Top Questions Executives and Board Members Should be Asking About IT and Cloud Risks

Learn about the types of IT risks that executives and audit committees may overlook, the risks of cloud computing, and how to ask meaningful questions about IT risks. Discover the indicators of larger issues and effective communication strategies.

topete


Presentation Transcript


  1. Top Questions Executives and Board Members Should be Asking About IT and Cloud Risks

  2. Learning Objectives
  Participants will learn about:
  • The types of IT risks which may go unaddressed by executives and audit committees
  • Risks of cloud computing
  • The types of questions around IT risks that will elicit the most meaningful responses
  • What types of responses to questions on IT risks may be indicative of bigger issues
  • How to communicate more effectively on topics surrounding IT risks

  3. What boards say…
  Nearly half of boards surveyed are dissatisfied with their ability to oversee IT risk.
  * Source: Oliver Wyman’s Global Risk Center and the National Association of Corporate Directors (NACD)

  4. What boards say…
  The top three reasons:
  • Insufficient expertise at the board level
  • Insufficient communication on the company's IT strategy and operations
  • Lack of an integrated business IT strategy picture presented by management to the board
  * Source: Oliver Wyman’s Global Risk Center and the National Association of Corporate Directors (NACD)

  5. Questions Executives Should Ask
  • How many times have we been successfully hacked this year?
  • What you should know: Foreign hackers are attacking U.S. businesses every day.
  • Red flag answers from management: “We haven’t.”

  6. Questions Executives Should Ask
  • How many people can access our customers’ or employees’ sensitive data?
  • What you should know: Many organizations don’t know the answer.
  • Red flag answers from management: “We have SOX controls.”

  7. Questions Executives Should Ask
  • Who is going to lose their job if the implementation goes poorly?
  • What you should know: Accountability is often one of the biggest hurdles to a successful implementation.
  • Red flag answers from management: Naming anyone not at the meeting.

  8. Questions Executives Should Ask
  • What is the definition of a successful project? Budget? Timing? Functionality?
  • What you should know: Consultants usually get paid more when projects go poorly, and rarely do the stakeholders set the definition of success up front.
  • Red flag answers from management: “A system that does what it’s supposed to do.”

  9. Questions Executives Should Ask
  • Are our laptops and other portable devices encrypted?
  • What you should know: Encrypting a laptop can help show adequate controls and may allow you to avoid liability for data breaches.
  • Red flag answers from management: “It costs too much.”

  10. Questions Executives Should Ask
  • Do we enforce strong passwords?
  • What you should know: Easily guessed passwords make hackers’ lives easier.
  • Red flag answers from management: “Our users will just write them down.”

  11. Questions Executives Should Ask
  • Has our disaster recovery plan been fully and completely tested in the past year?
  • What you should know: If you don’t test the plan, it’s likely not to work when you need it.
  • Red flag answers from management: “We haven’t tested it.”

  12. Questions Executives Should Ask
  • How do we know our service providers are keeping our data safe?
  • What you should know: A lot of customer and proprietary data is provided to third parties by many organizations.
  • Red flag answers from management: “We get a SAS No. 70 report” or “It’s in our contract.”

  13. Guiding Principles Advice
  • Invite IT leadership and IT auditors to audit committee meetings periodically.
  • Don’t be afraid to ask the tough questions about IT.
  • Don’t be afraid to probe the responses to your questions.
  • Consider holding executive sessions with IT leadership and IT auditors.

  14. The Cloud
  • Should we be using the cloud?

  15. Reactions to the Cloud
  • Why is my CIO talking about the weather?
  • Is this just a sales ploy so I pay more for what I’m already getting?
  • Are these computers in the sky somewhere? What happens if it rains?
  • So you want me to put my critical business information and computer operations in a place I can’t see, at some company I’ve never heard of?

  16. The History of Computing – 1970s and Early 80s
  Overview:
  • Mainframes dominated the landscape
  • Workstations had little processing power, effectively “thin clients”
  • Network infrastructure was often contained within a single building and was proprietary
  • Users needed to be at the physical site

  17. The History of Computing – 1970s and Early 80s
  Characteristics:
  • Biggest security threats were insiders
  • Privacy laws were in their infancy
  • Disaster recovery plans focused on the physical building and data center, with offsite recovery centers
  • Storage took up significant space
  • Few people had email
  • Few people had cell phones
  • Phones were separate from the computer network

  18. The History of Computing – Late 1980s and Early 90s
  Overview:
  • Client-server architecture started to replace mainframes
  • Workstations had more processing power
  • Network infrastructure was beginning to use standard protocols
  • Many companies started creating company-wide networks using private lines
  • Companies cautiously used the internet for limited purposes
  • Users needed to be at the physical site

  19. The History of Computing – Late 1980s and Early 90s
  Characteristics:
  • Biggest security threats were insiders
  • Privacy laws were in their infancy
  • Disaster recovery plans focused on the physical building and data center, with offsite recovery centers
  • Storage took up significant space
  • Email and cell phones were still the exception
  • Phones were separate from the computer network
  • “Outsourcing” generally meant running a large physical data center

  20. The History of Computing – 1990s
  Overview:
  • Client-server architecture widely replaced mainframes
  • Workstations had much more processing power; laptops started to be adopted but were much less powerful
  • “Thin clients” re-emerged
  • Network infrastructure still used several standards
  • Many companies started using the internet, but still not for critical business
  • Most users needed to be at the physical site
  • “Outsourcing” generally meant running a large physical data center, with some application service providers

  21. The History of Computing – 1990s
  Characteristics:
  • Biggest security threats were insiders, but network and internet connectivity began introducing new security risks
  • Privacy laws were in their infancy
  • Disaster recovery plans focused on the physical building and data center, with offsite recovery centers
  • Storage took up significant space, but less than before
  • Email and cell phones were widely adopted
  • Phones were separate from the computer network
  • Data center hosting became more popular, as did application service providers

  22. The History of Computing – 2000s
  Overview:
  • Client-server architecture dominates the landscape
  • Workstations and laptops had much more processing power
  • Smart phones widely used
  • Network infrastructure came to one standard
  • VPN was adopted on a widespread basis
  • Many companies started using the internet for critical business applications
  • Significant move towards application service providers and remote data center hosting
  • Most users could now work remotely

  23. The History of Computing – 2000s
  Characteristics:
  • Biggest security threats were now from the internet
  • Security vulnerabilities of major products were easily exploited
  • Privacy laws began to take form
  • Disaster recovery plans still focused on the physical building and data center, with offsite recovery centers
  • Storage became inexpensive and small
  • Smart phones and laptops were the norm – data now resided outside the company, but generally only on company devices
  • Phones began to be integrated with the computer network

  24. Computing – Today
  Overview:
  • Client-server architecture dominates the landscape, with widespread “virtualization”
  • Workstations and laptops are powerful, but little is run on them, making most operate more like “thin clients”
  • Smart phones widely used
  • Network infrastructure on one standard and VPN heavily used
  • Most companies use the internet for critical business
  • Majority of users can work remotely
  • Many companies exploring the use of the cloud

  25. Computing – Today
  Characteristics:
  • Biggest security threats are state-sponsored cyber attacks
  • Major developers better at security
  • Privacy laws much more robust
  • Disaster recovery plans still focused on the physical building and data center, with offsite recovery centers
  • Storage is extremely inexpensive and small
  • Smart phones and laptops are the norm – data resides outside the company, including on personal devices
  • Phones often integrated with the computer network

  26. What is the Cloud
  • Virtualized servers and applications running in remote data centers that may have redundancy between data centers

  27. Cloud Considerations
  • Security
    • Cloud providers may be more of a target for hackers since they are widely known as service providers; however, they also typically have very deep security resources to manage those risks
    • The cloud might be accessed from anywhere, so end user security access configurations tend to be more important
    • Third party cloud providers potentially have significant access to any system in their environment
  • Key considerations
    • Can your internal IT resources secure your environment, based on your risk profile, better than the cloud?
    • Do you have strong enough end user security?
    • Does the cloud provider have a type 2 SOC 2 report over Security?

  28. Cloud Considerations
  • Availability and disaster recovery
    • Cloud providers tend to use hardened data centers with redundancy between locations
    • Heavy reliance on network connectivity to access cloud resources
  • Key considerations
    • Do you think you can harden your data centers as well as the cloud data centers?
    • Has your disaster recovery and business continuity plan been revised to address end user computing?
    • Do you have adequate network redundancy?
    • Does the cloud provider have a type 2 SOC 2 report over Availability?

  29. Cloud Considerations
  • Privacy
    • Cloud providers may be more of a target for hackers since they are widely known as service providers; however, they also typically have very deep security resources to manage those risks
    • Third party cloud providers potentially have significant access to any system in their environment
    • If there is a breach at the cloud provider, you may still be responsible for compliance with privacy laws and for the impact
  • Key considerations
    • Are you able to comply with all of the privacy requirements relevant to your industry?
    • Does the cloud provider have a type 2 SOC 2 report over Privacy?

  30. Cloud Considerations
  • Cost
    • With cloud providers there is much less capital spending
    • The cost of personnel with expertise in maintaining servers, infrastructure, and security can be spread across many organizations, potentially decreasing cost
  • Key considerations
    • Are you comparing “apples to apples”?

  31. Cloud
  • Questions?
