FixNix InfoSec Solutions GRC Suite of 17 Products

Upload: fixnix-infosec-solutions-pvt-ltd

Post on 14-Jun-2015

Category: Software

DESCRIPTION

FixNix GRC suite

TRANSCRIPT

Page 1:

FixNix InfoSec Solutions GRC Suite of 17 Products

Page 2:

How does FixNix add value?

•Process Automation: By automating the compliance management processes, the organization dramatically reduces the time spent by staff members, line managers, and senior managers on risk and compliance related activities.

•Collaboration: Employees are able to carry out team activities productively in the collaborative environment that FixNix provides.

•Consistent Process: FixNix enforces a consistent process across the enterprise, eliminating deviations and errors and with them the cost and time associated with repeated processes and multiple checks.

•Resource Utilization: With the entire compliance process streamlined and automated with the FixNix solution, the organization can better utilize its resources.

•Comprehensive Visibility: The comprehensive visibility provided by FixNix lowers the risk of non-compliance, and executives can be assured of higher customer and investor confidence.

Page 3:

Challenges faced by industry in the compliance process

•Enable a federated organizational structure and leverage technology for sustainability, consistency, efficiency and transparency across this organizational architecture.

•Managing documentation, risk, controls and reporting of internal controls has a number of limitations:

Page 4:

•There was no easy way to share risks and controls between processes in the system. As a result, the compliance teams ended up having to define a number of redundant controls in their existing system. This redundancy made change management very challenging.

•The system lacked document management and change reporting capabilities. Although current versions were readily available, comparison of controls and documents to prior periods was completely manual, and it was difficult to implement strict access control or deploy a streamlined process for change management.

•The system lacked role-based views, making it difficult for stakeholders such as executives to use the system.

Page 5:

FixNix Asset Management can cater to the needs of

•ISO Asset Management Workflows
•ITIL Asset Management
•Maintaining a CMDB
•Asset Gap Analysis and Asset Protection Platform

Page 6:

Asset management

Page 7:

Asset Registry / Inventory Phase

Page 8:

Asset Registry / Inventory Phase

•This phase mainly involves the creation of assets.

•You are prompted to provide the following properties for any asset creation:

Physical Properties (like IP, MAC, asset sub type etc.)
Security Properties (like C/I/A values etc.)
Assignment Properties (like asset custodian, owner, user, current location etc.)
Current level of protection

(You can alternatively use the import feature for bulk addition of any kind of asset.)

Page 9:

Type of Assets you can maintain with FixNix Asset Registry

•Information Assets
•Computer / Servers
•Source Code Assets
•Service Assets
•Mobile Assets
•Document Assets
•Miscellaneous (Coffee Machine, Printers & any other Consumable Assets)
•Vehicle Assets

Page 16:

Assessment / Evaluation Phase

Page 17:

Assessment / Evaluation Phase

The evaluator / CIO needs to understand the current level of protection and is responsible for defining the controls in the classifications below.

•Labelling
•Transport / Transmission
•Addressing
•Storage
•Disposal

Page 20:

Action Phase

Page 21:

Action Phase – Custodian Role

The custodian is responsible for implementing the controls recommended by the evaluator/CIO, needs to describe the action statements for what was done, and is responsible for providing the evidence documents.

Page 22:

Action Phase – Owner Role

The owner is responsible for defining fair usage policies and needs to communicate them to all the asset users. The owner needs to get acknowledgement from all the asset users that they have understood and accepted the policies.

Page 24:

Review Phase

Page 25:

Review Phase

The evaluator needs to review the actions taken by the custodian and owner. The reviewer is supposed to take a decision on the actions and needs to define a closure statement and a next review date.

Page 27:

Whistle-blower/Hotline

Page 28:

•Definition of Whistle-Blowing

One who reveals wrong-doing within an organization to the public or to those in positions of authority.

One who discloses information about misconduct in their workplace that they feel violates the law or endangers the welfare of others.

One who speaks out, typically to expose corruption or dangers to the public or environment.

Page 29:

•Types of Whistle-Blowing

•Internal Whistle-Blowing

When an individual advocates beliefs or revelations within the organization.

•External Whistle-Blowing

When an individual advocates beliefs or revelations outside the organization.

Page 30:

•Stages of Whistle-Blowing

The three main stages of whistle-blowing are given below:

1. Blow the whistle

2. View Status

3. Evaluator Login

Page 31:

•Blow the Whistle

Blow the Whistle: Here you specify what type of whistle it is and to whom you want to send the whistle complaint.

Requester Information: A detailed description of the whistle complaint and your idea for solving the problem.

Submission: Rules and regulations about the whistle.

Page 32:

•Blow the Whistle

Page 33:

•Requester Information

Page 34:

•Requester Information

Page 35:

•Submission

Here only the rules and regulations of the whistle complaint are listed.

1. First, each person should accept the rules and regulations.

2. Then the person can file a whistle.

Page 36:

•Submission

Page 37:

View status

Whistle-blower: a person who informs on a person or organization regarded as engaging in an unlawful or immoral activity. The person can check the items given below:

•The person can check the status of the whistle complaint.
•The person can add a comment and send mail to the authority person.
•The person can check the entered information.

Page 38:

Status

Page 39:

Continue...

Page 40:

Evaluator Login

The evaluator can do the following things:

•The evaluator can view the whistle complaints
•The evaluator can give a solution to a particular problem
•The evaluator can chat with the person
•The evaluator can update the status of the whistle complaint

Page 41:

Business Continuity Management (BCM)

Page 42:

Analyzing the Resources:

The analysis phase consists of impact analysis, threat analysis and impact scenarios for resources. If the impact is Critical, two values are assigned:

Recovery Point Objective (RPO) – the acceptable latency of data that will not be recovered

Recovery Time Objective (RTO) – the acceptable amount of time to restore the function

The recovery time objective must ensure that the Maximum Tolerable Period of Disruption (MTPoD) for each activity is not exceeded.

Page 46:

Business Plan:

This phase identifies the most cost-effective disaster recovery solution that meets the two main requirements from the impact analysis stage.

Analysing the Operating Expenses (OPEX) and Capital Expenditure (CAPEX) for designing the Business Plan.

Page 49:

Implementation:

This stage defines whether the Business Plan has been implemented or not, and whether any queries/actions need to be taken.

The implementation phase involves policy changes, material acquisitions, staffing and testing.

Page 51:

Acceptance and Testing:

The purpose of testing is to achieve organizational acceptance that the solution satisfies the recovery requirements. Plans may fail to meet expectations due to insufficient or inaccurate recovery requirements, solution design flaws or solution implementation errors.

Testing may include:

Table-Top Exercise
Functional Test

Page 53:

Maintenance Phase:

The maintenance cycle is divided into 3 parts:

Monthly
Annually
Bi-Annually

Issues found during the testing phase often must be reintroduced to the analysis phase.

Page 55:

Compliance management

Page 56:

Main Features

Single repository for regulations and standards

Centralized repository for compliance related organizational data

Allow for gathering of data from non-technology sources such as people

Map compliance data to regulations and standards

Allow for generation of reports, and export of data for use with other systems within an organization

Page 59:

Main Features

Provide management dashboards for compliance status with the ability to drill down across departments, geographies etc.

Allow for creation of custom compliance frameworks or modification of existing ones

Provide reminders to people for addressing compliance related tasks in an optimal manner

Manage exceptions and activities related to compliance

Provide an exhaustive audit trail for all compliance related actions through the whole process

Page 63:

FRAUD MANAGEMENT SYSTEM (Automate the alerting and prevention of fraudulent activities)

Page 64:

What is a Fraud?

Fraud is a type of criminal activity, defined as:

•'Abuse of position, or false representation, or prejudicing someone's rights for personal gain'.

•Put simply, fraud is an act of deception intended for personal gain or to cause a loss to another party. The general criminal offence of fraud can include:

•Deception whereby someone knowingly makes a false representation, or fails to disclose information, or abuses a position.

•Fraudsters are always finding new ways to trick you out of your money.

Page 65:

What is a Fraud Management System?

•A Fraud Management System (FMS) allows you to analyze data from any source (e.g. the Whistle Blower module), investigate hypotheses to discover new patterns and root causes, identify fraudulent activity in real time, and manage workflows that eliminate threats.

•Fraud Management Systems are used to automate the alerting and prevention of fraudulent activities and to exclude the “human factor”.

Page 66:

What Are the Challenges for Companies?

Fraud costs public and private enterprises hundreds of billions of dollars each year.

•Exponential increase in the frequency and sophistication of fraud, waste, and abuse.
•Diverse, complex, and constantly changing fraud schemes and strategies.
•Huge volumes of data from multiple sources.
•Operational and organizational silos.

Page 67:

How big is the problem?

•The typical organization loses 5% of its revenues to fraud.
•2011 estimated and projected global total fraud loss: $3.5 trillion.

Page 68:

Fraud Management Benefits

•Decrease fraud losses through real-time analysis.
•Improve operational efficiency through automated processes.
•Improve investigator efficiency with real-time analyses and metrics.
•Maximize detection efficiency by early identification and prediction of future risk.
•Improve process efficiency through real-time monitoring.
•Investigate, analyze and prevent fraud in ultra-high volume environments.

Page 69:

Recommendations

•If your company is at risk of significant financial loss as a result of fraud, FixNix Fraud Management is certainly worth a look, at a very low cost compared to other GRC competitors.

•First quantify the risk and then assess the cost of your current efforts to contain and mitigate that risk.

•If you employ fraud investigators, you must have some measure of their success, and chances are you measure the number of potential cases investigated, along with the number of real occurrences of fraud.

•The goal should not necessarily be to increase the number of cases of fraud detected, but to detect fraud more quickly and to minimize the number of cases you chase that lead to no fraud (fewer false positives).

Page 70:

•File a Fraud

Page 72:

•Fraud List

Page 74:

•Fraud Investigate

Page 76:

Project Management

Page 77:

•File new project

Page 78:

•List all programs

Page 79:

•Project Detail list

Page 80:

•Audit Detail of project

Page 81:

•Project Submission

Page 82:

Policy Management

Page 83:

FixNix Policy Management

●With FixNix Policy Management, you gain a meaningful understanding of what governs your business and can formulate policies appropriately to assist in achieving corporate objectives and demonstrating compliance.

●Key Benefits

o Reduction in the time and effort required to create and update policies.
o Mapping with Standards and Controls
o Communication of Policies is made easy
o Report Generation
o Dashboards with drill-down charts
o Version Management of Policies is done in a consistent manner.

Page 84:

Dashboard

Page 85:

New Policy

Create your policies in 5 easy steps:

Step 1: General Information
Step 2: Scope, Purpose & Description
Step 3: Mapping Standards & Controls
Step 4: Assign the handlers
Step 5: Date & Other settings

Page 86:

Step 1: General Information

Page 87:

Step 5: Date and Others

Page 88:

Step 2: Scope, Purpose and Description

Page 89:

Step 3: Mapping Standards and Controls

Page 90:

Step 4: Handlers

Page 91:

Step 4: Handlers

Page 92:

View Policy

Creating a new version of your policy. You can view all the versions of the policy.

Page 93:

Viewing Policy

Page 94:

Reviewing Policy

Page 95:

Approving Policy

Page 96:

Incident Management

Page 97:

Incidents can be any failure of or interruption to an IT service or a Configuration Item/Asset. These can get created from:

From Event Management
From Web Interface
User Phone Call
Email
Technician Staff

Page 98:

Incident File

Page 99:

Incident Evaluation

Page 100:

Incident Resolution

Page 101:

Incident Closure

Page 102:

Contract Management

Page 103:

FixNix Contract Management is a web-based tool designed to automate the entire contract process end-to-end. It simplifies the way contracts are managed, tracked and reported.

An automated contract management process involves 3 “lifecycle” stages: File contract, Approval & Renewal. Full-featured automated contract management should allow you to have complete visibility and control over any given contract from its inception to its renewal. For each step in the contract management process, automated solutions prevent clogs and speed up sales cycles.

Integrating FixNix Contract Management into your business process will effectively enforce compliance & mitigate business risks, and acts as a directory of information for all your clients and candidates.

Page 104:

File

Page 105:

Approval

Page 106:

Renewal

Page 107:

Vendor management

Page 108:

Objectives

•Government Watch List (what they are, laws, and enforcement actions)
•HIPAA, how it affects facilities from a vendor perspective, BAAs, etc.
•Immunization testing, what is required, CDC and OSHA regulations
•Training requirements, and OSHA rules and regulations
•Access Controls

Page 110:

What to do - 10,000 Foot

Establish a Vendor Relationship Policy
Establish a formal process for annual vendor reviews
Assign and train vendor relationship managers
Establish a mechanism for tracking vendor management activities

Page 111:

Which Vendors

All vendors get costly. Which group of vendors gives you the best bang for your buck?

Access to Customer Information
Critical for Operations
Critical to Customer Service
Based on $ amount of the contract
Otherwise visible/high risk (website host, video equipment in the CEO’s office)

Page 112:

The Vendor Manager role

Who
Centralized
Distributed (with centralized management)

Skillset and tools
Time Requirements
Accountability

Page 113:

Tools Overview

Vendor Management Policy
Annual review checklist
Critical Statistics
Vendor Contract and SLA
Vendor Management Records
Open and Resolved Issues List
Vendor financial and third party review reports

Page 114:

Vendor Management Policy

Describes the organization's beliefs, objectives, and general procedures related to vendor management/service provider oversight.

Key things in ours:

Required/recommended vendors
Assignment of responsibilities
Accountability
Basics of annual reviews

Page 115:

Tools – Vendor Contract and SLA

Outlines the services provided and expectations of each entity
Outlines recourse for resolving issues
Where is the vendor contract stored
Contract termination date
Date or period of notice prior to renewal or termination
Insurance coverage of the carrier
Privacy and other regulatory expectations

Page 116:

Tools – Vendor Management Records

Records and reports of previous vendor management activities for this vendor
Used to identify trends
Reminder of concerns from prior reviews: have these been resolved?

Page 117:

What Does It Mean To Healthcare?

•Vendor Management = Risk Management

•Managing Risk to patients

– healthcare-associated infections account for an estimated 1.7 million infections and 99,000 associated deaths each year

– 13,779 TB cases (a rate of 4.6 cases per 100,000 persons) were reported in the United States in 2006.

– Patient Privacy and Patient Rights

•Security of the hospital and hospital property

•Managing Conflict of Interest

•Cost controls with proper device and medication approval processes

Page 118:

Risk reduction

•Access Controls
– Cold Calling
– Appointment setting
– Medical mistakes due to interruptions

                                 Without Interruption   With Interruption
Procedural failure rate          69.6%                  84.6% (with three interruptions)
Clinical error (at least one)    25.3%                  38.9% (with three interruptions)
Estimated risk of major error    2.3%                   4.7% (with four interruptions)

Page 119:

Challenges Facing A Facility

•Vendor Company
  – Financials
    • Bankruptcies
    • Liens
    • Judgments
  – Legal Standing
    • Involved with Anti-Kickback Legislation
  – Liability Insurance
  – HUBs
  – Conflict of Interest

•Vendor Representatives
  – Immunizations
    • MMR
    • TB
    • Varicella
    • Influenza
  – Cold Calling
  – Background Check
  – Conflict of Interest
  – Contact Information
  – Proper Training

Page 120:

Choices

Develop your own system
– Cost: Human capital
– Design the system
– Programming
– Manage the information
– Development time
– Administer the program
– Higher cost to vendor community

Use a service
– Cost: Normally at no or little cost to you
– Administer the program
– Lower cost to vendor community

Page 121:

How does FixNix help to tackle this?

Page 122:

Listing of vendors

Page 123:

Approve or reject vendors

Page 124:

Questions?