Wednesday, May 4, 2016

Third party management


Introduction

In favor of focusing and specializing on core competencies, most businesses nowadays are increasingly and heavily relying on third parties to support their businesses by outsourcing great amount of their activities such as IT support, software development, data hosting, physical security, cleaning services, heating and air conditioning, and thus subcontracting with external suppliers and service providers which are estimably responsible for driving around two-thirds of total revenue and often offer better services at low-costs. This tendency is generating numerous critical business partnerships and requires adequate control and oversight.

Third party management is the process of monitoring and managing business collaboration with external parties such as vendors, manufacturers, suppliers, partners, distributors, resellers, cleaning and security services, etc. the process is established by managing information, measuring performance, assessing risks, binding to contractual agreements and compiling to regulations.

Third party related risks

Studies revealed that the majority of recent security breaches occur as a result of third parties. Indeed, when organizations rely on third parties, their exposure to risk enlarges. If for instance a trusted vendor has deployed but poorly maintained an anti-malware software, it might end up in a massive cyber-attacks as his network gets compromised. A non-critical but trusted service provider such as an air conditioning contractor who is insecurely connected to the organization’s internal network for data synchronization or billing purposes should be then considered a high risk source. If an organization outsources the software development to a third party, he by then raises a significant risk if he closes down while the organization do not have the appropriate talent, documentation, tools or the source code itself to carry on the development and support activities.

The role or size of the third party is not as important as the nature of the relationship, the criticality of its activities, the level of access to sensitive data or property, and the organization’s liability for inappropriate behavior of its third parties. A cleaning company with access to a director's office represents a different but still significant risk relative to a supplier who provides a critical component to the production line.

When transferring operations and assets to third parties whom should be better in performance using adequate expertise and resources, businesses still assume the responsibility if any risks were to occur, combined from the likelihood of harmful events occurring and the consequence of harm, as risks remain relevant despite the fact that these operations and assets are out of the organization’s direct oversight which makes a higher burden for them to manage.

Third party risk management

Studies revealed that organizations tend to forget contracts once they’re signed, only 20% of organizations are actually including their third parties in their assessment scope.

Managing third parties is often challenging, complex and hard thus poorly addressed in most organizations, some related challenges are listed below
  • Responsibility for risk - it’s frequently unclean within organizations who is, and how they’re managing the individual or the overall third party relationships;
  • Reactive handling of risk - unless a critical issues surface and associated risks arise, organizations tend to ignore addressing third party risks;
  • Ignorance of risk factors - organization tend to prioritize third parties based on quality, cost and delivery time, assessing and managing related potential impacts and risks are often forgotten or ignored;
  • Integrity risk - if’s often hard to assure the transparency and honesty of third parties, any provided data are questionable in term of accuracy and completeness;
  • Contractual terms - contract terms are often underestimated, important factors such as right to audit, pricing changes due to taxes or discounts, timing, consequences of short and long term contracts are often ignored. Organizations lean toward standard and outdated outsourcing contract templates which do not cover recent business landscape changes and emerging technologies.
In assessing third parties, risk practitioners should consider wide range of potential risks, these risks can be grouped into the following categories
  • Financial risks - such as changes in currency rate, loss of product value, losses in market share;
  • Information risks - such as data breaches, data disclosure, data unavailability, data loss, data destruction, unauthorized access;
  • Integrity risks - such as fraud, conflicts of interest, damage of reputation;
  • Compliance risks – such as non-compliance to regulations, operating without licenses;
  • Operational risks - such as systems failures, supply chain disruptions, employees’ skills, employee’s turnover;
  • Strategic risks - such as poor business decisions, inadequate resource allocation, industry recession;
  • Technology risks - such as changing business landscape; outdated hardware, software malfunction, malware infection, denial of service, email phishing, human errors.
To overcome such threats and risks, risk practitioner should make sure to cover aspects such as
  • Outsourcing process - inventory, prioritization and selection of third parties, oversight activities, performance measurement, communication channels;
  • Business management - leadership, liability, trust, transparency, processes efficiency;
  • Information security - complying to security requirements, implementation of security controls, planning business continuity and disaster recovery, protection of intellectual property, adherence to a non-disclosure agreement (NDA);
  • Risk inventory - knowledge of exposed threats, inherent vulnerabilities, potential adverse impacts, and supposed risk scenarios
  • Contractual agreement - conforming to service-level agreement (SLA), enforcement of contract terms, constant contracts revision;
  • Regulatory compliance - conformance to relevant regulations, adoption of best practices; 
  • Assessment and auditing - right to audit, periodic risk assessments, internal auditing;
  • Ongoing monitoring - internal controls monitoring, independent and on-site reviews, reporting non-compliance.

Conclusion

In today’s world, doing business means relying on some third parties which exposes the business to significant risks. Hence, businesses should have a clear understanding of the inherent risks in their relationship with third parties. As risks continue to rise due to emerging technologies and market trends; organizations should not only establish comprehensive contractual agreements with third parties which is a step in the right direction but improve and strengthen their relationship and emphasize proactive third party risk management and make it one of main organization's goals and objectives.

Monday, May 2, 2016

Organizations goals and objectives


Introduction

Organizations exist to create value for their stakeholders by retaining a balance between achievements of profits by pursuing opportunities, optimizing the use of resources and reducing related and potential risks. In order to so, organizations need first to set clear set of objectives a goals that articulate their mission, value and reason for existence, and then strive to achieve them. While the organizations' goals represent the desired destination, the chosen objectives characterize the road map to get there.

Below some of the organizations’ typical and common goals and objectives
  • Increasing sales and market share;
  • Improving customer service and retention;
  • Strengthening partnerships; 
  • Hiring talented people and training current staff; 
  • Minimizing logistic costs; and 
  • Expanding the organizations' presence...etc.
Such goals and objectives should inevitably lead the organization to the right direction and track through achieving profitability, maintaining employees and customer’s satisfaction and thus ensuring continual growth.

Business-IT alignment

Business-IT alignment is the sustainable ability of organizations to effectively overtime integrate and use information technology to achieve their objectives and create value. In reality, a misalignment is noticed as most organizations fail to close the gap between IT and the rest of the business, this situation often enlarges due to distinction of objectives, drives, cultures, attitudes as well as ignorance. Such scenario leads often into expensive and inadequate IT deployments without real return of investment (ROI).

The alignment usually aims to improve the business value of IT investments and maintain organizations' success by
  • Building a trust relationship and facilitating communication between decision-makers and IT managers; 
  • Flexibility in implementing business plans and Enterprise Architecture;
  • Presenting the Enterprise Architecture’s capability and limitations; 
  • Efficiency in managing organizations budget and resources; and
  • Ensuring optimal return of investment (ROI) of IT funds.
Ensuring better business-IT alignment can be implemented by translating organization’s goals and objectives into adaptable, specific and mapped IT-related goals, processes and practices. This is can done by adopting standard Enterprise Architecture and IT governance frameworks as TOGAF, COBIT and ITIL.

Business-IT risk alignment

Organizations tend to have limited resources and poor considerations in implementing effective enterprise-wide risk management, it’s often to see the organization’s risk profile outdated and not aligned with their goals and objectives, and not focused on top management issues.

In responding to internal and external events, factors and changing business landscape, organization’s objectives and strategic priorities constantly changes over time to keep pace with the environment in which it operates. Unless frequently revised and updated; risk management efforts become responsive and compliance-oriented rather than supportive, and risk appetite and tolerance thresholds became unrealistic and then cannot reflect current organization’s objectives.

Organizations traditionally organize separate meetings for strategic decision-making, planning and risk related initiatives, and thus limit the interaction between these activities which generate ineffective and redundant efforts and result in additional risks. However, the alignment aims reduce such activities and eliminates the gaps in between by integrating risk management with business strategy.

Risk management activities are often limited within IT department by assessing threats and vulnerabilities related to the department’s assets only which narrows risk mitigation and exposes the rest of business to wide range of risks and uncertainties. However, risk practitioners should consider the overall business scope and extends the risk assessment to all the entities, processes and projects supported by IT division as well as external suppliers. Risk practitioner should also study previous incidents and proactively act to prevent similar incidents from occurring in future by implementing appropriate mitigation controls, and so not underestimating any potential risk.

Another key factor in establishing an effective risk alignment is setting up communication channels with top management to facilitate assessing business goals, strategies, priorities and decisions toward embracing emerging technologies, assuring regulatory compliance and covering the overall enterprise end-to-end. Moreover, Risk practitioners should be involved in assessing potential risks related to strategic and confidential plans which produce major impacts such as acquisitions, mergers, changing markets and staff reduction in order to put in place adequate and effective mitigation plans.

One of the best approaches in aligning risks with business objectives is implementing information security frameworks, risk management methodologies and standards such as
Such practices advocate for holistic approach in managing information security and associated risks and provide an assurance in achieving business objectives and thus ensuring risk alignment with business goals.

Conclusions

Risk management focuses on constant understanding, alignment and securing the organization’s strategies and objectives by promoting the adequate security controls. Moreover, associated risks can be sometimes overlooked in favor of pursuing opportunities that meet organization’s goals.

Risk practitioners should continually and intelligently advertise and over time cultivate risk culture into people’s mindset, and integrate risk management activities and practices into the overall business strategies and processes.

By admitting that risks impacting the organization can be originated either from the technology in use, the people operating this technology, or from the applied processes; failing to integrate these main sources of risk into the risk profile inevitably puts the organization in great danger.

Sunday, May 1, 2016

Enterprise Architecture

Introduction


Enterprise Architecture (EA) is the process of developing enterprise IT architecture’s description and implementation. The description focuses on a holistic and integrated view of the why, where, and who uses IT systems, how and what they are used for within an organization. The implementation develops the strategy and enables the decisions for designing, developing, and deploying IT systems to support the business operations as well as to assess, select, and integrate the technology into the organization’s infrastructure.

EA main components

Enterprise Architecture is the unifying logic for an organization core business processes and IT capabilities captured in a set of main correlated architectural modules such as
  • Business Architecture which covers the organization’s structure, objectives, processes, roles and projects;
  • Application Architecture which includes applications and interactions in between; 
  • Data Architecture which handles data, data flows and data access;
  • Technical Architecture which consist of hardware, software, systems, networks and IT platforms.
An IT system is composed by software and hardware, while the software includes programs, libraries and data which are translated into operating systems, drivers, APIs, applications and databases...etc., the hardware is the physical parts that forms a computer (e.g. motherboard, CPU, monitor, hard disk, memory...etc.).

An operating system (OS) such as OS X, Linux, Windows, Android and iOS is a component of system software that manages computer hardware and software resources and provides common services for computer programs which usually require an operating system to execute and operate on top of it.

A network such as the Internet allows computers (as network nodes) to exchange data via network devices (e.g. interfaces, switches, routers, firewalls), over communication links and mediums (i.e. cable or wireless), laid out following specific topologies (e.g. line, ring, star, mesh), which is geographically scaled (e.g. using LAN, MAN or WAN), carried out using certain protocols (i.e. TCP/IP) and caries various applications (e.g. web, email, audio and video).

An IT platform is a collection of physical or virtual resources (e.g. servers, storage, networks) that supports an overall IT environment established to capture, generate, process, transmit, present and store information. The IT platform can be formed within a single mainframe, or composed by several resources unified altogether as a single entity (e.g. middleware) in a centralized location (e.g. datacenter), or formed by decentralized components remotely interconnected (e.g. cloud computing or platform as a service).

IT platform hosts wide range of business applications such as
  • Enterprise Resource Planning (ERP), 
  • Customer Relationship Management (CRM); 
  • Human Resource Management (HRM); and 
  • Project management. 
These applications can be internally accessible within the organization premises, or externally reachable using VPN connections from users using various endpoint devices such as PCs, laptops, tablets or smartphones.

Energy related supplies and utilities such as power supply, power generators, UPS (Uninterruptible Power Supply), HVAC (Heating, Ventilating, and Air Conditioning) and air purifying are critical auxiliary assets that support the overall IT infrastructure.

Challenges in maintaining EA

Enterprise Architecture is a quarter-century concept created to align with business objectives to tackle the increasing complexity of IT systems on top of following traditional issues:
  • Lack of support and commitment from stakeholders
  • Absence of communication channels, reporting and awareness;
  • Shortage of skilled and experienced talented;
  • Incompatibility of outdated standards;
  • Inapplicability of available frameworks; 
  • Nonexistence of measurement and performance metrics…etc.
Even though, the same old issues still persist today and enlarged by the accelerating pace of emerging technologies, alignment between business and IT, besides the required talent, cost and time to put in place such concept represent the organization’s top issues in establishing a mature Enterprise Architecture.

Enterprise Architecture is often wrongfully translated to the practice of documenting the organization’s IT infrastructure and spending all the efforts applying a framework instead of solving real problems, and carrying out business changes by constantly transforming organization’s structure and behavior within a complex environment.

An Enterprise Architecture can be exposed to wide range of risks such as for instance
  • Obsolete hardware or software;
  • Equipment or application failure or malfunction;
  • Non-redundancy of services or links;
  • Unpatched vulnerabilities;
  • Misconfigured devices or settings;
  • Unlogged and untraced events;
  • Default security passwords; 
  • Poor network cabling;
  • Wireless signal interference;
  • Unprotected wireless access points;
  • Power outages;
  • Poor maintenance or maintenance fault; and 
  • Unsecured facilities...etc.
Since the IT system of an Enterprise Architecture is an interrelated set of components connected to each other; an adverse risk related to an IT subsystem can disturb the overall IT system. Hence, the risk assessment of the entire system should be established by assessing the threats, vulnerabilities and impacts related to each subsystem and component.

EA frameworks

An Enterprise Architecture Framework describes how to build and use an Enterprise Architecture by providing a set of principles, practices and tools to manage the complexity and scalability of IT systems and producing valuable description documentation.

There are countless Enterprise Architecture frameworks, some of them focus on modeling existing organization infrastructure, others focus on solving business issues. While some of the frameworks are proprietary, others are open source, certain frameworks were developed by either specialized groups, government or defense organizations. Below some of leading methodologies
As these frameworks very different in their nature and approach; the appropriate framework should be selected and used based on the organization’s criteria.

Conclusions

Enterprise Architecture is a conceptual blueprint for business processes and IT system that defines the structure and operation of an organization which intended to determine the most effective ways to achieve the current and future objectives.

The Enterprise Architecture can be seen as the well-defined set of practices for conducing organization’s mission in achieving its strategic objectives, improving decision making, adapting to market trends, creating value and realizing benefits while maintaining optimal levels of risks and use of resources.

In regard to risk management, Enterprise Architecture contributes to reduction of business risks from system failures, security breaches and reduces project delivery risks.