2. IT & ITES
[Slide diagram: Indian IT & ITES industry; recoverable labels only]
• Economy is growing consistently
• Strong export demand
• Market size: 2011 $76 Billion; 2020F $225 Billion
• Indian IT firms have delivery centres across the globe
• IT industry is well diversified to BFSI, Telecom, Retail
3. Unidentified Risks impact Performance
[Slide diagram; recoverable labels only]
• Impact performance in the market
• Increases business costs
• Results in closer scrutiny
• Reduces investor & market confidence
• Impairs customer service
• Disrupts major operations
• Failure in operational control
Source: SAP Labs
4. About GRC
• Governance, Risk Management and Compliance (GRC) issues around
information have become central to organizational strategies.
• Investment in this area in the US was at its highest in 2008, at $32 billion (7.4% growth)
• GRC platforms provide a single, federated framework that integrates
organizational processes and tools, supporting those processes for the purpose
of defining, maintaining and monitoring GRC. An appropriately chosen GRC
platform can lead to reduced complexities and increased efficiencies.
5. What’s GRC?
• Governance: The IT Governance Institute (ITGI) defines governance as “the set of
responsibilities and practices exercised by the board and executive management with the
goal of providing strategic direction, ensuring that the objectives are achieved,
ascertaining that the risks are managed appropriately and verifying that the enterprise’s
resources are being used responsibly.”
• Risk Management: This is an activity directed toward assessing, mitigating (to an
acceptable level) and monitoring risk. The principal goal of an organization’s risk
management process should be to protect the organization and its ability to perform its
mission, not just its IT assets.
• Compliance: This is an increasingly complex task given the global footprints of
organizations, the expanding regulatory environment (which is likely to become even
more stringent given the opportunities exposed by the current economic crisis) and local
regulations.
6. A Systems view of Compliance – Translating Regulations to Action
[Slide diagram; recoverable labels only]
• Compliance requirements: regulations (SOX, PCI, EUDPP), frameworks (COBIT, ISO) and internal policies, owned by the Board of Dir./CEO and the Audit Committee
• Business objectives and policies (CIO/CSO) pass through the IT GRC Process Management Pack and the Microsoft control library into control objectives, control activities and control testing procedures, producing a compliance status
• Operational systems (ITDM, IT Pro): systems management, CMDB, Active Directory, DW, plus non-Microsoft (partner) systems
• Outputs: comply/non-comply reports, residual risk reports, incident/issue reports, audit reports (Authority Document View) and an operations roadmap
Source: Microsoft
7. GRC: Area of concern
• What compliance regulations are applicable to your area?
• Have you failed any areas of compliance audits in the past? If so, what were the findings?
• What improvements would you like to see in your current mechanism for prioritizing the
security budget?
• How do you rate the effectiveness of your security controls?
• What would you like to see in the reports indicating the current status of compliance?
• How do you evaluate your risk currently? What are possible areas of improvement?
• What are critical threats to your area?
• How many times have you experienced these threats in the past 12 months?
• What area are you more concerned about, insider abuse or external threat? Please
provide specifics.
• Have any of your end users expressed dissatisfaction with the extra steps they have to go
through because of the security controls?
• Do you have a good data classification mechanism?
8. Microsoft: System Center Service Manager 2010
• System Center Service Manager 2010 delivers an integrated platform for automating and
adapting IT Service Management best practices to your organization's requirements.
• One of the benefits is IT governance, risk and compliance (IT GRC):
– The IT GRC Process Management Pack (PMP) for System Center Service Manager 2010
provides end-to-end compliance management and automation for desktop and datacenter
computers. The IT GRC PMP translates complex regulations and standards into authoritative
control objectives and control activities for the IT organization’s compliance program.
– The IT Compliance Management Series—which comprises multiple IT Compliance Management
Library (IT CML) products—helps you configure Microsoft products to address specific IT GRC
requirements.
Slide: Scenario: Round Trip Compliance (systems)
Purpose: To ensure that the audience understands the full value of our IT Process and Compliance features in helping to support the needs of the many people in an organization who have a vested interest in compliance. Round Trip Compliance is key to our value proposition and is shown here.
Key Points: FOCUS HERE IS ON THE SYSTEMS THAT ARE TOUCHED IN THE ROUND TRIP.
One of our key values and a core differentiator of our solution from our competitors is Round Trip Compliance, taking advantage of our integration and automation capabilities. With System Center, Forefront, and the Solution Accelerators we integrate process and knowledge of the process and compliance environments by:
• Mapping from regulatory standards (e.g. HIPAA) and internal IT policies (e.g. rules to provision a new server)
• Integrating the aforementioned processes and knowledge into automated configuration management solutions (e.g. System Center Configuration Manager)
• Then having the ability to monitor this (e.g. System Center Operations Manager)
• Finally, going back to reporting on compliance and process activities (System Center Service Manager)
This “Round Trip” execution helps the IT organization:
• Increase their compliance visibility. Based on the different roles people have, they see the relevant information (a report, an incident message, a change request) they need for their role
• Reduce wasted time due to tedious tasks
• Lower manual labor costs, as automation with System Center and Forefront helps to eliminate the need
• Lower audit and reporting costs with built-in reporting in System Center and Forefront
• Reduce risk, as the IT GRC Process Pack includes key control objectives for compliance management on Microsoft platforms
• Facilitate business change in a consistent, accurate, quality fashion
Next Slide: Always Ready for an IT Audit
End-to-end IT compliance management. A round-trip IT compliance management and monitoring capability integrates process data and learned knowledge by mapping from regulatory standards down to automated configuration management and monitoring, and back to audit reporting. Automated orchestration of IT operational tasks, such as server deployment and user provisioning, across multiple systems results in consistent, documented, and compliant IT activity.
Enterprise Connectivity. Integrating System Center and Forefront solutions with non-Microsoft tools enables interoperability for service delivery and identity management across the entire heterogeneous datacenter. Management of identities, credentials, and other sensitive resources helps organizations to integrate policies consistently across the organization and secure the enterprise.