
Slide 1
EXTREMERISK
10 WAYS POORLY MANAGED TECH CAN DESTROY YOUR COMPANY

Slide 2
dude, failing to manage IT risk is serious

Slide 3
you might have to stop doing business altogether
stolen data can be used against your customers
the press may have a field day on you
it will be even worse in social media
you could lose critical assets
employees or directors could go to jail
competitors may learn your secrets
you may have to pay fines
the trust you've built into your brand may disappear
IT can be extremely complex & opaque, may require very specialized skills, and changes very, very fast

Slide 4
and just because you're a small, nimble start-up does not give you license to be sloppy (especially if you hope to pass exit due diligence)

Slide 5
here are 10 obvious, but common, mistakes to avoid…


Slide 6
MISTAKE 01: LACK LEADERSHIP

Slide 7
MISTAKE 01: LACK LEADERSHIP
Leadership must understand the strategic importance of technology risk management
They must also be involved with decision-making and communicate like crazy

Slide 8
MISTAKE 01: LACK LEADERSHIP
Leadership must put in place a technology risk management (TRM) framework that includes the right culture, policies, standards (enterprise requirements), & control procedures
They must also be responsible for communications & the quality of firm-wide execution

Slide 9
MISTAKE 01: LACK LEADERSHIP
Leadership must get the right people, in the right roles, at the right time, with the right training

Slide 10
MISTAKE 01: LACK LEADERSHIP
Leadership must ensure that risks are identified and prioritized by likelihood and severity

Slide 11
MISTAKE 01: LACK LEADERSHIP
Leadership must identify control gaps, prioritize and budget for remediation, & monitor projects to close them

Slide 12
MISTAKE 01: LACK LEADERSHIP
Leadership must approve & track exceptions

Slide 13
MISTAKE 01: LACK LEADERSHIP
Line managers must be engaged & accountable for TRM
TRM must not be seen as red tape. It must be seen as a core job function of a technology manager (and disciplined/rewarded as such)

Slide 14
MISTAKE 02: LACK TRM FRAMEWORK

Slide 15
MISTAKE 02: LACK TRM FRAMEWORK
A TRM Framework must protect data & IT assets from unauthorized access or disclosure, misuse, and fraudulent modification

Slide 16
MISTAKE 02: LACK TRM FRAMEWORK
A TRM Framework must ensure data confidentiality, system security, reliability, resiliency, & recoverability

Slide 17
MISTAKE 02: LACK TRM FRAMEWORK
A TRM Framework must define roles & responsibilities

Slide 18
MISTAKE 02: LACK TRM FRAMEWORK
A TRM Framework must identify & prioritize IT assets

Slide 19
MISTAKE 02: LACK TRM FRAMEWORK
A TRM Framework must identify & assess impact and likelihood of operational & emerging risk including internal & external networks, hardware, software, interfaces, operations, and human resources
The firm must also have a mechanism to identify risk trends externally

Slide 20
MISTAKE 02: LACK TRM FRAMEWORK
A TRM Framework must methodically & regularly inventory and prioritize risks, controls, exceptions, and gaps

Slide 21
MISTAKE 02: LACK TRM FRAMEWORK
A TRM Framework must be updated regularly

Slide 22
MISTAKE 03: LACK PARTNER OVERSIGHT

Slide 23
MISTAKE 03: LACK PARTNER OVERSIGHT
IT provided or supported by partners must be in scope & leadership must fully understand outsourcing risks
Outsourced IT infrastructure is still part of your TRM. You can't wash your hands of it
* Provision or support includes system development and support, DC ops, network admin, BCP, hosting / cloud and can involve one or more parties in or out of country

Slide 24
MISTAKE 03: LACK PARTNER OVERSIGHT
Proper due diligence must ensure viability, capability, reliability, & stability of vendors

Slide 25
MISTAKE 03: LACK PARTNER OVERSIGHT
Written contracts must define expected risk-related service levels, roles, obligations, & control processes in detail
They must also be reviewed regularly
* For example, performance targets, service levels, availability, reliability, scalability, compliance, audit, security, contingency planning, disaster recovery and backup

Slide 26
MISTAKE 03: LACK PARTNER OVERSIGHT
A Service Level Management Framework such as the IT Infrastructure Library (ITIL) must ensure continuing, monitored controls compliance

Slide 27
MISTAKE 03: LACK PARTNER OVERSIGHT
An exit / backup plan must be in place to switch partners if required

Slide 28
MISTAKE 04: LACK PORTFOLIO MANAGEMENT

Slide 29
MISTAKE 04: LACK PORTFOLIO MGMT
The entire technology portfolio/platform must be managed through its lifecycle
The business must be engaged with portfolio strategy as a key stakeholder

Slide 30
MISTAKE 04: LACK PORTFOLIO MGMT
Enterprise architecture strategy must be supported by accurate & accessible MIS and asset management data

Slide 31
MISTAKE 04: LACK PORTFOLIO MGMT
Leadership must define, document, & communicate the target state platform

Slide 32
MISTAKE 04: LACK PORTFOLIO MGMT
A professional Project / Change Management Framework like the Project Management Body Of Knowledge (PMBOK) or ITIL must guide change from current to target

Slide 33
MISTAKE 04: LACK PORTFOLIO MGMT
A professional Quality Management program should ensure quality of build and operate
For example, a documented software development lifecycle (SDLC) should effectively guide development & code quality

Slide 34
MISTAKE 04: LACK PORTFOLIO MGMT
There must be strong testing & code review controls

Slide 35
MISTAKE 04: LACK PORTFOLIO MGMT
IT Acquisition must be strategically aligned

Slide 36
MISTAKE 04: LACK PORTFOLIO MGMT
Technology exit planning must be explicit & tracked

Slide 37
MISTAKE 05: LACK SERVICE MANAGEMENT

Slide 38
MISTAKE 05: LACK SERVICE MGMT
Ongoing IT operations must be guided by a Service Management (SM) Framework like ITIL

Slide 39
MISTAKE 05: LACK SERVICE MGMT
The SM Framework should cover:
Change Management & DevOps
Release & Deployment Management
Capacity Management
Incident Management
Problem Management
Source Code Control
Asset Inventory & Config Management
Backup & Recovery

Slide 40
MISTAKE 06: LACK RECOVERABILITY

Slide 41
MISTAKE 06: LACK RECOVERABILITY
The firm needs a realistic, business-prioritized, strategically-aligned & simple business continuity plan (BCP) that ensures reliability, performance, scalability, availability, and recoverability

Slide 42
MISTAKE 06: LACK RECOVERABILITY
The BCP should identify critical systems (those that must not go down) as well as recovery point objectives (RPO) and recovery time objectives (RTO) to guide restoration service levels

Slide 43
MISTAKE 06: LACK RECOVERABILITY
The disaster recovery plan should cover multiple scenarios, expose dependencies, & be tested regularly

Slide 44
MISTAKE 06: LACK RECOVERABILITY
Backup management must ensure that IT assets can be recovered as soon as required, depending on priority & that dependencies are understood

Slide 45
MISTAKE 06: LACK RECOVERABILITY
There should be a Communications Plan defined in advance to deal with various scenarios
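
An added worked example for slides 42 through 44 (not part of the deck, and not code from its author): given a constructed inventory of systems with criticality tiers, RTO, RPO, measured restore times and dependencies, it computes a dependency-first restore order, the earliest moment each system can be back, which RTOs the dependency chain makes unachievable, and which systems' newest backup is already older than their RPO allows. All system names, times, the backup timestamps and the assumption that independent restores run in parallel are hypothetical.

```python
import heapq
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class System:
    name: str
    tier: int                  # 1 = critical ("must not go down"); higher tiers wait their turn
    rto: timedelta             # recovery time objective
    rpo: timedelta             # recovery point objective (tolerable data loss)
    restore_time: timedelta    # measured time to restore once dependencies are up (assumed figure)
    depends_on: tuple = ()     # systems that must be up before this one can be restored


def recovery_order(systems: dict) -> list:
    """Dependency-first restore order (Kahn's algorithm). Among systems that are ready,
    the most critical tier goes first. A dependency cycle raises ValueError."""
    indegree = {name: 0 for name in systems}
    dependents = {name: [] for name in systems}
    for s in systems.values():
        for dep in s.depends_on:
            if dep not in systems:
                raise ValueError(f"{s.name} depends on unknown system {dep}")
            indegree[s.name] += 1
            dependents[dep].append(s.name)
    ready = [(s.tier, s.name) for s in systems.values() if indegree[s.name] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (systems[child].tier, child))
    if len(order) != len(systems):
        stuck = sorted(n for n in systems if n not in order)
        raise ValueError(f"dependency cycle among {stuck}")
    return order


def recovery_finish_times(systems: dict) -> dict:
    """Earliest time after the disaster at which each system is back, assuming a restore
    starts as soon as all of its dependencies are up and independent restores run in
    parallel (an assumption of this example, not a rule from the deck)."""
    finish = {}
    for name in recovery_order(systems):
        s = systems[name]
        start = max((finish[d] for d in s.depends_on), default=timedelta(0))
        finish[name] = start + s.restore_time
    return finish


def rto_violations(systems: dict) -> list:
    """Systems whose dependency chain makes their RTO unachievable."""
    finish = recovery_finish_times(systems)
    return sorted(n for n, t in finish.items() if t > systems[n].rto)


def rpo_violations(systems: dict, last_backup: dict, disaster_at: datetime) -> list:
    """Systems whose newest successful backup is older than their RPO allows.
    A system with no successful backup on record always violates."""
    bad = []
    for name, s in systems.items():
        taken = last_backup.get(name)
        if taken is None or disaster_at - taken > s.rpo:
            bad.append(name)
    return sorted(bad)


# Constructed sample inventory: names, tiers, objectives and timings are hypothetical.
H, M = timedelta(hours=1), timedelta(minutes=1)
SYSTEMS = {s.name: s for s in [
    System("network", 1, rto=1 * H, rpo=24 * H, restore_time=30 * M),
    System("auth", 1, rto=2 * H, rpo=1 * H, restore_time=45 * M, depends_on=("network",)),
    System("payments-db", 1, rto=2 * H, rpo=15 * M, restore_time=90 * M, depends_on=("network",)),
    System("payments-api", 1, rto=2 * H, rpo=1 * H, restore_time=20 * M, depends_on=("auth", "payments-db")),
    System("reporting", 3, rto=48 * H, rpo=24 * H, restore_time=4 * H, depends_on=("payments-db",)),
]}
DISASTER_AT = datetime(2024, 6, 1, 10, 0)
LAST_BACKUP = {  # constructed: newest successful backup per system; reporting has none on record
    "network": datetime(2024, 5, 31, 23, 0),
    "auth": datetime(2024, 6, 1, 9, 30),
    "payments-db": datetime(2024, 6, 1, 9, 40),
    "payments-api": datetime(2024, 6, 1, 9, 30),
}

if __name__ == "__main__":
    print("restore order:", recovery_order(SYSTEMS))
    for name, t in recovery_finish_times(SYSTEMS).items():
        print(f"  {name:13s} back after {t}  (RTO {SYSTEMS[name].rto})")
    print("RTO unachievable:", rto_violations(SYSTEMS))
    print("RPO already breached:", rpo_violations(SYSTEMS, LAST_BACKUP, DISASTER_AT))
```

The system to notice is payments-api: its own restore takes twenty minutes, but it cannot start until payments-db is back, so it misses a two-hour RTO that looks comfortable when each system is assessed alone. That is the kind of dependency slide 43 says the plan must expose, and it only appears when the RTO check is run against the dependency graph. The RPO check is the other half of slide 44: a backup schedule that is fine for a 24-hour objective silently fails a 15-minute one, and a system with no successful backup at all must be reported rather than skipped.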


Slide 46
MISTAKE 07: LACK DATA SECURITY

Slide 47
MISTAKE 07: LACK DATA SECURITY
You must protect data, hardware, software, and networks from accidental or intentional unauthorized access or tampering by internal or external parties

Slide 48
MISTAKE 07: LACK DATA SECURITY
You must identify levels of data sensitivity and ensure escalating levels of protection based upon the significance / priority of risk

Slide 49
MISTAKE 07: LACK DATA SECURITY
You must have end-to-end data protection such as encryption when you are dealing with confidential data
Your controls / standards must be in force wherever your data is stored or transmitted

Slide 50
MISTAKE 07: LACK DATA SECURITY
You must properly dispose of assets that hold confidential data

Slide 51
MISTAKE 07: LACK DATA SECURITY
You must have a mechanism to monitor security & react as required

Slide 52
MISTAKE 08: LACK SYSTEM SECURITY

Slide 53
MISTAKE 08: LACK SYSTEM SECURITY
You must protect data, hardware, software, and networks from accidental or intentional unauthorized access or tampering by internal or external parties

Slide 54
MISTAKE 08: LACK SYSTEM SECURITY
You must identify levels of sensitivity & ensure escalating levels of protection based upon the significance / priority of risk

Slide 55
MISTAKE 08: LACK SYSTEM SECURITY
You must ensure that IT assets are patched as required
You must ensure that IT assets are migrated out of production before End-of-Life or End-of-Service

Slide 56
MISTAKE 08: LACK SYSTEM SECURITY
You must deploy the right level of security (including anti-virus) across operating systems, network devices, databases, and enterprise mobile devices

Slide 57
MISTAKE 08: LACK SYSTEM SECURITY
Key points in the infrastructure (perimeter & internal as required) must be protected through firewalls and intrusion detection & prevention tools

Slide 58
MISTAKE 08: LACK SYSTEM SECURITY
You must test security using vulnerability assessment & penetration testing regularly

Slide 59
MISTAKE 08: LACK SYSTEM SECURITY
You must have a mechanism to monitor security and react as required

Slide 60
MISTAKE 09: LACK PHYSICAL SECURITY

Slide 61
MISTAKE 09: LACK PHYSICAL SECURITY
You must protect data, hardware, software, and networks from accidental or intentional unauthorized access or tampering by internal or external parties

Slide 62
MISTAKE 09: LACK PHYSICAL SECURITY
You must identify levels of sensitivity & ensure escalating levels of protection based upon the significance / priority of risk

Slide 63
MISTAKE 09: LACK PHYSICAL SECURITY
There must be regular threat and vulnerability assessments

Slide 64
MISTAKE 09: LACK PHYSICAL SECURITY
You must implement appropriate physical security such as need-to-access-only requirements & security / surveillance systems

Slide 65
MISTAKE 09: LACK PHYSICAL SECURITY
Critical resources such as air, water, power, fire suppression, & communications should be redundant where required

Slide 66
MISTAKE 10: LACK ACCESS CONTROLS

Slide 67
MISTAKE 10: LACK ACCESS CONTROLS
For critical / sensitive systems an individual must not be granted access alone (never-alone principle)

Slide 68
MISTAKE 10: LACK ACCESS CONTROLS
The transaction process should prevent a single person from initiating, approving, and executing by themselves (segregation of duties)
Job rotation is recommended for sensitive functions

Slide 69
MISTAKE 10: LACK ACCESS CONTROLS
Access should be limited to need-to-know (access-control principle)

Slide 70
MISTAKE 10: LACK ACCESS CONTROLS
Access should be logged, and access rights should be easy to review & modify, as access rights change naturally over time

Slide 71
MISTAKE 10: LACK ACCESS CONTROLS
There must be separate environments for development, testing, and production, with controlled access to production where production access is limited and governed by segregation of duties
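
An added example (not from the deck) of what slides 67, 68 and 70 look like as enforced checks rather than policy text: a three-role transaction workflow that rejects any person taking two of the initiate / approve / execute roles, a never-alone gate that refuses a session on a critical system unless two entitled people are present, and an access review that lists rights not exercised within a review window. The user names, system names and access log are constructed for illustration, and the 90-day window is an assumed policy parameter, not one the deck specifies.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


class ControlViolation(Exception):
    """Raised when one of the Mistake 10 access rules would be broken."""


@dataclass
class Transaction:
    txn_id: str
    initiated_by: str
    approved_by: Optional[str] = None
    executed_by: Optional[str] = None


def approve(txn: Transaction, approver: str) -> Transaction:
    # Segregation of duties: the initiator may not approve their own transaction.
    if approver == txn.initiated_by:
        raise ControlViolation(f"{approver} cannot approve a transaction they initiated")
    txn.approved_by = approver
    return txn


def execute(txn: Transaction, executor: str) -> Transaction:
    # Nothing executes without an approval, and the executor must be a third person.
    if txn.approved_by is None:
        raise ControlViolation(f"{txn.txn_id} has not been approved")
    if executor in (txn.initiated_by, txn.approved_by):
        raise ControlViolation(f"{executor} already acted on {txn.txn_id}")
    txn.executed_by = executor
    return txn


def open_critical_session(system: str, present: set, entitlements: dict) -> list:
    # Never-alone: a session on a critical system needs two entitled people present.
    cleared = sorted(p for p in present if system in entitlements.get(p, set()))
    if len(cleared) < 2:
        raise ControlViolation(
            f"never-alone rule: {len(cleared)} entitled person(s) present for {system}")
    return cleared


def stale_rights(entitlements: dict, access_log: list, today: date, max_idle_days: int = 90) -> list:
    # Access review: a right not exercised within max_idle_days is a removal candidate.
    last_used = {}
    for when, user, system in access_log:
        key = (user, system)
        if key not in last_used or when > last_used[key]:
            last_used[key] = when
    cutoff = today - timedelta(days=max_idle_days)
    stale = []
    for user, systems in entitlements.items():
        for system in systems:
            used = last_used.get((user, system))
            if used is None or used < cutoff:
                stale.append((user, system))
    return sorted(stale)


# Constructed sample data: hypothetical users, systems and log records.
ENTITLEMENTS = {
    "alice": {"payments-prod", "ledger"},
    "bob": {"payments-prod"},
    "carol": {"ledger"},
    "dave": {"payments-prod"},
}
ACCESS_LOG = [  # (date, user, system) records, constructed for this example
    (date(2024, 5, 20), "alice", "payments-prod"),
    (date(2024, 1, 3), "alice", "ledger"),
    (date(2024, 5, 28), "bob", "payments-prod"),
    (date(2024, 4, 30), "carol", "ledger"),
]
REVIEW_DATE = date(2024, 6, 1)

if __name__ == "__main__":
    txn = execute(approve(Transaction("T-1", "alice"), "bob"), "carol")
    print("completed with three distinct people:", txn)
    print("session on payments-prod opened by",
          open_critical_session("payments-prod", {"alice", "bob", "carol"}, ENTITLEMENTS))
    for attempt in (lambda: approve(Transaction("T-2", "alice"), "alice"),
                    lambda: open_critical_session("ledger", {"alice", "bob"}, ENTITLEMENTS)):
        try:
            attempt()
        except ControlViolation as err:
            print("blocked:", err)
    print("stale rights for review:", stale_rights(ENTITLEMENTS, ACCESS_LOG, REVIEW_DATE))
```

The review in the last line is only as good as the log feeding it, which is why slide 70 ties logging and review together: the stale list catches both a right that was used long ago (alice on ledger) and one that was granted and never used (dave on payments-prod), and the second kind is where leftover privilege usually hides.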


Slide 72
SHARE THIS DECK & FOLLOW ME
(please-oh-please-oh-please-oh-please)
stay up to date with my future slideshare posts
http://www.slideshare.net/selenasol/presentations
https://twitter.com/eric_tachibana
http://www.linkedin.com/pub/eric-tachibana/0/33/b53

Slide 74
CREATIVE COMMONS ATTRIBUTIONS & REFERENCES
Title Slide: http://www.flickr.com/photos/23754017@N08/
Dude Slide: http://www.flickr.com/photos/karen_od/
Ewok Slide: http://www.flickr.com/photos/daviddurantrejo/
Leadership Slide: http://www.flickr.com/photos/daviddurantrejo/
Tech Risk Mgmt Slide: http://www.flickr.com/photos/daviddurantrejo/
Partner Oversight Slide: http://www.flickr.com/photos/daviddurantrejo/
Service Mgmt Slide: http://www.flickr.com/photos/gageskidmore/
Portfolio Mgmt Slide: http://www.flickr.com/photos/fotomaf/
Recoverability Slide: http://www.flickr.com/photos/karen_od/
Data Security Slide: http://www.flickr.com/photos/daviddurantrejo/
System Security Slide: http://www.flickr.com/photos/daviddurantrejo/
Physical Security Slide: http://www.flickr.com/photos/fotomaf/
Access Controls Slide: http://www.flickr.com/photos/daviddurantrejo/
http://www.mas.gov.sg
http://www.isaca.org
http://coso.org/guidance.htm
http://www.itil-officialsite.com
http://www.pmi.org

Please note that all content & opinions expressed in this deck are my own and don’t necessarily represent the position of my current, or any previous, employers

