IT Risk Management for Financial Services
An Essential Strategy for Business Success
Contents
Executive summary
Overview
The challenge to the enterprise
Five steps to risk management best practices
Symantec’s approach to best practices implementation
Putting our strategy to work
Executive summary
Assuming and managing risk is one of the important roles the financial services industry plays for its customers. The key, of course, is to manage risk profitably. Risk involves the many domain areas of expertise such as credit, investment, casualty, interest rate, and other traditional risks faced by financial services providers. To be successful, financial institutions understand that sound information management is critical to effectively serving customers while meeting planned profit objectives.
Yet, as much as institutions have invested in traditional risk management, too many enterprises have been slow to implement best practices for information technology (IT) risk management. IT risks include anything from a network shutdown that paralyzes the business to liability for failure to protect private data. Because it is dispersed throughout the enterprise, business-critical information is not always easy to protect.
Symantec has developed a comprehensive approach to IT risk management, based on our industry-leading best practices and technologies in the security and infrastructure management areas. Our approach to reducing IT risk enables a bank, brokerage firm, or insurance company to align the risk and cost of infrastructure, putting information technology assets on the same sound footing as other business assets.
This white paper describes best practices for enterprise IT risk management, the challenges faced by financial service providers in implementing best practices, and Symantec’s solution to those challenges.
Overview
Operational risk has always been a part of doing business. Today, however, management is increasingly required to identify, quantify, and manage the broad range of operational risks. The Sarbanes-Oxley Act in the United States and Basel II globally have made all levels of operational risk management, including IT risk, a board-level topic in every major financial institution today. These regulations require increased control and effective management of information assets throughout the institution. As a part of meeting these requirements, successful, forward-looking enterprises are developing specific strategies and policies for IT risk management.
IT risk management involves two complementary components: security and availability.
Information is worthless, and can even be a liability, if it’s not secure. Secure information is useless if it can’t be efficiently stored and readily accessed.
Individuals, corporations, and whole economies are increasingly dependent on the Internet and networked IT systems. The daily value that these systems deliver is often not readily apparent or easy to measure. Risk exposure can be equally elusive—dispersed among a number of departments, business service providers, and functions, and in a variety of forms.
Typical IT risks include lost business or productivity due to IT infrastructure downtime or disaster, liability for failing to keep customer data private, fines for regulatory violations, or inability to defend lawsuits due to inadequate record keeping. Recent headlines have demonstrated how anything from a lost laptop to a Category 1 hurricane can trigger a major incident. Each of these can be more broadly labeled as an “information incident.”
Throughout the globe, the rapidly evolving matrix of legislation and regulation requires new levels of privacy, security, and documentation. Audit and accountability requirements increasingly hold corporate board members, officers, and managers legally responsible—encouraging financial institutions to take a closer look at IT-related due diligence policies and business practices. In addition, the industry itself is developing and mandating standards such as communication and interoperability requirements. Figure 1 depicts a sampling of this global trend.
Figure 1. A sampling of global directives in financial services (figure rendered here as a list): Sarbanes-Oxley (SOX); Bank Secrecy Act (BSA); Gramm-Leach-Bliley Privacy Act (GLBA); Payment Card Industry Standards (PCI); USA PATRIOT Act; Single Euro Payments Area (SEPA); Basel II; Federal Financial Institution Examination Council (FFIEC); National Association of Securities Dealers Rules (NASD); U.S. Securities and Exchange Commission Rules (SEC); Markets in Financial Instruments Directive (MiFID); European Union Market Abuse Directive.
A recent Harvard Business Review report[1] identified company directors’ leading IT concerns:
• Is the company getting adequate ROI from information resources?
• Is there an effective, up-to-date plan in place for disaster response and recovery?
• Are management practices in place to prevent hardware, software, and legacy applications from becoming obsolete?
• Are corporate systems adequately protected against criminal intrusions?
• Do we have management practices in place to ensure 24x7 levels, including tested backup?
• Are there any possible IT-based surprises lurking out there?
Shareholders are paying attention, too: One study, by Oxford Executive Research, found that companies that recovered quickly from major operational disasters increased their share price by 5 percent on average versus the market. Companies that struggled to regain their operations took a 20 percent drop in relative value. Reducing the risk of losing market value is critical to meeting long-term business objectives in the capital-sensitive financial services industry.
[1] The Oxford Executive Research Briefing, The Impact of Catastrophes on Shareholder Value, Rory F. Knight and Deborah J. Pretty, 1996.
Security is the headline-grabbing component of IT risk. But on a day-to-day, profit-and-loss level, information availability is just as important. Diverse financial institutions need to handle an explosion of channel interaction, including email, instant messaging, and online transactions, managing both the information flow and the records they generate. Retention requirements create a challenge to efficiently archiving growing volumes of data. Management teams must have information available on demand, where and when it’s needed. Business continuity and disaster recovery plans need to be dynamically designed, implemented, and tested to make sure information remains accessible when the worst happens, and throughout periods of rapid change.
The challenge to the enterprise
Many boards and management teams lack knowledge of the extent of their exposure to IT risk. This hampers their ability to exploit the growing array of risk management tools in a financially effective way. A bank, brokerage firm, or insurance company must be able to identify, quantify, and manage information risk as predictably as it currently manages its unique industry risks. To do this, IT organizations must cost-justify remediation measures.
By quantifying business impact, minimizing exposure, and planning for disaster, a financial institution can go a long way towards putting information risk on a more businesslike footing. In addition, those who manage IT risk effectively tend to be far more operationally efficient than those who do not.
A successful enterprise needs to treat information technology risk within the integrated framework of business risk management. IT risk management alone does not yet have the kind of well-developed statistical or actuarial models that make financial risk assessment reasonably precise. However, “roughly right” approaches based on heuristics and experience yield reliable, valuable, and usable measures of IT risk. These approaches enable IT managers to assess the business impact of IT risks, and to demonstrate the ROI of prevention and remediation measures.
Effective IT risk management requires a comprehensive approach involving security, availability, performance, and compliance. IT risk is dispersed across departments, locations, and business lines, and needs to be addressed in ways that challenge conventional organizational charts. Corporate officers and executives need to take a leadership role in developing IT risk management strategies and policies. Moreover, IT risk management exists in a constantly changing environment and requires unremitting monitoring and continuous improvement.
Five steps to IT risk management best practices
Symantec has developed a five-step methodology that can be used throughout all segments of the financial services industry to develop effective IT risk management strategies. Using this method, institutions can improve their information security and availability at an appropriate pace, and know both the results and the return at every stage.
Risk has always been a part of financial services. In fact, the industry is compensated for taking and managing risk, whether in making loans or extending insurance coverage. These risk-taking activities are strategic to the institution. As technology plays an increasing role in financial services, IT risk management should also be viewed as a strategic tool, just as it is in credit risk management. In extending credit, an institution’s underwriting process is, to a large extent, a risk assessment. Avoiding unprofitable loan risk assures safety and soundness. In the same way, an accurate assessment of the threat environment in IT can help a bank, brokerage firm, or insurance company avoid spending money on remediation measures that may not be cost-justified. Improved IT efficiencies can then free up funds for an institution’s core mission.
The Symantec five-step IT Risk Management Methodology consists of the following elements:
1. Develop an awareness of IT risks
2. Quantify the business impact
3. Design solution(s)
4. Align the costs of IT risk management to business value and implement solution(s)
5. Build an institutional capability to manage IT risk
Step 1: Develop an awareness of IT risks
IT risks can take many forms, including the costs related to the loss of data as well as lost productivity due to lack of access to the data. Risks, costs, and opportunities for improvement fall into four major categories:
• Security—Information is altered or used by unauthorized people. Example causes: computer crimes, internal breaches, cyberterrorism.
• Availability—Information is not accessible because of system failure or slowdown, or cannot be recovered in sufficient time subsequent to a security or availability incident. Example causes: configuration changes, lack of redundancy in architectures, human errors, external threats, natural disasters.
• Performance—Information is not provided when it is needed, or major new sources of demand for information cannot be handled cost-effectively. Example causes: distributed architectures, business growth, siloed architectures, peak demand, heterogeneity in the IT landscape.
• Compliance—Information handling can violate any one of the ever-changing and fast-growing number of regulatory requirements. Example causes: inadequate technology, outdated compliance policies, human error or malfeasance.
Step 2: Quantify the business impact
It is essential to understand the risks that have been discovered in terms of the probability of an event that would trigger the risk, and the time value of the exposure should such a risk occur. Further, the risks need to be quantified for each critical business application. Knowing these two parameters allows the decision-maker to plot the values on a simple two-dimensional graph and to assign mitigation/remediation priorities to different applications. A simple and consistent methodology yields better results than a complex analysis in assuring the ability to evaluate and make effective risk management decisions.
Figure 2 is a graphic depiction of the cost calculation process. Each institution will make adjustments appropriate to meet its unique business needs.
Figure 2. A sample of calculating the cost of risk (figure rendered here as text): risk events such as Employee Error, Customer Error, IT Disaster, Terrorism, Noncompliance Remediation, External Fraud, Internal Fraud, and Natural Disaster are plotted on axes labeled Loss of Customer Information and Downtime Cost to the Business, each running from Low to High.
To be effective, policy must then go beyond a list of categories. Quantifying risk requires a view of the multiple dependencies between risks as well as an understanding of the potential for downstream implications. Here are some examples:
• An exploited security vulnerability may contribute to a recoverability risk. This impacts the institution’s business continuity.
• An application performance issue that prevents data access may provide the opening for a security risk. This can result in loss of information while the organization is focused on solving performance problems.
• Individual risk management efforts in one area may expose compliance risk in another if risk management is not coordinated throughout the enterprise.
The business impact may be direct or indirect—including financial, legal, and operational dependencies. Downstream implications include the negative customer experience that comes with poor performance, or one-off risk management requirements that complicate doing business with the institution. Unaddressed, negative customer experience will expose a new, more pernicious risk: customer attrition.
Just as in assessing the risk of any financial service, quantifying the business impact of IT risk gets to the core issue of being able to manage the enterprise risk equation. By better quantifying the potential financial impact of various operational risks, institutions are better able to justify the cost of remediation, and better able to judge what level of risk exposure is best suited to their strategic goals.
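As an added example (not code from the white paper or from Symantec), the following Python script carries the Step 2 procedure through for a small constructed portfolio: each critical application is scored on the two parameters named above, the probability of a triggering event and the time value of the exposure, the pair is placed on the two-dimensional probability-versus-exposure grid, and a mitigation/remediation priority is assigned per quadrant. The application names, cost figures, thresholds and quadrant labels are all assumptions made for the illustration.

```python
"""Two-axis IT risk prioritization (added example; figures are constructed).

Each application is scored on the probability of a triggering event and on
the time value of the exposure should the event occur.  The pair is placed on
a probability-versus-exposure grid and a priority is assigned per quadrant.
Application names, amounts, thresholds and quadrant labels are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AppRisk:
    name: str
    probability: float       # annual probability of a triggering event, 0..1
    cost_per_hour: float     # business cost of the application being unavailable, per hour
    recovery_hours: float    # expected time to restore service (the "time value" of the exposure)
    fixed_cost: float = 0.0  # one-off costs once the event happens: fines, notification, legal

    def __post_init__(self) -> None:
        # Reject inputs that would silently distort the grid.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        if min(self.cost_per_hour, self.recovery_hours, self.fixed_cost) < 0:
            raise ValueError(f"{self.name}: costs and durations must be non-negative")

    def exposure(self) -> float:
        """Loss if the event occurs: downtime cost over the recovery window plus one-off costs."""
        return self.cost_per_hour * self.recovery_hours + self.fixed_cost

    def expected_annual_loss(self) -> float:
        """Probability-weighted loss; useful for budgeting, but it hides the quadrant."""
        return self.probability * self.exposure()


# (probability high?, exposure high?) -> (priority, stance).  Labels are assumed.
QUADRANTS: Dict[Tuple[bool, bool], Tuple[int, str]] = {
    (True, True):   (1, "high probability, high exposure: mitigate now"),
    (False, True):  (2, "low probability, high exposure: plan recovery, consider transferring risk"),
    (True, False):  (3, "high probability, low exposure: fix the process, automate"),
    (False, False): (4, "low probability, low exposure: accept and monitor"),
}


def classify(risk: AppRisk, prob_threshold: float, exposure_threshold: float) -> Tuple[int, str]:
    """Place one application in a quadrant of the probability-versus-exposure grid."""
    key = (risk.probability >= prob_threshold, risk.exposure() >= exposure_threshold)
    return QUADRANTS[key]


def prioritize(risks: List[AppRisk], prob_threshold: float = 0.10,
               exposure_threshold: float = 150_000.0) -> List[Tuple[str, int, float]]:
    """Return (name, priority, expected annual loss), ordered by quadrant, then by expected loss.

    The thresholds express the institution's risk appetite; they are the
    adjustments each institution makes for its own needs and are assumed here.
    """
    rows = [(r.name, classify(r, prob_threshold, exposure_threshold)[0], r.expected_annual_loss())
            for r in risks]
    rows.sort(key=lambda row: (row[1], -row[2]))
    return rows


# Constructed portfolio: four applications with invented figures (USD).
PORTFOLIO: List[AppRisk] = [
    AppRisk("online-banking",   probability=0.30, cost_per_hour=50_000, recovery_hours=4),
    AppRisk("trade-settlement", probability=0.05, cost_per_hour=200_000, recovery_hours=8),
    AppRisk("hr-portal",        probability=0.40, cost_per_hour=2_000, recovery_hours=6),
    AppRisk("archive-search",   probability=0.02, cost_per_hour=5_000, recovery_hours=24),
]

if __name__ == "__main__":
    for name, prio, eal in prioritize(PORTFOLIO):
        stance = next(s for p, s in QUADRANTS.values() if p == prio)
        print(f"P{prio}  {name:16s}  expected annual loss {eal:>10,.0f}  {stance}")
```

Ranking by expected annual loss alone would put trade-settlement (80,000 per year) ahead of online-banking (60,000); the two-axis view ranks online-banking first because it is both likely and costly, while trade-settlement's low-probability, high-exposure profile points to recovery planning and risk transfer rather than the same remediation spend. That difference is the reason the text asks for both parameters per application rather than a single score.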
Step 3: Design solution(s)
IT risks have different root causes, and thus different approaches are required to manage and mitigate them. Broadly speaking, these approaches require a combination of process, people, technology, and information.
Processes for running data center and IT operations are rapidly evolving. The best-run IT organizations are moving from a haphazard, “job shop” model to a more rigorously designed, executed, and measured systematic approach. IT Infrastructure Library (ITIL), International Organization for Standardization (ISO), and other standards are emerging to describe “best-of-breed” IT operational processes.
On the other end of the risk spectrum, institutions are paying more attention to the role their people play in the battle to reduce risk. Companies are experimenting with a wide range of techniques, including awareness-building, identity- or role-specific authority, new divisions of labor, new roles and specialists, and enhancement of risk mitigation capabilities at all levels. At the customer level, education, awareness, and proactive communication are also key elements in establishing a holistic risk management approach.
The technology of IT risk management is becoming more helpful to human efforts. Rapid advances have been made in such areas as long-distance replication, clustering, content, intrusion and phishing detection, data protection and backup, vulnerability assessment, and policy management. Importantly, these tools are being integrated to offer workflow-driven solutions designed to follow customized processes and regulatory requirements. Event-driven automation is increasingly taking the place of onerous manual analysis and remediation. Information itself plays a role in IT risk management—information on the latest threats and vulnerabilities, from the instant they appear anywhere on the globe. An effective IT risk management solution involves real-time information and proactive intelligence on security threats, and facilities for rapid recovery when new threats strike. Of course, the key is to be proactive with this information at the policy, technology, staff, and customer level.
Step 4: Align the costs of IT risk management to business value and implement solution(s)
Investments in process, people, technology, and information are required to mitigate risks. However, since IT budgets are under constant pressure to deliver more value for the same money, leading institutions will neither over-invest nor under-invest in IT risk management solutions.
IT Service Optimization has emerged over the past few years as the most promising approach to aligning the costs of IT with business value. With this approach, the role of IT with respect to the business evolves from a “cost center” to a “service center.” As it evolves under the IT Service Optimization approach, the IT organization masters four primary activities:
• Providing IT as a collection of well-defined services, developed and managed by a “service management” group that interfaces with the business
• Exposing these services to the business through service-level agreements and charge-backs to the business
• Building and maintaining a shared, heterogeneous infrastructure to improve capital utilization and reduce costs, rather than building custom systems for each business application
• Running IT operations in an automated fashion to increase labor efficiency and reduce costs
A number of leading organizations are first applying the IT Service Optimization concept by building “storage utilities.” The storage utility provides data storage for business application usage through different service classes, for example:
• “Platinum” storage service with very high performance, availability, recoverability, and security
• “Gold” storage service with moderate performance, availability, recoverability, and security
• “Bronze” storage service with low performance, availability, recoverability, and security
The costs of these different storage services are exposed to the business—“Platinum” is typically 10 times more costly than “Bronze” service, for example. As a result, a company can