Professional Documents
Culture Documents
Fatigue / Obsolescence
Methods / aids to handle IT risk
• Asset Register
• Responsibility Charts
• System set-up diagram with identifier
• Control Charts
• Pending Issues
• Risk Register
• Change control process and documentation
• SW update release management and knowledge transfer
• Data back-up on end user devices
• Data retention policies
• Contracts database
• AMC database
Updates to SW in the background
Risk External Events – floods, Strike/bandh, dug up cables
Personality and Character of Operations team
Celebrate and reward silent running
People change – handover documentation
Access rights / Mail data of employees who have left the organisation
Methods / aids to handle IT risk
Segregation of duties
Preventive Maintenance
Dual password for key actions
Partner readiness and escalation mechanism
Escalation for vital tasks
Log of Sysadm actions
Restrict access of Admin to data content
Service Line Reviews
Incident review
Content update and release on websites and Intranet – Role clarity
Periodic Audits
Log Files Review
Sysadm Rights and actions
Educate users to use resources prudently
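The slide lists "Log of Sysadm actions", "Log Files Review" and "Restrict access of Admin to data content" as aids, but does not show what a review of such a log looks like. The following is an added example, not code from the slides: it parses a constructed sysadmin action log in an assumed one-line-per-action format, flags privileged actions that carry no change-control ticket (the CHANGE-#### convention is an assumption) and flags actions where an administrator touched business data under an assumed /data/ tree, then tallies actions per administrator.

```python
"""Added example (not from the slides): a minimal review of a sysadmin action log.

Covers two controls named on the slide: "Log of Sysadm actions / Log Files
Review" and "Restrict access of Admin to data content". The log line format,
the CHANGE-#### ticket convention and the /data/ prefix are assumptions.
"""
import re
from collections import Counter

# Constructed sample log in the assumed format:
# <timestamp> <admin> <action...> [ticket=CHANGE-####]
SAMPLE_LOG = """\
2024-03-01T09:12:03Z alice sudo systemctl restart nginx ticket=CHANGE-1042
2024-03-01T09:40:17Z bob sudo cat /data/customers/export.csv
2024-03-01T10:05:44Z alice sudo useradd contractor7 ticket=CHANGE-1043
2024-03-01T11:22:09Z carol sudo rm -rf /data/finance/2023
2024-03-01T11:30:00Z bob sudo apt-get upgrade ticket=CHANGE-1044
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<admin>\S+) (?P<action>.*?)(?: ticket=(?P<ticket>CHANGE-\d+))?$"
)

# Assumed policy: administrators maintain the system but do not read or
# modify business data content, which lives under this prefix.
DATA_CONTENT_PREFIX = "/data/"


def parse_line(line):
    """Return a dict with ts/admin/action/ticket, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.groupdict()


def review_log(text):
    """Review a log: return (findings, actions_per_admin).

    findings is a list of (rule, admin, action) tuples for the two rules above.
    """
    findings = []
    per_admin = Counter()
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue  # blank or malformed line: skipped, not silently accepted
        per_admin[entry["admin"]] += 1
        if entry["ticket"] is None:
            # Change control process: every privileged action should reference a ticket.
            findings.append(("no-change-ticket", entry["admin"], entry["action"]))
        if DATA_CONTENT_PREFIX in entry["action"]:
            # Restrict access of Admin to data content.
            findings.append(("admin-touched-data-content", entry["admin"], entry["action"]))
    return findings, per_admin


if __name__ == "__main__":
    found, counts = review_log(SAMPLE_LOG)
    for rule, admin, action in found:
        print(f"{rule:28s} {admin:8s} {action}")
    print("actions per admin:", dict(counts))
```

On the constructed sample the review raises four findings: two for the untracked `cat` of a customer export (no ticket, data content touched) and two for the untracked `rm -rf` under /data/finance. A real deployment would read the log from a source the administrators cannot alter, which is the point of pairing the "Log of Sysadm actions" aid with an independent "Log Files Review".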
Key IT factors and the IT Risk pyramid
[Figure: IT Risk pyramid – labels: Poor IT – Business relations; Agility; Poor project delivery]
Enterprise Architecture
[Figure: Enterprise Architecture layers – Business Architecture; Information Architecture; Application Architecture; Technology Architecture]
Information Architecture Principles
• Single Customer Identification
• Consistent Definition of Products
• Identification of Customer Contact Points
• Data Accessible Across organisation
• Timely Information
• Reuse Data
• Use One Data Master
• Single Algorithm for Each Business Measure
• Data Security
• Common Vocabulary and Data Definitions
• Centralised Analytical Data Repositories
Application Architecture Principles
• Common Use Applications
• Ease of Use
• Re-use Before Buying
• Buy Before Building
• Minimise Package Modifications
• Component-based Architecture
• Channel and Device Independence
• Integration Services Independence
• Application Interfaces to External Environment
• Adopt Web-based Technologies
[Figure: Business Architecture, Information Architecture and Application Architecture layers]
Architecture Services for Projects
[Figure: process diagram]
1. Discovery: preliminary consultation advice
2. Design: project planning; detailed architectural analysis (environmental scanning; gap analysis; assessment of options etc); solution options
Enterprise Architect inputs: Enterprise Architecture Principles; Enterprise Architecture Model; business trends and strategies; technology trends; external factors
Outputs: new/changed architectural components required by project; new/changed architectural components required due to external factors; implementation of new/changed architecture components (those not project specific)
Architecture Services for Projects
[Figure: process diagram, cont’d]
2. Design cont’d: design specification
3. Deployment: project management; technical issues register; go live; implementation of new/changed architecture components (project specific)
Solutions Architect: escalation of architectural issues; resolution of architectural issues
4. Architectural compliance review
5. Architectural issues management
Enterprise Architect: incorporate new/changed elements into the Enterprise Architecture Model (Enterprise Architecture Principles; Enterprise Architecture Model)
IT Risk Management with SDLC
✓ Typical System Development Life Cycle stages:
[Figure: cycle diagram with stages Start; Development; Administration; Operation; Protection]
IT Risk Management with SDLC
IT Security Convoys:
• Comprises network, system and computer professionals and security analysts
• Responsible for providing the security needs that arise from changes in the environment of these systems
• Support operation of the RM process by identifying and eliminating potential risks using new security control tools
Role of Staff
Professional Security Coaches:
• Play a role in improving the educational materials
• Critical role, as organization staff need to be provided with security-conscious training to minimize possible risks
• Help in laying out policies and guidelines
Controls used
Technical Security Controls:
• These controls may protect against all types of existing threats
• Can become complex compared with simpler controls
• System Architecture
• Security packages with a combination of hardware, software and firmware
Controls used
Management Security Controls:
• Correlate with technical controls and proper management
• Minimize risks and protect the missions of the organization
• Follow policies, guidelines and standards that protect information throughout the organizational procedures
• Deployed to achieve the goals and performance of the organization’s missions
Controls used
Operational Security Controls:
• Set up controls and guidelines to ensure security procedures and monitoring of the appropriate use of organizational assets and IT resources
Keys to Success
A successful RM program relies on:
1. Top Management Committee
2. Full support and participation of the IT teams
3. Qualified risk assessment teams with experience in applying risk assessment methods
4. Knowledgeable persons and members of the organization
5. Evaluation and estimation of the risks associated with the mission