© Risknavigator™ Lennart Bredberg 2010
RISKNAVIGATOR
Security Governance
September 2010

Risknavigator Solutions: Security Governance
Risknavigator's model for Security Governance is built on a
thorough understanding of three prerequisites needed to
build an integrated security governance solution, one in which
security and risk management are treated and managed like any
other basic business process within the organization:
• Management systems and process orientation
• Security Convergence
• GRC (Governance, Risk and Compliance)
Cost
How can I leverage my existing security infrastructure?
How can I reduce manual processes that are labor intensive,
repetitive and prone to error?
How do I optimize resources, technologies and security
operations?
Governance and Compliance
How can I keep up with government, organizational and industry
regulations?
How can I easily monitor infractions and proactively enforce my
security policies and rules?
How do I ensure that security governance and compliance
are constantly on the Board agenda?
Risk
How can I implement best practices and standardize the security
organization?
How can I lower liability and maximize asset protection?
How do I future-proof any security investment?
Security as a business process
Security should naturally be seen as a business process that
manages a security function, a process that is very closely
connected with the principles of quality assurance and
quality control.
Management of the risk inherent in an organization used to be
seen as a function embedded within the individual roles of the
C-level. Traditionally the approach was to treat risks separately
and assign responsibility to individuals or small teams. Managing
a single type of risk became a distinct job, and to be
successful in that job you had to focus on only one particular
area. The big problem with this “stove piped” approach was that
it ignored the interdependence of many risks and that it
sub-optimized the financing of total risk for the organization.
Breaking stovepipes and treating risk management and security
programs more like processes means that we need to bring the
different stakeholders in the problem together and set them to
solve the problem – together.
Security convergence
[Figure: © AESRM 2008]
A major trend in the security arena today is security
convergence.
ASIS International defines security convergence as:
“The identification of security risks and interdependencies between
business functions and processes within the enterprise and the
development of managed business process solutions to address those
risks and interdependencies.”
Imperatives driving convergence are:
• Rapid expansion of the Enterprise Ecosystem
• Value migration from physical to information-based
and intangible assets
• New protective technologies blurring functional
boundaries
• New compliance and regulatory regimes
• Continuing pressure to reduce cost
The convergence of IT and Physical Security is now a fact and as
IT has become a very important part of most organizations, new
international standards for physical security now also include IT
considerations for electronic documents.
Security convergence forces organizations to see beyond
security as a function and instead something that consists of
people, processes and strategies, being part of the overall
business life-cycle as a system.
Furthermore, organizations are now starting to appreciate the cost and
competitive advantages that can be gained by viewing
security not as a cost center but as a value add, lowering
costs and providing cost efficiencies.
Risknavigator has identified the top convergence goals for
an organization to reach in order to converge with the
greatest positive effect:
• Aligning security with corporate business goals
• Recruiting and retaining security staff
• Measuring security organization efficiency
• Using security for competitive breakthroughs
• Reducing security costs
• Demonstrating business value of security
• Developing a long term security architecture
• Improving security delivery
Security convergence must work in conjunction
with the business drivers of the organization. These business
drivers may differ from one organization to another, but some
drivers are shared and form common ground for both
logical security (IT) and physical security management. These
are:
• Compliance
• Cost control and productivity
• Shareholder value
• Asset and staff protection
• Business continuity
Each business driver has tightly connected activities on
three levels (strategic, tactical and operational) that
are critical and fundamental to the success of the security
operations and the process of convergence.
Let us look at the business driver Compliance and some
examples of the activities on each level that are connected
to it.
Strategic activities
Governance – e.g. a process to develop, implement and monitor
the security plan covering awareness, policies and standards.
The way to measure it is by direct response to critical breaches,
operational delays and unauthorized access.
Tactical activities
Audits – e.g. a process to audit logical and physical access
controls to IT and data to ensure only authorized people have
access. It can be measured by the number of access change
requests, time before acting on incidents and number of security
awareness training days.
Operational activities
Authentication and authorization – e.g. a process to safeguard
against unauthorized use, disclosure, modification or loss of
assets. This can be measured by the number of employees in the
company, the number of active access cards and the number of lost
badges that are still active.
GRC (Governance, Risk and Compliance)
GRC, an acronym for Governance, Risk Management and
Compliance, covers an organization's approach across these
three areas. Being closely related, governance, risk and
compliance activities are increasingly being integrated and
aligned in order to avoid conflicts, overlaps and
gaps. While interpreted differently in some organizations, GRC
typically involves activities such as corporate governance,
enterprise risk management (ERM) and corporate compliance
with applicable laws and regulations.
Governance is the overall management approach through
which the C-level directs and controls an organization, using a mix
of information and hierarchical management controls.
Governance activities ensure that strategies, directions and
instructions from management are carried out systematically
and effectively.
Risk management is a process to determine what controls
are necessary to protect sensitive or critical assets both
adequately and cost-effectively.
Two very important elements in a risk assessment process are
cost effectiveness and Return on Investment (ROI). Without
both of these elements present, any risk assessment falls short.
The response to risks typically depends on their perceived
gravity, and involves controlling, avoiding, accepting or
transferring them to a third party.
Compliance means conforming to e.g. relevant laws,
regulations, standards, strategies and policies.
Widespread interest in GRC was sparked by the US
Sarbanes-Oxley Act and the need for US listed companies to design and
implement suitable governance controls for SOX compliance,
but the focus of GRC has now shifted towards adding business
value through improving operational decision making and
strategic planning.
Prerequisites for building a Security Governance model
• Implement Quality and Environmental Management
systems, preferably based on ISO standards, and
thereby work with business process orientation.
• Identify the operating levers that affect the Security
Convergence Roadmap in terms of people, processes
and strategy.
• Implement an integrated framework to manage (G)
processes and policies, (R) true and perceived risk
and (C) compliance with relevant policies, standards
and laws.
Risknavigator and RiskWatch®
Risknavigator is a Partner and VAR of RiskWatch, the leading
Risk Assessment tool for regulatory compliance. For
regulatory compliance, RiskWatch is the most accurate,
comprehensive way to conduct governance, compliance and risk
assessments based on international standards including HIPAA,
ISO 17799, ISO 27001, COBIT 4.0 and Sarbanes-Oxley (SOX).
The RiskWatch software includes an installed Windows
application and a simple web-based questionnaire application.
The latter can also be run on an internal server, or hosted, to
facilitate the gathering of responses from management and IT
system users. Respondents simply answer the questions, and
their answers are imported for analysis.
RiskWatch™ is the world's top-rated provider of innovative
security risk assessment and compliance software that
automates the risk management process. RiskWatch clients
include over 2000 hospitals, health plans, investment banks,
business banks, credit unions, state agencies and Federal
agencies including the U.S. Federal Reserve Bank, the Nuclear
Regulatory Commission and the Department of Defense.
The Risk assessment process