Deutsche Bank
COBIT 5 for IT Policies and Risk
6th October 2015
Group Technology and Operations
Deutsche Bank Alan Shepherd
ISACA/BPUG COBIT in der Praxis
Contents
How COBIT 5 is used for IT Management Policy
COBIT 5 as Basis for Risk Management
What COBIT, ISO, etc. Don’t Tell You
COBIT 5 as Basis for Policies
How COBIT 5 is used for IT Management Policy
Further Reading
10/6/2015 2010 DB Blue template
3
Praxiswissen COBIT, Markus Gaulke, with a practitioner contribution on the topic
COBIT 5 Product Family
COBIT 5 Enabling Processes
DB Policy Built in Two Steps
Version 1 (published): 9 out of 37 COBIT processes have been included in V1.1 of the IT Management Policy.
Version 2: all 37 COBIT processes will be included in V2 of the IT Management Policy.
COBIT 5 as Basis for Risk Management
COBIT 5 for Risk
Risk Scenarios
Risk Management Process
Other Standards
COBIT 5 Products
Risk Scenarios
See Appendix for Sample
Risk Management Process
Risk Management in ISO Standards
ISO 31000:2009(E) ISO/IEC 27005:2011
PMBOK 4th Edition
ISO/IEC 27005:2011
What COBIT, ISO, etc. Don’t Tell You
Some Problems with Current Risk Assessment Methods
Some Answers
Some Advanced Answers
References
Risk Assessment Methods
If your Risk Assessment is wrong ... mitigation is addressing the wrong problems: waste, bad decisions.
How do you know it works? Effectiveness of methods is not verified; some methods are known not to work; methods that do work are not used.
Probability x Loss: assumes risk neutral (most people are risk averse); loses information; assumes risks are independent.
Risk of extensive defaults on subprime loans: Low. Risk of novel financial products: Low. Risk of failure of AIG: Low. → Financial Crisis.
Risk Assessment Problems
Catastrophic Overconfidence: near misses or survivals increase risk tolerance.
Logical Errors: misconception of chance; conjunction fallacy; law of small numbers; variance in small samples; insensitivity to prior probabilities.
Experience of “Experts”: non-random; (selective) memory-based; logical errors in conclusions; inconsistent.
Framing: posing the question differently gets different answers.
Ordinal Scales
1 – 2 – 3 – 4 – 5; High – Medium – Low; Unlikely – Possible – Likely.
Understanding varies widely between individuals.
Range compression: High = > €100m, so €500m is also High.
Clustering.
Presumption of regular intervals.
No validation against reality.
They are not units of measure: they cannot be added or multiplied; 2 is not twice as good as 1.
They ignore (psychological) research: bias, framing, inconsistency, etc.
Probability and Measurement
Probability: unambiguous description of uncertainty. 50% probability = total uncertainty.
Measurement: observation-based uncertainty reduction about a quantity. It has been done before.
You think you can’t measure it? You have more data than you think. You need less data than you think. Getting more data is more economical than you think. You probably need completely different data than you think.
Wrong distribution: not everything is Gaussian. Catastrophes, common-mode and cascade failures tend to be power law.
Answer 1 – Know our Risk Appetite: document risk appetite/tolerance.
Answer 2 – Model the Risks: model uncertain systems.
Answer 3 – Calibration
After calibration, 9 out of 10 answers will be in the given range.
Calibrated estimators give estimates with ranges which are correct 90% of the time, and know the confidence of binary (true/false) answers.
It is not very difficult to learn! (1/2 day training)
The resulting range may be wide, but it can be narrowed by MEASUREMENT.
Answer 4 – Monte Carlo Simulation (Advanced)
Monte Carlo simulation generates thousands of random values for each variable in a model and shows the distribution of the results.
Can take
• Distributions
• Correlations
into account.
Easily implemented with Excel or other tools.
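An added example (not from the deck) tying this slide to the Calibration slide and to the earlier objections to "Probability x Loss": three constructed risks each carry an annual probability and a calibrated 90% loss interval, the interval is mapped to a lognormal (an assumption of this example), and a one-year Monte Carlo with an optional shared Gaussian factor shows the full loss distribution, the tail that the single expected-loss figure hides, and how an independence assumption understates years in which several risks hit together.

```python
import math
import random
from statistics import NormalDist

# Constructed example (values invented, not from the slides): each risk has an
# annual probability of occurring and a calibrated 90% interval, in EUR, for
# the loss if it does occur.  Tuple: (name, p_occur, lower90, upper90).
RISKS = [
    ("subprime defaults", 0.10, 1e6, 50e6),
    ("novel products", 0.10, 2e6, 80e6),
    ("counterparty failure", 0.05, 5e6, 200e6),
]
Z90 = NormalDist().inv_cdf(0.95)  # 1.645: half-width of a central 90% interval

def lognormal_params(lower, upper):
    """Treat the 90% interval as the central 90% of a lognormal loss (assumed)."""
    mu = (math.log(lower) + math.log(upper)) / 2
    sigma = (math.log(upper) - math.log(lower)) / (2 * Z90)
    return mu, sigma

def expected_loss(risks):
    """The single 'probability x loss' number: sum of p times lognormal mean."""
    total = 0.0
    for _, p, lo, hi in risks:
        mu, sigma = lognormal_params(lo, hi)
        total += p * math.exp(mu + sigma ** 2 / 2)
    return total

def simulate(risks, n=20000, rho=0.0, seed=1):
    """Monte Carlo over n one-year trials: returns the sorted annual losses and
    the fraction of years in which two or more risks materialised.  rho ties
    the risks' latent triggers to a shared Gaussian factor (rho=0: independent)."""
    rng = random.Random(seed)
    losses, multi = [], 0
    for _ in range(n):
        common = rng.gauss(0, 1)
        year_loss, events = 0.0, 0
        for _, p, lo, hi in risks:
            z = math.sqrt(rho) * common + math.sqrt(1 - rho) * rng.gauss(0, 1)
            if z < NormalDist().inv_cdf(p):  # risk materialises this year
                mu, sigma = lognormal_params(lo, hi)
                year_loss += rng.lognormvariate(mu, sigma)
                events += 1
        losses.append(year_loss)
        multi += events >= 2
    losses.sort()
    return losses, multi / n

def percentile(sorted_losses, q):
    """Loss level that a fraction q of simulated years stay below."""
    return sorted_losses[min(len(sorted_losses) - 1, int(q * len(sorted_losses)))]
```

Compare expected_loss(RISKS) with percentile(simulate(RISKS)[0], 0.99), and the multi-event fraction at rho=0 with rho=0.9, to see what the single number and the independence assumption leave out.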
Answer 5 – Bayes 1/2 (Very Advanced)
Bayesian Networks
Nothing known about design, complexity, testing quality or amount of usage.
Update prior knowledge with new information.
Invert conditional probabilities.
Additional Information
Answer 5 – Bayes 2/2
Bayesian Networks
Update prior knowledge with new information.
If zero defects are found in testing and complexity is known to be high, there is a high probability that testing was poor and design was good.
Defects expected in operation are lower, but
Additional Information
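An added worked example (not from the deck; the network structure and every probability are constructed for illustration) of the inversion described on the two Bayes slides: a small Bayesian network over design quality, testing quality, complexity, defects found in testing and problems in operation, with exact inference by enumeration, so the evidence "zero defects found, complexity high" can be propagated back to its possible causes.

```python
import itertools

# Constructed toy Bayesian network; the structure and every probability are
# assumptions for illustration, not figures from the slides.  All nodes are
# binary.  Each CPT maps a tuple of parent values to P(node is True).
#   design_good, testing_good, complexity_high   root causes (priors)
#   many_defects    <- design_good, complexity_high
#   defects_found   <- many_defects, testing_good   (any defects found in test)
#   ops_problems    <- many_defects, defects_found  (defects surfacing in operation)
NETWORK = [
    ("design_good", (), {(): 0.5}),
    ("testing_good", (), {(): 0.5}),
    ("complexity_high", (), {(): 0.5}),
    ("many_defects", ("design_good", "complexity_high"),
     {(True, True): 0.3, (True, False): 0.1, (False, True): 0.9, (False, False): 0.5}),
    ("defects_found", ("many_defects", "testing_good"),
     {(True, True): 0.95, (True, False): 0.7, (False, True): 0.6, (False, False): 0.2}),
    ("ops_problems", ("many_defects", "defects_found"),
     {(True, True): 0.5, (True, False): 0.7, (False, True): 0.05, (False, False): 0.15}),
]

def joint(assignment):
    """P(full assignment) = product over nodes of the matching CPT entry."""
    p = 1.0
    for name, parents, cpt in NETWORK:
        p_true = cpt[tuple(assignment[par] for par in parents)]
        p *= p_true if assignment[name] else 1 - p_true
    return p

def posterior(query, evidence):
    """P(query is True | evidence) by enumerating every assignment consistent
    with the evidence: Bayes' rule over the whole joint, so conditional
    probabilities are inverted (effects -> causes) without extra formulas."""
    free = [n for n, _, _ in NETWORK if n not in evidence]
    num = den = 0.0
    for values in itertools.product([True, False], repeat=len(free)):
        a = dict(evidence, **dict(zip(free, values)))
        p = joint(a)
        den += p
        if a[query]:
            num += p
    return num / den

if __name__ == "__main__":
    # Slide scenario: zero defects found in testing, complexity known to be high.
    ev = {"defects_found": False, "complexity_high": True}
    for node in ("testing_good", "design_good", "ops_problems"):
        print(f"{node}: prior {posterior(node, {}):.2f} -> posterior {posterior(node, ev):.2f}")
```

With these constructed figures the evidence moves P(testing good) from 0.50 to about 0.28 and P(design good) from 0.50 to about 0.68, while P(problems in operation) lands at about 0.32, well above the 0.15 a naive "nothing found, so few defects" reading would give.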
Answers – Other
Organisation: positions, incentives, certifications, community.
Scientific approach: quality control; validate against event history; use empirical observations.
References
The Failure of Risk Management – Why it is Broken and How to Fix It. Douglas W. Hubbard, 2009
How to Measure Anything – Finding the Value of “Intangibles” in Business, 3rd Edition. Douglas W. Hubbard, 2014
Risk Assessment and Decision Analysis with Bayesian Networks. Norman Fenton, Martin Neil, 2013
Appendix
Sample COBIT 5 Risk Scenario