8 - Management and Operation of Technology Infrastructure
© Robert G Parker – UW-CISA 2010
Dealing with changing infrastructure environments and the new technologies that are driving business changes and creating risks and management issues
• 40% of respondents were using the cloud
• 20% planned to use the cloud within 24 months
• 22% were in the process of evaluating the cloud
Of the remaining 18%, 6% decided not to use clouds and 12% had no plans to evaluate them.
Source: InformationWeek Analytics
Concerns associated with infrastructure management included:
• Control of data handling systems that are outside of the formal system, such as the use of spreadsheets (13)
• User managed databases that are locally developed and processed within business units but which may lack the rigorous processes typically associated with IT-developed solutions, such as quality reviews, testing, change management and access controls
• Security of data that is or can be stored on portable devices or that is easily moved among stakeholders
Empowered Users
Portable Devices
Business Risks
• Increasing use of cloud computing without an understanding of the associated risks (lack of a cloud risk management strategy)
• Increasing risks associated with the quality and integrity of information processed and presented from these ad hoc systems and applications
• Increased risks of subsequent and ongoing problems caused by incomplete, unperformed, erroneous or unchecked change management procedures
• Lack of security over information moved between various sites, or stored on movable/mobile media
• Lack of control over portable media
Operational / Technology Risk Management
• Implement requirements for, and conduct, a full technology and business risk assessment prior to adopting new technologies
• Where ad hoc systems and applications are integrated into the enterprise’s information systems, ensure that controls exist and are operating to validate the integrity of the information prior to its further use
• Establish, adhere to and monitor rigorous change management procedures
• Implement procedures, such as encryption of information at rest, in transit and while archived, to minimize the risk of an information breach
• Implement and monitor procedures over when portable devices may be used, the types of information that may be placed on them and the security and control restrictions over them
9 - Business Continuity and Pandemic Awareness
The Same Issues
Information technology departments have an obligation to provide services throughout the enterprise. However, they are frequently challenged in developing and testing effective technology disaster recovery plans due to lack of enterprise planning, lack of funding or denial of the potential severity of the risks.
• Lack of meaningful preparedness for a pandemic
• Entity centric continuity plans; inward focus
• Lack of supply chain resiliency, redundancy
• Lack of comprehensive continuity plans
• Plans have not been tested
• Plans are not being maintained
We Dodged the Bullet - This Time!
Lack of meaningful preparedness for a pandemic
• No single point of contact
• Conflicting messages, priorities
• Plans differed by region
• Different groups defined as high risk
• Initially insufficient vaccine
• Numerous individuals not vaccinated
• No instructions for travellers across Canada
• Coughing in the crook of your arm campaign was effective
Entity centric continuity plans; inward focus
Business Continuity Plans frequently address only recovery of the business and its infrastructure:
• Plans do not consider third party infrastructure
• Plans do not consider upstream and downstream impacts
• Plans do not address catastrophes
  • Impact on immediate area
  • Impact on foreign operations
  • Risk mitigation strategies and plans
  • Financial and cash flow issues
  • Impact on franchised operations
A Catastrophe Poorly Handled
For Want of a Nail
The Shoe was Lost
For Want of a Shoe
The Horse was Lost
For Want of a Horse
The Battle was Lost
Lack of Supply Chain Resiliency, Redundancy
For Loss of a Battle
The Kingdom was Lost
Contingency Planning or Catastrophe
Lack of Comprehensive Continuity Plans
Plans Have Not Been Tested
A BCP or DRP that has not been Tested is Not a Valid Plan
It is an Idea of What May Have to be Performed
Plans are Not Being Maintained
An out of date BCP or DRP Likely does not Reflect the Current Environment, Risks, etc.
Relying on an Out of Date Plan Will Likely Not Result in a Successful Outcome
Expansion of the Panama Canal to handle super tankers
Business Continuity Risk Management
• Changing external environment not reflected in BCP-DRP plans
• Lack of understanding of supply chain risks
• Lack of understanding and knowledge of the extent to which upstream and downstream supply and delivery businesses are addressing their BCP-DRP
• Lack of effective communication
• It won’t happen to me
Business Reaction
• Reassess BCP and DRP initiatives
• Implement plans to link BCP-DRP to enterprise and IT risk management initiatives
• Ensure supply chain risks are monitored and assessed
• Implement employee awareness and training programs, newsletters
10 - Impact of the Economy on Information Technology
The financial crisis and the recession that followed resulted in the restructuring of many organizations, including, for many, their Information Technology departments. With the recession waning, concern has been expressed over increasing IT departments’ staffing back to their previous levels.
Concerns over adopting new technologies as a means of controlling costs while meeting the increasing needs for IT:
• Virtualization
• Cloud Computing
• BYOC
Concern over risks of increased fraud and malicious activity; disgruntled employees and lack of control
Concern over controls over outsourcing:
• Intellectual capital, customer information, other information assets
• Contract management - adhering to schedules, providing capacity, scalability
Thank You For Your Interest and Participation
Robert G. Parker