Downloaded 94 times
Uploaded byanand choudhary
Simplifying IT GRC
This document summarizes information about simplifying IT governance, risk management, and compliance (GRC). It discusses how GRC has become central to organizational strategies and how investment in GRC platforms and tools in the US reached $32 billion in 2008. It provides definitions for governance, risk management, and compliance. It also outlines some key areas of concern for GRC and how Microsoft's System Center Service Manager 2010 and IT Compliance Management Library products can help organizations address GRC requirements and regulations.
Simplifying IT GRC
- 1. Simplifying IT Governance,Risk Management & Compliance Anand Choudhary
- 2. IT & ITES IndianIT & ITES industry Economy is Strong export consistently demand growing 2011 2020F Market Size: Market Size: $76 Billion $225 Billion Indian IT firms IT industry is have delivery well diversified centres across to BFSI, the globe Telecom, Retail 2
- 3. Unidentified Risks impactPerformance Impact Performance in the market Increases business costs Results in closer scrutiny Reduces investor & market confidence Impairs customer service Disrupts major operations Failure in operational control Source: SAP Labs 3
- 4. About GRC • Governance,Risk Management and Compliance (GRC) issues around information have become central to organizational strategies. • Investment in this area in US is highest in 2008 at $32 billion (7.4% growth) • GRC platforms provide a single, federated framework that integrates organizational processes and tools, supporting those processes for the purpose of defining, maintaining and monitoring GRC. An appropriately chosen GRC platform can lead to reduced complexities and increased efficiencies. 4
- 5. What’s GRC? • Governance: The IT Governance Institute (ITGI) defines governance as “the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that the objectives are achieved, ascertaining that the risks are managed appropriately and verifying that the enterprise’s resources are being used responsibly. • Risk Management: This is an activity directed toward assessing, mitigating (to an acceptable level) and monitoring risk. The principle goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. • Compliance: It is an increasingly complex task given the global footprints of organizations, the increase in regulatory environment (which is likely to become even more stringent given the opportunities exposed by the current economic crises) and local regulations. 5
- 6. A Systems viewof Compliance – Translating Regulations to Action Compliance SOX PCI EUDPP Board of Dir./CEO Audit Committee Requirements COBIT ISO Internal Policies Board of Dir./CEO Audit Committee IT GRC Process Management Business Pack Objectives Microsoft Control library CIO/CSO & Policies Control Objectives CIO/CSO Control Activities Compliance Control Testing Status Procedures ITDM ITDM System Operational Systems Management CMDB Comply/ Incident/ Residual Authority Issue Active Risk Reports Reports Directory DW Audit (Authority Document IT Pro IT Pro View) Microsoft (Partner) System Non- Available Operations Roadmap Partner Source: Microsoft
- 7. GRC: Area ofconcern • What compliance regulations are applicable to your area? • Have you failed any areas of compliance audits in the past? If so, what were the findings? • What improvements would you like to see in your current mechanism for prioritizing the security budget? • How do you rate the effectiveness of your security controls? • What would you like to see in the reports indicating the current status of compliance? • How do you evaluate your risk currently? What are possible areas of improvement? • What are critical threats to your area? • How many times have you experienced these threats in the past 12 months? • What area are you more concerned about, insider abuse or external threat? Please provide specifics. • Have any of your end users expressed dissatisfaction with the extra steps they have to go through because of the security controls? • Do you have a good data classification mechanism? 7
- 8. Microsoft: System CenterService Manager 2010 • System Center Service Manager 2010 delivers an integrated platform for automating and adapting IT Service Management best practices to your organization's requirements. • One of the benefit is: IT governance, risk and compliance (IT GRC) – The IT GRC Process Management Pack (PMP) for System Center Service Manager 2010 provides end-to-end compliance management and automation for desktop and datacenter computers. The IT GRC PMP translates complex regulations and standards into authoritative control objectives and control activities for the IT organization’s compliance program. – The IT Compliance Management Series—which comprises multiple IT Compliance Management Library (IT CML) products—helps you configure Microsoft products to address specific IT GRC requirements. 8
- 9. Thank you! Disclaimer: This presentationis prepared with the purpose to share knowledge instead to advertise any product. 9
Editor's Notes
- #7 Slide: Scenario: Round Trip Compliance (systems)Purpose: To insure that the audience understand the full value of our IT Process and Compliance features in helping to support the needs of the many people in an organization who have a vested interest in compliance. Round Trip Compliance is key to our value proposition and is shown here. Key Points:FOCUS HERE IS ON THE SYSTEMSTHAT ARE TOUCHED IN THE ROUND TRIPOne of our key values and a core differentiator from our competitions of our solution is Round Trip Compliance– taking advantage of our integration and automation capabilities. With System Center, Forefront, and the Solution Accelerators we integrate process and knowledge of the process and compliance environments by: Mapping from Regulatory Standards (Ex: HIPPA) and Internal IT Policies (Ex: Rules to provision a new server) Integrating the aforementioned processes and knowledge into automated configuration management solutions (Ex: System Center Configuration Manager)Then having the ability to monitoring this (Ex: System Center Operations Manager)Finally, go back to reporting on compliance and process activities (System Center Service Manager)This “Round Trip” execution helps the IT organization:Increase their compliance visibility. Based on the different roles people have they see the relevant information – a report, an incident message, a change request - they need for their roleReducing wasted time due to tedious tasksLowered manual labor costs as automation with System Center and Forefront helps to eliminate needLowering audit and reporting costs with built in reporting with System Center and ForefrontReduced risk as the IT GRC Process Pack includes key control objective for compliance management on Microsoft platforms.Facilitating business change in a consistent, accurate, quality fashion.Next Slide: Always Ready for an IT Audit End-to-end IT compliance management. A round-trip IT compliance management and monitoring capability integrates process data and learned knowledge by mapping from regulatory standards down to automated configuration management and monitoring, and back to audit reporting.Automated orchestration of IT operational tasks, such as server deployment, user provisioning, across multiple systems results in consistent, documented, and compliant IT activityEnterprise Connectivity. Integrating System Center and Forefront solutions with non-Microsoft tools enable interoperability for service delivery and identity management across the heterogeneous entire datacenter.Management of identities, credentials, and other sensitive resources helps organizations to integrate policies consistently across the organization and secure the enterprise.