dr bakari presentation

©2010 Open University of Tanzania – Dr. Jabiri K. Bakari

1

Is IT governing us or are we governing it?

Managing ICT Related Risks: Who is Responsible and What Went Wrong?:

Dr. Jabiri Kuwe Bakari (BSc. Computer Sc., Msc. (Eng.) Data Communication, Ph.D.)

Lecturer & Director, Institute of Educational Techn ologyThe Open University of Tanzania

E- mail: [email protected]

Hilton Double Tree Hotel-Osterbay,Slipway Road

8th December, 2010


2

Agenda• Introduction••• An overview of ICT and its Security An overview of ICT and its Security An overview of ICT and its Security

ProblemProblemProblem••• ICT related risksICT related risksICT related risks••• What went wrongWhat went wrongWhat went wrong••• Who is responsibleWho is responsibleWho is responsible••• Lessons from othersLessons from othersLessons from others••• What can be done?What can be done?What can be done?


3

Technology Trend• Stone, Iron, Industry, Information Age!• The world has now moved from natural

resources to information economy.• Information held by public and private

organisation’s information systems is among the most valuable assets in the organisation’s care and is considered a critical resource, enabling these organisations to achieve their objectives


4

• Because the organization's value have moved from tangible to intangible assets the risks has moved too, hence the overall cooperate risk management should take a new track

• Today ICT is in Almost all National Critical Infrastructure


5

ICT in Critical National infrastructures� Private and public organizations, government, and

the national security system increasingly depend on an interdependent network of critical physical and information infrastructures. Examples – energy production, transmission, and distribution– telecommunications, – financial services, – transportation sectors: railways, highways, airports etc.– systems for the provision of water and food for human

use and consumption– continuity of government.– chemical industry and hazardous materials– agriculture– defence industrial base– gas and oil storage and transportation


6

� The national economy is increasingly reliant upon certain critical infrastructures and upon cyber based information systems

� Any compromise or attacks on our infrastructure and information systems may be capable of significantly harming our economy!


7

Agenda••• IntroductionIntroductionIntroduction• An overview of ICT and its Security

Problem••• ICT related risksICT related risksICT related risks••• What went wrongWhat went wrongWhat went wrong••• Who is responsibleWho is responsibleWho is responsible••• Lessons from othersLessons from othersLessons from others••• What can be done?What can be done?What can be done?


8

Information security is about protection of ICT assets/resources in terms of Confidentiality Integrity Availability – (information and services)Access Control to Information Involves: Protective/Proactive , Detective , Reactive and/or Recovery Measures

An overview of ICT & its security Problem

Valuable asset of organizations-Information Valuable asset of

organizations-Information

Software ( Operating Operating systems, Application systems, Application software) set of software) set of instructionsinstructions

ICT

Holistic View of ICT security Problem


9

Managing ICT security is a continuouscontinuous processprocess by which an organisation determines whatwhat needs to be protected and whywhy ; whatwhat it needs to be protected from (i.e. ThreatsThreats and VulnerabilitiesVulnerabilities ); and howhow (i.e. mechanisms) to protect it for as long as it exists.

Malicious software ( Virus, Virus, worm or denialworm or denial --ofof --service service attack, Backdoors, salami attack, Backdoors, salami attacks, attacks, spywarespyware , etc.), etc.) can be introduced here !

Holistic Approach required

Valuable asset of the organizations-Information

Valuable asset of the organizations-Information

An overview of ICT security Problem

Physical security of the hardware

Authorised user abusing his/her privileges e.g. Disgruntled staff


ICT related risks from the Business Perspective

Business risks result from using ICT as business enabler without having in place proper ICT Governance and related risks controls.


11

Refer GOLDEN TULIP HOTEL, DAR ES SALAAM

23th August, 2006 Workshop

Four Years Ago


12


13


14


15


16


17

• Problem by then


18

Security Management in the organisations -

Tanzania

Perception Problem

At the strategic level(Absence of ICT Security policy, no defined budget for ICT security, Perceived as technical problem and not business risk)

At the operational (perceived to belong to the IT departments and in some cases not coordinated)

Absence of designated ICT security personnel/unit.


19

Perception Problem

Ad-hoc

An overview of ICT Security Management in the organisations -


20

By Mid – 2007 - A Final Holistic Approach for Managing ICT Security in Organisations was produced

Strategic (Top)

Management’s

Backing

(GL-01)

Technical

Management's

Backing

(GL-02)

Quick

Scan

(GL-04)

Form

Project

Team & Plan

(GL-03)

General

Management’s

attention &

Backing

(GL-05)Risk

Assessment/

Analysis

(GL-08)

Mitigation

Planning

(GL-09)

Develop

Counter

Measures

(GL-10)

Operationalisation

(ICT Security

Policy, Services &

Mechanisms)

(GL-11)

Maintenance

(Monitor the

Progress)

(GL-12)

Review/Audit

ICT Security

(GL-06)

Awareness

& Backing of

General staff

(GL-07)

INTERNALISED & CONTINUOUS PROCESS

INTRODUCTION OF ICT

SECURITY MANAGEMENT

PROCESS (INITIALISATION)

The Organisation

The Organisation’s goal & services

The Environment

Stakeholders

Presented in a book: ISBN Nr 91-7155-383-8


21

Each process maps the Holistic View of the security Problem

Users

Valuable asset-Information


22

Management team discussing ICT security Problem

Users

Valuable asset-Information

This is a technical problem

This is a business

Problem


23

Four Years Later - More developments and more

problems….


24

Agenda••• IntroductionIntroductionIntroduction••• An overview of ICT and its Security Problem An overview of ICT and its Security Problem An overview of ICT and its Security Problem • What went wrong••• Who is responsibleWho is responsibleWho is responsible••• Lessons from othersLessons from othersLessons from others••• What can be done?What can be done?What can be done?


25

problem

ICT Service delivery problems


26

Problems related to failure

of accessing computerized services in a number of

connected offices or outlets.

customer at ATM



27



28

Customers waiting to pay their taxes!


29

Deposit ,Withdraw &Send money using mobile phone

Transactions delays

ICT operational incidents


30

ICT hardware disposal

Sensitive information found from the hard disks

ICT disposal management


Is IT governing us or are we governing it?


• Despite of many technical solutions available-The problem of management of ICT-related risks in organisations are increasingly becoming major concerns to many ICT-dependent organisations


33

What went Wrong?And why in Tanzania?


ICT Risk Management Drivers – a Comparative Study of Sweden,

USA,India, and Tanzania

IEEE CRiSIS 2007


• The interesting questions here was, – what is it that makes the difference?

– Is it because of the consequences of globalisation?

– Is it because of the different regulations and requirements that need to be complied with in a given country?

– Is it because of market pressure or customer demand?

– Is it because of different cultures, in that, according to Robbins, national culture continues to be a powerful force in explaining a large proportion of organisations’ behaviour?


Objectives • The objective of this study was to investigate the

effects of some possible ICT risk management drivers on the process of getting senior management involved in ICT risk management, and hence accountable.

• The investigation was carried out by taking case study of four countries namely Sweden, USA, India, and Tanzania.

• The drivers investigated were mainly – Globalisation,

– Market Pressure, – Customer Demand and

– Regulatory Requirements.


Examples of ICT Risk Management Drivers

• One condition for global collaboration between different organisations, cultures and time zones is a “common language”, i.e. internationally accepted standards and frameworks.

• By using these standards and frameworks, security and quality can be defined, agreed on and followed up.

• One further advantage is the fact that offshore suppliers are normally certified, using these standards and frameworks.

• Their prospective customers can more easily assess security and quality requirements.

SarbanesSarbanes --Oxley Act in Oxley Act in 2002 (SOX)2002 (SOX) -- controlled and controlled and enforced by the US Securities enforced by the US Securities

and Exchange Commissionand Exchange CommissionCommittee of Sponsoring Committee of Sponsoring OrganizationOrganization ’’s (COSO) s (COSO) frameworkframework

Control Objectives for Control Objectives for Information and related Information and related TechnologyTechnology -- an IT an IT governance frameworkgovernance framework


Research approach, Methodology

• Based on the four studies, status and experiences of how ICT risk management is being practised in organisations in Sweden, USA, India and Tanzania was investigated

• Findings from the four studies were used as input to investigate senior management’s involvement in the ICT risk management process.


Studies in the four Countries (Swedish)• Study on Swedish government agencies concerning the use

of IT security - Indicated. – lack of support from senior management. – ICT security is not carried out in a systematic way which

makes it difficult for the management to prioritise between different risks and countermeasures, causing difficulties in following up the state of security.

• The use of models for return on security investment also shows the lack of support from senior management

Another study was carried out by interviewing information security managers and risk managers at 7 large Swedish trade and industry organisations making extensive use of ICT, most of them also with large international operations. – The overall summary of the result from the study is that

risk analysis is not used as a method to allocate resources for increasing the security level for the ICT systems.

The reason for this is probably that The reason for this is probably that using risk analysis has not gained the using risk analysis has not gained the approval of the managementapproval of the management


Studies in the four Countries (USA) • The USA study was based on the “2006 CSI/FBI Comput er Crime and

Security survey” which is based on the responses of 616 computer security practitioners in US corporations, governme nt agencies, financial institutions, medical institutions and un iversities . – The survey indicated a substantial decrease in the total dollar

amount of financial losses resulting from security breaches. • Probably this due to the Introduction of SOX

– “The Sarbanes-Oxley Act has changed the focus of in formation security in my organisation from technology to one of corporate governance”.

• For example, the Act requires that: – CEO and CFO to personally certify the correctness i n the financial

reports (section 302); – Demands the certification of the underlying (IT) pr ocesses (section

404); – Financial events of importance must be reported wit hin four days

(section 409); – The person who deliberately destroys documents, phy sical or

electronic, including e-mail, may be sentenced to u p to twenty years’ imprisonment (section 802)


41


Studies in the four Countries (India)• The study in India was based on the medium-sized

company as a representative of an outsourcing company in India, on the assumption of getting an average indication (2006).

• An example was iGATE corporation which was ISO2000 certified, ISO27001 certified, COBIT maturity level 5 and SOX compliant.

• The reason they have done this is that they see it is absolutely essential to have these standards and frameworks implemented for them to remain in business.

• In India, customer demand and market pressure makes security a top priority for senior management. – several Indian offshore suppliers are listed on the

USA stock market and so have to fulfil SOX requirements and have the same level of security in place


Studies in the four Countries (Tanzania) • The study in Tanzania took place between 2003 and 2006 -

the respondents were mainly senior management, Chief Financial Officers, Operational managers, IT Managers and general and technical staff.

• The study indicated that the focus of the organisations is on what is commonly known as “Computerisation”. – Very little or no attention at all is paid to managing ICT-

related risks. • This was partly found to be due to the following reasons:

– not knowing that they are vulnerable to ICT-related risks as a result of computerisation

– ICT risk is not seen as a risk to the organisation’s business;– the relaxed culture and lack of formal ICT and ICT security

policies and procedures; – believing that ICT security is a technical problem and

therefore both ICT in general and ICT security in particular being set aside for more important things.


Today in Tanzania …


45

• Poor Planning and Management of ICT– Lack of alignment between ICT strategy and

business strategy– High Cost of ICT with low or unproven return on

investment (ROI)

• ICT Staff with inadequate skills– Non ICT -ICT staff, coupled with Non ICT –ICT

vendors and Sometimes Non ICT - ICT Consultants

– Where Relevant skills exist, they are underutilised


46

• Problems in Acquisition of ICT related Solutions– Ad hock and Uncoordinated ICT

initiatives Mostly Vendor OR donor driven solutions

– with too much dependence on vendor & Donor

– not local tailored


47

ICT Dept/Division/Dir

Tender board

PMU

TenderEvaluation

team

User Dept Vendor

Vendor communicate direct

to user

StoreGood practiceBad practiceICT Disposal

Lack of ICT expert

Lack of appropriate ICT expert

Problem in Acquisition of ICT related Solutions

They are the expert – Recall Set of Instructions! Tech. are consulted for

inspection against the specification/ If software

then run in test environment

- A lot of security implications


48

• No proper ICT related Risk Management – Security policy and procedures not in place

– Inadequate business continuity measures– Serious ICT operational incidents

– ICT not meeting nor supporting compliance requirements


49

• Obsolete Organization Structure– ICT function seen as only operations not

across-cutting– Structure should consider current ICT

development and its social-economic impacts


50

CEO

DirectorsDirectors Directors

LineManagers

LineManagers

LineManagers

LineManagers

LineManagers

ICTDept

Strategicfunction

Management function

Operational function

Obsolete Org structures

Under staffed

Not well utilized especially in public org

No clear job description

Not motivated


51

Lack of awareness about ICT related Risks to customers – while

talking about Internet Banking

How many people have read the Bank customer service

contract/agreement


52

••• IntroductionIntroductionIntroduction••• An overview of ICT and its Security An overview of ICT and its Security An overview of ICT and its Security

ProblemProblemProblem••• What went wrongWhat went wrongWhat went wrong••• Who is responsibleWho is responsibleWho is responsible• Lessons from others••• What can be done? What can be done? What can be done?


• Referring to the studies, one can see that Market Pressure and Customer Demand, which lead to regulatory requirements such as SOX, are significant risk management drivers.

SOX Requirements

(Including frameworks)

USA INDIA

SWEDEN

Market Pressure & Customers Demand

TANZANIA

Weak demand

Weak demand

Strong demand

Strong demand

Strong demand

Strong demand

Weak demand

Strong demand (Only in some

cases)

Globalisation effect


• The key point was to get senior management’s backin g and involvement in the ICT risk management process

• This study shows that even though there are international standards and frameworks for feedback on how the ICT risks are handled in an organisation , Compliance with Regulations seems to be the strongest driver actually effecting involvement of senior managers in the ICT risk management process.

• However, in noting this, we also include – but view it as happening in earlier feed-back cycles – that Globalisation, Customer Demand and Market Pressure are drivers that initiate regulations (such as SOX) and thus interact as indicated earlier.


• Through Regulation (such as SOX), senior managers were in varying degrees held personally accountable; – We have seen for example some sections, as

mentioned, are very tough.

• However, there is still a need to identify more drivers of ICT risk management in the international and national scenes- it seems important to investigate how national, organisational and security cultures can blend and adapt in order to handle ICT security risks as part of the ordinary business processes.


56

Currently empirical data concerning the influence of cultural factors on ICT risk management are weak. We

are now researching on how cultural factors might affect or drive the ICT risk management

process.


57


ProblemProblemProblem••• What went wrongWhat went wrongWhat went wrong• Who is responsible••• Lessons from othersLessons from othersLessons from others••• What can be done?What can be done?What can be done?


58

ICT is critical and strategic to organization’s business operations

ICT involves huge investments and great risks


59

•Top management and oversight bodies that are vested with day to day planning, organizing, controlling, directing and staffing responsibilities have a broad stake in ensuring everything, including ICT matters, are properly manned and managed.

•Boards of Directors are vested with such responsibilities

•ICT related risks management requires strategic direction and driving force and that Board is responsible through the CEO.


60


ProblemProblemProblem••• What went wrongWhat went wrongWhat went wrong••• Who is responsibleWho is responsibleWho is responsible••• Lessons from othersLessons from othersLessons from others• What can be done?


61

• Cooperate boards compositions to include ICT experts, just like the way we include board members with legal and finance competences

• organization’s goal and its strategic objectives well aligned with ICT strategies.

• Tender Boards and Tender Evaluation Committees should also include personnel with ICT expertise

• Organization structures should be reviewed to place ICT at the strategic level not only technical/operational level

• Industry and Academic should facilitate research in ICT risk-related issues, to perfectly foresee the future and potential incoming threats.


62

• The principle goal of an organization risk management process should be to protect the organization and its ability to achieve their mission

• and therefore ICT related risks management be part of the overall cooperate risk management because the value have moved from tangible to intangible assets

Conclusion and Outlook


Approaching IT governance • Aligning IT & Business• Managing service delivery

for promised service level• Managing Resource for

max benefit• Managing Risk to foresee

problem and mitigate• Measuring Performance to

monitor and report on delivery performance


How could the management of ICT related Risks be improved, in order to

reduce the potential financial damage as a result of computerisation?

Answer: A Holistic Approach for Managing ICT Security in Non-Commercial Organisations. A Case Study in a Developing Country

Presented in a book: ISBN Nr 91-7155-383-8


How to Plan and design a suitable ICT Security Management Process


66

It's now the intangible economy !Information is the most valuable asset and is the o nly

commodity that can be stolen without being taken!

If organizations do not address these problems then they should expect severe financial damage resulting fr om Services interruption, reputations damage, Loss of strategic information, liability claims, loss of pr operty,

The dependence on ICT to business Core operations makes the ICT an important strategic tool


67

Thank you!

dr bakari presentation

Business

jabiri kuwe bakari bsc

information infrastructures

information economy

information age

placeproper ict governance

physical security

ict asbusiness enabler

national security system