August 19, 2014 1

IT Risks and Controls


Risk Identification, Risk Mitigation, Risk Management, Controls Implementation
Kemal Ozmen, CISA, TSRS Manager

Agenda
General Concepts about IT Risks
Risk Identification and Management
Controls and Their Implementation

What is Risk?
Risk is the threat that an event or action will adversely affect an organization's ability to achieve its business objectives and execute its strategies successfully.
INFORMATION FOR DECISION MAKING RISK
The risk that information used to support strategic, operational and financial decisions is not relevant, complete, accurate or timely.

PROCESS RISK
The risk that business processes are not clearly defined, are poorly aligned with business strategies, are not performing effectively and efficiently in satisfying customer needs, are reducing shareholder value, are compromising the integrity of data and information, or are exposing significant assets to unacceptable losses, risk taking, misappropriation or misuse.

ENVIRONMENT RISK
The risk from external forces that could significantly change the fundamentals that drive the organization's overall business objectives and strategies. These risks are not created by the company, but are inherent in the environment.


(Diagram, flattened: business risk categories and their components)

ENVIRONMENT RISK
  Competitor Sensitivity, Shareholder Relations, Capital Availability, Catastrophic Loss, Sovereign/Political, Legal, Regulatory, Industry, Financial Markets

PROCESS RISK
  FINANCIAL RISK: Currency, Interest Rate, Liquidity, Cash Transfer/Velocity, Derivative, Settlement, Reinvestment/Rollover, Credit, Collateral, Counterparty
  INTEGRITY RISK: Management Fraud, Employee Fraud, Illegal Acts, Unauthorized Use, Reputation
  EMPOWERMENT RISK: Leadership, Authority, Limit, Performance Incentives, Communications
  OPERATIONS RISK: Customer Satisfaction, Human Resources, Product Development, Efficiency, Capacity, Performance Gap, Cycle Time, Sourcing, Commodity Pricing, Obsolescence/Shrinkage, Compliance, Business Interruption, Product/Service Failure, Environmental, Health and Safety, Trademark/Brand Name Erosion
  INFORMATION PROCESSING/TECHNOLOGY RISK: Access, Integrity, Relevance, Availability, Infrastructure

INFORMATION FOR DECISION MAKING RISK
  OPERATIONAL: Pricing, Contract Commitment, Measurement, Alignment, Completeness and Accuracy, Regulatory Reporting
  FINANCIAL: Budget and Planning, Completeness and Accuracy, Accounting Information, Financial Reporting Evaluation, Taxation, Pension Fund, Investment Evaluation, Regulatory Reporting
  STRATEGIC: Environmental Scan, Business Portfolio, Valuation, Measurement, Organization Structure, Resource Allocation, Planning, Life Cycle

IT Risk Definitions
Integrity
  The risk that computer data and programs are not free from error and do not represent actual economic events or transactions. Involves two areas: computer programs/processing, and computer data. Relates specifically to all aspects of application systems.
Availability
  The risk that information, processing ability and communications will not be available for critical operations and processes when needed.
Access
  The risk that users are given access to systems, data or information they do not need, or that unauthorized access is gained to confidential systems, data and information.
Relevance
  The risk that information is not relevant for the purposes for which it is collected, maintained or distributed. Relates to the usability and timeliness of information that is either created or summarized by an application system.

IT Risk Definitions
Infrastructure
  The risk that IT core processes are not effectively supporting the current and future needs of the bank. IT core processes include: organizational planning; application system definition and deployment; logical security and security administration; computer and network operations; data and database management; business/data center recovery.
(Diagram: Information Processing/Technology Risk: Access, Integrity, Relevance, Availability, Infrastructure)

Agenda
General Concepts about IT Risks
Risk Identification and Management
Controls and Their Implementation

Warning Signs
No linkage of risk to value
No effort to anticipate
Ineffective strategic control
No risk management policy
Not a management priority
No integrated risk assessment framework
Fragmented effort
Narrow focus
Poor risk communications
Too little, too late

ABC of Risk Management
(Diagram: RISKS (Access, Process Integrity, Relevance, Availability) mapped to CONTROLS: ?)

Risk Management Objectives
Business Oriented
Easy To Understand
Technology Independent
Comprehensive
Flexible
Mappable to other Risk Models

IT Risk Management Basic Principles
1. IT risk management strategies should be driven by business risks, not just technical risks.
2. Effective IT risk management should encompass a combination of strategy, organization, process and technology.
3. The overall IT risk management process needs to be applied to discrete, yet interrelated, components of an organization's business processes and related information technology.

IT Risk Management Framework
Who does/should do things and why?
  Core competencies
  Leadership styles
  Values and beliefs
  Communication

What is/should be the strategy?
  What are the strategic objectives?
  Who are the key stakeholders/customers?
  What is the value proposition?
  How is the strategy going to be operationalized?

How do/should things work?
  Policies
  Business processes
  Management processes

What are/should be the technology implications?
  Data architecture and ownership
  System architecture
  Network architecture
  Configuration
  Integration
  Tools

(Framework dimensions in the diagram: Common Language, Metrics/Measures, Structure, Culture/Values, Strategy, Skills, Technology, Processes, Organization)

IT Risk Management Framework
What Is Needed To Succeed?
  What are the organization implications (structure, etc.)?
  What are the roles, responsibilities, and skills needed to achieve the strategic objectives/benefits?
  How will individual performance be measured?

What Is Needed To Succeed?
  How can we create a common language for definition and discussion?
  How will success be measured?
  When should we measure it?

What Is Needed To Succeed?
  What skills do people need?
  What awareness training is needed?
  How can it be delivered?
  How can we make continuous learning a reality?

Managing Risks Process Flow
CONTINUOUSLY ASSESS SECURITY RISK CONTROL PROCESSES
(Flow chart, flattened)
  Risk management processes installed / in place?
    No  -> Design and install a risk control process
    Yes -> Continuously assess by comparing to best practices to identify and close performance gaps

Agenda
General Concepts about IT Risks
Risk Identification and Management
Controls and Their Implementation

Definition of Control
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Definition of IT Control Objective
A statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

Controls Process Framework
(Layered diagram, flattened: Monitoring; Pervasive Controls; Business Controls; Information & Information Processing Controls; Specific Risk Controls)
  Specific controls for information processing purposes (e.g. observation, inquiry, inspection, confirmation, analytical procedures, etc.)
  Controls that have been implemented once into processes and/or systems and are geared to produce a specific outcome
  Controls that have been implemented by management for process monitoring and/or verification purposes

Types of Controls
Preventive controls are designed to:
  Prevent an error or irregularity from occurring
  Eliminate risks at the source
  Build quality into the process

Detective controls are used as a fail-safe method to:
  Manage risks more completely
  Manage risks that occur irregularly or infrequently
  Detect errors that are hard to define and predict

System-based controls
  System-based controls are automated, programmed procedures performed by the computer system

People-based controls
  Risk management requires judgment
  Risk environment is not stable and changing circumstances need to be accounted for

Effectiveness of Controls
(Matrix, flattened; its two axes are labelled Reliable and Desirable)
  System-based preventive control: human error eliminated, risk prevented before occurrence
  System-based detective control: human error eliminated, but no prevention
  People-based preventive control: high probability of human error and non-prevention
  People-based detective control: high probability of human error and non-detection

System-based controls are more reliable. Preventive controls are more desirable.
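The preventive/detective and system-based distinctions of the two slides above, as an added example that is not part of the original deck: a constructed ledger with per-user approval limits (assumed values), a system-based preventive gate that rejects out-of-policy entries before they are posted, and a system-based detective review that re-checks everything already posted and therefore catches manual entries that bypassed the gate, which is the fail-safe role the Types of Controls slide gives detective controls.

```python
from dataclasses import dataclass

APPROVAL_LIMITS = {"alice": 5_000, "bob": 20_000}  # constructed policy, assumed values


@dataclass
class Entry:
    entry_id: int
    user: str
    amount: float
    source: str  # "gate" = went through post_entry, "manual" = bypassed it


def preventive_gate(user, amount):
    """System-based preventive control: decide before anything is posted.
    Returns (allowed, reason); an out-of-policy entry never reaches the ledger."""
    if user not in APPROVAL_LIMITS:
        return False, "unauthorized user"
    if amount <= 0:
        return False, "non-positive amount"
    if amount > APPROVAL_LIMITS[user]:
        return False, f"exceeds approval limit {APPROVAL_LIMITS[user]}"
    return True, "ok"


def post_entry(ledger, entry):
    """Normal posting path: only entries that pass the gate are appended."""
    allowed, _ = preventive_gate(entry.user, entry.amount)
    if allowed:
        ledger.append(entry)
    return allowed


def detective_review(ledger):
    """System-based detective control: periodic scan of what is already posted.
    Re-applies the policy to every entry and emits a violation report."""
    report = []
    for e in ledger:
        allowed, reason = preventive_gate(e.user, e.amount)
        if not allowed:
            report.append((e.entry_id, e.user, e.source, reason))
    return report


def demo():
    ledger = []
    gate_results = [post_entry(ledger, Entry(1, "alice", 4_000, "gate")),
                    post_entry(ledger, Entry(2, "alice", 9_000, "gate"))]  # rejected
    # Manual adjustments written straight to the ledger, skipping the gate
    ledger.append(Entry(3, "carol", 1_000, "manual"))
    ledger.append(Entry(4, "bob", 50_000, "manual"))
    return gate_results, detective_review(ledger)
```

The gate alone would report nothing wrong with entries 3 and 4; only the detective review surfaces them, which is why the deck treats the two control types as complementary rather than alternatives.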

Effective Controls
(Diagram, flattened: RISKS mapped to CONTROLS. IT business related risks, the results of the information technology risk assessment, are addressed by four control elements: Strategy & Policy, Manage Deployment, Technology Architecture, Monitor Events)

Control Elements
Strategy & Policy
Management policies set the tone for the effectiveness of the entire IT risk management program.
Policies should:
  Define management's view of risk acceptance
  Be concise, understandable and enforceable
  Be customized to the specific business unit to which they apply
  Encompass the critical systems and processing environments
  Establish guidelines and examples for consistency

Control Elements
Manage Deployment
Manage Deployment is a series of processes that include:
  Managing the technical architecture, including networks
  Establishing an IT Administration function to enforce established policies and procedures
  IT internal controls design in new and modified applications
  User, resource and group strategy and definition
  Adding, changing and modifying
  Addressing organizational changes
  IT standards training and awareness

Control Elements
Monitor Events
Monitor Events is a series of processes that include:
  Evaluating impact of IT on users and technical architecture
  Identification of IT-relevant risks in new technologies and applications
  Defining and evaluating abnormalities through effective reporting, audit trails, violation reports, etc.
  Changes in organizational dynamics
  Compliance with policies
  Re-certification of users and rights/privileges
  Breach detection
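The re-certification of users and rights listed above, together with the Access risk defined earlier (users holding access they do not need), as an added example that is not part of the original deck: it assumes a constructed HR status feed, a role-to-rights approval table and an account listing with last-login dates, and produces the three findings a reviewer would act on: orphaned accounts, rights beyond the approved role, and dormant privileged rights.

```python
from datetime import date

# Constructed inputs (assumed format and values, not from the deck)
HR_STATUS = {"alice": "active", "bob": "active", "carol": "active", "dave": "terminated"}
ROLE_RIGHTS = {  # rights each role is approved to hold
    "teller": {"ledger_read", "cash_post"},
    "supervisor": {"ledger_read", "cash_post", "limit_override"},
}
PRIVILEGED = {"limit_override", "dba_admin"}
DORMANT_DAYS = 90  # privileged rights unused this long are flagged

ACCOUNTS = [  # (user, role, granted rights, last login)
    ("alice", "teller", {"ledger_read", "cash_post"}, date(2014, 8, 1)),
    ("bob", "teller", {"ledger_read", "cash_post", "limit_override"}, date(2014, 8, 10)),
    ("carol", "supervisor", {"ledger_read", "dba_admin"}, date(2014, 3, 1)),
    ("dave", "teller", {"ledger_read"}, date(2014, 7, 1)),
]


def recertify(accounts, hr_status, role_rights, today):
    """Return the findings a reviewer must act on, grouped by category.
    orphaned: account holder is not an active employee (leaver or unknown)
    excess_rights: rights beyond what the holder's role is approved for
    dormant_privileged: privileged rights not exercised within DORMANT_DAYS"""
    findings = {"orphaned": [], "excess_rights": [], "dormant_privileged": []}
    for user, role, rights, last_login in accounts:
        if hr_status.get(user, "unknown") != "active":
            findings["orphaned"].append(user)
            continue  # the whole account is the finding; its rights need no grading
        excess = rights - role_rights.get(role, set())
        if excess:
            findings["excess_rights"].append((user, sorted(excess)))
        priv = rights & PRIVILEGED
        if priv and (today - last_login).days > DORMANT_DAYS:
            findings["dormant_privileged"].append((user, sorted(priv)))
    return findings


def run_report(today=date(2014, 8, 19)):
    """Review the constructed account listing as of the given date."""
    return recertify(ACCOUNTS, HR_STATUS, ROLE_RIGHTS, today)
```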

Control Elements
Technology Architecture
(Diagram, flattened: columns P, D, E, T against the architecture layers PHYSICAL, NETWORK, PLATFORM, DATA/DBMS, APPLICATION, PROCESS)
  P - Strategy & Policy
  D - Managed Deployment
  E - Monitor Events
  T - Technology Architecture

Questions and Answers
10 minutes