Inv306 going social in a world of grc v.1.1

Lotusphere 2012 INV306 -- Going Social In A World of GRC


  1. INV306 Going Social in a world of Governance, Risk Management, and Compliance (GRC)
     Arthur Fontaine | Program Director | IBM Collaboration Solutions
     © 2012 IBM Corporation
  2. IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
  3. Agenda
     ■ GRC – What is it, and why is it important?
     ■ Collaboration in a GRC world
     ■ Functional perspectives to GRC
  4. Governance – Setting policies for risk in the organization
       Focus: ● Regulations ● Contractual Duties ● Business Strategy
     Risk Management – Limiting actions to within risk tolerance
       Focus: ● Education/certification ● Security and Defense ● Information Lifecycle
     Compliance – Confirming adherence to policies
       Focus: ● Audit ● Ediscovery ● Documentation
  5. A role-based approach to GRC
     Chief Legal Officer – Goal: Reduce legal exposure
       Concerns: ● Identifying legal risks ● Reducing exposure from retention of unnecessary information ● Anticipating and managing discovery tasks
     Chief Risk Officer – Goal: Quantify and reduce risk exposure
       Concerns: ● Integrated view of risk across financial, operational and other domains ● Anticipating and avoiding unexpected loss
     Chief Financial Officer – Goal: Manage risk-adjusted forecasting and allocation
       Concerns: ● Financial risk management ● Regulatory requirements ● Financial reporting (e.g. SOX)
     Chief Information Officer – Goal: Reduce IT expense
       Concerns: ● Guarding against intrusions and malware ● Reducing storage and admin costs ● Ensure business continuity ● Driving content management policies
     Chief Information Security Officer – Goal: Reduce IT risk exposure
       Concerns: ● Anticipating and avoiding threats and breaches ● Managing records lifecycles in IT systems
     Chief Compliance Officer – Goal: Ensure regulatory compliance
       Concerns: ● Adherence to policy and procedures ● Managing regulatory exams, audits and requests ● Reducing cost for compliance tasks
  6. GRC Framework (diagram)
  7. GRC – IBM Reference Architecture (diagram)
     Panels: Information Lifecycle Governance; risk domains (Credit Risk, Market Risk, ALM & Liquidity Risk, Operational Risk, IT Risk, IT Security Risk); GRC Analytics, GRC Execution, GRC Management; Operations Lifecycle Management; GRC Strategic Consulting, Implementation and Operational Services (GTS, GBS, SWG-Lab, GBS/BAO)
  8. Agenda
     ■ GRC – What is it, and why is it important?
     ■ Collaboration in a GRC world
     ■ Functional perspectives to GRC
  9. IBM Social Business Capabilities
     Envision ● Enable ● Adopt ● Optimize
     Social Networking – Owned social networks; Identity systems; Communication channels
     Social Content – Engagement apps & svcs.; Social network connectors; Content services
     Social Analytics – Analytics; Monitoring; Optimization
     Discover ● Engage ● Reach
     Process Management – Social BPM; Rules; Connectors; ESB
     Information Management – Information integration; MDM; Data warehousing
     Governance and Lifecycle – Info. lifecycle gov.; Community gov.
     Integrate ● Security ● Mobile ● Open Standards ● Workload-Optimized Systems
  10. "Dynamic Tension" – Social Business and GRC impacts
      Instant access to professional experts and networks
        Impact on GRC: ● Directly conflicts with regulatory "internal firewall" requirements
        C-level roles impacted: CFO, CRO, CCO, CISO
      Multi-modal communications
        Impact on GRC: ● Multiplies the channels, volume, and velocity that have to be monitored, logged, audited, discovered ● Complicates identity and access management
        C-level roles impacted: CIO, CISO, CLO
      Access to public data sources and applications
        Impact on GRC: ● Creates risk of releasing or procuring information improperly ● Adds threat exposures
        C-level roles impacted: CLO, CRO, CCO, CIO
      Mobile access to enterprise big data
        Impact on GRC: ● Places core enterprise IP in uncontrolled environments
        C-level roles impacted: CIO, CISO
      Rich information about people and projects
        Impact on GRC: ● Allows better targeted threats ● Updates can be studied to reveal patterns and clues
        C-level roles impacted: CISO, CCO, CRO
      Common customer request: "How can you help us deploy your social business solutions in a way that doesn't break the GRC regime we've constructed over the years?"
  11. Enterprises understand unique GRC issues
      Issue: We lack an overall social business policy for our enterprise
        Mitigation: Develop an enterprise-wide social business policy & governance model
        Representative IBM offerings: ● Atlas Policy Federation Framework ● Atlas Global Retention Policy and Schedule Management
      Issue: Expands the universe of things I need to enforce policy on (monitor, retain, discover, and dispose)
        Mitigation: Expanded policy management and enforcement tools to modify behaviors, raise risk awareness
        Representative IBM offerings: ● Actiance Vantage for Connections and Sametime ● IBM Content Collector, IBM eDiscovery Manager ● Atlas Governance for IT
      Issue: Raises challenges of managing within regulated industries
        Mitigation: Identity/access management tools need to be extended to social applications
        Representative IBM offerings: ● Atlas Governance for IT ● Tivoli Identity Manager ● Tivoli Content Manager ● QRadar SIEM/Risk Manager
      Issue: Raises risk and velocity of content leaks
        Mitigation: Content inspection solutions must prevent leaks, flag inappropriate behaviors
        Representative IBM offerings: ● Lotus Protector ● InfoSphere Guardium db Security ● InfoSphere Optim Data Masking
      Issue: Breaks existing security / compliance regimes such as internal firewalls
        Mitigation: Tools must reuse and extend existing security/compliance regimes for social content
        Representative IBM offerings: ● Atlas Policy Federation Framework ● IBM Information Lifecycle Governance ● Lotus Protector ICAPI
      Issue: Creates new vectors of attack and raises risk of social engineering exploits
        Mitigation: Security systems must identify, and protect against, social business attacks and exploits
        Representative IBM offerings: ● Tivoli Network Intrusion Prevention ● Tivoli Endpoint Manager
  12. IBM Information Lifecycle Governance (ILG)
      The ILG solution portfolio enables customers to:
      ● effectively retain and archive information
      ● efficiently meet eDiscovery obligations
      ● defensibly dispose of information to lower both cost and risk.
  13. Information Lifecycle – it is a process...
      Of all the information and content generated in any organization only the right information has to be retained. But which is the right one?
      Create → Collect → Analyze → Archive → Discover → Dispose
      Risk: Cost of storage
      Risk: Cost of lost evidence; Inability to comply with regulatory requirements
  14. Agenda
      ■ GRC – What is it, and why is it important?
      ■ Collaboration in a GRC world
      ■ Functional perspectives to GRC
  15. Use Case: Chief Legal Officer
      GOAL: REDUCE LEGAL EXPOSURE
      KEY OBJECTIVES
      ● Identifying legal risks
      ● Reducing exposure from retention of unnecessary information
      ● Anticipating and managing legal discovery tasks
      Impacts of Social Business
      ● Increased opportunities for legal risks, due to new communication modes and unlimited ad hoc interactions
      ● New data sources and types that constitute business records (must be discoverable per FRCP)
      ● Greater complexity of business records, including data hosted on external applications/platforms
      Strategies / Tools / Services from IBM
      ● Actiance Vantage for Connections and Sametime – Brings Connections/Sametime content into enterprise data corpus
      ● IBM Content Collector, IBM eDiscovery Manager – Enables cross-enterprise legal discovery of data and content
      ● Atlas Global Retention Policy and Schedule Management – Manages enterprise policies for retention and deletion, to reduce expense and exposure in legal cases
      ● Atlas Retention for Employees – Brings business knowledge into the retention process, to inform system of data that contains (or does not contain) business value or duty
      ● Atlas eDiscovery Process Management – Helps automate the workflows in legal discovery activities
  16. Use Case: Chief Risk Officer
      GOAL: QUANTIFY AND REDUCE RISK EXPOSURE
      KEY OBJECTIVES
      ● Integrated view of risk across financial, operational and other domains
      ● Anticipating and avoiding unexpected loss
      Impacts of Social Business
      ● Increased opportunities for financial or IP disclosure
      ● New entry vectors for attacks, including social engineering exploits
      ● Frictionless collaboration with attendant information velocity
      Strategies / Tools / Services from IBM
      ● GBS Social Business GRC offering – Identify risks and apply mitigation strategies
      ● Atlas Policy Federation Framework and Connectors – Brings business knowledge into the retention process, to inform system of data that contains (or does not contain) business value or duty
      ● IBM Content Collector, IBM eDiscovery Manager – Enables cross-enterprise legal discovery of data and content
      ● IBM Content Analytics and Classification – Provides enhanced view of information and content, for improved risk awareness
  17. Use Case: Chief Financial Officer
      GOAL: RISK-ADJUSTED FORECASTING AND ALLOCATION
      KEY OBJECTIVES
      ● Financial risk management
      ● Regulatory requirements
      ● Financial reporting (e.g. SOX)
      Impacts of Social Business
      ● Increased opportunities for financial disclosure (e.g., "Quarter looks great!")
      ● Rapid and unconstrained data growth may impact IT budget
      Strategies / Tools / Services from IBM
      ● GBS Social Business GRC offering – Design policies based on role or identity, content, and mode
      ● Actiance Vantage for Connections and Sametime – Brings Connections/Sametime content into enterprise data corpus
      ● IBM Content Analytics, IBM Classification Module – Enables analysis
      ● Atlas Global Retention Policy and Schedule Management – Manages enterprise policies for retention and deletion, to reduce IT expense
  18. Use Case: Chief Information / Security Officer
      GOAL: REDUCING IT EXPENSE AND RISK EXPOSURE
      KEY OBJECTIVES
      ● Ensuring regulatory compliance in IT systems
      ● Reducing storage and admin costs
      ● Business continuity risk
      ● Vendor risk
      Impacts of Social Business
      ● Increased opportunities for noncompliance in IT systems, with greater complexity of user/role access management
      ● Data growth that's difficult to apply lifecycle controls against, due to ad hoc/unstructured nature of data
      ● New vectors for attack, including social engineering and public social platform vulnerabilities
      Strategies / Tools / Services from IBM
      ● Actiance Vantage for Connections and Sametime – Brings Connections content into enterprise data corpus
      ● Atlas Global Retention Policy and Schedule Management – Manages enterprise policies for retention and deletion, to minimize IT expense
      ● Atlas Retention for Employees – Brings business knowledge into the retention process, to inform system of data that contains (or does not contain) business value or duty
      ● IBM Security Services components/controls (Tivoli, Q1) – Protects against intrusions and threats originating from social vectors
  19. Use Case: Chief Compliance Officer
      GOAL: ENSURING REGULATORY COMPLIANCE
      KEY OBJECTIVES
      ● Adherence to policy and procedures
      ● Managing regulatory exams, audits and requests
      ● Reducing cost for policy and control management
      Impacts of Social Business
      ● Increased opportunities for noncompliance, with new modalities and unlimited ad hoc interactions
      ● New data sources and types that constitute business records, applicable to regulatory activities
      ● Greater complexity of business records, including data hosted on external applications
      Strategies / Tools / Services from IBM
      ● Actiance Vantage for Connections and Sametime – Brings Connections content into enterprise data corpus
      ● Atlas Global Retention Policy and Schedule Management – Manages enterprise policies for retention and deletion, to minimize expense and exposure in compliance actions
      ● IBM Content Collector, IBM eDiscovery Manager – Enables cross-enterprise discovery of data and content for compliance actions
      ● Atlas eDiscovery Process Management – Helps automate the workflows in discovery activities for compliance actions
      ● Atlas Retention for Employees – Brings business knowledge into the retention process, to inform system of data that contains (or does not contain) business value or duty
  20. Summary
      ■ GRC is a cross-functional imperative that addresses risks through policy, active management, and audit
      ■ Social Business offers unique challenges to GRC, but ultimately must be addressed within the larger GRC framework
      ■ Roles-based GRC analysis is needed to design comprehensive, lasting GRC programs
  21. Thank you!
      Arthur Fontaine – afontaine@us.ibm.com – 720-395-5676
      Please remember to fill out your evaluations
  22. Legal disclaimer
      © IBM Corporation 2012. All Rights Reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM's current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both.
