Awareness Training Series: Management Awareness Training. Dan Hadaway, CISA, CISM, Managing Partner, infotex
Objectives • What is IT Governance, and what does a typical IT Governance program look like? • What is the management team’s role in the IT Governance Program? • What is the ISO’s role? • What should the management team know to ensure proper IT Governance? • How can management help manage technology risk?
Today’s Agenda • Management Awareness Resources • Five Tenets of IT Governance • The IT Governance Program • The Risk Assessment • Information Technology Audits • Vendor Due Diligence • Awareness Training • New Risks for 2011/2012 • The 2011 Audit Results
In this next section • We will become familiar with the “workshop portal” and this presentation. • We will hear credentials that can be used to log onto the workshop portal. • We will learn what is on the “workshop portal.”
Available Tools . . . • IT Audit Test Types • The ISO Job Description • Awareness Training Procedure • Management Awareness Training Procedure • Governance Policy Development Chart
Available Tools . . . • Management Guidelines for Social Media • User Guidelines for Social Media • Management Talking Points for Mobile Banking and Social Media
Available Tools . . . • Wireless Banking Article (Top Five Risks) • Wireless Banking Article • Wireless Banking Risk Assessment • Wireless Banking Due Diligence Kit
Our Credentials • Information Security • CISAs, CISMs, CISSPs • Developed my first AUP in 1988 • Updating our process annually • Been doing Annual UAT for banks since 2002 • GLBA, BSA, OFAC, FACTA, HIPAA • Assessments, IT Audits, Consulting • Managed Services (Network Monitoring)
Nomenclature • Information Security Strategy • Information Security Program • IT Risk Management Program • IT Governance Program. Essentially the same thing.
IT Governance Program • Combines: • Serve Business Mission • Manage Technology Risk (information security)
In this next section • We will learn five basic tenets of IT Governance that all management team members should know. • We will learn why IT Governance is concerned with Risk Management. • We will learn “the one control” and why this workshop is important.
#1: Serve the Mission Information Technology must be aligned with the Business Strategy of the bank!
Strategy Alignment • Facilitates business tactics • Assists in business processes • Creates a competitive edge • Increases communication with “all four corners of the bank,” especially customers • Provides accurate information to management
Strategy Alignment • Deliver a Return on Investment • Tangible Return • Check 21 takes advantage of quicker check processing. Imaging System reduces paper costs. • Fees charged for various services. • Intangible Return • Firewall mitigates risk of internet hacking. • On-line Banking provides convenience to customers.
Management Role • Determine technologies that will best facilitate business tactics. • Determine appropriate time to deploy new technologies (Apply Pressure)
Management Role • Search and Selection Process (Cost/Benefit? Benefit/Risk? When?) • Risk Analysis • Requirements Definition • Request for Proposal
Management Role • Negotiate Contracts (as per Vendor Management Procedure) • Implementation • From a user perspective • Return to risk analysis • Return to cost/benefit analysis • Return to features analysis • Ongoing Vendor Due Diligence (as per Vendor Management Procedure)
1. Align IT with Business Strategy: Rogers’ Diffusion Theory of Innovation • Innovators • Early adopters • Early majority • Late majority • Laggards (Source: Everett M. Rogers, Diffusion of Innovations)
1. Align IT with Business Strategy: Stages of Innovation • Knowledge • Persuasion • Decision • Implementation • Confirmation (Where do the Risk Assessment and Security Controls fit in?) (Source: Everett M. Rogers, Diffusion of Innovations)
1. Align IT with Business Strategy: Early Adopters in Banking • Physical Security • Information Security (Dan’s interpretation of Everett M. Rogers’ Diffusion of Innovations)
1. Align IT with Business Strategy: Late Majority / Laggard • Virtualization • Cloud Computing • Social Media • Telecommuting (Image: Softwareforcloudcomputing.com; Dan’s interpretation of Everett M. Rogers’ Diffusion of Innovations)
1. Align IT with Business Strategy: Risk/Benefit Evolution Curve [Figure: Value plotted against Time; Price and Problems decline while Features and Sophistication increase; adopter groups marked along the curve as Innovator, Early Adopter, Early Majority, Late Majority, Laggards]
Digital Video Security • Innovators • Early adopters • Early majority • Late majority • Laggards 2012
Secure Messaging • Innovators • Early adopters • Early majority • Late majority • Laggards 2012
Remote Access in Banks • Innovators • Early adopters • Early majority • Late majority • Laggards 2010
Social Media in Banks • Innovators • Early adopters • Early majority • Late majority • Laggards 2011
Wireless Banking • Innovators • Early adopters • Early majority • Late majority • Laggards 2013
#2: Manage the Risk Information, Technology, and Information Technology expose the bank to risk!
#2) The Risk Spectrum • There is no such thing as 100% security! [Spectrum: from “Ignore it?” at one end to “Obsession?” at the other]
#2) The Risk Spectrum • There is no such thing as 100% security! [Spectrum: from “Ignore it?” to the FFIEC Guidelines]
How do you decide? • There is no such thing as 100% security! [Spectrum: from “Ignore it?” to the FFIEC Guidelines, with Risk-based Remediation in between]
Principle Number Two Information Security is about ACCEPTING RISK.
A process question: When you are finished serving a customer, what do you typically do? A. Cross Customer Service off the to-do list. B. File the experience away as one you hope you’ll never have to do again. C. Learn from the experience and try to serve the next customer better. D. Move on to the next project.
Fundamental #3 It's a process!
Which means . . . • No crossing it off the list. • No filing it away. • No wishing you never have to deal with it again.
And means . . . • It’s cyclical. • You learn from each cycle. • It is constantly improving (we hope). • It’s about managing risk and ensuring alignment with other business processes.
And to improve . . . . • We must start by measuring. But remember that metrics are all relative.
Important Point Question: What is the Number 1 form of Identity Theft? A. Pretext Calling B. Drive-by Attacks (Trojan Horses installed by rogue websites.) C. Insider Data Theft D. Phishing E. Other
Source: Javelin Research 2009 Identity Fraud Survey Report, a survey of 25,000 adults.
4) It’s not really Technical [Figure: People, Technology, Policy, Process]