LEADING WITH GRC - MetricStream
LEADING WITH GRC
Common Controls Framework
Sundar Venkat, Sr. Director Technology Compliance, Salesforce
© GRC Summit 2017 | All Rights Reserved | GRC for High Performers
Forward-Looking Statements
Statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Together, We’re Building a Path Forward
The world’s most innovative companies: 2009 • 2010 • 2011 • 2012 • 2013 • 2014 • 2015 • 2016 • 2017
2011 • 2012 • 2013 • 2014 • 2015 • 2016
“Innovator of the Decade” (September 2016)
$389B in GDP impact by 2020
2M jobs created by 2020
$2.39B Q1 FY18 revenue
25K employees
IDC White Paper, sponsored by Salesforce, "The Salesforce Economy," August 2016
The Age of the Customer
Connect to your customers in a whole new way
Conversational Service
Actionable Analytics
Unified Commerce
Intelligent Communities
Predictive Marketing
Smart Apps
A Single View of the Customer
Guided Sales
Connected Products
Who we are. What we do. How we do it.
Our Mission: Protect Customers, Protect Brand, Enable Growth
Elements of Trust: Compliance, Trusted Security, Always On Availability, Global Data Centers, Performance at Scale, Certifications
Our Values: People, Enablement, Growth, Trust
Our Deliverables: Compliance for Core Certs; Partnerships with the Business; Design for 2020 (Maturity & Efficiency); Intake Process for New Certs
Business Partners: Partner, Sustain, Execute, Improve
TECHNOLOGY COMPLIANCE
SOX, SOC, PCI, ISO, FedRAMP, Japan Pmark, CJIS, DoD, Australia iRAP, HIPAA, Germany TUV, UK Cyber Essentials
Infrastructure, Trust, IT, Legal, Corp Dev, GBO
Compliance Scalability Challenges
• Salesforce continues to grow rapidly across various industries and geographies. The number of compliance frameworks, regulatory requirements and stringency continues to increase. We did not have a standardized baseline across compliance frameworks across various Salesforce services
• Certifications/Audits occur throughout the year, causing audit fatigue to Business Partners
• Lack of consistency in evidence collection
• Inefficient control testing with no reuse of audit evidence
• Intake of new compliance frameworks cumbersome
Common Controls Framework (CCF) - Vision
Compliance Center: “We are the global standard of excellence in internal audit, compliance and risk services. We enable the company’s success.”
1. Strengthen Governance
2. Streamline Audits
3. Develop & Optimize Compliance Content
4. Transform Risk & Compliance Processes
5. Implement Effective GRC & Tooling
Roadmap activities (slide legend: ✔ Activity Completed, ▲ Activity Underway, • Planning / Ongoing Maintenance):
Consolidate Auditors
Align Audit Schedules
Develop CCF Approach
Complete Mapping & Develop Content
Internal Controls Monitoring
Process Maturity Assessment
Consolidate Remediation Asks
Secure Executive Commitments
Define Requirements
Evaluate & Select Vendor
Training & Awareness
Streamline Evidence Gathering
Integrate Risks into Framework
Continuous Surveillance & Content Refresh
Implement & Execute Governance Model
Drive Adoption & Enable Change Management
Mature Technology Risk Management Function
Continuous Process Improvements
Implement System
Ongoing Maintenance
CCF Accomplishments
Highlights
● CCF maintained on MetricStream
● Internal stakeholders involved: Tech Compliance, Engineering, Infrastructure, Information Technology, Security
● Scope: 17 frameworks; 5,128 requirements
● Final consolidated control count: 326
● % consolidation to Salesforce controls: 93%
Accomplishments
● Created baseline of controls across compliance frameworks
● Minimized touchpoints with business partners and reduced audit fatigue
● Streamlined process and re-use of evidence across frameworks
● Optimized intake for new requirements
● Enabled embedded compliance across the company and more efficient compliance execution
CCF Change Management & Sustainability
1.0 Authoritative Source Monitoring: Identify changes to compliance landscape
Triggers (sources: PwC, TC, BP, TC/BP):
- Revisions or additions to existing framework requirements (e.g. PCI 3.1 to 3.2, or a new framework source)
- Changed business context (i.e. new acquisitions, frameworks, products & services)
- Changes during audit cycles (TC or External)
- Changed CCF data attributes (i.e. Test Procedures, Evidence, Control Owners)
Resulting changes:
- New, changed, or retired requirements (e.g. ISO, NIST, GDPR)
- New or updated common controls (Control and Audit Attributes; e.g. Control ID, Integrated Requirement, Control Implementation Statement)
2.0 Change Operations
Determine applicability and impact to CCF content library
Offline reviews
TC Signoff, BP Signoff
Content refresh process required? Yes / No
3.0 Content Refresh
TC Signoff
Refresh CCF Content Library (MetricStream)
MetricStream Journey and Timeline
2015 – 2016 – 2017 (legend: Completed / Active)
System Selection (Oct 2015 - Jan 2016): Solution Design; Build vs. Buy; Vendor Selection: MetricStream
Process and Data Readiness (Jun 2016 - Aug 2016): Refine Requirements; Process Alignment; Data Harmonization
Implementation:
Phase 1 - SOX & IT Compliance Modules (Nov 2016 - May 2017)
Phase 2 - IA and ERM Modules (May 2017 - Oct 2017)
Phase 3 - SOX & IT Compliance Enhancements (May 2017 - Jul 2017)
Phase 4 - SOX 3.0 Sub Certs (May 2017 - Jun 2017)
Libraries
Single Sign On
HR System Integration
Audit Planning/Scoping
Internal Audit
Enterprise Risk Management
SOX Certifications
Testing
Evidence Gathering
Findings/Remediation
Other System Integrations
Email Escalations
Thank You!
Continue the conversation online #GRCSummit