Deposit Insurance Corporation Of Ontario - DICO

Transcription

Deposit Insurance Corporation of Ontario
IT Risk Management
Guidance for Boards and Audit Committees
October 29, 2013
David Florio, CPA, CA IT, PCI QSA, CRMA
Partner, Business Risk Services
Grant Thornton LLP

With an introduction from Richard Dale, Director, Regulatory Affairs of DICO

Agenda
- The importance of Information Technology
- Why IT Governance is Important
- IT Risks and Controls
- Questions to ask
- Understanding the answers provided
Grant Thornton LLP. A Canadian Member of Grant Thornton International Ltd.

The Importance of IT
In today's business environment, multiple market forces – ranging from security concerns to an aging infrastructure – exert pressure on Credit Unions' limited I/T resources.
[Diagram: pressures on IT resources – Market crisis response; Profitability; Regulatory requirement; Technology maturation]
These market pressures create significant complexity and lack of clarity regarding how a Credit Union ought to proactively assess its IT environment.

Why is IT Governance Important?
- IT is pervasive across the organization, with many issues and opportunities
- Board members are not necessarily IT knowledgeable, but need to challenge strategies and provide direction to management
- If the Board is not asking the right questions, the organization can be put at risk
- The Board needs to ask questions in order to prevent situations from occurring

IT Governance – Reality Check
Examples of potential issues/breaches
- Human errors and systems glitches caused nearly two-thirds of data breaches globally in 2012.
- In 2011, the average cost per record of a data breach in the financial sector was the third highest at $247, and 27 percent higher than average.
- Since 2005, 13 percent of data breaches globally recorded by the Privacy Rights Clearinghouse were in the financial sector, exposing more than 256 million records.
- Through 2016, the financial impact of cybercrime will grow 10 percent per year due to the continuing discovery of new vulnerabilities.
Source: Symantec - Data Breach Trends & Stats

Why is IT Governance Important?
IT is Strategic to Credit Unions
Wouldn't you want to know whether your Credit Union's information technology is:
- Likely to achieve its objectives?
- Resilient enough to learn and adapt?
- Judiciously managing the risks it faces?
- Appropriately recognizing opportunities and acting on them?

IT Strategic Impact Grid
[Figure: IT Strategic Impact Grid]

What should Boards do about it?
- Be driven by stakeholder value
- Adopt an IT governance framework
- Ask the right questions
- Focus on IT
  - Alignment with the business
  - Value delivery
  - Risk management
- Measure results
[Diagram: Stakeholder Value Drivers; IT Strategic Alignment; IT Value Delivery; Risk Management; Performance Measurement]
Adapted from IT Governance Institute presentations

IT Governance Framework
[Diagram: governance cycle – Set Objectives; Provide Direction; IT Activities; Measure Performance; Compare]
Set Objectives
- IT is aligned with the business
- IT enables the business and maximizes benefits
- IT resources are used responsibly
- IT-related risks are managed appropriately
IT Activities
- Increase automation (make the business effective)
- Decrease cost (make the enterprise efficient)
- Manage risks (security, reliability and compliance)
Adapted from IT Governance Institute presentations

Risk Management
What's Missing?
IT is fundamental to the business, so if it does not work correctly then the business could have significant issues!

IT Risk Management
The board should manage enterprise risk by:
- Ascertaining that there is transparency about the significant risks to the organization
- Being aware that the final responsibility for risk management rests with the board
- Being conscious that risk mitigation can generate cost-efficiencies
- Considering that a proactive risk management approach creates competitive advantage
- Insisting that risk management is embedded in the operation of the enterprise
"It is the things you do not see that could get you!"
Adapted from IT Governance Institute presentations

IT Risk
[Figure: probability versus severity risk matrix – axes Probability (levels include Occasional) and Severity; regions: Broadly acceptable, As low as reasonably practical (ALARP), Intolerable]
Figure 1. Tailoring the risk management plan. Definitions for probability and severity should be part of a device-specific risk management plan. (From IEC 60601-1-4.)

Risks and Threats
[Matrix: External / Internal versus Intentional / Unintentional]
- Unauthorized access to resources
- Virus infection
- Internal attacks from disgruntled staff
- Errors and omissions during routine processes and projects
- HW/SW failures
- Fire, flood, power loss, emergency evacuation

Some additional typical IT Risks
- Inappropriate access to data, programs, hardware
- Transmission of data in the clear
- Lack of authentication of transacting parties
- Loss of visible audit trail
- Untested backup and restoration of data
- Unauthorized and untested program changes
- Not managing IT people
- Vague policies

Information Technology Controls
- Entity Level Controls
  - IT Strategy aligned with business strategy
- Access Controls
  - Logical controls to protect private information and secure systems and data
  - Physical Security controls to protect IT assets
- Change Controls
  - Ensure system changes are appropriately approved and tested before they go live
- IT Operations Controls
  - Ensure systems are available (e.g. BCP/DRP)
  - Managing 3rd party outsourced providers
  - Logging access and review

Why is Access Control Important?
Let's look at segregation of duties
Segregation of duties is enforced with IT g
[Diagram: segregation of duties; recovered label: Recording]

Questions to Ask - Tactical
- Do we know where our data is?
- Do we know who is accessing our data?
- Do we know if changes to systems work and don't have a negative effect on something else?
- Have we done proper clearance on people with powerful (administrator) privileges?
- How well have we tested our information security measures, incident response, DRP, BCP and crisis management programs?
- Would we know if we had been hacked or our systems were not working?
- Do projects
  - Get initiated by robust cost/benefit analysis?
  - Get managed using issues and risk registers, and accurate progress reporting?
  - Get tested based on requirements before implementation?

Questions to Ask - Strategic
- 'Soft' questions
  – Do we think 'it can't happen to us'?
  – Are IT and business units talking?
- Do we know how much we are spending across the organization?
- Do we know what the cost of a breach could be?
- Are IT and Policies formally documented?
- Is there appropriate succession planning in place for the IT group?

IT Governance Summarized
Objectives
- To understand the issues and the strategic importance of IT
- To ensure that the enterprise can sustain its operations and
- To ascertain it can implement the strategies required to extend its activities into the future
Goal
- Ensuring that expectations for IT are met and IT risks are mitigated
Position
- Within broad governance arrangements that cover relationships between the entity's management and its governing body, its owners and its other stakeholders, and providing the structure through which:
  - The entity's overall objectives are set
  - The method of attaining those objectives is outlined
  - The manner in which performance will be monitored is described
Adapted from IT Governance Institute presentations

Things to remember
- One size doesn't fit all
- Determine if an IT Strategy exists, and inquire if it is linked to the business strategy
- Understand how the Institution's IT assets and department support the current business and plans for adapting to future needs
- Ensure mechanisms are in place to enable the Board to periodically assess the Institution's IT capability

Reference Materials
IT Frameworks
- ITIL
- ISO/IEC 38500:2008

Questions, answers and discussion
David Florio
david.florio@ca.gt.com
(416) 369-6415
