GRC– The Way Forward

Are you managing GRC in the most effective manner? Is it contributing to business governance or becoming a burden ? We will discuss the current state of GRC and recognized business drivers as well as supportive risk management infrastructures. Strategies for the alignment of business interests with enterprise GRC programs to establish a complete, auditable, less time consuming program which benefits from management visibility and compliance readiness will additionally be presented. Utilize GRC to manage your business, not to burden it.

James P Finn, Modulo

James has twenty five years experience in security and disaster recovery consulting, managing and delivering enterprise solutions to more than 200 worldwide commercial and government clients.

He has held various management and consulting positions in the information security field, including as a worldwide IBM Corporate Auditor for Information Security reporting to the Corporation’s Board of Directors, as the founding Principal of both the IBM and Unisys Security Consulting Practices, and as Vice President of Risk Management for Modulo.

He has consulted in more than 38 countries (U.S., Asia, Europe, South America) on business, technical security and recovery solutions, helping clients achieve and maintain effective governance across the full spectrum of security and business recovery disciplines. James is a Microsoft MSRA trained assessor, a KPMG trained SOX auditor and also holds Business Continuity certifications.

He is frequently requested as a speaker at international industry conferences, live webcasts and TV and radio news shows, and is the author of over 50 media articles on computer security.

GRC – The Way Forward: Presentation Transcript

  • GRC The Way Forward
    James Finn
    MODULO
    james.finn@modulo.com
  • Agenda
    GRC Current State
    Business Risk
    Risk Management Evolution
    GRC Maturity Goals
    Your Risk Management
    Business Challenges
    GRC Automation Best Practices
    Questions ?
  • GRC Current State
    A reactive and siloed approach to GRC is a recipe for disaster and leads to . . .
    Lack of visibility. A reactive approach to risk and compliance leads to siloed initiatives that never see the big picture.
    Wasted and/or inefficient use of resources. Silos of risk and compliance lead to wasted resources.
    Unnecessary complexity. Varying risk and compliance approaches introduce greater complexity to the business environment.
    Lack of flexibility. Complexity drives inflexibility: the organization is not agile enough for the dynamic business environment it operates in.
    Vulnerability and exposure. A reactive approach leads to greater exposure and vulnerability
  • Risk Management Challenges
    Multiple standards to choose from
    Technology focused, not business centric
    Control identification required for each standard
    Lack of skilled auditors across all platforms
    No documented, thorough, consistent methodology
    Proper, effective, repeatable analysis not in place
    Detailed recommendations not complete
    No definable return on investment
    No knowledgebase for additional assessments
    Management visibility not facilitated
    This can all be automated using GRC software
  • Risks
    Your Brand
    Stakeholders (e.g., board, management, employees)
    Contractual Relationships (e.g., supply-chain, vendors, contractors)
    Informal Relationships (e.g., NGOs, media)
    Your business information security and privacy
    Are you trying to manage a problem or leverage business information?
  • Risk Management Evolution
    Current State
    Fragmented silos
    Mostly reactionary
    Individual projects
    Separate from mainstream processes and decision-making
    Spreadsheets, spreadsheets, spreadsheets
    Limited and fragmented use of technology
    Future State
    Integrated management & performance
    Proactive planning & execution
    Integrated capability
    Embedded within mainstream processes and decision-making
    Coordinated transactions & shared data
    Architected solutions
  • GRC Maturity Goals
    Achieve business objectives
    Enhance organizational culture
    Increase stakeholder confidence
    Prepare & protect the organization
    Prevent, detect & reduce adversity
    Motivate /inspire desired conduct
    Improve responsiveness & efficiency
    Optimize economic & social value
  • Your Risk Management
    Design Effectiveness
    Understanding if the GRC system of internal control is effectively designed
    To determine this, an organization documents its controls and processes
    Ultimately, the organization must judge if all of these controls and incentives and the system as a whole are designed such that it will satisfy stakeholders and regulators while managing risk and requirements
    Operating Effectiveness
    An effectively operating GRC system is one that considers how GRC is being managed within business and its impact on the business
    The organization should determine if the system actually operates as designed
    It supports the needs of a dynamic business in a way that increases business agility while minimizing the use of financial and human capital resources
  • Customer Challenges
    Automate the manual siloed approach to GRC management
    Solution Required: Distributed database driven platform with common policy, asset, reporting and incident repository
    Comply with multiple regulations
    Solution Required : Effectively manage the policy lifecycle and map multiple policies to common controls
    Lower IT and enterprise risk
    Solution Required : Consistently measure and communicate risk posture across enterprise
    Reduce cost of people resources and IT infrastructure overhead
    Solution Required : Automate common tasks and leverage technology in place without adding the complexity of agents
  • Business Risk
    Where risk is understood and evaluated as part of corporate strategy and performance, it is set in a business context and mapped to corresponding KPI.
    Risk management aligned to business strategy results in:
    Risk aligned in the context of the business
    Risk does not operate as an island unto itself, but is defined and managed in the context of where the business is heading –its goals and objectives
    Executives and management should clearly be able to see how risk supports or hinders execution of business strategy
    Risk managed within the context of business cycles.
    Findings influence strategic planning and investments
    Risk management supports and enables the business to execute a strategic plan and maximize return on investments
  • Effective GRC Solution
    Comprehensive GRC Solution
    Enterprise and IT Risk Management
    Compliance Management
    Policy Management
    Vendor Risk Management
    Remediation/Incident/ Exception Management
    Security Reporting & Remediation
    Business Continuity Management
    Audit Management
    Management Integrated GRC Platform
    Multi-language web based platform
    Integrated database driven distributed architecture
    Extensive knowledge base of frameworks, regulations and best practices
    Intelligent dashboard & reporting
    Ready to implement with the flexibility to configure
    Integration services API
    Role based access control
    Encrypted
  • Today's Fragmented Approach
    (Diagram: Inventory, Analysis, Remediation, Policies and Evaluation as separate silos)
    This requires an automated GRC Management approach that brings together silos of risk and compliance into a comprehensive management platform
  • Risk Management Process
    • Sound risk-based decision making is critical to the success of any risk management program
    • ..enterprises must move toward the formalization of risk management processes with appropriate accountability, transparency and measurability
    • Risk management must be undertaken as a new approach to addressing business threats
    Gartner, April 2009
    • Business risk is more than operational and financial
    • Total enterprise risk management includes enterprise IT risk
  • Best Practices
    GRC Automation
  • GRC Tool Manager modules
    Home
    Organization
    Workflow
    Dashboard
    Risk Management
    Compliance Management
    ERM
    Policy Management
    Governance
    Continuity
    Knowledge Management
    Administration
    Basic Modules
    Service Modules
    GRC Portal
  • Risk Management Cycle
  • Top-Down “Governance” Approach
    (Diagram: Business → Processes → Systems → Assets, assessed through documentation analysis, technical analyses and interviews, producing a Risk & Compliance Index)
  • Frameworks
    Evidence
    Controls
    Eliminate Compliance Silos
    Laws & Regulations
  • Sample Frameworks
    GRC tools provide comprehensive support for the most commonly faced regulations, standards & frameworks, and more
    A130
    Basel II
    BS25999
    COBIT
    DIACAP
    DOD 8500.2
    FFIEC
    FIPS 199
    FISAP
    FISMA
    GLBA
    HIPAA
    ISO27001
    ISO27002
    ITIL
    NERC-CIP
    NIST 800-53a
    OSHA
    PCI DSS
    SOX
  • Live Update
    Comprehensive Knowledge Base, including…
    Technologies
    Cisco Router w/IOS 12
    Oracle 8 and 9i
    Microsoft SQL Server 7.0, 2000, 2005.
    Unix Solaris 8 and 9
    Microsoft Exchange 5.5, 2000, 2003
    Microsoft IIS 4.0, 5.0, 6.0
    SAP AG R/3 4.0B, 4.6D
    Apache 1.3.27
    Windows XP, 2000, 2003, Vista
    Linux
    Access Point - WLAN
    Application System in Production
    Check Point VPN 1/Firewall 1 NG
    IBM Lotus Notes R5
    Microsoft ISA Server 2000, 2004
    PDA
    Firewalls
    Processes
    Developed Application System (15408)
    Change Management
    Data and System Backup
    Systems Continuity Management
    Contracts with Vendors
    Business Process Information Flow
    IT Security Organization
    ISO 27001
    ISO 17799:2005
    CobiT 4.0 - IT Process Maturity
    FISMA
    PCI Data Security Standard
    HIPAA – NIST 800-66
    BITs - FISAP – AUP and SIG
    People
    IT Technician
    Senior Manager
    Security Officers
    Area or Process Manager
    End User
    Physical Controls
    Datacenter
    Office
  • Risk Management Cycle
    (Diagram: Inventory → Analyze → Evaluate → Treat, applied across People, Technology, Process and Facility)
  • The MetaFramework
    Regulations (SOX, GLBA, HIPAA, PCI, Basel II) and standards & frameworks (Cobit, ISO 27001, FISAP, PCI-DSS) mapped into the GRC METAFRAMEWORK
    1200 “Atomic” Control Objective Packets mapped (e.g. Web Server, Windows, Router, Oracle, Unix, Access Control, Change Management, Physical Controls)
    350 Checklists with 20,000+ Controls
    5000 Automatic Evidence Collectors (automatic collectors, web interview or off-line collector)
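    The metaframework idea above, as an added illustration (not Modulo's code or data model): several regulations and standards are mapped onto one shared set of atomic control objectives, so a single piece of collected evidence satisfies every framework that references that control, and each gap rolls up into a per-framework compliance index and a risk-ranked list of missing controls. The framework names follow the slide; the control IDs, requirement references (such as "req-A") and collector results are constructed placeholders, not real clause numbers or real findings.

```python
"""
Added illustration of a control "metaframework": many regulations, one set of
atomic controls, evidence collected once and reused for every framework.
All IDs, requirement references and evidence below are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass

# Atomic control objective packets (constructed, not a real catalogue).
# The number is the risk level if the control is NOT implemented (1 low .. 5 high).
ATOMIC_CONTROLS = {
    "AC-01": ("Unique user accounts, no shared logins", 4),
    "AC-02": ("Password complexity and rotation enforced", 3),
    "CM-01": ("Changes approved and recorded before deployment", 3),
    "LG-01": ("Audit logging enabled and retained", 4),
    "PH-01": ("Datacenter physical access restricted", 5),
}

# Framework requirement -> atomic control(s). "req-A" etc. are placeholders,
# not real clause numbers of the named regulations.
FRAMEWORK_MAP = {
    "PCI-DSS":  {"req-A": ["AC-01", "AC-02"], "req-B": ["LG-01"], "req-C": ["PH-01"]},
    "HIPAA":    {"req-A": ["AC-01"], "req-B": ["LG-01"], "req-C": ["PH-01"]},
    "SOX":      {"req-A": ["AC-01"], "req-B": ["CM-01"], "req-C": ["LG-01"]},
    "ISO27001": {"req-A": ["AC-01", "AC-02"], "req-B": ["CM-01"],
                 "req-C": ["LG-01"], "req-D": ["PH-01"]},
}

@dataclass(frozen=True)
class Evidence:
    asset: str        # system or facility the collector examined
    control: str      # atomic control ID
    implemented: bool

# Constructed collector output; in the slides this comes from automatic
# collectors or a web interview. Note CM-01 was never checked anywhere.
EVIDENCE = [
    Evidence("erp-db01", "AC-01", True),
    Evidence("erp-db01", "AC-02", False),
    Evidence("erp-db01", "LG-01", True),
    Evidence("web-01",   "AC-01", True),
    Evidence("web-01",   "AC-02", True),
    Evidence("web-01",   "LG-01", False),
    Evidence("dc-main",  "PH-01", True),
]

def control_status(evidence):
    """Fold per-asset evidence into one status per atomic control.
    True only if every asset checked passed; False if any failed;
    None if no evidence exists, so an unchecked control never counts as a pass."""
    seen = defaultdict(list)
    for e in evidence:
        seen[e.control].append(e.implemented)
    return {cid: (all(seen[cid]) if cid in seen else None) for cid in ATOMIC_CONTROLS}

def compliance_index(framework, status):
    """Percentage of a framework's requirements whose mapped controls are all implemented."""
    reqs = FRAMEWORK_MAP[framework]
    met = sum(1 for ctrls in reqs.values() if all(status[c] is True for c in ctrls))
    return round(100.0 * met / len(reqs), 1)

def operational_risk_report(status):
    """Failed or unevidenced controls, highest risk first, with every framework
    each gap affects: one missing control, several regulations out of compliance."""
    rows = []
    for cid, (desc, risk) in ATOMIC_CONTROLS.items():
        if status[cid] is True:
            continue
        affected = sorted(fw for fw, reqs in FRAMEWORK_MAP.items()
                          if any(cid in ctrls for ctrls in reqs.values()))
        state = "no evidence" if status[cid] is None else "failed"
        rows.append((risk, cid, desc, state, affected))
    return sorted(rows, key=lambda r: (-r[0], r[1]))

if __name__ == "__main__":
    st = control_status(EVIDENCE)
    for fw in FRAMEWORK_MAP:
        print(f"{fw:9s} compliance index: {compliance_index(fw, st):5.1f}%")
    print("\nOperational risk report:")
    for risk, cid, desc, state, affected in operational_risk_report(st):
        print(f"  risk {risk}  {cid}  {state:11s} {desc}  -> {', '.join(affected)}")
```

    The point a practitioner should take from running it: LG-01 failed on one asset, and because all four constructed frameworks reference that control, one remediation action closes a gap in all of them at once, which is what "eliminate compliance silos" means in practice. Treating a control with no evidence as a gap rather than a pass is deliberate; an index computed only over what collectors happened to reach overstates compliance.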
  • Contains Knowledge about Controls
    Why is the control important?
    How to implement?
    Where to learn more?
    If NOT implemented to which threats am I susceptible?
  • Knowledge Base
  • Using Automatic Collectors
  • Risk Acceptance and Treatment
    (Diagram: business areas Financial, IT Department and Sales; systems ERP and Order Entry; risk dimensions Process, Facility, People and Technology)
  • Final Results - Samples
    Workflow Manager allows monitoring of risk treatment actions through the Internet
    Real-time Scorecard (allows viewing events as they occur)
  • Dashboard
  • Detailed Risk Report
  • Benefits in using GRC Automation
    Saves up to 25% project time due to automatic collectors, evidence storage and automatic report generation
    Evidence repository stores artifacts such as access permissions, cryptography and audit logs
    Management based on progress indicators
    Operational Risk Report that details each non-implemented control’s associated risk level
    Role based access control
    Ease of common implementation across all GRC responsibilities
    Facilitates on-going compliance management
    Auditable repository
    Perpetual, Leased, Appliance or SaaS licenses
  • GRC Benefits
  • GRC SHOULD SERVE YOU
    YOU SHOULD NOT SERVE GRC
  • QUESTIONS ?
  • GRC The Way Forward
    James Finn
    MODULO
    james.finn@modulo.com
    Rochester
    703 336 3058