Research on IT Risk Management Practice at a Telecom Operator
Abstract
With the wide application of information technology in enterprises, IT and business are increasingly integrated, and IT governance has quickly become the core of corporate governance and internal control. How to build a sound IT risk management mechanism and strengthen IT risk control capability has become an important issue that modern enterprises must face. The Sarbanes-Oxley Act established a very high standard of conduct for companies listed in the United States and specified many unprecedented responsibilities and corresponding penalties. W Group Company, listed in the United States, is one of the largest telecom operators in the world. To meet the requirements of the Sarbanes-Oxley Act and at the same time raise its level of IT control, W Group Company launched an IT risk management project.
On the basis of thorough investigation, and combining W Group Company's business development and management needs with reference to COBIT and other relevant standards, this thesis sorts out the process framework for W Group Company's IT control. On that basis it designs an IT risk control matrix for W Group Company, which identifies and assesses the risks present in its information systems, helps the enterprise handle major risks in time, and supports the selection of suitable control measures. Using the matrix to review each control point periodically and track it in real time makes the risk control workflow more regular and standardized, improves efficiency, eases risk monitoring, maximizes the impact of positive events and minimizes the impact of negative events. Finally, through analysis of the TOP TEN problems, concrete remediation recommendations are proposed for the key risk control points, making the remediation measures more complete and practicable. The research in this thesis focuses on the real problems enterprises face, has strong practical significance, and is a useful exploration of how telecom operators can raise their level of IT risk management.
With the widespread application of information technology in enterprises, IT and business are becoming ever more closely integrated, and IT governance plays a key role in corporate governance and internal control. A major task facing the modern enterprise is how to build a sound IT risk management mechanism and improve its ability to manage and control IT. The Sarbanes-Oxley Act established a very high standard of conduct for companies listed in the United States and specified many unprecedented responsibilities and corresponding penalties. As a company listed in the United States, W Group Company is one of the largest telecom operators in the world. To meet the requirements of the Sarbanes-Oxley Act and improve its level of IT control, W Group Company launched an IT risk management project.
Based on thorough investigation, this thesis organizes the IT control framework of W Group in light of the company's business development and management needs, with reference to relevant standards such as COBIT. On this basis, the IT risk control matrix of W Group was designed to identify and evaluate the current risks of its IT systems, helping the company handle major risks in time and choose the right control solutions. Regular risk evaluation and real-time control at each control point through the matrix contribute to the standardization of risk control and to improved efficiency, helping to control risk, increase the effect of positive events and reduce the effect of negative events. Finally, through analysis of the TOP TEN problems, recommendations for the key risk control points are proposed. The research in this thesis is based on the real problems enterprises face and is constructive and significant for improving IT risk management in telecom enterprises.