1 / 22

Chapter 15: Assessing Risks in IT Operations

Chapter 15: Assessing Risks in IT Operations. MBAD 7090. Objectives. Understand Risk Assessment Guidance and Standards Enterprise Risk Management (ERM) Internet Risks IT Insurance. Risk Assessment.

kiora
Download Presentation

Chapter 15: Assessing Risks in IT Operations

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Chapter 15: Assessing Risks in IT Operations MBAD 7090 IS Security, Audit, and Control (Dr. Zhao)

  2. IS Security, Audit, and Control (Dr. Zhao) Objectives • Understand Risk Assessment • Guidance and Standards • Enterprise Risk Management (ERM) • Internet Risks • IT Insurance

  3. IS Security, Audit, and Control (Dr. Zhao) Risk Assessment • Risk assessment is a tool or technique for evaluating the level of risk for a given process or function • Jointly done by management and auditors • An ongoing basis • A video: a risk assessment framework

  4. IS Security, Audit, and Control (Dr. Zhao) Guidance and Standards • U.S. National Institute of Standards and Technology (NIST) • Federal Information Processing Standards (FIPS) • Automated Security Self-Evaluation Tool (ASSET) • Government Accounting Office (GAO) • IMTEC 8.1.4: An audit guide for assessing acquisition risk • Assessing the reliability of computer-generated data

  5. IS Security, Audit, and Control (Dr. Zhao) GAO

  6. IS Security, Audit, and Control (Dr. Zhao) GAO

  7. IS Security, Audit, and Control (Dr. Zhao) Guidance and Standards (continued) • AICPA • Statement on audit standards (SAS) • SAS70 service organization • Examples: insurance and medical claims processors, hosted data centers, application service providers (ASPs), and credit processing organizations. • Type I audit: opinion on the fairness of the presentation of the service organization's description of controls • Type II audit: opinion on whether the specific controls were operating effectively during the period under review.

  8. IS Security, Audit, and Control (Dr. Zhao) Guidance and Standards (continued) • ISACA Risk Assessment • Institute of Internet Auditors (IIA) • Risk exposures in four areas • Reliability and integrity of financial and operational information • Effectiveness and efficiency of operations • Safeguarding of assets • Compliance with laws, regulations, and contracts

  9. IS Security, Audit, and Control (Dr. Zhao) COSO Enterprise Risk Management (ERM) • ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

  10. IS Security, Audit, and Control (Dr. Zhao) Traditional Risk Management • Silos: manage risks in separate compartments • Insurance risk, technology risk, financial risk, environment risk, etc. • Lack of enterprise wide coordination • Lack identification of emerging risks

  11. IS Security, Audit, and Control (Dr. Zhao) ERM Process • Identify • Formal audit or inspection • Operations process flowchart • Financial statement analysis • Risk analysis questionnaires • Measure • Critical • Important • Unimportant

  12. IS Security, Audit, and Control (Dr. Zhao) ERM Process • Monitor • Control • Avoidance: possibility/practicality • Prevention • Reduction • Transfer: insurance/contractual management • Retention

  13. IS Security, Audit, and Control (Dr. Zhao) Why ERM • Organizational Oversight • Magnitude of problem • “Especially in the area of asset-liability modeling and treasury management models to manage risks in the higher volatile capital markets’ activity of derivative trading and speculation.”

  14. IS Security, Audit, and Control (Dr. Zhao) Why ERM (continued) • Increased business risks • Technology and the Internet • Increased worldwide competition • Free trade and investment worldwide • Complex financial instruments • Deregulation of key industries • Changes in organizational structures from downsizing, reengineering, and mergers • Increasing customer expectations

  15. IS Security, Audit, and Control (Dr. Zhao) Why ERM (continued) • Regulatory issues • Recommended by the Basel Committee • Market factors • Meeting shareholder expectations • Corporate governance • A video: ERM system

  16. IS Security, Audit, and Control (Dr. Zhao) A Case • Microsoft has a campus of more than 50 buildings in the quake-prone Seattle area and therefore earthquakes are a risk. • Q: Please take a holistic perspective in identifying risks of an earthquake.

  17. IS Security, Audit, and Control (Dr. Zhao) Web Issues • Risks • Intruders • Hackers • Unauthorized access

  18. IS Security, Audit, and Control (Dr. Zhao) Web Controls • Security policies and procedures • Permissive policy: allowing all traffic to flow between the internal network and the Internet except that which is explicitly disallowed • Prudent policy: selectively allow traffic that is explicitly allowed by the protocol and excludes any other

  19. IS Security, Audit, and Control (Dr. Zhao) Web Controls (continued) • Firewalls • A system that control the traffic flow between the Internet and a company’s internal resources • A video • Encryption • Encode/decode the original information • A video

  20. IS Security, Audit, and Control (Dr. Zhao) IT Insurance • What can be insured? • An object with sufficient number and quantity to allow a reasonable close calculation of probable loss • Accidental loss • Losses must be capable of being determined and measured • Minimal catastrophic hazard

  21. IS Security, Audit, and Control (Dr. Zhao) Insurable vs. Not Insurable Risks Insurable Risks Not Insurable Risks • Property risks • Personal risks • Legal liability risks • Market risks • E.g., season price changes • Political risks • E.g., war or overthrow of the government • Production risks • E.g., failure of machinery

  22. IS Security, Audit, and Control (Dr. Zhao) IT Insurance Selection • Identifying risks • Estimating probability of loss and size of loss • Select the best and most cost-effective method to manage risk and loss • Tax consideration • Opportunity cost of funds • An example

More Related