IT Governance Risk Compliance

Date post: 05-Apr-2018
Upload: kgvimo
Pages: 37

Transcript
  • 7/31/2019 IT Governance Risk Compaliance

1/37

Enhancing IT Governance, Risk and Compliance Management (IT GRC)

Enabling Reliable eServices

Tawfiq F. Alrushaid, Saudi Aramco

2/37

Agenda

GRC Overview

IT GRC Introduction

IT Governance

IT Risk Management

IT Compliance

IT GRC Framework

Implementation Approach

3/37

GRC Overview

Governance: the organization's internal system

Risk Management: hazards

Compliance Management: enforcement of laws, regulations & controls

4/37

Corporate Governance History

The East Asian Financial Crisis (1997)

Corporate collapses and massive bankruptcies (early 2000s): Enron, MCI (WorldCom), AOL, Arthur Andersen, Tyco

Compliance with corporate regulations & law: Sarbanes-Oxley Act

Compliance with frameworks: HIPAA, COBIT, ISO/IEC 38500

5/37

IT Governance Overview

Definition

IT governance is a structure of processes that govern decision making around investment decisions in eServices, client relationships, project management and other important IT operational areas.


7/37

IT Compliance Management

IT Business Units: Planning | Projects | Support | Operations | Information Security

Frameworks and standards shown: ITIL, COSO, CMMI, BS 25999

8/37

IT Risk Management Components

IT Strategic Risk

Information Security Risk

Operational Risk

Third Party Risk

Business Continuity Risk

9/37

IT Risk Management Processes

Risk Governance: roles & responsibilities (charter); policy | standards | guidelines; training & awareness

Risk Evaluation: collect data, analyze & build the risk profile

Risk Response: articulate, manage & react

Alerts | Escalation | Dashboard

Scope: Planning | Programs | Projects | Operations

10/37

IT Risk Management Process in Action

Risk Governance -> Risk Evaluation -> Risk Response

IT Risk Register feeds the ERM (Enterprise Risk Management) Risk Register

11/37

IT GRC Business Drivers

Business is more dependent on IT

IT environment is more complex

Less time between IT failures and organizational impact

Increase in threats related to IT

Increase in regulations, standards and controls

12/37

Taking an Integrated Approach to GRC

Laws, Policies, Regulations

Standard 1 | Standard 2 | Standard 3 | Standard 4

Controls

Governance | Risk Management | Compliance Management

Training & Awareness

GRC

Single GRC automation platform

Provides a holistic view of the organization (dashboard)

Rapid deployment of new standards or regulations

Speeds up remediation

Minimizes total controls documentation, testing and auditing costs

Managing controls across multiple regulations: one control is documented and tested once and the evidence is reused for every standard that maps to it

Similar knowledge domains require a common awareness and training program

Optimizes resources

13/37

IT GRC Framework

IT GRC supporting IT programs & initiatives

IT GRC supporting standards, frameworks & methodologies

IT GRC supporting IT organizations

14/37

IT GRC Supporting Frameworks & Standards

Process Improvement: Lean Six Sigma

COBIT domains: Plan & Organize | Acquire & Implement | Deliver & Support | Monitor & Evaluate

IT Risk Management

Service Management

Information Security Management

Business Continuity Management

ITs

Enterprise Architecture

Application Development

Internal Controls

15/37

eServices Reliability Framework

Reliable eServices rest on:

Reliable IT Infrastructure

Reliable IT Processes

IT Governance, Risk and Compliance Management (IT GRC)

IT Portfolio Management

16/37

Mapping IT GRC Model to eServices GRC Model

17/37

IT GRC Value for eServices

IT Governance: implementing and enhancing IT policies, IT controls, IT value delivery, resource management and performance management will enhance alignment with customer demand.

IT Risk Management:

IT Strategy Risk: respond to changes in technology, economy & demand.

IT Operation Risk: minimize the failure of technologies, processes & people to ensure service delivery.

Information Security: ensure the confidentiality and integrity of customer data (authentication & encryption).

Business Continuity: implement high availability solutions and disaster recovery plans to ensure service continuity.

IT Third Party Risk: manage the performance, quality and risk of service providers and contractors.

IT Compliance: adhere to eServices regulations and standards to enhance customer trust and confidence.

18/37

IT GRC Maturity Model (levels over time, least to most mature)

Unaware: ad hoc approach to managing programs and initiatives; success is not measured.

Fragmented: tactical approach to meet program objectives; silos of projects in place without integration; information is not shared between programs; new requirements within a silo are addressed without considering other areas; measurement is difficult.

Integrated: silos are broken down; information is shared across programs; new requirements are rapidly addressed by a common framework; program benefits are measured.

Aligned: strategic approach to aligning programs with the overall business; silos are nonexistent; automation is consolidated wherever possible; business benefits are measured.

Optimized: strategic approach to IT optimization; business benefits are measured and improved year over year.

19/37

IT GRC Implementation Approach

1. Conduct awareness
2. Identify IT GRC requirements
3. Select critical IT processes
4. Leverage industry standards and frameworks
5. Conduct maturity assessment
6. Establish IT GRC maturity levels and goals, and identify gaps
7. Establish the IT governance landscape
8. Establish the IT risk universe
9. Define a unified IT GRC management framework
10. Establish an improvement roadmap
11. Standardize IT GRC controls, processes and practices in line with industry standards, frameworks and best practices
12. Integrate IT GRC controls, processes and practices with IT core processes
13. Establish KGIs, KPIs and KRIs
14. Enhance monitoring, reporting, alerting and escalation of IT GRC
15. Provide IT risk dashboards
16. Automate
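Steps 13 to 16 above, together with the risk process on slides 9 and 10 (collect data, evaluate, respond; alerts, escalation, dashboard; IT risk register feeding the ERM register), are what a GRC automation platform implements. The following is an added Python example, not code from the slides or from the program they describe. It models a small IT risk register with a 5x5 likelihood/impact scale, a residual score discounted by control effectiveness, key risk indicators (KRIs) with thresholds, escalation paths and a dashboard summary. The scales, thresholds, escalation targets and sample entries are assumptions constructed for the example; a real register takes them from the risk governance charter and policy.

```python
"""IT risk register with KRI thresholds, scoring and escalation (added example,
not from the slides).  Scales, thresholds, escalation targets and the sample
entries are assumptions constructed for this example."""
from dataclasses import dataclass, field

# Residual score bands (lower bound -> rating) on a 5x5 likelihood x impact scale.
RATING_BANDS = [(15, "High"), (8, "Medium"), (0, "Low")]
# Where a risk of each rating is escalated (assumed; would come from the charter).
ESCALATION = {"High": "CIO / ERM risk register", "Medium": "IT risk committee", "Low": "risk owner"}


@dataclass
class KRI:
    name: str
    threshold: float   # indicator is breached when value >= threshold
    value: float       # latest collected measurement

    def breached(self):
        return self.value >= self.threshold


@dataclass
class Risk:
    id: str
    category: str                 # strategic / operational / information security / business continuity / third party
    description: str
    likelihood: int               # 1..5
    impact: int                   # 1..5
    control_effectiveness: float = 0.0   # 0.0 = no controls, 1.0 = fully effective
    kris: list = field(default_factory=list)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.id}: likelihood and impact must be 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.id}: control_effectiveness must be 0..1")

    def inherent(self):
        return self.likelihood * self.impact

    def residual(self):
        # Residual = inherent reduced in proportion to control effectiveness (assumed model).
        return round(self.inherent() * (1 - self.control_effectiveness), 1)


def rating(score):
    for lower, label in RATING_BANDS:
        if score >= lower:
            return label
    return "Low"


def evaluate(risk):
    """Risk Evaluation step: score the risk; a breached KRI raises the rating one band."""
    r = rating(risk.residual())
    breached = [k.name for k in risk.kris if k.breached()]
    if breached and r != "High":
        r = "Medium" if r == "Low" else "High"
    return {"id": risk.id, "category": risk.category, "residual": risk.residual(),
            "rating": r, "breached_kris": breached, "escalate_to": ESCALATION[r]}


def dashboard(risks):
    """Counts per rating plus the ids that must be escalated beyond the risk owner."""
    results = [evaluate(r) for r in risks]
    counts = {label: sum(1 for x in results if x["rating"] == label) for _, label in RATING_BANDS}
    escalations = [x["id"] for x in results if x["rating"] != "Low"]
    return counts, escalations


# Constructed sample register, one entry per risk category from the slides.
REGISTER = [
    Risk("R-01", "information security", "Unauthorized access to customer portal", 3, 5, 0.6,
         [KRI("privileged accounts without review > 90 days", threshold=10, value=14)]),
    Risk("R-02", "business continuity", "No tested DR plan for billing system", 3, 5, 0.0),
    Risk("R-03", "third party", "Hosting provider misses SLA", 2, 3, 0.5,
         [KRI("SLA breaches per quarter", threshold=3, value=1)]),
    Risk("R-04", "operational", "Untrained night-shift operators", 2, 2, 0.5),
]

if __name__ == "__main__":
    for entry in REGISTER:
        print(evaluate(entry))
    print(dashboard(REGISTER))
```

Note what the KRI does for R-01: the residual score alone rates it Low because the controls are judged effective, but the collected indicator (stale privileged accounts) says the access-review control is not actually operating, so the rating is lifted and the item goes to the committee. That is the difference between a register that is updated at assessment time and one that is fed by monitoring.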

20/37

IT Governance, Risk and Compliance (GRC) Program

IT Governance: Strategic Alignment | IT Processes Maturity Assessment | IT Standards & Guidelines Management | IT Portfolio Management

IT Risk Management: Risk Governance | Compliance Risk | Operational Risk | Business Continuity Management | Third-Party Risk | Information Protection Risk | IT Strategy Risk

IT Compliance Management: IT Standards & Guidelines Compliance Management | Industrial Standards & Frameworks Compliance Management | Third-Party Compliance Management

Business and Other IT Programs

Common IT Control Framework

Common IT Awareness & Training Framework

Common IT GRC Dashboard

21/37

Q&A

Thank You

22/37

Linked Slides

23/37

IT Strategic Risk

The risk resulting from the lack of alignment with the business, lack of responsiveness to economic changes, industry changes or customer demand.

Examples

Not achieving enough value from IT

Misalignment with business objectives

Obsolete or inflexible IT architecture

24/37

IT Operational Risk

The risk resulting from inadequate or failed internal processes, people, and technologies or from external events.

Examples

System failure

Network failure

Untrained staff

25/37

Information Security Risk

The risk associated with data confidentiality, integrity and availability.

Examples

Information leakage

Unauthorized access

Malicious software

26/37

IT Business Continuity Risk

The risk concerned with the ability of the IT organization to continue to perform its function in case of system failure or disasters.

Examples

Lack of a disaster recovery plan

Lack of high availability solutions on critical systems

27/37

IT Third Parties Risk

The risk associated with third-party engagement, including business partners, service providers, contractors, outsourcers, supply-chain nodes, and consulting services.

Examples

Poor quality of service or product

Credit risk

Compliance risk

Untrained staff

Poor performance

28/37

Frameworks

29/37

Lean Six Sigma

Lean Six Sigma (by Michael George) is a methodology that maximizes shareholder value by achieving the fastest rate of improvement in customer satisfaction, cost, quality, process speed, and invested capital.

Six Sigma is a business management strategy, originally developed by Motorola, that today enjoys widespread application in many sectors of industry.

Six Sigma seeks to identify and remove the causes of defects and errors in manufacturing and business processes. It uses a set of quality management methods, including statistical methods, and creates a special infrastructure of people within the organization.

30/37

COSO

Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.

31/37

COBIT

Control Objectives for Information and related Technology (COBIT).

A set of best practices (framework) for IT management created by the Information Systems Audit and Control Association (ISACA), first released in 1996, and later maintained together with the IT Governance Institute (ITGI).

COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and in developing appropriate IT governance and control in a company.

32/37

ITIL

The Information Technology Infrastructure Library (ITIL) is a set of concepts and policies for managing information technology (IT) infrastructure, development and operations.

33/37

CMMI

Capability Maturity Model Integration (CMMI)

A process improvement approach that provides organizations with the essential elements of effective process improvement.

It can be used to guide process improvement across a project, a division, or an entire organization.

34/37

ISO 27001

ISO/IEC 27001 specifies the requirements for an Information Security Management System (ISMS) and is the standard against which an ISMS is certified. Its companion, ISO/IEC 27002, provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining an ISMS.

Information security is defined within the standard in the context of confidentiality, integrity and availability.

35/37

TOGAF

The Open Group Architecture Framework (TOGAF) is a framework for enterprise architecture which provides a comprehensive approach to the design, planning, implementation, and governance of an enterprise information architecture.

36/37

Risk IT

The Risk IT framework complements ITGI's COBIT and provides a comprehensive framework for enterprises to identify, govern and manage IT risk.

37/37

BS 25999

BS 25999 is BSI's standard in the field of Business Continuity Management (BCM). This standard replaces PAS 56, a Publicly Available Specification published in 2003 on the same subject. BS 25999 has since been withdrawn in favour of ISO 22301.

