World Bank
Addressing Technology Risks for Successful E-Government Initiatives
January 30, 2007
Werner Lippuner, Ernst & Young LLP, Washington D.C.
2
Overview
- E-Government
- Challenges & Expectations
- IT Risk Management
- Lessons Learned
3
E-Government
E-Government is the use of information and communication technology (ICT) to exchange information and services with citizens, customers, businesses, and other governmental organizations in order to improve efficiency, provide convenience, and enable accessibility.
Delivery Models
- Government-to-Citizen / Government-to-Customers (G2C)
- Government-to-Business (G2B)
- Government-to-Government (G2G)
Technologies
- WWW, E-Mail, Instant Messaging, Online Communities, RSS, XBRL
- PDA, SMS / MMS, 3G, GPRS
- WiFi, WiMAX, Bluetooth
- RFID, Biometrics, Smart Cards
- Many others
4
Government to Citizens, Customers, and Businesses
Conduct Transactions / Exercise Rights
- Purchase and pay for products and services
- Pay taxes
- Repay loans
- Electronic voting
Submission/Filing of Information
- Report complaints, fraud, corruption, or accidents
- Apply for a government position
- Apply for grants and loans
- File taxes online
Access to General Information
- Access public information provided by the Government (laws, rules, regulations, forms, statistics, etc.)
Other Services
- E-mail
- eLearning, a program for people to learn online (Taiwan)
- mySchool offers e-assistance, help with homework, test prep (Luxembourg)
- Dating service
- Pen-pal service
Access to Personalized Information
- User account registration
- Access benefits statements
- Review process status (e.g. visa processing, court cases, etc.)
Exchange of Information
- Financial information
- Health information
5
Government-to-Government
Sharing of Information
- The E-Vital initiative establishes common electronic processes for Federal and state agencies to collect, process, analyze, verify and share death record information.
- GeoData.gov makes it easier, faster, and less expensive to find, share, and access geospatial information across all levels of government.
Streamlining of Communication
- Disaster Management provides Federal, state, and local emergency managers online access to disaster management related information, planning, and response tools.
- SAFECOM serves as the umbrella program within the Federal government to help local, tribal, State, and Federal public safety agencies improve public safety response through more effective and efficient interoperable wireless communications.
Sharing of Processes and Resources
- E-Training Initiative: the Federal government is migrating on-line training services from over 40 agencies to one.
- The Enterprise Human Resource Integration (EHRI) Initiative is providing HR managers and specialists with a data warehouse and workforce planning and analysis capabilities such that trends for retirement, promotions, and reassignments can be accurately and efficiently forecast.
- E-Payroll, through the efforts of multi-agency teams, is continuing the migration of agencies from the present 26 providers to 2 payroll partnerships, with a projected lifecycle cost savings/cost avoidance of $1.1 billion.
- Integrated Acquisition Environment (IAE) has resulted in an agency-shareable single vendor-performance file and a single vendor registration area that makes it easier to do business with the Federal government.
Objectives
- Sharing of Information, to: provide convenient and continuous access to up-to-date information; eliminate redundancies and data quality problems
- Streamlining of Communication, to: enable interoperability; ensure timely and accurate exchange of information
- Sharing of Processes and Resources, to: eliminate redundant functions; reinforce consistency of processes and procedures
Source: eGov.gov
6
Challenges & Expectations
STAKEHOLDERS: Citizens, Visitors, Regulators, Government Agencies, Others
DRIVERS: Mission & Objectives; Trust & Reputation; Asset & Capital Management; Expenditures & Budget; Regulations
CHALLENGES: Digital Divide; Social, Cultural and Educational Issues; Existing Infrastructure; Legacy Systems, Decentralization, and Interoperability
EXPECTATIONS
- Delivering Value: Availability, Accessibility, Infrastructure, Reliability, Governance, Innovation
- Managing Cost: Project Management, Program Management
- Managing Risk: Confidentiality, Security, Data Integrity, Applications, Privacy, Identity & Access Management, Incident Response
- Facilitating Change: Program Implementation, Change Management, Interoperability, Control Monitoring
- Supporting Compliance: Regulatory Compliance, Vendor Risk Management, Monitoring Outsourced Operations
Volume / Cost Management / Regulatory Requirements
Governance - IT Governance - IT Risk Management
7
IT Governance
IT Governance
- Supports the effective and efficient management of information resources (e.g., people, funding, and information)
- Helps facilitate the achievement of agencies' missions and objectives
- Measures and manages IT performance
- Ensures IT risks and costs are appropriately controlled
IT Risk Management
- Assesses risk
- Develops risk mitigation strategies
- Monitors risk
8
Components of Risk
- Vulnerability: open to attack, damage, or loss
- Threat: an event that could cause loss (examples: loss of a data center, hardware failure)
- Resources: available means
- Impact and Likelihood: the two factors that determine Risk
- Control: safeguard, countermeasure
Relationships shown in the diagram: a Threat exploits a Vulnerability and impacts Resources; a Control protects Resources and reduces Risk.
9
Risk Management Process
Risk mitigation options: Risk Assumption, Risk Avoidance, Risk Limitation, Risk Transfer, Risk Sharing
Process steps: Identify & Prioritize Risk; Mitigate Risk; Monitor; Report
Governance: Decision Making, Accountability
Continuous alignment with:
- Agency Environment
- Agency Mission & Objectives
Outcomes: Risk Awareness; Early Detection of Problems; Managing Resources / Spending
Risk Management Goals
- Achieve Agency Objectives
- Protect Stakeholders
- Control Expenditures
10
Regulatory Environment
Legislation
- Federal Managers' Financial Integrity Act (FMFIA)
- Federal Information Security Management Act (FISMA)
- eGovernment Act
- Health Insurance Portability & Accountability Act (HIPAA)
- Gramm Leach Bliley Act (GLB)
- Others
Standards & Guidelines
- Office of Management & Budget (OMB)
- National Institute of Standards & Technology (NIST)
- Others
Frameworks: COSO, COBIT, ITIL, ISO, Others
Leads to...
- Extensive set of defined IT security and controls requirements (and options)
- Various reporting requirements
- Multiple owners and stakeholders
Requires...
- Focus on risk from an enterprise perspective to align resources with risk
- Coordination among involved parties
- Sharing of risk information
- Change management
11
Control Requirements
Regulatory Requirements, Business Requirements, Stakeholder Expectations, and Inherent Risk
... drive requirements regarding: Confidentiality, Integrity, Availability
... which drive control objectives within:
- IT Management Process: Planning & Organization; Maintenance & Acquisition; Delivery & Support; Monitoring
- IT Infrastructure: Datacenters; Networks; Operating Systems; Databases
- Business Process: Initiation; Authorization; Recording; Processing; Reporting
To define or assess controls, these components need to be linked.
12
Linking Resources
Stakeholders and functions: Functional Owner, DBA, Program Developers, Users, Audit, Legal, Processing Organization, Security
Layers to be linked: Business Process; Application Processes (Transactions, Functions, Data); Technology Infrastructure (Systems, Platforms, LANs, WANs); People
Business Process criteria: Confidentiality, Availability, Integrity
Example (procurement):
Business Process   | Procurement
Sub Process        | Ordering
Criteria           | Confidentiality, Integrity, Availability
People             | Program Manager, Contracting Officer
Data               | Goods, Pricing
Application        | Ariba, PeopleSoft
Database           | Oracle
Operating system   | Unix
Telecom            | T-1 Dedicated
Facility           | Facility 1
13
Control Baseline Approach
Threat Vulnerability Analysis (Threat List -> Vulnerability -> Safeguards)
Resource | Threat | Vulnerability               | Risk
Hardware | Fire   | Lack of fire suppression    | Loss of Hardware
Data     | Virus  | Lack of Anti-Virus Software | Loss of Data
Controls Baseline Analysis (Baseline Controls -> Control Gap)
Control Objective: Hardware is protected from environmental hazards
- Control Techniques: Fire suppression system is installed; Fire detection system is installed; Personnel are appropriately trained
- Control Gap: Only a fire detection system is installed. Handheld extinguishers are available; the team is not trained.
- Risk: Loss of Hardware
Control Objective: System is protected from malicious software
- Control Technique: Anti-virus software is installed
- Control Gap: Anti-virus software is not installed.
- Risk: Loss of Data
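The "Components of Risk" and "Control Baseline Approach" slides describe one procedure: list resources, threats and vulnerabilities, rate each risk by likelihood and impact, then compare the baseline control techniques each control objective requires against what is actually in place to find control gaps and the residual risk they leave. The following Python is an added example, not code from the presentation or from Ernst & Young; it encodes the slide's two sample rows (fire, virus) and generalizes the gap check to any set of objectives. The 1-5 likelihood and impact scales, the numeric values, and the proportional residual-risk formula are assumptions made for the example.

```python
"""Control baseline approach as a small, runnable model (added example).

A Risk row is one line of the threat/vulnerability analysis; a
ControlObjective row is one line of the controls baseline. Likelihood and
impact values below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence


@dataclass(frozen=True)
class Risk:
    """A threat exploits a vulnerability and impacts a resource, producing a loss."""
    resource: str
    threat: str
    vulnerability: str
    loss: str          # the risk, e.g. "Loss of Hardware"
    likelihood: int    # assumed scale: 1 (rare) .. 5 (near certain)
    impact: int        # assumed scale: 1 (minor) .. 5 (severe)

    def inherent_score(self) -> int:
        # Risk before any control: a function of likelihood and impact.
        return self.likelihood * self.impact


@dataclass(frozen=True)
class ControlObjective:
    """A control objective, the baseline techniques that satisfy it, and the loss it mitigates."""
    objective: str
    techniques: FrozenSet[str]
    mitigates: str


def control_gaps(objectives: Sequence[ControlObjective],
                 implemented: FrozenSet[str]) -> Dict[str, List[str]]:
    """Baseline techniques missing per objective; fully met objectives are omitted."""
    gaps: Dict[str, List[str]] = {}
    for obj in objectives:
        missing = sorted(obj.techniques - implemented)
        if missing:
            gaps[obj.objective] = missing
    return gaps


def residual_score(risk: Risk, objectives: Sequence[ControlObjective],
                   implemented: FrozenSet[str]) -> int:
    """Inherent score scaled by the fraction of baseline techniques still missing
    across the objectives that mitigate this loss (assumed formula).
    A loss that no objective covers keeps its full inherent score: that absence
    is itself a control gap."""
    relevant = [o for o in objectives if o.mitigates == risk.loss]
    required = sum(len(o.techniques) for o in relevant)
    if required == 0:
        return risk.inherent_score()
    covered = sum(len(o.techniques & implemented) for o in relevant)
    return risk.inherent_score() * (required - covered) // required


def prioritize(risks: Sequence[Risk], objectives: Sequence[ControlObjective],
               implemented: FrozenSet[str]) -> List[Risk]:
    """Identify & prioritize: highest residual risk first."""
    return sorted(risks, key=lambda r: residual_score(r, objectives, implemented), reverse=True)


def report(risks: Sequence[Risk], objectives: Sequence[ControlObjective],
           implemented: FrozenSet[str]) -> List[str]:
    """One line per risk, in priority order, for the Report step."""
    lines = []
    for r in prioritize(risks, objectives, implemented):
        lines.append(f"{r.loss}: {r.resource} / {r.threat} / {r.vulnerability} "
                     f"inherent={r.inherent_score()} residual={residual_score(r, objectives, implemented)}")
    return lines


# Sample rows taken from the slide; likelihood/impact are constructed values.
RISKS = [
    Risk("Hardware", "Fire", "Lack of fire suppression", "Loss of Hardware", likelihood=2, impact=5),
    Risk("Data", "Virus", "Lack of Anti-Virus Software", "Loss of Data", likelihood=4, impact=4),
]
OBJECTIVES = [
    ControlObjective("Hardware is protected from environmental hazards",
                     frozenset({"Fire suppression system is installed",
                                "Fire detection system is installed",
                                "Personnel are appropriately trained"}),
                     "Loss of Hardware"),
    ControlObjective("System is protected from malicious software",
                     frozenset({"Anti-virus software is installed"}),
                     "Loss of Data"),
]
# What the slide's gap column says is actually in place.
IMPLEMENTED = frozenset({"Fire detection system is installed"})

if __name__ == "__main__":
    for objective, missing in control_gaps(OBJECTIVES, IMPLEMENTED).items():
        print(f"GAP {objective}: missing {missing}")
    for line in report(RISKS, OBJECTIVES, IMPLEMENTED):
        print(line)
```

With the slide's data the virus risk ranks first: its single baseline technique is absent, so it keeps its full inherent score, while the fire risk is reduced by the one installed technique out of three. Extending the model to a real environment means adding the resource linkage from the previous slide (which people, applications, databases and facilities each risk row touches), not changing the gap logic.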
14
Control Objectives
Control levels: Entity-level, Infrastructure-level, Transaction-level
Control types: Automated, Manual, Hybrid; Prevent, Detect
- Controls Prioritization: focus on controls that cover key control objectives
- Controls Rationalization: consider controls that cover multiple control objectives
- Controls Automation: optimize the use of automated controls
15
Lifecycle of a Control
Lifecycle stages (a continuous cycle): Design, Implement, Test, Assess, Monitor, Report, Improve
Common observations:
- Controls design is not a focus during new systems implementations
- Controls often need to be retrofitted to meet business and compliance needs
- Disconnect between application and manual controls
- Controls not properly documented
- Controls assessed for multiple purposes
- Controls dependencies often not transparent
- Controls automation and monitoring technologies not fully used
- Reporting process not effectively designed to satisfy all stakeholders' needs
16
Risk Considerations – New System Initiative
- Are risk management and regulatory requirements spelled out in the Statement of Work?
- Is there sufficient contract oversight to ensure that contractual specifications are being met?
- Are controls to mitigate risks and provide compliance clearly defined and assigned?
- Does the systems and process documentation include the documentation of controls?
- Are controls subject to review for their design effectiveness?
- Are control features in systems fully utilized?
- Are manual controls in business processes aligned with the automated controls provided by the system to prevent control gaps and overlaps?
- Are measures in place to maintain the control posture during the system replacement phase?
- Are controls periodically tested to assess their operating effectiveness?
- Are provisions in place to keep the documentation up-to-date?
- Are standard processes and configurations followed at all locations?
- ...
17
Risk Management Challenges
- Identification of resources in a decentralized environment
- Linkage between IT infrastructure, applications, and business processes
- Linkage between managerial, operational, and technical controls
- Consideration of outsourced processes, including development and operations
- Risk assessment viewed as a compliance requirement rather than a management function
- Complexity of regulatory requirements
- Dynamics in technology and demands
- Coordination of assessment activities
- Documentation and sharing of assessment results
These challenges could lead to risk being assessed:
- in a vacuum
- in a fragmented fashion and not linked to the agency's mission
- at a point in time versus over a period of time
18
Defining a Framework
Co-development among: Internal Audit, Risk Manager, Project Sponsor, Executive Management
Framework elements:
- Approach and Methodology
- Milestones
- Team composition
- Tools
- Goals and Objectives
- Information Criteria
- Timing
- Reporting
19
Risk Assessment Approaches
Approaches: Baseline; Self Assessment
Dimensions of an approach:
- Timing: Point-in-Time vs. Continuous
- Identification: Threat vs. Vulnerability
- Evaluation: Quantitative vs. Qualitative
- Team: Independent vs. Collaborative
20
Risk Management Culture
Risk Management Process: from Ad-Hoc, Reactive, Bottom-Up, Isolated, Fragmented, Informal ... to Repetitive, Measurable, Validated, Continuous, Entity-Wide, Aligned w/ Agency Objective, Top Down
Driver: from Incidences, Failures, Audit, Legal Requirement, Regulatory Requirements, Isolated Initiatives ... to Agency Objectives, Risk Culture
21
Risk Management Program – Lessons Learned
Organization & Accountability
- Clarification and delineation of responsibilities between various functions (agency management, program management, IT management, internal review, inspector general, etc.)
- Linking decentralized activities to an enterprise-wide framework
- Top-down planning
- Bottom-up reporting
- Facilitate coordination among various risk management functions
IT Governance
- Multi-disciplinary review boards for strategy, investments, risk, etc.
- Align risk management efforts to agency needs
22
Risk Management Program – Lessons Learned
Driving a Culture of Risk Management
- Tone at the top
- Awareness
- Training
Policies & Procedures
- Documentation of risk management policies and procedures
- Standards and practices
- Communication protocols and reporting requirements
23
Risk Management Program – Lessons Learned
Staffing
- Skill set
- Capacity
Training
- Common language
- Standardized approach
Technology
- Documentation of processes, controls, and assessments
- Controls automation / controls monitoring
24
Risk Management Program – Lessons Learned
Performance Measures
- Definition of metrics and performance measures to assess risk management efforts
Monitoring
- Continuous monitoring of risk management activities and their results
- Reporting structure, accountability
25
Conclusion
Risk management activities are, consciously or unconsciously, executed by various functions within an agency. Linking these activities through coordination and communication vastly enhances the effectiveness of the overall risk management program.
26
Contact Information:
Werner Lippuner
Ernst & Young LLP
Washington, D.C.
© 2007 Ernst & Young LLP.
All Rights Reserved.
Ernst & Young is a registered trademark.
www.ey.com
ERNST & YOUNG LLP