Développer une culture de la gestion des risques
Avec l’évolution du numérique se développent naturellement de nouvelles menaces, et les groupes de cyber-criminels se multiplient et perfectionnent leurs techniques de piratage. Vol de données, actes frauduleux, déstabilisations, selon la Commission européenne, 80 % des entreprises de la zone ont été touchées au moins une fois par des cyber-attaques depuis 2016. Or, les organisations ne mesurent pas toujours l’ampleur du danger que représente une cyber-attaque. La culture de la gestion des risques n’y progresse seulement qu’à l’occasion d’une confrontation douloureuse ou coûteuse avec une attaque.
Ce fut le cas du NHS (National Health Service) au Royaume Uni l’année dernière. L’organisation publique possédait des dizaines de milliers d’ordinateurs tournant sous Windows XP qui n’étaient plus maintenus par Microsoft, et ne bénéficiaient donc pas de mises à jour. C’est cette faille que les attaquants ont exploitée, impactant ainsi cinquante hôpitaux qui ne pouvaient plus accéder à leurs applications de gestion des historiques médicaux, et ne pouvaient donc plus réaliser aucune opération médicale et chirurgicale pendant plusieurs jours. NHS ne fut pas la seule victime de Wannacry : Vodafone, FedEx, Renault, Telefónica, le ministère de l'Intérieur russe ou encore la Deutsche Bahn s’en souviennent encore…
Les organisations sont encore trop vulnérables aux cyber-attaques
Toutes les applications et systèmes d’exploitation comportent des failles qui ne sont pas toujours réparées à temps par les éditeurs, et encore trop d’organisations ne mettent pas à jour suffisamment régulièrement leurs systèmes et logiciels. Ce sont ces vulnérabilités qu’exploitent les cyberpirates. Ils utilisent notamment la technique du phishing, qui consiste à usurper une identité via l’envoi d’emails frauduleux pour dérober des données ou de l’argent, et provoquer des incidents ou interruptions opérationnelles.
Si les DSI connaissent bien ces risques, pourquoi peinent-elles encore à déployer des programmes de gestions des risques IT ? Parce que les mises à jour nécessitent une préparation longue et consommatrice de ressources – une faille peut donc perdurer pendant plusieurs mois avant d’être corrigée. Mais aussi parce que le rythme de performance imposé par les directions générales étant court-termistes, ils s’opposent aux déploiements de politiques de sécurité qui nécessitent des investissements et qui ne sont profitables qu’à moyen et long terme. La sécurité est donc trop souvent vue comme un centre de coûts et non comme un centre de profits. Transformer la DSI en centre de profits Et pourtant, après Wannacry, combien les organisations ont-elles dépensé en frais d’enquêtes techniques, en honoraires d’avocats, en primes d’assurance. Quelles ont été leurs coûts non-quantifiables en termes d’interruptions d’activité et de perte de confiance de leurs clients ? Et combien d’efforts et de ressources ont-elles dédié à la sécurisation des données clients, à la mise en conformité réglementaire (notamment avec l’entrée en vigueur du RGPD le mois dernier) ainsi qu’à l’amélioration des dispositifs de cyber-sécurité ? Si les entreprises victimes de Wannacry n’ont évidemment pas révélé son coût total, les conséquences restent tout de même présentes.
Avec l’idée de tirer des leçons de cette attaque, les entreprises (déjà victimes ou même futures victimes) devraient se préparer à contrecarrer la prochaine attaque, ceci en réduisant les failles exploitables par les assaillants mais aussi en minimisant l’impact d’une telle attaque sur l’entreprise entière.
Avant de réduire les failles en question, il faut d’abord les identifier : construire un catalogue référençant tout le parc applicatif et les technologies qui les sous-tendent afin de gérer leur obsolescence et leurs risques est un bon point de départ. A la suite de cette identification, la DSI peut soit migrer les technologies obsolètes vers de nouvelles versions plus sécurisées, soit retirer de la circulation des systèmes applicatifs dangereux pour les redévelopper ou sinon déclarer et gérer le risque de continuer l’utilisation de technologies obsolètes.
Une fois les failles identifiées et adressées, il sera alors nécessaire d’analyser l’impact potentiel des applications rendues indisponibles par une attaque. Ceci est rendu possible par une analyse des processus et des fonctions de l’entreprise qui comptent sur les applications affectées. La minimisation de cet impact peut être représentée par la mise en place d’un plan d’urgence.
Si vous voulez en savoir plus sur la gestion du portefeuille applicatif dont et la maîtrise des risques liés à l’obsolescence technologique, téléchargez notre livre blanc « Trois étapes pour créer de la valeur métier grâce à la gestion du portefeuille applicatif » !
... View more
What is the Newlywed Game?
It was a TV game show that first aired in the 1960’s where newly married couples would be pitted against each other in a series of revealing question rounds to determine how well the spouses knew each other: if both spouses gave the same answer to the same question, then they won the round. The show became famous for some of the arguments that couples had over incorrect answers in the form of mistaken predictions, and it even led to some divorces.
How does it relate to an Organization?
Any organization has a certain culture and values that, in turn, steer its attitude to risk taking. Ensuring all parts of the organization abide to this risk culture is called Risk Assurance and is usually performed by Internal Audit reporting to the organization’s board. Internal Auditors usually would be the last line of defence in a series of 3. The other 2 are Controllers (1 st line as operational) and Risk Managers (2 nd line). Applying the Newlywed principle, the risks are the questions, the Risk Managers and Controllers are the spouses and the Internal Auditors are the game show host.
What do Internal Auditors usually do?
An Internal Audit Director’s job is to provide assurance to the board that the organization’s risks are managed in line with its risk attitude. In order to do so, Internal Audit has to (obviously) audit the parts of the organization less likely to abide to this risk attitude and report Findings and Recommendations to the Board. When planning Audit missions, the difficulty lies in choosing the Risks to include in the next Audit scope.
Why would Internal Audit use the Newlywed Game?
Let’s draw a parallel between the newlyweds and the 1 st & 2 nd line of defence of our organization: a marriage (or an organization) is only going to work if both spouses (Controls & Risks) communicate and are aligned with each other. If the answers to important questions regarding your marriage (organization) are different from one spouse to another (between risk managers and controllers), then we may want to have a closer look at the potential issues behind the differing answers. This kind of dichotomy between 1 st & 2 nd line of defence could be a clear marker for including the concerned risk in the next Audit scope.
How would Internal Audit use the Newlywed Game to determine scope of Audits?
When planning a Risk Based Internal Audit (RBIA), an Audit Director would have to consider which risks to audit next. Looking at a list of the risks applying to his Organization is only a starting point.
The Audit Director could then look at the answers of controllers and risk managers regarding these risks. Differing answers could raise the alarm and indicate an audit of the concerned risk is necessary.
Missing risk target (spouse 1): Risk managers are to handle assessment of Risks and set the risk appetite, reflected by a Risk Target. If the Net Risk rating does not match with the Target Risk rating desired, it would indicate that the concerned risk should be audited as risk management does not achieve the risk goals set by the board.
Ineffective Controls (spouse 2): Internal Controllers are to ensure Controls mitigating risks are designed and executed. Controls then get tested and receive a pass or fail regarding their effectiveness. Any Controls deemed ineffective means it does not contribute to reducing the risks it is meant to mitigate and its Control Level is set as Weak.
The difference between the answers regarding Risk ratings and their mitigating Controls’ effectiveness is like comparing both spouse’s answers on the newlywed game: risk managers could say that everything is mitigated effectively while controllers have very little confidence in the control measures. An Audit Director would be choosing the risks that seem to achieve their target at first but have been found to have very weak mitigating Controls.
So the following 2 scenarios from the Newlywed Game can help Internal Audit prioritize risks for their RBIA:
Risk Target is reached but the Controls are weak. The spouses’ answers do not match.
Risk Target is not reached but the Controls are strong. The spouses’ answers do not match.
A third scenario could present itself. Similar to when both spouses can have arguments but pretend everything is fine in front of the cameras during our Newlywed Game, Incidents could still take place without Risk Managers or Controllers contradicting each other.
How can Internal Auditors implement their own version of the Newlywed Game?
In many organizations, all 3 lines of defence tend to work with different tools on different registers and sometimes at odds with each other. Internal Auditors being the last line of defence, they need to ensure they have access to the most accurate and up-to-date information regarding the Risks they are to audit. Building a Risk Assurance Dashboard (available in our next version of HOPEX Internal Audit) featuring a health summary of the Risk (Net vs Target, Control Levels, Incidents) would help the Audit Director quickly identify those high priority Risks and include them in their next audit. To come back to our Newlywed Game, the point of the game is to reveal both spouses’ answers to the questions to find out if the couple has won. If Risk Managers and Controllers do not reveal their assessment of the Risks, Internal Audit is unable to concentrate on auditing the right Risks and the organization loses.
... View more
What is GDPR?
It is an EU regulation coming into force on 25th May 2018. It gives to all people living in EU the status of data subjects, entitling them to a wide array of rights that can be enforced against organisations that process personal data. These rights may limit the ability of organisations to lawfully process the personal data of data subjects, and in some cases these rights can have a significant impact upon an organisation's business model.
Does it apply to Santa’s North Pole organisation?
Santa’s list contains the names of all the EU children thus counting them as Data Subjects. The list also contains personal data such as addresses, ages and gift preferences. Combining this with all the knowledge he has on every EU child (remember that he knows when you’ve been good or bad), GDPR would definitely applies to his North Pole organisation.
What parts of GDPR apply to Santa?
Let’s take a fictional EU child: Little Johnny. Little Johnny as a EU citizen enjoys GDPR rights. There are several scenarios where Little Johnny can have a say in how his personal data is handled by Santa…
Parental consent for processing children’s personal data: Little Johnny cannot provide consent to data processing without his parents’ authorization. Even though Little Johnny is enthusiastically willing to receive his Christmas surprise Santa will need to ask his parents’ authorization to contact him.
Right to basic information: before collecting any other piece of information on Little Johnny, Santa would have to let him know what it is going to be used for. In our case, profiling to find out if Johnny has been naughty or nice.
Right to not be evaluated on the basis of automated processing: Santa has to find out who on his list has been naughty or nice. However, Little Johnny’s parents have a right to say in this regard, hence preventing Santa from reaching his final goal… and thus destroying his whole business model!
On top of the above scenarios putting a dampener on Santa’s business model, there are other rights that Santa and his IT department would have to comply with:
Identifying Data Subjects: checking that whomever is asking for their personal data is who she/he says he is. You cannot let Little Johnny get access to his personal files without checking who he is first.
Right of Access: Little Johnny should have access to his personal data whenever he wishes to.
Right of rectification: if little Johnny’s age is wrong, he should be able to request to have it corrected.
Right to erasure: unfortunately, Little Johnny does not believe in Santa anymore and wishes to be forgotten by Santa and his elves. Johnny’s personal data, past toy requests and letters should be erased.
Right of Data Portability: Little Johnny still believes in Santa but would like to take a copy of the wish list he initially sent to the North Pole and recreate it with an online retailer. Just because if Santa does not bring it, grandma just might buy it!
Why should Santa be GDPR compliant?
Setting aside the reputational impact of non-compliance to Santa, the European Union regulators could fine Santa up to €20 million. Luckily for him, Santa is a non-profit organisation otherwise his fine would be 4% of his global turnover instead! The North Pole not being part of the EU does not exempt Santa from being compliant: remember, it is the EU citizenship of the children that gives them the status of Data Subjects. The criteria for GDPR is where the kids are from, not the location of the organisation. The consequences of non-compliance go beyond financial penalties: more secure data means it is less likely the Grinch will know exactly what to do to spoil Christmas for everyone!
How can Santa achieve GDPR compliance
So before the EU regulators comes to pay Santa and his IT elves a visit next May, what should they do? Their first step would be to take a look at the following white paper “6 Steps to GDPR Compliance-by-Design”. Developed in partnership between MEGA International and Gruppo Imperiali, it describes a 6-step methodology that might just help the elves assess, remediate and demonstrate the North Pole’s compliance to GDPR.
... View more
So why would the Federation of Planets use Enterprise Architecture?
Let’s pretend the Federation of Planets wants to reproduce the success of the Enterprise NCC 1701 (both the ship and its crew) and make sure future pilots are as good as Mr Sulu.
How does the Federation of Planets model the Enterprise’s Architecture?
They would need to describe:
What the different systems of the Enterprise are
How they work together to allow the ship to fly
What skills are required to operate the Enterprise
What steps need to be followed to fly and operate the ship (rather) safely
This is what we would normally refer to as the current state. If we were in an Enterprise Architecture, we would use Applications and various Hardware/Artifacts to describe things like Propellers, Energy Dampeners, Shields, Thrusters, Communication Array and (of course) Warp Core. Resource Architectures would then describe how all these components interact together and communicate with our operators and pilots aboard the Enterprise.
The skills required of the crew would become Business Functions and the steps they “should” be following would be described by Functional Processes: “Dock Spaceship to Starbase”, “Land Spaceship on Planet Surface”, “Calculate Coordinates”, etc…
What can the Federation do with the Enterprise’s Architecture?
The Federation wants to learn from but may not want to reproduce the Enterprise itself. It was, after all, built for exploration and the motivations of the Federation have often been forced to move into a military direction for their starships’ design. The Defiant (another ship from the Trek universe) was a war ship. Both ships, whatever their purpose, still need the right components, the skilled crew and the procedures to be flown successfully and safely. Hence the Defiant, both in its design and operation, can learn from the Enterprise on the what (skills/resources), who (what skills must the crew have) and the how (procedures) of space flight.
All the Resource Architectures, Interactions, Functional Processes and Business Functions put together are what makes a spaceship able to fly. The ability to fly in space can be renamed as "Space Flight" Capability.
Capabilities can be grouped together according to a certain motivation. In our example, the Federation wants to explore uncharted galaxies. An exploration ship would not only require Space Flight but additional capabilities like Star System Surveyance.
How can the Federation reuse Capabilities?
As previously stated, the Federation’s motivations are changed by an all-out war. Our Capability Map now changes from “Exploration” to “Military”.
What the Enterprise and the Defiant have in common is the “Space Flight Capability”.
While the Enterprise already possesses some military capabilities (like Target Set Destruction), these were only implemented for defensive purposes: ay military ship like the Defiant would need these for defensive AND offensive purposes. Filling this offensive gap would be the strategic priority of the Federation.
The Federation can design new ships, adapt defensive procedures to be offensive as well as train the crew in offensive tactics and manoeuvres. Our Enterprise can also be repurposed for offensive action later on…
So, can you fly this thing?
The short answer is “You kidding me, sir?”.
The long answer could be: “Not only can I fly this thing, I also possess the skills necessary to fly any Federation starship, be it built for exploration or for military purposes. And, with a bit of tinkering, I could even take out a Bird of Prey… or 2.”
Image poster Star Trek - Star Trek Toy
Image Star Trek ships images USS Defiant - Fan pop
... View more
Let’s pretend the good man works in supply chain and the cat is a customer. Our good man considers his customer to be the "retailers" of his organization's product. However, his neighbour, who works in Marketing, would consider his customers to be "consumers". Going through other parts of the organization, our customer changes names: "purchaser" in the wholesale department, "account" to accounts payable, "buyer" in FMCG…
Is the whole organisation talking about the same customer but with different names? Not necessarily. While a customer is defined as "someone who pays for goods or services", a consumer, on the other hand, is "a person who uses goods or services". So the customer pays for the goods or service while the consumer uses them. A consumer is not a customer.
On the other hand, “retailers”, “purchaser”, “accounts” and “buyer” could be synonyms of “customer” since they also pay for products or services without the idea of consuming them.
How can we make the difference?
By specifying the relationship a customer, or its many given names, has with goods and services. A consumer only uses the goods, a customer purchases them: the relationship is different.
A retailer is a customer purchasing products with the intention to resell them. The purchase of the products makes the retailer a customer but the intention to resell these products makes it a different customer. A retailer is still a customer, just a bit more special.
How do we manage it?
By building a business glossary. Using semantics, this glossary would describe consumer and customer as 2 separate terms. Purchaser, buyer and account would be featured as synonyms of customer. Retailer would be featured as a sub-type of customer. This would allow our good man to know the difference between his retailer as a special customer and his neighbour’s consumer. Any data modeller would recognise here that semantics form the basis for information architecture (or conceptual data modelling by any other name).
Why should we manage it?
As Customers and Consumers are not the same, they are not described in the same manner. The information required by a Marketing department to identify which Consumers to target will be different from the information Accounts Payable would require to collect payments for the goods or services a Customer would have purchased. One would be interested in demographic and interests while the other is more focused on payment details.
Specifying the different aspects of Consumers and Customers allows us to:
Define a structure to store the relevant data: our Marketing team needs to know where to find their Consumer’s records.
Specify how the information is used, transformed and communicated: our Accounts Payable team needs to identify which Customers have paid their invoices or hold overdue bills.
Manage access to the information: our Accounts Payable team may have access to the payment aspects of the Customer whereas only the Sales team can create and delete a Customer’s record.
So is a customer, after all, a customer?
A customer is NOT a consumer. A customer is a purchaser is a buyer is an account is a customer. And a retailer is a special customer.
... View more