GRC – The Way Forward
DESCRIPTION
Are you managing GRC in the most effective manner? Is it contributing to business governance or becoming a burden? We will discuss the current state of GRC and recognized business drivers as well as supportive risk management infrastructures. Strategies for the alignment of business interests with enterprise GRC programs to establish a complete, auditable, less time-consuming program which benefits from management visibility and compliance readiness will additionally be presented. Utilize GRC to manage your business, not to burden it.

Speaker: James P. Finn, Modulo

James has twenty-five years' experience in security and disaster recovery consulting, managing and delivering enterprise solutions to more than 200 worldwide commercial and government clients. He has held various management and consulting positions in the information security field, including as a worldwide IBM Corporate Auditor for Information Security reporting to the Corporation's Board of Directors, as the founding Principal of both the IBM and Unisys Security Consulting Practices, and as Vice President of Risk Management for Modulo. He has consulted in more than 38 countries (U.S., Asia, Europe, South America) on business, technical security and recovery solutions to assist clients to achieve and maintain effective governance across the full spectrum of security and business recovery disciplines. James is a Microsoft MSRA trained assessor, a KPMG trained SOX auditor and also holds Business Continuity certifications. He is frequently requested as a speaker at international industry conferences, live webcasts and TV and radio news shows and is the author of over 50 media articles on computer security.

TRANSCRIPT
Agenda
• GRC Current State
• Business Risk
• Risk Management Evolution
• GRC Maturity Goals
• Your Risk Management
• Business Challenges
• GRC Automation Best Practices
• Questions?
GRC Current State
• A reactive and siloed approach to GRC is a recipe for disaster and leads to . . .
• Lack of visibility. A reactive approach to risk and compliance leads to siloed initiatives that never see the big picture.
• Wasted and/or inefficient use of resources. Silos of risk and compliance lead to wasted resources.
• Unnecessary complexity. Varying risk and compliance approaches introduce greater complexity to the business environment.
• Lack of flexibility. Complexity drives inflexibility – the organization is not agile in the dynamic business environment it operates in.
• Vulnerability and exposure. A reactive approach leads to greater exposure and vulnerability.
Risk Management Challenges
• Multiple standards to choose from
• Technology focused, not business centric
• Control identification required for each standard
• Lack of skilled auditors across all platforms
• No documented, thorough, consistent methodology
• Proper, effective, repeatable analysis not in place
• Detailed recommendations not complete
• No definable return on investment
• No knowledge base for additional assessments
• Management visibility not facilitated
• This can all be automated using GRC software
Risks
• Your Brand
• Stakeholders (e.g., board, management, employees)
• Contractual Relationships (e.g., supply-chain, vendors, contractors)
• Informal Relationships (e.g., NGOs, media)
• Your business information security and privacy
Are you trying to manage a problem or leverage business information?
Risk Management Evolution
Current State
• Fragmented silos
• Mostly reactionary
• Individual projects
• Separate from mainstream processes and decision-making
• Spreadsheets, spreadsheets, spreadsheets
• Limited and fragmented use of technology
Future State
• Integrated management & performance
• Proactive planning & execution
• Integrated capability
• Embedded within mainstream processes and decision-making
• Coordinated transactions & shared data
• Architected solutions
GRC Maturity Goals
• Achieve business objectives
• Enhance organizational culture
• Increase stakeholder confidence
• Prepare & protect the organization
• Prevent, detect & reduce adversity
• Motivate/inspire desired conduct
• Improve responsiveness & efficiency
• Optimize economic & social value

• Automate the manual siloed approach to GRC management
  – Solution Required: Distributed database-driven platform with common policy, asset, reporting and incident repository
• Comply with multiple regulations
  – Solution Required: Effectively manage the policy lifecycle and map multiple policies to common controls
• Lower IT and enterprise risk
  – Solution Required: Consistently measure and communicate risk posture across the enterprise
• Reduce cost of people resources and IT infrastructure overhead
  – Solution Required: Automate common tasks and leverage technology in place without adding the complexity of agents
Customer Challenges
Business Risk
• Where risk is understood and evaluated as part of corporate strategy and performance, it is set in a business context and mapped to corresponding KPIs.
• Risk management aligned to business strategy results in:
  – Risk aligned in the context of the business
    • Risk does not operate as an island unto itself, but is defined and managed in the context of where the business is heading – its goals and objectives
    • Executives and management should clearly be able to see how risk supports or hinders execution of business strategy
  – Risk managed within the context of business cycles
  – Findings influence strategic planning and investments
    • Risk management supports and enables the business to execute a strategic plan and maximize return on investments
Effective GRC Solution
Comprehensive GRC Solution
• Enterprise and IT Risk Management
• Compliance Management
• Policy Management
• Vendor Risk Management
• Remediation/Incident/Exception Management
• Security Reporting & Remediation
• Business Continuity Management
• Audit Management
Integrated GRC Platform
• Multi-language web-based platform
• Integrated database-driven distributed architecture
• Extensive knowledge base of frameworks, regulations and best practices
• Intelligent dashboard & reporting
• Ready to implement with the flexibility to configure
• Integration services API
• Role-based access control
• Encrypted
Today's Fragmented Approach
[Diagram: separate silos for Inventory, Evaluation, Remediation, Policies and Analysis]
This requires an automated GRC Management approach that brings together silos of risk and compliance into a comprehensive management platform.
Risk Management Process
• Sound risk-based decision making is critical to the success of any risk management program
• ...enterprises must move toward the formalization of risk management processes with appropriate accountability, transparency and measurability
• Risk management must be undertaken as a new approach to addressing business threats
– Gartner, April 2009
• Business risk is more than operational and financial
• Total enterprise risk management includes enterprise IT risk
Best Practices
GRC Automation
GRC Tool Manager modules
[Diagram of GRC Tool Manager modules, grouped as Basic Modules, Service Modules and GRC Portal: Knowledge Management, Organization, Policy Management, Governance, Compliance Management, Continuity, Workflow, Home, Administration, Dashboard, Risk Management, ERM]
Risk Management Cycle
[Diagram: a four-phase cycle (Inventory, Analyze, Evaluate, Treat) applied across Systems, Business Processes and Assets]
Inventory
• People, Process, Technology, Environment
• Relevance Levels
Analyze
• Knowledge Base
• Automated Collectors
• Web Interviews
• In-person Interviews
Evaluate
• Reports
• Indexes
• Charts
• Tables
Treat
• Recommendation follow-up
• Workflow Manager
Top-Down "Governance" Approach
Eliminate Compliance Silos
[Diagram: Laws & Regulations (SOX, FISMA, Basel II, NIST) map to Frameworks (17799, COBIT), which map to Controls (People, Policy, Server), which are backed by Evidence (Doc, Bkp, Password)]
GRC tools provide comprehensive support for the most commonly faced regulations, standards & frameworks, and more.
Sample Frameworks
• A130
• Basel II
• BS25999
• COBIT
• DIACAP
• DOD 8500.2
• FFIEC
• FIPS 199
• FISAP
• FISMA
• GLBA
• HIPAA
• ISO27001
• ISO27002
• ITIL
• NERC-CIP
• NIST 800-53a
• OSHA
• PCI DSS
• SOX
Comprehensive Knowledge Base, including…
Technologies
• Cisco Router w/IOS 12
• Oracle 8 and 9i
• Microsoft SQL Server 7.0, 2000, 2005
• Unix Solaris 8 and 9
• Microsoft Exchange 5.5, 2000, 2003
• Microsoft IIS 4.0, 5.0, 6.0
• SAP AG R/3 4.0B, 4.6D
• Apache 1.3.27
• Windows XP, 2000, 2003, Vista
• Linux
• Access Point - WLAN
• Application System in Production
• Check Point VPN 1/Firewall 1 NG
• IBM Lotus Notes R5
• Microsoft ISA Server 2000, 2004
• PDA
• Firewalls
People
• IT Technician
• Senior Manager
• Security Officers
• Area or Process Manager
• End User
Processes
• Developed Application System (15408)
• Change Management
• Data and System Backup
• Systems Continuity Management
• Contracts with Vendors
• Business Process Information Flow
• IT Security Organization
• ISO 27001
• ISO 17799:2005
• CobiT 4.0 - IT Process Maturity
• FISMA
• PCI Data Security Standard
• HIPAA – NIST 800-66
• BITS - FISAP – AUP and SIG
Physical Controls
• Datacenter
• Office
Live Update
• 350 Knowledge Bases
• 20,000 Controls
• 5000 Data Collectors
The MetaFramework
[Diagram: evidence collectors for Web Server, Windows, Router, Oracle, Unix, Access Control, Change Management and Physical Controls feed the MetaFramework, which maps results to SOX, GLBA, HIPAA, PCI, Basel II and COBIT]
Regulations, Standards & Frameworks mapped into the GRC METAFRAMEWORK
• Evidence gathered by Automatic Collectors, Web Interview or Off-line Collector
• Examples of mapped sources: ISO 27001, FISAP, PCI-DSS
• 350 Checklists with 20,000+ Controls
• 5000 Automatic Evidence Collectors
• 1200 "Atomic" Control Objective Packets mapped
Contains Knowledge about Controls
• Why is the control important?
• How to implement?
• If NOT implemented, to which threats am I susceptible?
• Where to learn more?
Knowledge Base
Using Automatic Collectors
Risk Acceptance and Treatment
[Diagram: risk assessed across People, Technology, Process and Facility for example business areas (ERP, Order Entry, Financial, IT Department, Sales)]
• Accept risk and communicate
• Unacceptable risk: send to treatment
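The two ideas above, a MetaFramework that maps many regulations onto a shared set of atomic controls so that evidence is collected once, and a treatment step that routes failed controls to "accept" or "treat" by risk level, can be shown in a few dozen lines. The following is an added example written for this page; it is not Modulo's product code and does not reproduce its knowledge base. Framework names, requirement and control identifiers, risk weights, the acceptance threshold and the collected facts are all constructed placeholders.

```python
"""Added example: a toy GRC MetaFramework (not Modulo's code).

Collect evidence for each atomic control once, roll the results up into every
framework that maps to that control, and route failed controls to acceptance
or treatment by risk level.  Every identifier, weight and fact below is
constructed for illustration and is not taken from any real regulation.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class AtomicControl:
    cid: str
    question: str   # the check this control answers
    risk: int       # 1 (low) .. 5 (critical); constructed weight used for routing


# Hypothetical "atomic" control packets
ATOMIC = {
    "AC-PWD-LEN": AtomicControl("AC-PWD-LEN", "Minimum password length >= 12?", 3),
    "AC-PWD-AGE": AtomicControl("AC-PWD-AGE", "Maximum password age <= 90 days?", 2),
    "LOG-AUDIT":  AtomicControl("LOG-AUDIT",  "Audit logging enabled?", 4),
    "BKP-DAILY":  AtomicControl("BKP-DAILY",  "Last daily backup verified?", 5),
}

# Hypothetical framework requirements, each satisfied by one or more atomic
# controls (many-to-many).  Clause names are placeholders, not real citations.
FRAMEWORKS = {
    "Framework A": {"A-8.1": ["AC-PWD-LEN", "AC-PWD-AGE"], "A-10.1": ["LOG-AUDIT"]},
    "Framework B": {"B-2": ["AC-PWD-LEN"], "B-10": ["LOG-AUDIT"], "B-9": ["BKP-DAILY"]},
    "Framework C": {"C-1": ["BKP-DAILY"]},
}

# Constructed facts, as an automated collector might return them for one host
SAMPLE_FACTS = {"pass_min_len": 14, "pass_max_days": 180,
                "auditd_enabled": False, "backup_last_ok": True}


def evaluate_controls(facts: dict) -> dict[str, bool]:
    """Answer every atomic control exactly once from the collected facts."""
    return {
        "AC-PWD-LEN": facts["pass_min_len"] >= 12,
        "AC-PWD-AGE": facts["pass_max_days"] <= 90,
        "LOG-AUDIT":  facts["auditd_enabled"],
        "BKP-DAILY":  facts["backup_last_ok"],
    }


def framework_status(results: dict[str, bool]) -> dict[str, dict]:
    """Roll one set of control results up into every mapped framework.

    A requirement counts as met only when all of its atomic controls pass.
    """
    status = {}
    for fw, reqs in FRAMEWORKS.items():
        met = {req: all(results[c] for c in cids) for req, cids in reqs.items()}
        status[fw] = {"requirements": met,
                      "percent": round(100 * sum(met.values()) / len(met))}
    return status


def impact(cid: str) -> list[tuple[str, str]]:
    """Which framework requirements does a single failing control drag down?"""
    return sorted((fw, req) for fw, reqs in FRAMEWORKS.items()
                  for req, cids in reqs.items() if cid in cids)


def route(results: dict[str, bool], accept_below: int = 3) -> dict[str, list[str]]:
    """Failed controls under the risk threshold are accepted and communicated;
    the rest go to the treatment workflow, highest risk first."""
    failed = [c for c, ok in results.items() if not ok]
    accept = sorted(c for c in failed if ATOMIC[c].risk < accept_below)
    treat = sorted((c for c in failed if ATOMIC[c].risk >= accept_below),
                   key=lambda c: -ATOMIC[c].risk)
    return {"accept": accept, "treat": treat}


if __name__ == "__main__":
    res = evaluate_controls(SAMPLE_FACTS)
    for fw, s in framework_status(res).items():
        print(f"{fw}: {s['percent']}% {s['requirements']}")
    for c in route(res)["treat"]:
        print(f"TREAT {c} (risk {ATOMIC[c].risk}) -> closes {impact(c)}")
```

Running it shows the point of the mapping: one failed collector result (audit logging off) lowers Framework A and Framework B at the same time, and fixing that single control closes a requirement in both, while the low-risk password-age gap is accepted rather than worked. The threshold in `route` is the place where an organisation's actual risk appetite would be configured.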
Final Results - Samples
Workflow Manager allows monitoring risk treatment actions through the Internet
Real-time Scorecard (allows viewing events in real time)
Dashboard
Detailed Risk Report
Benefits in using GRC Automation
• Saves up to 25% project time due to automatic collectors, evidence storage and automatic report generation
• Evidence repository stores artifacts such as access permissions, cryptography and audit logs
• Management based on progress indicators
• Operational Risk Report that details each non-implemented control's associated risk level
• Role based access control
• Ease of common implementation across all GRC responsibilities
• Facilitates on-going compliance management
• Auditable repository
• Perpetual, Leased, Appliance or SaaS licenses
GRC Benefits
• Better results through low investment costs and high value
• Integration between IT and business views
• IT Risk Assessment metrics and indexes
• Productivity improvements through analysis automation
• Compliance evaluation with COBIT, ISO/IEC 27002, PCI-DSS and more
• Quicker results
• Recommendations and workflow for treating identified risks
• Supports decisions
GRC SHOULD SERVE YOU
YOU SHOULD NOT SERVE GRC
QUESTIONS ?