According to Matt Loeb, ISACA's Global CEO, this visit to China has three purposes: first, to work with relevant Chinese government departments, industries and partners to improve the level of information technology; second, to build professional communities that support the continuing education of Chinese professional and technical personnel; and third, to support higher education in cultivating the next generation of professionals.
On information security audit, Matt Loeb said that because of technological change, both the way and the frequency of information system audits will change: IT audit and risk assessment will be carried out more often, and professional IT auditors and related resources will become scarcer. For enterprise business, IT audit work will become more and more important, and people will look at risk from a more positive perspective.
More and more enterprises have realized that a security threat is not only a technology problem, but also a matter of the enterprise's reputation and its partners' confidence.
At the same time, regarding future trends, Matt Loeb believes that the connection between network security and IT audit will become ever closer. spoto isaca certifications once conducted a survey showing that more than 60% of IT audit professionals believe that network security is also part of their work. All IT audit professionals should invest time and energy in understanding network security issues, and people engaged in network security will also come back to learn IT audit, because it is very important for technical control. This also shows that in the early stage of coping with network security challenges, we need to be familiar with both bodies of knowledge: security and audit.
In addition, Tim Mason, chief marketing officer of ISACA, said at the opening of the conference that at its establishment ISACA focused on "information technology audit" and "risk management", and gradually began to focus on "information security management" and "IT governance". In 2015 it launched the Cyberspace Security Nexus (CSX). He also restated ISACA's goal of "helping you realize the positive potential brought by technology" and its commitment to "building confidence, technology brings innovation". So, getting ISACA's certifications is very necessary.
After that, ISACA announced that it had reached a strategic cooperation with GooAnn, authorizing it as the only "gold partner" in China to jointly promote ISACA's body of knowledge, and held a signing ceremony on the spot, which became the focus of the whole audience.
Chen Wei, CTO of GooAnn, said after the meeting that while GooAnn was actively participating in the practice of domestic information security and IT management and control, it was also concerned with introducing international IT risk control theories and methods. For this strategic cooperation with ISACA, on the one hand, amid the surging wave of "Internet+" practices, we introduce the world's advanced IT risk management and control concepts and methods to guide the healthy development of domestic enterprises' informatization; on the other hand, we should sum up and refine the experience of Chinese IT risk management by strengthening international cooperation, so that future international IT management and control standards and best practices carry a "voice from China".
At the meeting, Mr. Chen Wei also gave a talk on "IT Risk Management in the Internet Plus Environment".
Mr. Chen said that with the advent of the "Internet +" era, information technology has not only become one of the five pillars of an enterprise, as important to it as strategy, organizational structure, business process and performance evaluation, but has also gradually become an important source of power for enterprise innovation. How to enhance IT risk control capability while effectively supporting business innovation has become an important part of enterprise management. At present, domestic enterprise informatization has gradually entered a transition period from the large-scale construction of infrastructure and application systems to construction and control. In this period, the emphasis of informatization should gradually shift to the following: on the basis of ensuring the safe operation of IT infrastructure and IT services, integrating and developing information resources, responding rapidly to customer needs, improving application level and service quality, supporting product and service innovation, and maximizing the business value of the organization.
However, because the information security and IT management and control capabilities of domestic enterprises in this transition period fall far short of actual requirements, some common problems remain: an imperfect information technology governance structure and insufficient ability of IT to support business development and innovation; core technology controlled by others and weak capability for independent control; weak disaster recovery capability of information systems and an imperfect business continuity management mechanism; and low ability to resist major network attacks, with security awareness and skills in need of improvement. If these problems cannot be solved properly, they will become a bottleneck restricting the development of enterprises.
Another highlight of "leaving for China" was that ISACA awarded the "Chairman's Special Contribution Award" to China Construction Bank (CCB) in recognition of its outstanding achievements in the practice of information security and IT risk management and control.
In the following sharing session, Mr. Jin introduced CCB's research results and practice in "the construction of the information security management system of commercial banks" to the guests. The main highlights are attached at the end of the article.
Liu Hanxi, general manager of the Information Technology Department of Guosen Securities, also talked about Guosen Securities' understanding of IT risk control and its own practice in this area.
Mr. Liu said that for the securities industry, "operational risk" is a common risk event. It includes immature and non-standard processes, cross-checking and post-audit, as well as the separation wall between business and technology, and between development and operation. At the same time, in terms of business continuity, the volatility of the market and the effectiveness of transactions determine the lifeblood of a securities company's business continuity. Program trading and high-frequency trading risks can very easily trigger market fluctuations and may have a huge impact on the market.
In terms of its own practice, Guosen Securities' measures include: compliance control; a multi-level organizational control system (the company president serves as director of the IT Planning Committee, and IT backbone staff and main business leaders are members of the Committee); standardization (the first CMMI Level 3 certification in the industry in 10 years, ISO 20000 certification audits passed many times since 12 years, and attention to the construction of the isolation wall, etc.); improved IT infrastructure and architecture management and control (completion of a high-level "three centers in two places" data center, hot standby of the core system, a standby disaster recovery system, and attention to capacity management and adjustment to cope with sky-high trading volumes); an information security defense system; real-time IT system risk monitoring (based on business and system risk points) and regular risk assessment; emergency system construction, management and adjustment; internal and external IT audit; and a continuous shift from IT risk control to people-centered control.
At the end of the article, the main highlights of the construction of China Construction Bank's information security management system are attached:
The deep integration of financial business and technology makes the business more and more dependent on systems, and the systems more and more complex. The risk of applying new technology also needs attention: it increases the difficulty of defense and also leads to risk transmission to related institutions.
In terms of information security strategy, CCB has its own information security management system, comprising an organization management system, a security system, a security technology system, an audit supervision system and a continuous optimization system.
In constructing its information security management organization system, CCB divides it into "three levels" and "three lines of defense".
There are three levels:
Board of directors: responsible for formulating the IT risk management strategy of the whole bank and regularly hearing IT risk management reports of the whole bank, under the supervision of the board of supervisors;
Senior management: responsible for defining internal information security management responsibilities and making major information security management decisions;
All departments of the head office and branches at all levels: the executive level of information security management, specifically implementing the bank-wide information security management strategy and decisions.
The corresponding three lines of defense are:
First line of defense: operation and implementation. It includes the business application departments of important information systems, and the information technology management departments of all centers and branches under the jurisdiction of the Information Technology Management Department;
Second line of defense: risk management. This comprises the departments responsible for information security management and business continuity management, and the back-office departments responsible for IT human resources and financial management, IT compliance management, information standards management, IT supplier management, computer room environment management, security and other duties. At the same time, "strengthening the professional ability of the second line of defense" is one of CCB's key tasks in the near term;
Third line of defense: audit supervision. A dual-line reporting mechanism for technology risk is established, in which the general manager of the Information Technology Management Department reports the information security management situation to both the president in charge of information technology and the chief risk officer.
In terms of the construction of the security system, it mainly includes a "risk-oriented system construction mechanism" and a "specialized system transmission mechanism" (including basic security education for all employees, technicians, security personnel and management personnel, compilation of special training materials, etc.). The overall framework of the system covers five major areas of technology management: risk awareness, risk control, development and construction, operation and maintenance, and comprehensive technology management (subdivided into cooperation management, compliance management, and human and property management).
What is more distinctive is that, at the level of the security technology system, CCB proposed to implement the requirements of the hierarchical protection system, build a comprehensive security technology protection model, put forward the concept of "security as a service", and build a "new generation security architecture" through componentization to realize a business-oriented security management control model.
CCB's new generation security architecture model implements the principle of "business development oriented" security management and control, uses common security technologies, security products and complete security function modules to realize flexible deployment, balances security and customer experience, and realizes related security strategies covering the whole business process from the business perspective and the transaction process.
CCB's "new generation" security components have supported the massive transactions of tens of millions of users and greatly improved risk monitoring capability. In 2015, they actively intercepted tens of thousands of risky transactions, with a cumulative amount of money.
In terms of the audit supervision system and the continuous optimization system, we should strengthen the specialization of the audit team, the standardization of the audit system and comprehensive audit coverage; continuously improve the supervision and management system; build databases of domestic and foreign regulations, industry standards, in-house rules, information technology risks and audit problem rectification; track regulatory requirements and industry standards; and, while effectively identifying IT risks, systematically organize rectification management and carry out system reviews regularly.
Finally, on "exploration and prospects", for continuously improving the information security management system, Mr. Jin said that they would strengthen the construction of a (cross-channel) trusted system, improve the social cooperation mechanism, strengthen the application of new technologies, improve the third-party risk prevention and control system (establishing a third-party access mechanism using PCI and other business data security standards), and further strengthen information security management.