Complex Process – The current process is very complex to track and manage, as it is mostly done manually and is prone to errors. The workflow is also inconsistent between business units, which makes it hard to harmonize IT risk management activities at an enterprise level. Timely and accurate reporting (required to support informed decisions), especially for audit purposes, is more challenging and less accurate.

Inefficient Process – Because current processes are mostly manual, it is difficult to gather, analyze, and report against risk and control activities. This increases the time required to complete IT risk management and compliance activities, especially when an external party (assessment) is involved. With many overlaps between different regulations and standards, it is important to cross-reference the compliance areas, minimizing redundancy and maximizing efficiency.

Poor Quality – The existing process lacks the capability to prioritize risk across mandates, which is important for applying controls where they matter most. Since the current process is mostly manual, consolidating IT risk and compliance management activities is also a challenge, which makes comparing and reporting activities between business units complex.

High Cost – Duplication of effort and inconsistent processes. Manual methods take more time to complete assessments and are prone to errors. Consolidating information is challenging! Manual effort for ITRM compliance activities (interviews, IA, documentation, TRA, remediation, VA, VA remediation) can add up! A FRAGMENTED APPROACH is EXPENSIVE. Relying on what people tell you. Inability to get evidence. Some were doing IA against assets and some were not.

Lack of Visibility – Timely reporting or trending capabilities are non-existent or challenging. No idea where you stand at a given point in time.
People, Process, Technology.

Create Roles and Responsibilities.

Implement in PHASES. Phase I (plan and purchase, asset selection, self-assessment), Phase II (assessment validation, TRA, exception tracking, reporting), Phase III (leverage with other compliance mandates, expand functionality, etc.).

Established and adopted a common framework – What framework must be adopted for compliance management? We adopted our ISO-based ITRM policy. We started out asking for evidence for only critical assets.

Scope – Break the project into reasonable chunks. Start with basic functionality (automation of questionnaires, reporting, etc.). Asset data is contained in a variety of repositories across a wide set of network, system and security management products.
Communication and Awareness – Early communication and awareness of critical stakeholders in the process (Compliance Specialists, Control Owners, and Audit Services). We utilized lunch and learns, desk drops, training, etc.

Align Methodologies – We aligned our RM strategies with the auditing methodology. Get on AS's audit plan. It's impossible to assess each component. NOW we are looking at controls AND risk. Audit Services' role is to provide ASSURANCE on all significant aspects of GRC. We provide guidelines on what evidence to provide.

Start with basic self-assessment functionality – Use web-based questionnaires to automate assessment. Capture pertinent evidence. Basic reporting. We utilized IT control self-assessment survey functions to help measure compliance with our established policies.
Overwhelming Control Owners – Provide sufficient training and advance awareness; otherwise COs can be overwhelmed. We have just added more work to their already busy schedule. Enable COs by using automation where possible to help them do their jobs more efficiently.

Quality Control of the first assessment – Human judgment required. QA will be required to determine whether adequate evidence was submitted and to ensure the CO answered all the questions correctly. Garbage IN = Garbage OUT. Compliance Specialists need to be familiar with the types of risks.

Audit is an enabler – Work with them to build RM/Compliance QA work into their work plan. Bring to the table "Monitoring and Auditing" controls + improvement opportunities.

Asset Repository – Most companies don't have a list of their assets. We started with what WE KNOW. Start with critical assets and try to cover all in a year.
Improved Quality – Consistent process, less prone to errors since questionnaires are automated; capturing evidence is possible.

Increased Efficiency – Cost savings associated with all COs and Compliance Specialists using a consistent process and common tools = fewer errors, less duplication, more meaningful reporting = Single Source of Truth = SINGLE PLATFORM ENTERPRISE WIDE.

Adoption by Control Owners – They ask questions, complete questionnaires, and provide valuable feedback for improvement.

Compliance Reporting – Immediate visual representation of compliance status supports effective decision making.
Integration with other areas – AS, Physical Security, IC, Operational Security best practices – Break silos.

Integration with other IT compliance mandates (SOX, TSA PSG, API 1164, etc.) – Transportation Security Administration Pipeline Security Guidelines, Pipeline SCADA Security. OFTEN an overlap of assets and people; CONSIDER using a GRC solution for everything. Familiar with ONE platform to satisfy multiple mandates.

Remediation and exception management – Tracks the life cycle of identified gaps and authorized policy exceptions.

Leverage integration with 3rd-party tools (VA tools – Qualys, Remedy, EFS, etc.). UTILIZE workflow capabilities with other integrated solutions.

Improved Reporting – Customized for our ITRM policy.