Learn about the types of IT risks that executives and audit committees may overlook, the risks of cloud computing, and how to ask meaningful questions about IT risks. Discover the indicators of larger issues and effective communication strategies.
Top Questions Executives and Board Members Should be Asking About IT and Cloud Risks
Learning Objectives
• Participants will learn about:
• The types of IT risks which may go unaddressed by executives and audit committees
• Risks of cloud computing
• The types of questions around IT risks that will elicit the most meaningful responses
• What types of responses to questions on IT risks may be indicative of bigger issues
• How to communicate more effectively on topics surrounding IT risks
What boards say…
• Nearly half of boards surveyed are dissatisfied with their ability to oversee IT risk *
* Source: Oliver Wyman’s Global Risk Center and the National Association of Corporate Directors (NACD)
What boards say…
• The top three reasons:
• Insufficient expertise at the board level
• Insufficient communication on the company's IT strategy and operations
• Lack of an integrated business IT strategy picture presented by management to the board
* Source: Oliver Wyman’s Global Risk Center and the National Association of Corporate Directors (NACD)
Questions Executives Should Ask
• How many times have we been successfully hacked this year?
• What you should know: Foreign hackers are attacking U.S. businesses every day.
• Red flag answers from management: “We haven’t.”
Questions Executives Should Ask
• How many people can access our customers’ or employees’ sensitive data?
• What you should know: Many organizations don’t know the answer.
• Red flag answers from management: “We have SOX controls.”
Questions Executives Should Ask
• Who is going to lose their job if the implementation goes poorly?
• What you should know: Accountability is often one of the biggest hurdles to a successful implementation.
• Red flag answers from management: Naming anyone not at the meeting.
Questions Executives Should Ask
• What is the definition of a successful project? Budget? Timing? Functionality?
• What you should know: Consultants usually get paid more when projects go poorly, and stakeholders rarely set the definition of success up front.
• Red flag answers from management: “A system that does what it’s supposed to do.”
Questions Executives Should Ask
• Are our laptops and other portable devices encrypted?
• What you should know: Encrypting a laptop can help show adequate controls and possibly allow you to avoid liability for data breaches.
• Red flag answers from management: “It costs too much.”
Questions Executives Should Ask
• Do we enforce strong passwords?
• What you should know: Easily guessed passwords make hackers’ lives easier.
• Red flag answers from management: “Our users will just write them down.”
Questions Executives Should Ask
• Has our disaster recovery plan been fully and completely tested in the past year?
• What you should know: If you don’t test the plan, it’s likely not to work when you need it.
• Red flag answers from management: “We haven’t tested it.”
Questions Executives Should Ask
• How do we know our service providers are keeping our data safe?
• What you should know: Many organizations provide a lot of customer and proprietary data to third parties.
• Red flag answers from management: “We get a SAS No. 70 report” or “It’s in our contract.”
Guiding Principles Advice
• Invite IT leadership and IT auditors to audit committee meetings periodically.
• Don’t be afraid to ask the tough questions about IT.
• Don’t be afraid to probe the responses to your questions.
• Consider holding executive sessions with IT leadership and IT auditors.
The Cloud
• Should we be using the cloud?
Reactions to the Cloud
• Why is my CIO talking about the weather?
• Is this just a sales ploy so I pay more for what I’m already getting?
• Are these computers in the sky somewhere? What happens if it rains?
• So you want me to put my critical business information and computer operations in a place I can’t see at some company I’ve never heard of?
The History of Computing – 1970s and Early 80s
Overview:
• Mainframes dominated the landscape
• Workstations had little processing power, effectively “thin clients”
• Network infrastructure was often contained within a single building and was proprietary
• Users needed to be at the physical site
The History of Computing – 1970s and Early 80s
Characteristics:
• Biggest security threats were insiders
• Privacy laws were in their infancy
• Disaster recovery plans focused on the physical building and data center with offsite recovery centers
• Storage took up significant space
• Few people had email
• Few people had cell phones
• Phones were separate from the computer network
The History of Computing – Late 1980s and Early 90s
Overview:
• Client server architecture started to replace mainframes
• Workstations had more processing power
• Network infrastructure was beginning to use standard protocols
• Many companies started creating company-wide networks using private lines
• Companies cautiously used the internet for limited purposes
• Users needed to be at the physical site
The History of Computing – Late 1980s and Early 90s
Characteristics:
• Biggest security threats were insiders
• Privacy laws were in their infancy
• Disaster recovery plans focused on the physical building and data center with offsite recovery centers
• Storage took up significant space
• Email and cell phones were still the exception
• Phones were separate from the computer network
• “Outsourcing” generally related to running a large physical data center
The History of Computing – 1990s
Overview:
• Client server architecture widely replaced mainframes
• Workstations had much more processing power; laptops started to be adopted but were much less powerful
• “Thin clients” re-emerged
• Network infrastructure still used several standards
• Many companies started using the internet, but still not for critical business
• Most users needed to be at the physical site
• “Outsourcing” generally related to running a large physical data center, with some application service providers
The History of Computing – 1990s
Characteristics:
• Biggest security threats were insiders, but network and internet connectivity began introducing new security risks
• Privacy laws were in their infancy
• Disaster recovery plans focused on the physical building and data center with offsite recovery centers
• Storage took up significant space, but less than before
• Email and cell phones were widely adopted
• Phones were separate from the computer network
• Data center hosting became more popular, as did application service providers
The History of Computing – 2000s
Overview:
• Client server architecture dominates the landscape
• Workstations and laptops had much more processing power
• Smart phones widely used
• Network infrastructure came to one standard
• VPN was adopted on a widespread basis
• Many companies started using the internet for critical business applications
• Significant move towards application service providers and remote data center hosting
• Most users could now work remotely
The History of Computing – 2000s
Characteristics:
• Biggest security threats were now from the internet
• Security vulnerabilities of major products were easily exploited
• Privacy laws began to take form
• Disaster recovery plans still focused on the physical building and data center with offsite recovery centers
• Storage became inexpensive and small
• Smart phones and laptops were the norm – data now resided outside the company, but generally only on company devices
• Phones began to get integrated with the computer network
Computing – Today
Overview:
• Client server architecture dominates the landscape with widespread “virtualization”
• Workstations and laptops are powerful, but little is run on them, making most operate more like “thin clients”
• Smart phones widely used
• Network infrastructure on one standard and VPN heavily used
• Most companies use the internet for critical business
• Majority of users can work remotely
• Many companies exploring the use of the cloud
Computing – Today
Characteristics:
• Biggest security threats are state-sponsored cyber attacks
• Major developers better at security
• Privacy laws much more robust
• Disaster recovery plans still focused on the physical building and data center with offsite recovery centers
• Storage is extremely inexpensive and small
• Smart phones and laptops are the norm – data resides outside the company, including on personal devices
• Phones often integrated with the computer network
What is the Cloud
• Virtualized servers and applications running in remote data centers that may have redundancy between data centers
Cloud Considerations
• Security
• Cloud providers may be more of a target for hackers since they are widely known as service providers; however, they also typically have very deep security resources to manage those risks
• The cloud might be accessed from anywhere, so end user security access configurations tend to be more important
• Third party cloud providers potentially have significant access to any system in their environment
• Key considerations
• Can your internal IT resources secure your environment, based on your risk profile, better than the cloud?
• Do you have strong enough end user security?
• Does the cloud provider have a type 2 SOC 2 report over Security?
Cloud Considerations
• Availability and disaster recovery
• Cloud providers tend to use hardened data centers with redundancy between locations
• Heavy reliance on network connectivity to access cloud resources
• Key considerations
• Do you think you can harden your data centers as well as the cloud data centers?
• Has your disaster recovery and business continuity plan been revised to address end user computing?
• Do you have adequate network redundancy?
• Does the cloud provider have a type 2 SOC 2 report over Availability?
Cloud Considerations
• Privacy
• Cloud providers may be more of a target for hackers since they are widely known as service providers; however, they also typically have very deep security resources to manage those risks
• Third party cloud providers potentially have significant access to any system in their environment
• If there is a breach at the cloud provider, you may still be responsible for compliance with privacy laws and for the impact
• Key considerations
• Are you able to comply with all of the privacy requirements relevant to your industry?
• Does the cloud provider have a type 2 SOC 2 report over Privacy?
Cloud Considerations
• Cost
• With cloud providers there is much less capital spending
• The cost of personnel with expertise in maintaining servers, infrastructure, and security can be spread across many organizations, potentially decreasing cost
• Key considerations
• Are you comparing “apples to apples”?
Cloud
• Questions?