
Department of Public Service Delivery (DPSD)

ICT Operations Assurance Plan 2015

Version 0.9

31 May 2015

Document Approval

Name / Title    Sign-off    Date

Recommended by Chief Information Officer

Recommended by Head of Agency Risk / Assurance

Approved by Chief Executive

Received and filed by GCIO ICT Assurance

IMPORTANT: This document provides an illustrative example of a populated ICT operations assurance plan and does not reflect the actual risks or controls of a particular agency. Agencies using this template must determine what assurance activities are required based on their own assessment. Sample text in this document should not be used in actual assurance plans unless it reflects the true position of the agency. All names of individuals in this document are fictional.

DOCUMENT CONTROL

Document History

Version Issue Date Author Description of Changes

0.1 31/1/15 Jim Riskowner Initial draft

0.2 15/2/15 Jim Riskowner Inserted risks and ratings

0.3 18/2/15 Jim Riskowner Populated schedule

0.4 20/2/15 Jim Riskowner Updated schedule

0.5 3/3/15 Jim Riskowner Updated schedule

0.6 3/4/15 Robert Chackitout Updated schedule

0.7 1/5/15 Paul Schmidt Updated schedule

0.8 15/5/15 Maria Veracruz Inserted references to attachments

0.9 31/5/15 Jim Riskowner Draft to GCIO

Key Contacts

Name    Title    Contact Details

Robert Chackitout    Chief Information Officer    04 000 0000

Jen Locktight    Chief Information Security Officer    022 000 000

Jude Gardner    Head of Risk / Assurance    022 000 001

Jim Riskowner    Principal IT Risk Advisor    04 000 0000, 027 000 0000

FY 2016 Assurance Plan – Version 0.9 (Web SAMPLE) 31 May 2015 Page 2 of 24

This is an illustrative example only – it should not be taken as a benchmark or government policy

Table of Contents

1. CONTEXT ... 4
1.1 Key Objectives and Outcomes ... 4
1.2 Scope and Approach ... 4
1.3 Key Risks ... 5
1.4 Roles, Accountability and Responsibilities – Overall Plan ... 6
1.5 Monitoring and Reporting Process ... 7
1.6 Referenced Documents ... 8
2. ASSURANCE SCHEDULE OVERVIEW ... 9
2.1 Assurance Approach ... 9
2.2 Lessons Learned ... 9
2.3 Decisions / Assumptions ... 10
2.4 Roles, Accountability and Responsibilities – Individual Activities ... 10
2.5 Assurance Budget ... 11
2.6 Assurance Schedule ... 11
3. DETAILED ASSURANCE SCHEDULE ... 12


1. CONTEXT

1.1 Key Objectives and Outcomes

The objective of this document is to outline how over the course of FY16 our agency will obtain confidence that ICT operations will support and enable our agency’s key business objectives.

In order to carry out its mandate of managing key risks and system-wide risks, the Government Chief Information Officer (GCIO) has required that all departments and agencies submit ICT operations assurance plans covering significant risk areas by 30 June 2015.

ICT risks are business risks

In fulfilling our mandate to deliver services to the public, we depend on the effective, secure and reliable operation of our ICT systems. In addition, opportunities frequently arise to leverage technology to improve our business outcomes. We must be able to both maintain the operation of our existing ICT systems, and be in a position where our agency’s leaders can confidently take advantage of technology-enabled opportunities.

Our business, operational, and support functions face a number of risks due to their reliance on ICT to both support and enable their objectives. Some risks have negative consequences, and some are clear opportunities. Good management of risks, embedded in all business decisions, helps ensure we are efficient, effective, and focussed on the outcomes that matter most to those we serve.

Following our organisation’s risk management framework and methodology, we continually assess our ICT operations risks and apply mitigations to bring risk within an acceptable tolerance.

This ICT Operations Assurance Plan outlines the assurance activities planned for FY15/16 to provide objective evidence that controls and other mitigations are working. These activities may include, for example: analysis of information obtained through monitoring, routine or special reviews by management or governance bodies, and audits / reviews by internal or external parties.

In the area of ICT security, our agency has been responding to surveys by the GCIO which have sought information on our governance, policy, and controls for securing publicly accessible systems. In our responses to these surveys we have committed to achieving a “3” on the survey’s maturity scale by March 2015. A “3” indicates:

A structured IT security assurance programme is in place. The programme is approved and regularly reviewed by an independent governance group.

This plan, with its strong focus on ICT security, will fulfil our commitment to having a structured programme of assurance in place.

1.2 Scope and Approach

This assurance plan is part of the agency’s overall risk management and assurance approach, and specifically covers ICT operations risk areas: i.e. business-as-usual (non-project) risks related to the technology with which we manage and transmit our information.

The GCIO has informed us of the top 5 system risk areas self-identified by agencies in its ICT Operations Risk Survey, which took place in March 2014. These are:

- Information Security Management (including the security aspects of Privacy)
- Service Continuity Management
- Service Portfolio Management
- Capacity Management
- Supplier Management.

Our Senior Leadership Team has confirmed that these top 5 risk areas are indeed the significant risk areas for our organisation. We have over 30 critical operational systems, including 15 public-facing systems, and our reputation and ability to deliver services depends on these systems being secure and available. In addition, we can increase our effectiveness and return on investment by strategically managing our service portfolio and the capacity of our systems and people. Finally, with more of our systems and support being outsourced, including to the ‘cloud’, we need to have confidence in our own ability to confirm that our suppliers meet expectations, and to obtain assurance from them.

Our assurance planning process will continue to evolve over at least the next three years. As we proceed along the journey toward risk management and assurance maturity, we will bring other areas of ICT operations into our formal annual plans. While this year we have prioritised and are including the highest risk areas in the formal plan, there are many other assurance activities occurring regularly across other ICT operational areas.

As described in Section 2.1, in collaboration with stakeholders, we have arrived at this plan by:

- Identifying our specific risks within each of the top 5 risk areas
- Determining what assurance activities were already planned
- Identifying where there were assurance gaps
- Deciding which assurance activities would be most valuable to add or revise over the coming year.

We then created a schedule of assurance activities for FY15/16 that is achievable and, most importantly, will be of value to decision makers.

1.3 Key Risks

As a result of the process described in Section 1.2, at a high level, and within the “top 5” risk areas, we identified the following key risks:

Key Risks    Current Risk Rating

1. Information may be accessed / accessible by unauthorised person.    High

2. Our ICT services could be providing greater value.    High

3. Capability / capacity to provide IT services may be lost following a disaster / outage.    High

4. Suppliers may not be protecting our information (including DR).    High

5. Suppliers may not perform and/or opportunities to increase value may be missed.    High

6. We may not have enough staff with the right skills to meet our objectives related to ICT.    Moderate

7. Staff may be using unlicensed software and this may result in a legal penalty or security breach.    Moderate

8. Current suppliers may not be able to continue to meet business needs into the future.    Moderate

9. ICT systems may not provide sufficient storage and performance.    Moderate

1.4 Roles, Accountability and Responsibilities – Overall Plan

The table below outlines the key roles and responsibilities in developing and managing this plan.

1. Accountability

Overall accountability for the assurance plan. Acceptance of the residual business risk.
    Chief Executive (Helen Beck)

2. Responsibility

2i. Preparation

Preparation / sign-off of the assurance plan (annually).
    Chief Information Officer (Robert Chackitout)

Recommendation of the assurance plan to the Chief Executive.
    Chief Information Officer (Robert Chackitout)
    Head of Risk / Assurance (Jude Gardener)

2ii. Monitoring

Ongoing monitoring of progress against this plan, and the consolidated results of the assurance activities.
    Chief Information Officer (Robert Chackitout)

Updating the plan mid-cycle in response to changing priorities.
    Chief Information Officer, in consultation with Head of Risk / Assurance (Jude Gardener)

Tracking of action items (such as control improvement initiatives and remediations).
    Chief Information Officer (Robert Chackitout), to be provided status updates monthly by assigned action owners

2iii. Reporting

Approval of monthly assurance summary report (see Section 1.5).
    Chief Information Officer (Robert Chackitout)
    Head of Risk / Assurance (Jude Gardener)

Preparation and distribution of monthly assurance summary report (see Section 1.5).
    Principal IT Risk Advisor

Reporting of assurance results to the Risk and Audit Committee.
    Head of Risk / Assurance (Jude Gardener)

2iv. Quality

Quality of plan and monthly assurance reporting.
    Chief Information Officer (Robert Chackitout)

3. Contributing

Contributing to the plan, confirming the scope / timing of assurance activities they sponsor.
    Chief Information Officer (Robert Chackitout)
    Chief Information Security Officer (Jen Locktight)
    Privacy Officer (Tina Flavell)
    Chief Operating Officer (Simon Weyland)
    Head of Risk / Assurance (Jude Gardener)
    Manager, Internal Audit (Cynthia Cho)

1.5 Monitoring and Reporting Process

The results of each assurance activity will be reported to stakeholders as detailed in the terms of reference, standard operating procedure, or other document that defines each activity. A list of those to receive the results must be agreed for each activity.

In addition, assurance providers must send the results of completed assurance activities to the CIO and Principal ICT Risk Advisor as soon as the results are finalised, or sooner if the results indicate a serious issue or urgent opportunity. On a monthly basis, the Principal ICT Risk Advisor (in the Office of the CIO) will compile these results into a Monthly ICT Operations Assurance Summary for the CIO.

The Monthly ICT Operations Assurance Summary will include at a minimum:

- Progress against the plan (are the assurance activities on schedule? on budget?)
- Key results from the previous month (summary)
- Indication of increasing or decreasing confidence in controls over each key risk from Section 1.3 (key risk dashboard)
- Any new risks identified (with a summary of how these were escalated / recorded)
- Any new adjustments needed to assurance or controls (with action plans)
- Challenges and successes.

The CIO and Head of Risk / Assurance will review and approve the Monthly ICT Operations Assurance Summary, directing where necessary on any new risks or adjustments to the plan. Copies will then be made available to the Senior Leadership Team and the Chief Executive.

The Head of Risk / Assurance will report quarterly to the Risk and Audit Committee on the progress of the ICT Operations Assurance plan, and escalate to the Risk and Audit Committee any critical risks. Protocols for this reporting have been added to the Internal Audit and Risk charters, and supporting procedures documents.

Notwithstanding the above process, any significant new risks or assurance information must be escalated immediately to the appropriate level. In some cases it will be appropriate to communicate assurance results and/or key risks (including opportunities) to the GCIO to support its system-wide view; the scope of this reporting will be agreed with the GCIO.

The results of the assurance activities, and lessons learned from the process, will be used to inform the development of the FY16/17 Annual ICT Operations Assurance Plan, which will be developed beginning in February 2016 and completed by 30 June 2016.


1.6 Referenced Documents

Appendix 1 – Final Risk and Mitigation Register, May 2015

Appendix 2 – Risk Appetite statement, January 2015


2. ASSURANCE SCHEDULE OVERVIEW

2.1 Assurance Approach

To develop the assurance schedule for FY15/16, we first sought to understand the relevant risks within each of the top 5 areas. We liaised with Risk, Internal Audit, managers, the Senior Leadership Team and other stakeholders to collect information on risks and controls they had already identified. For new risks or risks that were not yet rated, we worked with stakeholders to evaluate the risks, with due consideration of the “risk appetite” of our agency, and identified controls.

Next, we sought to determine what activities were already planned or underway to give us assurance the controls are managing the risks. Through this process, we identified some areas where we felt there was not enough assurance in place, and other areas where different assurance providers would be duplicating assurance effort.

Where there were gaps, we worked with assurance providers to identify new activities to give us the assurance we need. We also identified actions for further improving controls. Throughout the process, we consulted key internal and external stakeholders to understand their assurance expectations.

We then created a schedule of assurance activities for FY15/16 that is achievable and, most importantly, that will be of value to decision makers.

2.2 Lessons Learned

As this is our first annual plan, we are not carrying over lessons learned from a previous year. However, our Chief Information Officer and Head of Risk / Assurance attended several GCIO workshops in which other agencies shared the lessons they had learned in developing and implementing formal assurance plans.

Agencies reported that key to the success of an operations assurance plan is good engagement between ICT and the business on risks. Those responsible for implementing this plan should help the business and ICT understand and agree to the linkage between business objectives and ICT risks. In this way ICT staff will have greater appreciation for the business goals ICT supports, and business managers will have a better appreciation of how ICT risks impact their goals. If this is done well, it will be clear that assurance planning is not a compliance exercise, but a driver of value for the organisation.

In developing this plan we held three workshops with business and ICT management stakeholders and team leaders to discuss the linkage between business goals and ICT risks. These were valuable discussions that helped those who will direct ICT assurance activities better understand the current priorities of business managers. The discussions also helped shape the focus, frequency and scope of assurance activities for the upcoming year. The business managers who participated obtained a better understanding of the ICT risks and opportunities that underlie the initiatives and deliverables that are top of mind for them. Following the workshops, we saw increased engagement and more frequent discussions between ICT and the business at multiple levels, reflecting a new, common understanding of risk and the value of assurance.


2.3 Decisions / Assumptions

Due to a limited assurance budget, we were not able to include in our FY15/16 schedule assurance activities covering all the controls and other mitigations that work to keep our risk within an acceptable level.[1]

For example, we were only able to schedule limited coverage of the moderate risk areas in scope (areas 6-9 in Section 1.3). However, we have planned at least one assurance activity in each area.

We note that in many areas of ICT, new controls are being embedded to bring the level of risk within the “risk appetite” expressed by the Senior Leadership Team (Appendix 2). Implementing these controls has a cost, as does providing for continued assurance over them. Some of this cost can be recovered through efficiencies identified through the assurance activities themselves (e.g. some assurance activities pay for themselves).

Better management of the service portfolio and supplier management are two areas in scope where the assurance investment is most likely to result in tangible cost savings and direct financial value to ICT and the agency in the near and long term.

2.4 Roles, Accountability and Responsibilities – Individual Activities

As discussed above, many parties will be involved in providing the required assurance, including:

- Front line staff – Routine checks.
- Management – Monitoring and upward reporting of KPIs, risks and issues.
- Service desk – Aggregate reporting on events, incidents, and problems.
- Risk team – Risk registers, operational monitoring reports and deep-dive reviews to help us manage risk.
- Security team – Oversight on patch levels, vulnerabilities, security incidents, and other areas.
- Privacy team – Breach reporting and analysis by which we can assess our privacy controls.
- Internal audit – Scheduled ICT audits according to the three-year internal audit plan.
- External audit – External audit procedures which may provide assurance.
- Security contractor – Services such as independent controls testing and penetration testing to help us identify exposures.
- Data centre provider – Monitoring reports, notifications, and SLA reporting as agreed. Also provides annual “SOC2” assurance reports which independently confirm its controls are in place.
- Supplier manager – Monitoring the performance of suppliers, including obtaining assurance from them.
- Management consultants – Assessments of where we can achieve more value for our ICT investment, and better align our initiatives to our strategic and operational goals.
- External agencies / regulators – Views on compliance and risk within the context of their mandates.
- GCIO – Shared information on system-wide risks, lessons learned, assurance guidance.

For each activity, there will be two primary functional roles as follows:

- The activity owner, or sponsor, will be the management-level employee or executive who must ensure that the assurance activity is carried out and that the results are delivered according to a terms of reference or similar agreement.

- The assurance provider is responsible for carrying out the activity according to the terms of reference, and delivering results in a timely manner.

[1] This response is to illustrate that GCIO expects agencies to report any difficulties in meeting assurance requirements, including resource constraints. A statement like this would likely be followed up with discussions with GCIO as to whether the decision to delay the needed assurance is reasonable.

Specific activities and deliverables are listed in the Assurance Schedule (Section 3).

2.5 Assurance Budget

The estimated cost of the FY15/16 assurance activities is as below. This amount comes from various departmental budgets, including Risk, Internal Audit, and other functional teams, in addition to ICT, and is a rough estimate of the cost only. The estimate does not include assurance costs borne by suppliers.

Although risk and assurance are ultimately part of everything we do, the amount below does not include the cost of all controls or routine risk management activities embedded in business-as-usual operational processes. It includes only the assurance activities that report upward to give us confidence that our controls and mitigations are working.

Estimated Assurance Cost (NZD): $xxx,xxx

2.6 Assurance Schedule

Refer to Section 3 for the schedule of assurance activities planned for FY16.


3. DETAILED ASSURANCE SCHEDULE

Below are the assurance activities that will occur in FY16 over ICT Operations. Each entry gives: Risk Area (see Legend); Assurance Activity; Control Objective; Specific Activity and Deliverable; Owner; Assurance Provider; Frequency / Timing; Key Risk (High / Medium).

Risk area: 1, 3
Assurance activity: User access reviews
Control objective: Access to network / system / folders is authorised.
Specific activity and deliverable: ICT sends list of current users to department heads and supplier managers, also noting users with remote access. Department heads review and sign off attesting that access for users in their area is appropriate. Exceptions must be noted with evidence of follow-up attached. ITSM reviews for completeness.
Owner: CIO
Assurance provider: Department heads, supplier managers; ITSM reviews for completeness.
Frequency / timing: Quarterly
Key risk: Information may be accessed / accessible by unauthorised person. Staff may be using unlicensed software and this may result in a legal penalty or security breach.

Risk area: 1
Assurance activity: Remote access token audit
Control objective: Remote access is authorised.
Specific activity and deliverable: Physical stocktake of remote access tokens and comparison with token register maintained by ICT.
Owner: ITSM
Assurance provider: Security team
Frequency / timing: Q2 (Annual)
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1
Assurance activity: User access controls audit
Control objective: Logical access is generally well-controlled.
Specific activity and deliverable: Review of the design and effectiveness of user access controls. Internal Audit produces a report with recommendations. Management (department heads) are responsible for providing a response and remedial actions for any findings.
Owner: Manager, Internal Audit; Department heads (response and actions)
Assurance provider: Internal audit
Frequency / timing: Q3 (Tri-annual)
Key risk: Information may be accessed / accessible by unauthorised person.

Legend: Key risk areas = (1) Information Security Mgmt.; (2) Service Continuity Mgmt.; (3) Service Portfolio Mgmt.; (4) Capacity Mgmt.; (5) Supplier Mgmt.

Risk area: 1
Assurance activity: Encryption testing
Control objective: Data is encrypted as per our security standards.
Specific activity and deliverable: Security staff run a series of tests on network segments or functions where encryption is required.
Owner: ITSM
Assurance provider: Security team
Frequency / timing: Q1, Q4 (Twice yearly)
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1
Assurance activity: Review of privileged user access (logs)
Control objective: Super-user access to the network, operating system and direct access to the databases is authorised and monitored.
Specific activity and deliverable: Risk team reviews system activity logs on a sample basis to determine whether activity by privileged users is appropriate.
Owner: Risk Manager
Assurance provider: Risk team
Frequency / timing: Q4 (Annual)
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1
Assurance activity: Review of privileged user access (controls)
Control objective: Super-user access to the network, operating system and direct access to the databases is authorised and monitored.
Specific activity and deliverable: Internal Audit reviews the design and effectiveness of controls related to super user and direct data access.
Owner: Manager, Internal Audit
Assurance provider: Internal Audit
Frequency / timing: Q3 (Annual)
Key risk: Information may be accessed / accessible by unauthorised person. Suppliers may not be protecting our information (including DR).

Risk area: 1
Assurance activity: Sensitive data alert review
Control objective: Super-user access to the network, operating system and direct access to the databases is authorised and monitored.
Specific activity and deliverable: Internal audit tests alerts on sensitive data tables to ensure triggers are working, and reviews a sample of historical alerts to see whether appropriate follow-up was done.
Owner: ITSM
Assurance provider: Internal Audit
Frequency / timing: Monthly
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1, 5
Assurance activity: Site alarm testing and report review
Control objective: Data centre is alarmed at perimeter and at internal doors.
Specific activity and deliverable: Service provider tests alarms, and the data centre manager reviews and reports on the results of testing, and on alerts and alarms raised during the week.
Owner: Supplier manager
Assurance provider: Data centre provider
Frequency / timing: Weekly, reported in data centre provider’s monthly report
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1, 5
Assurance activity: Review of door / server rack access logs
Control objective: Data centre door access is limited to authorised staff.
Specific activity and deliverable: Data centre manager reviews access logs for doors and server racks and compares against authorised access list. Signs check sheet to evidence review.
Owner: Supplier manager
Assurance provider: Data centre provider
Frequency / timing: Weekly, reported in data centre provider’s monthly report
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1
Assurance activity: Inspections of locks, cabling, network jacks at all offices
Control objective: Sensitive ICT equipment and access points at our offices are secured.
Specific activity and deliverable: Security team members inspect for physical security exposures at all sites using a good practice checklist.
Owner: ITSM
Assurance provider: Security team
Frequency / timing: Q1 (Annual)
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1, 5
Assurance activity: Review of site visitor logs
Control objective: Visitors to the data centre are authorised.
Specific activity and deliverable: Supplier manager compares visitor access log and system-generated logs to the list of pre-authorised visitors. Supplier manager signs off that all visitors were authorised.
Owner: Supplier manager
Assurance provider: Supplier manager (based on documentation provided by data centre manager)
Frequency / timing: Monthly
Key risk: Information may be accessed / accessible by unauthorised person. Suppliers may not be protecting our information (including DR).

Risk area: 1, 3, 4, 5
Assurance activity: SOC 2 report on data centre controls
Control objective: Physical access is generally well-controlled. Devices / processes ensure uninterruptible power.
Specific activity and deliverable: ISAE (NZ) 3000 Service Organisation Controls Report on AICPA Trust Service Principles. The report follows the SOC 2 model (USA/Canada).
Owner: ITSM
Assurance provider: Data centre provider orders report by an independent service auditor (data centre provider funds the review)
Frequency / timing: Q1 (Annual)
Key risk: Information may be accessed / accessible by unauthorised person. Suppliers may not be protecting our information (including DR).

Each activity below is listed with its risk area(s) in brackets (see legend), control objective, specific activity and deliverable, owner, assurance provider, frequency / timing, and the key risk (rated High / Medium) it addresses.

[1,5] External penetration test
  Control objective: Network perimeter is secured against intrusion.
  Activity and deliverable: Set of tests run by a security contractor simulating an attack from the Internet. The security contractor provides a report with findings and recommendations.
  Owner: Supplier manager
  Assurance provider: Security contractor
  Frequency / timing: Q1 (Annual)
  Key risk: Information may be accessed / accessible by unauthorised person.

[1] Internal penetration test
  Control objective: Systems are secured against internal attack.
  Activity and deliverable: Set of tests run by a security contractor simulating an attack from within the agency. The security contractor provides a report with findings and recommendations.
  Owner: ITSM
  Assurance provider: Security contractor
  Frequency / timing: Q1 (Annual)
  Key risk: Information may be accessed / accessible by unauthorised person.

[1] Fraud Risk Review
  Control objective: Systems are secured against internal attack.
  Activity and deliverable: Fraud risks are assessed and ranked, possibly identifying ICT exposures. Report produced and actions identified.
  Owner: CISO (with regard to the ICT-related risks)
  Assurance provider: Internal audit
  Frequency / timing: Q3 (Annual)
  Key risk: Information may be accessed / accessible by unauthorised person.

[1] Critical and high security patch level reporting
  Control objective: Important software patches are applied.
  Activity and deliverable: Security team reports on outstanding critical and high security patches, noting any approved exemptions and the timetable for patching.
  Owner: ITSM; technical leads (response and actions)
  Assurance provider: Security team provides the report; technical leads are assigned to complete remediation.
  Frequency / timing: Monthly
  Key risk: Information may be accessed / accessible by unauthorised person.

[1] Vulnerability mitigation reports
  Control objective: Vulnerabilities are managed.
  Activity and deliverable: Security team reports on known vulnerabilities and their mitigations. The report is updated monthly.
  Owner: ITSM
  Assurance provider: Security team (requires input from technical leads)
  Frequency / timing: Monthly
  Key risk: Information may be accessed / accessible by unauthorised person.
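The two monthly reports above (critical and high patch levels, and vulnerability mitigation) share the same bookkeeping: each outstanding item is either within its remediation target, overdue, covered by an approved exemption, or covered by an exemption that has lapsed. The Python below is an added example of that classification; it is not part of the plan or any agency's tooling. The scanner export shape, the exemption register fields, the 14-day and 30-day targets, and every host and patch identifier are assumptions, and the sample records are constructed.

```python
"""Monthly critical / high patch status report.

Added example, not from the assurance plan or any agency's tooling. Assumed
inputs (hypothetical): a scanner export listing outstanding patches per host
with severity and first-seen date, and an exemption register with approver and
expiry. The 14 / 30 day targets and all identifiers below are illustrative.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Illustrative remediation targets by severity; the plan itself sets no figures.
SLA_DAYS = {"critical": 14, "high": 30}


@dataclass(frozen=True)
class Finding:
    host: str
    patch_id: str      # hypothetical identifier, not a real advisory or KB number
    severity: str      # "critical", "high", "medium", "low"
    first_seen: date   # date the scanner first reported the missing patch


@dataclass(frozen=True)
class Exemption:
    host: str
    patch_id: str
    approved_by: str
    expires: date
    reason: str


def patch_status_report(findings, exemptions, as_of):
    """Classify outstanding critical / high patches for the monthly report.

    Returns a dict with four lists:
      overdue            - (host, patch_id, severity, due_date), past SLA, oldest due first
      within_sla         - same shape, not yet past SLA
      exempted           - (host, patch_id, expiry) covered by an unexpired exemption
      expired_exemptions - (host, patch_id, expiry) whose exemption has lapsed; these
                           are also classified against SLA like any other finding
    Severities outside SLA_DAYS are out of scope for this report.
    """
    exempt_by_key = {(e.host, e.patch_id): e for e in exemptions}
    report = {"overdue": [], "within_sla": [], "exempted": [], "expired_exemptions": []}
    for f in findings:
        if f.severity not in SLA_DAYS:
            continue
        ex = exempt_by_key.get((f.host, f.patch_id))
        if ex is not None and ex.expires >= as_of:
            report["exempted"].append((f.host, f.patch_id, ex.expires))
            continue
        if ex is not None:
            # A lapsed exemption must be renewed or remediated; surface it explicitly.
            report["expired_exemptions"].append((f.host, f.patch_id, ex.expires))
        due = f.first_seen + timedelta(days=SLA_DAYS[f.severity])
        bucket = "overdue" if as_of > due else "within_sla"
        report[bucket].append((f.host, f.patch_id, f.severity, due))
    report["overdue"].sort(key=lambda entry: entry[3])
    return report


def summary_counts(report):
    """Headline numbers for the report pack: number of items in each bucket."""
    return {bucket: len(items) for bucket, items in report.items()}


# Constructed sample data for a report dated 31 May 2015 (the plan's issue date).
AS_OF = date(2015, 5, 31)
SAMPLE_FINDINGS = [
    Finding("web-01", "PATCH-A", "critical", date(2015, 5, 1)),   # due 15 May: overdue
    Finding("web-01", "PATCH-B", "high", date(2015, 5, 20)),      # due 19 Jun: within SLA
    Finding("db-01", "PATCH-A", "critical", date(2015, 4, 1)),    # exempted until 30 Jun
    Finding("app-01", "PATCH-C", "high", date(2015, 3, 1)),       # exemption lapsed 30 Apr
    Finding("app-01", "PATCH-D", "medium", date(2015, 5, 28)),    # out of scope here
]
SAMPLE_EXEMPTIONS = [
    Exemption("db-01", "PATCH-A", "CISO", date(2015, 6, 30), "vendor fix pending; host isolated"),
    Exemption("app-01", "PATCH-C", "CISO", date(2015, 4, 30), "change freeze during year end"),
]

if __name__ == "__main__":
    rpt = patch_status_report(SAMPLE_FINDINGS, SAMPLE_EXEMPTIONS, AS_OF)
    print(summary_counts(rpt))
    for host, pid, sev, due in rpt["overdue"]:
        print(f"OVERDUE  {host} {pid} ({sev}) due {due}, {(AS_OF - due).days} days late")
    for host, pid, exp in rpt["expired_exemptions"]:
        print(f"EXPIRED  exemption for {host} {pid} lapsed {exp}")
```

A lapsed exemption is deliberately reported twice: once under expired exemptions, so the approver sees it, and again against the SLA, so an item cannot quietly stay unpatched because an old approval exists.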


[1] Privacy breach reporting and analysis
  Control objective: Privacy breaches are reported and assessed.
  Activity and deliverable: Privacy officer reviews and reports on breaches reported during the previous month, identifying trends, internal control weaknesses and lessons learned.
  Owner: Privacy officer
  Assurance provider: Privacy officer
  Frequency / timing: Monthly
  Key risk: Information may be accessed / accessible by unauthorised person.

[1] Privacy controls review
  Control objective: Privacy controls are being followed.
  Activity and deliverable: Internal audit assesses the privacy controls in place, testing for control effectiveness.
  Owner: Chief executive
  Assurance provider: Internal audit
  Frequency / timing: Q1 (Bi-annual)
  Key risk: Information may be accessed / accessible by unauthorised person.

[1] Privacy impact analysis (PIA) updates
  Control objective: Privacy risks are revisited when systems undergo changes impacting privacy.
  Activity and deliverable: Triggered by CAB flagging of changes that might have a privacy impact, systems are re-assessed for privacy. Artefacts are produced that supplement the original PIA.
  Owner: Privacy officer
  Assurance provider: Privacy team, in collaboration with the system owner and technical leads
  Frequency / timing: Upon changes to systems that could impact privacy
  Key risk: Information may be accessed / accessible by unauthorised person.

[1] Privacy maturity assessment
  Control objective: Our privacy maturity is known and continuously improved.
  Activity and deliverable: Privacy specialists conduct a high-level maturity assessment of privacy practices, assessing against the Privacy Act.
  Owner: Privacy officer
  Assurance provider: Privacy contractor
  Frequency / timing: Q4 (Bi-annual)
  Key risk: Information may be accessed / accessible by unauthorised person.

[1] Security training / induction summary reporting
  Control objective: Employees and contractors are inducted and periodically trained on their security responsibilities.
  Activity and deliverable: Security team verifies that all new starters during the previous month (employees and contractors) have received security induction and have signed off on the acceptable use policy.
  Owner: ITSM
  Assurance provider: Security team
  Frequency / timing: Monthly
  Key risk: Information may be accessed / accessible by unauthorised person.

[1] Internal security breach analysis
  Control objective: We use learnings from internal security breaches to strengthen our security programme.
  Activity and deliverable: Roll-up analysis of any internal security breaches that occurred during the previous two quarters, including instances of security policy / acceptable use violations.
  Owner: ITSM
  Assurance provider: Security team
  Frequency / timing: Q2 and Q4 (Twice yearly)
  Key risk: Information may be accessed / accessible by unauthorised person.


[1] System accreditation
  Control objective: Systems are accredited.
  Activity and deliverable: Systems are formally accredited and the residual risk accepted, following a robust certification process. (Cost estimate includes certification.)
  Owner: Chief executive
  Assurance provider: CISO
  Frequency / timing: Upon renewal of accreditation
  Key risk: Information may be accessed / accessible by unauthorised person.

[1] Accreditation status reporting
  Control objective: Systems are accredited.
  Activity and deliverable: Monthly updates from the CISO to the CIO on the certification and accreditation status of systems.
  Owner: CIO
  Assurance provider: CISO
  Frequency / timing: Monthly
  Key risk: Information may be accessed / accessible by unauthorised person.

[2] Application portfolio analysis
  Control objective: We know where our systems are providing value and where they are not. We know what options are available in the market.
  Activity and deliverable: Complete the GCIO Application Portfolio Management (APM) survey, which will give insights into our application portfolio, including risks and opportunities to increase value.
  Owner: CIO / GCIO
  Assurance provider: CIO
  Frequency / timing: Q2 (One-off, but other related assurance activities will follow)
  Key risk: Our ICT services could be providing greater value.

[2] Ageing systems report
  Control objective: Software that is no longer supported and outdated infrastructure are replaced.
  Activity and deliverable: Quarterly tracking of outdated software and infrastructure to give visibility of the status of systems. Report to the CIO.
  Owner: CIO
  Assurance provider: ICT Operations Manager
  Frequency / timing: Quarterly
  Key risk: Our ICT services could be providing greater value.

[2,4] Infrastructure status and strategy report
  Control objective: Infrastructure is well managed to ensure it is providing business value.
  Activity and deliverable: Current and target state of infrastructure is reported and linked to current business strategy / objectives. Report to the CIO.
  Owner: CIO
  Assurance provider: Infrastructure Manager
  Frequency / timing: Q1 (Annual)
  Key risk: Our ICT services could be providing greater value.

[2,4] Network monitoring summary
  Control objective: The network is well managed and meets business needs.
  Activity and deliverable: Performance reporting to the CIO with commentary on linkage to changing business requirements.
  Owner: CIO
  Assurance provider: Network Administrator
  Frequency / timing: Monthly
  Key risk: ICT systems may not provide sufficient storage and performance.


[2,4] User survey
  Control objective: The network is well managed and meets business needs. We track and follow up on incidents related to storage and performance. Other objectives.
  Activity and deliverable: Users complete a survey on a number of areas such as network latency, download speeds and application crashes. Users are asked to identify how IT applications and infrastructure can better help them achieve their goals.
  Owner: CIO
  Assurance provider: ICT Operations Manager
  Frequency / timing: Q1 (Annual)
  Key risk: Our ICT services could be providing greater value. ICT systems may not provide sufficient storage and performance.

[2] Storage monitoring summary
  Control objective: Storage is well managed and meets business needs.
  Activity and deliverable: Performance reporting to the CIO with commentary on linkage to changing business requirements.
  Owner: CIO
  Assurance provider: Network Administrator
  Frequency / timing: Monthly
  Key risk: ICT systems may not provide sufficient storage and performance.

[2] Software license audit
  Control objective: All our software is properly licensed.
  Activity and deliverable: Compliance review and report of software licenses across the application portfolio.
  Owner: CIO
  Assurance provider: Risk team
  Frequency / timing: Q3
  Key risk: Our ICT services could be providing greater value. Staff may be using unlicensed software and this may result in a legal penalty or security breach.

[1,2] Unapproved software audit
  Control objective: Staff are installing only approved software.
  Activity and deliverable: Compliance review of installed software using automated tools.
  Owner: ITSM
  Assurance provider: Security team
  Frequency / timing: Monthly
  Key risk: Information may be accessed / accessible by unauthorised person.

[1,2] Unapproved cloud / web service audit
  Control objective: Staff are not using unapproved cloud services (e.g. Dropbox, Gmail).
  Activity and deliverable: Compliance review of cloud / web service usage using automated tools.
  Owner: ITSM
  Assurance provider: Security team
  Frequency / timing: Monthly
  Key risk: Information may be accessed / accessible by unauthorised person.
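The two automated compliance reviews above (installed software and cloud / web service use) each need an approved list to compare against and a data source to compare. The Python below is an added example of both checks; it is not part of the plan or any agency's tooling. The inventory format, the proxy log format, the approved-software list, the .example hostnames and all sample records are constructed; Dropbox and Gmail are the services the plan itself names.

```python
"""Unapproved software and unapproved cloud / web service audit.

Added example, not from the assurance plan or any agency's tooling. Assumed
(hypothetical) inputs: an installed-software inventory as (host, product)
pairs, and web proxy logs with one space-separated record per request:
  timestamp user client-host method url status
The approved-software list, the services to flag and all sample records are
constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Approved-software list maintained by the security team (constructed entries).
APPROVED_SOFTWARE = {"Example Office Suite", "Example PDF Reader", "Example AV Agent"}

# Domains of cloud / web services not approved for agency information. The plan
# names Dropbox and Gmail; the domain-to-service mapping is an assumption.
UNAPPROVED_SERVICES = {
    "dropbox.com": "Dropbox",
    "gmail.com": "Gmail",
    "mail.google.com": "Gmail",
}


def host_matches(hostname, domain):
    """True for the domain itself or any subdomain; a lookalike must not match."""
    return hostname == domain or hostname.endswith("." + domain)


def audit_installed_software(inventory):
    """Return {host: sorted products not on the approved list}; compliant hosts are omitted."""
    findings = defaultdict(set)
    for host, product in inventory:
        if product not in APPROVED_SOFTWARE:
            findings[host].add(product)
    return {host: sorted(products) for host, products in findings.items()}


def audit_proxy_log(lines):
    """Return {service: {user: request count}} for traffic to unapproved services.

    Matching is on the URL's parsed hostname, so paths and query strings cannot
    trigger or hide a match, and malformed records are skipped rather than
    aborting the monthly run.
    """
    usage = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue
        user, url = parts[1], parts[4]
        hostname = (urlsplit(url).hostname or "").lower()
        for domain, service in UNAPPROVED_SERVICES.items():
            if host_matches(hostname, domain):
                usage[service][user] += 1
                break
    return {service: dict(users) for service, users in usage.items()}


# Constructed sample inventory and proxy records.
SAMPLE_INVENTORY = [
    ("ws-101", "Example Office Suite"),
    ("ws-101", "Unlisted Torrent Client"),
    ("ws-207", "Example PDF Reader"),
    ("ws-207", "Example AV Agent"),
]
SAMPLE_PROXY_LOG = [
    "2015-05-04T09:12:01 jsmith ws-101 GET https://www.dropbox.com/home 200",
    "2015-05-04T09:13:44 jsmith ws-101 POST https://content.dropbox.com/upload 200",
    "2015-05-05T11:02:10 rchan ws-207 GET https://mail.google.com/mail/u/0/ 200",
    "2015-05-05T11:05:00 rchan ws-207 GET https://intranet.agency.example/home?next=dropbox.com 200",
    "2015-05-05T11:06:30 rchan ws-207 GET https://dropbox.com.attacker.example/ 200",
    "garbled record",
]

if __name__ == "__main__":
    print(audit_installed_software(SAMPLE_INVENTORY))
    print(audit_proxy_log(SAMPLE_PROXY_LOG))
```

Matching on the parsed hostname rather than a substring of the URL is what keeps the lookalike dropbox.com.attacker.example from counting as Dropbox and the query string ?next=dropbox.com from producing a false positive; both appear in the constructed log and neither is counted.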


[3] Disaster recovery test and report
  Control objective: Disaster recovery can restore systems in accordance with business requirements.
  Activity and deliverable: Test of the disaster recovery plan, and report of results with analysis and recommendations.
  Owner: CISO
  Assurance provider: ICT Operations Manager
  Frequency / timing: Quarterly
  Key risk: Capability / capacity to provide IT services may be lost following a disaster / outage. Suppliers may not be protecting our information (including DR).

[3] Independent review of BCP / DR plans
  Control objective: Disaster recovery plans and controls are robust and fit for purpose.
  Activity and deliverable: Review of disaster recovery plans and comparison to recognised good practice controls and procedures.
  Owner: CISO
  Assurance provider: Internal audit
  Frequency / timing: Q3 (Tri-annual)
  Key risk: Capability / capacity to provide IT services may be lost following a disaster / outage.

[3,5] Reporting on success of power tests
  Control objective: Devices / processes ensure uninterruptible power.
  Activity and deliverable: Results of power testing included in the monthly SLA reporting pack.
  Owner: Supplier Manager
  Assurance provider: Data centre provider
  Frequency / timing: Monthly
  Key risk: Capability / capacity to provide IT services may be lost following a disaster / outage. Suppliers may not be protecting our information (including DR).

[3,5] Test restore of data from backup
  Control objective: Our data can be restored from backup.
  Activity and deliverable: Test restore of data, with summary report and recommendations.
  Owner: ITSM
  Assurance provider: ICT Operations Manager
  Frequency / timing: Quarterly
  Key risk: Capability / capacity to provide IT services may be lost following a disaster / outage.

[3] Verification of DR plan key contact numbers
  Control objective: Details in our disaster recovery plans are up to date.
  Activity and deliverable: Administrator verifies and updates details.
  Owner: ITSM
  Assurance provider: ICT administrator
  Frequency / timing: Monthly and as needed
  Key risk: Capability / capacity to provide IT services may be lost following a disaster / outage.


[3] Business Impact Analysis
  Control objective: Disaster recovery plans are aligned with business requirements.
  Activity and deliverable: Critical functions are assessed in a BCP / DR context and RPO and RTO are reconfirmed.
  Owner: CIO
  Assurance provider: Business continuity response team leads, with business input
  Frequency / timing: Q4 (Annual)
  Key risk: Capability / capacity to provide IT services may be lost following a disaster / outage.

[4,5] Performance / storage incident reporting
  Control objective: We track and follow up on incidents related to storage and performance.
  Activity and deliverable: Performance and storage summary, including metrics and incident summary.
  Owner: ICT Operations Manager
  Assurance provider: Service desk
  Frequency / timing: Monthly
  Key risk: ICT systems may not provide sufficient storage and performance.

[1,3,5] GCIO cloud assessment tool
  Control objective: Cloud systems can provide sufficient storage and performance. We have considered good practice in managing cloud suppliers.
  Activity and deliverable: Complete the risk assessment and related tool as per the GCIO publication "Cloud Computing: Information Security and Privacy Considerations".
  Owner: Chief Executive
  Assurance provider: CIO
  Frequency / timing: One per cloud supplier. For new systems this will be done alongside certification. For existing systems, refer to the schedule.
  Key risk: Information may be accessed / accessible by unauthorised person. Suppliers may not be protecting our information (including DR).


[4] Operational staffing needs analysis
  Control objective: We have sufficient operations and management staff with the right skills.
  Activity and deliverable: Analysis of current staffing levels vs. forecast needs, considering existing skill sets. Reporting to the CIO.
  Owner: CIO
  Assurance provider: ICT Operations Manager
  Frequency / timing: Q4 (Annual major review, with monthly updates). Monthly updates continue following last year's major review.
  Key risk: We may not have enough staff with the right skills to meet our objectives related to ICT.

[5] Supplier Management Framework Review
  Control objective: We have considered good practice in managing suppliers.
  Activity and deliverable: Analysis of the framework and templates for supplier management plans.
  Owner: CIO
  Assurance provider: Internal Audit
  Frequency / timing: Q1 (One-off)
  Key risk: Suppliers may not perform and/or opportunities to increase value may be missed.

[1,3,4,5] Key supplier SLA dashboard
  Control objective: We monitor and assess the reports provided by suppliers.
  Activity and deliverable: SLA reports from suppliers rolled up into a monthly report on key KPIs with additional analysis.
  Owner: CIO
  Assurance provider: ICT Operations Manager
  Frequency / timing: Monthly
  Key risk: Suppliers may not perform and/or opportunities to increase value may be missed.

[1,3,5] Supplier issues / breach report
  Control objective: We track important supplier issues to resolution.
  Activity and deliverable: Incident and breach reporting from suppliers rolled up into a monthly summary with additional analysis.
  Owner: CIO
  Assurance provider: ICT Operations Manager (based on ongoing monitoring of the breach / incident register)
  Frequency / timing: Monthly
  Key risk: Suppliers may not be protecting our information (including DR).


[1,5] Verification of supplier certifications
  Control objective: Supplier independent certifications / reports are sufficient and current.
  Activity and deliverable: Review of the current status of any relevant third-party certifications claimed by suppliers.
  Owner: ITSM
  Assurance provider: Security team
  Frequency / timing: Q1 (Annual)
  Key risk: Suppliers may not be protecting our information (including DR).

[4,5] Strategic analysis of projected needs vs. supplier capability
  Control objective: Supplier strategy is aligned with longer-term business goals.
  Activity and deliverable: Check-up on the alignment of business strategy, ICT strategy and supplier capability, projected to 1, 2 and 5 years.
  Owner: CIO
  Assurance provider: CIO
  Frequency / timing: Q3 (Annual)
  Key risk: Current suppliers may not be able to continue to meet business needs into the future.


The following activities have been deferred to FY17 for the reasons stated in Section 2.3:

Each deferred activity is listed with its risk area(s) in brackets (see legend), control objective, specific activity and deliverable, owner, assurance provider, frequency, and the key risk (rated High / Medium) it addresses.

[5] Review of supplier management plans
  Control objective: Controls and procedures are in place to manage suppliers consistently and effectively.
  Activity and deliverable: Internal audit assessment of a sample of plans to see if they align with the supplier management framework.
  Owner: ICT Operations Manager
  Assurance provider: Internal audit
  Frequency: Bi-annual
  Key risk: Suppliers may not be protecting our information (including DR). Suppliers may not perform and/or opportunities to increase value may be missed.

[5] Supplier health checks
  Control objective: Suppliers are reviewed for their viability.
  Activity and deliverable: Analysis of factors that could impact the future performance of key suppliers.
  Owner: CIO
  Assurance provider: ICT Operations Manager
  Frequency: Annual
  Key risk: Current suppliers may not be able to continue to meet business needs into the future.

[4] ICT governance review
  Control objective: Our governance groups have sufficient ICT understanding.
  Activity and deliverable: Survey of ICT and non-ICT governance groups that impact ICT: do they need more training to better inform decisions related to ICT?
  Owner: CIO
  Assurance provider: External consultant
  Frequency: Bi-annual
  Key risk: We may not have enough staff with the right skills to meet our objectives related to ICT.


[4] Functional staffing needs analysis
  Control objective: We have sufficient second- and third-line (functional) staff with the right ICT skills (e.g. Security, Risk, Internal Audit).
  Activity and deliverable: Input is solicited from ITSM, the Privacy Officer, Risk and Internal Audit on the state of their current skill sets with regard to ICT.
  Owner: CIO (other functional leads retain accountability for their staffing)
  Assurance provider: Functional Managers, reporting to the CIO
  Frequency: Annual
  Key risk: We may not have enough staff with the right skills to meet our objectives related to ICT.

[4] Capacity planning
  Control objective: We forecast demand to plan strategically for capacity.
  Activity and deliverable: Using modelling tools, update the capacity forecast, applying scenario analysis. Report.
  Owner: CIO
  Assurance provider: ICT Operations Manager
  Frequency: Quarterly
  Key risk: ICT systems may not provide sufficient storage and performance.
