
Lesson 4: IT Governance

© 2015 Pearson Education, Inc. Publishing as Prentice Hall

Chapter 10: Managing IT-Based Risk

The Job of Managing IT-Based Risk

Historical view – it was a low-key activity focused on delivering projects and keeping applications up and running.

Today’s view – it has become much broader and more complex, and it is recognized as an integral part of any technology-based work.

IT Risk Incidents… (Hunter and Westerman 2007)

• Harm constituencies both within and outside companies.

• Damage corporate reputations.

• Dampen an organization’s ability to compete.

A Holistic View of IT-Based Risk

Figure 10.1 A Holistic View of IT-based Risk (diagram; the recoverable labels follow)

ENTERPRISE RISK

• External Risk: Criminal Interference, Legal/Regulatory, Hazards, Third Parties

• Internal Risk: Operations, Information, Systems Development, People, Processes, Culture, Controls, Governance

External Risks Come From:

• Third parties (e.g., partners, software vendors, service providers, suppliers, customers).

• Hazards (e.g., disasters, pandemics, geopolitical upheavals).

• Legal and regulatory issues (e.g., failure to adhere to laws and regulations).

Internal Risks Come From:

• Information risks (e.g., privacy, quality, accuracy, and protection).

• People risks (e.g., poorly designed business processes, failure to adapt business processes).

• Cultural risks (e.g., risk aversion and lack of risk awareness).

• Control (e.g., ineffective controls).

• Governance (e.g., ineffective structure, roles).

Criminal Risks Come From:

• Viruses

• Hackers

• Organized crime

• Industrial spies

• Terrorists

Holistic Risk Management (RM): A Portrait

1. Focus on what’s important:

• RM is not about anticipating all risks but about attempting to reduce significant risks to a manageable level (Slywotzky and Drzik 2005).

• RM should not be about saying “no” to a risk, but how to say “yes” – thereby building a more agile enterprise (Caldwell and Mogul 2006).

Holistic Risk Management (RM): A Portrait (continued)

2. Expect changes over time:

• RM actions should be continuous, iterative, and structured.

• Mandatory risk assessment should be implemented at different key stages.

• Ongoing reviews and the process of evaluation need to be adapted (Coles and Moulton 2003).

Holistic Risk Management (RM): A Portrait (continued)

3. View risk from multiple levels and perspectives:

• RM assessments need to include root cause and multifaceted analyses.

• Monitoring and adapting to new international standards and laws, completing overall health checks, and analyzing potential risks are new dimensions of risk.

A Risk Management Framework

The goal of a risk management framework (RMF) is to ensure that the right risks are being addressed at the right levels.

The RMF guides the development of risk policies and integrates appropriate risk standards and processes into existing practices (e.g., the SDLC).

A Basic Risk Management Framework Includes:

• Risk category

• Policies and standards

• Risk type

• Risk ownership

• Risk mitigation

• Risk reporting and monitoring

A Basic Risk Management Framework: Risk Category

The general area of enterprise risk involved (e.g., criminal, operations, third party, etc.).

A Basic Risk Management Framework: Policies and Standards

It includes the general principles for guiding risk decisions.

The principles identify any standards that should apply to each risk category (e.g., SAI Global, an international standard).

A Basic Risk Management Framework: Risk Type

Each risk should be identified and labeled with a generic name and definition, ideally linked to a business impact.

A Basic Risk Management Framework: Risk Ownership

Each type of risk should have an owner, either in IT or in the business.

Owners and stakeholders should have clear responsibilities and accountabilities.

Major risks can be owned by committees (e.g., an enterprise risk committee or risk review council).

A Basic Risk Management Framework: Risk Mitigation

Each type of risk should be associated with controls, practices, and tools for addressing it effectively.

The goal of the framework is to provide means by which risks can be managed consistently, effectively, and appropriately.

A Basic Risk Management Framework: Risk Reporting and Monitoring

Risk metrics should be reported in a way the organization understands (e.g., high, medium, low).

Risk monitoring is an ongoing process because levels and types of risks are changing continually.

Actions to Improve Risk Management Capabilities

• Look beyond technical risk

• Develop a common language of risk

• Simplify the presentation

• Right size

Actions to Improve Risk Management Capabilities (continued)

• Standardize the technology base

• Rehearse

• Clarify roles and responsibilities

• Automate where appropriate

• Educate and communicate

Conclusion

IT risk is involved in many types of business risks and therefore should be managed holistically.

An integrated risk management framework helps organizations understand risk and make better decisions associated with it.

Chapter 11: Information Management: The Nexus of Business and IT

Information Delivery versus Information Management (IM)

Although information delivery may be the responsibility of IT, information management (IM) requires a true partnership between IT and the business.

IT is involved with every aspect of IM, but information is the heart and soul of the business, and its management cannot be delegated exclusively to IT.

Information Management Drivers

1. Compliance

2. Operational effectiveness and efficiency

3. Strategy

The Foundation for Creating Business Value

Figure 11.1 IM is Fundamental to Organizational Success – Both IT Effectiveness and Individual Performance (diagram; only the caption is recoverable)

Framework for Information Management

Stage One: Develop an IM policy.

Stage Two: Articulate operational components.

Stage Three: Establish information stewardship.

Stage Four: Build information standards.

Stage One: Develop an IM Policy

A policy outlines the terms of reference for making decisions about information.

A policy provides guidance for accountabilities, quality, security, privacy, risk tolerances, and prioritization of efforts for IM.

A policy should be established at a very senior management level.

Stage Two: Articulate Operational Components

Figure 11.2 Operational Components of an IM Framework (diagram; only the caption is recoverable)

Stage Three: Establish Information Stewardship

• Clearly articulate IM roles and responsibilities.

• Information stewards are responsible for the meaning, accuracy, timeliness, consistency, validity, completeness, privacy and security, and compliance of information.

• Information stewards should be business people.

Stage Four: Build Information Standards

Standards ensure that quality, accuracy, and control goals can be met.

Use metadata repositories to cross-reference models, processes, and programs that reference information.

Standards help reduce information redundancy.

Stage Four: Build Information Standards (continued)

Standards require…

• A unique name and definition.

• Data elements, examples, and character length (e.g., name prefix).

• Implementation requirements.

• Spacing and order.

Issues in IM

• Culture and Behavior

• Information Risk Management

• Information Value

• Privacy

• Knowledge Management

• The Knowledge-Doing Gap

Culture and Behavior

Integrity – defines the information usage boundaries.

Formality – enables accurate and consistent information.

Control – once information is trusted, it can be used to develop integrated performance criteria and measures.

Culture and Behavior (continued)

Transparency – describes the level of trust to speak about errors.

Sharing – exchange of sensitive and non-sensitive information amongst employees.

Proactiveness – creates an alertness to picking up new information about business conditions.

Information Risk Management

• Determine internal and external interdependencies.

• Determine the level of information security needed and the cost to implement it.

• Develop an information security strategy.

Elements of an Information Security Strategy

(Diagram; the recoverable labels follow)

• Information Protection Center

• Risk Management

• Standards

• Education & Awareness

• Compliance

• Identity Management

Information Value

IM VALUE PROPOSITION SHOULD ADDRESS:

• Strategic

• Tactical

• Operational

Information value is difficult to quantify.

It takes time for an IM investment to pay off.

IM value is a subjective assessment.

Privacy

Privacy regulations affect current and long-term IM initiatives.

Organizations must be in compliance with many new privacy regulations.

Many countries now require a chief privacy officer who helps the organization ensure IM practices for data quality and accuracy, retention, and security.

Knowledge Management

Information + Context + Judgment + Intuition = Knowledge

Knowledge is a fluid mix of framed experience, values, contextual information, and expert insight that provides a framework for evaluating and incorporating new experiences and information. It originates and is applied in the minds of knowers… Thomas Davenport and Larry Prusak (1998)

Knowledge is the capability to take effective action.

The Knowledge-Doing Gap

It is assumed that better information will lead to better decisions.

There needs to be a clear link between desired actions and the acquisition and packaging of specific information.

Getting Started in IM

• Start with what you have.

• Ensure cross-functional coordination among all stakeholders.

• Get the right incentives.

• Establish and model sound information values.

Elements of IM Operations (Appendix A)

• Strategy

• People

• Processes

• Technology and Architecture

• Culture and Behaviors

• Governance

IM Operations Strategy Elements

• External Environment

• Strategic Planning

• Information Life Cycle Planning

• Program Integration

• Performance Monitoring

IM Operations People Elements

• Roles and Responsibilities

• Training and Support

• Subject-Matter Experts

• Relationship Management

IM Operations Process Elements

• Project Management

• Change Management

• Risk Management

• Business Continuity

• Information Life Cycle
  - Collect, create, and capture
  - Use and dissemination
  - Maintenance, protection, and preservation
  - Retention and disposition

IM Operations Technology and Architecture Elements

• IM Tools

• Technology Integration

• Information Life Cycle

• Organization

• Data Standards

IM Operations Culture and Behavior Elements

• Leadership

• IM Awareness

• Incentives

• IM Competencies

• Communities of Interest

IM Operations Governance Elements

• Principles, Policies, and Standards

• Compliance

• IM Program Evaluation

• Quality of Information

• Security of Information

• Privacy of Information

Conclusion

Organizations face many challenges in implementing information management practices.

Although IT can take a lead in developing an information management plan, the business area must ultimately be involved in its implementation and the stewardship of information within the organization.

Slide titles (index)

  • IT Governance
  • Managing IT-Based Risk
  • The Job of Managing IT-Based Risk
  • IT Risk Incidents… (Hunter and Westerman 2007)
  • A Holistic View of IT-Based Risk
  • External Risks Come From:
  • Internal Risks Come From:
  • Criminal Risks Come From:
  • Holistic Risk Management (RM): A Portrait
  • Holistic Risk Management (RM): A Portrait (continued)
  • Holistic Risk Management (RM): A Portrait (continued)
  • A Risk Management Framework
  • A Basic Risk Management Framework Includes:
  • A Basic Risk Management Framework: Risk Category
  • A Basic Risk Management Framework: Policies and standards
  • A Basic Risk Management Framework: Risk Type
  • A Basic Risk Management Framework: Risk Ownership
  • A Basic Risk Management Framework: Risk Mitigation
  • A Basic Risk Management Framework: Risk Reporting and Monitoring
  • Actions to Improve Risk Management Capabilities
  • Actions to Improve Risk Management Capabilities (continued)
  • Conclusion
  • Information Management: The Nexus of Business and IT
  • Information Delivery versus Information Management (IM)
  • Information Management Drivers
  • The Foundation for Creating Business Value
  • Framework for Information Management
  • Stage One : Develop an IM Policy
  • Stage Two: Articulate Operational Components
  • Stage Three: Establish Information Stewardship
  • Stage Four: Build Information Standards
  • Stage Four: Build Information Standards (continued)
  • Issues in IM
  • Culture and Behavior
  • Culture and Behavior (continued)
  • Information Risk Management
  • Elements of an Information Security Strategy
  • Information Value
  • Privacy
  • Knowledge Management
  • The Knowledge-Doing Gap
  • Getting Started in IM
  • Elements of IM Operations (Appendix A)
  • IM Operations Strategy Elements
  • IM Operations People Elements
  • IM Operations Process Elements
  • IM Operations Technology and Architecture Elements
  • IM Operations Culture and Behavior Elements
  • IM Operations Governance Elements
  • Conclusion