SlideShare a Scribd company logo
http://www.enterprisegrc.com
EnterpriseGRC Solutions Inc.
A Governance, Risk and
Compliance Company
A Service Oriented Approach
Policy Baseline, RunBook - CMDB,
Control Self Assessment, RiskWatch
http://www.enterprisegrc.com
Functional Teams IT Support – HR Facilities – Drive
SOD and Applications Controls Baseline
2
http://www.enterprisegrc.com
Internal Audit Addresses Dynamic Regulatory
Requirements and Risk Conditions
3
http://www.enterprisegrc.com
4
Every Organization Has Unique Needs
http://www.enterprisegrc.com
Enterprise Security and Compliance Custom Tabs
and Menus
5
http://www.enterprisegrc.com
ISO/IEC 17799:2005 – ISO 270001 Policy Mapping
 Mapping ISO 17799:2005 (270001) to
Finance, Legal, Business and IT
Policies
 Mapping CobiT to ISO allows us to
 Link evidence across Policy, Program,
Process and System
 Updates are evident to all areas in
real-time
6
http://www.enterprisegrc.com
© EnterpriseGRC Solutions, Inc. All Rights Reserved www.enterprisegrc.com
4Point GRC is A Service Oriented Architecture
7
http://www.enterprisegrc.com
Baseline Configuration Is Critical to Available Service
8
Enterprise ManagementSystems
Opportunitiesfor Workflow and Controls Automation
8
http://www.enterprisegrc.com
Link Configuration Management Database, Policy
Mapping, leveraging a Service Oriented Architecture
9
http://www.enterprisegrc.com
Link Configuration Management Database, Policy
Mapping, Service Oriented Architecture
10
http://www.enterprisegrc.com
Enable Continuous Service
11
http://www.enterprisegrc.com
Define the Control Relationship
12
http://www.enterprisegrc.com
RunBook Reports Satisfy Compliance Requirements
and Enable SOA - GRC
13
RunBooks provide a true CMDB of production services as
governed by Policies and Processes
Controlled Server and Application tables establish the system
inventory of tested items
Producing results in a searchable data format facilitates accurate
controls meta data, verified policy and systems associations, and
the foundation for accurate, complete and valid test design.
http://www.enterprisegrc.com
Automation of Audit Function
 Changes in the risk landscape are rapid, dynamic and cannot be managed by manual
process.
 Corporate audit function costs continue to rise due to increasing threats and events.
 Greater efficiency and cost effectiveness are achieved by:
 Automating audit processes
 Better monitoring tools and techniques
 Training key compliance team members
The R in GRC - Strategic Planning and Risk
Management
14
http://www.enterprisegrc.com
What is the value of implementing Enterprise
Risk Management ERM?
15
Enterprise Risk Management
helps business leadership
achieve the organization’s
performance
and profitability target$.
http://www.enterprisegrc.com
Why Risk Management?
16
•Likelihood of Material Loss Such As: Fraud, Critical
System Failure, Political Damage, Missed Strategic
Milestones or Significant Loss of Revenue.
Minimizes
•Delivery of Risk Information To The Business
Ensures
•Business Decisions By Providing A Management
Process For Capturing, Analyzing, Mitigating and
Monitoring Risks to the Business
Enables
•a Unified Management Process for Risk Response
Provides
http://www.enterprisegrc.com
Risk Management Programs, Guidance and Process
Quarterly
Business Review
Compliance
Hot-Line
IT RiskWatch
Assign Risk
Manager
Board
Reports
Vulnerability
Threat &
Vulnerability
Analysis
Input risk details
and status log
Residual Risk
Program
RiskWatch
Corporate
RiskWatch
Risk Meeting
IT Steering
Committee
http://www.enterprisegrc.com
Risk Watch Components
18
Risk
Identification
Business Risk
Assessment
Scope &
Boundary
Definition
Risk
Measurement
Risk Action
Plan
Risk
Acceptance
Safeguard
Selection
Risk
Assessment
Commitment
http://www.enterprisegrc.com
Risk Tracking
19
Respond
Report
Reduce
http://www.enterprisegrc.com
The Risk Management Process
20
http://www.enterprisegrc.com
Answers Simple Questions
21
What is Likelihood?
Define Likely
Define Relatively
Likelihood
Define Unlikely
Define Never
What is Impact?
Define Minor
Define Major
Define Catastrophic
What is
Significance?
In what
manner will
significance
change?
What were the
criteria we
used for our
interpretation
of significance?
http://www.enterprisegrc.com
Risk Mitigation
22
http://www.enterprisegrc.com
Key Role & Responsibilities
 Chief Financial officer
 Security Manager
 Risk Management Committee
 Risk Mitigation Implementation
Owners
 Stakeholders & Users
23
…Everyone in an entity has some responsibility for enterprise
risk management. The chief executive officer is ultimately
responsible and should assume ownership. Other managers
SUPPORT the entity’s risk management philosophy, promote
compliance with its risk appetite, and manage risks within
their spheres of responsibility consistent with risk tolerances.
A risk officer, financial officer, internal auditor, and others
usually have key SUPPORT responsibilities. Other entity
personnel are responsible for executing enterprise risk
management in accordance with established directives and
protocols. The board of directors provides important
oversight to enterprise risk management, and is aware of and
concurs with the entity’s risk appetite. A number of external
parties, such as customers, vendors, business partners,
external auditors, regulators, and financial analysts often
provide information useful in effecting enterprise risk
management, but they are not responsible for the
effectiveness of, nor are they a part of, the entity’s enterprise
risk management.
Enterprise Risk Management — Integrated Framework Executive Summary Copyright © September 2004 by the Committee of
Sponsoring organizations of the Treadway Commission.
http://www.enterprisegrc.com
Achieve Risk Transparency
24
Communicate -Risk-
Inputs and Agenda
Execute – Program,
Meetings, Risk
Response
Measure – Risk
Measurement & Impact
Analysis, Performance
Record – Meeting
Minutes, Management
Reporting
Archive – Meeting
Minutes, KPI Results
http://www.enterprisegrc.com
Risk Process Maturity
25
Level Maturity Description
3 Defined Process: An organization-wide risk management policy defines when and
how to conduct risk assessments. Risk assessment follows a defined process that
is documented and available to all staff through training. Decisions to follow the
process and to receive training are left to the individual’s discretion. The
methodology is convincing and sound, and ensures that key risks to the business
are likely to be identified. Decisions to follow the process are left to individual IT
managers and there is no procedure to ensure that all projects are covered or
that the ongoing operation is examined for risk on a regular basis.
Risk Management
10 2 543
Non-Existent Initial Repeatable Defined Managed Optimized
http://www.enterprisegrc.com
Risk Process Maturity
26
Level Maturity Description
4 Managed and Measurable: The assessment of risk is a standard procedure and exceptions
to following the procedure would be noticed by IT management. It is likely that IT risk
management is a defined management function with senior level responsibility. The
process is advanced and risk is assessed at the individual project level and also regularly
with regard to the overall IT operation. Management is advised on changes in the IT
environment which could significantly affect the risk scenarios, such as an increased threat
from the network or technical trends that affect the soundness of the IT strategy.
Management is able to monitor the risk position and make informed decisions regarding
the exposure it is willing to accept. Senior management and IT management have
determined the levels of risk that the organization will tolerate and have standard
measures for risk/return ratios. Management budgets for operational risk management
projects to reassess risks on a regular basis. A risk management database is established.
Risk Management
10 2 543
Non-Existent Initial Repeatable Defined Managed Optimized
http://www.enterprisegrc.com
Risk Process Maturity
27
Level Maturity Description
5 Optimized: Risk assessments have developed to the stage where a structured,
organization-wide process is enforced, followed regularly and well managed. Risk
brainstorming and root cause analysis, involving expert individuals, are applied
across the entire organization. The capturing, analysis and reporting of risk
management data are highly automated. Guidance is drawn from leaders in the
field and the IT organization takes part in peer groups to exchange experiences.
Risk management is truly integrated into all business and IT operations, is well
accepted and extensively involves the users of IT services.
Risk Management
10 2 543
Non-Existent Initial Repeatable Defined Managed Optimized
http://www.enterprisegrc.com
© EnterpriseGRC Solutions, Inc. All Rights Reserved www.enterprisegrc.com
Reap Benefits
http://www.enterprisegrc.com
Moving Through A Risk Cycle Status Codes
29
• Risk will be allowed to remain as described.
Risk is determined to be acceptable, given
business priorities & total vulnerability.
Reviewed &
Accepted
• Team is assigned to determine & implement
compensating controls
Controls
Required
• Exposure is determined to be unacceptable.
Team is to implement compensating controls
as quickly as possible.
Critical Controls
Required
• Emergency risk situation requires immediate
team management & notification.
Emergency –
Immediate
Action Required
http://www.enterprisegrc.com
Project Risk Management Purpose and Scope
 Facilitates The Effective Management of Risk Within An IT
Project
 Enables Project Team To Collaborate In
 Identifying Risk, Analyzing Risk, And Planning Appropriate Actions.
 Risk-related Actions Are Planned, Scheduled And Tracked As
Additional Tasks In The Project Plan
 Risk Tracking Occurs In A Risk Watch List
 On-going Activity Throughout The Project
 Depends On All Project Team Members Being Risk-aware,
Utilizing The Defined Risk Management Process
30
http://www.enterprisegrc.com
Corporate Risk Management Purpose & Scope
 Corporate Level Review of Company Specific Risk
 Roll Up of Individual Company Risks,
 Assignment of Relative Risk Criteria
 Ownership of Communicated Risk To Both
Shareholders And Throughout The Corporate
Enterprise.
 Governs How Corporate Leadership Interprets &
Assigns Weighted Value To Company Specific Risk &
Impact
 Initial Risk Assessment & Accountability Rests At
The Individual Company Level
 Disclosure Committee Reviews & Determines
Disclosure Requirements
31
http://www.enterprisegrc.com
Activity Outputs
32
•A person in the IT domain is made aware by interaction with others or through his/her own doing, of an apparent
technology weakness. This weakness is determined by management to possibly merit risk team consideration. The
risk is not associated with an SDM management effort, and therefore requires isolated entry to the RiskWatch
Apparent IT System or
Technology resource based
Vulnerability
•The significance evaluation is a formal process based in agreed standards for determining the quality
statements associated to an estimated risk. Establishing "RiskWatch COBIT Project Definitions" can be
achieved by implementing a template of criteria definitions
Significance Evaluation and
Risk Criteria Template
•Any IT person can launch the Risk Watch to enter details of a perceived risk. Management reviews the
risk to determine its appropriateness for Risk Watch. The steps to filling out the RiskWatch form are
detailed in the RiskWatch Form Entry Work Instruction
Report Risk
•Occurs weekly. Meeting is preceded by the posting of intended items for review and followed by posted
summary of results. Metrics are gathered and stored in the work products folder as determined by the
RiskWatch team.
RiskWatch Meeting Review
•Used to identify and document the threats and vulnerabilities associated with any asset being evaluated.
Threat & Vulnerability
Analysis
•Responds to identified threat by ensuring the risk response and compensating controls are effectively
enforcedSecurity Management
•The risk is mitigated to significance of 9 or less with acceptable controls in place.Mitigated Risk
•Fair and reasonable discovery and disclosure of risksAttestation of Risk
http://www.enterprisegrc.com
Process Exit Criteria
 Risk Process Continues Until The Process
Response Is Implemented
 Risk Is Mitigated To Acceptable Managed
Residual Risk or Removed
 Mitigated Risk Where Significance Is Less Than
“9” & Appropriate Controls Are Identified For
Ongoing Risk Management
33
http://www.enterprisegrc.com
© EnterpriseGRC Solutions, Inc. All Rights Reserved www.enterprisegrc.com
Security
Availability &
Contingency
Management
IT Service Design & Management
Service Level Management & Service Level Reporting Capacity
Management
Financial
Management
Resolution Processes
Incident and Problem Management
Control Processes
Asset & Configuration Management
Change Management
Release Processes
Release Management
Supplier Processes
Customer Relationship and
Supplier Management
Automation
Governance in IT Service Management
34
 Culture of change management
 Culture of causality
 Culture of compliance and desire to continually reduce variance
http://www.enterprisegrc.com
Change Management and Governance
35
Change Management’s Relationship to Governance
•Request for
Change RFC,
CMDB, Release
•Implementation
Plans
INPUTS
•Change
Management
Team
•Review Board
•Steering
COMMITTEE
•Implementations
•Meeting Minutes
•Schedules
OUTPUTS
•Reports
•Key Performance
Indicators
•Client Service
Metrics
Audit
http://www.enterprisegrc.com
© EnterpriseGRC Solutions, Inc. All Rights Reserved www.enterprisegrc.com
Enterprise Change Management
36
•business decisions by
providing a
management system
housing data for
analysis,
implementation and
follow-up
enable
• problem
management to
identify known
errors
support
Goal Of Change Management Goal of Change Management Systems
• the benefits to the business of
making changes to the IT
infrastructure
Maximize
• the risks involved in making
those changesMinimize
• that standardized methods and
procedures are used for efficient and
prompt handling of all changes
Ensure
• impact of change-related incidents
and improving day-to-day functionReduce
http://www.enterprisegrc.com
Business Process Application
Mapping
• Facilitate a walkthrough of each business process
• Identify those applications that support the processing of transactions
• Document the workflow of transactions through the entire process to
ensure complete identification of applications
Application Summary and Scope Development
• Complete list of applications
• Relevance, relation and criticality to the financial reporting
• Significance to the financial reporting process
• Management discretion, applications considered important or high risk
from management’s perspective
Application Technology Support Information
• in-scope for the Sarbanes-Oxley Program, gather complete RunBook
• Source of Application,
• purchased and implemented with and without customization,
• developed and maintained internally, and outsourced to a third-party.
• For Changes -the data of the last major change and next planned change
to each application.
Business Process Management
37
Business
Process
Application
Mapping
Application Scope
Development
Application
Technology
Support
Information
http://www.enterprisegrc.com
ISO/IEC 27001:2005
“ ISO/IEC 27001:2005 implements effective information security management in compliance with organizational
objectives and business requirements. Risk-based specification designed to take care of information security
aspects of corporate governance, protection of information assets, legal and contractual obligations as well
as the wide range of threats to an organization’s information and communications technology (ICT) systems
and business processes.” (re-number ISO/IEC 17799 as ISO/IEC 27002)
Define An
Information
Security Policy
Define scope of
the information
security
management
system
2
Perform A
Security Risk
Assessment
Manage the
identified risk
Select Controls
Implemented
5
Prepare
Statement Of
Applicability
ISO 27001 - This is the
specification for an information
security management system
(an ISMS) which replaced the old
BS7799-2 standard
ISO 27002 - 27000 series
standard number of what was
originally the ISO 17799
standard (which itself was
formerly known as BS7799-1)
ISO 27003 - standard guidance
for the implementation of an
ISMS (IS Management System)
ISO 27004 - information security
system management
measurement and metrics.
ISO 27005 - methodology
independent ISO standard for
information security risk
management
ISO 27006 - guidelines for the
accreditation of organizations
offering ISMS certification
http://www.enterprisegrc.com
ISO27001
Initiate
•Understand
Define
Information
Security
Policy
•Initial
Information
gathering
Define
ISMS
•Security
Manuals
•Procedures
•Guidelines
Templates
Assess
•Risk Analysis
Ranking
•Risk
Management
Develop
• Controls
Identification
&
Development
Readiness
• Statement of
applicability
• Assistance in
Implementation
and
Certification
Process
Plan Do Check Act
http://www.enterprisegrc.com
INTERNATIONAL STANDARD ISO/IEC 38500
 ISO - Performance of the organization
 Proper Corporate Governance of IT assists directors to ensure that IT use
contributes positively to the performance of the organization, through:
 Appropriate Implementation And Operation of IT Assets
 Clarity of Responsibility And Accountability For Both The Use And Provision of IT In
Achieving The Goals of The Organization
 Business Continuity And Sustainability
 Alignment of IT With Business Needs
 Efficient Allocation of Resources
 Innovation In Services, Markets, And Business
 Good Practice In Relationships With Stakeholders
 Reduction In The Costs For An Organization
 Actual Realization of The Approved Benefits From Each IT Investment
INTERNATIONAL STANDARD ISO/IEC 38500
http://www.enterprisegrc.com
Factors for Governance Success
Strong project management across IT (COBIT) and Finance Applications
(COSO)
 Foster a culture of commitment, collaboration and knowledge
transfer
 Regular status meetings (weekly or even daily in some cases)
Intelligent GRC (Governance, Risk, Compliance)
 “OHIO” (only handle it once) means reduce redundant controls. Find
and remove controls that are non essential to the scope of audit. Nail
questions before they come up through evidence of strong
automated and system based policy. Leverage team knowledge to
properly align controls to their rightful owners.
Fail Fast; pass slow
 Escalate non remediated controls (fails) before they become
“findings”
 Remove unnecessary tests
 Retest fails to confirm control design and validate against actual
statement of risk
41
http://www.enterprisegrc.com
Effectiveness
Deals with information being relevant and pertinent to the business process
as well as being delivered in a timely, correct, consistent, and usable
manner.
Efficiency Concerns the provision of information through the optimal ─ most
productive and economical ─ use of resources.
Confidentiality Concerns the protection of sensitive information from
unauthorized disclosure.
Integrity
Relates to the accuracy and completeness of information as well as
to its validity in accordance with business values and expectations.
Availability
Relates to information being available ,when required by the business process, at present and in the
future. It also concerns the safeguarding of necessary resources and associated capabilities.
Compliance Deals with complying with those laws, regulations, and contractual arrangements to which the business
process is subject, that is, externally imposed business criteria as well as internal policies.
Reliability Relates to the provision of appropriate information for the management to operate the entity and to exercise
its fiduciary and governance responsibilities.
Information Criteria
IT Resources
IT Processes
The COBIT Cube: Business Requirements
42© EnterpriseGRC Solutions, Inc. ISACA® and ITPreneurs ™All Rights Reserved - You could be earning credit right now! To learn more about accredited on line and live training 800 847-6821
http://www.enterprisegrc.com
IT Audit and
Compliance
Enterprise
Technology Risk
Management
Enterprise
Architecture
Business Continuity
Disaster Recovery
Enterprise GRC
Platforms and
Implementation
ERP Applications
Certification
Readiness
Data Warehousing
Business
Intelligence
Process
Reengineering
http://www.enterprisegrc.com
Some Key Points:
 Control frameworks are designed to reduce operating cost and risk while
optimizing service delivery
 A GRC program should:
 Reduce external dependencies
 Ensure that clients retains proprietary knowledge while reducing volume and time
on testing
 Adeptly tailor proven methodology to meet unique culture and technical and
business environment
 Meet and exceed goals set by leadership and critical industry regulation mandates
EnterpriseGRC Solutions Using Archer as our Audit
Governance Risk and Compliance Platform
44
Policy Management
Using ISO27001
EnterpriseGRC
Solutions maps HR, IT,
Finance, Business and
Legal Policy
Process & Policy
mapping according to
all major standards
Enterprise
Management
Baseline Configuration
Management (CMDB)
Using Asset Inventory
tools, create and
enable real-time
evidence of controls
enabled by service
operations.
Compliance
Management
CSA – (Control Self
Assessment) Based in
each organization’s
custom risk
frameworks, test
scripts and maturity,
Risk Assessments for
initial and continuing
audit phases
Risk Management
Enterprise Risk
Management - Top
Down - Dash boarding
program manages
actual exposures,
relative to real service,
real policy and
changing conditions
across the business &
IT.
4/4/2016

More Related Content

What's hot

Best Practices for Access Reviews - How to Reduce Risks and Improve Operation...
Best Practices for Access Reviews - How to Reduce Risks and Improve Operation...Best Practices for Access Reviews - How to Reduce Risks and Improve Operation...
Best Practices for Access Reviews - How to Reduce Risks and Improve Operation...
PECB
 
Module 2 information security risk management student slides ver 1.0
Module 2 information security risk management    student slides ver 1.0Module 2 information security risk management    student slides ver 1.0
Module 2 information security risk management student slides ver 1.0
Aladdin Dandis
 
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment QuestionnairesThird-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Corporater
 
Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery   student slides ver 1.0Module 4 disaster recovery   student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0
Aladdin Dandis
 
Security architecture frameworks
Security architecture frameworksSecurity architecture frameworks
Security architecture frameworks
John Arnold
 
Ch3 cism 2014
Ch3 cism 2014Ch3 cism 2014
Ch3 cism 2014
Aladdin Dandis
 
CISA DOMAIN 2 Governance & Management of IT
CISA DOMAIN 2 Governance & Management of ITCISA DOMAIN 2 Governance & Management of IT
CISA DOMAIN 2 Governance & Management of IT
ShivamSharma909
 
security_assessment_slides
security_assessment_slidessecurity_assessment_slides
security_assessment_slides
Steve Arnold
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
Ch4 cism 2014
Ch4 cism 2014Ch4 cism 2014
Ch4 cism 2014
Aladdin Dandis
 
Aligning Risk Management with ITIL
Aligning Risk Management with ITILAligning Risk Management with ITIL
Aligning Risk Management with ITIL
Austin Songer
 
Key risk indicators shareslide
Key risk indicators shareslideKey risk indicators shareslide
Key risk indicators shareslide
Zakaria Salah, Ph.D,MBA
 
D1 security and risk management v1.62
D1 security and risk management  v1.62D1 security and risk management  v1.62
D1 security and risk management v1.62
AlliedConSapCourses
 
Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?
Jim Meyer
 
Cybertopic_1security
Cybertopic_1securityCybertopic_1security
Cybertopic_1security
Anne Starr
 
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Aladdin Dandis
 
S Rod Simpson Resume
S Rod Simpson ResumeS Rod Simpson Resume
S Rod Simpson Resume
Rod Simpson CRISC, CISM, CISA
 
SAMA BCM Framework
SAMA BCM Framework SAMA BCM Framework
SAMA BCM Framework
Continuity and Resilience
 
Vulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation SlidesVulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation Slides
SlideTeam
 
Why You Should Prioritize Third Party Risk Management (TPRM) in Today's Marke...
Why You Should Prioritize Third Party Risk Management (TPRM) in Today's Marke...Why You Should Prioritize Third Party Risk Management (TPRM) in Today's Marke...
Why You Should Prioritize Third Party Risk Management (TPRM) in Today's Marke...
Resolver Inc.
 

What's hot (20)

Best Practices for Access Reviews - How to Reduce Risks and Improve Operation...
Best Practices for Access Reviews - How to Reduce Risks and Improve Operation...Best Practices for Access Reviews - How to Reduce Risks and Improve Operation...
Best Practices for Access Reviews - How to Reduce Risks and Improve Operation...
 
Module 2 information security risk management student slides ver 1.0
Module 2 information security risk management    student slides ver 1.0Module 2 information security risk management    student slides ver 1.0
Module 2 information security risk management student slides ver 1.0
 
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment QuestionnairesThird-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
 
Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery   student slides ver 1.0Module 4 disaster recovery   student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0
 
Security architecture frameworks
Security architecture frameworksSecurity architecture frameworks
Security architecture frameworks
 
Ch3 cism 2014
Ch3 cism 2014Ch3 cism 2014
Ch3 cism 2014
 
CISA DOMAIN 2 Governance & Management of IT
CISA DOMAIN 2 Governance & Management of ITCISA DOMAIN 2 Governance & Management of IT
CISA DOMAIN 2 Governance & Management of IT
 
security_assessment_slides
security_assessment_slidessecurity_assessment_slides
security_assessment_slides
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Ch4 cism 2014
Ch4 cism 2014Ch4 cism 2014
Ch4 cism 2014
 
Aligning Risk Management with ITIL
Aligning Risk Management with ITILAligning Risk Management with ITIL
Aligning Risk Management with ITIL
 
Key risk indicators shareslide
Key risk indicators shareslideKey risk indicators shareslide
Key risk indicators shareslide
 
D1 security and risk management v1.62
D1 security and risk management  v1.62D1 security and risk management  v1.62
D1 security and risk management v1.62
 
Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?
 
Cybertopic_1security
Cybertopic_1securityCybertopic_1security
Cybertopic_1security
 
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
 
S Rod Simpson Resume
S Rod Simpson ResumeS Rod Simpson Resume
S Rod Simpson Resume
 
SAMA BCM Framework
SAMA BCM Framework SAMA BCM Framework
SAMA BCM Framework
 
Vulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation SlidesVulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation Slides
 
Why You Should Prioritize Third Party Risk Management (TPRM) in Today's Marke...
Why You Should Prioritize Third Party Risk Management (TPRM) in Today's Marke...Why You Should Prioritize Third Party Risk Management (TPRM) in Today's Marke...
Why You Should Prioritize Third Party Risk Management (TPRM) in Today's Marke...
 

Viewers also liked

CobiT Foundation Free Training
CobiT Foundation Free TrainingCobiT Foundation Free Training
CobiT Foundation Free Training
EnterpriseGRC Solutions, Inc.
 
Cryptographic lifecycle security training
Cryptographic lifecycle security trainingCryptographic lifecycle security training
Cryptographic lifecycle security training
EnterpriseGRC Solutions, Inc.
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
EnterpriseGRC Solutions, Inc.
 
ISACA SV 2013 Winter Conference Brochure
ISACA SV 2013 Winter Conference BrochureISACA SV 2013 Winter Conference Brochure
ISACA SV 2013 Winter Conference Brochure
EnterpriseGRC Solutions, Inc.
 
CISSP Study Exercises, Just some good will to help my peers with their studies
CISSP Study Exercises, Just some good will to help my peers with their studiesCISSP Study Exercises, Just some good will to help my peers with their studies
CISSP Study Exercises, Just some good will to help my peers with their studies
EnterpriseGRC Solutions, Inc.
 
The Perils of Mount Must Read
The Perils of Mount Must ReadThe Perils of Mount Must Read
The Perils of Mount Must Read
EnterpriseGRC Solutions, Inc.
 
Procedures and Controls Documentation Guidelines
Procedures and Controls Documentation GuidelinesProcedures and Controls Documentation Guidelines
Procedures and Controls Documentation Guidelines
EnterpriseGRC Solutions, Inc.
 
The value of our data
The value of our dataThe value of our data
The value of our data
EnterpriseGRC Solutions, Inc.
 
Networking and communications security – network architecture design
Networking and communications security – network architecture designNetworking and communications security – network architecture design
Networking and communications security – network architecture design
EnterpriseGRC Solutions, Inc.
 
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
EnterpriseGRC Solutions, Inc.
 
LinkedIn SlideShare: Knowledge, Well-Presented
LinkedIn SlideShare: Knowledge, Well-PresentedLinkedIn SlideShare: Knowledge, Well-Presented
LinkedIn SlideShare: Knowledge, Well-Presented
SlideShare
 

Viewers also liked (11)

CobiT Foundation Free Training
CobiT Foundation Free TrainingCobiT Foundation Free Training
CobiT Foundation Free Training
 
Cryptographic lifecycle security training
Cryptographic lifecycle security trainingCryptographic lifecycle security training
Cryptographic lifecycle security training
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
 
ISACA SV 2013 Winter Conference Brochure
ISACA SV 2013 Winter Conference BrochureISACA SV 2013 Winter Conference Brochure
ISACA SV 2013 Winter Conference Brochure
 
CISSP Study Exercises, Just some good will to help my peers with their studies
CISSP Study Exercises, Just some good will to help my peers with their studiesCISSP Study Exercises, Just some good will to help my peers with their studies
CISSP Study Exercises, Just some good will to help my peers with their studies
 
The Perils of Mount Must Read
The Perils of Mount Must ReadThe Perils of Mount Must Read
The Perils of Mount Must Read
 
Procedures and Controls Documentation Guidelines
Procedures and Controls Documentation GuidelinesProcedures and Controls Documentation Guidelines
Procedures and Controls Documentation Guidelines
 
The value of our data
The value of our dataThe value of our data
The value of our data
 
Networking and communications security – network architecture design
Networking and communications security – network architecture designNetworking and communications security – network architecture design
Networking and communications security – network architecture design
 
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
 
LinkedIn SlideShare: Knowledge, Well-Presented
LinkedIn SlideShare: Knowledge, Well-PresentedLinkedIn SlideShare: Knowledge, Well-Presented
LinkedIn SlideShare: Knowledge, Well-Presented
 

Similar to Enterprise governance risk_compliance_fcm slides

Third-Party Risk Management: Implementing a Strategy
Third-Party Risk Management: Implementing a StrategyThird-Party Risk Management: Implementing a Strategy
Third-Party Risk Management: Implementing a Strategy
NICSA
 
Operational Risk Management - A Gateway to managing the risk profile of your...
Operational Risk Management -  A Gateway to managing the risk profile of your...Operational Risk Management -  A Gateway to managing the risk profile of your...
Operational Risk Management - A Gateway to managing the risk profile of your...
Eneni Oduwole
 
GP for Risk Management product sheet
GP for Risk Management product sheetGP for Risk Management product sheet
GP for Risk Management product sheet
Marco Villacorta Olano
 
Power your businesswith risk informed decisions
Power your businesswith risk informed decisionsPower your businesswith risk informed decisions
Power your businesswith risk informed decisions
Alireza Ghahrood
 
2016 Risk Management Workshop
2016 Risk Management Workshop2016 Risk Management Workshop
2016 Risk Management Workshop
Stacy Willis
 
Enterprise 360 degree risk management
Enterprise 360 degree risk managementEnterprise 360 degree risk management
Enterprise 360 degree risk management
Infosys
 
GP for Regulatory Management Product Sheet
GP for Regulatory Management Product SheetGP for Regulatory Management Product Sheet
GP for Regulatory Management Product Sheet
Marco Villacorta Olano
 
Qatar Proposal
Qatar ProposalQatar Proposal
Qatar Proposal
Absar Husain
 
Dealing with Operational and Ecosystem Risk
Dealing with Operational and Ecosystem RiskDealing with Operational and Ecosystem Risk
Dealing with Operational and Ecosystem Risk
Financial Services Innovators
 
It62015 slides
It62015 slidesIt62015 slides
It62015 slides
Jim Kaplan CIA CFE
 
CML Group GRCaaS Dashboard
CML Group GRCaaS Dashboard CML Group GRCaaS Dashboard
CML Group GRCaaS Dashboard
Jim Robins
 
Spire Brief - Risk Consulting
Spire Brief - Risk ConsultingSpire Brief - Risk Consulting
Spire Brief - Risk Consulting
Prashant Jain
 
Government and SOX Compliance for ERP Systems
Government and SOX Compliance for ERP SystemsGovernment and SOX Compliance for ERP Systems
Government and SOX Compliance for ERP Systems
Dan Aldridge, ERP Software Evangelist, LION
 
Risk Management and Risk Transfer
Risk Management and Risk TransferRisk Management and Risk Transfer
Risk Management and Risk Transfer
CBIZ, Inc.
 
Sample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdf
SathishKumar960827
 
RAP GC 2016
RAP GC 2016RAP GC 2016
How to Drive Value from Operational Risk Data - Part 2
How to Drive Value from Operational Risk Data - Part 2How to Drive Value from Operational Risk Data - Part 2
How to Drive Value from Operational Risk Data - Part 2
Perficient, Inc.
 
Strategic Risk Management - Keys to a Safer Future.pptx
Strategic Risk Management - Keys to a Safer Future.pptxStrategic Risk Management - Keys to a Safer Future.pptx
Strategic Risk Management - Keys to a Safer Future.pptx
elizabethrdusek
 
Strategic Risk Management - Keys to a Safer Future.pdf
Strategic Risk Management - Keys to a Safer Future.pdfStrategic Risk Management - Keys to a Safer Future.pdf
Strategic Risk Management - Keys to a Safer Future.pdf
elizabethrdusek
 
Applying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_effortsApplying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_efforts
Subhajit Bhuiya
 

Similar to Enterprise governance risk_compliance_fcm slides (20)

Third-Party Risk Management: Implementing a Strategy
Third-Party Risk Management: Implementing a StrategyThird-Party Risk Management: Implementing a Strategy
Third-Party Risk Management: Implementing a Strategy
 
Operational Risk Management - A Gateway to managing the risk profile of your...
Operational Risk Management -  A Gateway to managing the risk profile of your...Operational Risk Management -  A Gateway to managing the risk profile of your...
Operational Risk Management - A Gateway to managing the risk profile of your...
 
GP for Risk Management product sheet
GP for Risk Management product sheetGP for Risk Management product sheet
GP for Risk Management product sheet
 
Power your businesswith risk informed decisions
Power your businesswith risk informed decisionsPower your businesswith risk informed decisions
Power your businesswith risk informed decisions
 
2016 Risk Management Workshop
2016 Risk Management Workshop2016 Risk Management Workshop
2016 Risk Management Workshop
 
Enterprise 360 degree risk management
Enterprise 360 degree risk managementEnterprise 360 degree risk management
Enterprise 360 degree risk management
 
GP for Regulatory Management Product Sheet
GP for Regulatory Management Product SheetGP for Regulatory Management Product Sheet
GP for Regulatory Management Product Sheet
 
Qatar Proposal
Qatar ProposalQatar Proposal
Qatar Proposal
 
Dealing with Operational and Ecosystem Risk
Dealing with Operational and Ecosystem RiskDealing with Operational and Ecosystem Risk
Dealing with Operational and Ecosystem Risk
 
It62015 slides
It62015 slidesIt62015 slides
It62015 slides
 
CML Group GRCaaS Dashboard
CML Group GRCaaS Dashboard CML Group GRCaaS Dashboard
CML Group GRCaaS Dashboard
 
Spire Brief - Risk Consulting
Spire Brief - Risk ConsultingSpire Brief - Risk Consulting
Spire Brief - Risk Consulting
 
Government and SOX Compliance for ERP Systems
Government and SOX Compliance for ERP SystemsGovernment and SOX Compliance for ERP Systems
Government and SOX Compliance for ERP Systems
 
Risk Management and Risk Transfer
Risk Management and Risk TransferRisk Management and Risk Transfer
Risk Management and Risk Transfer
 
Sample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdf
 
RAP GC 2016
RAP GC 2016RAP GC 2016
RAP GC 2016
 
How to Drive Value from Operational Risk Data - Part 2
How to Drive Value from Operational Risk Data - Part 2How to Drive Value from Operational Risk Data - Part 2
How to Drive Value from Operational Risk Data - Part 2
 
Strategic Risk Management - Keys to a Safer Future.pptx
Strategic Risk Management - Keys to a Safer Future.pptxStrategic Risk Management - Keys to a Safer Future.pptx
Strategic Risk Management - Keys to a Safer Future.pptx
 
Strategic Risk Management - Keys to a Safer Future.pdf
Strategic Risk Management - Keys to a Safer Future.pdfStrategic Risk Management - Keys to a Safer Future.pdf
Strategic Risk Management - Keys to a Safer Future.pdf
 
Applying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_effortsApplying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_efforts
 

Recently uploaded

Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
Dinusha Kumarasiri
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Jeffrey Haguewood
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
Hiike
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!
GDSC PJATK
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
LucaBarbaro3
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
Shinana2
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 

Recently uploaded (20)

Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 

Enterprise governance risk_compliance_fcm slides

  • 1. http://www.enterprisegrc.com EnterpriseGRC Solutions Inc. A Governance, Risk and Compliance Company A Service Oriented Approach Policy Baseline, RunBook - CMDB, Control Self Assessment, RiskWatch
  • 2. http://www.enterprisegrc.com Functional Teams IT Support – HR Facilities – Drive SOD and Applications Controls Baseline 2
  • 3. http://www.enterprisegrc.com Internal Audit Addresses Dynamic Regulatory Requirements and Risk Conditions 3
  • 5. http://www.enterprisegrc.com Enterprise Security and Compliance Custom Tabs and Menus 5
  • 6. http://www.enterprisegrc.com ISO/IEC 17799:2005 – ISO 270001 Policy Mapping  Mapping ISO 17799:2005 (270001) to Finance, Legal, Business and IT Policies  Mapping CobiT to ISO allows us to  Link evidence across Policy, Program, Process and System  Updates are evident to all areas in real-time 6
  • 7. http://www.enterprisegrc.com © EnterpriseGRC Solutions, Inc. All Rights Reserved www.enterprisegrc.com 4Point GRC is A Service Oriented Architecture 7
  • 8. http://www.enterprisegrc.com Baseline Configuration Is Critical to Available Service 8 Enterprise ManagementSystems Opportunitiesfor Workflow and Controls Automation 8
  • 9. http://www.enterprisegrc.com Link Configuration Management Database, Policy Mapping, leveraging a Service Oriented Architecture 9
  • 10. http://www.enterprisegrc.com Link Configuration Management Database, Policy Mapping, Service Oriented Architecture 10
  • 13. http://www.enterprisegrc.com RunBook Reports Satisfy Compliance Requirements and Enable SOA - GRC 13 RunBooks provide a true CMDB of production services as governed by Policies and Processes Controlled Server and Application tables establish the system inventory of tested items Producing results in a searchable data format facilitates accurate controls meta data, verified policy and systems associations, and the foundation for accurate, complete and valid test design.
  • 14. http://www.enterprisegrc.com Automation of Audit Function  Changes in the risk landscape are rapid, dynamic and cannot be managed by manual process.  Corporate audit function costs continue to rise due to increasing threats and events.  Greater efficiency and cost effectiveness are achieved by:  Automating audit processes  Better monitoring tools and techniques  Training key compliance team members The R in GRC - Strategic Planning and Risk Management 14
  • 15. http://www.enterprisegrc.com What is the value of implementing Enterprise Risk Management ERM? 15 Enterprise Risk Management helps business leadership achieve the organization’s performance and profitability target$.
  • 16. http://www.enterprisegrc.com Why Risk Management? 16 •Likelihood of Material Loss Such As: Fraud, Critical System Failure, Political Damage, Missed Strategic Milestones or Significant Loss of Revenue. Minimizes •Delivery of Risk Information To The Business Ensures •Business Decisions By Providing A Management Process For Capturing, Analyzing, Mitigating and Monitoring Risks to the Business Enables •a Unified Management Process for Risk Response Provides
  • 17. http://www.enterprisegrc.com Risk Management Programs, Guidance and Process Quarterly Business Review Compliance Hot-Line IT RiskWatch Assign Risk Manager Board Reports Vulnerability Threat & Vulnerability Analysis Input risk details and status log Residual Risk Program RiskWatch Corporate RiskWatch Risk Meeting IT Steering Committee
  • 18. http://www.enterprisegrc.com Risk Watch Components 18 Risk Identification Business Risk Assessment Scope & Boundary Definition Risk Measurement Risk Action Plan Risk Acceptance Safeguard Selection Risk Assessment Commitment
  • 21. http://www.enterprisegrc.com Answers Simple Questions 21 What is Likelihood? Define Likely Define Relatively Likelihood Define Unlikely Define Never What is Impact? Define Minor Define Major Define Catastrophic What is Significance? In what manner will significance change? What were the criteria we used for our interpretation of significance?
  • 23. http://www.enterprisegrc.com Key Role & Responsibilities  Chief Financial officer  Security Manager  Risk Management Committee  Risk Mitigation Implementation Owners  Stakeholders & Users 23 …Everyone in an entity has some responsibility for enterprise risk management. The chief executive officer is ultimately responsible and should assume ownership. Other managers SUPPORT the entity’s risk management philosophy, promote compliance with its risk appetite, and manage risks within their spheres of responsibility consistent with risk tolerances. A risk officer, financial officer, internal auditor, and others usually have key SUPPORT responsibilities. Other entity personnel are responsible for executing enterprise risk management in accordance with established directives and protocols. The board of directors provides important oversight to enterprise risk management, and is aware of and concurs with the entity’s risk appetite. A number of external parties, such as customers, vendors, business partners, external auditors, regulators, and financial analysts often provide information useful in effecting enterprise risk management, but they are not responsible for the effectiveness of, nor are they a part of, the entity’s enterprise risk management. Enterprise Risk Management — Integrated Framework Executive Summary Copyright © September 2004 by the Committee of Sponsoring organizations of the Treadway Commission.
  • 24. http://www.enterprisegrc.com Achieve Risk Transparency 24 Communicate -Risk- Inputs and Agenda Execute – Program, Meetings, Risk Response Measure – Risk Measurement & Impact Analysis, Performance Record – Meeting Minutes, Management Reporting Archive – Meeting Minutes, KPI Results
  • 25. http://www.enterprisegrc.com Risk Process Maturity 25 Level Maturity Description 3 Defined Process: An organization-wide risk management policy defines when and how to conduct risk assessments. Risk assessment follows a defined process that is documented and available to all staff through training. Decisions to follow the process and to receive training are left to the individual’s discretion. The methodology is convincing and sound, and ensures that key risks to the business are likely to be identified. Decisions to follow the process are left to individual IT managers and there is no procedure to ensure that all projects are covered or that the ongoing operation is examined for risk on a regular basis. Risk Management 10 2 543 Non-Existent Initial Repeatable Defined Managed Optimized
  • 26. http://www.enterprisegrc.com Risk Process Maturity 26 Level Maturity Description 4 Managed and Measurable: The assessment of risk is a standard procedure and exceptions to following the procedure would be noticed by IT management. It is likely that IT risk management is a defined management function with senior level responsibility. The process is advanced and risk is assessed at the individual project level and also regularly with regard to the overall IT operation. Management is advised on changes in the IT environment which could significantly affect the risk scenarios, such as an increased threat from the network or technical trends that affect the soundness of the IT strategy. Management is able to monitor the risk position and make informed decisions regarding the exposure it is willing to accept. Senior management and IT management have determined the levels of risk that the organization will tolerate and have standard measures for risk/return ratios. Management budgets for operational risk management projects to reassess risks on a regular basis. A risk management database is established. Risk Management 10 2 543 Non-Existent Initial Repeatable Defined Managed Optimized
  • 27. http://www.enterprisegrc.com Risk Process Maturity 27 Level Maturity Description 5 Optimized: Risk assessments have developed to the stage where a structured, organization-wide process is enforced, followed regularly and well managed. Risk brainstorming and root cause analysis, involving expert individuals, are applied across the entire organization. The capturing, analysis and reporting of risk management data are highly automated. Guidance is drawn from leaders in the field and the IT organization takes part in peer groups to exchange experiences. Risk management is truly integrated into all business and IT operations, is well accepted and extensively involves the users of IT services. Risk Management 10 2 543 Non-Existent Initial Repeatable Defined Managed Optimized
  • 28. http://www.enterprisegrc.com © EnterpriseGRC Solutions, Inc. All Rights Reserved www.enterprisegrc.com Reap Benefits
  • 29. http://www.enterprisegrc.com Moving Through A Risk Cycle Status Codes 29 • Risk will be allowed to remain as described. Risk is determined to be acceptable, given business priorities & total vulnerability. Reviewed & Accepted • Team is assigned to determine & implement compensating controls Controls Required • Exposure is determined to be unacceptable. Team is to implement compensating controls as quickly as possible. Critical Controls Required • Emergency risk situation requires immediate team management & notification. Emergency – Immediate Action Required
  • 30. http://www.enterprisegrc.com Project Risk Management Purpose and Scope  Facilitates The Effective Management of Risk Within An IT Project  Enables Project Team To Collaborate In  Identifying Risk, Analyzing Risk, And Planning Appropriate Actions.  Risk-related Actions Are Planned, Scheduled And Tracked As Additional Tasks In The Project Plan  Risk Tracking Occurs In A Risk Watch List  On-going Activity Throughout The Project  Depends On All Project Team Members Being Risk-aware, Utilizing The Defined Risk Management Process 30
  • 31. http://www.enterprisegrc.com Corporate Risk Management Purpose & Scope  Corporate Level Review of Company Specific Risk  Roll Up of Individual Company Risks,  Assignment of Relative Risk Criteria  Ownership of Communicated Risk To Both Shareholders And Throughout The Corporate Enterprise.  Governs How Corporate Leadership Interprets & Assigns Weighted Value To Company Specific Risk & Impact  Initial Risk Assessment & Accountability Rests At The Individual Company Level  Disclosure Committee Reviews & Determines Disclosure Requirements 31
  • 32. http://www.enterprisegrc.com Activity Outputs 32 •A person in the IT domain is made aware by interaction with others or through his/her own doing, of an apparent technology weakness. This weakness is determined by management to possibly merit risk team consideration. The risk is not associated with an SDM management effort, and therefore requires isolated entry to the RiskWatch Apparent IT System or Technology resource based Vulnerability •The significance evaluation is a formal process based in agreed standards for determining the quality statements associated to an estimated risk. Establishing "RiskWatch COBIT Project Definitions" can be achieved by implementing a template of criteria definitions Significance Evaluation and Risk Criteria Template •Any IT person can launch the Risk Watch to enter details of a perceived risk. Management reviews the risk to determine its appropriateness for Risk Watch. The steps to filling out the RiskWatch form are detailed in the RiskWatch Form Entry Work Instruction Report Risk •Occurs weekly. Meeting is preceded by the posting of intended items for review and followed by posted summary of results. Metrics are gathered and stored in the work products folder as determined by the RiskWatch team. RiskWatch Meeting Review •Used to identify and document the threats and vulnerabilities associated with any asset being evaluated. Threat & Vulnerability Analysis •Responds to identified threat by ensuring the risk response and compensating controls are effectively enforcedSecurity Management •The risk is mitigated to significance of 9 or less with acceptable controls in place.Mitigated Risk •Fair and reasonable discovery and disclosure of risksAttestation of Risk
  • 33. http://www.enterprisegrc.com Process Exit Criteria  Risk Process Continues Until The Process Response Is Implemented  Risk Is Mitigated To Acceptable Managed Residual Risk or Removed  Mitigated Risk Where Significance Is Less Than “9” & Appropriate Controls Are Identified For Ongoing Risk Management 33
  • 34. http://www.enterprisegrc.com © EnterpriseGRC Solutions, Inc. All Rights Reserved www.enterprisegrc.com Security Availability & Contingency Management IT Service Design & Management Service Level Management & Service Level Reporting Capacity Management Financial Management Resolution Processes Incident and Problem Management Control Processes Asset & Configuration Management Change Management Release Processes Release Management Supplier Processes Customer Relationship and Supplier Management Automation Governance in IT Service Management 34  Culture of change management  Culture of causality  Culture of compliance and desire to continually reduce variance
  • 35. http://www.enterprisegrc.com Change Management and Governance 35 Change Management’s Relationship to Governance •Request for Change RFC, CMDB, Release •Implementation Plans INPUTS •Change Management Team •Review Board •Steering COMMITTEE •Implementations •Meeting Minutes •Schedules OUTPUTS •Reports •Key Performance Indicators •Client Service Metrics Audit
  • 36. http://www.enterprisegrc.com © EnterpriseGRC Solutions, Inc. All Rights Reserved www.enterprisegrc.com Enterprise Change Management 36 •business decisions by providing a management system housing data for analysis, implementation and follow-up enable • problem management to identify known errors support Goal Of Change Management Goal of Change Management Systems • the benefits to the business of making changes to the IT infrastructure Maximize • the risks involved in making those changesMinimize • that standardized methods and procedures are used for efficient and prompt handling of all changes Ensure • impact of change-related incidents and improving day-to-day functionReduce
  • 37. http://www.enterprisegrc.com Business Process Application Mapping • Facilitate a walkthrough of each business process • Identify those applications that support the processing of transactions • Document the workflow of transactions through the entire process to ensure complete identification of applications Application Summary and Scope Development • Complete list of applications • Relevance, relation and criticality to the financial reporting • Significance to the financial reporting process • Management discretion, applications considered important or high risk from management’s perspective Application Technology Support Information • in-scope for the Sarbanes-Oxley Program, gather complete RunBook • Source of Application, • purchased and implemented with and without customization, • developed and maintained internally, and outsourced to a third-party. • For Changes -the data of the last major change and next planned change to each application. Business Process Management 37 Business Process Application Mapping Application Scope Development Application Technology Support Information
  • 38. http://www.enterprisegrc.com ISO/IEC 27001:2005 “ ISO/IEC 27001:2005 implements effective information security management in compliance with organizational objectives and business requirements. Risk-based specification designed to take care of information security aspects of corporate governance, protection of information assets, legal and contractual obligations as well as the wide range of threats to an organization’s information and communications technology (ICT) systems and business processes.” (re-number ISO/IEC 17799 as ISO/IEC 27002) Define An Information Security Policy Define scope of the information security management system 2 Perform A Security Risk Assessment Manage the identified risk Select Controls Implemented 5 Prepare Statement Of Applicability ISO 27001 - This is the specification for an information security management system (an ISMS) which replaced the old BS7799-2 standard ISO 27002 - 27000 series standard number of what was originally the ISO 17799 standard (which itself was formerly known as BS7799-1) ISO 27003 - standard guidance for the implementation of an ISMS (IS Management System) ISO 27004 - information security system management measurement and metrics. ISO 27005 - methodology independent ISO standard for information security risk management ISO 27006 - guidelines for the accreditation of organizations offering ISMS certification
  • 40. http://www.enterprisegrc.com INTERNATIONAL STANDARD ISO/IEC 38500  ISO - Performance of the organization  Proper Corporate Governance of IT assists directors to ensure that IT use contributes positively to the performance of the organization, through:  Appropriate Implementation And Operation of IT Assets  Clarity of Responsibility And Accountability For Both The Use And Provision of IT In Achieving The Goals of The Organization  Business Continuity And Sustainability  Alignment of IT With Business Needs  Efficient Allocation of Resources  Innovation In Services, Markets, And Business  Good Practice In Relationships With Stakeholders  Reduction In The Costs For An Organization  Actual Realization of The Approved Benefits From Each IT Investment INTERNATIONAL STANDARD ISO/IEC 38500
  • 41. http://www.enterprisegrc.com Factors for Governance Success Strong project management across IT (COBIT) and Finance Applications (COSO)  Foster a culture of commitment, collaboration and knowledge transfer  Regular status meetings (weekly or even daily in some cases) Intelligent GRC (Governance, Risk, Compliance)  “OHIO” (only handle it once) means reduce redundant controls. Find and remove controls that are non essential to the scope of audit. Nail questions before they come up through evidence of strong automated and system based policy. Leverage team knowledge to properly align controls to their rightful owners. Fail Fast; pass slow  Escalate non remediated controls (fails) before they become “findings”  Remove unnecessary tests  Retest fails to confirm control design and validate against actual statement of risk 41
  • 42. http://www.enterprisegrc.com Effectiveness Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, and usable manner. Efficiency Concerns the provision of information through the optimal ─ most productive and economical ─ use of resources. Confidentiality Concerns the protection of sensitive information from unauthorized disclosure. Integrity Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations. Availability Relates to information being available ,when required by the business process, at present and in the future. It also concerns the safeguarding of necessary resources and associated capabilities. Compliance Deals with complying with those laws, regulations, and contractual arrangements to which the business process is subject, that is, externally imposed business criteria as well as internal policies. Reliability Relates to the provision of appropriate information for the management to operate the entity and to exercise its fiduciary and governance responsibilities. Information Criteria IT Resources IT Processes The COBIT Cube: Business Requirements 42© EnterpriseGRC Solutions, Inc. ISACA® and ITPreneurs ™All Rights Reserved - You could be earning credit right now! To learn more about accredited on line and live training 800 847-6821
  • 43. http://www.enterprisegrc.com IT Audit and Compliance Enterprise Technology Risk Management Enterprise Architecture Business Continuity Disaster Recovery Enterprise GRC Platforms and Implementation ERP Applications Certification Readiness Data Warehousing Business Intelligence Process Reengineering
  • 44. http://www.enterprisegrc.com Some Key Points:  Control frameworks are designed to reduce operating cost and risk while optimizing service delivery  A GRC program should:  Reduce external dependencies  Ensure that clients retains proprietary knowledge while reducing volume and time on testing  Adeptly tailor proven methodology to meet unique culture and technical and business environment  Meet and exceed goals set by leadership and critical industry regulation mandates EnterpriseGRC Solutions Using Archer as our Audit Governance Risk and Compliance Platform 44 Policy Management Using ISO27001 EnterpriseGRC Solutions maps HR, IT, Finance, Business and Legal Policy Process & Policy mapping according to all major standards Enterprise Management Baseline Configuration Management (CMDB) Using Asset Inventory tools, create and enable real-time evidence of controls enabled by service operations. Compliance Management CSA – (Control Self Assessment) Based in each organization’s custom risk frameworks, test scripts and maturity, Risk Assessments for initial and continuing audit phases Risk Management Enterprise Risk Management - Top Down - Dash boarding program manages actual exposures, relative to real service, real policy and changing conditions across the business & IT. 4/4/2016