Randy Moeller - Mitigating Application Risk Upfront (Without Increased Hair Loss)

•Download as PPTX, PDF•

0 likes•93 views

Companies run on a lot of applications that contain every imaginable type of information. All of them are developed with the intent of helping their company win in their marketplace. However, there are many issues related to privacy, security, regulations, etc., and a project manager doesn't have time to dissect them all. In the zeal to win, the applications are launched and consequences follow. Besides the data disasters in the news, companies spend extra funds to make their applications compliant. To help our various brands win in the market, we developed a compliance review team and application that works with the project manager in developing their application with the proper controls to avoid the numerous pitfalls that exist today.

Business

Mitigating Application Risk
Upfront
Without increased hair loss Randy Moeller

Randy Moeller - Bio
• Global Records & Information Governance Manager
• 35 years in RIM
• Usual responsibilities (policy, certification, RRS etc.)
• RRS online since 1985
• 70% time on iRisk/IT consulting

Governance in P&G – brief history
• 2008 – First Team; Ethics, RIM, Information Security
• 2009 – Launched combined training, saved work 80k hrs.
• 2010 – Governance, Risk & Compliance formed
• RIM included in Business Conduct
• 2013 – iRisk launched (application compliance review)
• 2015 – iRisk2 launched (self assessment added)
• 2018 – iRisk3 launched (concierge service added)

iRisk?
• Application risk review/mitigate process
• Built on RSA’s Archer platform
• Use of workflow stages
• Upfront Concierge Service
• Questionnaire determines compliance groups
• Enterprise Architecture & InfoSec next
• Rest of compliance groups

Why? Data wreck.
Security not properly designed
Use of ‘free’ apps
Questionable cloud/SaaS sites
Piles of useless information
Bleeding information = money
publicdomainpictures.net

Compliance Groups
• Employee Relations
• Global Security
• IT Continuity
• Labor Relations
• Network Capacity
• Privacy
• Germany IT
• Payment Card
• Rec & Info Governance
• Reg Computer Validation
• Tax
• 3rd Party Risk Management
• Legal/IP

Create Assessment
Title, geography, etc.
MEGA – application about applications
- Regulated
- PII
- Sox
- Vendor
- Business impact assessment
- Data classification

Records & Information Governance
• Database Name
• System or Application Name
• Type of Data
• Legal Entities
• Data Age Range
• Record Series & Record Name
• Company official or copy records
• Retention time
• Records Review & Disposal Process, Auto,
Semi-auto, Manual
• Outline disposal logic to identify records
to be destroyed
• Title of document that contains the
Record Review & Disposal process
• Downstream system(s) that receive feeds
from this application
• Upstream systems(s) that sends data to
this application

Compliance Area
Status
Awaiting Review = my Inbox to review
Rest represents it will be, has been and will
be again

The hook?
Incorporated into two development
processes
• SIMPL – Standard development process
for project not led by IT
• IT Stewardship Checklist – Used by IT
when they lead a project
No iRisk = no further funding
Internal Audit ding
This Photo by Unknown Author is licensed under CC BY

The Good
• Apps are compliant
• Process flow is right
• Concierge
• No fixed meetings with unprepared folks
• Architecture and InfoSec consulting
• Reminder emails to assessment owners
• Past assessments as a foundation

The Bad
• Concierge, Architecture & InfoSec staff availability
• No fixed meeting with well prepared folks
• More investigating, questions
• Email intensive
• No automated ‘on hold’ process
• Reporting needs work

The Ugly
• Be careful of what you ask for
• 2015/16 – 479 assessments
• 2017/18 – 750 assessments
• 30-60% first time users
• The lazy few

Starting Point
• Don’t have $$$?
• See posted Excel file

Thank You
• Randy Moeller
• moeller.rj@pg.com
• @RJMrim – Twitter
• www.linkedin.com/in/rjmpg

MSuite is an OCR based mortgage automation platform that has machine learning and AI capabilities to automate simple as well as complex back-office tasks for mortgage lenders. Whether you wish to automate document indexing or auto population of data from various mortgage documents to your LOS, MSuite can do that with an ease. This demo video gives you an insight on how mortgage lenders and brokers can leverage Msuite to cut down on the time and effort required to assess and Underwrite Credit, Income and Asset of a borrower.

Intelligent Protocol Content Analysis - Efficient Data Extraction

Bialogics

CNIT 160 4b: Security Program Management (Part 2)

Sam Bowne

This document provides an overview of topics covered in Part 2 of a lecture on information security program development, including risk management, the risk management process, audits and reviews. Key points discussed are the purpose and components of a risk management program, the risk management lifecycle including identifying assets, threats, vulnerabilities, analyzing risk impact and probability, and treating risk through mitigation, transfer, avoidance or acceptance. The document also summarizes security audit objectives and types, as well as the audit methodology, evidence and reporting process.

Presentation1_Modified

Corey Green

This document provides information on a proposed private school computer lab setup project. It includes details on the project team members and their roles. Floor plans are presented for the administration building, elementary school, middle school, and high school. The budget is estimated to total $319,470.47, divided among parts & labor, hardware, and software categories. Thanks are given to supporting organizations and individuals.

CNIT 160 4e Security Program Management (Part 5)

Sam Bowne

This document provides an overview of topics related to information security program development and management, including security program operations, secure engineering and development, network protection, endpoint protection and management, and identity and access management. It discusses key concepts for each topic such as firewalls, intrusion prevention systems, malware prevention techniques, and centralized identity and access management. The document also outlines processes for managing access governance, conducting privileged account audits, and performing user behavior analytics.

1. Security and Risk Management

Sam Bowne

This document provides an overview of chapter 1 of the CNIT 125 course on information security and CISSP preparation. It covers key security terms like confidentiality, integrity, and availability that make up the CIA triad. It also discusses security governance principles such as strategic planning, change management, data classification, and defining security roles and responsibilities. Finally, it introduces several common security control frameworks and standards like ISO 27000, NIST 800 series, and COSO that are used to implement controls and ensure compliance.

SIEM & IAM

Getting value from IoT, Integration and Data Analytics

Deze presentatie gaat over de integratie van SIEM (Security Incident en Event Management) en IAM (Identity en Access Management). SIEM geeft inzicht in de activiteiten van gebruikers, maar ontbeert de kennis van access en entitlement policies om beveiligingsincidenten in hun context te kunnen plaatsen. IAM heeft juist veel kennis van access en entitlement policies maar biedt geen goed inzicht in de daadwerkelijke activiteiten van gebruikers. Een goede integratie van deze twee technologieën stelt SIEM in staat de juiste exception monitoring te doen en IAM om op basis van handelingen van gebruikers Access en Entitlement Policies scherper bij te stellen en af te dwingen.

Creating a Security Plan for Your Agency - Laird Rixford

Insurance Technologies Corporation (ITC)

Protect What Matters Most: Business Critical Apps and Data : Hackers and malicious insiders steal your data by exploiting the gaps left by traditional endpoint and network security. As many companies have painfully discovered, a breach goes far beyond the loss of data. It results in financial losses, regulatory fines, and damage to a company’s reputation. The Imperva SecureSphere, Incapsula and Skyfence product lines enable organizations to discover assets and vulnerabilities, protect information wherever it lives – in the cloud and on-premises – and comply with regulations. check this out and thanks

Real world IoT for enterprises

IndicThreads

Why_ERM

Mariel Fox

The document discusses the benefits and challenges of implementing an electronic records management (ERM) system. ERM is important because most records are now born digitally. It provides a solution to problems organizations face with unmanaged electronic records and helps ensure compliance with governance, risk management, and compliance (GRC) requirements. However, ERM implementation presents challenges such as changing work habits and justifying costs. If an organization experiences issues with electronic records, the document recommends implementing ERM.

Differential learning SnowFROC 2017

Frank Victory

AMB410: ITxM: The ITAM, ITSM, and Security Crossroads

Ivanti

This document discusses the value of integrating IT service management (ITSM), IT asset management (ITAM), and security. It notes that bringing these domains together can provide benefits like a consolidated view of events, adaptive architectures, continuous response, and enabling DevOps, ITAMOps and SecOps. The document outlines the process involved, such as addressing staffing cultural differences, defining process overlaps and synergies, and configuring process automation. It presents an attainment model showing levels from initial to optimized integration of ITSM, ITAM and security.

Five biggest secrets to an it audit webinar slides

Michelle

This document discusses the biggest secrets to a successful IT audit. It notes that focusing on getting and staying compliant is key. It also discusses the challenges of IT audits, including increased system complexity, process documentation pressures, distributed teams, and varied audit standards. Maintaining end-to-end change management and workflow from incident reporting to solution delivery is presented as one of the biggest secrets. Automated application lifecycle tools that provide approval histories and activity tracking are suggested as a solution.

RHMR_Consultant_Profile_RRHarris07232016

Ronald (RON) Ray Harris

Ron Harris is an experienced IT leader with over 20 years of experience across multiple industries. He has expertise in IT security, audit, compliance, and project management. Some of his roles include managing IT security programs and teams of over 40 professionals at large companies. He has experience ensuring regulatory compliance, performing risk assessments, and developing security policies, procedures, and plans around areas like disaster recovery and access controls. His technical skills include network architecture, vulnerability analysis, and software engineering.

IoT Integration in the Air conditioning, Heating and Refrigeration industry ...

Art Garcia

Products throughout air conditioning, heating and refrigeration industry are preparing for the new connected home and commercial space with real time monitoring, remote diagnostics, predictive maintenance, adaptive performance and increased efficiency. Ciqada offers a turnkey IoT solution for product developers and engineers while Mars International provides both electrical and mechanical engineering expertise to help bring new products to market as well as retrofit existing products.

Agile AppSec DevOps

Robert Grupe, CSSLP CISSP PE PMP

This document discusses integrating application security (AppSec) into agile development processes like DevOps. It begins with an overview of moving from traditional waterfall development with separate AppSec to integrating AppSec into agile feature-driven development (FDD) and test-driven development (TDD). The rest of the document details a two-phase approach: first, implementing security FDD by adding AppSec activities to each stage of FDD; second, implementing DevSecOps by adding automated security testing and monitoring throughout TDD. Key aspects covered include threat modeling, static/dynamic testing, monitoring and response.

Government Agencies Using Splunk: Is Your Critical Data Missing?

Precisely

Mainframes continue to run many critical applications for Government agencies, and if you’re a government agency using Splunk, the Mainframe is often a major blind spot. Ironstream is the industry’s leading high-performance, cost-effective solution for forwarding critical security and operational machine data from the mainframe to Splunk. View this 20 minute demo to learn how Ironstream can deliver: • Healthier IT operations by correlating events across all your IT Infrastructure – increasing efficiency, insight and cost-savings • Clearer, more precise security information with complete visibility into enterprise wide security alerts and risks for all systems, including mainframes • Less complexity by breaking down silos and seamlessly integrating with Splunk for a single view of all your systems, with no mainframe expertise required We also share how one federal law-enforcement agency used Ironstream to meet the ever-changing reporting requests from its auditors in order to prove compliance with information-security requirements.

A Study in Borderless Over Perimeter

ForgeRock

How to leverage Enterprise Architecture in a regulated environment

LeanIX GmbH

This document summarizes an expert presentation on using enterprise architecture tools like leanIX to manage applications and ensure compliance in regulated industries. It discusses how leanIX can be used to identify missing information, cross-check data across different views, initiate governance reviews, and find inconsistencies. Tools like leanIX allow mapping information to standards like COBIT, GDPR, and creating structured views to more effectively manage portfolios in regulated environments.

Fisher Practice Areas 2012

fish1960

Thomas Fisher is an experienced IT consultant with over 20 years of experience leading IT organizations in various industries such as healthcare, contact centers, manufacturing, and telecommunications. He has expertise in areas such as IT audit, ITIL implementation, data management, IT governance, program/project management, supply chain management, and serving as an interim CIO. His background includes positions as SVP of IT, CIO, and VP of IT and he has worked with large global organizations.

GDPR | Cyber security process resilience

Rishi Kant

CNIT 121: 2 IR Management Handbook

Sam Bowne

This document discusses the roles and responsibilities involved in incident response (IR). It describes the incident manager who leads the investigation team, and the remediation team leader who coordinates remediation activities. It outlines the IR process including initial response, investigation, and remediation phases. It provides guidance on hiring IR talent, preserving evidence, analyzing data, developing indicators of compromise, and creating reports.

Professional Designations IT Assurance

a3virani

This document provides an overview of the roles and certifications available for assurance professionals working with information systems. It discusses why IS auditing is important given regulations like Sarbanes-Oxley that require verifying system controls. Common certifications include CISA, CISM, and CGEIT from ISACA, which focus on auditing, security management, and IT governance respectively. The CISSP from (ISC)2 demonstrates broad security knowledge, while the GIAC GSNA tests systems and network auditing skills. Obtaining certifications provides credibility, ensures competence, and allows professionals to efficiently add value through activities like risk assessments, security evaluations, and enhancing audit effectiveness.

IT security consultancy company profile

HK IT solutions... unlimited...

Web Application Security: Beyond PEN Testing

Robert Grupe, CSSLP CISSP PE PMP

The document discusses establishing foundational security practices for web applications before conducting penetration testing. It recommends selecting an information security management system framework, creating a matrix of critical legal and regulatory data, defining potential threat agents and misuse cases, and establishing a library of standard security requirements. This foundational work involves non-coding team members and helps minimize vulnerabilities early in the development process.

CNIT 160: Ch 2a: Introduction to Information Security Governance

Sam Bowne

CHIME LEAD New York 2014 "Case Studies from the Field: Putting Cyber Security...

Health IT Conference – iHT2

CHIME LEAD New York 2014 "Case Studies from the Field: Putting Cyber Security Strategies into Action" Learn from those in the trenches who have deployed effective cyber strategies in their organizations, foiled attacks and managed breach situations. Learn approaches for success and pitfalls to avoid by exploring the experience of others with deployment and management of cyber security strategies and plans. Learning Objectives: Identify successes, challenges and lessons learned with implementation of cyber strategies Identify success strategies for gaining the C Suite support and ways cyber security can be integrated into the organization's culture and work processes. Identify best practices with anticipating new and emerging threats and ways to maintain a proactive position instead of reactive Identify approaches for breach preparation and breach management Featured Speakers: Neal Ganguly, MBA, FCHIME, FHIMSS, CHCIO VP & CIO JFK Health System Miroslav Belote Director of IT – Infrastructure and Information Security Officer JFK Health System Nassar Nizami CISO Yale-New Haven Health System

BI: How Can Your High-Performance BI System Meet Expectations When You Feed I...

Ray Mcglew

This document discusses the importance of data governance and quality for business intelligence systems. It notes that 70-80% of BI projects fail due to issues like poor quality data. The life cycle of data is outlined as creation, operational use, analytical use, and destruction. Both business and IT have responsibilities for data as a corporate resource. The document advocates establishing data governance practices like data stewardship, a data dictionary, and master data management to standardize, cleanse, and manage data across the organization. Strong management promotion and treating governance as a cultural change rather than just a program are also recommended.

What's hot

CNIT 160 Ch 4a: Information Security Programs

Sam Bowne

Aplication data security compliances

Ahmadi Madi

Real world IoT for enterprises

IndicThreads

Why_ERM

Mariel Fox

Differential learning SnowFROC 2017

Frank Victory

AMB410: ITxM: The ITAM, ITSM, and Security Crossroads

Ivanti

Five biggest secrets to an it audit webinar slides

Michelle

RHMR_Consultant_Profile_RRHarris07232016

Ronald (RON) Ray Harris

IoT Integration in the Air conditioning, Heating and Refrigeration industry ...

Art Garcia

Agile AppSec DevOps

Robert Grupe, CSSLP CISSP PE PMP

Government Agencies Using Splunk: Is Your Critical Data Missing?

Precisely

What's hot (11)

CNIT 160 Ch 4a: Information Security Programs

Aplication data security compliances

Real world IoT for enterprises

Why_ERM

Differential learning SnowFROC 2017

AMB410: ITxM: The ITAM, ITSM, and Security Crossroads

Five biggest secrets to an it audit webinar slides

RHMR_Consultant_Profile_RRHarris07232016

IoT Integration in the Air conditioning, Heating and Refrigeration industry ...

Agile AppSec DevOps

Government Agencies Using Splunk: Is Your Critical Data Missing?

Similar to Randy Moeller - Mitigating Application Risk Upfront (Without Increased Hair Loss)

A Study in Borderless Over Perimeter

ForgeRock

How to leverage Enterprise Architecture in a regulated environment

LeanIX GmbH

Fisher Practice Areas 2012

fish1960

GDPR | Cyber security process resilience

Rishi Kant

CNIT 121: 2 IR Management Handbook

Sam Bowne

Professional Designations IT Assurance

a3virani

IT security consultancy company profile

HK IT solutions... unlimited...

Web Application Security: Beyond PEN Testing

Robert Grupe, CSSLP CISSP PE PMP

CNIT 160: Ch 2a: Introduction to Information Security Governance

Sam Bowne

CHIME LEAD New York 2014 "Case Studies from the Field: Putting Cyber Security...

Health IT Conference – iHT2

BI: How Can Your High-Performance BI System Meet Expectations When You Feed I...

Ray Mcglew

CNIT 160 Ch 4a: Information Security Programs

Sam Bowne

The SharePoint Migration Playbook

JoAnna Cheshire

This document discusses governance, security, and compliance considerations for SharePoint including: 1) Identifying stakeholders to ensure technology ROI, security, and compliance as well as outlining change management processes and controlling unauthorized applications. 2) The need for industry-specific compliance adherence related to items like HIPAA, PII, SEC, FINRA, and document retention policies. 3) Conducting internal security audits, managing access levels and permissions, addressing vulnerabilities, and having breach identification and response protocols.

Heureka Webinar – Security, the Growth Engine for eDiscovery Professionals

Heureka Software

Cybersecurity threats and data breaches cost companies millions of dollars in lost intellectual property, trade secrets and fines from mishandled privacy information. Even worse, hackers increasingly see law firms as an easy target to acquire valuable data on clients. And yet, many security folks still need the expertise gained from the legal/ediscovery world. Heureka and special guest Donald A. Wochna, Esq. discuss the shift from eDiscovery to Security and back again!

ACEDS-Zylab 4-3-15 Webcast

Logikcull.com

This document summarizes a presentation on bridging the gap between legal and IT through information governance. The presentation discusses how data conceals both risk and value for organizations, noting regulatory, compliance, security, and disclosure risks as well as faster decision making, improved profitability, and other benefits. It outlines common problems general counsels face around demonstrating value, limited budgets, and being too busy firefighting daily tasks. The presentation then discusses how poor information governance can lead to litigation risks, problems with regulatory requests and investigations, and issues with internal policies. It stresses that information governance is a cross-disciplinary issue involving multiple departments. The presentation provides requirements for successful information governance programs and stresses focusing on specific quantifiable benefits to obtain support and resources

Splunk at Aaron's Inc

Splunk

This document summarizes a presentation given by David Craigen and Jeff Meyers of Aaron's Inc. about how they use Splunk. It discusses Aaron's background as a lease-to-own retailer with over 2,100 stores. It then describes the security team and their challenges with limited visibility and slow response times prior to Splunk. With Splunk, they have gained flexibility, fast time to value through security incident correlation and continuous monitoring across various data sources. Their roadmap includes adding more data sources and automation while expanding Splunk use for applications. Key lessons included showing quick value, taking a holistic view of security data, and attending Splunk conferences for best practices.

SharePoint 2013 ECM & Methodology

Sonny Thai

Getting to Know Enterprise Content Management (ECM) and How It Can Help You

InnoTech

This document provides an overview of Enterprise Content Management (ECM) including what it is, the benefits it provides, key aspects of an ECM methodology, and common ECM tools. ECM is defined as strategies, methods and tools used to capture, manage, store, preserve, and deliver content and documents related to organizational processes. The ECM methodology involves capturing content from various sources, managing the content through collaboration and versioning tools, processing the content using workflows and auditing, and delivering the content securely to users. Common ECM tools include information architecture tools to organize content, file plans to manage retention, and site taxonomies and governance policies.

Nist 800 53 deep dive 20210813

Kinetic Potential

This document discusses strategies for implementing the National Institute of Standards and Technology's (NIST) cybersecurity control families. It recommends prioritizing the top six critical control families in Phase 1, which include configuration management, access control, awareness and training, media protection, and risk assessment. Phase 2 involves following up on the remaining NIST control families. The document also discusses balancing cybersecurity with business goals, gaining cross-organizational buy-in, and juggling priorities by leveraging different organizational teams.

IBM i Security SIEM Integration

Precisely

This document discusses integrating IBM i security data with security information and event management (SIEM) solutions. It covers the basics of security monitoring and key areas to monitor on IBM i systems like user access, privileged users, system values and sensitive files. Integration with SIEM solutions provides enterprise-level visibility, advanced analysis capabilities, information sharing across teams and integration with ticketing systems. Precisely solutions can help extract insights from IBM i journal data and send it directly to SIEM platforms to monitor IBM i security alongside other platforms.

Similar to Randy Moeller - Mitigating Application Risk Upfront (Without Increased Hair Loss) (20)

A Study in Borderless Over Perimeter

How to leverage Enterprise Architecture in a regulated environment

Fisher Practice Areas 2012

GDPR | Cyber security process resilience

CNIT 121: 2 IR Management Handbook

Professional Designations IT Assurance

IT security consultancy company profile

Web Application Security: Beyond PEN Testing

CNIT 160: Ch 2a: Introduction to Information Security Governance

CHIME LEAD New York 2014 "Case Studies from the Field: Putting Cyber Security...

BI: How Can Your High-Performance BI System Meet Expectations When You Feed I...

CNIT 160 Ch 4a: Information Security Programs

The SharePoint Migration Playbook

Heureka Webinar – Security, the Growth Engine for eDiscovery Professionals

ACEDS-Zylab 4-3-15 Webcast

Splunk at Aaron's Inc

SharePoint 2013 ECM & Methodology

Getting to Know Enterprise Content Management (ECM) and How It Can Help You

Nist 800 53 deep dive 20210813

IBM i Security SIEM Integration

More from ARMA International

Information Governance in the Cloud: Compare and Contrast (2020 update)

Randy Moeller - Mitigating Application Risk Upfront (Without Increased Hair Loss)

Recommended

Recommended

More Related Content

What's hot

What's hot (11)

Similar to Randy Moeller - Mitigating Application Risk Upfront (Without Increased Hair Loss)

Similar to Randy Moeller - Mitigating Application Risk Upfront (Without Increased Hair Loss) (20)

More from ARMA International

More from ARMA International (20)

Recently uploaded

Recently uploaded (20)

Randy Moeller - Mitigating Application Risk Upfront (Without Increased Hair Loss)