Enterprise IT Risk Management
According to the Information Systems Audit and Control Association (ISACA), “Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.” Risk management is an ongoing, iterative process that must be repeated indefinitely: the business environment is constantly changing, and new threats and vulnerabilities emerge every day. The choice of countermeasures used to manage risk must strike a balance between productivity, cost, the effectiveness of the countermeasure, and the value of the information asset being protected.
An effective risk management program encompasses the following four phases:
1. Risk assessment, as derived from an evaluation of threats and vulnerabilities.
2. Management decision.
3. Control implementation.
4. Effectiveness review.
As businesses face increasing pressure from new legal and regulatory requirements, the organization's Board is simultaneously faced with the challenge of managing and controlling these risks while ensuring that the organization achieves its mission and objectives. Recent years have seen heightened concern and focus on risk management. This, coupled with continuous breaches of sensitive personal data, calls for organizations to effectively implement an Enterprise IT Risk Management framework with the premise that this function will provide value for its stakeholders.
Information Technology Internal Auditing
DataGuardZ provides complete Information Technology Internal Auditing services to meet your company’s needs.
Given the sweeping overhaul of regulatory requirements targeting Information Technology, companies are now required to have an independent assessment of their degree of compliance, with the results reported at the executive management level. Furthermore, such regulatory requirements (e.g. the Sarbanes-Oxley Act of 2002) have raised the profile and responsibility of internal auditors at both publicly and privately held companies. Internal auditors are now being asked to assume a more strategic role, one that is tied to the overall assessment of risk. However, conducting a thorough audit of your company's Information Technology is easier said than done, and it presents a human resource challenge for many businesses. Auditors are being asked to take on new responsibilities and leadership roles that require not only additional staff but also deep technical skill sets, both of which are in high demand. Rather than constantly struggling to hire, train and retain internal resources, many organizations have begun to outsource the entire IT Audit function, or to co-source specific engagements with DataGuardZ to cover their specialized needs.
DataGuardZ will perform a thorough and technical audit of the following areas:
- Firewall Security
- Router Security
- Operating System Security
- Virtualized Systems
- Cloud Computing
- Telecommunication Security
- Web Server Security
- Application Security
- Desktop Security
- Wireless Security
- Intrusion Detection Systems
- Database Security
Information Security
DataGuardZ consultants can assist your organization by assessing the effectiveness of your Security Governance program and Vulnerability Assessment and Remediation process.
Security Governance:
- Information Security Policies, Procedures and Standards
- Information Security Risk Assessments and Measurement
- Information Security Awareness
- Vendor Management Program and Third Party Security Reviews
- Risk Acceptance Program
- Incident Response Program
- Access Certification
Vulnerability Assessment and Remediation:
- Network Security
- Physical Security
- Wireless Security
- War Dialing
- Application Security Testing
- Co-Location Security
Business Continuity Planning
Unexpected disruptions are never in anyone's plans. However, it is necessary to take the time to consider how your business would continue operating if such a disruption actually occurred. Otherwise, you could be risking all the work you've put into building a successful organization.
Most businesses will experience threats to their critical systems - threats such as power outage, fire, flood or a computer virus. Critical systems disruptions — no matter how long — can cause severe financial losses and threaten the survival of your organization.
Businesses depend heavily on computer technology, communications and automated systems. Disruption for even a few days can cause irreparable financial damage. While all types of disruptions can’t be predicted or prevented, their effects can be mitigated. That’s why an effective business continuity plan is so important. It not only provides your organization with a comprehensive statement of actions to be taken before, during and after a disruption to minimize its impact, it also offers a certain level of comfort in knowing that if a catastrophe occurs, it will not result in complete financial disaster.
DataGuardZ can assist your organization in building a solid Business Continuity Program and Disaster Recovery environment using the standards established by the Disaster Recovery Institute International, specifically in the following areas:
- Program Initiation and Management
- Risk Evaluation and Control
- Business Impact Analysis
- Business Continuity Strategies
- Emergency Response and Operations
- Business Continuity Plans
- Awareness and Training Programs
- Business Continuity Plan Exercise, Audit and Maintenance
- Crisis Communications
- Coordination with External Agencies
ISO 27001 Certification
ISO 27001 was published by the International Organization for Standardization (ISO) on 15 October 2005. Essentially, ISO/IEC 27001 defines an Information Security Management System (ISMS) and complements the ISO/IEC 17799 'code of practice' standard, itself first published as BS 7799-1. The two standards are closely aligned and related, but perform distinct roles.
ISO/IEC 27001 is a standard setting out the requirements for an information security management system (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested stakeholders, including an organization's customers, shareholders and regulators.
ISO 27001 takes a risk-based approach: it requires a process for assessing, evaluating, treating and managing information and asset security risks, a review process for re-assessing those risks and the effectiveness of the management system, and an internal ISMS audit process for checking compliance.
Benefits of Certification
Some of the benefits of implementing the ISO 27001 standard are as follows:
- Brings your organization into compliance with legal, regulatory, and statutory requirements.
- Significantly limits security and privacy breaches.
- Market differentiation due to positive influence on company prestige.
- Provides a process for Information Security and Corporate Governance.
- ISO 27001 certification is recognized on a worldwide basis.
- Increases the vendor status of your organization.
- Increases overall organizational efficiency and operational performance.
- Minimizes internal and external risks to business continuity.
- Reduces operational risk as threats are assessed and vulnerabilities are mitigated.
The DataGuardZ team is certified by the British Standards Institute (BSI) and provides ISO 27001 consulting, auditing, and training services to companies of all sizes and in all industries. We assist clients in achieving ISO 27001 compliance and/or registration. ISO/IEC 27001 certification, like other ISO management system certifications, usually involves a three-stage audit process:
1. Stage 1 is a preliminary, informal review of the ISMS, for example checking the existence and completeness of key documentation such as the organization's information security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP).
2. Stage 2 is a more detailed and formal compliance audit, independently testing the ISMS against the requirements specified in ISO/IEC 27001. The auditors will seek evidence to confirm that the management system has been properly designed and implemented, and is in fact in operation (for example by confirming that a security committee or similar management body meets regularly to oversee the ISMS).
3. Stage 3 involves follow-up reviews or audits to confirm that the organization remains in compliance with the standard. Certification maintenance requires periodic re-assessment audits to confirm that the ISMS continues to operate as specified and intended.
Our solutions help companies leverage their resources to add value throughout the company. Whether you are looking for a small amount of guidance or a complete turn-key system, we can help. We measure our success by your improvement.
Continuous Auditing and Monitoring (CAM) - Data Analytics
A Continuous Auditing and Monitoring (CAM) program allows your organization to use technology, combined with our resident skill sets and experience, to effectively analyze risk data on a periodic basis. As a result, significant anomalies, discrepancies or inconsistencies can be detected in a timely manner and followed by a root cause analysis to prevent recurrence and mitigate risk.
An effective implementation of our CAM program will allow your organization to automate analytics that run on a continuous basis, moving the audit methodology from a historical, ad-hoc review process to one that is both current and timely. Rather than only identifying control breakdowns and instances of fraud, error and abuse that occurred in the past, our CAM process can meet the increasing expectations of regulators, audit committees and management through timely insight. Such insight reduces operational inefficiencies and risk to the business. In addition, our CAM process will maximize the value of your organization's Sarbanes-Oxley Section 404 efforts by focusing on key controls for proper financial reporting, such as:
Cash
- Bank statement reconciliations
- Bank statement review for reasonableness
Accounts Payable
- Vendor addition review
- Batch payment approval
- Monthly accounts payable expense accrual
- Travel and expense report review
Accounts Receivable
- Application of customer payments
- Bad debt review
Revenue
- Review for potential revenue loss
- Accrual posting
Inventory
- Parts obsolescence review
- Monthly liquid inventory review
Payroll
- Rate change approvals
- Supervision and approval of hours
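As an added illustration, not part of the DataGuardZ page or any tooling it describes, the Python script below shows how three of the key controls listed above (vendor addition review, batch payment approval, and payroll rate change approvals) can be expressed as automated analytics that a CAM program would run on every extract. The record layouts, field names, the 30-day new-vendor window and the 25% rate-increase threshold are assumptions made for the example, and the sample extracts are constructed, not real data.

```python
"""Continuous-monitoring analytics over constructed ERP extracts.

Each function implements one key-control test and returns a list of
exception records; run_all() combines them into the kind of periodic
exception report a CAM program hands to process owners.  Field names,
thresholds and sample rows are assumptions for this example only.
"""
from datetime import date, timedelta

# Constructed sample extracts (not real data).
VENDORS = [
    {"vendor_id": "V100", "name": "Acme Supplies", "created_by": "jsmith",
     "approved_by": "mlee", "created": date(2024, 1, 10)},
    {"vendor_id": "V101", "name": "Quick Consulting", "created_by": "jsmith",
     "approved_by": "jsmith", "created": date(2024, 3, 2)},   # self-approved
    {"vendor_id": "V102", "name": "Northwind Parts", "created_by": "rkhan",
     "approved_by": None, "created": date(2024, 3, 5)},       # never reviewed
]
PAYMENTS = [
    {"batch_id": "B1", "vendor_id": "V100", "amount": 4800.00,
     "submitted_by": "tgarcia", "approved_by": "mlee", "paid": date(2024, 3, 6)},
    {"batch_id": "B2", "vendor_id": "V101", "amount": 15000.00,
     "submitted_by": "jsmith", "approved_by": "jsmith", "paid": date(2024, 3, 7)},
    {"batch_id": "B3", "vendor_id": "V999", "amount": 900.00,
     "submitted_by": "tgarcia", "approved_by": "mlee", "paid": date(2024, 3, 8)},
]
RATE_CHANGES = [
    {"employee_id": "E1", "old_rate": 30.0, "new_rate": 31.5,
     "changed_by": "hrops", "approved_by": "hrmgr"},
    {"employee_id": "E2", "old_rate": 30.0, "new_rate": 45.0,
     "changed_by": "hrops", "approved_by": None},
]


def _exc(control, record, reason):
    """One exception row for the report."""
    return {"control": control, "record": record, "reason": reason}


def vendor_addition_review(vendors):
    """Key control: every new vendor is reviewed by someone other than its creator."""
    out = []
    for v in vendors:
        if not v["approved_by"]:
            out.append(_exc("Vendor addition review", v["vendor_id"], "no approver recorded"))
        elif v["approved_by"] == v["created_by"]:
            out.append(_exc("Vendor addition review", v["vendor_id"], "creator approved own addition"))
    return out


def batch_payment_approval(payments, vendors, new_vendor_window_days=30):
    """Key control: payments are independently approved and go only to reviewed vendors."""
    by_id = {v["vendor_id"]: v for v in vendors}
    out = []
    for p in payments:
        ctrl, bid = "Batch payment approval", p["batch_id"]
        # Segregation of duties: submitter must not be the approver.
        if p["approved_by"] in (None, p["submitted_by"]):
            out.append(_exc(ctrl, bid, "submitter and approver are the same or missing"))
        vendor = by_id.get(p["vendor_id"])
        if vendor is None:
            out.append(_exc(ctrl, bid, f"payment to vendor {p['vendor_id']} not in vendor master"))
        elif p["paid"] - vendor["created"] <= timedelta(days=new_vendor_window_days):
            out.append(_exc(ctrl, bid, "payment to vendor added within the review window"))
    return out


def rate_change_approvals(changes, max_increase_pct=25.0):
    """Key control: pay rate changes are approved, and large increases are flagged."""
    out = []
    for c in changes:
        ctrl, eid = "Rate change approvals", c["employee_id"]
        pct = (c["new_rate"] - c["old_rate"]) / c["old_rate"] * 100
        if not c["approved_by"]:
            out.append(_exc(ctrl, eid, "rate change without approval"))
        if pct > max_increase_pct:
            out.append(_exc(ctrl, eid, f"increase of {pct:.1f}% exceeds {max_increase_pct}% threshold"))
    return out


def run_all():
    """Run every analytic over the current extracts and return the exception report."""
    return (vendor_addition_review(VENDORS)
            + batch_payment_approval(PAYMENTS, VENDORS)
            + rate_change_approvals(RATE_CHANGES))


if __name__ == "__main__":
    for e in run_all():
        print(f"{e['control']:<24} {e['record']:<6} {e['reason']}")
```

In a real deployment each function would read the day's extract instead of the embedded rows, and the report would be routed to the control owner with the underlying records attached so the root cause analysis the text mentions can start from the exception itself.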
Management and business process owners receive timely notification of potential control breaches, evaluate the risk and resolve potential problems before they escalate. By monitoring and reporting on the strength of financial and operational controls on a continuous basis, organizations create a stronger and more effective control environment resulting in operational and compliance benefits such as:
Operational Benefits
- Identifying trends/correlations that were not evident
- Identifying and supporting the need for a business process change
- Empowering management to make better decisions
Compliance Benefits
- Identify potential fraud
- May help meet certain regulatory requirements
- Potential cost savings