Context for IT Operational risks

Changes galore:
• Projects
• OS and SW changes
• Processes
• Regulations
• Competitive pressures
• Technology
• Hardware Upgrades
• Hackers/espionage
• People changes
• Dissatisfied employees
• M&A
• Corporate and BU strategy

Pressures on IT:
• More services
• Lower costs
• Faster service
• Simplify
• Extend reach of IT
• New Devices/systems
• Employee aspirations
• Expectations of all Stakeholders
• More options for functions other than in-house IT
• New Partners
• Many Projects
• New Customers of IT
• Hidden problems
Context in which Operations teams operate
✓ Lower importance in hierarchy
✓ Lack of management support
✓ Incomplete documentation
✓ Legacy Hardware, software, asset record – forever evolving
✓ Too many projects, Operations not fully involved
✓ Not enough recognition for good work done in operations
Components / stake-holders

Components:
• HW
• SW (incl. Middleware, BI)
• Communication
• LAN/WiFi
• Remote access
• Web Servers/Extranet
• Mobile
• Cloud
• Third party interfaces
• End User devices
• DR Sites

Stakeholders:
• Service Providers
• Project Teams
• Procurement teams
• Staff
• Remote locations
• Employees
• Top Management
• Partners

Physical environment:
• Power
• Building access
• Fire Safety
• Visitors
ITIL - IT Services management
✓ ... or In-house OVP
IT Operations Manager Responsibilities
Duties and Responsibilities
• Support and maintain a complex landscape of applications and systems from a
variety of vendors, including legacy technologies, across multiple physical, virtual and
cloud platforms
• Spearhead an ambitious IT transformation programme; identify and put in motion
steps to mitigate technical risks.
• Responsible for prioritising and managing incidents, and acting as a final point of
escalation for all technical issues, producing RCAs where appropriate.
• Ensuring all services and infrastructure are proactively monitored, and capacity is
managed, producing reports and dashboards as necessary
• Ensuring business-critical services are highly-available and backed by a strong
Business Continuity/Disaster Recovery strategy
IT Operations Manager Responsibilities
Duties and Responsibilities
• Setting SLAs and monitoring service levels on support incidents and service requests, and
producing reports where necessary
• Defining operational processes and policies/procedures in areas such as security and systems
maintenance in line with best practices and industry standards
• Supervising, mentoring and motivating a multi-functional team of support technicians and IT
engineers, supporting their professional development with PDPs, appraisals and frequent
reviews
• Assist Project/Programme Managers to scope, plan and report on technical projects such as
system upgrades, office moves, and the introduction of new systems.
• Work closely with other technical teams such as Development, IT Change Management and
Database Administrators
• Review and recommend new technologies and procedures to further IT innovation and maturity
• Work with the IT Director and Dev Team Leads on projects, budgeting and strategy.
Processes in Addressing IT Risks
• Enterprise IT Architecture
• Governance and exception processes
• Policies: HW, SW, Communications, fair use, data access, data retention, back-up, licensing,
ethics, etc.
• Standard Operating Procedures: installation, monitoring, escalation, testing, planning for
next quarter, etc.
• Training
• Controls
• Audits
• Escalation Procedures
• Early warning systems
• Risk Register
• Change Management
• Key role in Projects / testing
• Incident Management
• Business Continuity Planning / DRP
• Support of Top Management
• Position in top team
• Character of Operations personnel – assertion
• Fatigue / Obsolescence
Methods / aids to handle IT risk
• Asset Register
• Responsibility Charts
• System set-up diagram with Risk identifier
• Control Charts
• Pending Issues
• Risk Register
• Change control process and documentation
• SW update release management
• Data back-up on end user devices
• Data retention policies
• Contracts database
• AMC database
• Updates to SW in the background
• External Events – floods, Strike/bandh, dug up cables
• Personality and Character of Operations team
• Celebrate and reward silent running
• People change – handover documentation and knowledge transfer
• Access rights / Mail data of employees who left the organisation
Methods / aids to handle IT risk
• Segregation of duties
• Dual password for key actions
• Escalation for vital tasks
• Log of Sysadm actions
• Restrict access of Admin to data content
• Update SOPs
• Periodic Audits
• Preventive Maintenance
• Partner readiness and escalation mechanism
• Log Files Review
• Sysadm Rights and actions
• Service Line Reviews
• Incident review
• Electrical audits
• Upcoming Business Events
• Interface with Business Teams
• Impact of budget cuts on operations
• Impact of Projects on Operations
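Several of the aids above (log of Sysadm actions, dual password for key actions, segregation of duties, restricting Admin access to data content, log files review) can be checked mechanically during a log review. The following is an added example, not from the slides; it assumes a hypothetical one-line-per-action audit log format and a constructed sample log.

```python
"""Review a sysadmin action log for dual-control and admin-access violations.
Hypothetical log format (constructed for this example, not a real product's):
<timestamp> user=<id> action=<verb> target=<object> [approver=<id>]"""
import re
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+)(?: approver=(?P<approver>\S+))?$"
)

# Key actions that need a second person (dual password / four-eyes rule).
KEY_ACTIONS = {"delete_backup", "change_firewall_rule", "grant_admin"}
# Data content an admin account may administer but should not read.
DATA_CONTENT_PREFIXES = ("db:customer_records", "mailbox:")


def parse(line: str) -> Dict[str, Optional[str]]:
    """Split one log line into its fields; approver is None when absent."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def review(lines: List[str]) -> List[str]:
    """Return one finding per control violation; an empty list means clean."""
    findings = []
    for line in lines:
        e = parse(line)
        if e["action"] in KEY_ACTIONS:
            if not e["approver"]:
                findings.append(f'{e["ts"]}: {e["action"]} by {e["user"]} without a second approver')
            elif e["approver"] == e["user"]:
                findings.append(f'{e["ts"]}: {e["user"]} approved their own {e["action"]} (segregation of duties)')
        if e["action"] == "read" and e["target"].startswith(DATA_CONTENT_PREFIXES):
            findings.append(f'{e["ts"]}: admin {e["user"]} read data content {e["target"]}')
    return findings


SAMPLE_LOG = [  # constructed sample, not real data
    "2024-03-01T09:00:00Z user=sysadm1 action=restart target=svc:web",
    "2024-03-01T09:05:00Z user=sysadm1 action=delete_backup target=backup:2024-02",
    "2024-03-01T09:10:00Z user=sysadm2 action=grant_admin target=user:temp01 approver=sysadm2",
    "2024-03-01T09:15:00Z user=sysadm2 action=change_firewall_rule target=fw:edge approver=secmgr",
    "2024-03-01T09:20:00Z user=sysadm1 action=read target=mailbox:ex-employee",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```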
Methods / aids to handle IT risk
• Management reporting and reviews
• Benchmarking
• Connect with other organisations and other locations to know what might happen
• Knowledge Management
• Procurement Process, Leadtimes
• Content update and release on websites and Intranet – Role clarity
• Monsoon readiness
• DR Rehearsals
• Maintenance window
• Plan to work at 75% capacity
• Support Partner as integral to all activities
• KPIs and Early warning mechanisms
• Educate users to use resources prudently
Key IT factors and the IT Risk pyramid
[Figure: IT Risk pyramid; layers from top to base: Agility, Accuracy, Access, Availability.]
Key IT factors shown beside the pyramid (listed from the Agility tier down to the Availability tier):
• Poor IT – Business relations
• Poor project delivery
• Applications do not meet business requirements
• Manual data integration required
• Significant implementation underway or recently completed
• Data not compartmentalized
• Applications need standardization
• Lack of internal controls in applications
• Network not reliable at all locations
• High IT staff turnover
• Poor backup/recovery
• Infrastructure not standardized
• Poorly understood processes and applications
• Ineffective patch/upgrade management
• Missing skills for new initiatives
• Old technology
• Regulators will find deficiencies
Recommended approach to fix the Foundation
✓ Focus on availability and access.
✓ Create and test BCP/DRP/incident management plan
✓ Develop the Enterprise Architecture and its Governance.
✓ Initiate the EA Program
✓ Embed controls, reviews and audits to proactively address issues
Enterprise Architecture
[Figure: layered model with Business Architecture on top; Information Architecture and Application Architecture side by side beneath it; Technology Architecture at the base.]
Enterprise Architecture
Information Architecture Principles:
• Single Customer Identification
• Consistent Definition of Products
• Identification of Customer Contact Points
• Data Accessible Across organisation
• Timely Information
• Reuse Data
• Use One Data Master
• Single Algorithm for Each Business Measure
• Data Security
• Common Vocabulary and Data Definitions
• Centralised Analytical Data Repositories
Application Architecture Principles:
• Common Use Applications
• Ease of Use
• Re-use Before Buying
• Buy Before Building
• Minimise Package Modifications
• Component-based Architecture
• Channel and Device Independence
• Integration Services Independence
• Application Interfaces to External Environment
• Adopt Web-based Technologies
Technology Architecture Principles:
• Technical Environment for the Future
• Use Proven Technologies
• Disaster Recovery / Business Continuity
• Interoperability
• Control Technical Diversity
• A Single Integrated WAN based on IP Protocol
• Use Portals to Provide Security at a Higher Level
• Consistent Office Environment
• Ensure Enterprise-Wide Integration of IT Security
• Non-Repudiation
• Deploy a Perimeter Layer Protecting Internal Network Access
• Security Infrastructure to Support Distributed Users
Enterprise Architecture
Technology Architecture Components
[Figure: diagram of technology architecture components; labels not recoverable.]
Architecture Services for Projects
[Figure: swim-lane diagram with lanes for Project Management, Solutions Architect and Enterprise Architect across three phases: 1. Discovery, 2. Design, 3. Deployment. Recoverable labels follow.]

Project Management lane:
Business idea → Project Charter → Business Case → Business Requirements → Functional Specification → Technical Specification → Design Specification → Technical Issues Register → Go Live

Solutions Architect lane:
• 1. Preliminary consultation advice: preliminary advice re: architectural implications of technology solutions
• 2. Project planning: advice regarding solution options (eg cost/time) to refine project shape
• 3. Detailed architectural analysis (environmental scanning; gap analysis; assessment of options etc): ongoing advice; Solution Options; Recommended technology solution; new/changed architectural components required by project
• Implementation of new/changed architecture components (project specific); escalation of architectural issues; resolution of architectural issues
• 4. Architectural compliance review
• 5. Architectural issues management; incorporate new/changed elements into the Enterprise Architecture Model

Enterprise Architect lane:
Enterprise Architecture Principles; business trends and strategies, technology trends and external factors → new/changed architectural components required due to external factors → Enterprise Architecture Model → implementation of new/changed architecture components (those not project specific)
IT Risk Management with SDLC
✓ Typical System Development Life Cycle stages (shown as a cycle): Start → Development → Operation → Protection → Administration
IT Risk Management with SDLC

SDLC Stage: Start
Stage Characteristics:
• Need for a clear IT system
• Purpose and range of a written IT system
Support from risk management: Identified risks in support of system strategies have been used.

SDLC Stage: Development
Stage Characteristics:
• IT system has been designed, purchased, programmed and/or reconstructed
Support from risk management: Could use defined risks for support of analyses of IT security systems.

SDLC Stage: Operation
Stage Characteristics:
• Designs of security systems must be ready, capable, tested and approved
Support from risk management: The process of risk management supports the evaluation of system operation.

SDLC Stage: Protection
Stage Characteristics: The system operates its own functions and, with adding software and making changes in processes, organization policies and customs, this system will improve.
Support from risk management: Risk management action is used for renewed credit of the periodic systems, or when essential changes in the production-operation environment of a system have occurred.

SDLC Stage: Administration
Stage Characteristics: This stage includes information hardware and software consideration. These actions might consist of activation, filing, rejection or destruction of information.
Support from risk management: Risk management actions in parts of a system will be implemented for assurance of appropriate hardware and software consumption.
Role of Staff
Chief Managers:
• Make certain that necessary resources are applied
• Evaluate results of risk management activities in decision making
• Need to participate and support the program operations
• Aids in reducing risk of the IT mission

Chief Information Officer (CIO):
• Responsible for planning, budgeting and implementation of security
sectors of IT information
Role of Staff
Owners of information and systems:
• Responsible for making sure that prompt controls are in place for
inspection
• Pay attention to homogeneity, trustworthiness and accessibility of IT
systems
• Must know their roles and fully support this process

Operational and Business Managers:
• Responsible for business tasks and IT formation processes
• Must take an active part
• Responsible people who have authority in making decisions
Role of Staff
IT security program managers and computer security officers:
• Play role of a leader
• Identify, estimate the value and risk reductions in IT systems
• Structured approach

IT Security Convoys:
• Comprise network, system and computer professionals, and security
analysts
• Responsible for providing security needs due to changes raised in the
environment in these systems
• Support operation of RM process by identifying and eliminating potential
risks using new security control tools
Role of Staff
Professional Security Coaches:
• Play a role in improving the educational materials
• Critical role as organization staff need to be provided with security
conscious training to minimize possible risks
• Help in laying out policies and guidelines
Controls used
Technical Security Controls:
• These controls may protect against all types of existing threats
• Can become complex compared to simple ones
• System Architecture
• Security packages with combination of hardware, software and
firmware
Controls used
Management Security Controls:
• Has a correlation with technical controls and proper management
• Minimizing risks and protection of the missions of the organization
• Follow policies, guidelines and standards that protect information
throughout the organizational procedures
• Deployed to achieve goals and performance of missions of the
organization
Controls used
Operational Security Controls:
• Set up controls and guidelines to ensure security procedures
monitoring on the appropriate use of organizational assets and IT
resources
Keys to Success
A successful RM program relies on:
1. Top Management Committee
2. Full support and participation of teams of IT
3. Teams of qualified risk assessment who have experience in application
of risk assessment methods
4. Knowledgeable persons and members of the organization
5. Evaluation and estimation of risks associated with the mission
