Enterprise Risk Management & IT Compliance March 30, 2010 Presented by: Ken Rowe, Director Enterprise Systems Assurance & Chief Security Officer University.

Slides:

Advertisements

Similar presentations

Risk Management at Harvard – Panel Discussion Harvard IT Summit

Advertisements

Risk The chance of something happening that will have an impact on objectives. A risk is often specified in terms of an event or circumstance and the consequences.

Internal Control–Integrated Framework

Lisanne Sison Director ERM Bickmore

IMFO Audit & Risk Indaba June 2012

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Control and Accounting Information Systems

Agency Risk Management and Internal Control Standards Presentation to the Board of Visitors November 14, 2014.

Executive Insight through Enhanced Enterprise Risk Management Leverage Value From Your Risk Management Investment.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

2011 Governance, Risk, and Compliance Conference August 29 – 31, 2011 / Orlando, FL, USA The Top Four Essential Objectives to Auditing ERM Stephen E. McBride,

Operational risk management Margaret Guerquin, FSA, FCIA Canadian Institute of Actuaries 2006 General Meeting Chicago Confidential © 2006 Swiss Re All.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

ERM for the Non-Risk Manager

Risk Assessment Frameworks

CORPORATE RISK MANAGEMENT & INSURANCE BY R P BLAH D.G.M. INCHARGE THE ORIENTAL INSURANCE COMPANY LIMITED REGIONAL OFFICE BHUBANESWAR.

Sarbanes-Oxley Project Summary of COSO Framework Presented by Larry Dillehay & Scott Reitan Parkfield Group LLC.

Information Systems Controls for System Reliability -Information Security-

©2013 CliftonLarsonAllen LLP cliftonlarsonallen.com See CLA PowerPoint User Guide for instructions to insert an image or change the icon on the business.

Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

The Government Finance Officers Association

Information Technology Audit

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

© Compliance Aid 2011 ADOPTING A SYSTEM OF CONTINUOUS RISK MANAGEMENT 1.

The role of internal audit in enterprise-wide risk management (ERM)

Audits & Assessments: What are the Differences and How Do We Learn from the Results? Brown Bag March 12, 2009 Sal Rubano – Director, Office of the Vice.

Chapter 3 Internal Controls.

RISK ASSESSMENT 2010/2011 M.J Ramakgolo. THE PURPOSE The aim of the risk assessment session is to develop the Strategic Risk Profile for the municipality.

1 Enterprise Risk Management (ERM) Program PNM Resources, Inc. March 29, 2007 Presentation to American Public Power Association March 2007 Austin, Texas.

IT Risk Management, Planning and Mitigation TCOM 5253 / MSIS 4253

Stephen Vink Senior Vice President Group Risk Management and Internal Audit Lessons learned from ERM.

Building a Corporate Risk Culture Shane Troyer, CPA, CIA, CFE, CISSP Principal Operational Advisory Joost Houwen, CISA,

Enterprise Risk Management

The Chicken or the Egg: A study of Risk Management and Strategic Planning Presented by Raven Henderson Raven Lane, LLC.

Monitoring Internal Control Systems Johann Rieser Senior Auditor, Ministry of Finance, Vienna.

Internal Control in a Financial Statement Audit

Agency Risk Management & Internal Control Standards (ARMICS)

Risk Management For the Board of The Law Society 16 February 2005.

Private & Confidential1 (SIA) 13 Enterprise Risk Management The Standard should be read in the conjunction with the "Preface to the Standards on Internal.

The Connection between Risk Management and Internal Control in Organizations Mag. Norbert Wagner Budapest,

Enterprise Risk Management Chapter One Prepared by: Raval, Fichadia Raval Fichadia John Wiley & Sons, Inc

© 2003 DelCreo, Inc. All rights reserved. | U.S. Toll-free 866.DELCREO | International 001/ |

Bank Audit. Internal Audit Internal audit is an independent, objective assurance activity and can give valuable insight in providing assurance that major.

RISK MANAGEMENT : JOURNEY OR DESTINATION ?. What is Risk? “ Any uncertain event that could significantly enhance or impede a Company’s ability to achieve.

McGraw-Hill/Irwin © 2003 The McGraw-Hill Companies, Inc., All Rights Reserved. 6-1 Chapter 6 CHAPTER 6 INTERNAL CONTROL IN A FINANCIAL STATEMENT AUDIT.

Chapter 9: Introduction to Internal Control Systems

Information Security IBK3IBV01 College 2 Paul J. Cornelisse.

CAS Spring Meeting June 2007 Introduction to ERM …The Measurements, Quadrants, Tools, and Solutions Prof. Mark C. Vonnahme Fox Family Clinical Professor.

Managing Uncertainty, Creating Opportunity Enterprise Risk Management J. Brown, CEO.

Deck 5 Accounting Information Systems Romney and Steinbart Linda Batch February 2012.

1 COSO ERM Framework Update Our Next Challenge and Opportunity September 2015.

The Role of the CRO in ERM Networking Evening Colin Ledlie 12/05/08.

Dolly Dhamodiwala CEO, Business Beacon Management Consultants

Information Security Office: Function, Alignment in the Organization, Goals, and Objectives Presentation to Sacramento PMO March 2011 Kevin Dickey.

Company LOGO Chapter4 Internal control systems. Internal control  It is any action taken by management to enhance the likelihood that established objectives.

Lecture 5 Control and AIS Copyright © 2012 Pearson Education 7-1.

#127 – Risk Management Basics Deborah Frazer, CPA CISA CISSP Senior Director, Internal Audit PalmSource, Inc.

Chapter 6 Internal Control in a Financial Statement Audit McGraw-Hill/IrwinCopyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.

SUNY Maritime Internal Control Program. New York State Internal Control Act of 1987 Establish and maintain guidelines for a system of internal controls.

JMFIP Financial Management Conference

Information Security Program

ENTERPRISE RISK MANAGEMENT IN THE CASE OF THE FINANCIAL SERVICE SECTOR

Office 365 Security Assessment Workshop

With current ethical challenges, is it safe to say Risk Management processes are responsive to an accountable government? CIGFARO- AUDIT &RISK INDABA.

Understanding the Principles and Their Effect on the Audit

COSO and ERM Committee of Sponsoring Organizations (COSO) is an organization dedicated to providing thought leadership and guidance on internal control,

Internal Audit & Enterprise Risk Management

Internal control - the IA perspective

In the attack index…what number is your Company?

Presentation transcript:

Enterprise Risk Management & IT Compliance March 30, 2010 Presented by: Ken Rowe, Director Enterprise Systems Assurance & Chief Security Officer University Office of Administrative Information Technology Services

Why Traditional Practices Fail  Traditional Security Perspective  Enclave-based  Technology-focus  Enterprise Risk Management (ERM)  Security as an IT Enabler  Compliance Requirements  Risk Assessment  Data-Centric Security  Limitation of Enclaves  Insufficiency of Malware Protection  Data approach

Beyond Enclaves  Necessity of the Enclave  Strong Security Architecture of the Data Center  Multiple Levels / Control Points  Changing Landscape  Internet-facing Services  Clouds  PDAs  Data Migration

Does Security Benefit the Business  Do you understand the Business Strategic Plan?  Enterprise Risk Management (ERM)  Functional Business Risk  Compliance Risk  PCI DSS, HIPAA, SOX, GLBA, FFIEC, FTC Red Flag, FCRA, FOIA  Include Lost Opportunity Cost  Assessing Risk  Vulnerability Scanning Leads to Technical Risk Statements  Always evaluate risk in terms of the Business  Threat / Vulnerability / Impact => Risk

Enterprise Risk Management  COSO Definition Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.  Enterprise Risk Management (ERM)  Aligning Risk Appetite and Strategy  Enhancing Risk Response Decisions  Reducing Operational Surprises and Losses  Identifying and Managing Multiple and Cross-Enterprise Risks  Seizing Opportunities  Improving Deployment of Capital

Compliance Example - GLBA Designate one or more employees to coordinate its information security program Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks Design and implement a safeguards program, and regularly monitor and test it Employee Management and Training. Information Systems. Detecting and Managing System Failures. Select service providers that can maintain appropriate safeguards Evaluate and adjust the program in light of relevant circumstances

Taking a Data-Centric Approach  Data at Rest / in Motion / in Use  Encompass full range of data  Address Compliance  Who / What / Where / Why  Least Privilege  Segregation of Duty  Responsive Controls  Data Classification  Establishing Business Owners / Delegation  Acceptable Risk Levels  Enforcement

Summary  Business Oriented  ERM Perspective  Address Compliance  Vision for Data-centric  Prioritize Technologies

Summary  Business-Oriented  ERM Perspective  Address Compliance Needs  Vision for Data-centric  Prioritize Technologies

Questions?