Information Security in the framework of Enterprise Risk Management (ERM)
Academic year: 2021

(1)

• ERM, a widespread practice in Financial Institutions
• Value-based ERM is driven by shareholder value
• Strategic ERM is driven by the internal control imperative
• Integral part of sound business management
• Originally applied in managing insurance portfolios
• Moves beyond the Financial Risk Agenda and concerns about Strategic and Operational Issues

(2)

• Particularly important to Banking (Basel Committee on Banking Supervision, 2003)
• Regulators guide financial institutions not only by suggesting effective Risk Management Techniques but also by determining what kinds of risk to consider and be held accountable for
• Accountability means setting aside adequate Capital to compensate in accordance with the magnitude of the risks
• International Bank Capital regulation and Corporate Governance are two areas where ERM practices are observable

(3)

• Still, ERM is a rather elusive and under-specified concept
• COSO 2003 forms a framework for diverse implementation techniques applied mainly in internal control
• It requires the prioritization and ordering of the various risk management elements into Manageable Control Cycles and the appointment of Risk Management Officers for implementation, monitoring and improvement
• However, for any given organization, the Risk Management Practices often form a

(4)

The ERM Framework is organized by Risk Type

Hazard risks:
• Liability suits (e.g., operations, products, environmental)
• Fire and other property damage
• Storms and other natural disasters
• Theft and other crime
• Personal injury, disease, disability (including work-related injuries and diseases)
• Business interruption

Financial risks, such as:
• Price (e.g. asset value, interest rate, foreign exchange, commodity)
• Liquidity (e.g. cash flow, call risk, opportunity cost)
• Credit (e.g. default, downgrade)
• Inflation/purchasing power

(5)

The ERM Framework is organized by Risk Type

Operational risks, such as:
• Business operations (e.g. customer satisfaction, human resources, product development, capacity, efficiency, product/service failure, trademark/brand erosion)
• Empowerment (e.g., leadership, change readiness)
• Information technology (e.g. relevance, availability)
• Integrity (e.g., management fraud, reputation)
• Information/business reporting (e.g., budgeting and planning, accounting, pension funds, investment evaluation, taxation)

Strategic risks, such as:
• Competition
• Customer wants
• Demographic and social/cultural trends
• Technological innovation
• Capital availability

(6)

Some Risk Management Process steps apply to each Risk Type individually, and some to all Risk Types, according to the following grid:

[Grid: Process Steps against Risk Types]

Process Steps (rows):
• Establish Context
• Identify Risks
• Analyze / Quantify Risks
• Integrate Risks
• Assess and Prioritize Risks
• Treat / Exploit Risks
• Monitor and Review

Risk Types (columns): Strategic, Operational, Financial, Hazard

(7)

• For enterprises that use IT to support operations, the impact of IT risks must be evaluated against the significance and the value of the business operations being affected
• Traditional financial instruments (like Insurance or Hedging) may prove inadequate compensation mechanisms to cover losses emanating from poor IT security
• Management of IT Risks is transformed from a departmental exercise into a business-wide issue
• The risk management side of a business is integrated into Strategic Planning and Budgeting in a holistic manner
• In this respect, Financing of IT Risk Mitigation is optimized and, more importantly, justified

(8)

• Renowned organizations often identify the trend as "Convergence"
• The term underlines the necessity of bringing together all components that affect an organization's security
• The "Converged" approach enables enterprises to prevent, detect, respond to and recover from various security incidents by cross-examining and bringing together departments, people, processes and technology
• An alliance between leading Security Organizations like ASIS International, ISSA and ISACA studied the trend and witnessed growing interest among senior executives who realize its importance
• The identification of security risks and interdependencies between business functions and processes within the enterprise will lead to the development of new managed processes (ASIS International)
• The complexity and significance increase if we consider Terrorism, Cyber Attacks, Internet Viruses, Identity Theft, Fraud etc.

(9)

Is this of interest to Greek companies? My experience:

• Greek companies listed on U.S.A. stock exchanges have recently faced the challenge of addressing Risk Management at the Enterprise Level by seriously taking into account that their business is IT enabled (SOX compliance …)
• IT risks tend to severely affect the Availability and Continuity of services and resources. Email and critical ERP systems fall into this category (e-bookings …)
• Sharing and exchange of information with critical suppliers is increasing (logistics …)
• Confidential international collaboration is developing (e-data rooms …)
• Integrators that participate in National and International Tenders address the issue of Information Security and Confidentiality on their way to the submission deadline
• Full Service, instant Backup Email Systems are becoming mandatory

(10)

Driving Forces:

• Enterprises are becoming more complex in a global economy
• External partners are increasing (Outsourcing)
• The value of intangible assets and information is increasing in relation to the traditional value of "hard" assets
• Physical and Information security should be combined to deliver a holistic result
• Compliance and Regulatory regimes are growing
• Pressure to reduce costs is increasing

(11)

Security Professionals and IT Strategists need to collaborate with the
• Board
• Process owners
• Process developers
• External stakeholders

in order to
• Conceive Strategies for avoiding potential problems
• Secure Budgets
• Design, Implement, Deliver, Support and Improve Cost Effective Secure Processes for the Extended Enterprise
• Educate and Prepare people for emergencies

at the Enterprise Level

(12)

Bibliography

[1] Enterprise Risk Management in Action. Anette Mikes. London School of Economics. Discussion Paper 35.
[2] Convergence of Enterprise Security Organizations. Booz-Allen-Hamilton.
[3] Linkage of Risk Management, Capital Management, and Financial Management. Aaron Halpert, Leslie Marlo.

Michael A. Vlahakis
Dr. Engineering in Informatics, National Technical University of Athens
Vgenopoulos & Partners Law Firm, IT Director
