technology risk. technology determines the future of human race man's way of life has depended...

Technology risk

Upload: arline-marsh

Post on 31-Dec-2015


Technology determines the future of the human race

Man's way of life has depended on technology since the beginning of civilization.

Modern technology tends to be thought of in terms of the advances brought about by computers and electronic communications, but it is in transport, medicine and energy that we have seen the greatest impact upon our lives. It is these areas that distinguish the first world from the second and third worlds.

If poverty and disease are to be alleviated and the environment sustained, then technology must be harnessed on a vast and all-inclusive scale.


Technology determines the future of the human race

Significant technology is created by tens and hundreds of individuals working together across social and geographic boundaries.

Technologists determine the future of the human race. Advances require vast resources and companies that are prepared to take risks.

There is an illusion that modern technologies emerge exclusively through a process of invention that has its roots in science.

This process of evolution requires the most sophisticated knowledge of science and engineering.


Technology determines the future of the human race

Most technologies require the full spectrum of technical subjects, and they must take into account social, environmental, economic, and political factors.

Technologies are rarely static; they are forever evolving.

Because of this relentless change, education must be continuous and be broad as well as deep.

Those who failed to understand in the 1980s that cars were to become systems of interacting computers, rather than mechanical devices, have quite simply gone out of business.


Information Technology

Today, the health and viability of most businesses is heavily dependent on the strength and security of their information technology (IT) infrastructure.

As a result, IT has become a high-priority issue in executive suites and corporate boardrooms, driving top management to provide proactive sponsorship for efforts that will ensure adequate IT security and availability and create an operating environment that effectively manages — and mitigates — risks. The environment includes:

1. Protecting IT assets against external viruses, cyber terrorism and other malicious attacks and internal security threats
2. Ensuring software application controls integrity
3. Improving IT processes
4. Addressing regulatory compliance on IT applications.


Information Technology

Information Privacy and Confidentiality

Consumers have long been concerned with the issue of privacy.

Likewise, business customers are increasingly focused on maintaining the confidentiality of their proprietary information held by others.

It is critical for businesses to ensure that consumer privacy and corporate confidentiality meet stated policies.


Technology Innovation and Management

It is better to allow the market - the customer - to decide whether technology companies succeed, as with any business enterprise.

Start-up companies, especially those emerging from universities, are based upon a naive assumption that their new technology will inevitably generate new customers.

Technology companies should be led by those who understand the market, with the creative technologists standing at their right hand, and the financiers acting in a service role.

Most successful technologies change human behavior. The most successful new products allow people to be lazier - the remote control is a good example.

Successful start-ups estimate influences on human physiology. The most obvious examples are the cinema, television, 3D video and audio.


Technology Risk and responsibility

What are the responsibilities of the technologist? Is it acceptable to develop weapons of mass destruction, unhealthy foods, transport systems that lead to decadent lifestyles, or communication systems that make it easy to distribute knowledge?

Who decides? Is it up to the individual technologist or for companies, or governments to decide?

It is for companies to develop ethical policies together with their employees, just as it is for universities with their staff and students.


Technology Risk and responsibility

What are the areas where we are likely to see the most significant advances in the next ten or twenty years, bearing in mind that technologists are famous for over-estimating what will happen in the next five years, while underestimating what will happen in twenty years? The Internet was an excellent example of the latter, as was the personal computer.

Who will be the winners in the race to develop future technologies? How long will the hierarchy of nations remain the same with the USA predominating, followed by Japan, Europe, Singapore, Taiwan, Australasia, with the third world far behind? When will China and India begin to compete in development as well as the manufacture of high technology products?

It is the technologist that is determining how we live.


Technology risk management

Technology effectively permeates/controls the operations of the entire institution and therefore defies/resists/challenges compartmentalization.

Technology enables key processes that the institution uses to develop, deliver, and manage its products, services, and support operations. So what, then, is the proper approach to technology risk management?


Technology risk management

As stated by the famous writer, educator, and management consultant, Peter Drucker, "If you can't measure it, you can't manage it."

The process of effective technology risk management begins with risk identification in the context of the institution's overall business strategy.

Understanding the role that technology plays in enabling core business operations establishes the framework for understanding where relevant risks lie.

The point is that technology risks are merged throughout the business and must be addressed holistically.


Technology risk management for banks

Looking at the big picture

A technology risk assessment begins with the bank's strategic plan, recognizing the role that technology plays, and the critical systems that gather, process, and store information.

The next step involves assessing the relative importance of the various systems, databases, and applications based on the nature of their function, the criticality of data that they support, and their importance to core business operations.

At this point, it is also necessary to look at the architecture of the bank's systems and networks to determine their interconnections with other internal and external systems.

This process will reveal system access points and other critical junctures where security mechanisms will need to be in place.


Technology risk management for banks

By understanding the role that technology plays in supporting various business functions, bank management is in a better position to determine the relative importance of these functions and prioritize the systems, applications, and data involved.

The process of understanding how information flows through the bank, and where data is entered, transferred, and stored will also reveal areas of potential vulnerability. This is where system and network diagrams can be particularly helpful; however, they must be up-to-date and comprehensive.

An information classification program can be instrumental in prioritizing data, and the systems and applications through which it flows. Information classification involves distinguishing classes of data, or systems, and assigning relative priorities. A basic classification system might incorporate three or four categories ranging from "highly confidential" to "public" with various degrees in between.


Technology risk management for banks

Once categorized, each class of data would be accorded certain treatment. Knowing the classifications allows bank management to trace the flows of information with an eye to ensuring proper protection throughout the system. Obviously, one would not want to see "highly confidential" and "public" information following the same transmission path or stored on the same computer server with only elementary controls.

The bank's outsourcing strategy must also be taken into account. In the process of identifying relevant data flows and information processing activities, relationships with service providers must be evaluated for the roles and responsibilities of each party.

The bank's system diagram should incorporate service provider relationships, identify where data is passed between systems, and document the relevant controls that are in place. When conducting an overall assessment of technology risk, the bank must consider outsourced systems as extensions of its own.


Technology risk management for banks

Identifying the gaps

With a comprehensive understanding of what information exists, and its relative importance, bank management is now ready to identify potential gaps. By mapping existing security programs to the system diagram, controls and procedures can be evaluated for adequacy.

This process begins with the bank's existing security program, including both physical and information technology components. For each system that enters, processes, stores, or transfers data that the bank has classified as "highly confidential", controls should be in place that are commensurate with the information they protect. The information classification process will assist bank management in focusing attention on priority areas first and pinpointing key areas of vulnerability.
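The gap-identification step described above can be sketched in code. This is an added example, not part of the original slides: it propagates each data classification along the flows of a constructed system inventory and lists the systems whose controls fall short of what their effective class requires. The two middle tiers, the control names, the control baseline and the inventory are all assumptions made for illustration.

```python
from collections import deque

# Classification tiers, lowest to highest. The slides name only the two ends
# ("public" and "highly confidential"); the middle tiers are assumptions.
LEVELS = ["public", "internal", "confidential", "highly confidential"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Assumed control baseline per class (hypothetical control names).
REQUIRED = {
    "public": set(),
    "internal": {"access_control"},
    "confidential": {"access_control", "encryption_in_transit"},
    "highly confidential": {"access_control", "encryption_in_transit",
                            "encryption_at_rest", "audit_logging"},
}

# Constructed sample inventory: the class of data each system originates,
# the controls documented for it, and who operates it.
SYSTEMS = {
    "online_banking": {"holds": "confidential", "owner": "bank",
                       "controls": {"access_control", "encryption_in_transit"}},
    "core_banking": {"holds": "highly confidential", "owner": "bank",
                     "controls": {"access_control", "encryption_in_transit",
                                  "encryption_at_rest", "audit_logging"}},
    "reporting_db": {"holds": "internal", "owner": "bank",
                     "controls": {"access_control", "encryption_in_transit"}},
    "statement_printing": {"holds": "public", "owner": "service provider",
                           "controls": {"access_control"}},
    "public_website": {"holds": "public", "owner": "bank", "controls": set()},
}

# Constructed data flows (source, destination). The first two form a cycle.
FLOWS = [
    ("online_banking", "core_banking"),
    ("core_banking", "online_banking"),
    ("core_banking", "reporting_db"),
    ("reporting_db", "statement_printing"),
]


def effective_classification(systems, flows):
    """Return the highest class of data that can reach each system.

    Conservative assumption: anything a system holds may travel along every
    outgoing flow, so a destination inherits the class of its sources.
    """
    adjacency = {name: [] for name in systems}
    for src, dst in flows:
        if src not in systems or dst not in systems:
            raise ValueError(f"flow references unknown system: {src} -> {dst}")
        adjacency[src].append(dst)
    rank = {name: RANK[info["holds"]] for name, info in systems.items()}
    queue = deque(systems)
    while queue:  # ranks only ever rise and are bounded, so cycles terminate
        src = queue.popleft()
        for dst in adjacency[src]:
            if rank[dst] < rank[src]:
                rank[dst] = rank[src]
                queue.append(dst)
    return {name: LEVELS[r] for name, r in rank.items()}


def find_gaps(systems, flows):
    """List (system, effective class, owner, missing controls), worst first."""
    effective = effective_classification(systems, flows)
    gaps = []
    for name, level in effective.items():
        missing = sorted(REQUIRED[level] - systems[name]["controls"])
        if missing:
            gaps.append((name, level, systems[name]["owner"], missing))
    gaps.sort(key=lambda g: (-RANK[g[1]], g[0]))
    return gaps


if __name__ == "__main__":
    for name, level, owner, missing in find_gaps(SYSTEMS, FLOWS):
        print(f"{name} ({owner}) handles '{level}' data, missing: {', '.join(missing)}")
```

In the sample inventory the outsourced printing system originates only public data, yet it is flagged because highly confidential data reaches it through the reporting database.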

The dynamics of information technology, represented by the speed at which new hardware, software, and services arrive, introduce a new dimension to vulnerability assessment. In order to evaluate the controls surrounding systems that host critical data, bank management must have the tools and expertise to assess the technology that enables them. With each new release of an operating system, software application, or device, a variety of security holes may be introduced.


Technology risk management for banks

Furthermore, as changes and enhancements are made to a system, they, in turn, affect its configuration and overall security posture. Therefore, part of the vulnerability assessment needs to look at how the bank is keeping up with vulnerabilities in the technology that it directly or indirectly employs.

Bank management also needs to consider the processes in place at its service providers and partners to identify and address their vulnerabilities. Particularly in situations where multiple service providers are involved, controls and responsibilities for enforcing them may be unclear or undefined.

Bank management should carefully review controls over data transfer points and also ensure that the operators of all linked systems are undertaking comprehensive vulnerability assessments. Service provider contracts should include a requirement to this effect and also provide that timely action be taken to address identified vulnerabilities that affect classes of information that have been pre-defined as critical or sensitive.


Technology risk management for banks

Vulnerabilities and threats

It is important to distinguish vulnerabilities, which have been characterized above as gaps in the bank's existing controls and security processes, from threats.

Vulnerabilities are weaknesses that are present in a system that, if attacked, could result in significant harm. Threats represent the agents that can act on the vulnerabilities, to exploit them, and thereby cause harm. Generally, vulnerabilities alone will not result in a problem, but require action.

By identifying and prioritizing the gaps in the bank's information architecture where controls fail to adequately protect important information, management has defined its vulnerabilities. However, an understanding of internal and external threats is necessary in order to put these vulnerabilities into perspective.


Technology risk management for banks

Threats can come from a wide variety of sources. Traditionally, threats have been categorized as internal (incompetent employees, contractors, service providers, and former insiders that retained information or access privileges) and external (hackers, competitors).

Natural and man-made disasters should also be considered as external sources of attack.

Approximately 80% of attacks come from within an organization and 20% come from the outside.


Technology risk management for banks

Each bank can develop a threat assessment based on its environment, competitive strategy, marketplace, geographic location, and other characteristics that evaluates the likelihood of occurrence. It is equally important to consider the magnitude of impact that would result from each threat scenario.

Threat analyses are a mixture of facts, forecasts, estimates, and judgment. The end goal is not precision, but a better understanding of what the bank is up against and which threats deserve priority attention, given the known vulnerabilities.

The process of identifying threats must occur in the context of the bank's business strategy in order to differentiate significant threats from those that are less significant. The answer to "what is significant?" will vary from bank to bank based on its risk tolerance and its ability to mitigate and manage its vulnerabilities and threats.


Technology risk management for banks

Managing technology risk

Identifying vulnerabilities and threats provides bank management with a view of the risks faced by the bank given the enabling role of information technology.

An appropriate risk management strategy can be developed and implemented. There are three alternatives that can be used individually and in combination: risk management via internal processes and controls, risk management via outsourcing or contracting out the activity, and risk transfer via the purchase of insurance coverage.

Bank management must evaluate these options in order to devise a strategy that provides maximum benefit to the bank. Generally, the benchmark question involves the extent of the bank's internal resources and ability to develop and administer the necessary controls in-house.


Technology risk management for banks

The bank can also evaluate options for hiring temporary contractors or outsourcing the activity to a service provider that has the necessary infrastructure.

Risk transfer via insurance represents a relatively new alternative for technology; however, a number of new policies addressing "cyber-insurance" are now available.

The most appropriate strategy generally involves a mix of risk management techniques that are driven by the bank's internal capabilities and risk tolerance.

The bank's technology risk management process will be intertwined with other risk management processes and overall business strategy. As such, it will continue to be revisited and refined.


Example: Technology Risk Model (Protiviti, 2006)


Example: Technology Risk Model (Protiviti, 2006)

The Protiviti model is based on turning risk into an advantage and realizing that not all risks are created equal. Some need to be eliminated quickly. Others help you to gain competitive advantage. It is crucial to understand risks - clearly, objectively - and to create a plan of action.

The goal of Protiviti's technology risk model is to see all of the factors affecting the IT environment.

The model illustrates the risks and other aspects of the IT environment. The model can be viewed from the outside in to evaluate the risks that face your IT organization. Alternatively, the model can be viewed from the inside out to understand the technology and risks related to processes.


Example: Technology Risk Model (Protiviti, 2006)

The model is surrounded with overall technology risk categories. It provides all components of the model to serve as a common language.

Moving inward, the model identifies the drivers for success in the IT organization - including good business unit alignment, strong program management and solid value for cost. You learn which of these and other drivers are truly critical, and which risks may undermine your success.

Next, the model illustrates the core processes that comprise an IT organization. Processes both create and manage the risks you face every day.


Example: Technology Risk Model (Protiviti, 2006)

Moving further inward, the model shows the key technology components and applications needed to support the business. The specific risks inherent in each of these technologies shall be understood. Therefore, a process to manage change and continuity of each component, to provide a solid IT foundation, shall be secured and built.

At the core of the model is the organization's business processes - the end in mind for a focused IT organization.

Success is achieved only when IT is effectively aligned with the business.