
risk management technology concerns and futures

2. Challenges and Successful Resolution Requirement. FIRST SEEK TO UNDERSTAND, THEN TO BE UNDERSTOOD. This centers on listening to what a client or prospect is telling us, whether we are selling or scoping a project.

Thomas

Presentation Transcript


    1. Risk Management Technology Concerns and Futures: Security and Audit Concerns Applied to Data Management. January 17, 2006. Dennis Huamn, Jefferson Wells, One Liberty Square, Boston, MA 02109


    3. Challenges facing IT audit and Security. Technology affects: Data Management, Service Oriented Architectures, Security, Audit. Impacts: IT Security and Audit that will need to embrace technology and develop metrics and dashboards to meet the challenges. Approach: use Technology Risk Management techniques to develop an enterprise solution.

    4. Data Management Concepts. EMD (Enterprise Master Data): required by application development and technology architecture groups; used in centralized and distributed databases requiring data integration; impacts operational development that needs information on transactions, hygiene of data (good, tainted, bad), and confidence that data descriptions are standardized. Customer Data Integration: process of tying all customer data together in one place to improve CRM. Product Information Management (PIM): keeping all product data together and accessible.

    5. New Technology: SOA. Service Oriented Architecture (SOA): loosely coupled (independent, sharable, and technology-agnostic services). Rationale: services built to provide reusable business processes to enable communication between business processes, and the creation of entire applications within an organization.

    6. SOA Purpose. SOA should provide: basic data movement; intricate data transformations; data cleansing; ability to use multi-services to create a multi-step, complex process.

    7. SOA Security and Audit Concerns. Databases are more useful if they have: common vocabulary for reports and analysis; common naming conventions across the enterprise; improve the quality of heterogeneous sources for master data. Beneficial because they: provide access control and improve use of operational data across the enterprise.

    8. Solution Baseline. Establish business policies that lead to useful data governance. Business policies must influence data implementation, ensuring data is: stored, protected, appropriately accessed, and used according to rigorously defined enterprise-level guidelines.

    9. Security Concerns and Practices. Concerns: privacy; protection of proprietary information (e.g. business intelligence). Practices: enterprise level guidance, policy on Role Based Access Control (RBAC); management must buy in and affirm data governance is a business goal and distinguishing market discriminator; establish data integration rules and practices; establish conflict resolution process.

    10. Data Management Policy Prevents Impacts: customer attrition; revenue erosion; non-compliance; worst case = business failure.

    11. Benefits. Access to high quality customer information. Better Customer Relationship Management. Customer data is: same, standardized, reconciled, and integrated. Provides benefits across the enterprise: order processing, billing. Ensures that customer data is valuable and useful throughout the enterprise.

    12. Baseline Approach. Develop structure. Use a Service Oriented Architecture (SOA). SOA is loosely coupled (i.e. should be independent, sharable, and technology-agnostic services). The services must be built to provide reusable business processes that enable communication between systems, and the creation of entire applications within an organization. Your security team support ensures integrity and compliance practice. Validating compliance requires audit support that is technically and procedurally capable.

    13. Baseline Approach, cont. Tools: Meta Data Management. Requires definition and competency in Management, Development Groups, Tech Groups, Security, and Audit (Internal and External). Technology and tools you must understand: TIBCO and Web Methods. Know these standards: OASIS, XML, CORBA, DCOM, etc.

    14. Security Practices. Understand data structures and data element relationships and dependencies. Apply previous knowledge such as net diagrams technology to build Data Diagrams. Communicate with Business Units, Business Developers, H/W and S/W developers, Test and Roll Out Teams, Audit, and Legal.

    15. Audit Practices. Understand the basic technology. Rely on and use experts to classify inter-relationships, meanings, impacts, compliance requirements. Develop and modify IT Audit Check Lists and Procedures to build an Audit Desktop to measure compliance (Success, Failures, ToDos, etc.). Identify and communicate findings. Inform Management, Developers, Peers in technology areas, business areas, legal, and in some cases Public Relations.

    16. Audit Procedures. Use corporate communication paths to: cross-communicate; share knowledge; improve the business environment, profitability, and reliability that protects corporate assets, protects the customer base, and maintains compliance with privacy, standards, and best business practices.

    17. Conclusion. Knowledge effectively shared and used benefits all enterprise members. Developing an Enterprise Master Database (EMD) has multiple benefits for: Management; Security and Audit teams; Compliance Status; Customer Relationship Management (CRM). An Enterprise Data Management Program provides: improved access to information; potential ROI based on EMD understood by enterprise management; justification for expenses, time, and staff needed to implement this approach; IT and Security are now seen as positive contributors to the bottom line. Use of a Technology Risk Management Program, Policy, and Practices provides: a vehicle addressing all present and future database challenges; valuable and meaningful service to our customers and business partners.

    18. References: COBIT; SANS reports and guidelines; ISO Standards and Certification (ISO 17799, ISO 27001:2006); NIST (800 Series); CORBA; OASIS; XML; DCOM (Distributed Component Object Model); Legislation (e.g. Federal Rules of Civil Procedure on E-discovery, Banking Regulations, HIPAA, Privacy, Security); Banking Regulations; HIPAA; Amendments to the Federal Rules of Civil Procedure re electronically stored information.
