IT RISK IT Managers Roundtable event – 06/24/15 Presentation by Simon Cousins.


Some Current Day Risks

How do companies remain current with technological advances, attracting the next generations of employees, while mitigating risk associated with emerging and modern tech?

How do companies manage BYOD?

Where should company data be? Is the Cloud an option?

Use Of A Risk Matrix

A very useful tool for heat map risk analysis

https://en.wikipedia.org/wiki/Risk_Matrix

A useful resource can be found at The Risk Management Guide

http://www.ruleworks.co.uk/riskguide/risk-profile.htm

Discussion Point - BYOD

• iOS - Apple
• Android - Google
• Windows Phone - Microsoft

Are devices in your company…

• Company owned?
• Employee owned?
• Mixed?
• Unknown?

Considerations

What is your risk tolerance?

Where are your biggest risks?

Discussion Point – BYOD – IT Considerations

Managing and securing data. While the devices themselves are one concern, the data flowing back and forth between the devices, the corporate network, and the cloud is another major issue. Even if IT has a handle on which devices are accessing the network and their risk postures, controlling what information the device accesses and what happens to that information once it leaves the enterprise network can be very tricky. Consider the following common scenario: An employee opens an email attachment from his/her corporate email box and chooses to save it to a personal cloud storage service, such as iCloud or Dropbox. When employees transfer enterprise data into public cloud services, IT usually loses its ability to manage the data from that point forward. Another potential issue is employees forwarding or sending sensitive information from mobile devices to parties that should not have access to that information. This may happen via email or through a cloud storage and collaboration service. In either case, IT needs some way to manage what employees can and cannot do with content accessed on mobile devices.

Managing risks from apps. Apps themselves present a risk. It has been well documented that the prevalence of Android malware has spiked right along with the popularity of the platform. This is less of a problem on iOS devices because of the closed nature of the Apple ecosystem, but it's not a nonexistent issue. When employees download consumer applications to their personal devices, enterprises have no way of knowing the risk profile of that application. An app could be full of malware — which could then corrupt the entire device OS, putting the information on all the other apps at risk — and it could also be asking for information that a company would prefer it didn't have access to, such as contacts. Understanding the risk profile of various applications is an important step to safeguarding the overall health of the device.

Source: IDC Market Spotlight – The Evolution of Enterprise Mobility Management: Protection Enables Productivity

Discussion Point – Cloud Storage & Services

Why The Cloud?

• PAAS (Platform As A Service)
• SAAS (Software As A Service)
• Consumer grade (Unmanaged)

Where is your data and what is your strategy?

• Consider industry regulations
• Protection of intellectual property
• Transmission and sharing of data

Discussion Point – Employees

How do companies remain current with technological advances, attracting the next generations of employees, while mitigating risk associated with emerging and modern tech?

Recruiting and retaining employees who maintain existing systems overlaps with recruiting and retaining employees who implement new and future technologies.

Discussion Point – The Next Thing?

The Internet Of Things is happening all around us.

• Smoke detectors
• Smart thermostats
• Refrigerators that order food
• Medication reminders

More information at http://postscapes.com/internet-of-things-examples

The sharing of data, location, environments and other PII is evolving at a rapid pace.

The risks associated with the surge in the world of IoT need to be managed.

IT RISK Resources

• NIST

• PMI.org: Has some good articles on general risk management from a project management standpoint

• Harvard Business Review

• E&Y: http://www.ey.com/GL/en/Services/Advisory/Turning-risk-into-results-Managing-risk-for-better-performance

• COBIT

• COSO

• ISACA

• ISC2