APPLICATION RISK MANAGEMENT
GETTING A GRIP ON APPLICATION RISK
2
PANELISTS
Kirk Hogan
khogan@icebergnetworks.com
Steve Schlarman
Steve.schlarman@rsa.com
APPLICATION RISK
3
RISK INTELLIGENCE
Trusted, transparent, aggregated risk data, delivered to stakeholders and senior leaders, enables informed, confident, effective decisions.
4
ICEBERG PILLARS
Pillars: Management Consulting; Implementation & Integration; Application Production Support; Risk Intelligence Academy; GRC Innovation.
Offerings under these pillars:
•  Workshops: Visioning, CMO/FMO, KRI/KPI
•  Solution Lifecycle Management (SLM)
•  20+ Certified Archer Engineers
•  Quality Management
•  Custom End-User & Admin Courses
•  Mentoring
•  Archer 101
•  Configuration & Change Management
•  Performance & Availability Monitoring
•  Insight (BI)
•  Connect (data)
•  Archer Utilities
•  6.1 Migration
5
APPLICATIONS ARE THE PATH TO DATA
DATA is reached by Employees, Consumers and Suppliers through APPLICATIONS deployed On-Premise, in the Cloud and on Mobile.
6
APPLICATIONS IN THE ENTERPRISE
•  508: average # of applications per enterprise (Netskope 2014)
•  22%: percentage of cloud business-critical apps invisible to the IT department (Netskope 2014)
•  >2,000: average # of unsafe mobile apps installed on employee devices (Veracode 2015)
7
POLL #1
How many applications are deployed in your organization?
8
KEY QUESTIONS
•  How many commercial vs. custom applications deployed?
•  Where are the applications installed?
On-premise? Cloud? Network? Laptop? Mobile?
•  What products/services does the application support?
•  How recently has a security assessment been done on each application?
•  How often should you re-assess?
•  How long does it take to do an assessment?
•  How accurate (or how trusted) is your assessment data?
9
SO WHAT?
Why is it crucial to have clear answers on application risk?
Potential impacts:
•  Infrastructure failures
•  Compliance failures
•  Security breaches
•  Privacy breaches
•  Reduced performance
•  Inability to deliver products & services
10
CHALLENGES
Fragmentation
•  Different assessment processes across the enterprise (silos)
•  Untrained employees assessing risk
•  Varied focus
Cyber Focus
•  Digital shift (incl. cloud + mobile)
•  Increased cyber security scrutiny from management & board
•  Focus from audit, regulators, etc.
Prioritization
•  Where do I focus my resources?
•  What applications are the most critical to our business?
11
THE CHALLENGE
•  Large North American bank
•  Over 2,000 applications deployed
•  Business units own risk management process
•  No centralized inventory & inconsistent risk management processes
OBJECTIVES
•  Move from spreadsheets to centralized automated tool
•  Harmonize risk management process across Lines of Business (LOBs)
•  Improve use of resources for managing risk
•  Provide better reporting to executive management
12
INVENTORY
•  Baseline: Over 2,000 applications
•  Rough inventory in several spreadsheets (no centralized inventory)
•  First step was categorization: “Apps that support core business processes”
•  Identified 1,800 business-critical applications
•  30 business technology risk managers across 6 LOBs, tasked with initial assessments
•  Assessments all done using spreadsheets, with different questionnaires and risk frameworks for each LOB.
Phases: Inventory, Harmonization, Automation, Prioritization, Measure & Improve
13
HARMONIZATION
•  “AHA” moment: LOBs realize they are all asking similar questions!
•  “Consolidate and co-ordinate”
•  Reduce dozens of assessment spreadsheets to one common set of questions; assess based on one common risk framework
•  Eventually: One assessment template & one risk “language”
14
IMPORTANCE OF LEADERSHIP
•  “Thou shalt”: Strong support from executive leadership
•  Strong leadership = crucial to get alignment between LOBs
•  LOBs still own risk, and have autonomy to make decisions; the goal is simply to harmonize the process & framework they’re working under
15
POLL #2
Are you confident that your organization has aligned leadership support?
16
AUTOMATION
•  Deriving meaning from hundreds of spreadsheets is incredibly difficult.
•  Bank essentially had “professional linkers” – resources spending most of their time cross-referencing spreadsheets!
•  RSA Archer deployed to centralize an inventory of applications + controls + evidence/documents.
•  First step was simply to convert the Excel spreadsheet to a standardized online questionnaire.
•  Result: Faster assessments + usable data
17
PRIORITIZATION
•  Automation + centralization resulted in a clean inventory of information: applications, controls, assessments.
•  Each application rated for risk: 1 to 5 (low to high) plus a weighted risk score
•  Now each LOB can prioritize resources to target the most critical risks, based on the most critical business processes.
•  Decisions are based on quantitative data, instead of gut feeling
18
PRIORITIZATION
LIKELIHOOD, IMPACT and RISK
Risk is derived from likelihood and impact:
•  Assessments determine likelihood: the fewer controls met, the more likely an event.
•  User expectations for confidentiality, integrity and availability determine impact.
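As an added worked example (not code from the slides, from Iceberg Networks, RSA Archer or the bank in the case study), the following Python models the rating scheme the two Prioritization slides describe: likelihood from the share of controls met, impact from user expectations for confidentiality, integrity and availability, a 1-to-5 rating, and a weighted score used to rank applications so a manager can ask for the "top 10 items this week". The banding thresholds, the use of the highest C/I/A expectation as impact, the `process_weight` criticality factor and the three sample applications are assumptions made for this example.

```python
"""Likelihood x impact rating for an application inventory.

Illustrative model only; the thresholds, the worst-case C/I/A rule, the
process_weight factor and the sample applications are constructed
assumptions, not the scoring used by the bank or by RSA Archer.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Assessment:
    app: str
    business_process: str
    controls_total: int          # questions in the common assessment template
    controls_met: int            # answered "control in place, evidence attached"
    confidentiality: int         # user expectation, 1 (low) .. 5 (high)
    integrity: int
    availability: int
    process_weight: float = 1.0  # assumed criticality of the supported business process


def likelihood(a: Assessment) -> int:
    """Fewer controls met -> higher likelihood. Maps the share of unmet
    controls onto 1..5 (assumed banding: ceil of unmet share * 5, floor 1)."""
    if a.controls_total <= 0 or not 0 <= a.controls_met <= a.controls_total:
        raise ValueError(f"{a.app}: inconsistent control counts")
    unmet = 1.0 - a.controls_met / a.controls_total
    return max(1, min(5, math.ceil(unmet * 5)))


def impact(a: Assessment) -> int:
    """Highest C/I/A expectation drives impact (assumed worst-case rule:
    a high availability need alone makes the application high impact)."""
    ratings = (a.confidentiality, a.integrity, a.availability)
    if any(not 1 <= r <= 5 for r in ratings):
        raise ValueError(f"{a.app}: C/I/A expectations must be rated 1..5")
    return max(ratings)


def risk_rating(a: Assessment) -> int:
    """1 (low) .. 5 (high), banding the likelihood x impact product (1..25)
    into five equal ranges: 1-5, 6-10, 11-15, 16-20, 21-25."""
    product = likelihood(a) * impact(a)
    return min(5, (product - 1) // 5 + 1)


def weighted_score(a: Assessment) -> float:
    """Weighted risk score: the product scaled by the criticality of the
    business process the application supports (assumed weighting)."""
    return round(likelihood(a) * impact(a) * a.process_weight, 1)


def prioritize(assessments):
    """Highest weighted score first; ties broken by rating, then name,
    so the report order is stable between runs."""
    return sorted(assessments,
                  key=lambda a: (-weighted_score(a), -risk_rating(a), a.app))


def top_n(assessments, n=10):
    """The 'top N items I need to deal with this week' view."""
    return [(a.app, risk_rating(a), weighted_score(a))
            for a in prioritize(assessments)[:n]]


# Constructed sample inventory: three fictional applications.
SAMPLE = [
    Assessment("PaymentsGateway", "Wire transfers", 40, 22, 5, 5, 5, 1.5),
    Assessment("HRPortal", "Payroll", 40, 36, 4, 3, 2, 1.0),
    Assessment("CafeteriaMenu", "Facilities", 20, 20, 1, 1, 2, 0.5),
]

if __name__ == "__main__":
    for app, rating, score in top_n(SAMPLE):
        print(f"{app:16} rating={rating} weighted={score}")
```

Because every input is a field of one record, a LOB can trace any rating back to the specific unmet controls or C/I/A expectation that produced it, which is the drill-down transparency the reporting slides contrast with spreadsheet-based assessment.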
19
BETTER DATA = BETTER REPORTING
Photo by Julien Haler / used under creative commons license https://www.flickr.com/photos/titlap/2297090390
•  Don’t overwhelm the pilot with everything that’s going on, only the crucial info
•  Most managers: “What are the top 10 items that I need to deal with this week?”
•  “Actionable Metrics”: Ability to drill down to see the remediation action plan.
•  Drill-down transparency was impossible with spreadsheets
20
DATA PYRAMID
21
REPORTING
Actionable Metrics: every dashboard or report designed and configured had a defined purpose.
22
REPORTING
23
REPORTING
24
REPORTING
25
POLL #3
How confident is your management team in the reporting they receive?
26
MEASURE & IMPROVE
Implementation / Roll-Out:
•  Don’t strive for 100% perfection
•  Get it about 80% right, listen to users, tweak it from there
Risk Management:
•  Original strategy was “remediate all the risks” / over-compensate
•  Shifting now to analyzing data collected to truly prioritize risk remediation
•  Future: Performance metrics – how can we improve resource efficiency?
27
ACHIEVING VALUE
•  100 active users on the platform
•  Gut feeling / guesswork replaced by decisions based on trusted & transparent risk data
•  Siloed risk assessment process now centralized & integrated between LOBs
•  Management can now make more informed, confident and effective decisions on where to focus resources.
•  Ultimately: This project has helped build & maintain trust from application users. Thousands of employees rely on business-critical apps.
28
RSA Archer: Inspire Everyone to Own Risk
The Maturity Journey (axes: Results, Reach): Compliance, Risk, Opportunity (Transform, Harness, Exploit)
Risk management is the key to protecting your competitive advantage.
29
From Compliance to Opportunity (axes: Results, Reach): Compliance, Risk, Opportunity
Obstacles: Resource overload; High rate of change; Lack of resources; Lack of business context
30
Q&A
Questions?
31
THANK YOU
icebergnetworks.com/application-risk
info@icebergnetworks.com
Kirk Hogan
khogan@icebergnetworks.com
Steve Schlarman
Steve.schlarman@rsa.com

"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 

Recently uploaded (20)

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 

Webinar: Getting a grip on application risk

  • 1. APPLICATION RISK MANAGEMENT: Getting a grip on application risk
  • 3. RISK INTELLIGENCE (APPLICATION RISK)
    Trusted, transparent, aggregated risk data → delivered to stakeholders & senior leaders → informed, confident, effective decisions
  • 4. ICEBERG PILLARS
    Pillars: Management Consulting; Implementation & Integration; Application Production Support; Risk Intelligence Academy; GRC Innovation
    Offerings: Workshops (Visioning, CMO/FMO, KRI/KPI); Solution Lifecycle Management (SLM); 20+ Certified Archer Engineers; Quality Management; Custom End-User & Admin Courses; Mentoring; Archer 101; Configuration & Change Management; Performance & Availability Monitoring; Insight (BI); Connect (data); Archer Utilities; 6.1 Migration
  • 5. APPLICATIONS ARE THE PATH TO DATA
    Employees, Consumers, Suppliers → APPLICATIONS (On-Premise, Cloud, Mobile) → DATA
  • 6. APPLICATIONS IN THE ENTERPRISE
    •  508: Average # of applications per enterprise (Netskope 2014)
    •  22%: Percentage of cloud business-critical apps invisible to IT department (Netskope 2014)
    •  >2,000: Average # of unsafe mobile apps installed on employee devices (Veracode 2015)
  • 7. POLL #1: How many applications are deployed in your organization?
  • 8. KEY QUESTIONS
    •  How many commercial vs. custom applications are deployed?
    •  Where are the applications installed? On-premise? Cloud? Network? Laptop? Mobile?
    •  What products/services does the application support?
    •  How recently has a security assessment been done on each application?
    •  How often should you re-assess?
    •  How long does it take to do an assessment?
    •  How accurate (or how trusted) is your assessment data?
  • 9. SO WHAT? Why is it crucial to have clear answers on application risk?
    Potential impacts:
    •  Infrastructure failures
    •  Compliance failures
    •  Security breaches
    •  Privacy breaches
    •  Reduced performance
    •  Inability to deliver products & services
  • 10. CHALLENGES
    Fragmentation:
    •  Different assessment processes across the enterprise (silos)
    •  Untrained employees assessing risk
    •  Varied focus
    Cyber focus:
    •  Digital shift (incl. cloud + mobile)
    •  Increased cyber security scrutiny from management & board
    •  Focus from audit, regulators, etc.
    Prioritization:
    •  Where do I focus my resources?
    •  What applications are the most critical to our business?
  • 11. THE CHALLENGE
    •  Large North American bank
    •  Over 2,000 applications deployed
    •  Business units own the risk management process
    •  No centralized inventory & inconsistent risk management processes
    OBJECTIVES
    •  Move from spreadsheets to a centralized automated tool
    •  Harmonize the risk management process across Lines of Business (LOBs)
    •  Improve use of resources for managing risk
    •  Provide better reporting to executive management
  • 12. INVENTORY (roadmap: Inventory → Harmonization → Automation → Prioritization → Measure & Improve)
    •  Baseline: Over 2,000 applications
    •  Rough inventory in several spreadsheets (no centralized inventory)
    •  First step was categorization: "Apps that support core business processes"
    •  Identified 1,800 business-critical applications
    •  30 business technology risk managers, 6 LOBs, tasked with initial assessments
    •  Assessments all done using spreadsheets, with different questionnaires and risk frameworks for each LOB
  • 13. HARMONIZATION
    •  "AHA" moment: LOBs realize they are all asking similar questions!
    •  "Consolidate and co-ordinate"
    •  Reduce dozens of assessment spreadsheets to one common set of questions; assess based on one common risk framework
    •  Eventually: One assessment template & one risk "language"
  • 14. IMPORTANCE OF LEADERSHIP
    •  "Thou shalt": Strong support from executive leadership
    •  Strong leadership is crucial to get alignment between LOBs
    •  LOBs still own risk and have autonomy to make decisions; the goal is simply to harmonize the process & framework they're working under
  • 15. POLL #2: Are you confident that your organization has aligned leadership support?
  • 16. AUTOMATION
    •  Deriving meaning from hundreds of spreadsheets is incredibly difficult.
    •  Bank essentially had "professional linkers": resources spending most of their time cross-referencing spreadsheets!
    •  RSA Archer deployed to centralize an inventory of applications + controls + evidence/documents.
    •  First step was simply to convert the Excel spreadsheet to a standardized online questionnaire.
    •  Result: Faster assessments + usable data
  • 17. PRIORITIZATION
    •  Automation + centralization resulted in a clean inventory of information: applications, controls, assessments.
    •  Each application rated for risk: 1 to 5 (low to high) plus a weighted risk score
    •  Now each LOB can prioritize resources to target the most critical risks, based on the most critical business processes.
    •  Decisions are based on quantitative data instead of gut feeling
  • 18. PRIORITIZATION: LIKELIHOOD and IMPACT together determine RISK
    •  Assessments determine likelihood: the fewer controls met, the more likely an event
    •  User expectations for confidentiality, integrity and availability determine impact
  • 19. BETTER DATA = BETTER REPORTING
    Photo by Julien Haler / used under Creative Commons license https://www.flickr.com/photos/titlap/2297090390
    •  Don't overwhelm the pilot with everything that's going on, only the crucial info
    •  Most managers: "What are the top 10 items that I need to deal with this week?"
    •  "Actionable Metrics": Ability to drill down to see the remediation action plan.
    •  Drill-down transparency was impossible with spreadsheets
  • 21. REPORTING: Actionable Metrics. Every dashboard or report designed and configured had a defined purpose
  • 25. POLL #3: How confident is your management team in the reporting they receive?
  • 26. MEASURE & IMPROVE
    Implementation / Roll-Out:
    •  Don't strive for 100% perfection
    •  Get it about 80% right, listen to users, tweak it from there
    Risk Management:
    •  Original strategy was "remediate all the risks" / over-compensate
    •  Shifting now to analyzing the data collected to truly prioritize risk remediation
    •  Future: Performance metrics. How can we improve resource efficiency?
  • 27. ACHIEVING VALUE
    •  100 active users on the platform
    •  Gut feeling / guesswork replaced by decisions based on trusted & transparent risk data
    •  Siloed risk assessment process now centralized & integrated between LOBs
    •  Management can now make more informed, confident and effective decisions on where to focus resources.
    •  Ultimately: This project has helped build & maintain trust from application users. Thousands of employees rely on business-critical apps.
  • 28. RSA Archer: Inspire Everyone to Own Risk
    The Maturity Journey (axes: Reach, Results): Compliance → Risk → Opportunity; Transform → Harness → Exploit
    Risk management is the key to protecting your competitive advantage.
  • 29. From Compliance to Opportunity (axes: Reach, Results)
    Stages: Compliance → Risk → Opportunity
    Obstacles: Resource overload; High rate of change; Lack of resources; Lack of business context
  • 31. THANK YOU
    icebergnetworks.com/application-risk
    info@icebergnetworks.com
    Kirk Hogan khogan@icebergnetworks.com
    Steve Schlarman Steve.schlarman@rsa.com
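Slides 17 through 19 describe the scoring the bank ended up with: likelihood derived from how many controls an assessment finds in place, impact derived from user expectations for confidentiality, integrity and availability, a 1-to-5 rating plus a weighted score per application, a top-N list per LOB, and a drill-down to the remediation plan. The block below is an added example of that pipeline in Python; it is not Iceberg's or RSA Archer's code. Everything in it is an assumption made for illustration: the control catalogue and its weights, the 1..5 CIA scale, taking the highest CIA expectation as the impact, and multiplying likelihood by impact to get the weighted score (the slide only says the two combine). The four sample applications are constructed.

```python
"""Application risk scoring: likelihood (from controls met) x impact (from CIA
expectations), a 1..5 rating, a weighted score, per-LOB prioritization and a
remediation drill-down. Added example, not Iceberg's or RSA Archer's logic.
The catalogue, weights, scale and sample inventory are all constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed control catalogue. Weights are an assumption: a heavier control
# contributes more to "controls met" than a lighter one.
CONTROLS: Dict[str, int] = {
    "mfa_enforced": 3,
    "encryption_at_rest": 2,
    "patching_sla_met": 2,
    "logging_enabled": 1,
    "access_review_quarterly": 1,
}


@dataclass(frozen=True)
class Assessment:
    """One completed questionnaire for one application."""
    app: str
    lob: str                     # line of business that owns the risk
    controls_met: frozenset      # names from CONTROLS found to be in place
    cia: tuple                   # user expectations (C, I, A), each 1..5


def likelihood(a: Assessment) -> int:
    """Slide 18: the fewer controls met, the more likely an event. Returns 1..5.
    Control names outside the catalogue are rejected so that untrusted
    questionnaire data cannot silently inflate the 'met' weight."""
    unknown = a.controls_met - set(CONTROLS)
    if unknown:
        raise ValueError(f"{a.app}: unknown controls in assessment: {sorted(unknown)}")
    total = sum(CONTROLS.values())
    met = sum(w for c, w in CONTROLS.items() if c in a.controls_met)
    gap = 1 - met / total            # share of control weight still missing
    return max(1, min(5, 1 + round(gap * 4)))


def impact(a: Assessment) -> int:
    """Slide 18: user expectations for C/I/A determine impact. Assumption: the
    highest of the three drives the value (one critical property is enough)."""
    if len(a.cia) != 3 or not all(1 <= v <= 5 for v in a.cia):
        raise ValueError(f"{a.app}: CIA expectations must be three values in 1..5")
    return max(a.cia)


def score(a: Assessment) -> dict:
    """Slide 17: a 1-to-5 rating plus a weighted score. Assumption: weighted
    score = likelihood * impact (1..25); the rating buckets that into 1..5."""
    lik, imp = likelihood(a), impact(a)
    weighted = lik * imp
    return {"app": a.app, "lob": a.lob, "likelihood": lik, "impact": imp,
            "weighted_score": weighted, "rating": (weighted + 4) // 5}


def remediation_plan(a: Assessment) -> List[str]:
    """Slide 19 drill-down: the controls not yet met, heaviest first."""
    missing = [c for c in CONTROLS if c not in a.controls_met]
    return sorted(missing, key=lambda c: (-CONTROLS[c], c))


def prioritize(assessments: List[Assessment], lob: Optional[str] = None,
               top: int = 10) -> List[dict]:
    """Slides 17 and 19: the top-N applications for one LOB (or for all),
    highest weighted score first; ties broken by name so the order is stable."""
    rows = [score(a) for a in assessments if lob is None or a.lob == lob]
    return sorted(rows, key=lambda r: (-r["weighted_score"], r["app"]))[:top]


# Constructed sample inventory: four applications across three LOBs.
SAMPLE = [
    Assessment("Payments Gateway", "Retail",
               frozenset({"mfa_enforced", "encryption_at_rest", "logging_enabled"}), (5, 5, 5)),
    Assessment("Vendor Portal", "Commercial", frozenset({"logging_enabled"}), (4, 3, 2)),
    Assessment("Internal Wiki", "Retail", frozenset(CONTROLS), (2, 2, 3)),
    Assessment("HR Records", "Corporate",
               frozenset({"mfa_enforced", "access_review_quarterly"}), (5, 4, 2)),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE):
        print(f'{r["app"]:18} L={r["likelihood"]} I={r["impact"]} '
              f'score={r["weighted_score"]:2} rating={r["rating"]}')
    print("Vendor Portal plan:", remediation_plan(SAMPLE[1]))
```

Two design points worth noting. `likelihood` refuses control names that are not in the catalogue rather than ignoring them, which is the code-level form of slide 8's "how trusted is your assessment data?": a questionnaire answer that does not map to a known control should fail the import, not quietly count as a control met. And `prioritize` sorts on the weighted score rather than the 1..5 rating, because the rating collapses a 16 and a 20 into the same bucket while the weighted score still separates them for the "top 10 this week" view.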