Information Technology: Risk Factors and Management.ppt
- Document number: 18768957
- Upload date: 2023-11-05
- Format: PPT
- Pages: 64
- Size: 697KB
Slide 1 - Information Technology: Risk Factors and Key Control Areas

Slide 2 - Outline of the Discussion
- IT examinations - integration and ratings
- Key IT risks and mitigating controls
- Integrated supervision - IT and financial
- IT issues - business line reviews
- Business resiliency
- Service provider/outsourcing risks
- E-banking issues

Slide 3 - IT Examinations - Integration and Ratings
- Part of the safety and soundness examination
- A targeted examination may be done for complex institutions or specific issues
- Single composite rating of performance - the "URSIT" rating - may be a single rating, e.g. strong, satisfactory, fair, marginally satisfactory, unsatisfactory

Slide 4 - IT Examinations - Integration and Ratings
Four "URSIT" components:
- Audit
- Management
- Development and Acquisition
- Support and Delivery
IT risk factors:
- Organizational risk
- Infrastructure risk
- Integrity risk
- Security risk
- Availability risk

Slide 5 - Scope of IT Examination
Other key factors:
- Implementation of new systems
- Significant changes in operations, including mergers or system conversions
- New or modified outsourcing relationships for critical operations

Slide 6 - Scope of IT Examination
Areas to concentrate on:
- Significant industry trends/issues
- Business lines where internal controls or risk management are heavily dependent on information technology
- Follow-up on issues raised by the internal auditor or in the last report of examination

Slide 7 - Degree of Control
- Level of IT risk depends on the degree of control
- In-house operations - 100 percent: retains all responsibility, authority and accountability
- Outsourced operations - 0 percent: delegates some authority to an outside party through a contract while retaining accountability
- Vendor - 0 percent: products developed without bank input; carefully evaluate the risks

Slide 8 - Analysis of URSIT Rating Factors
Internal Audit review includes:
- Overall effectiveness of the audit process
- Audit independence
- Adequacy of the risk assessment methodology
- Scope, frequency, accuracy and timeliness of internal and external audit reports
- Extent of audit participation in application development, acquisition and testing
- IT audit staff and qualifications
- Quality and effectiveness of internal and external audit as it relates to IT controls
- Overall adequacy of the audit plan vs. IT risks

Slide 9 - Analysis of URSIT Rating Factors, cont.
Management review includes:
- Level/quality of oversight and support of IT processes
- Effectiveness of risk monitoring systems, including identification, measurement, monitoring and controlling of risks
- Management planning - new activities - succession plan
- Adequacy of MIS reports
- Awareness of and compliance with laws and regulation
- Management of contracts, outsourcing and service delivery, and monitoring of the arrangements

Slide 10 - Analysis of URSIT Rating Factors, cont.
Development and acquisition review includes:
- Oversight and support of systems development and acquisition activities by senior management and the Board
- Accountability for systems development
- Adequacy of SDLC and programming standards
- Quality of project management programs, systems documentation and software releases
- Independence of the quality assurance function
- Integrity and security of the network, system and application software
- Involvement of clients in the acquisition process

Slide 11 - Analysis of URSIT Rating Factors, cont.
Support and delivery review includes adequacy of:
- Operating policies, procedures and manuals
- Physical and logical security, including data privacy
- Security policies, procedures and practices in all units and at all levels of the financial institution
- Service levels that meet business requirements
- Data controls over preparation, input, processing and output
- Corporate contingency planning and business resumption
- Programs/processes monitoring capacity/performance
- Quality of assistance provided to users
- Controls over and monitoring of OSPs
- Firewall architectures/security of public networks

Slide 12 - Integration of Key Risk Factors/Ratings
- Review IT risks at an institution-wide level
- Develop processes to evaluate the risks
- Incorporate the information needed for the IT rating into the risk evaluation
- Evaluate IT risks when reviewing specific business lines or products

Slide 13 - Definition of Organizational Risk
The risk that ineffective management processes will result in information systems that are not adequately or appropriately aligned with, or supportive of, the business processes and mission of the organization.

Slide 14 - Organizational Risk - Management Processes
- Strategic planning
- Management and reporting hierarchy
- Management succession
- Independent review function - e.g. internal audit

Slide 15 - Organizational Risk - Key Issues
- Competitive advantage
- Critical to global competition
- Critical to a merger - whose systems to use and how to integrate
- Linkage to strategic planning
- End-users should understand the systems and be included in the decisions

Slide 16 - Organizational Risk
- Central versus local decision making
- Use of consultants
- Development of systems on a global basis
- Decision making in smaller institutions

Slide 17 - Organizational Risk - Key Controls
Preventative:
- Strategic plan
- Succession planning
- Communications
- Staffing
- Policies/procedures
- Segregation of duties
- Cross training/job rotation
- Documentation

Slide 18 - Organizational Risk - Key Controls
Detective:
- Managerial reports
- Financial reports
- Variance reports
- Employee appraisals
- Error statistics and logs
- Internal and external audit

Slide 19 - Organizational Risk - Key Controls
Corrective:
- Education
- New plans or procedures
- Outsourcing
- Replacement of management

Slide 20 - Infrastructure Risk
The risk that the underlying design and individual components of an automated information system will not meet current and long-term organizational objectives.

Slide 21 - Infrastructure Risk - Architecture
Underlying design of the information technology system and its physical and logical components:
- Network communications
- Hardware
- Software: operating systems, communications software, database management systems, programming languages and desktop software

Slide 22 - Types of Computer Systems
- PCs/workstations
- Client server - typically a LAN
- Local area network
- Mid-range
- Mainframe

Slide 23 - Infrastructure Risk
- Choice of platforms - open servers versus mainframes
- Flexibility versus computing ability

Slide 24 - Infrastructure Risk - Key Controls
Preventative:
- Strategic and tactical plans
- Feasibility study
- Procurement policy
- System development methodology
- Capital plans and procedures
- Change control
- Acceptance testing

Slide 25 - Infrastructure Risk - Key Controls
Detective:
- Inventory systems
- Self-assessment
- Internal and external audit

Slide 26 - Infrastructure Risk - Key Controls
Corrective:
- Retrofit
- Re-engineer
- Translate/transform

Slide 27 - Integrity Risk
The risk that a system, application or computer program, and the resulting information flows, will not satisfy end-user business requirements and expectations.

Slide 28 - Integrity Risk
Key part of this process - the System Development Life Cycle (SDLC):
- Initiation
- Requirements
- Design
- Programming
- Testing
- Implementation
- Evaluation
- Maintenance

Slide 29 - Integrity Risk - Key Controls
Preventative:
- Adherence to the SDLC
- Quality assurance program
- Change control
- Acceptance testing
- Capacity planning
- Resource scheduling

Slide 30 - Integrity Risk - Key Controls
Detective:
- Self-assessment
- Internal and external audit
- Acceptance testing
- Performance monitoring
- Machine diagnostics/logs
- Error statistics

Slide 31 - Integrity Risk - Key Controls
Corrective:
- Redesign of the application
- File rotation and retention
- Recovery and restart
- Replacement
- Reschedule demand

Slide 32 - Security Risk
The potential that control breaches will result in unauthorized access, modification, destruction or disclosure of information assets during their creation, transmission, processing, maintenance or storage.

Slide 33 - Security Risk
- Utilize preventative and detective controls - physical and logical
- Physical - isolate mainframes and servers
- Logical - restrict access to systems and changes to systems; create audit trails; periodically review access; encrypt critical information

Slide 34 - Security Risk - Key Controls
Preventative:
- Physical/logical access control
- Capacity modeling
- Proprietary networks
- Switchability routing
- Protocols
- Public networks
- Encryption/authentication
- Access codes

Slide 35 - Security Risk - Key Controls
Detective:
- Violation repor