The document discusses governance, risk, and compliance (GRC) and integrated GRC (iGRC). It defines GRC, risk management, and compliance. It outlines challenges with current GRC approaches like complexity, duplication, and silos. The goals of iGRC are outlined as awareness, alignment, responsiveness, agility, resilience, and learning. iGRC frameworks like OCEG are presented, as well as how technology can support iGRC. Universal outcomes of improved objectives, culture, confidence, adversity handling, and value optimization are reviewed.
What is GRC – Governance, Risk and Compliance (BOC Group)
A simple guide to learn what Governance, Risk and Compliance (GRC) is all about, why it’s important and how you can use it to help drive enterprise objectives.
For more information visit: https://www.boc-group.com/governance-risk-and-compliance/
Governance, Risk, and Compliance Services (Capgemini)
Capgemini’s integrated and centralized approach to Governance, Risk, and Compliance (GRC) breaks through traditional functional silos to deliver effective enterprise risk management and compliance as a continuous process. We help organizations manage a range of enterprise risks in the areas of IT, finance and accounting, operations, and regulatory compliance with flexible solutions comprised of a highly qualified CPA and CISA talent pool, innovative tools, and our unique collection of GPM best practice processes and controls.
A corporation must have social acceptance to survive and grow.
Society’s expectations change through:
1. Changing population mix.
2. Changing values and orientations.
Business performance changes through:
1. Economic, competitive, and structural conditions.
2. Regulatory constraints.
3. Futuristic, long-term orientation.
4. Leadership style.
Presentation from GRC 2014 on 15 May. Feel free to contact the speaker if you have any questions. The full schedule for the event is here: http://www.transcendentgroup.com/sv/har-har-du-hela-schemat-for-grc-2014/
A fragmented governance, risk, and compliance (GRC) landscape leaves organizations to sort through a multitude of visions. Blue Hill identifies basic defining characteristics of GRC and how the changing business environment is leading organizations to pay more attention.
Just created a slideshare presentation giving a basic introduction to ISO27001 and its Scope, Implementation & Application. You can see more slideshows on http://www.slideshare.net/ImranahmedIT or visit my website: http://imran-ahmed.co.uk
Introduction to Risk Management via the NIST Cyber Security Framework (PECB)
The cyber security profession has successfully established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Application of the CSF within cyber is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlights opportunities for expanded application to cyber, physical, and personnel security risks. The NIST CSF can help practitioners build a cross-pollinated understanding of holistic risk.
Main points covered:
• Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms.
• Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments.
• Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management.
Presenters:
David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, Security Systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the InfraGard FBI program. David holds Certified Protection Professional (CPP) and Project Management Professional (PMP) certifications.
Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Specializing in Homeland Security, Andrea leverages her experience in managing projects to support various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record in recognizing security gaps and corrective risk mitigation options, while effectively communicating findings to stakeholders, private sector owners and operators, and first-responder personnel at the tactical, operational and strategic levels. Overall, Andrea applies analytical tradecraft and demonstrates consistent, repeatable and defensible methodologies pertaining to risk and the elements of threat, vulnerability and consequence.
Recorded webinar: https://youtu.be/hxpuYtMQgf0
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks (Aronson LLC)
Significant opportunities remain for organizations to continue to strengthen their approaches to identifying and assessing key risks. This program will provide an overview of Enterprise Risk Management (ERM) best practices and current emerging risks that should be on your radar for 2018.
Watch the complete webinar here: https://aronsonllc.com/c-suites-guide-to-enterprise-risk-management-and-emerging-risks/?sf_data=all&_sft_insight-type=on-demand-webinar
Enterprise Risk Management - Aligning Risk with Strategy and Performance (Resolver Inc.)
COSO, which has provided global thought leadership and guidance on internal control, enterprise risk management, and fraud deterrence for over three decades, recently released a draft update to the original COSO ERM Framework. This framework is widely used by organizations to enhance their ability to manage uncertainty, gauge risk, and increase stakeholder value. However, significant new risks have emerged since the Framework was released, demanding heightened board awareness and oversight of risk management, as well as improved risk reporting. For those organizations exploring ESRM – these themes will be strikingly familiar and the lessons learned, highly relevant.
Presentation by: Bob Hirth, Global Chairman of COSO.
2022 Webinar - ISO 27001 Certification.pdf (ControlCase)
ControlCase Introduction
What is ISO 27001?
What is ISO 27002?
What is ISO 27701, ISO 27017, & ISO 27018?
What is an ISMS?
What is ISO 27001 Certification?
Who Needs ISO 27001?
What is Covered in ISO 27001?
How Many Controls in ISO 27001?
What is the ISO 27001 Certification Process?
How Often Do You Need ISO 27001 Certification?
What are the Challenges to ISO 27001 Compliance?
Why ControlCase?
The underlying premise of enterprise risk management is that the Company exists to provide value for its stakeholders – customers, employees, and shareholders. Like any business, every Company faces some uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables senior management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value. Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives. These capabilities inherent in enterprise risk management help management achieve the Company’s performance and profitability targets, and minimize loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the Company’s reputation and associated consequences. In sum, enterprise risk management helps the Company get to where it wants to go and avoid pitfalls and surprises along the way. Enterprise risk management encompasses:
• Aligning Risk Appetite and Strategy
• Enhancing Risk Response Decisions
• Reducing Operational Surprises and Losses
• Identifying and Managing Multiple and Cross-Enterprise Risks
• Seizing Opportunities
• Improving Deployment of Capital
• Leveraging Talent, Structure, Process, and Capital
Here are some small steps to achieve ISO 27001 implementation.
I believe ISO 27001/2 is key to establishing security in organizations and helps companies keep the whole ISMS program running, aligned with continuous improvement.
ISO 27001 has been identified by the ICO and recognized by GCHQ/NCSC in the past as the key standard to support GDPR.
Third-Party Risk Management: Implementing a Strategy (NICSA)
Two Part Series: Part I of II
Third-Party Risk Management: Implementing a Strategy
Sleep Better at Night: Learn techniques to manage risks associated with third-party relationships.
Achieving GRC Excellence White Paper.pdf (infosecTrain)
This comprehensive PDF outlines the journey to a successful career in Governance, Risk, and Compliance (GRC). Explore the key components of GRC, such as regulatory compliance, risk management, and corporate governance. Learn how to build the necessary skills, gain experience, and acquire relevant certifications to excel in this dynamic field. This roadmap equips individuals with the knowledge and strategies to achieve excellence in GRC roles.
Free GRC Archer Masterclass - https://www.infosectrain.com/events/grc-archer-masterclass/
Achieving GRC Excellence White Paper (6).pdf (Infosec train)
Ready to navigate the complex world of GRC like a pro? Introducing our guide book curated by industry expert Prabh Nair on Achieving GRC Excellence: The Roadmap to a Career in Governance, Risk Management, and Compliance. Whether you're a GRC novice or a seasoned pro, this comprehensive guide is your pathway to success, helping you achieve greater efficiency, compliance, and resilience.
From Cave Man to Business Man, the Evolution of the CISO to CIRO (Priyanka Aash)
The CISO is evolving to CIRO. Successful IT security leaders are transforming their skills to meet the demands for today and future needs of their organization. A CIRO understands how to prepare board presentations, information risk management, third-party risk and regulatory requirements, and how to balance those with the needs of the business. Earn your seat at the table by becoming a CIRO!
(Source: RSA USA 2016-San Francisco)
IT Risk Management & Leadership, 30 March - 02 April 2014, Dubai, UAE (360 BSI)
Are you effectively securing your organization’s IT systems that store, process, or transmit organizational information?
Is your IT risk management plan tailored to the specific risk profile of your business and being coordinated across all functional and business units?
With the release of IT Governance frameworks, requirements for risk management and new international standards entering the market, the pressure is mounting to ensure that all your IT risks are identified and the necessary action is taken – be this to mitigate them, accept or ignore them. So, how safe is your IT system? What are the risks that your organization is being exposed to?
The solution to this challenge is to establish an effective risk management process that protects the organization, not just its IT assets, and provides it with the ability to perform its mission.
Risk management is the process of identifying and assessing risk and taking preventive measures to reduce it to an acceptable level. It is critical that you develop an effective risk management program that assesses and mitigates risks within your IT systems and better manages these IT-related mission risks.
BENEFITS OF ATTENDING THIS WORKSHOP
Identify common IT project risks
Learn how to assess threats and vulnerabilities to create a risk response strategy
Understand what qualifies as risk with IT projects
Understand the most common IT risk sources
Qualify and quantify IT risks
Learn the difference between negative and positive IT risks
Develop an IT risk management plan
Plan risk response methods for IT risks
Create risk mitigation and contingency plans
Monitor and control project risks
Overcome resistance from stakeholders and team members
WHO SHOULD ATTEND THIS WORKSHOP
IT risk managers
IT security managers
Compliance officers
Program and project managers
IT project managers
IT operations managers
Contact Kris at kris@360bsi.com to register.
Maclear’s IT GRC Tools – Key Issues and Trends (Maclear LLC)
Maclear specializes in enterprise governance, risk and compliance (eGRC) solutions. The IT GRC Solution integrates various business functions such as IT governance, policy management, risk management, compliance management, audit management, and incident management. It enables an automated, workflow-driven approach to managing, communicating and implementing IT policies and procedures across the enterprise.
Read More at: http://www.maclear-grc.com/
The Journey to Integrated Risk Management: Lessons from the Field (Resolver Inc.)
In a rapidly changing world, companies struggle to keep up with constantly shifting compliance and risk exposure, both external and internal. Regulatory pressure and increasing executive demand for risk insight present evolving challenges for risk, audit, and compliance professionals who are being asked to do more with less. Governance, Risk, and Compliance (GRC) tools help organizations integrate their assurance activities across the three lines of defense, enable more efficient and effective assurance programs, and ultimately sustain the programs. Companies at the beginning of the GRC technology implementation lifecycle often fail to think through all of the components and key activities necessary to ensure a successful initiative. Those that forge ahead without analysis and planning may find that they missed opportunities to converge their risk and compliance programs, their business processes were not ready for automation, the new technology doesn’t work as anticipated, and timelines for completion can’t be met. In fact, without proper planning, companies may not be using GRC tools to their full potential and realizing the value promised to management and key stakeholders.
It’s time to rethink everything: a governance, risk, compliance primer (EnclaveSecurity)
Governance, Risk, & Compliance (GRC) is more than a catchy acronym – it is an approach to business culture. GRC is a three-legged stool that is necessary to effectively manage and steer the organization. This presentation will provide an introduction to GRC and discuss the collaboration and sharing of information, assessments, metrics, risks, policies, training, and losses across business roles and processes. GRC helps identify interrelationships in today’s complex and distributed business environment.
On-demand recording link: https://info.trustarc.com/WB-2019-06-19-GDPR-Compliance-Convince-Customers-Partners-Board.html?utm_source=slideshare
Many companies have invested significant time and resources trying to design and implement GDPR compliance programs. Internally, they may have generated hundreds or thousands of pages of project plans, policies, processes and reports – including records of processing, DPIA reports and much more. But how can you demonstrate to internal stakeholders, clients and partners that you have a comprehensive program and that your processes and products are GDPR-compliant?
This webinar will provide these key takeaways:
-The current state of an official GDPR certification and codes of conduct
-Case studies of how companies are demonstrating compliance
-The benefits of an external third party GDPR validation
CHAPTER 6
INFORMATION GOVERNANCE
Information Governance Policy Development
ITS 833
Dr. Mia Simmons
Chapter Overview
■ This chapter will cover pages 71-94 in your book.
■ This chapter will cover how to develop an Information
Governance Policy.
– Inform and frame the policy with internal and external
frameworks, models, best practices, and standards—
those that apply to your organization and the scope of its
planned IG program.
Review of Record Keeping
■ Chapter 3 - ARMA International’s eight Generally Accepted
Recordkeeping Principles
1. Accountability
2. Transparency
3. Integrity
4. Protection
5. Compliance
6. Availability
7. Retention
8. Disposition
IG Reference Model
■ Outer Ring
– An understanding of the business imperatives of the enterprise,
– Knowledge of the appropriate tools and infrastructure for managing
information, and
– Sensitivity to the legal and regulatory obligations with which the
enterprise must comply
For any piece of information you hope to manage, the primary
stakeholder is the business user of that information
■ Center
– Life-cycle or Work-Flow - information management is important
at all stages of the information life cycle—from its creation through
its ultimate disposition.
Best Practice Considerations
■ IG best practices are evolving and expanding, so they should also be
considered in policy formulation
■ Review of the 25 best practices in Chapter 5
1. IG is a key underpinning for a successful ERM program.
2. IG is not a project but rather an ongoing program.
3. .
4. .
5. .
6. .
24. Some digital information assets must be preserved permanently as
part of an organization’s documentary heritage.
25. Executive sponsorship is crucial
Standards Consideration
■ Two types of standards should be included in policy:
1. De jure (“the law”)
■ published by recognized standards-setting bodies, such as the
International Organization for Standardization (ISO), American
National Standards Institute (ANSI), National Institute of Standards
and Technology (NIST—this is how most people refer to it, as they do
not know what the acronym stands for), British Standards Institute
(BSI), Standards Council of Canada, and Standards Australia.
2. De facto (“the fact”)
■ not formal standards but regarded by many as if they were.
They may arise through popular use (e.g., Windows at the business
desktop in the 2001–2010 decade) or may be published by other
bodies, such as the U.S. National Archives and Records
Administration (NARA) or Department of Defense (DoD) for the U.S.
military sector.
Benefits and Risks of Standards
■ Quality assurance support. If a product meets a standard, you can be
confident of a certain level of quality.
■ Interoperability support. Some standards are detailed and mature enough
to allow for system interoperability between different vendor platforms.
■ Implementation frameworks a.
Implementing Asset Management System with ISO 55001 (PECB)
Over the past several years, the asset management industry has fundamentally changed shape, and it is more critically important than ever before. ISO 55000 defines asset management as the "coordinated activity of an organization to realize value from assets". In turn, assets are defined as follows: "An asset is an item, thing or entity that has potential or actual value to an organization". This webinar explores ISO 55001 and Asset Lifecycle Management. Moreover, the webinar gives a brief introduction to the six elements into which ISO 55001 divides an asset management system.
Main points covered:
• Explore ISO 55001
• Asset Lifecycle Management
• Explore the concept behind information Assets
• Who is an Asset Manager and what the responsibilities of an Asset Manager are
Presenter:
Orlando Olumide Odejide is a PECB Certified Trainer. He is an experienced Enterprise Architect and Programme Director working on various technology solutions for clients in the Financial Services, Manufacturing and Public Sectors.
Link of the recorded session published on YouTube: https://youtu.be/hYaNNwQK1Ns
Presentation from the BKA event "How to become leaders in IT governance, security and audit?" about the CISM (Certified Information Security Manager) certification. The event took place on 18 April 2013.
Introduction
Governance: setting business strategy & objectives, determining risk appetite, establishing culture and values, developing policies and monitoring performance.
Risk Management: identifying and assessing risks that may affect the ability to achieve business objectives, applying risk management to obtain competitive advantage, and determining response strategies and control activities.
Compliance: operating in accordance with objectives and ensuring adherence to laws and regulations, internal policies & procedures and stakeholder commitments.
Governance - Examples
• Control Objectives for Information and Related Technology (COBIT) - The COBIT framework provides guidance for executive management to govern IT within the enterprise. It is an IT governance framework that bridges the gap between control requirements, technical issues and business risks.
• Sarbanes–Oxley Act of 2002 - An Act to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.
• Information Technology Infrastructure Library (ITIL) - ITIL is the most widely adopted approach for IT Service Management in the world. It is a practical framework for identifying, planning, delivering and supporting IT services to the business.
Risk Management - Examples
• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) - A body dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
• ISO 31000 - Provides principles and generic guidelines on the principles and implementation of risk management. It can be applied to any kind of organization and risk type, and is not specific to any industry or sector.
• ISO 31000:2009 is intended to be used by a wide range of stakeholders, including:
  • those responsible for implementing risk management;
  • those who need to manage risk for the organization as a whole or within a specific area or activity;
  • those needing to evaluate an organization's practices in managing risk;
  • and developers of standards.
11. Organizations' Policies and Procedures
IFRSs
Legal and Regulatory Framework in Kenya:
Companies Act
Capital Markets Authority
Nairobi Stock Exchange
Communications Authority of Kenya
Central Bank Regulations
Public Procurement Act
Occupational Safety and Health Administration Act 2007 (OSHA)
etc.
Compliance - Examples
12. • Basel Standards (I, II and III) - International standards for banking regulators, developed by the Basel Committee on Banking Supervision to strengthen the regulation, supervision and risk management of the banking sector.
• Total Quality Management (TQM) - Management methods used to enhance quality and productivity in business organizations.
Compliance - Examples
16. • iGRC - synchronizes information and activity across governance, risk management and compliance in order to create efficiency and effective information sharing and reporting, reduce cost and enhance performance.
[Diagram labels: ERM, ICT]
iGRC Approach
17. Large, forward-thinking organizations believe that effective iGRC is a value driver and a source of competitive advantage.
Organizations that embrace effective iGRC are realizing significant value in the areas of reputation and brand, employee retention and profitability.
iGRC Trends
18. Significant improvements in the areas of accuracy, decision-making quality and timeliness, and reductions in task redundancies, as organizations move to an integrated iGRC environment.
Inclusion of iGRC in Corporate Performance Management.
Increased leverage on technology.
iGRC Trends
19. iGRC Goals
1. Awareness
• Changes in the internal and external environment
• Turn data into information that can be analyzed
• Share information
2. Alignment
• Support and inform business objectives
• Strategic consideration of GRC information
20. iGRC Goals
3. Responsiveness
• You can't react to something you don't sense
• Greater awareness and understanding of the information that drives decisions and actions
21. iGRC Goals
4. Agile
• Decisions and actions that are quick, coordinated and well thought out
• Allow an entity to use risk to its advantage, grasp strategic opportunities and be confident in its ability to stay on course
22. iGRC Goals
5. Resilient
• Ability to bounce back from changes in the environment, e.g. threats
• Confidence to rapidly adapt and respond to opportunities
6. Learn
• Get rid of unnecessary duplication, redundancies and misallocation of resources within the GRC capability
23. • Examples of iGRC - OCEG iGRC
• iGRC - synchronizes information and activity across governance, risk management and compliance in order to create efficiency, enable more effective information sharing and reporting, and avoid wasteful overlaps.
[Diagram labels: ERM, ICT]
iGRC Models
24. iGRC – OCEG Model
ORGANIZE AND OVERSEE
O1 – Outcomes and Commitment
O2 – Roles and Responsibilities
O3 – Approach and Accountability
INFORM AND INTEGRATE
I1 – Information Management and Documentation
I2 – Internal and External Communication
I3 – Technology and Infrastructure
ASSESS AND ALIGN
A1 – Risk Identification
A2 – Risk Analysis
A3 – Risk Optimization
PREVENT AND PROMOTE
P1 – Codes of Conduct
P2 – Policies
P3 – Preventive Process Controls
P4 – Awareness and Education
P5 – Human Capital Incentives
P6 – Human Capital Controls
P7 – Stakeholder Relations and Requirements
P8 – Preventive Technology Controls
P9 – Preventive Physical Controls
P10 – Risk Financing/Insurance
DETECT AND DISCERN
D1 – Hotline and Notification
D2 – Inquiry and Survey
D3 – Detective Controls
MONITOR AND MEASURE
M1 – Context Monitoring
M2 – Performance Monitoring and Evaluation
M3 – Systemic Improvement
M4 – Assurance
CONTEXT AND CULTURE
C1 – External Business Context
C2 – Internal Business Context
C3 – Culture
C4 – Values and Objectives
RESPOND AND RESOLVE
R1 – Internal Review and Investigation
R2 – Third-Party Inquiries and Investigations
R3 – Crisis Response and Recovery
R4 – Remediation and Discipline
25. GRC and Technology Solutions - Examples
Solution: Modules
1. SAP GRC Suite: Process Control, Access Control, Risk Management, Fraud Management, Audit Management
2. ACL GRC Packages: Data Analytics, Compliance and Monitoring, Dashboards and Reporting
3. MetricStream GRC Platform: A web-based platform built on J2EE architecture with Governance, Risk, Compliance and Quality programs
26. Strategic Plan
Charter
Mission, vision statement
Responsibilities
Performance Measurement
Organization chart
Human capital
Financial plan
Technology plan
Assurance plan
Implementation plan