COBIT Case Study

COBITCaseStudy:ITRiskManagementinaBankThiscasestudyisareal-lifeexampleofusingCOBIT®forITriskmanagementwithinaglobalbank.COBITwasusedeffectivelyformanagingriskwithinthetechnologyteamstoensurethatappropriateITgovernanceandITassuranceprocesseswereutilisedthroughoutthebank.BackgroundThebankinthegivencaseisaglobalconglomeratewithoperationsinmorethan50countriesandwithmorethan125,000employeesacrosstheglobe.Thebank’stechnologyteamsarelocatedthroughouttheworldtosupportgloballinesofbusiness.TheITteamsincludedevelopmentcentresthatarepartofthebankandothersthatareoutsourcedtovendors,aswellastechnologybackofficesthatsupportITinfrastructureandservices.Thebankhadahistoryofmultiplegovernanceandassurancetemplatesandprocessesfollowedbydifferentteams,regionsandlocations.Hence,thekeychallengewastocreateacommongovernanceandassuranceprocessacrosstechnologyteams.Thetechnologygovernanceandassuranceprogrammewasdesignedthroughariskmanagementframeworktoensureeffectiveriskandcontrolmanagement.Theframeworkwasdefinedtoaddressexistingriskandcontrolmanagementweaknesses,suchas:ImmatureprocessesforassessingandtestingcomplianceLackofasinglecontrolrepository,resultingincontrolduplicationLackofaclear,repeatableprocessforcompletingriskassessmentsThenewframeworkwasexpectedtoenabletechnologyteamstounderstandthesignificantoperationalrisksandtheirimpactonthewiderorganisationby:AddressingareasinwhichriskswerenoteffectivelycontrolledAllowingtechnologyexecutivestodemonstrateregulatoryresponsibilitiesefficientlyUsingacommonplatformforreportingallregulatoryrequirementsacrossregionsandcountriesEffectivelyreportingtechnologyriskandcontrolweaknessesthatmayimpactthebusinessImplementingastandardprocessacrossregionsandofficestoensureconsistencyandavoidduplicationofreportingUseofCOBITThegovernanceteamdecidedtouseCOBITasastandardframework.Ateamofprofessionals—includingrisk,ITsecurityandUSSarbanes-OxleyActprocessexperts—wassetuptodefinetheprocessesandtemplates.Theteamprimarilyworkedonthreeareas:1.Definingaframeworktouse—Controlobjectiveframework(COF)2.Identifyingastandarddefinitionof‘entities’againstwhichrisksandcontrolsweretobeevaluated—Keyentitymanagementmodel3.Identifyingariskmanagementprocess—Riskandcontrolassessment(RCA)Keystepsintheprocessofdevelopinganewriskmanagementframeworkaredescribedinthefollowingsections.Step1—DefiningCOFTheCOFwasdefinedtolinkrisksaffectingtechnologyofficesandindustrystandardbestpracticecontrolsasdefinedbyCOBIT.ThreeobjectivesweresetwhilstdefiningtheCOF:1.Itshouldactasatooltofacilitatetheeffectiveassessmentofrisksandcontrolswithintechnology.2.Itshouldactasareportingframeworktodemonstratehowtechnologysatisfiesreportingregulatoryrequirements,includingthoseofSarbanes-Oxley.3.Itshouldactasanaidtodrivemanagementassurance.ThestepsinimplementingCOFusingCOBITincluded:Identifyprincipalrisks—TheprincipalrisksoflevelIweredefinedandfrozenbasedonearlierinformation.Thoseidentifiedincludedrisksrelatedtotechnology,operations,people,legalandregulatory,financialreporting,financialcrime,brand,andchange.IdentifylevelIIrisks—TheprincipalriskwasfurtherbrokendownintolevelIIrisks.Asanexample,the‘technologyprincipalrisk’wasfurtherdrilleddownto:-Inadequatedesign/testingofITsystems-UnavailabilityofITsystems-LackofITsecurityIdentifycontrolobjectives—ForeachofthelevelIIrisks,controlobjectiveswereidentifiedusingCOBIT.Figure1indicatesthemappingofthelevelIIriskswiththecontrolobjectivesidentifiedagainsteachofthetechnologyrisks.BenefitofStep1Priortoimplementingthisframework,eachentity,organisationandlocationhaditsownsetofcontrols.COBIThelpedindevelopingandmanagingasinglelistofcontrolsforeachtypeofriskthroughthemappingofneededcontrolstoCOBIT.Inturn,thisassistedwiththeattestationofeachtypeofrisk,whichprovidedconfidencetoseniorexecutivesonthereportingandattestationprocess.Subsequently,ariskassessmentprocesswasdevelopedtodefinerisksandcontrols.ThishelpedinensuringthatadequatecontrolsweredeployedtocovertheprincipalrisksandlevelIIrisks.Step2—IdentifyingEntitiesforManagingRisksandControlsThekeyentitymanagementmodelwasdefinedtoincludeITbuildingblocks,againstwhichriskandcontrolassessmentsweretobeperformed.TheITbuildingblocksarelogicallylinkedtogetherforreportingpurposestoprovideariskandcontrolassessmentforallsupportingserviceswithinthepurviewofthetechnologyoffice.TheITbuildingblocksweredefinedas:Processentities—Theserepresenttheprocessesusedtosupport,controlandmanagetheITenvironment.AnycontrolissuesinaprocessentitywouldaffectmanyITservices,e.g.,changecontrolispervasiveacrossmostITservices.Supportingservicesentities—Linkingwithprocessandtechnologyentitiesallowsforacompleteend-to-endriskandcontrolassessmentforthatsupportingservice,e.g.,interfacingrisksamongsttechnologyentities,service-levelrisksforend-to-endITservice,andintegrationrisks(themanagementofhandoffsbetweendepartments).Technologyentities—Theserepresentthe‘traditional’ITcomponents,e.g.,servers,applications,networksandfirewalls.TheservicemapsandtheRCAprocesswereusedtofacilitatetheidentificationofthekeytech