Michigan Bankers Association Best 2014 enterprise risk management ppt
1. Enterprise Risk Management for Community Banks
Brian T. O’Hara CISA, CISM, CRISC, CISSP
CISO The Mako Group, LLC
btohara@makopro.com
http://www.linkedin.com/in/brianohara/
Twitter: @brian_t_ohara
2. The Mako Group, LLC
• IT & Info Sec Auditing
• IT Risk Assessments
• Security Training
• Vulnerability Assessments
• Social Engineering
• PCI DSS 3
• FISMA Audits
• Penetration Testing
• Gap Assessments
• SOC 1 and SOC 2
• SOX 404
• HIPAA
• Virtual CISO
3. The Mako Group, LLC
• 1570 Woodward Ave., Detroit, MI 48266; Phone: 313.355.0538; Email: detroit@makopro.com
• 110 West Berry Street, Suite 2400, Fort Wayne, IN 46802; Phone: 260.267.5999; Email: fortwayne@makopro.com
• 8555 River Road, Suite 315, Indianapolis, IN 46240; Phone: 317.941.MAKO (6256); Email: indianapolis@makopro.com
4. BIO
• CISO of The Mako Group, LLC
• ISSA Fellow
• Program Chair, CINT Ivy Tech NE
• Adjunct Faculty Indiana Tech
• CISSP - Certified Info Systems Security Prof.
• CISA - Certified Information Systems Auditor
• CISM - Certified Information Security Manager
• CRISC - Certified Risk Info System Controls
5. BIO
• CAE of The Mako Group, LLC
• CPA
• MSA – Masters of Accountancy
• ISACA Detroit Chapter
• CISA - Certified Information Systems Auditor
• Previously ran the Sarbanes-Oxley and FDICIA programs for Ally Bank
6. What Is ERM?
• Enterprise Risk Management (“ERM”) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. (http://www.rims.org/erm/pages/WhatisERM.aspx)
7. ERM Elements?
• Tied to Bank’s Strategic Plan
• Chief Risk Officer (Top Down Approach)
• Correlations (non-silo)
• Target Objectives
• Measurable
• Focus on Outcomes
8. ERM Principles
• Not just about Risk Mitigation
– It is a management system
• Management Model that leads to action
• Unified Approach
• Answers Key Questions
9. Quiz 1
• Who Invented the World Wide Web?
• Tim Berners-Lee
10. ERM Key Questions
• Do we understand risk across the enterprise?
• What is the reward?
• Is the risk acceptable?
• Is the reward great enough?
• Does it link strategies?
• Is it supported from the top down?
• Are decisions made with input to the business as opposed to protecting lines of business?
11. Who Is ERM Designed For?
• Community Banks?
• Size?
• Complexity?
• Affordability?
• Value Add?
13. ERM Value?
• Provides a more robust picture of risk
• Corrects Silo Risk Mentality
• Provides Greater Transparency
• Delivers Effective Resource Allocation
• Shifts Focus from Reactive to Proactive
• Examiner Expectations
14. Sound ERM
• IT Risks Rolled Up
• NO Risk Silos
• Integrated with Business Strategy
• Provides More Accurate Picture of Tolerance
• More Effective Resource Allocation
• Proactive v Reactive
• Helps Identify Key Controls
15. Poor ERM
• Risk Silos
• Poor View of Overall Risks
• Reactive rather than Proactive
• Examples
– Target
– TJ Maxx
– Heartland Payment Processors
23. Quiz 3
• Who sent the first official “email” over the internet?
• Mark Tomlinson
24. When is ERM not a good fit?
• Lack of Sr. Management Buy in
• Size and complexity of operations
• Too expensive, cost v benefit
25. ERM Problems
• Lack of single unifying framework
• Remains reactive
• Discounts insiders (relies on “experts”)
• Does not calculate mitigation costs
• Fails to rank risk
• Lack of academic studies showing effectiveness
26. Cybersecurity Framework
• NIST Creation
• Fits smaller community banks
• Easily tailored and scalable
• Encompasses ERM key components
• Provides control mappings to standards
• Above and beyond examiner expectations
• Affordable implementations
27. The Mako Group’s Approach (Hybrid)
• Guided (organization is the expert)
• Holistic
• Eclectic
• Customized based on organization needs
• Based on value added
• Built to optimize resource allocation
28. Conclusions
• ERM is not always a good fit
• Can be costly
• Can add unforeseen visibility
• Can add predictive value
• Can still provide guiding principles
29. Summary
• ERM value still unclear
• ERM is a holistic approach
• More Complex
• More about choosing pieces that work for you
• Hybrid approaches using models like the Cybersecurity Framework provide the best of both worlds
30. THANKS
Brian T. O’Hara CISA, CISM, CRISC, CISSP
CISO The Mako Group, LLC
btohara@makopro.com
http://www.linkedin.com/in/brianohara/
Twitter: @brian_t_ohara
Editor's notes
As an information security firm, The Mako Group specializes in protection - providing security through auditing, testing and assessments. And, we do it all with the highest quality standards possible. That means an exclusive team of executive-level staff, easy-to-understand reviews and a proprietary audit guide that's the most comprehensive in the industry.
When you choose The Mako Group, you're gaining a partnership that dives into the very core of your overall security, ensuring that your company and entire control environment are stronger as a result. And that adds up to a better, more secure future for you.
Mr. O’Hara has been involved in the field of information security for over 17 years and currently serves as the CISO for The Mako Group, LLC, an IT Security Consulting company specializing in Auditing and Information Security for the Health Care, Manufacturing, Retail and Financial industries as well as both the private and public sectors. As CISO, his responsibilities include overseeing and managing security related functions including but not limited to audit and regulatory compliance reviews, development and implementation of Risk Management frameworks and internal security and development of strategic planning with regard to emerging technologies. He holds a BA from Indiana University, Bloomington and an MA from the University of North Dakota.
When Brian isn’t out speaking or trying to solve your business security problems, he spends time riding his bike, playing one of seven instruments and walking one or more of his five dogs (shelties named after musicians). In addition he enjoys eating his wife Brenda’s famous gourmet cooking.
Shane O’Donnell has been involved in the fields of Accounting, Risk Management and Audit for over 10 years and currently serves as the Chief Audit Executive for The Mako Group, an IT Security Consulting company specializing in Auditing and Information Security for the Health Care, Manufacturing, Retail and Financial industries as well as both the private and public sectors. As CAE his duties include overseeing the overall audit function, developing The Mako Group engagement methodology and servicing The Mako Group’s clients.
Shane holds a BA in Accounting from Western Michigan University and an MSA in Accounting from Walsh College. He received his initial audit training at PricewaterhouseCoopers and was the Manager of Financial Controls at Ally Bank prior to joining The Mako Group. As Chief Audit Executive, Shane’s responsibilities include:
• Developing and overseeing the application of The Mako Group audit methodology
• Performing comprehensive risk assessments, identifying vulnerabilities and creating actionable plans to mitigate outstanding risks
• Performing training with new staff members to maintain a high level of service to customers
• Partnering with companies to improve and test compliance with applicable rules and regulations
Mr. O’Donnell has presented and conducted training on topics of interest to the audit community such as:
• Sarbanes-Oxley Compliance
• FDICIA Compliance
• Risk Management
• Internal Control Implementation
Mr. O’Donnell is an active member in the Detroit Chapter of ISACA and is a Certified Public Accountant and Certified Information Systems Auditor.
Enterprise Risk Management (“ERM”) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
ERM represents a significant evolution beyond previous approaches to risk management in that it:
• Encompasses all areas of organizational exposure to risk (financial, operational, reporting, compliance, governance, strategic, reputational, etc.);
• Prioritizes and manages those exposures as an interrelated risk portfolio rather than as individual “silos”;
• Evaluates the risk portfolio in the context of all significant internal and external environments, systems, circumstances, and stakeholders;
• Recognizes that individual risks across the organization are interrelated and can create a combined exposure that differs from the sum of the individual risks;
• Provides a structured process for the management of all risks, whether those risks are primarily quantitative or qualitative in nature;
• Views the effective management of risk as a competitive advantage; and
• Seeks to embed risk management as a component in all critical decisions throughout the organization.
(http://www.rims.org/erm/pages/WhatisERM.aspx)
Is ERM really meant for community banks and at what size does it begin to make sense?
Person-owned credit unions are specifically exempted from performing ERM activities in NCUA regulations.
http://coso.org/-ERM.htm
http://www.rims.org/resources/erm/Pages/default.aspx
http://ww.iso.org
FFIEC – see included documents
http://www.jnj.com
http://www.nist.gov
Cybersecurity Framework – see included documents
One common theme throughout the literature is the difficulty of discussing technical findings with the C-suite. Most authors recommend that risk be discussed in terms of the opportunities to the organization and how it fits with the organization’s risk tolerance profile.