IT Governance Challenges

21st Century Technology - 18th Century Controls. Is Our Assurance Paradigm Fit For Purpose?

Date:
Wednesday 5 June 2013

Time:
6.00pm for 6.30pm

Venue:
Southampton Solent University, East Park Terrace, Southampton, SO14 0RD | Maps
7 minutes walk from Sothampton Central Station

Cost:
Free of charge, for both BCS and Non-BCS members.

This will be jointly with the Hampshire Branch, BCS IRMA and Quality SGs and Southampton Solent University.

Speaker: John Mitchell PhD, MBA, CEng, CITP, FBCS, CISA, CGEIT, CFIIA, QiCA, CFE, Managing Director, LHS Business Control

Impact of poor control in business terms?
IT staff are usually good at identifying costs, but usually weak at identifying benefits. Because many IT controls are invisible, IT staff find it difficult to describe the impact of a control failure in business terms. Reporting that port 80 is insecure does little to alert business management to the consequences associated with this finding.

Can we explain what a control is?
Controls cost money and they slow down our systems, so it is important to know what they are providing us with. All controls are processes, but not all processes are controls. Both cost us money, so it is essential that we understand the difference.

Do we understand how controls work?
The working of a control is a mystery to most people, including auditors, but if we don’t know how they work how can we assess their effectiveness and whether they are worth the investment? After all, there are other things we can spend our money on when times are tight. Is trust an effective control mechanism? Trust is certainly cheap, but that it not the same thing as providing value.

Do our controls really manage our 21st century risks?
Many risk registers indicate a move from inherent red risk to residual green risk as the result of controls being in place. However, is the red to green really justified? Are the controls suitably designed and implemented to justify the move from red to green? Does it reduce likelihood, or consequence, because a single control cannot do both things?

Can we measure control effectiveness?
Are we able to state, with some high degree of assurance, that a control is good or poor? Do we have embedded monitors and early warning indicators in place to alert us of a potential failure in our control umbrella? Are they working as intended?

What about the future?
In the last 40 years we have advanced from simple batch programs running on mainframe computers to cloud computing. The point of a access is now a tablet, or cell phone. How can we provide assurance over mobile phone apps using cloud computing coupled with Bring Your Own Device (BYOD)? Are we capable of controlling assets when we have no idea where they are stored? Personal data has always been important, but the advent of social networking sites now means that we are giving it away at an accelerating rate. Are our assurance tools able to manage beyond 2013 when they are already doubtful today?

Dr John Mitchell is an international authority on corporate governance, risk management, the impact of regulatory and compliance issues on the delivery of corporate services and cybercrime. He has presented papers on these subjects at many international conferences and holds ISACA’s (International Systems & Control Association) prestigious John Kuyers’ award for best conference contributor. He runs regular seminars on corporate governance & assurance, risk management, control self assessment, the problems associated with the development and provision of computer systems and the detection and prosecution of corporate fraud.

He is a Chartered Engineer, Chartered Information Technology Professional, a Certified Fraud Examiner, a Certified Information Systems Auditor and is Certified in the Governance of Enterprise IT. John is a Fellow of the Institute of Internal Auditors (UK) and a Fellow of the BCS where he is a member of its governing Council. He is also Chair of the Audit Committee of ISACA’s London Chapter.

He has been an expert adviser in a number of UK commercial and criminal cases and has been featured in a major British computing publication as the ‘IT Detective’. He has over 30 years practical control experience and an international reputation for advising organisations on their governance strategies and associated methodologies.

PDF Icon Presentation - John Mitchell