XeroRisk provides a web-based corporate risk governance solution. It offers a flexible deployment model including on-premise, hosted, and software as a service options. The software provides risk identification, assessment, monitoring and reporting capabilities. It supports risk management standards and allows integration with other business systems. Upcoming releases will include additional visualization, mobile access, and integration with a shared services hub.
Symantec Control Compliance Suite 10.0 is a holistic, fully-automated solution to manage all aspects of IT risk and compliance. It is expected to provide even greater visibility into an organization’s security and compliance posture while still lowering compliance cost and complexity.
Symantec Control Compliance Suite 11, February 2012 - Symantec
Symantec Control Compliance Suite 11 is the latest version of its enterprise-class IT governance, risk and compliance (GRC) solution. It will feature the new Control Compliance Suite Risk Manager module which enables security leaders to better understand and communicate risks to the business environment from their IT infrastructure. Risk Manager translates technical issues into risks relevant to business processes, delivers customized views of IT risk for different stakeholders, and helps prioritize remediation efforts based on business criticality rather than technical severity.
This presentation was given at the BSidesMemphis 2012 and DerbyCon 2012 information security conferences. It lays out the process that a person should follow to implement a database security program specific to their organization.
To ensure security, it is important to build security in during both the planning and the design phases, and to adopt a security architecture which makes sure that regular and security-related tasks are deployed correctly. Security requirements must be linked to the business goals. We identified four domains that affect security at an organization, namely organization governance, organizational culture, the architecture of the systems, and service management. In order to identify and explore the strengths and weaknesses of a particular organization’s security, a wide-ranging model has been developed. This model is proposed as an information security maturity model (ISMM) and it is intended as a tool to evaluate the ability of organizations to meet the objectives of security.
Cyber Crime Conference 2017 - DFLabs Supervised Active Intelligence - Andrea ... - DFLABS SRL
Supervised Active Intelligence: an innovative approach to Automated Incident Response based on Machine Learning, leveraging orchestration, automated playbooks and integration with existing Security Ecosystem
From technology risk_to_enterprise_risk_the_new_frontier - Ramsés Gallego
This presentation was given at the ISRM Conference in Las Vegas (September 2010) and shows the shift in perception from Technology Risk to Enterprise Risk and how businesses and IT need to embrace that new frontier.
Presentation from AWS Worldwide Public Sector team's conference Building and Securing Applications in the Cloud (http://aws.amazon.com/campaigns/building-securing-applications-cloud/).
Information Security During Mergers & Acquisitions: Issues, Safety Measures, and Need-to-Know Solutions.
Information security risks and threats connected with mergers and acquisitions, which can include months of often precarious IT migrations and legacy services left exposed; how Cloud computing affects information security risks and threats during merger and acquisition activities, as well as the positive opportunities that they can offer; why Information Security should be involved in the early phases of due diligence, including the phases during which the deal is structured and the acquisition model is defined; a simple framework and actionable material.
IBM Banking: Automated Systems help meet new Compliance Requirements - IBM Banking
IBM automation systems, such as e-discovery and auto-classification, help financial firms achieve transparency and meet compliance requirements while maximizing the value of your existing content management architecture.
Governance, Risk, and Compliance Services - Capgemini
Capgemini’s integrated and centralized approach to Governance, Risk, and Compliance (GRC) breaks through traditional functional silos to deliver effective enterprise risk management and compliance as a continuous process. We help organizations manage a range of enterprise risks in the areas of IT, finance and accounting, operations, and regulatory compliance with flexible solutions comprised of a highly qualified CPA and CISA talent pool, innovative tools, and our unique collection of GPM best practice processes and controls.
Mindtree's managed firewall service has been carefully designed to fit the diverse requirements of today's connected enterprises. From large scale global deployments to small and remote offices, Mindtree has a managed firewall service designed to align with each individual organization's security initiatives and budgetary requirements.
NEMEA Compliance Center - the most powerful survey creation, management, and reporting solution available. It intuitively collects responses, writes, and produces standardized regulatory compliance reports. In fact, it even supports the use of many different standards at once. Our compliance software has a fully featured user-interface that lets you rapidly compare the laws and regulations that govern your industry and business.
ProcessGene develops forward-thinking GRC software solutions, designed to serve multi-subsidiary organizations. The company has been acknowledged as a market leader and innovator by the most important analyst firms. Businesses and governments worldwide use ProcessGene solutions to manage and control risks, assure compliance to policies and regulations, manage corporate governance programs, and perform internal audits.
ProcessGene’s Multi-Org technology enables synchronized management of several business process models (e.g. per subsidiary), all linked to a centrally controlled, global business process baseline.
ProcessGene also offers a full range of Multi-Org Business Process Management (BPM) solutions. For more information, visit www.processgene.com.
http://www.processgene.com//index.php?pageIndex=grc-solutions
BATbern48_How Zero Trust can help your organisation keep safe.pdf - BATbern
This presentation will bring insights into how the Zero Trust framework can help organizations improve their cybersecurity posture and resilience and what the organizational challenges are.
RedLegg's unique approach to Security Program Development is based on a solid Risk Management Foundation. The Risk Management approach considers the business needs while navigating the complexities of legal, regulatory and security requirements.
3. Why manage risks?
“A company's objectives, its internal organisation and the environment in which it operates are continually evolving and as a result, the risks it faces are continually changing. A sound system of internal control therefore depends on a thorough and regular evaluation of the nature and extent of the risks to which the company is exposed. Since profits are, in part, the reward for successful risk-taking in business, the purpose of internal control is to help manage and control risk appropriately rather than to eliminate it.”
“The guidance is based on the adoption by a company's board of a risk-based approach to establishing a sound system of internal control and reviewing its effectiveness. This should be incorporated by the company within its normal management and governance processes. It should not be treated as a separate exercise undertaken to meet regulatory requirements.”
Turnbull Report, September 1999
4. The Evolution of Risk Management
Previously:
Historical risks only
Expert management
Statistical analysis
Now:
Non-traditional risks
Causes of risk
Organisation-wide involvement
Senior management buy-in
Risk indicators
5. Risk Governance Maturity
Immature
• Risk management is ad-hoc
• Individuals or small teams
• No corporate visibility
• Appetite & exposure unknown
• Risk data not used to drive strategy
Maturing
• Simplistic framework
• Departmental
• Limited corporate visibility
• Risk exposure may be inaccurate
• Mitigation plans may be used to identify priorities
Mature
• Flexible governance framework
• Whole of company
• Corporate visibility & control
• Risk appetite known & monitored
• Use of risk data to drive investments & priorities
6. Integrated risk management
Risk management must be a “whole of company” process
Requires board level buy-in to objectives and methods of risk management
Risks are controlled at the appropriate level within the business, by the most appropriate people
Control & management of risks must be part of the normal business process – not an add-on or afterthought
Risks must be balanced at the corporate level
Without risk co-ordination, perceived risks may be blown out of proportion
There must be mechanisms to escalate risks to the appropriate level.
The risk management system needs to support the risk process without being intrusive
Intrusion usually results in non-use
Risk co-ordination & challenge processes become “big stick” exercises.
8. Line Xero: Company Overview
Formed in 1990 as an IT strategy consultancy
Provides IT Design Authority services to a number of FTSE-100 companies
Created XeroRisk as a product in 2004
Originally built for United Utilities
Strong take up in asset intensive & regulated businesses
Operates e-commerce web application facilities on behalf of several Internet based businesses
9. Line Xero: XeroRisk Overview
Simplicity
Licensing
Easy & flexible licensing schemes
Trust based
Clear commercials
Support
Dedicated support team
Dedicated support telephone number & self-service portal
Development
Clear roadmap
Zero cost upgrades & functional improvements
10. Line Xero: Hosting Services
Operate two datacentres
Melton Mowbray – Production
Maidenhead – Disaster Recovery
1 DR failover in 2006 (for 3 hours) – network outage
Mirrored database services – 15min recovery
Clustered in-centre d/b services
Tape backups & tape shipping
11. XeroRisk: A risk management solution
Risk cycle (diagram): Risk Assessment; Assignment of ownership & monitoring; Application of Actions & Controls
Fully web based application
Integrates with existing business processes
Simple to deploy
Very intuitive to use
Risks identified, managed & controlled “on the ground”
Corporate exposure valued & monitored through escalation and aggregation
13. Standards Based Compliance
Supports the core requirements of AS/NZS 4360:1999
The only recognised risk management standard approved by ISO
Ensures the full traceability of risk management and mitigation actions
Supports elements of Basel II
A risk management process for banking & financial environments
Requires the risk process and associated systems to support both Board & Senior Management oversight of risk exposure.
14. XeroRisk Features
Full organisation model support
Role based security
Fully configurable risk assessment categories & levels
Email escalation & notification
Full audit trail of all user risk management activities
Built in reporting functions include Excel export, graphs etc
Support for unlimited users, risks, organisation units, hierarchy levels
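Slides 11 and 14 describe exposure being aggregated up the organisation model and escalated by email when it matters, with configurable assessment levels. The following is an added example of what that escalation and aggregation logic looks like in code; it is not XeroRisk's own code. Everything in it is a constructed assumption: exposure is impact multiplied by likelihood on 1..5 scales, organisation units form a tree, a unit may declare a risk appetite (the maximum aggregated exposure it tolerates) that child units inherit unless they set their own, and the high-impact/low-likelihood flag from slide 24 is applied as a second escalation rule because a plain exposure score hides such risks.

```python
"""Aggregation of risk exposure up an organisation tree and escalation decisions.
Added example, not XeroRisk code; scales, appetite rule and sample data are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    risk_id: str
    owner_unit: str
    impact: int       # 1 (negligible) .. 5 (severe), constructed scale
    likelihood: int   # 1 (rare) .. 5 (almost certain), constructed scale

    @property
    def exposure(self) -> int:
        return self.impact * self.likelihood


@dataclass(frozen=True)
class OrgUnit:
    name: str
    parent: Optional[str]           # None at the top of the hierarchy
    appetite: Optional[int] = None  # None means "inherit from the parent"


def effective_appetite(units: Dict[str, OrgUnit], name: str) -> Optional[int]:
    """Walk up the tree to the nearest unit that declares an appetite."""
    unit: Optional[str] = name
    while unit is not None:
        if units[unit].appetite is not None:
            return units[unit].appetite
        unit = units[unit].parent
    return None


def aggregate_exposure(units: Dict[str, OrgUnit], risks: List[Risk]) -> Dict[str, int]:
    """Each unit's total is its own risks' exposure plus everything below it."""
    totals = {name: 0 for name in units}
    for risk in risks:
        unit: Optional[str] = risk.owner_unit
        while unit is not None:          # credit the risk to every ancestor
            totals[unit] += risk.exposure
            unit = units[unit].parent
    return totals


def appetite_breaches(units: Dict[str, OrgUnit], risks: List[Risk]) -> Dict[str, Tuple[int, int]]:
    """Units whose aggregated exposure exceeds their effective appetite: (total, appetite)."""
    breaches = {}
    for name, total in aggregate_exposure(units, risks).items():
        appetite = effective_appetite(units, name)
        if appetite is not None and total > appetite:
            breaches[name] = (total, appetite)
    return breaches


def escalations(units: Dict[str, OrgUnit], risks: List[Risk],
                high_impact: int = 4, low_likelihood: int = 2) -> List[Tuple[str, str, Optional[str], str]]:
    """Individual risks that must go one level up: (risk_id, from_unit, to_unit, reason).
    Rule 1: the risk's own exposure exceeds the owning unit's effective appetite.
    Rule 2: high-impact / low-likelihood risks are flagged regardless of their score."""
    out = []
    for risk in risks:
        parent = units[risk.owner_unit].parent
        appetite = effective_appetite(units, risk.owner_unit)
        if appetite is not None and risk.exposure > appetite:
            out.append((risk.risk_id, risk.owner_unit, parent,
                        f"exposure {risk.exposure} exceeds appetite {appetite}"))
        elif risk.impact >= high_impact and risk.likelihood <= low_likelihood:
            out.append((risk.risk_id, risk.owner_unit, parent, "high impact / low likelihood"))
    return out


# Constructed sample organisation model and risk register.
UNITS = {
    "Company": OrgUnit("Company", None, appetite=40),
    "Finance": OrgUnit("Finance", "Company", appetite=12),
    "Operations": OrgUnit("Operations", "Company"),          # inherits 40
    "Water": OrgUnit("Water", "Operations", appetite=8),
}
RISKS = [
    Risk("R1", "Finance", impact=3, likelihood=3),     # exposure 9, within Finance's 12
    Risk("R2", "Water", impact=4, likelihood=1),       # exposure 4, but high impact
    Risk("R3", "Water", impact=3, likelihood=3),       # exposure 9, above Water's 8
    Risk("R4", "Operations", impact=2, likelihood=2),  # exposure 4
]

if __name__ == "__main__":
    for unit, total in aggregate_exposure(UNITS, RISKS).items():
        print(f"{unit:<11} aggregated exposure {total}")
    for unit, (total, appetite) in appetite_breaches(UNITS, RISKS).items():
        print(f"appetite breach in {unit}: {total} > {appetite}")
    for risk_id, src, dst, reason in escalations(UNITS, RISKS):
        print(f"escalate {risk_id} from {src} to {dst}: {reason}")
```

Two things the numbers make visible: Water breaches its appetite on aggregate (13 against 8) even though only one of its risks does so individually, which is why corporate exposure has to be summed rather than read off single records; and R2 escalates only because of the impact/likelihood flag, since its score of 4 looks harmless.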
15. A flexible deployment solution
Quick Implementation
XeroRisk doesn’t require installation on each client
Generic branded product available “off the shelf”
Branding to follow corporate styles can be quickly developed
Reduced support costs
New releases & updates are installed on central servers
Does not impact corporate desktop builds or current security policies
True Thin-Client
There are no ActiveX or Java components downloaded to the client
Partners or contractors can be quickly added without IS intervention
Low client hardware demands
Only a standard web browser is required for access
Integrates with standard or thin client desktops (e.g. Citrix)
Industry leading components
Windows 2003 Server or higher (Windows 2003 server recommended)
Microsoft SQL Server 2000 (Microsoft SQL Server 2005 SP2 recommended)
16. Deployment: Delivery mechanisms
Intranet
Installed on your hardware
Managed by in-house team
Internet
Installed on your hardware
Managed by your existing service provider
Hosted (ASP) Dedicated Solution
Installed on dedicated Line Xero hardware
All system resources dedicated to you, with bespoke control over security, DR,
backup regimes etc.
Managed by Line Xero support personnel
Hosted (ASP) Shared Solution
Installed on Line Xero hardware
You share the application server & database resources with other clients
Managed by Line Xero support personnel
17. Deployment: Choosing the model
Options compared: Intranet; Internet; Hosted (Shared); Hosted (Dedicated)
Do you need absolute control of your data? (for remote access options: using 128-bit SSL or VPN)
Will you allow contractors or partners access?
Do you need XeroRisk to follow your corporate style?
Will you need bespoke functionality developing to meet your risk management process?
Do you require a system availability of 24 x 7?
Can your in-house IS support team manage the technical environment used by XeroRisk?
Do you need to integrate XeroRisk data with other business systems?
18. Deployment: Professional Services
Implementation management & consultancy
Project management of end-to-end solution
Customisation of base product to support client requirements.
Definition of process and training needs
Product branding (“skinning”) to follow corporate styles
Technical Support
Definition of deployment architecture
Hardware & infrastructure definition
Capacity planning and hardware sizing
CD Backups
Applicable for hosted deployments
Includes production & delivery of regular database archives
Training
Training solutions including train-the-trainer, group training etc.
19. Deployment: Security Architecture
External users and internal users connect with a web browser, with optional 128-bit SSL
Firewall
Demilitarised Zone
Login and Authentication
Access control & permissions:
Role based permissions to functional areas
Administrator functions for account/system maintenance
Security applied on a per-object basis
Database tier: Primary database, with database mirroring to the DR database and log shipping to the Secondary database
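The slide separates three things: role-based permissions that open functional areas, administrator functions limited to account and system maintenance, and security applied per object. The code below is an added example of that two-stage check, not XeroRisk's own code; the role table, the functional areas, the ownership rule (read needs membership of the record's organisation unit, changes also need ownership) and the sample users are all constructed. Every decision, allowed or denied, is appended to an audit trail, matching the "full audit trail of all user risk management activities" feature on slide 14.

```python
"""Role based permissions to functional areas, then per-object checks, with an audit trail.
Added example, not XeroRisk code; roles, areas, ownership rule and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed role -> functional area table. Deny by default: an area listed for
# none of the user's roles is closed to them.
ROLE_AREAS: Dict[str, Set[str]] = {
    "risk_owner": {"risk_register", "action_plans"},
    "reviewer": {"risk_register", "reporting"},
    "administrator": {"account_maintenance", "system_maintenance"},  # no risk data areas
}

# Which functional area each object-level action belongs to.
ACTION_AREA: Dict[str, str] = {"read": "risk_register", "update": "risk_register", "close": "action_plans"}


@dataclass(frozen=True)
class User:
    name: str
    roles: Set[str]
    org_units: Set[str]   # organisation units the user belongs to


@dataclass(frozen=True)
class RiskRecord:
    risk_id: str
    org_unit: str
    owner: str


@dataclass
class AccessControl:
    # (user, action, object, outcome) for every decision taken
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def areas_for(self, user: User) -> Set[str]:
        return set().union(*(ROLE_AREAS.get(role, set()) for role in user.roles))

    def can_use_area(self, user: User, area: str) -> bool:
        return area in self.areas_for(user)

    def can_access(self, user: User, action: str, record: RiskRecord) -> bool:
        """Stage 1: does a role open the functional area? Stage 2: the object itself."""
        area = ACTION_AREA.get(action)
        if area is None or not self.can_use_area(user, area):
            return self._decide(user, action, record, "denied: functional area")
        if record.org_unit not in user.org_units:
            return self._decide(user, action, record, "denied: object not in user's unit")
        if action != "read" and record.owner != user.name:
            return self._decide(user, action, record, "denied: not the owner")
        return self._decide(user, action, record, "allowed")

    def _decide(self, user: User, action: str, record: RiskRecord, outcome: str) -> bool:
        self.audit.append((user.name, action, record.risk_id, outcome))
        return outcome == "allowed"


# Constructed sample users and one risk record.
ALICE = User("alice", {"risk_owner"}, {"Water"})
BOB = User("bob", {"reviewer"}, {"Water"})
CAROL = User("carol", {"reviewer"}, {"Finance"})
ADMIN = User("sysadmin", {"administrator"}, {"Water"})
RISK_42 = RiskRecord("RISK-42", "Water", owner="alice")


def demo() -> List[Tuple[str, str, str, str]]:
    """Run five representative requests and return the resulting audit trail."""
    ac = AccessControl()
    ac.can_access(ALICE, "update", RISK_42)   # owner in the right unit: allowed
    ac.can_access(BOB, "read", RISK_42)       # reviewer in the same unit: allowed
    ac.can_access(BOB, "update", RISK_42)     # same unit but not the owner: denied
    ac.can_access(CAROL, "read", RISK_42)     # role is fine, unit is not: denied
    ac.can_access(ADMIN, "read", RISK_42)     # admin role opens no risk area: denied
    return ac.audit


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The administrator case is the one worth noticing: the maintenance role deliberately grants no functional area that leads to risk records, so account administration and access to the register stay separate duties, and the audit row records the attempt either way.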
20. Deployment: Technical Architecture
Web Browser (JavaScript), connected over LAN/WAN or Internet
Web tier: Microsoft Windows 2003 Server running IIS (.Net) web components and COM+
Database tier: Microsoft Windows 2003 Server running SQL Server 2005 with stored procedures
SMTP
21. Integration with Collaborative Products
Business Process Management
Integration with Business Objects Management suite
Currently integrated at the portal level
Reporting & Analytical tools
Published database schema
Accessible with most reporting toolkits e.g. Business Objects, Forest & Trees
22. Industry Positioning
UK markets (example water clients)
Utilities: Gas; Communications; Postal Services; Water; Electricity
Public Services: Transport Police; Local Authorities; Rail Operators; Rail Maintenance; Airlines
International markets
Utilities: Water; Electricity
23. Development Roadmap
Timeline: October 2007; January 2008; April 2008; July 2008
Development: Release 5.3, then Release 6.0
Production: Release 5.3, then Release 6.0
Promotion of client installations from R5.2.1 to R5.3 will be agreed through normal change control processes.
Promotion to R6.0 will be a longer process due to extensive re-engineering of the underlying presentation technology. Hub installations will require additional cross-business testing.
24. Release Features
Hierarchical configuration
Specific ordering (Organisation units)
On-screen calendaring
“Active indicator” for picklist items
User groups & Teams improvements
Action list tick boxes
Straight to Action Plan tab
Scheduled reporting improvements
Flag high impact/low likelihood risks
Integrated SMS notification
Mobile XeroRisk
Running commentary
“My Home” page
XeroRisk Dashboard
Release 6.0
Pie & 3D Charting
ASP.Net Re-code
Opportunities
Web Services/The Hub
25. Web Services
Components: Business Application; Web Service; XeroRisk v6.0
1. User logs onto the business application
2. The user is authenticated by the security services
3. A request is made to access risk data
4. The security object provided by the business application is checked
5. If the user has appropriate privileges, the risk data is retrieved
6. The data is transferred through an XML schema
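The six steps above are an exchange between three parties, and the point of step 4 is that XeroRisk does not trust the business application's word for who the user is; it checks the security object itself before looking at privileges. The following is an added example carrying the exchange through with all sides in one file; it is not XeroRisk's or Line Xero's code. The format of the security object (a base64url JSON payload of user, privileges and expiry, authenticated with HMAC-SHA256 under a secret shared by the security services and the web service), the privilege name `risk:read`, the in-memory risk register and the `<risks><risk id=...>` XML layout are all constructed assumptions.

```python
"""The slide's six-step web service exchange: issue a security object, check it, check
privileges, return risk data as XML. Added example, not XeroRisk code; token format,
privilege names, register contents and XML layout are constructed."""
import base64
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

SHARED_SECRET = b"constructed-shared-secret"   # assumed pre-shared by the two services
TOKEN_TTL_SECONDS = 300

# Constructed sample privilege table and risk register.
USER_PRIVILEGES: Dict[str, Set[str]] = {"alice": {"risk:read"}, "bob": set()}
RISK_REGISTER = [
    {"id": "RISK-7", "org_unit": "Water", "title": "Treatment works power loss", "impact": 4, "likelihood": 2},
    {"id": "RISK-9", "org_unit": "Water", "title": "Billing system outage", "impact": 3, "likelihood": 3},
    {"id": "RISK-11", "org_unit": "Finance", "title": "Late regulatory return", "impact": 2, "likelihood": 2},
]


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- security services (step 2): authenticate and issue the security object ----
def issue_security_object(user: str, now: float) -> str:
    payload = {"user": user,
               "privileges": sorted(USER_PRIVILEGES.get(user, set())),
               "exp": int(now) + TOKEN_TTL_SECONDS}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


# ---- XeroRisk web service (steps 4 to 6) ----
def check_security_object(token: str, now: float) -> dict:
    """Step 4: reject malformed, tampered or expired objects before reading anything else."""
    if token.count(".") != 1:
        raise ValueError("malformed security object")
    body, tag = token.split(".")
    expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("security object signature invalid")
    payload = json.loads(_unb64(body))
    if payload["exp"] < now:
        raise ValueError("security object expired")
    return payload


def get_risk_data(token: str, org_unit: str, now: float) -> str:
    """Steps 4 and 5 decide; step 6 serialises the result through the XML layout."""
    payload = check_security_object(token, now)
    if "risk:read" not in payload["privileges"]:
        raise PermissionError(f"{payload['user']} lacks risk:read")
    root = ET.Element("risks", {"org_unit": org_unit})
    for r in RISK_REGISTER:
        if r["org_unit"] == org_unit:
            el = ET.SubElement(root, "risk", {"id": r["id"]})
            ET.SubElement(el, "title").text = r["title"]
            ET.SubElement(el, "impact").text = str(r["impact"])
            ET.SubElement(el, "likelihood").text = str(r["likelihood"])
    return ET.tostring(root, encoding="unicode")


# ---- business application (steps 1 and 3) ----
def business_app_fetch_risks(user: str, org_unit: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    token = issue_security_object(user, now)     # the user has logged on; step 2 issues the object
    return get_risk_data(token, org_unit, now)    # step 3 sends it with the request


def parse_risk_ids(xml_text: str) -> List[str]:
    """What the business application gets back after step 6."""
    return [el.get("id") for el in ET.fromstring(xml_text).findall("risk")]


if __name__ == "__main__":
    print(business_app_fetch_risks("alice", "Water"))
```

Because the tag covers the encoded payload, the business application cannot change the user or the privilege list without the check in step 4 failing, and the expiry means a captured object is only useful for a few minutes; both checks run before any privilege is consulted.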
26. The Hub
The Hub provides: Object permissions; Security objects; Authority to link; Link requests; Object views; Message updates
Connected parties: Company A (Finance, Asset Mgmt, HR); Company B (Finance); External services
Flows through the Hub: Link data; Risk updates; Internal risks