Health creation
- Understands the economics of Knowledge
- High Morality

Page 7

Governance Components: Project Governance, IT Governance, Legal Governance, Security Governance, Human & Humane Governance

Page 8

Cyber Governance Components
- Environmental & ICT Infrastructure
- Operational (logistics Integration)
- Technology (synergy & Convergence)
- Network (multi Modal Network)
- Management (HRM & SCM & CRM)
- Impact (feed-back correction)
- Operational Integration (Functional)
- Professional Integration (HR)
- Emotional/Cultural Integration
- Technology Integration

Page 9

Corporate Governance - Business Assurance Framework

Global Phenomena: Combined Code of UK and SOX of USA; Basel II & III; Project Governance; IT Governance; Human & Humane Governance

India Initiatives
1. Clause 49
2. Basel II & III - RBI
3. SEBI - Corporate Governance Implementation directives
4. Risk management - RBI (Basel 2/3) & TRAI
5. MCA Initiatives 2013

Page 10

Global issues with Governance of Cyber Space

Information Technology & Business: current status and future
- Does IT matter? IT-enabled Business - Role of Information and Information Systems in business
- Role of information technology in enabling business
- IT dependence
- Changing Role of the CIO
- Web 2.0 and 3.0 and governing cyberspace
- eBusiness, eHealth, eBanking, eGovernance
- Current Challenges and Issues

Page 11

Creating Trust in an Enterprise

Today's information explosion is creating challenges for business and technology leaders at virtually every organization. The lack of trusted information and pressure to reduce costs is on the minds of CEOs and senior executives around the world.

What's required to solve these challenges is a paradigm shift - from generating and managing silos - of information, of talent and skills, of technologies and of projects to an environment where information is a trusted, strategic asset that is shared across the company.


Page 12

Transition: Insurance Audit Assurance & Assurance Layered Framework

- Insurance Audit: Pre, Concurrent, Post IT Audit
- Layers: Environmental, Operational, Technology, Network, Financial, Management, Impact
- Electronics Continuous Audit Certification Assurance
- Management & Operational Assurance (Risk & ROI)
- Technical Assurance (Availability, Serviceability & Maintainability)
- Financial Assurance: Revenue Assurance (Leakage & Fraud)
- Legal Compliance & Assurance (Governance)

Page 13

Design Parameters - strategic compact / partnerships (diagram)

Stakeholders: Government - regulatory; Government - developmental; Business - financial; Business - technical; Civil society - informational; Civil society - technical

Stakeholder contributions: ICT operations and maintenance; ICT planning and design; Investment in R & D; Marketing and distribution; Project management and construction; Training; Borrowing capacity; Capital investment, eg network expansion; ICT technical solutions; Revenue collection; ICT Risk/venture capital; Sales and promotions; Subsidies; Access to development finance; ICT Regulatory powers (price, quality, interconnections, competition); ICT Transaction/concession design; Investment promotion; Legal framework for freedom of information; ICT Infrastructure strategy; ICT skills development; Innovation (high risk), eg community telecentres; Local customer knowledge; Capacity to network; A voice for the socially excluded; Expertise in design of 'relevant' content; Knowledge of user demand, eg technology and information gaps; Capacity to mobilise civil society

Design Parameters
- Human Capacity: ICT technicians in govt, business and civil society; ICT user-awareness and skills; Support for Entrepreneurs
- Infrastructure: Suitable primary architecture; Suitable secondary technology; Acceptable cost/risks of deployment; Universal access (rural/urban); Adequate subscriber density
- Enterprise: Access to finance and credit; Supportive property rights and commercial law; Development of ICT suppliers and service SMEs; Stimulation of demand, eg govt 'leads by example' through procurement
- Policy and Regulations: Investment promotion and ownership rules; Fair tax regimes for business and society; Transparent policy making; Effective regulatory frameworks (price, quality, interconnection, competition); Adequate institutional capacity
- Content and Applications: Relevant to development goals and user needs, eg voice, e-mail, nat/global connectivity; Content compatible with education, cultural sensitivities and language; Affordable access (equipment, connection and content)

Page 14

- Operational Integration
- Professional Integration (HR)
- Emotional/Cultural Integration
- ICT & Government Business & Services Integration
- Multi Technology coexistence and seamless integration
- Information Assurance: Quality, Currency, Customization/Personalization

ICE is the sole integrator - IT Governance is Important

Page 15

Managing Interdependencies - Critical Issues
- Infrastructure characteristics (Organizational, operational, temporal, spatial)
- Environment (economic, legal/regulatory, technical, social/political)
- Coupling and response behavior (adaptive, inflexible, loose/tight, linear/complex)
- Type of failure (common cause, cascading, escalating)
- Types of interdependencies (Physical, cyber, logical, geographic)
- State of operations (normal, stressed/disrupted, repair/restoration)

Page 16

Up The Value Chain

Page 17

Enabling to rapidly move up the Governance Evolution Staircase (diagram: stages plotted against Cost/Complexity and Time, with Value to the Constituent rising; columns Strategy/Policy, People, Process, Technology)

1. Presence: Publish; Existing; Streamline processes; Web site; Markup; Trigger

2. Interaction: Searchable Database; Public response/email; Content mgmt.; Increased support staff; Governance; Knowledge mgmt.; E-mail best prac.; Content mgmt.; Metadata; Data synch.; Search engine; E-mail

3. Transaction: Competition; Confidentiality/privacy; Fee for transaction; E-authentication; Self-services; Skill set changes; Portfolio mgmt.; Sourcing Inc. business staff; BPR; Relationship mgmt.; Online interfaces; Channel mgmt.; Legacy sys. links; Security; Information access; 24x7 infrastructure; Sourcing

4. Transformation: Funding stream allocations; Agency identity; "Big Browser"; Job structures; Relocation/telecommuting; Organization; Performance accountability; Multiple-programs skills; Privacy reduces; Integrated services; Change value chain; New processes/services; Change relationships (G2G, G2B, G2C, G2E); New applications; New data structures

5. Outsourcing: Define policy and outsource execution; Retain monitoring and control; Outsource service delivery staff; Outsource process execution staff; Outsource customer facing processes; Outsource backend processes; Applications; Infrastructure; Evolve PPP model

Page 18

Threat & Vulnerability Management
- Authenticating user identities with a range of mechanisms, such as tokens, biometrics and Public Key Infrastructure
- Developing user access policies and procedures, rules and responsibilities and a standardized role structure that helps organizations meet and enforce security standards
- Centralizing user data stores in a single enterprise directory that enables increased efficiencies in user administration, access control and authentication
- Reducing IT operating costs and increasing efficiency by implementing effective user management to support self-service and automate workflow, and by provisioning and instituting flexible user administration

You need an integrated threat and vulnerability management solution to better monitor, report on and respond to complex security threats and vulnerabilities, as well as meet regulatory requirements.

You need to protect both your own information assets and those you are custodian of, such as sensitive customer data.

You want a real-time, integrated snapshot of your security posture.

You want to correlate events from data emerging from multiple security touch points.

You need support from a comprehensive inventory of known threat exposures.

You need to reduce the cost of ownership of your threat and vulnerability management system.

Page 19

Risk Identification
- Assess current security capabilities, including threat management, vulnerability management, compliance management, reporting and intelligence analysis.
- Define and identify technology requirements for bridging security gaps.

Integrated Security Information Management
- Develop processes to evaluate and prioritize security intelligence information received from external sources, allowing organizations to minimize risks before an attack.
- Implement processes that support the ongoing maintenance, evolution and administration of security standards and policies.
- Determine asset attributes, such as direct and indirect associations, sensitivity and asset criticality, to help organizations allocate resources strategically.
- Assist in aggregating security data from multiple sources in a central repository or "dashboard" for user-friendly presentation to managers and auditors.
- Help design and implement a comprehensive security reporting system that provides a periodic, holistic view of all IT risk and compliance systems and outputs.
- Assist in developing governance programs to enforce policies and accountability.

Page 20

9 Rules of Risk Management (RiskMetrics Group)
- There is no return without risk: rewards go to those who take risks.
- Be Transparent: risk is measured, and managed, by people, not mathematical models.
- Know what you don't know: question the assumptions you make.
- Communicate: risk should be discussed openly.
- Diversify: multiple risks will produce more consistent rewards.
- Show Discipline: a consistent and rigorous approach will beat a constantly changing strategy.
- Use common sense: it is better to be approximately right than to be precisely wrong.
- Return is only half the question: decisions are to be made only by considering the risk and return of the possibilities.

Page 21

Threat Modeling
- Threat modeling is critical to address security: prevention, detection, mitigation
- There is no universal model yet; mostly case-by-case; efforts are under way (Microsoft threat modeling tool)
- Allows one to uncover security flaws using STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege)
- Decompose, analyze and mitigate
- Insider threat modeling essential

Page 22

Insider Threat Modeling - How modeling can help you
- An alternative to live vulnerability testing (which is not feasible)
- Modeling and analysis will reveal possible attack strategies of an insider
- Modeling and risk analysis can help answer the following questions statically: How secure is the existing setup? Which points are most vulnerable? What are likely attack strategies? Where must security systems be placed?
- What you cannot model: non-cyber events - disclosures, memory dumps, etc.
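The "decompose, analyze and mitigate" STRIDE approach from the previous slide and the static questions on this one (which points are most vulnerable, what are likely insider attack strategies), as an added Python example that is not part of the lecture: the e-banking model, its element names, the insider flags and the control mapping are constructed assumptions, while the per-element STRIDE table is the Microsoft SDL "STRIDE per element" heuristic.

```python
from collections import Counter
from dataclasses import dataclass

# STRIDE categories that apply to each DFD element type, following the
# Microsoft SDL "STRIDE per element" heuristic.
STRIDE_PER_ELEMENT = {"entity": "SR", "process": "STRIDE",
                      "flow": "TID", "store": "TRID"}
CATEGORY = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
            "I": "Information Disclosure", "D": "Denial of Service",
            "E": "Elevation of Privilege"}
# Control family to start from per category (hypothetical mapping; the
# Spoofing entry echoes the lecture's authentication mechanisms).
MITIGATION = {"Spoofing": "strong authentication (tokens, biometrics, PKI)",
              "Tampering": "integrity checks and signed records",
              "Repudiation": "tamper-evident audit logging",
              "Information Disclosure": "encryption and least-privilege access",
              "Denial of Service": "rate limits, capacity and redundancy",
              "Elevation of Privilege": "authorization checks, role separation"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str              # entity | process | flow | store
    insider: bool = False  # reachable by trusted staff without any breach

@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    insider: bool
    mitigation: str

def enumerate_threats(model):
    """Decompose: one candidate threat per applicable STRIDE category."""
    return [Threat(el.name, CATEGORY[c], el.insider, MITIGATION[CATEGORY[c]])
            for el in model for c in STRIDE_PER_ELEMENT[el.kind]]

def most_exposed(threats, top=3):
    """Analyze: 'which points are most vulnerable?' by candidate-threat count."""
    return Counter(t.element for t in threats).most_common(top)

def insider_strategies(threats):
    """Analyze: likely insider attack strategies as (element, category) pairs."""
    return sorted((t.element, t.category) for t in threats if t.insider)

# Constructed e-banking model with hypothetical element names.
EBANKING = [
    Element("Customer", "entity"),
    Element("Branch admin", "entity", insider=True),
    Element("Web portal", "process"),
    Element("Auth service", "process"),
    Element("Core banking", "process"),
    Element("Customer DB", "store", insider=True),  # admins hold DB rights
    Element("Audit log", "store"),
    Element("Customer -> portal (internet)", "flow"),
    Element("Admin -> core banking (intranet)", "flow", insider=True),
]

if __name__ == "__main__":
    threats = enumerate_threats(EBANKING)
    print(len(threats), "candidate threats; most exposed:", most_exposed(threats))
    for element, category in insider_strategies(threats):
        print(f"insider risk: {element} / {category} -> {MITIGATION[category]}")
```

Each candidate threat still needs a human judgement on whether it applies, which is the "analyze" step the slide leaves to case-by-case work.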

Page 23

10th september 2013 Prof. KS@2013 Assocham conf GRC 2013

Calder-Moir IT Governance Framework

Page 24

- CIO & CEO: Business Led Info. strategy
- CIO & CMO: Competitive Edge & CVP
- CIO & CTO: Cost-Benefit Optimization
- CIO & CFO: Shareholder Value Maximization
- CIO & CHRO: Employee Performance and Rewards
- CIO & Business Partners: Virtual Extended Enterprise
- CXO: Internal Strategic Alliances

Page 25

The Productivity Promise
- Capital Productivity (ROI, EVA, MVA)
- Material Productivity (60% of Cost)
- Managerial Productivity (Information Worker)
- Labour Productivity (Enabled by IW)
- Company Productivity - Micro
- Factor Productivity - Macro

Page 26

CEO-CTO-CIO-CSO Responsibility

"These systems should ensure that both business and technology managers are properly engaged in identifying compliance requirements and planning compliance initiatives which typically involve complementary adjustments in systems, practices, training and organization"

CXO & IT Governance: the roles and responsibilities for IT governance, highlighting the parts played by the CEO, business executives, CIO, IT steering committee, technology council, and IT architecture review board

Page 27

Four Faces of a CIO & CIO Management Framework

Page 28

Way Forward
- Learn more about own Businesses.
- Reach out to all Business & Function Heads.
- Sharpen Internal Consultancy Competences.
- Proactively Seize the Repertoire of Partners.
- Foster two way flow of IS & Line Talent.

Page 29

Standards, Standards, Standards
- Security
- Audit
- Interoperability
- Interface (systems/devices/comm.)
- Architecture/Building Blocks/Reusable
- HCI (Human Computer Interface)
- Process
- Environmental (Physical, Safety)
- Data Interchange & mail messaging
- Layout/Imprint

Page 30

Importance of Group Standards - no one standard meets all requirements: ISO 27001/BS7799 vs COBIT vs CMM & PCMM vs ITIL

Mission -> Business Objectives -> Business Risks -> Applicable Risks -> Internal Controls -> Review

Page 31

"IT Regulations and Policies - Compliance & Management": CREATIVITY VS COMMAND CONTROL
- Too much Creativity results in anarchy
- Too much command & control Kills Creativity
- We Need a Balancing Act In IT Regulations and Policies - Compliance & Management

Page 32

Governance & Assurance Maturity Model

Page 33

Assurance in the PPP Environment

Page 34

Governance - Final Message

"In Governance matters Past is no guarantee; Present is imperfect & Future is uncertain"

"Failure is not when we fall down, but when we fail to get up"

Page 35

Learning From Experience

1. The only source of knowledge is experience.   -- Einstein

2. One must learn by doing the thing; for though you think you know it, you have no certainty, until you try.   -- Sophocles

3. Experience is a hard teacher because she gives the test first, and the lesson afterwards.   -- Vernon Sanders Law

4. Nothing is a waste of time if you use the experience wisely.    -- Rodin

Page 36

Security/Risk Assurance - Expectations

"To determine how much is too much, so that we can implement appropriate security measures to build adequate confidence and trust"

"To derive a powerful logic for implementing or not implementing a security measure"

Page 37

THANK YOU - For Interaction:

Prof. K. [email protected]

[email protected]: 011-22723557

Let us Assure Good Governance & Business Assurance in Cyber Era