Avaliação dos riscos dos processos estratégicos da governança de TI

Pontes, Roberta Pinto Coelho Maciel

02 August 2018

Submitted by Sara Ribeiro (sara.ribeiro@ucb.br) on 2018-12-04T11:52:46Z No. of bitstreams: 1 RobertaPintoCoelhoMacielPontesDissertacao2018.pdf: 2813246 bytes, checksum: 08608fe7fab4d1e6d8702fc959fccecb (MD5) / Approved for entry into archive by Sara Ribeiro (sara.ribeiro@ucb.br) on 2018-12-04T11:52:57Z (GMT) No. of bitstreams: 1 RobertaPintoCoelhoMacielPontesDissertacao2018.pdf: 2813246 bytes, checksum: 08608fe7fab4d1e6d8702fc959fccecb (MD5) / Made available in DSpace on 2018-12-04T11:52:57Z (GMT). No. of bitstreams: 1 RobertaPintoCoelhoMacielPontesDissertacao2018.pdf: 2813246 bytes, checksum: 08608fe7fab4d1e6d8702fc959fccecb (MD5) Previous issue date: 2018-08-02 / The objective of this scientific research was to evaluate the strategic risks associated to IT Governance processes, using a specific method through which it was possible to measure the capability of these processes and to identify the associated risks, in an integrated way. The COBIT 5 PAM method was chosen to evaluate the processes and the scenario analysis tool was used to identify the risks. The method application was done in an institution and the processes selected for evaluation were the strategic level provided in COBIT 5, which composes the EMD domain. The risk identification was based on scenario analysis, using the results fixed in the PAM for capacity level 1 (in which the process is expected to fulfill its purpose) as an ideal scenario and as the actual scenario presented in the process evaluation. Aftering identified risks, they were submitted to a manager’s forum to be validated and prioritized. The result shows that the risk assessment method was efficient, as the risks were recognized by the managers. Also identified were the processes that need to be increased to mitigate the risks considered relevant were also identified. The direct association between processes, already evaluated in their capacities, and the resulting risks, already prioritized, allowed this simultaneous analysis. / O objetivo deste estudo foi avaliar os riscos estratégicos associados a processos de Governança de TI, utilizando um método próprio por intermédio do qual foi possível, de maneira integrada, mensurar a capacidade desses processos e levantar os riscos a eles associados. Foi escolhido o método PAM do COBIT 5 para avaliar os processos e utilizada a ferramenta análise de cenários para levantar os riscos. A aplicação do método foi feita numa instituição e os processos selecionados para avaliação foram os de nível estratégico previsto no COBIT 5, que compõe o domínio EMD. Já o levantamento dos riscos foi feito a partir de análise de cenário, utilizando como cenário ideal os resultados previstos no PAM para o nível de capacidade 1 (no qual está previsto que o processo cumpre a sua finalidade) e como cenário real aquele apresentado na avaliação do processo. Após os riscos levantados, eles foram submetidos a um fórum de gestores para serem validados e priorizados. O resultado demonstra que o método para levantamento de risco foi eficiente, na medida que os riscos foram reconhecidos pelos gestores. Foram também identificados os processos que precisam ser incrementados para mitigar os riscos considerados relevantes. A associação direta entre processos, já avaliados em suas capacidades, e os riscos decorrentes, já priorizados, permitiu esta análise simultânea.

Riscos de TI

Governança de TI

Avaliação de processos

Riscos estratégicos de TI

Process assessment

IT strategic risks

IT governance

IT risks

Управление информационными рисками на промышленных предприятиях : магистерская диссертация / Information Risk Management in Industrial Enterprises

Криницын, К. А., Krinitsyn, K. A.

January 2017

Магистерская работа состоит из введения, трех глав, заключения, списка литературы из 45 источников. Основное содержание изложено на 106 страницах, работа включает 12 таблиц, 12 рисунков и 2 приложения. Основное содержание работы. В первой главе «Сущность информационных рисков» определены основные понятия, связанные с управлением рисками, информационными технологиями, оценкой рисков. Описана классификация информационных рисков по различным критериям, рассмотрены общепринятые принятые методы анализа и управления рисками. Во второй главе «Роль информационных рисков в деятельности промышленных предприятий» проведен анализ тенденций развития информационных технологий на промышленных предприятиях, проведен анализ использования систем управления рисками на промышленных предприятиях. Так же в этой главе проведен анализ влияний информационных рисков на деятельность промышленных предприятий на примере ООО «ВИЗ-Сталь». В третьей главе определено понятие систему управления информационными рисками (СУИР) и предложено использовать ее в деятельности как основного элемента по минимизации влияния информационных рисков. Ключевым элементом для этой системы стала разработанная классификация информационных рисков. / The master's work consists of an introduction, three chapters, conclusion, a list of literature and 45 sources. The main content is set out on 106 pages, the work includes 12 tables, 12 drawings and 2 applications. The main content of the work. In the first chapter "The essence of information risks", the main concepts associated with risk management, information technology, risk assessment are defined. The classification of information risks by different criteria is described, generally accepted accepted methods of analysis and risk management are considered. In the second chapter, "The Role of Information Risks in the Activity of Industrial Enterprises," an analysis of trends in the development of information technology in industrial enterprises was conducted, an analysis was made of the use of risk management systems in industrial enterprises. Also in this chapter, an analysis of the effects of information risks on the activities of industrial enterprises on the example of OOO VIZ-Stal. In the third chapter, the concept of an information risk management system (ISIR) is defined and it is proposed to use it in the activity as the main element in minimizing the impact of information risks. A key element for this system was the developed classification of information risks.

MASTER'S THESIS

INFORMATION RISKS

MANAGEMENT

IT-RISKS

INFORMATION SYSTEMS

INFORMATION TECHNOLOGIES

RISK ANALYSIS

RISK MANAGEMENT METHODS

INFORMATION ASSETS

ANALYSIS OF INFLUENCE

ИНФОРМАЦИОННЫЕ РИСКИ

УПРАВЛЕНИЕ

IT-РИСКИ

АНАЛИЗ РИСКОВ

ИНФОРМАЦИОННЫЙ АКТИВ

АНАЛИЗ ВЛИЯНИЯ