CUT THROUGH COMPLIANCE COMPLEXITY WITH
CONSOLIDATED OBJECTIVES
RECIPROCITY
A Publication of
www.reciprocitylabs.com
Organizations of all sizes and in all industries are wrestling to stay
compliant with a growing number of regulations. Unfortunately, the
burden to manage your compliance and penalties for not being
compliant only increase as your business expands. The
requirements and controls in various regulatory frameworks often
overlap, and differing schedules for updates or changes to these
frameworks can make meeting all your governance requirements an
exercise in duplicative work and wasted resources.
Agility in your compliance program can make you more responsive
to changes in the regulatory environment, changes in your business,
and help maximize your investment in your compliance program.
Automated tools can cut through the complexity—or at least make
managing the complexity less daunting—but one of the best ways to
simplify your compliance program is to implement consolidated
objectives.
COMPLIANCE IS COMPLEX.
Consolidated objectives are
common requirements across
regulatory frameworks.
While this approach involves a slightly
higher up-front investment in time, the
rewards win out in the long term—lower
management overhead and better
utilization of scarce resources more than
make up for your time investment.
Consolidating your compliance controls
and objectives brings multiple benefits:
• Better visibility into your
organization’s risk. Duplicate and
overlapping controls can make it
challenging to identify your compliance
posture. A single, rationalized control
gives you a better understanding of
how well you’re mitigating the risks to
your business.
• Increased agility and ability to
respond to change. If you implement
a company-wide change—say
converting from single- to multi-factor
authentication—you’ll waste time trying
to catalog all the authentication-relevant systems, policies, and parts of
your business. A consolidated
objective dictating user authentication
cuts through the confusion and
clarifies expectations for everybody in
the company.
• Stronger justification of your
compliance budget. If your
compliance program is overly complex
and inefficient due to the use of
multiple spreadsheets, annual budget
discussions with the higher-ups aren’t
going to go very well. Being able to
highlight your fiduciary aptitude will
make your team look better, and makes
it easier to justify requests for
additional budget when you genuinely
need more resources.
Many compliance and GRC tools offer a set of consolidated
objectives, which help you jumpstart your efforts to meet multiple
compliance programs. Rather than trying to figure out how much of
your ISO 27001 work overlaps with the PCI requirements, these tools
do the work for you. You’ll be able to save time and money up front,
and manage your compliance program with less hassle in the long
run by being able to better prioritize your work and focus your efforts
in areas where you have gaps. The net result is that your
compliance program can be a business enabler rather than a
roadblock.
Take for example password complexity requirements. Virtually all
infosecurity compliance frameworks require that you implement
measures to authenticate your users, and most mandate some form
of password strength and complexity. If you have three compliance
programs, why implement three separate password controls? That’s
3X the work for the same outcome!
Instead of doing your work in triplicate, you can create and
implement a single company-wide control dictating password length
and complexity requirements, then map that to the various
compliance programs you’ve put in place. Using the consolidated
objectives, the work required to design and implement this single
control can be multiplied, boosting your efficiency.
WHAT ARE CONSOLIDATED OBJECTIVES
AND WHY DO YOU NEED THEM?
Taking a step back and looking at an organization’s big
picture data model is often the difference between a
successful and an unsuccessful technology-enabled GRC Program Deployment. The ability to take
multiple disparate subsets of compliance requirements,
policies, standards and procedures, and integrate them
into a centralized and integrated framework - enabled
by GRC Technology - is the linchpin of Compliance
Management. In today’s day and age, minimizing cost of
compliance is no longer a nice-to-have. The ability to
'test once and apply to many' is now the new
standard in Compliance.
-- Kevin Berman, Partner - GRC Strategy and Enablement at Edgile
No information security or compliance program ever has a surplus
of staff or budget. Doing more with less is both an art and a science,
and turning overlapping requirements to your advantage can make
your job easier and give you a competitive advantage. Spending
time and money creating duplicative controls isn’t anyone’s idea of
good business practice—yet it’s easy to fall into that trap. The ability
to reuse your efforts in compliance gives you more flexibility and lets
you stretch your compliance budget further. This in turn lets you
invest your limited compliance resources more intelligently to
mitigate and manage your company’s risks.
Consolidated objectives can also help you cut through complexity in
your business processes, and turn your compliance program into a
driver of positive business change. Here’s an example. Most
compliance frameworks require you to perform certain HR tasks like
background checks. Rather than a messy web of compliance
programs driving different HR processes, a single HR-defined
background check process can be mapped across multiple
compliance objectives. This simplifies the strategic management of
your HR efforts, and helps you meet diverse requirements across
compliance frameworks such as ISO 27001, PCI, and FedRAMP.
HOW CONSOLIDATED CONTENT REDUCES
COMPLIANCE COMPLEXITY
A common affliction in the
compliance world, “audit
fatigue” results when the
auditing process becomes so
burdensome and repetitive that
your team resents it and may
even ignore requests for
corrective action.
Harmonizing an HR process might not seem like
an obvious driver of business efficiency, but by
understanding how HR processes support
multiple compliance programs, you can reduce
audit fatigue in the HR department.
Gathering evidence of effective background
checks can be done once, and that evidence
reused when you undergo audits against your
various compliance frameworks. Your HR
department will thank you when they are asked
for evidence only once a year instead of four
times when your PCI, ISO, FedRAMP, and SOC
2 auditors come to visit!
Many companies spend valuable time and resources struggling with
a compliance burden that continues to grow in both complexity and
size, using a disjointed combination of spreadsheets, emails,
documents, and manual processes. You can manage more
efficiently and cut out the complexity by choosing the right
compliance software.
Look for a tool that makes it easy to identify overlapping content
among frameworks. For example, ZenGRC's standardized content
hierarchy—the structure of compliance frameworks within the tool—
makes it easy to translate between frameworks and leverage work
done in one framework to meet other compliance requirements.
READY TO TAKE ADVANTAGE OF
CONSOLIDATED OBJECTIVES?
Enterprises are shifting more and more IT to the cloud,
either by switching to cloud infrastructure and away
from data centers, or by directly procuring cloud-based
software solutions where data and services are more
vendor responsibilities. Compliance questionnaires
and reports are the vehicles by which vendors satisfy
enterprise security requirements. Therefore, new
demands are being placed on both vendors and
enterprises to manage and communicate their
compliance programs. Compliance management has
become as important as Agile or DevOps. Modern
tools and methodologies are sorely needed.
-- David Bernstein, CEO and Founder of Cloud Strategy Partners
THREE THINGS YOU SHOULD
LOOK FOR IN A GRC TOOL TO
HELP YOU ACHIEVE GREATER
EFFICIENCY WITH
CONSOLIDATED OBJECTIVES
1. Relational modeling: Your GRC tool needs to make it easy
for you to establish and visualize the relationship between
your controls and consolidated objectives. Identifying the
commonality between frameworks helps you supercharge
your compliance efficiency.
2. Reusability: A compliance tool should let you test once, use
many times. If you have a single password control that
satisfies objectives in multiple compliance frameworks, any
testing you do on that control should be reusable in audits of
all objectives it satisfies, regardless of the framework.
3. Reduced effort required for compliance: Consolidating
objectives across multiple frameworks is part of the work, but
writing the controls you need to achieve those objectives is
really where your compliance team needs to focus. A tool
should give you the ability to highlight those objectives which
are not covered by your existing controls, allowing you to
focus your resources on these high priority areas.
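The three capabilities above (relational modeling, test-once reuse, and highlighting uncovered objectives) can be sketched as a small data model. This is an added illustration, not ZenGRC or Reciprocity code; the objective identifiers such as PCI-AUTH-1 are constructed placeholders, not real framework citations.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Objective:
    """One discrete requirement inside a framework (see the glossary)."""
    framework: str
    ref: str    # constructed placeholder id, not a real framework citation
    text: str


@dataclass
class Control:
    """A single company-wide control mapped to every objective it satisfies."""
    name: str
    description: str
    satisfies: frozenset          # set of Objective
    test_evidence: list = field(default_factory=list)


class ControlRegister:
    """Relational model: many controls <-> many objectives across frameworks."""

    def __init__(self, objectives):
        self._objectives = {(o.framework, o.ref): o for o in objectives}
        self._controls = {}

    def add_control(self, control):
        # Refuse mappings to objectives nobody has loaded; a silent typo here
        # would make the coverage report lie.
        for obj in control.satisfies:
            if (obj.framework, obj.ref) not in self._objectives:
                raise KeyError(f"{control.name} maps to unknown objective "
                               f"{obj.framework}/{obj.ref}")
        self._controls[control.name] = control

    def coverage(self):
        """Map (framework, ref) -> names of controls satisfying that objective."""
        cov = {key: [] for key in self._objectives}
        for ctrl in self._controls.values():
            for obj in ctrl.satisfies:
                cov[(obj.framework, obj.ref)].append(ctrl.name)
        return cov

    def gaps(self, framework=None):
        """Objectives with no control at all: where the team should focus."""
        return sorted(f"{fw}/{ref}"
                      for (fw, ref), names in self.coverage().items()
                      if not names and (framework is None or fw == framework))

    def reuse_factor(self, control_name):
        """How many objectives one test of this control is evidence for."""
        return len(self._controls[control_name].satisfies)

    def evidence_requests(self):
        """Evidence collections needed: one per covered objective if each
        framework is handled in its own silo, versus one per control."""
        covered = sum(1 for names in self.coverage().values() if names)
        return {"siloed": covered, "consolidated": len(self._controls)}


def build_sample_register():
    """Constructed sample: the page's password and background-check examples
    across PCI DSS, ISO 27001 and SOC 2, plus one deliberately unmapped objective."""
    pw = [Objective("PCI DSS", "PCI-AUTH-1", "Password length and complexity"),
          Objective("ISO 27001", "ISO-AUTH-1", "Password management"),
          Objective("SOC 2", "SOC2-AUTH-1", "Authentication credentials")]
    hr = [Objective("PCI DSS", "PCI-HR-1", "Screen personnel before hire"),
          Objective("ISO 27001", "ISO-HR-1", "Background verification checks"),
          Objective("SOC 2", "SOC2-HR-1", "Background checks on new hires")]
    unmapped = Objective("ISO 27001", "ISO-ASSET-1", "Inventory of assets")

    reg = ControlRegister(pw + hr + [unmapped])
    reg.add_control(Control("PWD-01", "Company-wide password policy",
                            frozenset(pw), ["policy doc", "IdM config export"]))
    reg.add_control(Control("BGC-01", "HR-defined background check process",
                            frozenset(hr), ["HR checklist sample"]))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    print("gaps:", register.gaps())
    print("PWD-01 reuse factor:", register.reuse_factor("PWD-01"))
    print("evidence requests:", register.evidence_requests())
```

Running the sample reports one gap (the unmapped asset-inventory objective), a reuse factor of 3 for the single password control, and two evidence collections instead of six.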
GLOSSARY OF COMPLIANCE TERMS
Governance, risk management and compliance is a complex and challenging business even for the most seasoned of experts. Here are
some of the commonly used terms in the compliance world that you need to understand as you embark on a compliance program.
• Attestation – like an audit, except the organization and third-party
examiner share the responsibility of an inaccurate examination
• Audit – an examination performed by an independent third party
that verifies the guidelines outlined by a regulatory body
• Audit fatigue – the resentment that occurs when your team is
constantly being audited or asked for the same things over and
over again as the company gets audited against different
frameworks.
• Compliance – adherence to a set of rules established by a
regulatory body
• Consolidated Objectives – mapping of requirements in one
framework to another. We have several common frameworks,
including PCI-DSS, NIST/FedRAMP, SOC 2, HIPAA, and ISO
27001/27002. In addition, the Reciprocity GRC Experts can help
you create mappings from other programs or your own internal
compliance programs.
• Control – a step in the process that monitors and mitigates risk
• Framework – an approach with risks, controls, and processes to
put in place a compliance model
• Objective – discrete requirement within a compliance framework
• Regulatory body – the organization that defines the rules and
methods to verify the rules
• Risk – the chance that a negative outcome, financial loss, or error
can damage the organization
• Scope – the boundaries to examine, which are usually dictated by
a regulatory body
• Standard – the specific law, rules, or requirements that make up
the scope during an examination
COMPLIANCE AGILITY
REQUIRES AGILE TOOLS
Are you ready to make the transition to a more
comprehensive compliance solution? Our GRC experts
can help guide you through that journey and
recommend the best solution for your organization.
Call us at (415) 851-8667 to schedule a consultation,
or visit us online at www.reciprocitylabs.com.
Reciprocity makes compliance work more engaging and rewarding.
Reciprocity’s mission is to turn corporate compliance from a cost center into a valuable strategic
asset. We make compliance and risk officers more nimble with lightweight software designed
for hot growing companies. Our Governance, Risk, and Compliance (GRC) Software
encourages compliance, risk, and audit managers to act more nimbly and stand toe-to-toe with
the fast paced world of business.
Visit us online at www.reciprocitylabs.com.

More Related Content

What's hot

Managed It Services
Managed It ServicesManaged It Services
Managed It ServicesGss America
 
5 steps for better risk assessment
5 steps for better risk assessment5 steps for better risk assessment
5 steps for better risk assessmentDrMohammedFarid
 
A Best Practices Guide to Quality Management
A Best Practices Guide to Quality ManagementA Best Practices Guide to Quality Management
A Best Practices Guide to Quality ManagementVERSE Solutions
 
6 implications of internal audit
6 implications of internal audit6 implications of internal audit
6 implications of internal auditSALIH AHMED ISLAM
 
Optimize Your ERP System: How to Avoid the Implementation Sins
Optimize Your ERP System: How to Avoid the Implementation SinsOptimize Your ERP System: How to Avoid the Implementation Sins
Optimize Your ERP System: How to Avoid the Implementation SinsBurCom Consulting Ltd.
 
UCMDB _Predictive Change Impact Analysis circa 2009
UCMDB _Predictive Change Impact Analysis circa 2009UCMDB _Predictive Change Impact Analysis circa 2009
UCMDB _Predictive Change Impact Analysis circa 2009djasso7494
 
7 Grc Myths Webinar 20110127 Final (2)
7 Grc Myths Webinar 20110127 Final (2)7 Grc Myths Webinar 20110127 Final (2)
7 Grc Myths Webinar 20110127 Final (2)GBBLUME
 
Segregation of Duties Solutions
Segregation of Duties SolutionsSegregation of Duties Solutions
Segregation of Duties SolutionsAhmed Abdul Hamed
 
Leveraging Open Source for Managing Complex Business Processes
Leveraging Open Source for Managing Complex Business ProcessesLeveraging Open Source for Managing Complex Business Processes
Leveraging Open Source for Managing Complex Business ProcessesNathaniel Palmer
 
Continual Improvement with Status Enterprise
Continual Improvement with Status EnterpriseContinual Improvement with Status Enterprise
Continual Improvement with Status EnterpriseRich Hunzinger
 
Governance, Risk, and Compliance Services
Governance, Risk, and Compliance ServicesGovernance, Risk, and Compliance Services
Governance, Risk, and Compliance ServicesCapgemini
 
The Plan for Upgrading Windows OSes
The Plan for Upgrading Windows OSesThe Plan for Upgrading Windows OSes
The Plan for Upgrading Windows OSesWill Kelly
 
Compliance Management Software | Corporate Compliance
Compliance Management Software | Corporate ComplianceCompliance Management Software | Corporate Compliance
Compliance Management Software | Corporate ComplianceCorporater
 
Module 3 business continuity student slides ver 1.0
Module 3 business continuity   student slides ver 1.0Module 3 business continuity   student slides ver 1.0
Module 3 business continuity student slides ver 1.0Aladdin Dandis
 
Agile in a highly regulated organization: part 2 2014
Agile in a highly regulated organization: part 2 2014Agile in a highly regulated organization: part 2 2014
Agile in a highly regulated organization: part 2 2014Tami Flowers
 

What's hot (20)

Managed It Services
Managed It ServicesManaged It Services
Managed It Services
 
5 steps for better risk assessment
5 steps for better risk assessment5 steps for better risk assessment
5 steps for better risk assessment
 
Fix nix, inc
Fix nix, incFix nix, inc
Fix nix, inc
 
A Best Practices Guide to Quality Management
A Best Practices Guide to Quality ManagementA Best Practices Guide to Quality Management
A Best Practices Guide to Quality Management
 
6 implications of internal audit
6 implications of internal audit6 implications of internal audit
6 implications of internal audit
 
Optimize Your ERP System: How to Avoid the Implementation Sins
Optimize Your ERP System: How to Avoid the Implementation SinsOptimize Your ERP System: How to Avoid the Implementation Sins
Optimize Your ERP System: How to Avoid the Implementation Sins
 
UCMDB _Predictive Change Impact Analysis circa 2009
UCMDB _Predictive Change Impact Analysis circa 2009UCMDB _Predictive Change Impact Analysis circa 2009
UCMDB _Predictive Change Impact Analysis circa 2009
 
it grc
it grc it grc
it grc
 
7 Grc Myths Webinar 20110127 Final (2)
7 Grc Myths Webinar 20110127 Final (2)7 Grc Myths Webinar 20110127 Final (2)
7 Grc Myths Webinar 20110127 Final (2)
 
Segregation of Duties Solutions
Segregation of Duties SolutionsSegregation of Duties Solutions
Segregation of Duties Solutions
 
How to Write Good Policies
How to Write Good PoliciesHow to Write Good Policies
How to Write Good Policies
 
Leveraging Open Source for Managing Complex Business Processes
Leveraging Open Source for Managing Complex Business ProcessesLeveraging Open Source for Managing Complex Business Processes
Leveraging Open Source for Managing Complex Business Processes
 
Continual Improvement with Status Enterprise
Continual Improvement with Status EnterpriseContinual Improvement with Status Enterprise
Continual Improvement with Status Enterprise
 
Governance, Risk, and Compliance Services
Governance, Risk, and Compliance ServicesGovernance, Risk, and Compliance Services
Governance, Risk, and Compliance Services
 
Simplifying IT GRC
Simplifying IT GRCSimplifying IT GRC
Simplifying IT GRC
 
The Plan for Upgrading Windows OSes
The Plan for Upgrading Windows OSesThe Plan for Upgrading Windows OSes
The Plan for Upgrading Windows OSes
 
Compliance Management Software | Corporate Compliance
Compliance Management Software | Corporate ComplianceCompliance Management Software | Corporate Compliance
Compliance Management Software | Corporate Compliance
 
Module 3 business continuity student slides ver 1.0
Module 3 business continuity   student slides ver 1.0Module 3 business continuity   student slides ver 1.0
Module 3 business continuity student slides ver 1.0
 
Introduction to erp
Introduction to erpIntroduction to erp
Introduction to erp
 
Agile in a highly regulated organization: part 2 2014
Agile in a highly regulated organization: part 2 2014Agile in a highly regulated organization: part 2 2014
Agile in a highly regulated organization: part 2 2014
 

Viewers also liked

João Destro Slide
João Destro SlideJoão Destro Slide
João Destro SlideWebgenium
 
21 c%e1ncer colon mbf
21 c%e1ncer colon mbf21 c%e1ncer colon mbf
21 c%e1ncer colon mbfMocte Salaiza
 
PV Final Resume with Cover Letter1 2016
PV Final Resume with Cover Letter1 2016PV Final Resume with Cover Letter1 2016
PV Final Resume with Cover Letter1 2016Phil Vandergriff
 
Indicio evidencia y prueba
Indicio evidencia y pruebaIndicio evidencia y prueba
Indicio evidencia y pruebatavo1704
 
Omnichannel-not-omnishambles
Omnichannel-not-omnishamblesOmnichannel-not-omnishambles
Omnichannel-not-omnishamblesRaffaella Bianchi
 
The New York City Financial Services Cluster - Research Paper
The New York City Financial Services Cluster - Research PaperThe New York City Financial Services Cluster - Research Paper
The New York City Financial Services Cluster - Research PaperLoucas Anagnostou
 
Basic Concept of Epidemiology
Basic Concept of EpidemiologyBasic Concept of Epidemiology
Basic Concept of EpidemiologyAminu Kende
 
Information System Audit - UNIKOM Seminar (Nov 2015)
Information System Audit - UNIKOM Seminar (Nov 2015)Information System Audit - UNIKOM Seminar (Nov 2015)
Information System Audit - UNIKOM Seminar (Nov 2015)Basuki Rahmad
 
Miles Davis - 10 Miles Davis Classics
Miles Davis - 10 Miles Davis ClassicsMiles Davis - 10 Miles Davis Classics
Miles Davis - 10 Miles Davis ClassicsPartitura de Banda
 

Viewers also liked (14)

João Destro Slide
João Destro SlideJoão Destro Slide
João Destro Slide
 
21 c%e1ncer colon mbf
21 c%e1ncer colon mbf21 c%e1ncer colon mbf
21 c%e1ncer colon mbf
 
Trabajo de dibujo
Trabajo de dibujoTrabajo de dibujo
Trabajo de dibujo
 
Projects list
Projects listProjects list
Projects list
 
PV Final Resume with Cover Letter1 2016
PV Final Resume with Cover Letter1 2016PV Final Resume with Cover Letter1 2016
PV Final Resume with Cover Letter1 2016
 
Indicio evidencia y prueba
Indicio evidencia y pruebaIndicio evidencia y prueba
Indicio evidencia y prueba
 
Omnichannel-not-omnishambles
Omnichannel-not-omnishamblesOmnichannel-not-omnishambles
Omnichannel-not-omnishambles
 
The New York City Financial Services Cluster - Research Paper
The New York City Financial Services Cluster - Research PaperThe New York City Financial Services Cluster - Research Paper
The New York City Financial Services Cluster - Research Paper
 
Basic Concept of Epidemiology
Basic Concept of EpidemiologyBasic Concept of Epidemiology
Basic Concept of Epidemiology
 
Information System Audit - UNIKOM Seminar (Nov 2015)
Information System Audit - UNIKOM Seminar (Nov 2015)Information System Audit - UNIKOM Seminar (Nov 2015)
Information System Audit - UNIKOM Seminar (Nov 2015)
 
Coronary Spasm
Coronary SpasmCoronary Spasm
Coronary Spasm
 
Hawaii five 0
Hawaii five 0Hawaii five 0
Hawaii five 0
 
Um instante maestro!
Um instante maestro!Um instante maestro!
Um instante maestro!
 
Miles Davis - 10 Miles Davis Classics
Miles Davis - 10 Miles Davis ClassicsMiles Davis - 10 Miles Davis Classics
Miles Davis - 10 Miles Davis Classics
 

Similar to Reciprocity_Consolidated Objectives eBook v2

Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5justinklooster
 
The DevOps promise: IT delivery that’s hot-off-the-catwalk and made-to-last
The DevOps promise:  IT delivery that’s hot-off-the-catwalk and made-to-lastThe DevOps promise:  IT delivery that’s hot-off-the-catwalk and made-to-last
The DevOps promise: IT delivery that’s hot-off-the-catwalk and made-to-lastPeter Shirley-Quirk
 
In Automated Controls It’s No Longer the Traditional Build vs. Buy
In Automated Controls It’s No Longer the Traditional Build vs. BuyIn Automated Controls It’s No Longer the Traditional Build vs. Buy
In Automated Controls It’s No Longer the Traditional Build vs. BuyMelissa Luongo
 
How to integrate risk into your compliance-only approach
 How to integrate risk into your compliance-only approach How to integrate risk into your compliance-only approach
How to integrate risk into your compliance-only approachAbhishek Sood
 
Ensemble - Process, Strategy and Performance Management
Ensemble - Process, Strategy and Performance ManagementEnsemble - Process, Strategy and Performance Management
Ensemble - Process, Strategy and Performance ManagementRefik Tuncer
 
Assurance Not just about the bugs Pt2
Assurance  Not just about the bugs  Pt2Assurance  Not just about the bugs  Pt2
Assurance Not just about the bugs Pt2Tim Freestone
 
Dimension data pursuing compliance in public cloud white paper
Dimension data pursuing compliance in public cloud white paperDimension data pursuing compliance in public cloud white paper
Dimension data pursuing compliance in public cloud white paperJason Cumberland
 
Introduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdfIntroduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdfSALES97
 
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCHSAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCHAMITTIWARI620759
 
An Introduction to econsys
An Introduction to econsysAn Introduction to econsys
An Introduction to econsysAndrew Redfern
 
Benefits-led decision making drives value maximisation white paper
Benefits-led decision making drives value maximisation white paperBenefits-led decision making drives value maximisation white paper
Benefits-led decision making drives value maximisation white paperAssociation for Project Management
 
Jile | 5 dimensions on scaling agile
Jile | 5 dimensions on scaling agileJile | 5 dimensions on scaling agile
Jile | 5 dimensions on scaling agileJile
 
Improving Speed to Market in E-commerce
Improving Speed to Market in E-commerceImproving Speed to Market in E-commerce
Improving Speed to Market in E-commerceCognizant
 
SHARE in Boston: z/OS Applications Adapting at the Speed of Business
SHARE in Boston: z/OS Applications Adapting at the Speed of BusinessSHARE in Boston: z/OS Applications Adapting at the Speed of Business
SHARE in Boston: z/OS Applications Adapting at the Speed of BusinessRichard Szulewski
 
34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactive34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactiveROMI Associates
 
Ieee sw small_projects
Ieee sw small_projectsIeee sw small_projects
Ieee sw small_projectsmanoharbalu
 
Performance based management in a nut shell (v5)
Performance based management in a nut shell (v5)Performance based management in a nut shell (v5)
Performance based management in a nut shell (v5)Glen Alleman
 

Similar to Reciprocity_Consolidated Objectives eBook v2 (20)

Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5
 
The DevOps promise: IT delivery that’s hot-off-the-catwalk and made-to-last
The DevOps promise:  IT delivery that’s hot-off-the-catwalk and made-to-lastThe DevOps promise:  IT delivery that’s hot-off-the-catwalk and made-to-last
The DevOps promise: IT delivery that’s hot-off-the-catwalk and made-to-last
 
In Automated Controls It’s No Longer the Traditional Build vs. Buy
In Automated Controls It’s No Longer the Traditional Build vs. BuyIn Automated Controls It’s No Longer the Traditional Build vs. Buy
In Automated Controls It’s No Longer the Traditional Build vs. Buy
 
How to integrate risk into your compliance-only approach
 How to integrate risk into your compliance-only approach How to integrate risk into your compliance-only approach
How to integrate risk into your compliance-only approach
 
Ensemble - Process, Strategy and Performance Management
Ensemble - Process, Strategy and Performance ManagementEnsemble - Process, Strategy and Performance Management
Ensemble - Process, Strategy and Performance Management
 
Beating the ERP Implementation Odds
Beating the ERP Implementation OddsBeating the ERP Implementation Odds
Beating the ERP Implementation Odds
 
Assurance Not just about the bugs Pt2
Assurance  Not just about the bugs  Pt2Assurance  Not just about the bugs  Pt2
Assurance Not just about the bugs Pt2
 
Dimension data pursuing compliance in public cloud white paper
Dimension data pursuing compliance in public cloud white paperDimension data pursuing compliance in public cloud white paper
Dimension data pursuing compliance in public cloud white paper
 
Introduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdfIntroduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdf
 
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCHSAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
 
An Introduction to econsys
An Introduction to econsysAn Introduction to econsys
An Introduction to econsys
 
Benefits-led decision making drives value maximisation white paper
Benefits-led decision making drives value maximisation white paperBenefits-led decision making drives value maximisation white paper
Benefits-led decision making drives value maximisation white paper
 
Optimize Your Quality Management System
Optimize Your Quality Management SystemOptimize Your Quality Management System
Optimize Your Quality Management System
 
Jile | 5 dimensions on scaling agile
Jile | 5 dimensions on scaling agileJile | 5 dimensions on scaling agile
Jile | 5 dimensions on scaling agile
 
Improving Speed to Market in E-commerce
Improving Speed to Market in E-commerceImproving Speed to Market in E-commerce
Improving Speed to Market in E-commerce
 
SHARE in Boston: z/OS Applications Adapting at the Speed of Business
SHARE in Boston: z/OS Applications Adapting at the Speed of BusinessSHARE in Boston: z/OS Applications Adapting at the Speed of Business
SHARE in Boston: z/OS Applications Adapting at the Speed of Business
 
34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactive34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactive
 
Ieee sw small_projects
Ieee sw small_projectsIeee sw small_projects
Ieee sw small_projects
 
FF - Buyers Guidex4
FF - Buyers Guidex4FF - Buyers Guidex4
FF - Buyers Guidex4
 
Performance based management in a nut shell (v5)
Performance based management in a nut shell (v5)Performance based management in a nut shell (v5)
Performance based management in a nut shell (v5)
 

Reciprocity_Consolidated Objectives eBook v2

  • 1. CUT THROUGH COMPLIANCE COMPLEXITY WITH CONSOLIDATED OBJECTIVES RECIPROCITY A Publication of www.reciprocitylabs.com
  • 2. Organizations of all sizes and in all industries are wrestling to stay compliant with a growing number of regulations. Unfortunately, the burden to manage your compliance and penalties for not being compliant only increase as your business expands. The requirements and controls in various regulatory frameworks often overlap, and differing schedules for updates or changes to these frameworks can make meeting all your governance requirements an exercise in duplicative work and wasted resources. Agility in your compliance program can make you more responsive to changes in the regulatory environment, changes in your business, and help maximize your investment in your compliance program. Automated tools can cut through the complexity—or at least make managing the complexity less daunting—but one of the best ways to simplify your compliance program is to implement consolidated objectives. 2 COMPLIANCE IS COMPLEX.
  • 3. Consolidated objectives are common requirements across regulatory frameworks. While this approach involves a slightly higher up-front investment in time, the rewards win out in the long term—lower management overhead and better utilization of scarce resources more than makes up for your time investment. Consolidating your compliance controls and objectives brings multiple benefits: • Better visibility into your organization’s risk. Duplicate and overlapping controls can make it challenging to identify your compliance posture. A single, rationalized control gives you a better understanding of how well you’re mitigating the risks to your business. • Increased agility and ability to respond to change. If you implement a company-wide change—say converting from single- to multi-factor authentication—you’ll waste time trying to catalog all the authentication- relevant systems, policies, and parts of your business. A consolidated objective dictating user authentication cuts through the confusion and clarifies expectations for everybody in the company. • Stronger justification of your compliance budget. If your compliance program is overly complex and inefficient due to the use of multiple spreadsheets, annual budget discussions with the higher-ups aren’t going to go very well. Being able to highlight your fiduciary aptitude will make your team look better, and makes it easier to justify requests for additional budget when you genuinely need more resources. 3
  • 4. Many compliance and GRC tools offer a set of consolidated objectives, which help you jumpstart your efforts to meet multiple compliance programs. Rather than trying to figure out how much of your ISO 27001 work overlaps with the PCI requirements, these tools do the work for you. You’ll be able to save time and money up front, and manage your compliance program with less hassle in the long run by being able to better prioritize your work and focus your efforts in areas where you have gaps. The net result is that your compliance program can be a business enabler rather than a roadblock. Take for example password complexity requirements. Virtually all infosecurity compliance frameworks require that you implement measures to authenticate your users, and most mandate some form of password strength and complexity. If you have three compliance programs, why implement three separate password controls? That’s 3X the work for the same outcome! Instead of doing your work in triplicate, you can create and implement a single company-wide control dictating password length and complexity requirements, then map that to the various compliance programs you’ve put in place. Using the consolidated objectives, the work required to design and implement this single control can be multiplied, boosting your efficiency. 4 WHAT ARE CONSOLIDATED OBJECTIVES AND WHY DO YOU NEED THEM?
Taking a step back and looking at an organization’s big-picture data model is often the difference between a successful and an unsuccessful technology-enabled GRC program deployment. The ability to take multiple disparate subsets of compliance requirements, policies, standards and procedures, and integrate them into a centralized and integrated framework, enabled by GRC technology, is the lynchpin of compliance management. In today’s day and age, minimizing the cost of compliance is no longer a nice-to-have. The ability to ‘test once and apply to many’ is now the new standard in compliance.

-- Kevin Berman, Partner, GRC Strategy and Enablement at Edgile
HOW CONSOLIDATED CONTENT REDUCES COMPLIANCE COMPLEXITY

No information security or compliance program ever has a surplus of staff or budget. Doing more with less is both an art and a science, and turning overlapping requirements to your advantage can make your job easier and give you a competitive advantage. Spending time and money creating duplicative controls isn’t anyone’s idea of good business practice—yet it’s easy to fall into that trap. The ability to reuse your compliance efforts gives you more flexibility and lets you stretch your compliance budget further. This in turn lets you invest your limited compliance resources more intelligently to mitigate and manage your company’s risks.

Consolidated objectives can also help you cut through complexity in your business processes, and turn your compliance program into a driver of positive business change. Here’s an example. Most compliance frameworks require you to perform certain HR tasks, such as background checks. Rather than a messy web of compliance programs driving different HR processes, a single HR-defined background check process can be mapped to objectives in multiple compliance frameworks. This simplifies the strategic management of your HR efforts, and helps you meet diverse requirements across frameworks such as ISO 27001, PCI, and FedRAMP.
A common affliction in the compliance world, “audit fatigue” results when the auditing process becomes so burdensome and repetitive that your team resents it and may even ignore requests for corrective action. Harmonizing an HR process might not seem like an obvious driver of business efficiency, but by understanding how HR processes support multiple compliance programs, you can reduce audit fatigue in the HR department. Gathering evidence of effective background checks can be done once, and that evidence reused when you undergo audits against your various compliance frameworks. Your HR department will thank you when they are asked for evidence only once a year instead of four times, when your PCI, ISO, FedRAMP, and SOC 2 auditors come to visit!
READY TO TAKE ADVANTAGE OF CONSOLIDATED OBJECTIVES?

Many companies spend valuable time and resources struggling with a compliance burden that continues to grow in both complexity and size, using a disjointed combination of spreadsheets, emails, documents, and manual processes. You can manage more efficiently and cut out the complexity by choosing the right compliance software. Look for a tool that makes it easy to identify overlapping content among frameworks. For example, ZenGRC’s standardized content hierarchy—the structure of compliance frameworks within the tool—makes it easy to translate between frameworks and leverage work done in one framework to meet other compliance requirements.
Enterprises are shifting more and more IT to the cloud, either by switching to cloud infrastructure and away from data centers, or by directly procuring cloud-based software solutions where data and services are more the vendor’s responsibility. Compliance questionnaires and reports are the vehicles by which vendors satisfy enterprise security requirements. Therefore, new demands are being placed on both vendors and enterprises to manage and communicate their compliance programs. Compliance management has become as important as Agile or DevOps. Modern tools and methodologies are sorely needed.

-- David Bernstein, CEO and Founder of Cloud Strategy Partners
THREE THINGS YOU SHOULD LOOK FOR IN A GRC TOOL TO HELP YOU ACHIEVE GREATER EFFICIENCY WITH CONSOLIDATED OBJECTIVES

1. Relational modeling: Your GRC tool needs to make it easy for you to establish and visualize the relationships between your controls and consolidated objectives. Identifying the commonality between frameworks helps you supercharge your compliance efficiency.

2. Reusability: A compliance tool should let you test once, use many times. If you have a single password control that satisfies objectives in multiple compliance frameworks, any testing you do on that control should be reusable in audits of all the objectives it satisfies, regardless of framework.

3. Reduced effort required for compliance: Consolidating objectives across multiple frameworks is part of the work, but writing the controls you need to achieve those objectives is really where your compliance team needs to focus. A tool should be able to highlight the objectives that are not covered by your existing controls, allowing you to focus your resources on these high-priority areas.
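The three capabilities above (a relational model of controls to objectives, evidence reuse across frameworks, and highlighting of uncovered objectives) can be shown with a small data model. The following is an added example written for this page; it is not code from ZenGRC or Reciprocity. The framework names come from the text, while every objective identifier, control name and evidence item is a constructed placeholder, not a real requirement number from any framework.

```python
"""Map one company-wide control to objectives in several frameworks, then
report coverage, evidence reuse and gaps.

Added illustration, not ZenGRC or Reciprocity code. All identifiers and
sample data below are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Objective:
    """A discrete requirement within one compliance framework."""
    framework: str
    ident: str      # constructed placeholder, not a real requirement number
    text: str


@dataclass
class Control:
    """One control that may satisfy objectives in many frameworks."""
    name: str
    description: str
    satisfies: frozenset                           # Objectives this control maps to
    evidence: list = field(default_factory=list)   # gathered once, reused everywhere


def sample_program():
    """Constructed sample: eight objectives in four frameworks, two controls.
    The two logging objectives are deliberately left without a control."""
    o = [
        Objective("PCI-DSS", "AUTH-PW", "Passwords meet minimum length and complexity"),
        Objective("ISO 27001", "A-PW", "Password system enforces quality passwords"),
        Objective("SOC 2", "CC-PW", "Credentials meet complexity requirements"),
        Objective("PCI-DSS", "HR-BG", "Screen personnel before hire"),
        Objective("ISO 27001", "A-BG", "Background verification on candidates"),
        Objective("FedRAMP", "PS-BG", "Personnel screening before granting access"),
        Objective("SOC 2", "CC-LOG", "System activity is logged and reviewed"),
        Objective("FedRAMP", "AU-LOG", "Audit records are generated and reviewed"),
    ]
    controls = [
        Control("PW-1", "Company-wide password policy: length, complexity, lockout",
                frozenset(o[0:3])),
        Control("HR-1", "HR runs a background check before the start date",
                frozenset(o[3:6])),
    ]
    return o, controls


def coverage(objectives, controls):
    """Relational model: objective -> sorted names of the controls mapped to it."""
    covered = defaultdict(list)
    for c in controls:
        for obj in c.satisfies:
            covered[obj].append(c.name)
    return {obj: sorted(covered.get(obj, [])) for obj in objectives}


def uncovered(objectives, controls, framework=None):
    """Gap list: objectives with no mapped control, optionally for one framework."""
    cov = coverage(objectives, controls)
    return [obj for obj in objectives
            if not cov[obj] and (framework is None or obj.framework == framework)]


def framework_summary(objectives, controls):
    """framework -> (objectives covered, objectives total)."""
    cov = coverage(objectives, controls)
    total, done = defaultdict(int), defaultdict(int)
    for obj in objectives:
        total[obj.framework] += 1
        if cov[obj]:
            done[obj.framework] += 1
    return {fw: (done[fw], total[fw]) for fw in total}


def evidence_for(objective, controls):
    """Test once, use many: evidence attached to a control counts toward every
    objective that control satisfies, whatever the framework."""
    return [item for c in controls if objective in c.satisfies for item in c.evidence]


def evidence_requests(objectives, controls):
    """(requests if each covered objective is evidenced separately,
        requests if evidence is gathered once per control)."""
    cov = coverage(objectives, controls)
    per_objective = sum(1 for obj in objectives if cov[obj])
    per_control = len({name for names in cov.values() for name in names})
    return per_objective, per_control


if __name__ == "__main__":
    objs, ctrls = sample_program()
    ctrls[1].evidence.append("Q1 background-check completion report (constructed)")
    for fw, (done, total) in framework_summary(objs, ctrls).items():
        print(f"{fw}: {done}/{total} objectives covered")
    for gap in uncovered(objs, ctrls):
        print(f"GAP  {gap.framework} {gap.ident}: {gap.text}")
    print("evidence requests without/with consolidation:", evidence_requests(objs, ctrls))
```

With the constructed data, six objectives are evidenced by two controls, so HR and the identity team each answer one request instead of three, and the two logging objectives surface as the gaps where new control work is needed.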
GLOSSARY OF COMPLIANCE TERMS

Governance, risk management and compliance is a complex and challenging business even for the most seasoned of experts. Here are some of the commonly used terms in the compliance world that you need to understand as you embark on a compliance program.

• Attestation – like an audit, except that the organization and the third-party examiner share responsibility for an inaccurate examination
• Audit – an examination performed by an independent third party that verifies adherence to the guidelines outlined by a regulatory body
• Audit fatigue – the resentment that occurs when your team is constantly being audited or asked for the same things over and over again as the company is audited against different frameworks
• Compliance – adherence to a set of rules established by a regulatory body
• Consolidated objectives – a mapping of requirements in one framework to those in another. We have several common frameworks, including PCI-DSS, NIST/FedRAMP, SOC 2, HIPAA, and ISO 27001/27002. In addition, the Reciprocity GRC Experts can help you create mappings from other programs or your own internal compliance programs.
• Control – a step in a process that monitors and mitigates risk
• Framework – an approach with risks, controls, and processes to put in place a compliance model
• Objective – a discrete requirement within a compliance framework
• Regulatory body – the organization that defines the rules and the methods to verify them
• Risk – the chance that a negative outcome, financial loss, or error can damage the organization
• Scope – the boundaries to examine, which are usually dictated by a regulatory body
• Standard – the specific law, rules, or requirements that make up the scope during an examination
COMPLIANCE AGILITY REQUIRES AGILE TOOLS

Are you ready to make the transition to a more comprehensive compliance solution? Our GRC experts can help guide you through that journey and recommend the best solution for your organization. Call us at (415) 851-8667 to schedule a consultation, or visit us online at www.reciprocitylabs.com.
Reciprocity makes compliance work more engaging and rewarding. Reciprocity’s mission is to turn corporate compliance from a cost center into a valuable strategic asset. We make compliance and risk officers more nimble with lightweight software designed for hot, growing companies. Our Governance, Risk, and Compliance (GRC) software encourages compliance, risk, and audit managers to act more nimbly and stand toe-to-toe with the fast-paced world of business. Visit us online at www.reciprocitylabs.com.