Strategy to Implement a GRC Software Solution (Governance, Risk, and Compliance)
Keys to Success in Implementing a GRC Software Solution
• Identify VP Level Sponsor & local Department Champions
• Implement in Phases – guarantee some ‘WINs’
• Develop and Publish a RACI Matrix – explain who does what…?
• Identify Minimum Workflows and Decision-points
• Data-Migration – identify key-data to import and ‘cleanse’ before usage
• Normalize (Key) Roles based on importance, build-in SoD Security
• Leverage the 80/20 Rule – ok to have exceptions
• Develop a ‘Virtual Org-Chart’ for system
• Use / Leverage the ‘SandBox’ Environment – to ‘Test-Drive’ the system and ‘get your feet wet…’
• Create ‘simple’ End-user Documentation / Training Guides
• Implementation Plan – validate the right-people are free for ‘Go-Live’
• Document decisions and Configuration values as you go…
• Communicate Goals and ‘sell’ Benefits / ROI to company
“we didn’t Plan to Fail…. we Failed to Plan…”
For customers of Random Access Technologies, Inc. only - Patrick Angel, CISM® CRISC® CISA®
Identify Sponsor / Champions
Reason for Most-Common Failure – Lack of Support & ‘Buy-in’…
• Enterprise-Level Projects (like GRC rollouts) will fail without CxO Sponsorship
• GRC Projects will require a ‘champion’ from every key Dept / Line-function to serve as liaison and assist in implementation and training
• Regular Communication is essential with all the Stakeholders, throughout the Project’s life
• Weekly Communication should include – Status, % Complete, Issues/Risks, and Key Dates
Implement the GRC system in ‘Phases’
Guaranteeing some ‘Wins’ will guarantee overall ‘Success’
• Grab the ‘low-hanging fruit’ (simple functions like SURVEYs) to show progress, quick ‘wins’ and results, and begin to engage the users
• Phased approach is the ‘safest’ and progress is easily measured
• Engage the end-user to review (and sign-off on) all Major changes / updates to the GRC System
• Engage Line-Management to review / assist in developing Training Material and format (e.g. CBT vs Live/In-person), & take ownership
Create a RACI Matrix during Design
Give all Users some guidance on ‘who does what’…
• R – Responsible
• A – Accountable
• C – Consulted
• I – Informed
Sample RACI Matrix (activities across the top, roles down the side)
Activities: Request Execution / Manage Scanning Schedule; Collect Data & Analysis docs / Upload for Testing; Conduct Surveys / Execute Scan; Collect / Review Output; Meeting – Review Results; Address / Remediate / Resolve Issues; Submit Docs, Update / cleanse, Re-Issue Report; Re-Test / Validate Fixes per Remediation
Roles and their RACI entries (left to right):
• CxO / Executive: R, C, I, I, C
• Business Owner: R, R, C, R, R/A
• Program Mgr (Angel): I, R/A, R, R/A, C
• Developer / Tech SME: C, I, C, R, R/A
• Process Owner: C, R, R, R, C
• Department SME: I, C, R/A, --, --
• Line Manager: I, C, R/A, --, --
Data-Migration and ‘Cleansing’
If you don’t need it… don’t pack it up and take it with you.
• Identify Core-Data and plan to migrate only ‘Key Data’ to the new system
• Take this as an opportunity to ‘cleanse’ your data / formats – don’t move your old Dirt…
• Focus on the ‘minimum necessary data’ to integrate into your GRC System (you can add more later)
• Plan to have your data ‘cleansed’ and ready to migrate 1 month before ‘Go-Live’
Workflows and Required Use-Cases (minimum)
Implement ‘most-needed’ / Common Functions 1st – biggest ‘bang’
• Self-Service User – Password Reset / Change
• Login (access) as Manager
• View (staff) Reports, by Manager
• View Assigned Roles and Available Roles,
• Request basic (minimum) account – Email, Active Dir, etc.
• Provision / Request access to Role – Add (new) user
• Update / Change user access to (role)
• De-Provision – Remove (delete/terminate) user
• Route Approval-Request
• Approve Request(s)
• Reject Request(s)
• Request additional info on Request
Integrate Separation-of-Duties (SoD) into design of (New) Roles
Use standard Workflows
Success in GRC depends on – People / Process / Technology
You are in charge of your People… and You acquired the Technology…
but is your Process documented … before you Automate it?…
Leverage the “80/20” Rule
It’s ok to have ‘exceptions’ as long as they don’t become the Rule
• Should be able to Normalize 80% of the Roles using only 20% of the overall ‘effort’
• Remaining 20% of the Roles will require the balance (80%) of the ‘effort’ to standardize…
• Pick your Battles – what Roles are important to have as ‘exceptions’ – Mgmt / Oversight…?
  – Require Line-Mgmt to ‘defend’ need for exceptions
• GRC will always have ‘exceptions’ – which ones are important to you / company…?
Develop a Virtual Org-Chart
Who is Important in the Company (to use the GRC System) ?
• CxO’s and Legal Dept
• Line-Management
• Audit / Compliance
• SME’s (subject-matter experts)
• I/T Support – but… not everybody needs to be included…
Create / use the ‘SandBox’ Environment
Let the Users / Mgmt get a feel for the system in a ‘safe’ place…
• Allows for Real-Time Feedback on the system
• Provide Logins for all SME’s and Key Stakeholders to explore the system
• Safe-Environment permits faster adoption of the system
• Allow end-users a way to identify problems and updates required before Go-Live
• Create an Action-List for system-updates / fixes
Documentation / Training Guide
Make it easy to Read / Understand / Follow – using R-SAM
Use screen-shots of the system’s actual screens to help users navigate and use the software
Make it easy to Read / Understand / Follow – MetricStream
Make it easy to Read / Understand / Follow – AVATIER / AIMS
Create a CBT (computer) version for the Remote office / Country staff
Integrate Risk-Analysis Process
Automate the Manual Process of Analyzing Risk
Document Config-Values and Decisions
Ensure you meet Regulatory / Compliance Requirements as you go…
• Document all Configuration / setup Values ‘as you go’ when setting up the GRC System
  – At minimum, use screen-prints in a Word file to track entries and values; you will need it later on
• Document all (Key) Decisions by both Tech Staff and CxO / Management (including Emails)
• Save, backup, and store in duplicate
• Will be required for Maintenance / Support / Regulatory and Compliance-discussions
Implementation Plan for ‘Go-Live’
A Migration-Plan will keep the ship heading in the right direction
• Verify your Key people will be available during the ‘Go-Live’ period (e.g. vacation / holidays)
• Sync up the GRC Migration with the current Maintenance Windows calendar
• Confirm Dependency-Milestone-dates will be completed prior to Migration (critical-path)
• Conduct a Desk-walkthrough of the Migration Plan to avoid obvious mistakes / oversights
• Validate that the Target-Environment is set up the same as the Test / Sandbox Environment
Sell Benefits / ROI and Communicate
Facilitate acceptance by selling benefits / communicating Goals to company / Staff
• Leverage Status Reports to ‘spread the word’…
• Document efficiency gained via Usage by SME’s
• Communicate to all Stakeholders about new Functionality and Milestones completed
• Create Login ID’s for all major Stakeholders so they can ‘see and touch’ the system
• Use Vendor WhitePapers to impress the overall Benefits of using the new GRC System
• Hold a company-wide ‘Kick-Off’ Announcement
Role-Management Governance (and Review) Process
[Flowchart] Steps shown: Start; Provisioning; Security-Mgmt / Network-Mgmt; Bi-Annual / QTR Review; Exceptions; Consider Creation of a New Role; Document Mgmt-Approval and Signoff; END; Send Request for New Role to IdM Roles-Admin; Add New Role to Roles List and Distribute; REPORT Exceptions & Problems
ROLE-GOVERNANCE BOARD:
• CISO / Director of Security
• Information Security
• Provisioning Staff / Supv
• I/T Service-Desk
• Human Resources
• Dept Head(s)
Evaluate Individual Cases and Compare Exceptions to Existing Roles:
• How Frequently are New Roles Requested?
• How Close is the New Role to Existing Roles?
• How Important is the New Role to the Org?
Develop a Process to (regularly) Review / Maintain Key Roles
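The SoD requirement from the workflow slide (“build-in SoD Security” when designing new roles) and the Board’s decision questions on this slide, worked as an added example in Python (not from the deck, nor from R-SAM, MetricStream or AVATIER). Role names, entitlements, the SoD conflict pairs, the request log and the duplicate threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the normalised roles already on the Roles List.
EXISTING_ROLES = {
    "AP_CLERK":    {"vendor.create", "invoice.enter"},
    "AP_APPROVER": {"invoice.approve", "payment.release"},
    "AUDITOR_RO":  {"ledger.read", "invoice.read", "payment.read"},
    "HELPDESK":    {"account.reset_password", "account.read"},
}

# Constructed SoD matrix: entitlement pairs one role must never combine.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"invoice.enter", "invoice.approve"}),
    frozenset({"invoice.approve", "payment.release"}),
}

# Assumed closeness above which a request is a duplicate of an existing role.
DUPLICATE_THRESHOLD = 0.8


@dataclass
class Decision:
    outcome: str                     # REJECT_SOD | MAP_TO_EXISTING | ROUTE_TO_BOARD
    closest_role: Optional[str] = None
    similarity: float = 0.0
    sod_violations: list = field(default_factory=list)
    note: str = ""


def jaccard(a, b):
    """Overlap of two entitlement sets: 1.0 identical, 0.0 disjoint."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def sod_violations(entitlements):
    """Conflicting pairs fully contained in the requested entitlements."""
    return sorted(tuple(sorted(p)) for p in SOD_CONFLICTS if p <= entitlements)


def closest_existing(entitlements, roles):
    """'How close is the new role to existing roles?' -> (name, score)."""
    best_name, best_score = None, -1.0
    for name, ents in roles.items():
        score = jaccard(entitlements, ents)
        if score > best_score:
            best_name, best_score = name, score
    return best_name, best_score


def evaluate_request(requested, roles=EXISTING_ROLES):
    """Route one new-role request: SoD check first, then closeness."""
    violations = sod_violations(set(requested))
    if violations:  # built-in SoD security: never reaches the Roles-Admin
        return Decision("REJECT_SOD", sod_violations=violations,
                        note="combines entitlements the SoD matrix forbids")
    name, score = closest_existing(set(requested), roles)
    if score >= DUPLICATE_THRESHOLD:  # not an exception: reuse the existing role
        return Decision("MAP_TO_EXISTING", name, score,
                        note="near-duplicate of an existing role; assign that role")
    return Decision("ROUTE_TO_BOARD", name, score,
                    note="genuine exception; Board weighs frequency and importance")


def exception_report(requests, roles=EXISTING_ROLES):
    """Board report: tally outcomes and answer 'how frequently are new
    roles requested?' by clustering near-identical exceptions."""
    report = {"REJECT_SOD": 0, "MAP_TO_EXISTING": 0, "ROUTE_TO_BOARD": 0}
    clusters = []  # (representative entitlement set, times requested)
    for req in requests:
        req = set(req)
        decision = evaluate_request(req, roles)
        report[decision.outcome] += 1
        if decision.outcome != "ROUTE_TO_BOARD":
            continue
        for i, (rep, n) in enumerate(clusters):
            if jaccard(req, rep) >= DUPLICATE_THRESHOLD:
                clusters[i] = (rep, n + 1)
                break
        else:
            clusters.append((req, 1))
    report["recurring_exceptions"] = [(sorted(rep), n) for rep, n in clusters if n > 1]
    return report


# Constructed request log: five new-role requests received in one quarter.
SAMPLE_REQUESTS = [
    {"vendor.create", "invoice.enter"},                               # = AP_CLERK
    {"vendor.create", "payment.release"},                             # SoD conflict
    {"ledger.read", "invoice.read", "payment.read", "account.read"},  # exception
    {"ledger.read", "invoice.read", "payment.read", "account.read"},  # same, again
    {"account.reset_password", "invoice.read"},                       # exception
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        d = evaluate_request(req)
        print(f"{sorted(req)} -> {d.outcome} ({d.closest_role}, {d.similarity:.2f}) {d.note}")
    print(exception_report(SAMPLE_REQUESTS))
```

The recurring-exception count is what the Board uses to decide whether an exception has become ‘the Rule’ and should be promoted to a normalised role.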
Patrick Angel
Roles: Asst CISO / GRC-Implementation Prog Mgr
Director PMO / Enterprise I/T Security-Architect
Areas: R-SAM / MetricStream / AVATIER (AIMS), COBIT
Framework / ISO-27002 Controls Testing
Education
Bachelors in Information Systems (MIS)
Masters Business Administration (MBA)
Years of Experience
20+ years in Information Systems
15+ years of SDLC and Governance, Risk and Compliance
Hands-on Software Developer, Application-Testing, I-T Auditing
Certifications and Associations include -
(In-progress)
Get Started Now…
‘…Chance favors the prepared Mind’
www.RandomAccessTechnology.com
(214) 826-3812
