3. you might have to stop doing business altogether
stolen data can be used against your customers
the press may have a field day on you
it will be even worse in social media
you could lose critical assets
employees or directors could go to jail
competitors may learn your secrets
you may have to pay fines
the trust you've built into your brand may disappear
IT can be extremely complex & opaque, may require
4. And just because you're a small, nimble start-up does not give you license to be sloppy (especially if you hope to pass exit due diligence)
5. Here are 10 obvious, but common, mistakes to avoid…
7. MISTAKE: LACK LEADERSHIP
Leadership must understand the strategic importance of technology risk management. They must also be involved with decision-making and communicate like crazy.
8. MISTAKE: LACK LEADERSHIP
Leadership must put in place a technology risk management (TRM) framework that includes the right culture, policies, standards (enterprise requirements), & control procedures. They must also be responsible for communications & the quality of firm-wide execution.
13. MISTAKE: LACK LEADERSHIP
Line managers must be engaged & accountable for TRM. TRM must not be seen as red tape. It must be seen as a core job function of a technology manager (and disciplined/rewarded as such).
15. MISTAKE: LACK TRM FRAMEWORK
A TRM Framework must protect data & IT assets from unauthorized access or disclosure, misuse, and fraudulent modification.
16. MISTAKE: LACK TRM FRAMEWORK
A TRM Framework must ensure data confidentiality, system security, reliability, resiliency, & recoverability.
19. MISTAKE: LACK TRM FRAMEWORK
A TRM Framework must identify & assess the impact and likelihood of operational & emerging risk, including internal & external networks, hardware, software, interfaces, operations, and human resources. The firm must also have a mechanism to identify risk trends externally.
20. MISTAKE: LACK TRM FRAMEWORK
A TRM Framework must methodically & regularly inventory and prioritize risks, controls, exceptions, and gaps.
23. MISTAKE: LACK PARTNER OVERSIGHT
IT provided or supported* by partners must be in scope & leadership must fully understand outsourcing risks. Outsourced IT infrastructure is still part of your TRM. You can't wash your hands of it.
* Provision or support includes system development and support, DC ops, network admin, BCP, hosting / cloud, and can involve one or more parties in or out of country
24. MISTAKE: LACK PARTNER OVERSIGHT
Proper due diligence must ensure viability, capability, reliability, & stability of vendors.
25. MISTAKE: LACK PARTNER OVERSIGHT
Written contracts must define expected risk-related service levels, roles, obligations, & control processes* in detail. They must also be reviewed regularly.
* For example, performance targets, service levels, availability, reliability, scalability, compliance, audit, security, contingency planning, disaster recovery and backup
26. MISTAKE: LACK PARTNER OVERSIGHT
A Service Level Management Framework such as the IT Infrastructure Library (ITIL) must ensure continuing, monitored controls compliance.
27. MISTAKE: LACK PARTNER OVERSIGHT
An exit / backup plan must be in place to switch partners if required.
29. MISTAKE: LACK PORTFOLIO MGMT
The entire technology portfolio/platform must be managed through its lifecycle. The business must be engaged with portfolio strategy as a key stakeholder.
30. MISTAKE: LACK PORTFOLIO MGMT
Enterprise architecture strategy must be supported by accurate & accessible MIS and asset management data.
32. MISTAKE: LACK PORTFOLIO MGMT
A professional Project / Change Management Framework like the Project Management Body Of Knowledge (PMBOK) or ITIL must guide change from current to target.
33. MISTAKE: LACK PORTFOLIO MGMT
A professional Quality Management program should ensure quality of build and operate. For example, a documented software development lifecycle (SDLC) should effectively guide development & code quality.
41. MISTAKE: LACK RECOVERABILITY
The firm needs a realistic, business-prioritized, strategically-aligned & simple business continuity plan (BCP) that ensures reliability, performance, scalability, availability, and recoverability.
42. MISTAKE: LACK RECOVERABILITY
The BCP should identify critical systems (those that must not go down) as well as recovery point objectives (RPO) and recovery time objectives (RTO) to guide restoration service levels.
43. MISTAKE: LACK RECOVERABILITY
The disaster recovery plan should cover multiple scenarios, expose dependencies, & be tested regularly.
44. MISTAKE: LACK RECOVERABILITY
Backup management must ensure that IT assets can be recovered as soon as required, depending on priority, & that dependencies are understood.
47. MISTAKE: LACK DATA SECURITY
You must protect data, hardware, software, and networks from accidental or intentional unauthorized access or tampering by internal or external parties.
48. MISTAKE: LACK DATA SECURITY
You must identify levels of data sensitivity and ensure escalating levels of protection based upon the significance / priority of risk.
49. MISTAKE: LACK DATA SECURITY
You must have end-to-end data protection such as encryption when you are dealing with confidential data. Your controls / standards must be in force wherever your data is stored or transmitted.
50. MISTAKE: LACK DATA SECURITY
You must properly dispose of assets that hold confidential data.
51. MISTAKE: LACK DATA SECURITY
You must have a mechanism to monitor security & react as required.
53. MISTAKE: LACK SYSTEM SECURITY
You must protect data, hardware, software, and networks from accidental or intentional unauthorized access or tampering by internal or external parties.
54. MISTAKE: LACK SYSTEM SECURITY
You must identify levels of sensitivity & ensure escalating levels of protection based upon the significance / priority of risk.
55. MISTAKE: LACK SYSTEM SECURITY
You must ensure that IT assets are patched as required. You must ensure that IT assets are migrated out of production before End-of-Life or End-of-Service.
56. MISTAKE: LACK SYSTEM SECURITY
You must deploy the right level of network security (including anti-virus) across operating systems, network devices, databases, and enterprise mobile devices.
57. MISTAKE: LACK SYSTEM SECURITY
Key points in the infrastructure (perimeter & internal as required) must be protected through intrusion detection & prevention tools such as firewalls.
58. MISTAKE: LACK SYSTEM SECURITY
You must test security using vulnerability assessment & penetration testing regularly.
59. MISTAKE: LACK SYSTEM SECURITY
You must have a mechanism to monitor security and react as required.
61. MISTAKE: LACK PHYSICAL SECURITY
You must protect data, hardware, software, and networks from accidental or intentional unauthorized access or tampering by internal or external parties.
62. MISTAKE: LACK PHYSICAL SECURITY
You must identify levels of sensitivity & ensure escalating levels of protection based upon the significance / priority of risk.
64. MISTAKE: LACK PHYSICAL SECURITY
You must implement appropriate physical security such as need-to-access-only requirements & security / surveillance systems.
65. MISTAKE: LACK PHYSICAL SECURITY
Critical resources such as air, water, power, fire suppression, & communications should be redundant where required.
67. MISTAKE: LACK ACCESS CONTROLS
For critical / sensitive systems an individual must not be granted access alone (never-alone principle).
68. MISTAKE: LACK ACCESS CONTROLS
The transaction process should prevent a single person from initiating, approving, and executing by themselves (segregation of duties). Job rotation is recommended for sensitive functions.
70. MISTAKE: LACK ACCESS CONTROLS
Access should be logged, and access rights should be easy to review & modify as access rights change naturally over time.
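As an added example (not from this deck), the never-alone principle, segregation of duties and access logging/review points of slides 67, 68 and 70 modelled as one small Python policy check. The system names, user names, entitlement records and the 90-day review window are constructed assumptions.

```python
from datetime import date, datetime, timezone

# Constructed sample: systems where the never-alone principle applies.
CRITICAL_SYSTEMS = {"core-ledger", "prod-db"}

# Constructed sample entitlements and the date the access review is run.
SAMPLE_RIGHTS = [
    {"user": "alice", "system": "prod-db", "last_reviewed": date(2024, 1, 1)},
    {"user": "bob", "system": "prod-db", "last_reviewed": date(2024, 5, 1)},
]
REVIEW_DATE = date(2024, 6, 1)

def check_segregation(tx):
    """Segregation of duties: initiate, approve and execute need three distinct people.
    tx is a dict with keys system, initiator, approver, executor (missing steps are None)."""
    roles = [tx.get("initiator"), tx.get("approver"), tx.get("executor")]
    if any(r is None for r in roles):
        return False, "incomplete: every step needs a named person"
    if len(set(roles)) < 3:
        return False, "one person holds more than one of initiate/approve/execute"
    return True, "ok"

def check_never_alone(system, present_users):
    """Never-alone: work on a critical system needs at least two people present."""
    if system in CRITICAL_SYSTEMS and len(set(present_users)) < 2:
        return False, "critical system: a second person must be present"
    return True, "ok"

def authorize(tx, present_users, access_log):
    """Run both checks, append the decision to access_log either way (allowed or refused),
    and return whether execution may proceed."""
    allowed, reason = check_segregation(tx)
    if allowed:
        allowed, reason = check_never_alone(tx["system"], present_users)
    access_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                       "user": tx.get("executor") or tx["initiator"], "action": "execute",
                       "system": tx["system"], "allowed": allowed, "reason": reason})
    return allowed

def rights_due_for_review(rights, today, max_age_days=90):
    """Periodic recertification: entitlements whose last review is older than max_age_days."""
    return [r for r in rights if (today - r["last_reviewed"]).days > max_age_days]

if __name__ == "__main__":
    log = []
    tx = {"system": "core-ledger", "initiator": "alice", "approver": "bob", "executor": "carol"}
    print(authorize(tx, {"carol"}, log), log[-1]["reason"])          # False: carol is alone
    print(authorize(tx, {"carol", "dave"}, log), log[-1]["reason"])  # True: ok
    print([r["user"] for r in rights_due_for_review(SAMPLE_RIGHTS, REVIEW_DATE)])  # ['alice']
```

Refused attempts are logged alongside allowed ones, so the log supports the review slide 70 asks for rather than only recording successes.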
71. MISTAKE: LACK ACCESS CONTROLS
There must be separate environments for development, testing, and production, with controlled access to production, where production access is limited and governed by segregation of duties.
72. SHARE THIS DECK & FOLLOW ME (please-oh-please-oh-please-oh-please)
Stay up to date with my future slideshare posts:
http://www.slideshare.net/selenasol/presentations
https://twitter.com/eric_tachibana
http://www.linkedin.com/pub/eric-tachibana/0/33/b53
74. CREATIVE COMMONS ATTRIBUTIONS & REFERENCES
Title Slide: http://www.flickr.com/photos/23754017@N08/
Dude Slide: http://www.flickr.com/photos/karen_od/
Ewok Slide: http://www.flickr.com/photos/daviddurantrejo/
Leadership Slide: http://www.flickr.com/photos/daviddurantrejo/
Tech Risk Mgmt Slide: http://www.flickr.com/photos/daviddurantrejo/
Partner Oversight Slide: http://www.flickr.com/photos/daviddurantrejo/
Service Mgmt Slide: http://www.flickr.com/photos/gageskidmore/
Portfolio Mgmt Slide: http://www.flickr.com/photos/fotomaf/
Recoverability Slide: http://www.flickr.com/photos/karen_od/
Data Security Slide: http://www.flickr.com/photos/daviddurantrejo/
System Security Slide: http://www.flickr.com/photos/daviddurantrejo/
Physical Security Slide: http://www.flickr.com/photos/fotomaf/
Access Controls Slide: http://www.flickr.com/photos/daviddurantrejo/
http://www.mas.gov.sg
http://www.isaca.org
http://coso.org/guidance.htm
http://www.itil-officialsite.com
http://www.pmi.org
Please note that all content & opinions expressed in this deck are my own and don't necessarily represent the position of my current, or any previous, employers.