dr bakari presentation
TRANSCRIPT
©2010 Open University of Tanzania – Dr. Jabiri K. Bakari
Is IT governing us or are we governing it?
Managing ICT Related Risks: Who is Responsible and What Went Wrong?
Dr. Jabiri Kuwe Bakari (BSc. Computer Sc., MSc. (Eng.) Data Communication, Ph.D.)
Lecturer & Director, Institute of Educational Technology, The Open University of Tanzania
E-mail: [email protected]
Hilton DoubleTree Hotel, Oyster Bay, Slipway Road
8th December, 2010
Agenda
• Introduction
• An overview of ICT and its Security Problem
• ICT related risks
• What went wrong
• Who is responsible
• Lessons from others
• What can be done?
Technology Trend
• Stone, Iron, Industry, Information Age!
• The world has now moved from natural resources to an information economy.
• Information held by public and private organisations' information systems is among the most valuable assets in an organisation's care and is considered a critical resource, enabling these organisations to achieve their objectives.
• Because the organisation's value has moved from tangible to intangible assets, the risks have moved too; hence the overall corporate risk management should take a new track.
• Today ICT is in almost all National Critical Infrastructure.
ICT in Critical National Infrastructures
• Private and public organisations, government, and the national security system increasingly depend on an interdependent network of critical physical and information infrastructures. Examples:
– energy production, transmission, and distribution
– telecommunications
– financial services
– transportation sectors: railways, highways, airports etc.
– systems for the provision of water and food for human use and consumption
– continuity of government
– chemical industry and hazardous materials
– agriculture
– defence industrial base
– gas and oil storage and transportation
• The national economy is increasingly reliant upon certain critical infrastructures and upon cyber-based information systems.
• Any compromise of or attack on our infrastructure and information systems may be capable of significantly harming our economy!
Agenda: An overview of ICT and its Security Problem
Information security is about protection of ICT assets/resources in terms of Confidentiality, Integrity and Availability (of information and services) and Access Control to information. It involves Protective/Proactive, Detective, Reactive and/or Recovery measures.
An overview of ICT & its security Problem
(Figure: Holistic View of the ICT security Problem. The valuable asset of organisations, information, sits at the centre; around it is the ICT: software (operating systems, application software), i.e. a set of instructions.)
Managing ICT security is a continuous process by which an organisation determines what needs to be protected and why; what it needs to be protected from (i.e. threats and vulnerabilities); and how (i.e. mechanisms) to protect it for as long as it exists.
Holistic Approach required
(Figure: the holistic view of the ICT security problem, with the valuable asset of the organisation, information, at the centre and a threat shown at each layer: malicious software (virus, worm, denial-of-service attack, backdoors, salami attacks, spyware, etc.) can be introduced at the software layer; physical security of the hardware; an authorised user abusing his/her privileges, e.g. disgruntled staff.)
ICT related risks from the Business Perspective
Business risks result from using ICT as a business enabler without having proper ICT governance and the related risk controls in place.
Refer to the Golden Tulip Hotel, Dar es Salaam workshop of 23rd August 2006, four years ago.
• Problem by then
Security Management in the organisations - Tanzania
Perception Problem
• At the strategic level: absence of an ICT security policy, no defined budget for ICT security, perceived as a technical problem and not a business risk.
• At the operational level: perceived to belong to the IT department and in some cases not coordinated.
• Absence of designated ICT security personnel/unit.
An overview of ICT Security Management in the organisations: a perception problem, handled ad hoc.
By mid-2007 a final Holistic Approach for Managing ICT Security in Organisations was produced.
(Figure: the approach is a process of twelve guidelines, GL-01 to GL-12, in two phases: the introduction of the ICT security management process (initialisation) and the internalised & continuous process. It operates in the context of the organisation, the organisation's goal & services, the environment and its stakeholders.)
• GL-01 Strategic (top) management's backing
• GL-02 Technical management's backing
• GL-03 Form project team & plan
• GL-04 Quick scan
• GL-05 General management's attention & backing
• GL-06 Review/audit ICT security
• GL-07 Awareness & backing of general staff
• GL-08 Risk assessment/analysis
• GL-09 Mitigation planning
• GL-10 Develop countermeasures
• GL-11 Operationalisation (ICT security policy, services & mechanisms)
• GL-12 Maintenance (monitor the progress)
Presented in a book: ISBN 91-7155-383-8
Each process maps onto the holistic view of the security problem (the users around the valuable asset, information).
(Figure: a management team discussing the ICT security problem, with the users and the valuable asset, information, in between them. One side says "This is a technical problem"; the other says "This is a business problem".)
Four Years Later - More developments and more problems….
Agenda: What went wrong
ICT Service delivery problems
ICT Service delivery problems: problems related to failure to access computerised services in a number of connected offices or outlets (e.g. a customer at an ATM).
ICT Service delivery problems: customers waiting to pay their taxes!
ICT operational incidents: deposit, withdraw & send money using a mobile phone; transaction delays.
ICT disposal management: ICT hardware disposal; sensitive information found on the hard disks.
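The disposal finding above is easy to check for before equipment leaves the organisation. What follows is an added example, not part of the presentation, of a minimal verification pass over a raw disk image: it counts blocks that are not all zeros (a zero-overwrite should leave none) and looks for well-known file headers at block boundaries. The two images, the "boot sector" marker and the payroll/customer text inside them are constructed for the example.

```python
"""Verify that a disk (image) was actually sanitised before disposal.

Added example, not from the original presentation. It scans a raw image
for two kinds of residual data: blocks that are not all zeros (a wipe with
zeros should leave none) and well-known file signatures ("magic bytes").
In real use the device or image is read from disk in block-sized chunks;
here the images are constructed in memory so the example runs offline.
"""
from __future__ import annotations

# Signatures a practitioner commonly looks for. They are checked at block
# boundaries, which is where file headers usually start on a filesystem.
SIGNATURES = {
    b"%PDF-": "PDF document",
    b"\xff\xd8\xff": "JPEG image",
    b"PK\x03\x04": "ZIP/Office document",
    b"MZ": "Windows executable",
    b"\x7fELF": "ELF executable",
}

BLOCK = 512  # classic sector size; use 4096 for 4Kn drives


def scan_image(data: bytes, block_size: int = BLOCK) -> dict:
    """Summarise residual data found in a raw image.

    Returns the block count, how many blocks contain any non-zero byte,
    the (offset, type) of every recognised file header, and whether the
    image passes as zero-wiped.
    """
    nonzero = 0
    found = []
    for off in range(0, len(data), block_size):
        chunk = data[off:off + block_size]
        if any(chunk):  # any non-zero byte in this block
            nonzero += 1
            for magic, name in SIGNATURES.items():
                if chunk.startswith(magic):
                    found.append((off, name))
    return {
        "blocks": -(-len(data) // block_size),  # ceiling division
        "nonzero_blocks": nonzero,
        "signatures": found,
        "sanitised": nonzero == 0,
    }


def make_unwiped_image() -> bytes:
    """Constructed sample: a disk that was only formatted, never wiped."""
    img = bytearray(BLOCK * 8)
    img[0:32] = b"FAKE-BOOT-SECTOR".ljust(32, b"\x00")
    pdf = b"%PDF-1.4\n1 0 obj << /Title (Payroll 2010) >>"
    img[BLOCK * 2:BLOCK * 2 + len(pdf)] = pdf
    txt = b"Customer account 0123456789 balance 1,200,000 TZS"
    img[BLOCK * 5:BLOCK * 5 + len(txt)] = txt
    return bytes(img)


def make_wiped_image() -> bytes:
    """Constructed sample: the same size disk after a zero-overwrite."""
    return bytes(BLOCK * 8)


if __name__ == "__main__":
    for label, img in (("formatted only", make_unwiped_image()),
                       ("zero-wiped", make_wiped_image())):
        print(label, scan_image(img))
```

To run it against a real device or image, read it in block-sized chunks instead of the in-memory bytes. If the wipe used a random pattern rather than zeros, a high non-zero count is expected and only the signature check is meaningful; and neither check sees sectors the drive's firmware has remapped or, on flash, copies left behind by wear levelling, which is why physical destruction remains the safer route for disks that held sensitive data.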
Is IT governing us or are we governing it?
• Despite the many technical solutions available, the management of ICT-related risks in organisations is increasingly becoming a major concern to many ICT-dependent organisations.
What went Wrong? And why in Tanzania?
ICT Risk Management Drivers – a Comparative Study of Sweden, USA, India, and Tanzania (IEEE CRiSIS 2007)
• The interesting question here was: what is it that makes the difference?
– Is it because of the consequences of globalisation?
– Is it because of the different regulations and requirements that need to be complied with in a given country?
– Is it because of market pressure or customer demand?
– Is it because of different cultures, in that, according to Robbins, national culture continues to be a powerful force in explaining a large proportion of organisations' behaviour?
Objectives
• The objective of this study was to investigate the effects of some possible ICT risk management drivers on the process of getting senior management involved in ICT risk management, and hence accountable.
• The investigation was carried out by taking a case study of four countries, namely Sweden, USA, India, and Tanzania.
• The drivers investigated were mainly:
– Globalisation,
– Market Pressure,
– Customer Demand and
– Regulatory Requirements.
Examples of ICT Risk Management Drivers
• One condition for global collaboration between different organisations, cultures and time zones is a "common language", i.e. internationally accepted standards and frameworks.
• By using these standards and frameworks, security and quality can be defined, agreed on and followed up.
• One further advantage is the fact that offshore suppliers are normally certified using these standards and frameworks.
• Their prospective customers can more easily assess security and quality requirements.
• Sarbanes-Oxley Act 2002 (SOX): controlled and enforced by the US Securities and Exchange Commission.
• Committee of Sponsoring Organizations (COSO) framework.
• Control Objectives for Information and related Technology (COBIT): an IT governance framework.
Research approach, Methodology
• Based on four studies, the status and experiences of how ICT risk management is practised in organisations in Sweden, USA, India and Tanzania were investigated.
• Findings from the four studies were used as input to investigate senior management's involvement in the ICT risk management process.
Studies in the four Countries (Sweden)
• A study on Swedish government agencies concerning the use of IT security indicated:
– lack of support from senior management;
– ICT security is not carried out in a systematic way, which makes it difficult for management to prioritise between different risks and countermeasures, causing difficulties in following up the state of security.
• The use of models for return on security investment also shows the lack of support from senior management.
• Another study was carried out by interviewing information security managers and risk managers at 7 large Swedish trade and industry organisations making extensive use of ICT, most of them also with large international operations.
– The overall summary of the result from the study is that risk analysis is not used as a method to allocate resources for increasing the security level of the ICT systems.
– The reason for this is probably that using risk analysis has not gained the approval of management.
Studies in the four Countries (USA)
• The USA study was based on the "2006 CSI/FBI Computer Crime and Security Survey", which is based on the responses of 616 computer security practitioners in US corporations, government agencies, financial institutions, medical institutions and universities.
– The survey indicated a substantial decrease in the total dollar amount of financial losses resulting from security breaches.
• Probably this is due to the introduction of SOX: "The Sarbanes-Oxley Act has changed the focus of information security in my organisation from technology to one of corporate governance".
• For example, the Act requires that:
– the CEO and CFO personally certify the correctness of the financial reports (section 302);
– the underlying (IT) processes be certified (section 404);
– financial events of importance be reported within four days (section 409);
– a person who deliberately destroys documents, physical or electronic, including e-mail, may be sentenced to up to twenty years' imprisonment (section 802).
Studies in the four Countries (India)
• The study in India was based on a medium-sized company as a representative outsourcing company in India, on the assumption of getting an average indication (2006).
• An example was iGATE corporation, which was ISO2000 certified, ISO27001 certified, COBIT maturity level 5 and SOX compliant.
• The reason they have done this is that they see it as absolutely essential to have these standards and frameworks implemented in order to remain in business.
• In India, customer demand and market pressure make security a top priority for senior management.
– Several Indian offshore suppliers are listed on the USA stock market and so have to fulfil SOX requirements and have the same level of security in place.
Studies in the four Countries (Tanzania)
• The study in Tanzania took place between 2003 and 2006; the respondents were mainly senior management, Chief Financial Officers, operational managers, IT managers and general and technical staff.
• The study indicated that the focus of the organisations is on what is commonly known as "Computerisation".
– Very little or no attention at all is paid to managing ICT-related risks.
• This was partly found to be due to the following reasons:
– not knowing that they are vulnerable to ICT-related risks as a result of computerisation;
– ICT risk is not seen as a risk to the organisation's business;
– the relaxed culture and lack of formal ICT and ICT security policies and procedures;
– believing that ICT security is a technical problem, and therefore both ICT in general and ICT security in particular being set aside for more important things.
Today in Tanzania …
• Poor Planning and Management of ICT
– Lack of alignment between ICT strategy and business strategy
– High cost of ICT with low or unproven return on investment (ROI)
• ICT Staff with inadequate skills
– Non-ICT "ICT staff", coupled with non-ICT "ICT vendors" and sometimes non-ICT "ICT consultants"
– Where relevant skills exist, they are underutilised
• Problems in Acquisition of ICT related Solutions
– Ad hoc and uncoordinated ICT initiatives, mostly vendor- or donor-driven solutions
– with too much dependence on vendor & donor
– not locally tailored
Problem in Acquisition of ICT related Solutions
(Figure: the acquisition flow between the User Dept, Tender Board, PMU, Tender Evaluation Team, ICT Dept/Division/Dir, Store and Vendor, with good-practice and bad-practice paths and ICT disposal at the end. Annotations: the vendor communicates directly with the user; lack of an ICT expert; lack of an appropriate ICT expert; "they are the experts" (recall: software is a set of instructions!); technical staff are consulted for inspection against the specification, and if it is software it is run in a test environment. A lot of security implications.)
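One concrete form of the "inspection against the specification" step, before vendor software is run in the test environment, is to confirm that what arrived is what was specified. The following is an added example, not a procedure from the presentation or from any vendor: the vendor hands over a manifest of SHA-256 digests through a channel separate from the delivery (e.g. with the signed specification), and the receiving ICT staff recompute the digests over the files that actually arrived. The release files, their names and the manifest are constructed for the example.

```python
"""Acceptance check for vendor-delivered software before it enters the
test environment. Added example, not part of the presentation or of any
vendor's procedure. The manifest (file name -> SHA-256 digest) is assumed
to arrive through a channel separate from the delivery itself; the
delivered files and the manifest below are constructed in memory so the
example runs offline.
"""
from __future__ import annotations

import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """What the vendor should hand over out-of-band: name -> SHA-256."""
    return {name: sha256_hex(content) for name, content in files.items()}


def verify_delivery(manifest: dict[str, str], delivered: dict[str, bytes]) -> dict:
    """Compare a delivery against the out-of-band manifest.

    Reports files that matched, that differ (altered or corrupted in
    transit), that are missing, and that arrived without being listed.
    Unlisted extras are a supply-chain red flag, not a bonus, so any of
    the last three blocks acceptance.
    """
    matched, mismatched = [], []
    for name, expected in manifest.items():
        if name not in delivered:
            continue
        if sha256_hex(delivered[name]) == expected.lower():
            matched.append(name)
        else:
            mismatched.append(name)
    missing = sorted(set(manifest) - set(delivered))
    unexpected = sorted(set(delivered) - set(manifest))
    return {
        "accepted": not (mismatched or missing or unexpected),
        "matched": sorted(matched),
        "mismatched": sorted(mismatched),
        "missing": missing,
        "unexpected": unexpected,
    }


# Constructed sample release (names and contents are hypothetical).
VENDOR_RELEASE = {
    "payroll-2.3.jar": b"\xca\xfe\xba\xbe" + b"fake jar contents for the example",
    "install.sh": b"#!/bin/sh\necho installing payroll 2.3\n",
}
MANIFEST = build_manifest(VENDOR_RELEASE)


def tampered_delivery() -> dict[str, bytes]:
    """The same release with one file altered and an unlisted extra added."""
    d = dict(VENDOR_RELEASE)
    d["install.sh"] = b"#!/bin/sh\necho installing payroll 2.3 (modified)\n"
    d["README.txt"] = b"not in the manifest"
    return d


if __name__ == "__main__":
    print("as shipped:", verify_delivery(MANIFEST, VENDOR_RELEASE))
    print("tampered:  ", verify_delivery(MANIFEST, tampered_delivery()))
```

A mismatch, a missing file or an unlisted extra each block acceptance until the vendor explains it. The manifest itself must come signed or through the contract channel: an attacker who can alter the delivery can alter a manifest that travels with it.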
• No proper ICT related Risk Management
– Security policy and procedures not in place
– Inadequate business continuity measures
– Serious ICT operational incidents
– ICT not meeting nor supporting compliance requirements
• Obsolete Organisation Structure
– ICT function seen as operations only, not cross-cutting
– Structure should consider current ICT development and its socio-economic impacts
Obsolete Org structures
(Figure: an organisation chart with the CEO at the strategic function, Directors at the management function and Line Managers at the operational function; the ICT Dept sits at the operational level. Annotations: under-staffed; not well utilised, especially in public organisations; no clear job description; not motivated.)
Lack of awareness about ICT related risks among customers – while talking about Internet banking: how many people have read the bank customer service contract/agreement?
Agenda: Lessons from others
• Referring to the studies, one can see that Market Pressure and Customer Demand, which lead to regulatory requirements such as SOX, are significant risk management drivers.
(Figure: ICT risk management drivers across the four countries. "SOX Requirements (including frameworks)" and "Market Pressure & Customers Demand" link to USA, India, Sweden and Tanzania under an overall "Globalisation effect"; each link is marked as weak demand or strong demand, one of them as strong demand only in some cases.)
• The key point was to get senior management's backing and involvement in the ICT risk management process.
• This study shows that even though there are international standards and frameworks for feedback on how ICT risks are handled in an organisation, compliance with regulations seems to be the strongest driver actually affecting the involvement of senior managers in the ICT risk management process.
• However, in noting this, we also include (but view it as happening in earlier feedback cycles) that Globalisation, Customer Demand and Market Pressure are drivers that initiate regulations (such as SOX) and thus interact as indicated earlier.
• Through regulation (such as SOX), senior managers were in varying degrees held personally accountable.
– We have seen, for example, that some sections, as mentioned, are very tough.
• However, there is still a need to identify more drivers of ICT risk management on the international and national scenes. It seems important to investigate how national, organisational and security cultures can blend and adapt in order to handle ICT security risks as part of the ordinary business processes.
Currently, empirical data concerning the influence of cultural factors on ICT risk management are weak. We are now researching how cultural factors might affect or drive the ICT risk management process.
Agenda: Who is responsible
ICT is critical and strategic to an organisation's business operations.
ICT involves huge investments and great risks.
• Top management and oversight bodies that are vested with day-to-day planning, organising, controlling, directing and staffing responsibilities have a broad stake in ensuring that everything, including ICT matters, is properly manned and managed.
• Boards of Directors are vested with such responsibilities.
• ICT-related risk management requires strategic direction and a driving force, and the Board is responsible for that through the CEO.
Agenda: What can be done?
• Corporate board compositions should include ICT experts, just as we include board members with legal and finance competences.
• The organisation's goal and its strategic objectives should be well aligned with its ICT strategies.
• Tender Boards and Tender Evaluation Committees should also include personnel with ICT expertise.
• Organisation structures should be reviewed to place ICT at the strategic level, not only at the technical/operational level.
• Industry and academia should facilitate research into ICT risk-related issues, in order to foresee future and potential incoming threats.
Conclusion and Outlook
• The principal goal of an organisation's risk management process should be to protect the organisation and its ability to achieve its mission;
• and therefore ICT-related risk management should be part of the overall corporate risk management, because the value has moved from tangible to intangible assets.
Approaching IT governance
• Aligning IT & business
• Managing service delivery for the promised service level
• Managing resources for maximum benefit
• Managing risk to foresee problems and mitigate them
• Measuring performance to monitor and report on delivery performance
How could the management of ICT related risks be improved, in order to reduce the potential financial damage as a result of computerisation?
Answer: A Holistic Approach for Managing ICT Security in Non-Commercial Organisations. A Case Study in a Developing Country.
Presented in a book: ISBN 91-7155-383-8
How to Plan and design a suitable ICT Security Management Process
It's now the intangible economy! Information is the most valuable asset and is the only commodity that can be stolen without being taken!
If organisations do not address these problems, then they should expect severe financial damage resulting from service interruption, reputation damage, loss of strategic information, liability claims, loss of property,
The dependence on ICT for core business operations makes ICT an important strategic tool.
Thank you!