SlideShare a Scribd company logo

SLVA - Developing an IT GRC Strategy

Download as PPT, PDF
SLVA Information Security
SLVA Information Security

SLVA - Developing an IT GRC Strategy

Technology
1 of 10
Presentation Title Comes Here Name & Surname Company Developing an IT GRC Strategy Assess once, test once, satisfy many… Kris Budnik MD, SLVA Information Security
What is GRC? An academic definition of the word “mess” – CFO Magazine A prickly tangle of controls and practices buried inside functional or geographic silos with hundreds of isolated activities. Bewildering complexity and duplication, even as it leaves major gaps uncovered and fails to deliver the desired results - Deloitte Isn’t the GRC acronym invented by consulting and technology firms to help sell services and software? – Risk Management Magazine
Current state of GRC activities in IT BIAs Information Risk Assessments Data Classification MaturityAssessments Vulnerability Assessments GCCs SLA/OLA management Configuration Management Policies Standards Application Control and Authorizations (ACR) Penetration Testing Change Control Performance Management Incident Management Access Management ProjectManagement Laws/Regulations
But why is GRC important? While there may be debate about the GRC term, there is near consensus on the following: - Executives and directors are being held to higher standards and levels of accountability - Compliance costs have spiralled amidst the increasing volume and complexity of laws, regulations and rules - Stakeholders are more active and aggressive - More transparency is demanded - The speed and consequence of “risk events” have dramatically increased - Lee Dittmar, Deloitte Consulting
So what is GRC really? A system of people, processes and technology that enables an organisation to: - understand and prioritize stakeholder expectations - set business objectives that are congruent with values and risks - operate within legal, contractual, internal, social and ethical boundaries - provide relevant, reliable and timely information to appropriate stakeholders - enable the measurement of the performance and effectiveness of the system - OCEG “…call it whatever you want. For the sake of argument, throw away the term altogether. Now ask yourself: Did the underlying business issues go away?” - Lee Dittmar, Deloitte Consulting
Fitting the pieces together • Identify all who play part in the process - IT Ops, Security Ops, Information Risk, IT Audit, Information Security, Ops Risk, ERM, executive, etc. • Identify what drives IT GRC in your environment - Laws/Regulations, Industry standards, Common practices, Internal requirements • IMap the key elements of the IT operation that contribute to GRC in the environment • IAlign the elements to remove duplication, identify control gaps and define effective measurement criteria
Integrated IT Governance, Risk and Compliance Policies Standards Procedures Laws/Regulations BIAsInform ation Risk Assessm ents Data Classification MaturityAssessments Vulnerability Assessments GCCs ACRs
Maximising efficiency… Laws & RegulationsLaws & Regulations Industry Standards & Frameworks Industry Standards & Frameworks Internal requirementsInternal requirementsDrivers and Constraints Drivers and Constraints • Eliminating “silo” responses creates opportunities for harmonization and consolidation Harmonised GRC objectives Harmonised GRC objectives Consolidated GRC activities Consolidated GRC activities Assess Once, Test once, Satisfy manyAssess Once, Test once, Satisfy many R1R1 R2R2 R3R3 R4R4 C1C1 C2C2 C3C3 C4C4 C5C5 C6C6 C7C7 C8C8 C9C9 C10 C11C11 C12C12
Does it work? The following is an example of the level of consolidation realized by a global financial services company’s Information Technology division… 139 Authoritative sources that applied to the global Information Technology division at the organisation 4,900 + Over 4,900 individual requirements 276 Reduction by over 17 times from 4,900+ to 276 rationalized requirements 3 to 1 Over 3 million hours of assessment and reporting reduced to 1 million hours across 30,000 employees 5 to 1 Information Security, BCP, FFIEC & FDICIA, PCI, and SOX assessments reduced to a single integrated RCSA Source: Deloitte
Questions? Thank you

Recommended

Governance, risk and compliance framework
Governance, risk and compliance frameworkGovernance, risk and compliance framework
Governance, risk and compliance frameworkCeyeap
 
GRC - Isaca Training 16.9.2014
GRC - Isaca Training 16.9.2014GRC - Isaca Training 16.9.2014
GRC - Isaca Training 16.9.2014Paul Simidi
 
Enterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating ModelEnterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating ModelEryk Budi Pratama
 
Applying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_effortsApplying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_effortsSubhajit Bhuiya
 
Need for Action (GDPR Risk Mgmt) Oct'16
Need for Action (GDPR Risk Mgmt) Oct'16Need for Action (GDPR Risk Mgmt) Oct'16
Need for Action (GDPR Risk Mgmt) Oct'16Dr. Sanjeev B Ahuja
 
20th March Session Five by Ramesh Shanmughanathan
20th March Session Five by Ramesh Shanmughanathan20th March Session Five by Ramesh Shanmughanathan
20th March Session Five by Ramesh ShanmughanathanSharath Kumar
 
February 2009 Working the IT/RIM Relationship Presentation by Helen Streck
February 2009 Working the IT/RIM Relationship Presentation by Helen StreckFebruary 2009 Working the IT/RIM Relationship Presentation by Helen Streck
February 2009 Working the IT/RIM Relationship Presentation by Helen StreckJohn Wang
 
SirionLabs Webinar Featuring Forrester - Plugging Value Leakage in IT Outsour...
SirionLabs Webinar Featuring Forrester - Plugging Value Leakage in IT Outsour...SirionLabs Webinar Featuring Forrester - Plugging Value Leakage in IT Outsour...
SirionLabs Webinar Featuring Forrester - Plugging Value Leakage in IT Outsour...SirionLabs
 

Recommended

Governance, risk and compliance framework
Governance, risk and compliance frameworkGovernance, risk and compliance framework
Governance, risk and compliance frameworkCeyeap
 
GRC - Isaca Training 16.9.2014
GRC - Isaca Training 16.9.2014GRC - Isaca Training 16.9.2014
GRC - Isaca Training 16.9.2014Paul Simidi
 
Enterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating ModelEnterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating ModelEryk Budi Pratama
 
Applying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_effortsApplying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_effortsSubhajit Bhuiya
 
Need for Action (GDPR Risk Mgmt) Oct'16
Need for Action (GDPR Risk Mgmt) Oct'16Need for Action (GDPR Risk Mgmt) Oct'16
Need for Action (GDPR Risk Mgmt) Oct'16Dr. Sanjeev B Ahuja
 
20th March Session Five by Ramesh Shanmughanathan
20th March Session Five by Ramesh Shanmughanathan20th March Session Five by Ramesh Shanmughanathan
20th March Session Five by Ramesh ShanmughanathanSharath Kumar
 
February 2009 Working the IT/RIM Relationship Presentation by Helen Streck
February 2009 Working the IT/RIM Relationship Presentation by Helen StreckFebruary 2009 Working the IT/RIM Relationship Presentation by Helen Streck
February 2009 Working the IT/RIM Relationship Presentation by Helen StreckJohn Wang
 
SirionLabs Webinar Featuring Forrester - Plugging Value Leakage in IT Outsour...
SirionLabs Webinar Featuring Forrester - Plugging Value Leakage in IT Outsour...SirionLabs Webinar Featuring Forrester - Plugging Value Leakage in IT Outsour...
SirionLabs Webinar Featuring Forrester - Plugging Value Leakage in IT Outsour...SirionLabs
 
IT Risk Management & Compliance
IT Risk Management & ComplianceIT Risk Management & Compliance
IT Risk Management & Compliancerhanna11
 
DGIQ 2018 Presentation: A Lawyer, a Salesperson and the Operations Guy Walk ...
DGIQ 2018 Presentation: A Lawyer, a Salesperson and the Operations Guy Walk ...DGIQ 2018 Presentation: A Lawyer, a Salesperson and the Operations Guy Walk ...
DGIQ 2018 Presentation: A Lawyer, a Salesperson and the Operations Guy Walk ...DATUM LLC
 
The best of data governance
The best of data governance The best of data governance
The best of data governance Grant Thornton LLP
 
Managing Storage - Cost, Governance, Risk and the Environment
Managing Storage - Cost, Governance, Risk and the EnvironmentManaging Storage - Cost, Governance, Risk and the Environment
Managing Storage - Cost, Governance, Risk and the EnvironmentJon Collins
 
Maclear’s IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and TrendsMaclear’s IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and TrendsMaclear LLC
 
13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy
13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy
13 Top GRC Tools for an Integrated Governance, Risk and Compliance StrategyQuekelsBaro
 
Cyber fraud and Security - What risks does family office's face in today's wo...
Cyber fraud and Security - What risks does family office's face in today's wo...Cyber fraud and Security - What risks does family office's face in today's wo...
Cyber fraud and Security - What risks does family office's face in today's wo...Kannan Subbiah
 
A smarter way to manage identities
A smarter way to manage identitiesA smarter way to manage identities
A smarter way to manage identitiesMatthew Zielinski, CISSP, CBCP
 
Understanding and Implementing Governance for SharePoint 2010 by Bill English...
Understanding and Implementing Governance for SharePoint 2010 by Bill English...Understanding and Implementing Governance for SharePoint 2010 by Bill English...
Understanding and Implementing Governance for SharePoint 2010 by Bill English...SPTechCon
 
Learn How to Create a Seamless Omni-Channel Retail Experience
Learn How to Create a Seamless Omni-Channel Retail ExperienceLearn How to Create a Seamless Omni-Channel Retail Experience
Learn How to Create a Seamless Omni-Channel Retail ExperiencePerficient, Inc.
 
How to Evaluate a Managed Services Firm
How to Evaluate a Managed Services FirmHow to Evaluate a Managed Services Firm
How to Evaluate a Managed Services Firmoneneckitservices
 
La oportunidad de la digitalización y como aprovecharla: Antonio Conde, Digit...
La oportunidad de la digitalización y como aprovecharla: Antonio Conde, Digit...La oportunidad de la digitalización y como aprovecharla: Antonio Conde, Digit...
La oportunidad de la digitalización y como aprovecharla: Antonio Conde, Digit...Funseam - Fundación para la Sostenibilidad Energética y Ambiental
 
Access governance en
Access governance enAccess governance en
Access governance enMaurizio Milazzo
 
IT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT AlignementIT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT AlignementRick Lemieux
 
Dit yvol5iss38
Dit yvol5iss38Dit yvol5iss38
Dit yvol5iss38Rick Lemieux
 
Simplifying IT GRC
Simplifying IT GRCSimplifying IT GRC
Simplifying IT GRCanand choudhary
 
Developing Metrics for Information Security Governance
Developing Metrics for Information Security GovernanceDeveloping Metrics for Information Security Governance
Developing Metrics for Information Security Governancedigitallibrary
 
Cost benefit analysis vs confidentiality
Cost benefit analysis vs confidentialityCost benefit analysis vs confidentiality
Cost benefit analysis vs confidentialityPrithvi Ghag
 
Building an Effective Identity Management Strategy
Building an Effective Identity Management StrategyBuilding an Effective Identity Management Strategy
Building an Effective Identity Management StrategyNetIQ
 
Assocham conf grc sept 13
Assocham conf grc sept 13Assocham conf grc sept 13
Assocham conf grc sept 13subramanian K
 
AdvisorAssist Presentation: Cloud Computing and Compliance For RIAs
AdvisorAssist Presentation: Cloud Computing and Compliance For RIAsAdvisorAssist Presentation: Cloud Computing and Compliance For RIAs
AdvisorAssist Presentation: Cloud Computing and Compliance For RIAsAdvisorAssist, LLC
 
Automating Policy Compliance and IT Governance
Automating Policy Compliance and IT GovernanceAutomating Policy Compliance and IT Governance
Automating Policy Compliance and IT GovernanceSasha Nunke
 

More Related Content

What's hot

IT Risk Management & Compliance
IT Risk Management & ComplianceIT Risk Management & Compliance
IT Risk Management & Compliancerhanna11
 
DGIQ 2018 Presentation: A Lawyer, a Salesperson and the Operations Guy Walk ...
DGIQ 2018 Presentation: A Lawyer, a Salesperson and the Operations Guy Walk ...DGIQ 2018 Presentation: A Lawyer, a Salesperson and the Operations Guy Walk ...
DGIQ 2018 Presentation: A Lawyer, a Salesperson and the Operations Guy Walk ...DATUM LLC
 
Managing Storage - Cost, Governance, Risk and the Environment
Managing Storage - Cost, Governance, Risk and the EnvironmentManaging Storage - Cost, Governance, Risk and the Environment
Managing Storage - Cost, Governance, Risk and the EnvironmentJon Collins
 
Maclear’s IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and TrendsMaclear’s IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and TrendsMaclear LLC
 
13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy
13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy
13 Top GRC Tools for an Integrated Governance, Risk and Compliance StrategyQuekelsBaro
 
Cyber fraud and Security - What risks does family office's face in today's wo...
Cyber fraud and Security - What risks does family office's face in today's wo...Cyber fraud and Security - What risks does family office's face in today's wo...
Cyber fraud and Security - What risks does family office's face in today's wo...Kannan Subbiah
 
Understanding and Implementing Governance for SharePoint 2010 by Bill English...
Understanding and Implementing Governance for SharePoint 2010 by Bill English...Understanding and Implementing Governance for SharePoint 2010 by Bill English...
Understanding and Implementing Governance for SharePoint 2010 by Bill English...SPTechCon
 
Learn How to Create a Seamless Omni-Channel Retail Experience
Learn How to Create a Seamless Omni-Channel Retail ExperienceLearn How to Create a Seamless Omni-Channel Retail Experience
Learn How to Create a Seamless Omni-Channel Retail ExperiencePerficient, Inc.
 
How to Evaluate a Managed Services Firm
How to Evaluate a Managed Services FirmHow to Evaluate a Managed Services Firm
How to Evaluate a Managed Services Firmoneneckitservices
 
IT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT AlignementIT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT AlignementRick Lemieux
 
Developing Metrics for Information Security Governance
Developing Metrics for Information Security GovernanceDeveloping Metrics for Information Security Governance
Developing Metrics for Information Security Governancedigitallibrary
 
Cost benefit analysis vs confidentiality
Cost benefit analysis vs confidentialityCost benefit analysis vs confidentiality
Cost benefit analysis vs confidentialityPrithvi Ghag
 
Building an Effective Identity Management Strategy
Building an Effective Identity Management StrategyBuilding an Effective Identity Management Strategy
Building an Effective Identity Management StrategyNetIQ
 
Assocham conf grc sept 13
Assocham conf grc sept 13Assocham conf grc sept 13
Assocham conf grc sept 13subramanian K
 

What's hot (20)

IT Risk Management & Compliance
IT Risk Management & ComplianceIT Risk Management & Compliance
IT Risk Management & Compliance
 
DGIQ 2018 Presentation: A Lawyer, a Salesperson and the Operations Guy Walk ...
DGIQ 2018 Presentation: A Lawyer, a Salesperson and the Operations Guy Walk ...DGIQ 2018 Presentation: A Lawyer, a Salesperson and the Operations Guy Walk ...
DGIQ 2018 Presentation: A Lawyer, a Salesperson and the Operations Guy Walk ...
 
The best of data governance
The best of data governance The best of data governance
The best of data governance
 
Managing Storage - Cost, Governance, Risk and the Environment
Managing Storage - Cost, Governance, Risk and the EnvironmentManaging Storage - Cost, Governance, Risk and the Environment
Managing Storage - Cost, Governance, Risk and the Environment
 
Maclear’s IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and TrendsMaclear’s IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and Trends
 
13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy
13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy
13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy
 
Cyber fraud and Security - What risks does family office's face in today's wo...
Cyber fraud and Security - What risks does family office's face in today's wo...Cyber fraud and Security - What risks does family office's face in today's wo...
Cyber fraud and Security - What risks does family office's face in today's wo...
 
A smarter way to manage identities
A smarter way to manage identitiesA smarter way to manage identities
A smarter way to manage identities
 
Understanding and Implementing Governance for SharePoint 2010 by Bill English...
Understanding and Implementing Governance for SharePoint 2010 by Bill English...Understanding and Implementing Governance for SharePoint 2010 by Bill English...
Understanding and Implementing Governance for SharePoint 2010 by Bill English...
 
Learn How to Create a Seamless Omni-Channel Retail Experience
Learn How to Create a Seamless Omni-Channel Retail ExperienceLearn How to Create a Seamless Omni-Channel Retail Experience
Learn How to Create a Seamless Omni-Channel Retail Experience
 
How to Evaluate a Managed Services Firm
How to Evaluate a Managed Services FirmHow to Evaluate a Managed Services Firm
How to Evaluate a Managed Services Firm
 
La oportunidad de la digitalización y como aprovecharla: Antonio Conde, Digit...
La oportunidad de la digitalización y como aprovecharla: Antonio Conde, Digit...La oportunidad de la digitalización y como aprovecharla: Antonio Conde, Digit...
La oportunidad de la digitalización y como aprovecharla: Antonio Conde, Digit...
 
Access governance en
Access governance enAccess governance en
Access governance en
 
IT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT AlignementIT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT Alignement
 
Dit yvol5iss38
Dit yvol5iss38Dit yvol5iss38
Dit yvol5iss38
 
Simplifying IT GRC
Simplifying IT GRCSimplifying IT GRC
Simplifying IT GRC
 
Developing Metrics for Information Security Governance
Developing Metrics for Information Security GovernanceDeveloping Metrics for Information Security Governance
Developing Metrics for Information Security Governance
 
Cost benefit analysis vs confidentiality
Cost benefit analysis vs confidentialityCost benefit analysis vs confidentiality
Cost benefit analysis vs confidentiality
 
Building an Effective Identity Management Strategy
Building an Effective Identity Management StrategyBuilding an Effective Identity Management Strategy
Building an Effective Identity Management Strategy
 
Assocham conf grc sept 13
Assocham conf grc sept 13Assocham conf grc sept 13
Assocham conf grc sept 13
 

Similar to SLVA - Developing an IT GRC Strategy

AdvisorAssist Presentation: Cloud Computing and Compliance For RIAs
AdvisorAssist Presentation: Cloud Computing and Compliance For RIAsAdvisorAssist Presentation: Cloud Computing and Compliance For RIAs
AdvisorAssist Presentation: Cloud Computing and Compliance For RIAsAdvisorAssist, LLC
 
Automating Policy Compliance and IT Governance
Automating Policy Compliance and IT GovernanceAutomating Policy Compliance and IT Governance
Automating Policy Compliance and IT GovernanceSasha Nunke
 
Governance Risk and Compliance for SAP
Governance Risk and Compliance for SAPGovernance Risk and Compliance for SAP
Governance Risk and Compliance for SAPPECB
 
Sunera Business & Technology Risk Consulting
Sunera Business & Technology Risk ConsultingSunera Business & Technology Risk Consulting
Sunera Business & Technology Risk ConsultingSunera
 
Sunera business & technology risk consulting services -slide share
Sunera business & technology risk consulting services -slide shareSunera business & technology risk consulting services -slide share
Sunera business & technology risk consulting services -slide shareSunera
 
The Business Of Identity, Access And Security V1.0
The Business Of Identity, Access And Security V1.0The Business Of Identity, Access And Security V1.0
The Business Of Identity, Access And Security V1.0theonassiokas
 
Indranil Guha - It transformation challenges & choices...
Indranil Guha - It transformation challenges & choices...Indranil Guha - It transformation challenges & choices...
Indranil Guha - It transformation challenges & choices...Global Business Events
 
Presentation to Irish ISSA Conference 12-May-11
Presentation to Irish ISSA Conference 12-May-11Presentation to Irish ISSA Conference 12-May-11
Presentation to Irish ISSA Conference 12-May-11Michael Ofarrell
 
Advantages of an integrated governance, risk and compliance environment
Advantages of an integrated governance, risk and compliance environmentAdvantages of an integrated governance, risk and compliance environment
Advantages of an integrated governance, risk and compliance environmentIBM Analytics
 
How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?PECB
 
Achieving GRC Excellence White Paper.pdf
Achieving GRC Excellence White Paper.pdfAchieving GRC Excellence White Paper.pdf
Achieving GRC Excellence White Paper.pdfinfosecTrain
 
Achieving GRC Excellence White Paper (6).pdf
Achieving GRC Excellence White Paper (6).pdfAchieving GRC Excellence White Paper (6).pdf
Achieving GRC Excellence White Paper (6).pdfInfosec train
 
CMLGroup - What is GRC?
CMLGroup - What is GRC?CMLGroup - What is GRC?
CMLGroup - What is GRC?CML Group
 
TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)Tuan Phan
 
Big data governance as a corporate governance imperative
Big data governance as a corporate governance imperativeBig data governance as a corporate governance imperative
Big data governance as a corporate governance imperativeGuy Pearce
 
Sask 3.0 Summit Pci dss presentation Bashir Fancy
Sask 3.0 Summit Pci dss presentation Bashir FancySask 3.0 Summit Pci dss presentation Bashir Fancy
Sask 3.0 Summit Pci dss presentation Bashir FancySaskSummit
 
How It All Ties Together Sun Idm Roadshow For Sun
How It All Ties Together Sun Idm Roadshow For SunHow It All Ties Together Sun Idm Roadshow For Sun
How It All Ties Together Sun Idm Roadshow For Sunvijaychn
 
Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.360factors
 

Similar to SLVA - Developing an IT GRC Strategy (20)

AdvisorAssist Presentation: Cloud Computing and Compliance For RIAs
AdvisorAssist Presentation: Cloud Computing and Compliance For RIAsAdvisorAssist Presentation: Cloud Computing and Compliance For RIAs
AdvisorAssist Presentation: Cloud Computing and Compliance For RIAs
 
Automating Policy Compliance and IT Governance
Automating Policy Compliance and IT GovernanceAutomating Policy Compliance and IT Governance
Automating Policy Compliance and IT Governance
 
Risk Product.pptx
Risk Product.pptxRisk Product.pptx
Risk Product.pptx
 
Governance Risk and Compliance for SAP
Governance Risk and Compliance for SAPGovernance Risk and Compliance for SAP
Governance Risk and Compliance for SAP
 
Sunera Business & Technology Risk Consulting
Sunera Business & Technology Risk ConsultingSunera Business & Technology Risk Consulting
Sunera Business & Technology Risk Consulting
 
Sunera business & technology risk consulting services -slide share
Sunera business & technology risk consulting services -slide shareSunera business & technology risk consulting services -slide share
Sunera business & technology risk consulting services -slide share
 
The Business Of Identity, Access And Security V1.0
The Business Of Identity, Access And Security V1.0The Business Of Identity, Access And Security V1.0
The Business Of Identity, Access And Security V1.0
 
Indranil Guha - It transformation challenges & choices...
Indranil Guha - It transformation challenges & choices...Indranil Guha - It transformation challenges & choices...
Indranil Guha - It transformation challenges & choices...
 
Presentation to Irish ISSA Conference 12-May-11
Presentation to Irish ISSA Conference 12-May-11Presentation to Irish ISSA Conference 12-May-11
Presentation to Irish ISSA Conference 12-May-11
 
task 1
task 1task 1
task 1
 
Advantages of an integrated governance, risk and compliance environment
Advantages of an integrated governance, risk and compliance environmentAdvantages of an integrated governance, risk and compliance environment
Advantages of an integrated governance, risk and compliance environment
 
How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?
 
Achieving GRC Excellence White Paper.pdf
Achieving GRC Excellence White Paper.pdfAchieving GRC Excellence White Paper.pdf
Achieving GRC Excellence White Paper.pdf
 
Achieving GRC Excellence White Paper (6).pdf
Achieving GRC Excellence White Paper (6).pdfAchieving GRC Excellence White Paper (6).pdf
Achieving GRC Excellence White Paper (6).pdf
 
CMLGroup - What is GRC?
CMLGroup - What is GRC?CMLGroup - What is GRC?
CMLGroup - What is GRC?
 
TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)
 
Big data governance as a corporate governance imperative
Big data governance as a corporate governance imperativeBig data governance as a corporate governance imperative
Big data governance as a corporate governance imperative
 
Sask 3.0 Summit Pci dss presentation Bashir Fancy
Sask 3.0 Summit Pci dss presentation Bashir FancySask 3.0 Summit Pci dss presentation Bashir Fancy
Sask 3.0 Summit Pci dss presentation Bashir Fancy
 
How It All Ties Together Sun Idm Roadshow For Sun
How It All Ties Together Sun Idm Roadshow For SunHow It All Ties Together Sun Idm Roadshow For Sun
How It All Ties Together Sun Idm Roadshow For Sun
 
Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.
 

Recently uploaded

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 

Recently uploaded (20)

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 

SLVA - Developing an IT GRC Strategy

  • 1. Presentation Title Comes Here Name & Surname Company Developing an IT GRC Strategy Assess once, test once, satisfy many… Kris Budnik MD, SLVA Information Security
  • 2. What is GRC? An academic definition of the word “mess” – CFO Magazine A prickly tangle of controls and practices buried inside functional or geographic silos with hundreds of isolated activities. Bewildering complexity and duplication, even as it leaves major gaps uncovered and fails to deliver the desired results - Deloitte Isn’t the GRC acronym invented by consulting and technology firms to help sell services and software? – Risk Management Magazine
  • 3. Current state of GRC activities in IT BIAs Information Risk Assessments Data Classification MaturityAssessments Vulnerability Assessments GCCs SLA/OLA management Configuration Management Policies Standards Application Control and Authorizations (ACR) Penetration Testing Change Control Performance Management Incident Management Access Management ProjectManagement Laws/Regulations
  • 4. But why is GRC important? While there may be debate about the GRC term, there is near consensus on the following: - Executives and directors are being held to higher standards and levels of accountability - Compliance costs have spiralled amidst the increasing volume and complexity of laws, regulations and rules - Stakeholders are more active and aggressive - More transparency is demanded - The speed and consequence of “risk events” have dramatically increased - Lee Dittmar, Deloitte Consulting
  • 5. So what is GRC really? A system of people, processes and technology that enables an organisation to: - understand and prioritize stakeholder expectations - set business objectives that are congruent with values and risks - operate within legal, contractual, internal, social and ethical boundaries - provide relevant, reliable and timely information to appropriate stakeholders - enable the measurement of the performance and effectiveness of the system - OCEG “…call it whatever you want. For the sake of argument, throw away the term altogether. Now ask yourself: Did the underlying business issues go away?” - Lee Dittmar, Deloitte Consulting
  • 6. Fitting the pieces together • Identify all who play part in the process - IT Ops, Security Ops, Information Risk, IT Audit, Information Security, Ops Risk, ERM, executive, etc. • Identify what drives IT GRC in your environment - Laws/Regulations, Industry standards, Common practices, Internal requirements • IMap the key elements of the IT operation that contribute to GRC in the environment • IAlign the elements to remove duplication, identify control gaps and define effective measurement criteria
  • 7. Integrated IT Governance, Risk and Compliance Policies Standards Procedures Laws/Regulations BIAsInform ation Risk Assessm ents Data Classification MaturityAssessments Vulnerability Assessments GCCs ACRs
  • 8. Maximising efficiency… Laws & RegulationsLaws & Regulations Industry Standards & Frameworks Industry Standards & Frameworks Internal requirementsInternal requirementsDrivers and Constraints Drivers and Constraints • Eliminating “silo” responses creates opportunities for harmonization and consolidation Harmonised GRC objectives Harmonised GRC objectives Consolidated GRC activities Consolidated GRC activities Assess Once, Test once, Satisfy manyAssess Once, Test once, Satisfy many R1R1 R2R2 R3R3 R4R4 C1C1 C2C2 C3C3 C4C4 C5C5 C6C6 C7C7 C8C8 C9C9 C10 C11C11 C12C12
  • 9. Does it work? The following is an example of the level of consolidation realized by a global financial services company’s Information Technology division… 139 Authoritative sources that applied to the global Information Technology division at the organisation 4,900 + Over 4,900 individual requirements 276 Reduction by over 17 times from 4,900+ to 276 rationalized requirements 3 to 1 Over 3 million hours of assessment and reporting reduced to 1 million hours across 30,000 employees 5 to 1 Information Security, BCP, FFIEC & FDICIA, PCI, and SOX assessments reduced to a single integrated RCSA Source: Deloitte