Source: c.ymcdn.com, 2011-11-11


Using Frameworks For GRC Productivity

Presented By: Gary Sheehan, CISSP, HISP

Advanced Server Management Group, Inc.

Introduction

Gary Sheehan, CISSP, HISP
Director, GRC Services
Advanced Server Management Group, Inc.
925 Euclid Avenue
Suite 1510
Cleveland, Ohio
gsheehan@asmgi.com
216.255.3056

Copyright © 2010 Advanced Server Management Group, Inc.

Abstract

Regulations, compliance requirements, internal controls, contractual requirements and risk put pressure on an organization from every direction. Even more confusing, governance, risk management, compliance and security are all terms used by various departments and at various levels within an organization. Though their meanings are somewhat consistent across an organization, the communication and implementation of solutions that address these specific concerns are often inconsistent and incomplete.

Failure to implement efficient and effective policies, processes and technologies can threaten the reputation of your corporate brand and the overall success of your organization.

Agenda

• Why?
• What is GRC
• Using Frameworks
• Summary
• Q/A

"The most efficient and effective way to deal with the ever-growing array of regulations and compliance requirements is to establish a framework of consistent internal controls."

The Association for Accountants & Financial Professionals in Business, 2009

Definitions

• Governance — The process by which policies are set and decision making is executed.

• Risk Management — The process for addressing risk with a balance of mitigation through the application of controls, transfer through insurance and acceptance through governance mechanisms.

• Compliance — The process of adherence to policies, requirements and decisions. Includes both voluntary and mandatory requirements.

• Internal Controls — Policies, procedures, practices and organizational structures put in place to reduce risks and provide reasonable assurance that an organization's business objectives will be achieved and undesired events will be prevented, or detected and corrected.

Why?

• Today's Top Issues for IT
  – Providing Value to the Organization
  – Next-Gen / Mobile / Smart Devices and Tablets
  – Social Media / Social Business
  – Cloud Computing
  – Consumerization of IT
  – Dealing with Big Data (Variety, Volume and Velocity)

2011 CIO Magazine

Why?

"IT must either start partnering with business leaders to lead the organization and evolve the organization, or become a commoditized utility while the business figures out the moves on their own."

10/02/2011 - http://www.zdnet.com/blog/hinchcliffe/the-big-five-it-trends-of-the-next-half-decade-mobile-social-cloud-consumerization-and-big-data/1811

Why?

"There's a sizable gap between what IT departments are doing and what companies -- and presumably the CIOs who participated in this survey -- think they ought to be doing."

07/2010 Survey – Deloitte – 1,000 IT Executives

Why?

• 33% viewed as stewards
• Over 50% enabling growth & enhancing productivity
• 33% should offer a competitive advantage
• Only 10% responded that the CIO should be a "revolutionary"
• Over 50% of IT executives want to be viewed as strategists or revolutionaries.

07/2010 Survey – Deloitte – 1,000 IT Executives

Why?

IT Strategist: Identifies a problem and comes up with a technological solution.

IT Revolutionary: Understands the goals of the organization and uses technology to create new revenue streams or radical new ways to deliver services.

Matt Law and Suketu Gandhi, Deloitte Principals
07/2010 Survey – Deloitte – 1,000 IT Executives

Why?

IT Strategist: Saves money on paper and ink by using electronic receipts instead of printed ones.

IT Revolutionary: Electronic receipts tied to company's customer loyalty program, analyze their buying behavior, emails savings, & lures customers into the company's social media networks.

Matt Law and Suketu Gandhi, Deloitte Principals
07/2010 Survey – Deloitte – 1,000 IT Executives

Why?

• www.securitynewsportal.com
• www.ssnbreach.org
• www.adamdodge.com/esi/
• www.attrition.org
• www.infosecnews.org
• www.privacyrights.org
• www.darkreading.com/index.jhtml

478 reported breaches affecting over 30,301,437 records.

Why?

40% of the reported breaches could not estimate how many personal records were compromised!

Why?

Key Business Benefits Include:

• Supports organizational integration of executive and staff agendas through effective governance
• Promotes the understanding of enterprise risk in terms of dollar-value and corporate brand impact
• Facilitates prioritizing IT initiatives based on risk level and business value
• Can reduce costs
• Can help create additional revenue opportunities

Aberdeen Group

Why – Five Years Ago

• Business recognizes little value from IT investments
• Too much risk for the return we are getting
• Slow decision making
• Project overruns and delays
• Lack of stability, availability, protection and recoverability
• Compliance surprises
• Resource waste - inefficient
• Working within silos

What is GRC?

[Diagram: Governance, Risk, Compliance, Security and Performance. Where does one begin?]

What is GRC?

GRC is a system of people, processes and technology that enables an organization to:

• use an integrated approach to complete activities related to governance, risk management and compliance -- and --
• achieve business objectives while minimizing risk and protecting asset value.

Based on a 2010 Open Compliance & Ethics Group (OCEG) definition of GRC

What is GRC?

There are two ways to describe GRC.

IT: Governance, Risk and Compliance

Business: Guard Assets, Revenue Enhancement, Cost Reductions

What is GRC?

Phases:

• Education
• Communication
• Documentation
• Platform / Application
• Measurement

[Cartoon: "What have you done lately to enhance our strategy into the next adjacency and increase our competitive advantage?" / "Everything!" / "Excellent! I don't know what that means."]

What is GRC?

Education:

• Education breeds Documentation
• Documentation breeds Awareness
• Awareness breeds Interest
• Interest breeds Confidence
• Confidence breeds Action
• Action breeds Ownership
• Ownership breeds Accountability
• Accountability breeds Governance
• Governance breeds Compliance
• Compliance breeds Risk Reduction
• Less Risk breeds Better Security

What is GRC?

Communication:

Keys to Success
• Cultural change
• Top down approach
• Integration & collaboration
• Concentrate on
  – People … then
  – Process … then
  – Technology

It's Not Impossible

What is GRC?

Communication:

• Assemble an IT GRC Steering Committee
• Define what IT GRC means to your organization.
• Survey your organization's compliance landscape, governance posture and risk environment.
• Determine the most logical entry point and develop a phased approach.
• Establish a clear business case, considering both short-term and long-term value.
• Determine how success will be measured.


What is GRC?

Documentation

Documentation is considered to be a critical business asset in a GRC environment.

• Breeds awareness
• Provides direction
• Provides proof
• Connects strategy to tactical
• Subject to PDCA (continuous improvement)

What is GRC?

Platform & Measurement

Automation Opportunity
• e-GRC and focus on business process workflow
• IT-GRC and focus on business process integration

Measurement
• Metrics are key elements in either purchase.

Using Frameworks for GRC

[Diagram: Governance, Risk, Compliance, Security and Performance. Where does one begin?]

Using Frameworks for GRC

A framework is a structure for documenting, implementing and improving a set of concepts, processes, methods, technologies, standards, procedures and cultural changes necessary for a complete product.

Using Frameworks for GRC

Business Governance: Compliance & Governance
Business Performance: Performance & Governance
Information Technology Governance: Compliance, Governance, Business Alignment
Information Technology Services: Business Alignment, Performance, Governance
Security Services: Business Alignment, Security, Compliance

Using Frameworks for GRC

Frameworks help achieve your business objectives by improving your governance of IT services, infrastructure, and security.

[Diagram, top to bottom]
Business Goals: Growth, Cost Reductions, Efficiency, Productivity, Quality, Accountability…
Compliance (Voluntary / Mandatory): SOX, GLBA, PCI, HIPAA, FISMA…; Policies, Contracts
Corporate Governance
IT Governance
Systems, Applications, Infrastructure, Data Management

The Value Of Frameworks

Frameworks help achieve your business objectives by improving your governance of IT services, infrastructure, and security.

[Diagram, top to bottom, with the frameworks that apply to each layer]
Business Goals: Growth, Cost Reductions, Efficiency, Productivity, Quality, Accountability…
Compliance (Voluntary / Mandatory): SOX, GLBA, PCI, HIPAA, FISMA…; Policies, Contracts
Corporate Governance: COSO, Balanced Scorecard
IT Governance: COBIT
IT Service Management: ISO 20000 / ITIL
Security Management: ISO 27001-2 / NIST
Systems, Applications, Infrastructure, Data Management

The Value Of Frameworks

ISO 27001-2 (ISO/IEC 27002)

• Initiating, implementing, maintaining, and improving information security management in an organization.
• Risk-based assessments.
• Focuses on implementing internal controls to reduce risk and enable an organization to meet its business goals and objectives.

The Value Of Frameworks

ISO 27001-2

• Mapping (voluntary & mandatory requirements)
• Helps to establish governance & compliance
• Can be partnered with an established risk methodology
• Plays well with COBIT, COSO, ITIL and performance frameworks
• Promotes best practices
• Internationally tested & accepted
• Holistic approach to security that promotes business efficiencies and/or improvements

The Value Of Frameworks

ISO 20001-2

• Internationally recognized Service Management certification and standard
  – ISO 20000 Part 1 – Formal Specification
  – ISO 20000 Part 2 – Code of Practice
• Only concerns itself with the processes, policies, documentation, roles and responsibilities associated with service delivery and service support.

The Value Of Frameworks

ISO 20001-2

• Represents an industry consensus on quality standards for IT service management processes.
• Designed to ensure professional and cost-effective customer service where risks are understood and managed.
• The best possible service to meet a customer's business needs within agreed resource levels
• Focuses on IT governance and compliance

The Value Of Frameworks

COBIT

• COBIT is a widely accepted IT governance framework that emphasizes IT regulatory compliance.
• Helps organizations to increase the value attained from IT.
• Enables business alignment to IT resources by allowing managers a means to associate control requirements, technical issues, value and business risks.

The Value Of Frameworks

COBIT

• Provides a toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.
• The business orientation of COBIT consists of linking business goals to IT goals.
• COBIT provides metrics and maturity models to measure achievement.
• COBIT identifies the related responsibilities of business and IT process owners.

Using Frameworks For GRC Productivity

• Why?
• What is GRC
• Using Frameworks

Summary


Questions & Answers

Get Replies or Confirmation

gsheehan@asmgi.com