
TOP 10 TECHNOLOGY INITIATIVES
9. Preventing and Responding to Computer Fraud
IT Security Ranked #2
Preventing and Responding to Computer Fraud Ranked #9
Prevention Involves:
• Effective Risk Management
• Proper Design and Operation of Controls
• Effective Monitoring
• Event Identification
• Event Escalation
• Effective Response Program
S-1
© 2013 - Robert G. Parker
9. Preventing and Responding to Computer Fraud
Crisis Response:
• Planning and Preparation
• Incident Identification
• Incident Stabilization and Containment
• Incident Remediation
• Incident Communications
• Incident Recovery
• Incident Monitoring and Reporting
Communication Is Key to Ensuring Stakeholders are Informed and “On-side”
S-2
9. Preventing and Responding to Computer Fraud
Survey results (bar chart, confidence level by question):
• Has appropriate policies in place to detect management override abuse: 42%
• Knows what to do should a fraud-related incident occur: 47%
• Has adequately designed our systems to meet regulatory and legislative requirements to prevent fraud from occurring: 51%
• Has appropriately designed policies and internal controls to reduce IT-related fraud risks to an appropriate level: 56%
• Has considered the fraud risks associated with Information Technology (IT): 60%
S-3
S-4
10. Managing Vendors and Service Providers
Outsourcing and Offshoring are Not New
Outsourced Service Offerings are Not New
What is New is the Technology - Specifically Cloud Computing
SaaS (Software as a Service) provides users with application software...
SaaS facilitates deployment of applications without the cost and complexity of buying and maintaining the software.
PaaS (Platform as a Service) provides users with a computing platform or solution stack.
IaaS (Infrastructure as a Service) provides a virtualized platform combined with storage and a network. Billing of services is based on the amount of resources consumed; the cost will typically reflect the level of activity.
S-5
10. Managing Vendors and Service Providers
Issues & Risks - Security, Privacy, Availability and Continuity
Security – Cloud providers’ security practices, co-mingling of data with other users’ data, cloud service providers’ business practices, SSAE 16/3416 assurance reports
Privacy – Cloud providers’ privacy practices, location of data, possible breach of Canadian/Provincial laws (e.g. PHI)
Availability – Cloud providers’ financial stability, robustness of infrastructure, redundancy of critical components, up-time record
Continuity – Business continuity and disaster recovery plans, incident response plans/history
Compliance – Ability to comply with legislative, regulatory and industry requirements, e.g. privacy (PIPEDA), security (ISO 27002), financial (GLB, PCI), health care (HIPAA, HITECH, PHIPA)
S-6
10. Managing Vendors and Service Providers
All the old outsourcing risks still exist, plus some new ones.
S-7
10. Managing Vendors and Service Providers
KPMG survey reveals state of IT outsourcing
Karl Flinders, 18 September 2012
Survey Population
£14bn worth of UK IT services contracts ($21bn Cdn)
Total IT budget of £30bn ($45 Cdn)
Survey Results
76% of organisations will continue to outsource IT at the same level
Only 19% said they will outsource more
Savings is still cited as a key factor for 76% of respondents
90% of public sector organisations outsourcing IT
Only 29% have it provided from offshore
This compares with 66% of organisations across all sectors
Source: http://www.computerweekly.com/news/2240163409/KPMG-survey-reveals-state-of-IT-outsourcing
S-8
10. Managing Vendors and Service Providers
Survey results (bar chart, confidence level by question):
• Able to negotiate a sufficiently flexible contract that will allow the entity to reasonably adjust/exit the contract as needed: 30%
• Knows when a Vendor/Service Provider is complying or not complying with its service level agreement (SLA): 38%
• Follows a specific process that enables the organization to easily identify a reliable Vendor/Service Provider: 40%
• Is performing the appropriate due diligence before engaging a Vendor/Service Provider: 40%
S-9
10. Managing Vendors and Service Providers
• Able to validate the sufficiency and completeness of terms & conditions within a service level agreement (SLA): 41%
• Able to analyze the cost implications of starting to use/switching to a Vendor/Service Provider: 48%
• Understands and has adequately assessed the risk of using a Vendor/Service Provider: 51%
With responses to 6 out of the 7 questions at less than a 50% confidence level, there is a need for extensive changes to management and governance knowledge, skills and resources.
S-10
What Messages Did You Obtain From The Survey?
1. Managing and Retaining Data
2. Securing the IT Environment
3. Enabling Decision Support and Analytics
4. Managing IT Risk and Compliance
5. Governing and Managing IT Investment and Spending
6. Ensuring Privacy
7. Managing Systems Implementation
8. Leveraging Emerging Technologies
9. Preventing and Responding to Computer Fraud
10. Managing Vendors and Service Providers
S-11
Thank You for Your Interest and Participation
Robert G Parker
MBA, FCA, CPA•CA, CISA, CRISC, CMC
S-12