The automated fusion and correlation of the data produced by the multiple technologies forming the technical control framework will allow COM to maximize the return on investment for the technology. Additionally, an automated solution serves as a force multiplier that does not require the typical headcount associated with the manual collection, correlation and analysis of the data gathered during an average assessment and/or monitoring window. The automated solution is able to determine enterprise risk and compliance status while providing a comprehensive dashboard and reporting capability to ensure that stakeholders at every level are provided a means to monitor and measure what matters most to them.
In the beginning, people use existing general-purpose tools to build semi-automated GRC solutions. These are not scalable and not integrated, which is not a big issue when you only need one or two solutions.

Solution Overview
National Continuity Solutions Platform
Michael J. O'Dell, CBCP
Sage Management
Compliance Solution Market Trends (Past -> Present)
- Manual Processes -> Automation
- Compliance Driven -> Business & Risk Driven
- Custom Controls -> Standard Controls
- Compliance and Risk Silos -> Common Control Framework
- Fragmented Tools -> Integrated Solution
- Periodic Audits -> Continuous Monitoring
- Internally Developed Tools -> Purpose-Built Platform
- Consulting Engagements -> Software Solutions
- Cylinder of Excellence View -> Enterprise-Wide Visibility
Custom & Manual Solutions
- Leverage existing technologies
- Tools not suited to purpose
- Poor data integrity and quality
- Limited point-to-point integration
- Heavy reliance on scripting, macros and cron jobs
- Fragile integrations
- Mostly manual processes
- Heavy reliance on Excel and Word
- Help Desk tool used to route workflows
(Diagram components: Help Desk, Document Management, Excel, Word, Reporting Tools, Data Warehouse)
Purpose-Built GRC Platform
- Open technology stack: hot-pluggable with open source, Oracle, IBM, ...; consistent with corporate technology strategy
- Purpose-built GRC platform: optimized for GRC, SOA platform vision; predefined GRC business objects / entities; simple upgrade and extension
- Single-point integration: simple upgrade and extension; no point-to-point integration
- Feature-rich applications: integrated functionality, no redundancy; cross-regulation scalability
- Open content: global community and localized support; partner- and customer-friendly
(Diagram: IT GRC Platform comprising Dashboards, Reports, Indicators; Automation & Collaboration Engines; Common Control Framework; Integrated GRC Data Model; Open Connector Architecture for Workflow, Reporting and Data Integration; control sources NIST 800-53, ISO, SOX)
Limited protection of operational security as well as the war fighter’s PII
Static view of security posture and performance of the network
Isolated tool sets creating redundancy and operational inefficiency with manual correlation
Security incidents and data breaches going undetected for long periods of time
Provides a comprehensive technical control framework for enhanced automated monitoring, as well as assessment and correlation of the attributes used to develop key compliance and risk indicators. This acts as an effective force multiplier, allowing the command-level program office to constantly maintain the pulse of security posture and risk across the global infrastructure.
Real-time visibility into risk and compliance status against 8500.2 and PII Risk Management requirements
Provides a comprehensive IA program through threat analysis and technology risk assessments, in order to leverage the most appropriate technologies and cost-effective solutions for the network.