Transcript Document

8 - Management and Operation of Technology Infrastructure
Management and Operation of Technology
Infrastructure
1
8 - Management and Operation of Technology Infrastructure
Dealing with changing infrastructure environments and the new technologies
that are driving business changes and creating risks and management issues
• 40% of Respondents were using the cloud
• 20% planned to use the cloud within 24 months
• 22% were in the process of evaluating the cloud
Of the remaining 18%, 6% decided not to use clouds and 12% has
Source: Informationweek Analytics
no plans to evaluate them.
Concerns associated with infrastructure management included :
• Control of data handling systems that are outside of the formal
system, such as the use of spreadsheets (13)
© Robert G Parker – UW-CISA 2010
S-2
8 - Management and Operation of Technology Infrastructure
• User managed data bases that are locally developed and
processed within business units but which may lack rigorous
processes typically associated with IT-developed solutions
such as quality reviews, testing, change management and
access controls.
Empowered Users
• Security of data that is or can be stored on portable devices
or that is easily moved among stakeholders
Portable Devices
3
8 - Management and Operation of Technology Infrastructure
Business Risks
• Increasing use of cloud computing without an understanding of the
associated risks (Lack of a cloud risk management strategy)
• Increasing risks associated with the quality and integrity of
information processed and presented from these ad hoc systems and
applications.
• Increased risks of subsequent and ongoing problems caused by
incomplete, unperformed or erroneous unchecked change
management procedures.
• Lack of ‘Security over information moved between various sites, or
stored, on moveble/moblie media
• Lack of control over portable media
© Robert G Parker – UW-CISA 2010
S-4
8 - Management and Operation of Technology Infrastructure
Operational / Technology Risk Management
• Implement requirements for, and conduct full technology and business risk
assessment prior to adopting new technologies
• Where ad hoc systems and applications are integrated into the enterprise’s
information systems, ensure that controls exist and are operation to
validate the integrity of the information prior to it further use.
• Establish, adhere to and monitor rigorous change management procedures
• Implement procedures, such as encryption over information at rest, in
transit and while archives to minimize the risk of an information breach
• Implement and monitor procedures over when portable may be used, the
types of information that may be placed on them and the security and
control restrictions over them
© Robert G Parker – UW-CISA 2010
S-5
9 - Business Continuity and Pandemic Awareness
Business Continuity and Pandemic Awareness
© Robert G Parker – UW-CISA 2010
S-6
9 - Business Continuity and Pandemic Awareness
Information technology departments have an obligation to provide services
throughout the enterprise. However, they are frequently challenged in
developing and testing effective technology disaster recovery plans due to lack
of enterprise planning, lack of funding or denial of the potential severity of the
risks.
Lack of meaningful preparedness for a pandemic
Entity centric continuity plans; inward focus
Lack of supply chain resiliency, redundancy
Lack of comprehensive continuity plans
Plans have not been tested
The Same Issues
Plans are not being maintained
© Robert G Parker – UW-CISA 2010
S-7
9 - Business Continuity and Pandemic Awareness
Lack of meaningful preparedness for a pandemic
No single point of contact
Conflicting messages, priorities
Plans differed by region
Different groups defined as high risk
Initially insufficient vaccine
Numerous individuals not vaccinated
No instructions for travellers across
Canada
Coughing in the crook of your arm campaign was effective
We Dodged the Bullet - This Time!
© Robert G Parker – UW-CISA 2010
S-8
9 - Business Continuity and Pandemic Awareness
Entity centric continuity plans; inward focus
Business Continuity Plans frequently address only recovery of the business
and its infrastructure:
• Plans do not consider third party infrastructure
• Plans do not consider up stream and down stream impacts
• Plans do not address catastrophes
• Impact on immediate area
• Impact on foreign operations
• Risk mitigation strategies and plans
• Financial and cash flow issues
• Impact on franchised operations
© Robert G Parker – UW-CISA 2010
S-9
9 - Business Continuity and Pandemic Awareness
A Catastrophe Poorly Handled
© Robert G Parker – UW-CISA 2010
S-10
9 - Business Continuity and Pandemic Awareness
For Want of a Nail
The Shoe was Lost
© Robert G Parker – UW-CISA 2010
S-11
9 - Business Continuity and Pandemic Awareness
For Want of a Shoe
The Horse was Lost
© Robert G Parker – UW-CISA 2010
S-12
9 - Business Continuity and Pandemic Awareness
Lack of Supply Chain Resiliency, Redundancy
For Want of a Horse
The Battle was Lost
© Robert G Parker – UW-CISA 2010
S-13
9 - Business Continuity and Pandemic Awareness
Lack of Comprehensive Continuity Plans
For Loss of a Battle
The Kingdom was Lost
Contingency Planning
or Catastrophe
© Robert G Parker – UW-CISA 2010
S-14
9 - Business Continuity and Pandemic Awareness
Plans Have Not Been Tested
A BCP or DRP that has not been Tested is Not a Valid Plan
It is an Idea of What May Have to be Performed
Plans are Not Being Maintained
An out of date BCP or DRP Likely does not Reflect the Current
Environment, Risks, etc.
Relying on an Out of Date Plan Will Likely Not Result in a Successful
Outcome
© Robert G Parker – UW-CISA 2010
S-15
Business Continuity and Pandemic Awareness
Expansion of the Panama
Canal to handle super tankers
© Robert G Parker – UW-CISA 2010
S-16
Business Continuity and Pandemic Awareness
Business Reaction
Reassess BCP and DRP initiatives
Implement plans to link BCP-DRP to enterprise and IT risk management
initiatives
Ensure supply chain risk are monitored and assessed
Implement employee awareness and training programs, newsletters
Business Continuity Risk Management
Changing external environment not reflected in BCP-DRP plans
Lack of understanding of supply chain risks
Lack of understanding and knowledge of extend to which up stream and
down streams supply and delivery business are addressing their BCP-DRP
Lack of effective communication
It won’t happen to me
17
10 - Impact of the Economy on Information Technology
Impact of the Economy on Information Technology
© Robert G Parker – UW-CISA 2010
S-18
10 - Impact of the Economy on Information Technology
The financial crisis and following recession resulted in the restructuring of
many organizations, including, for many, their Information Technology
departments. With the recession waning, concern has been expressed over
increasing IT departments’ to their previous staffing levels
Concerns over adopting new technologies as a means of controlling costs
while meeting the increasing needs for IT:
• Virtualization
• Cloud Computing
• BYOC
Concern over risks of increased fraud and malicious activity; disgruntled
employees and lack of control
Concern over controls over outsourcing;
• Intellectual capital, customer information, other information assets
• Contract Management -adhering to schedules, providing capacity,
saleability
© Robert G Parker – UW-CISA 2010
S-19
Thank You For Your Interest and Participation
Robert G. Parker
© Robert G Parker – UW-CISA 2010
S-20