
INFORMATION TECHNOLOGY (IT) RISK
Elmar C. Francisco, MSEE
Risk Management

ELMAR C. FRANCISCO
- Former Operations Support Lead, Hewlett-Packard Asia Pacific
- Former Systems Administrator, Hewlett-Packard Asia Pacific (Unix/Linux)
- Former Systems Administrator Technical Lead, Indra Systems Philippines as a service provider for Globe Telecom Information Systems Group
- Currently a Faculty Researcher at TUP-Manila
- Research Interest: Printing Systems, Internet-of-things, Image Processing
- MS Electrical Engineering major in Electronics Engineering, ITILv3 Foundations Certified, Registered Electronics Engineer
IT RISK DEFINITION
- The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of occurrence of an event and its consequence (ISO, 2008).
- Any risk to information technology

Ref: ISO/IEC, "Information technology -- Security techniques -- Information security risk management", ISO/IEC FDIS 27005:2008
IT RISK MANAGEMENT
- Strategic process of administering the assessed risk
- Risk assessment focuses on identifying, quantifying, and prioritizing risks
- The goal of risk management is to manage the risks across the agency
- IT risks are special because they can take down the entire business

Ref: http://karimabadi.ca/it-risk-management/

ENTERPRISE IT MANAGEMENT
ASPECTS OF IT RISKS

Ref: http://karimabadi.ca/it-risk-management/
DATA PRIVACY ACT OF 2012
- AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES

DATA PRIVACY ACT OF 2012
- Companies with at least 250 employees, or with access to the personal and identifiable information of at least 1,000 people, should register with the National Privacy Commission and comply with the Act
- All personal information must be collected for reasons that are specified, legitimate, and reasonable.
- Personal information must be handled properly. Information must be kept accurate and relevant.
- Personal information must be discarded in a way that does not make it visible and accessible to unauthorized third parties.
ITIL
- Information Technology Infrastructure Library (ITIL) is a library of volumes describing a framework of best practices for delivering IT services (CIO.com)
- ITIL v3 focuses on business and IT integration (hardemancountryschools.org)

VOLUMES OF ITIL (BMC.COM)
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
INCIDENT MANAGEMENT
- Aims to restore normal service operation as quickly as possible and minimize the adverse effect on business operations
- Incident - unexpected disruption to a service (freshservice.com)
- e.g. Unexpected Server Reboot or Shutdown, Server Hang, Application not running, application slowdown, network down

EVENT MANAGEMENT
- Event - any detectable or discernible occurrence that has significance for Infrastructure or delivery of service (warning, information, error)
- e.g. CPU/memory utilization exceeds threshold, tape backup finished, backup not running
REQUEST FULFILLMENT
- Fulfillment of Service Requests
- Service Request examples – Password reset, account creation and deletion, minor software installation, system reporting beyond what is usual (k, Zab)
SAMPLE PRIORITY MATRIX
PRIORITY MATRIX (IMPACT VS URGENCY)

Impact
- 1 High – widespread
- 2 Medium – department level
- 3 Low – single/few users

Urgency
- 1 High – damage is highly time sensitive (several VIP)
- 2 Medium – increases considerably over time (few VIP)
- 3 Low – only marginally increases over time (no VIP)
PRIORITY MATRIX EXERCISE
- Office 365 student login failed
- Computer of TUP President hangs
- Unable to send email attachment
- TUP No WiFi
- No Office LAN
- Unexpected Data Cap of one user
- No *143#
- Billing Computation System Failure

For each item, assign Urgency (High, Medium, Low) and Impact (H-Widespread, M-Moderate, L-Limited)
CASE 1: ONE-CHARACTER DISASTER
- A bank server inside a Telecom Datacenter has the application not running properly
- Stakeholders are now in a conference including the Application team and the SysAd
- SysAd needs to restart the server remotely (work from home)
- SysAd forgets to enter the "r" option in the command line (r means reboot)
- SysAd goes to Makati Datacenter to press the button
- Effect: Delayed restoration of service, unnecessary effort
PROBLEM AND CHANGE MANAGEMENT
- Problem management aims to resolve the root causes of incidents and thus to minimize the adverse impact of incidents
- Change management is the discipline that guides how we prepare, equip and support individuals to successfully adopt change in order to drive organizational success and outcomes.

(imgur)
ROOT-CAUSE ANALYSIS TECHNIQUES: FIVE-WHY'S
- Why? - Fail in one subject
- Why? - Fail in the final exam
- Why? - Mind and body not conditioned
- Why? - Two hours of sleep
- Why? - Facebook until 3AM

Solution: Management of Social Media Time or Deactivate FB before final exam, Focus, Use time management tools
ISHIKAWA DIAGRAM (FISHBONE)

From ASQ
SERVICE-LEVEL MANAGEMENT
- Service-level management provides for continual identification, monitoring and review of the levels of IT services specified in the service-level agreements (SLAs)
- A service-level agreement (SLA) is a commitment between a service provider and a client (e.g. Internet service providers and telcos)
KEY PERFORMANCE INDICATOR (KPI)
- Evaluate the success of an organization or of a particular activity
- Green – above threshold
- Yellow/Orange – within threshold range
- Red – below threshold
RESPONSIBILITY ASSIGNMENT MATRIX (RACI CHART)
- Responsible (also Recommender) - Those who do the work to complete the task
- Accountable (also Approver or final approving authority) - The one ultimately answerable for the correct and thorough completion of the deliverable or task
- Consulted (Consultant or counsel) - Those whose opinions are sought
- Informed - Those who are kept up-to-date on progress
FOUR-EYES PRINCIPLE
- The four-eyes principle is a risk control technique that requires two people to be physically present in the same place when an activity occurs.
CASE 2: CBA COMPUTER OUTAGE (2012)
- CBA was hit with an IT outage due to a faulty software patch that left some of its branch offices operating at limited capacity.
- CBA is a platinum account of HP, who is in charge of their outsourced IT services
- Urgency: Critical
- Impact: Widespread
- Effect: 95% of the branches of CBA had limited capability on that day; CBA Union demands performance target adjustments
- https://www.zdnet.com/article/cba-outage-a-wake-up-call-for-hp-analysts/
CASE 3: CEBU PACIFIC STOCK PRICE SPIKE
- Shares of Cebu Air, Inc. jumped Wednesday to hit the ceiling price in the morning trade, recovering from a sharp drop reportedly caused by a trading error.
- Shares of the Philippines' largest budget carrier climbed P29 or 50% to P87 apiece Wednesday morning.
- Cebu Air dropped 38% to close at P58 each on Tuesday
- The broker confirmed it was a "trader error", costing millions of losses and a shock between PSE traders

Ref: Philstar (July 10 2019)
CONCLUSION
- In this age of globalization, 4th Industrial Revolution and information age, data is becoming increasingly significant in every aspect of our lives. Hence, processing, transfer and retrieval of both personal and institutional information and technology is already a necessity. Indeed, data is the new oil.

XIE XIE !!! ☺
