GRC
The Way Forward
James Finn
MODULO
james.finn@modulo.com
Are you managing GRC in the most effective manner? Is it contributing to business governance or becoming a burden? We will discuss the current state of GRC and recognized business drivers as well as supportive risk management infrastructures. Strategies for the alignment of business interests with enterprise GRC programs to establish a complete, auditable, less time-consuming program which benefits from management visibility and compliance readiness will additionally be presented. Utilize GRC to manage your business, not to burden it.

James P Finn, Modulo

James has twenty five years experience in security and disaster recovery consulting, managing and delivering enterprise solutions to more than 200 worldwide commercial and government clients.

He has held various management and consulting positions in the information security field, including as a worldwide IBM Corporate Auditor for Information Security reporting to the Corporation's Board of Directors, as the founding Principal of both the IBM and Unisys Security Consulting Practices, and as Vice President of Risk Management for Modulo.

He has consulted in more than 38 countries (U.S., Asia, Europe, South America) on business, technical security and recovery solutions to assist clients to achieve and maintain effective governance across the full spectrum of security and business recovery disciplines. James is a Microsoft MSRA trained assessor, a KPMG trained SOX auditor and also holds Business Continuity certifications.

He is frequently requested as a speaker at international industry conferences, live webcasts and TV and radio news shows and is the author of over 50 media articles on computer security.

Agenda
• GRC Current State
• Business Risk
• Risk Management Evolution
• GRC Maturity Goals
• Your Risk Management
• Business Challenges
• GRC Automation Best Practices
• Questions?

GRC Current State
• A reactive and siloed approach to GRC is a recipe for disaster and leads to:
• Lack of visibility. A reactive approach to risk and compliance leads to siloed initiatives that never see the big picture.
• Wasted and/or inefficient use of resources. Silos of risk and compliance lead to wasted resources.
• Unnecessary complexity. Varying risk and compliance approaches introduce greater complexity to the business environment.
• Lack of flexibility. Complexity drives inflexibility; the organization is not agile in the dynamic business environment it operates in.
• Vulnerability and exposure. A reactive approach leads to greater exposure and vulnerability.

Risk Management Challenges
• Multiple standards to choose from
• Technology focused, not business centric
• Control identification required for each standard
• Lack of skilled auditors across all platforms
• No documented, thorough, consistent methodology
• Proper, effective, repeatable analysis not in place
• Detailed recommendations not complete
• No definable return on investment
• No knowledge base for additional assessments
• Management visibility not facilitated
• This can all be automated using GRC software

Risks
• Your Brand
• Stakeholders (e.g., board, management, employees)
• Contractual Relationships (e.g., supply-chain, vendors, contractors)
• Informal Relationships (e.g., NGOs, media)
• Your business information security and privacy
Are you trying to manage a problem or leverage business information?

Risk Management Evolution
Current State
• Fragmented silos
• Mostly reactionary
• Individual projects
• Separate from mainstream processes and decision-making
• Spreadsheets, spreadsheets, spreadsheets
• Limited and fragmented use of technology
Future State
• Integrated management & performance
• Proactive planning & execution
• Integrated capability
• Embedded within mainstream processes and decision-making
• Coordinated transactions & shared data
• Architected solutions

GRC Maturity Goals
• Achieve business objectives
• Enhance organizational culture
• Increase stakeholder confidence
• Prepare & protect the organization
• Prevent, detect & reduce adversity
• Motivate/inspire desired conduct
• Improve responsiveness & efficiency
• Optimize economic & social value

Customer Challenges
• Automate the manual siloed approach to GRC management
– Solution Required: Distributed database-driven platform with a common policy, asset, reporting and incident repository
• Comply with multiple regulations
– Solution Required: Effectively manage the policy lifecycle and map multiple policies to common controls
• Lower IT and enterprise risk
– Solution Required: Consistently measure and communicate risk posture across the enterprise
• Reduce cost of people resources and IT infrastructure overhead
– Solution Required: Automate common tasks and leverage technology already in place without adding the complexity of agents

Business Risk
• Where risk is understood and evaluated as part of corporate strategy and performance, it is set in a business context and mapped to corresponding KPIs.
• Risk management aligned to business strategy results in:
– Risk aligned in the context of the business
  • Risk does not operate as an island unto itself, but is defined and managed in the context of where the business is heading: its goals and objectives
  • Executives and management should clearly be able to see how risk supports or hinders execution of business strategy
– Risk managed within the context of business cycles
– Findings influence strategic planning and investments
• Risk management supports and enables the business to execute a strategic plan and maximize return on investments
Effective GRC Solution
Comprehensive GRC Solution
• Enterprise and IT Risk Management
• Compliance Management
• Policy Management
• Vendor Risk Management
• Remediation/Incident/Exception Management
• Security Reporting & Remediation
• Business Continuity Management
• Audit Management
Integrated GRC Platform
• Multi-language web-based platform
• Integrated database-driven distributed architecture
• Extensive knowledge base of frameworks, regulations and best practices
• Intelligent dashboard & reporting
• Ready to implement with the flexibility to configure
• Integration services API
• Role-based access control
• Encrypted

Today's Fragmented Approach
(Diagram: Inventory, Evaluation, Analysis, Remediation and Policies run as separate silos)
This requires an automated GRC Management approach that brings together silos of risk and compliance into a comprehensive management platform.

Risk Management Process
• Sound risk-based decision making is critical to the success of any risk management program
• "…enterprises must move toward the formalization of risk management processes with appropriate accountability, transparency and measurability"
• "Risk management must be undertaken as a new approach to addressing business threats" (Gartner, April 2009)
• Business risk is more than operational and financial
• Total enterprise risk management includes enterprise IT risk

GRC Automation Best Practices

GRC Tool Manager modules
Module groups: Basic Modules, Service Modules, GRC Portal
• Knowledge Management
• Organization
• Policy Management
• Governance
• Compliance Management
• Continuity
• Workflow
• Home
• Administration
• Dashboard
• Risk Management
• ERM

Risk Management Cycle
Inventory
• People, Process, Technology, Environment
• Relevance Levels
Analyze
• Knowledge Base
• Automated Collectors
• Web Interviews
• In-person Interviews
Evaluate
• Reports
• Indexes
• Charts
• Tables
Treat
• Recommendation follow-up
• Workflow Manager

Top-Down "Governance" Approach
(Diagram: Business Processes, Systems, Assets)

Eliminate Compliance Silos
Laws & Regulations: SOX, FISMA, BASEL II, NIST
Frameworks: 17799, COBIT
Controls: PEOPLE, POLICY, SERVER
Evidence: DOC, BKP, PASSWORD

GRC tools provide comprehensive support for the most commonly faced regulations, standards & frameworks, and more
Sample Frameworks
• A130
• Basel II
• BS25999
• COBIT
• DIACAP
• DOD 8500.2
• FFIEC
• FIPS 199
• FISAP
• FISMA
• GLBA
• HIPAA
• ISO27001
• ISO27002
• ITIL
• NERC-CIP
• NIST 800-53a
• OSHA
• PCI DSS
• SOX

Comprehensive Knowledge Base, including…
Technologies
• Cisco Router w/IOS 12
• Oracle 8 and 9i
• Microsoft SQL Server 7.0, 2000, 2005
• Unix Solaris 8 and 9
• Microsoft Exchange 5.5, 2000, 2003
• Microsoft IIS 4.0, 5.0, 6.0
• SAP AG R/3 4.0B, 4.6D
• Apache 1.3.27
• Windows XP, 2000, 2003, Vista
• Linux
• Access Point - WLAN
• Application System in Production
• Check Point VPN-1/FireWall-1 NG
• IBM Lotus Notes R5
• Microsoft ISA Server 2000, 2004
• PDA
• Firewalls
People
• IT Technician
• Senior Manager
• Security Officers
• Area or Process Manager
• End User
Processes
• Developed Application System (15408)
• Change Management
• Data and System Backup
• Systems Continuity Management
• Contracts with Vendors
• Business Process Information Flow
• IT Security Organization
• ISO 27001
• ISO 17799:2005
• CobiT 4.0 - IT Process Maturity
• FISMA
• PCI Data Security Standard
• HIPAA – NIST 800-66
• BITS - FISAP – AUP and SIG
Physical Controls
• Datacenter
• Office
350 Knowledge Bases, 20,000 Controls, 5000 Data Collectors

The MetaFramework
(Diagram: technology checklists such as WebServer, Windows, Router, Oracle and Unix; control areas such as Access Control, Change Management and Physical Controls; regulations and frameworks such as SOX, GLBA, HIPAA, PCI, Basel II and COBIT; evidence gathered by Automatic Collectors, Web Interview or Off-line Collector)
• Regulations, Standards & Frameworks (e.g., FISAP, PCI-DSS) mapped into ISO 27001
• GRC Metaframework: 350 Checklists with 20,000+ Controls
• 5000 Automatic Evidence Collectors
• 1200 "Atomic" Control Objective Packets mapped
Contains Knowledge about Controls
• Why is the control important?
• How to implement?
• If NOT implemented, to which threats am I susceptible?
• Where to learn more?

Knowledge Base
(The same four control questions, answered per knowledge base entry)

Using Automatic Collectors

Risk Acceptance and Treatment
(Diagram: business areas ERP, Order Entry, Financial, IT Department and Sales, each assessed across People, Technology, Process and Facility)
• Accept risk and communicate
• Unacceptable risk: send to treatment
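Two ideas the deck keeps returning to are worth seeing as working code: mapping one common ("atomic") control to many regulations at once, so a single piece of collected evidence satisfies several audits, and routing every gap to either accept-and-communicate or treatment by a risk threshold. The block below is an added example written for this page in Python; it is not code from Modulo's product or from the presenter. The control IDs, framework names, risk levels, the password-length collector and the evidence values are all constructed for illustration. It bakes in the one caveat an auditor will apply: a control with no collected evidence counts as not implemented.

```python
# Added example (not Modulo's product code): a minimal "meta-framework" model
# that maps each common control to several regulations/standards, scores gaps
# from collected evidence, and routes each gap to "accept" or "treat".
# Every control ID, framework name, risk level and evidence value below is
# constructed for illustration and is not taken from any real framework text.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    risk_if_missing: int        # 1 (low) .. 5 (high): exposure when NOT implemented
    frameworks: frozenset       # every regulation/standard this one control satisfies


# Constructed "atomic" controls; each maps to several frameworks at once.
CONTROLS: List[Control] = [
    Control("AC-01", "Minimum password length >= 12 enforced", 4,
            frozenset({"PCI DSS", "SOX", "ISO27001"})),
    Control("AC-02", "Privileged access reviewed quarterly", 3,
            frozenset({"SOX", "ISO27001", "HIPAA"})),
    Control("BK-01", "Daily backups with a tested restore", 5,
            frozenset({"ISO27001", "HIPAA", "BS25999"})),
    Control("PH-01", "Datacenter badge access logged", 2,
            frozenset({"PCI DSS", "ISO27001"})),
]


def collect_password_policy(config: Dict[str, int]) -> bool:
    """Automatic collector for AC-01 over a (constructed) system config dict.

    A real collector would read the setting from the host; here it is inline.
    """
    return config.get("min_password_length", 0) >= 12


def coverage(controls: List[Control], evidence: Dict[str, bool]) -> Dict[str, Tuple[int, int]]:
    """Per framework: (controls implemented, controls required).

    Missing evidence counts as NOT implemented, the safe default for an audit.
    """
    result: Dict[str, Tuple[int, int]] = {}
    for c in controls:
        implemented = evidence.get(c.control_id, False)
        for fw in c.frameworks:
            done, total = result.get(fw, (0, 0))
            result[fw] = (done + int(implemented), total + 1)
    return result


def gap_report(controls: List[Control], evidence: Dict[str, bool]) -> List[Tuple[str, int, List[str]]]:
    """Non-implemented controls, highest risk first, with the frameworks each gap breaks."""
    gaps = [(c.control_id, c.risk_if_missing, sorted(c.frameworks))
            for c in controls if not evidence.get(c.control_id, False)]
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


def route_treatment(controls: List[Control], evidence: Dict[str, bool],
                    accept_at_or_below: int) -> Dict[str, List[str]]:
    """Accept (and communicate) gaps at or below the threshold; send the rest to treatment."""
    decision: Dict[str, List[str]] = {"accept": [], "treat": []}
    for cid, risk, _ in gap_report(controls, evidence):
        decision["accept" if risk <= accept_at_or_below else "treat"].append(cid)
    return decision


# Constructed evidence: one collector result plus interview answers for the others.
SAMPLE_CONFIG = {"min_password_length": 8}       # weak setting, so AC-01 fails
SAMPLE_EVIDENCE: Dict[str, bool] = {
    "AC-01": collect_password_policy(SAMPLE_CONFIG),
    "AC-02": True,
    "BK-01": False,
    # "PH-01" deliberately absent: no evidence collected yet
}

if __name__ == "__main__":
    print(coverage(CONTROLS, SAMPLE_EVIDENCE))
    print(gap_report(CONTROLS, SAMPLE_EVIDENCE))
    print(route_treatment(CONTROLS, SAMPLE_EVIDENCE, accept_at_or_below=2))
```

Running it prints per-framework coverage, the gap list ordered by risk, and the accept/treat split at a threshold of 2. Raising the threshold moves more gaps into the accepted bucket, which is exactly the decision the slide asks management to make explicitly and communicate rather than leave implicit in a spreadsheet.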
Final Results - Samples

Dashboard

Detailed Risk Report

Benefits in using GRC Automation
• Saves up to 25% project time due to automatic collectors, evidence storage and automatic report generation
• Evidence repository stores artifacts such as access permissions, cryptography and audit logs
• Management based on progress indicators
• Operational Risk Report that details each non-implemented control's associated risk level
• Role-based access control
• Ease of common implementation across all GRC responsibilities
• Facilitates on-going compliance management
• Auditable repository
• Perpetual, Leased, Appliance or SaaS licenses

GRC Benefits

GRC SHOULD SERVE YOU
YOU SHOULD NOT SERVE GRC

QUESTIONS?

GRC: The Way Forward
James Finn
MODULO
james.finn@modulo.com
Rochester
703 336 3058