LEADING WITH GRC - MetricStream


Page 1: LEADING WITH GRC - MetricStream

LEADING WITH GRC

Common Controls Framework

Sundar Venkat, Sr. Director Technology Compliance, Salesforce

Page 2

© GRC Summit 2017 | All Rights Reserved | GRC for High Performers

Forward-Looking Statements

Statement under the Private Securities Litigation Reform Act of 1995:

This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.

The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.

Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

Page 3

Together, We’re Building a Path Forward

[Figure: award timelines spanning 2009 • 2010 • 2011 • 2012 • 2013 • 2014 • 2015 • 2016 • 2017 and 2011 • 2012 • 2013 • 2014 • 2015 • 2016; September 2016]

• The world’s most innovative companies
• “Innovator of the Decade”
• 25K employees
• $2.39B Q1 FY18 revenue
• $389B in GDP impact by 2020
• 2M jobs created by 2020

Source: IDC White Paper, sponsored by Salesforce, "The Salesforce Economy," August 2016

Page 4

The Age of the Customer

Connect to your customers in a whole new way

A Single View of the Customer

• Conversational Service
• Actionable Analytics
• Unified Commerce
• Intelligent Communities
• Predictive Marketing
• Smart Apps
• Guided Sales
• Connected Products

Page 5

Who we are. What we do. How we do it.

Our Mission: Protect Customers, Protect Brand, Enable Growth

Elements of Trust: Compliance, Trusted Security, Always On Availability, Global Data Centers, Performance at Scale, Certifications

Our Values: People, Enablement, Growth, Trust

Our Deliverables:
• Compliance for Core Certs
• Partnerships with the Business
• Design for 2020 (Maturity & Efficiency)
• Intake Process for New Certs

Operating cycle with Business Partners: Partner • Sustain • Execute • Improve

TECHNOLOGY COMPLIANCE

Frameworks and certifications: SOX, SOC, PCI, ISO, FedRAMP, Japan Pmark, CJIS, DoD, Australia iRAP, HIPAA, Germany TUV, UK Cyber Essentials

Business partner organizations: Infrastructure, Trust, IT, Legal, Corp Dev, GBO

Page 6

Compliance Scalability Challenges

• Salesforce continues to grow rapidly across various industries and geographies. The number of compliance frameworks, regulatory requirements and stringency continues to increase. We did not have a standardized baseline across compliance frameworks across various Salesforce services
• Certifications/Audits occur throughout the year, causing audit fatigue to Business Partners
• Lack of consistency in evidence collection
• Inefficient control testing with no reuse of audit evidence
• Intake of new compliance frameworks cumbersome

Page 7

Common Controls Framework (CCF) - Vision

Compliance Center: “We are the global standard of excellence in internal audit, compliance and risk services. We enable the company’s success.”

Pillars:
1. Strengthen Governance
2. Streamline Audits
3. Develop & Optimize Compliance Content
4. Transform Risk & Compliance Processes
5. Implement Effective GRC & Tooling

Roadmap activities (from the figure; per-pillar placement and status markers are not recoverable from the extraction):
• Secure Executive Commitments
• Define Requirements
• Consolidate Auditors
• Align Audit Schedules
• Develop CCF Approach
• Complete Mapping & Develop Content
• Internal Controls Monitoring
• Process Maturity Assessment
• Consolidate Remediation Asks
• Evaluate & Select Vendor
• Training & Awareness
• Streamline Evidence Gathering
• Integrate Risks into Framework
• Continuous Surveillance & Content Refresh
• Implement & Execute Governance Model
• Drive Adoption & Enable Change Management
• Mature Technology Risk Management Function
• Continuous Process Improvements
• Implement System
• Ongoing Maintenance

Legend: ✔ Activity Completed; ▲ Activity Underway; • Planning /

Page 8

CCF Accomplishments Highlights

Highlights:
● CCF maintained on MetricStream
● Internal stakeholders involved: Tech Compliance, Engineering, Infrastructure, Information Technology, Security
● Scope: 17 frameworks; 5,128 requirements
● Final consolidated control count: 326
● % consolidation to Salesforce controls: 93%

Accomplishments:
● Created baseline of controls across compliance frameworks
● Minimized touchpoints with business partners and reduced audit fatigue
● Streamlined process and re-use of evidence across frameworks
● Optimized intake for new requirements
● Enabled embedded compliance across the company and more efficient compliance execution

Page 9

CCF Change Management & Sustainability

Process swimlanes: PwC, TC, BP, TC/BP

1.0 Authoritative Source Monitoring: Identify changes to compliance landscape

Triggers:
• Revisions or additions to existing framework requirements (e.g. PCI 3.1 to 3.2, or a new framework source, e.g. ISO, NIST, GDPR)
• Changed business context (i.e. new acquisitions, frameworks, products & services)
• Changes during audit cycles (TC or External) (i.e. Test Procedures, Evidence, Control Owners)
• Changed CCF data attributes (e.g. Control ID, Integrated Requirement, Control Implementation Statement)

Resulting changes:
• New, changed, or retired requirements
• New or updated common controls (Control and Audit Attributes)

2.0 Change Operations:
• Determine applicability and impact to CCF content library
• Offline reviews
• TC Signoff; BP Signoff
• Decision: Content refresh process required? (Yes / No)

3.0 Content Refresh:
• Refresh CCF Content Library (in MetricStream)
• TC Signoff

Page 10

MetricStream Journey and Timeline (2015 – 2017; legend: Completed, Active)

• System Selection (Oct 2015 - Jan 2016): Solution Design; Build vs. Buy; Vendor Selection: MetricStream
• Process and Data Readiness (Jun 2016 - Aug 2016): Refine Requirements; Process Alignment; Data Harmonization
• Implementation:
  – Phase 1 - SOX & IT Compliance Modules (Nov 2016 - May 2017)
  – Phase 2 - IA and ERM Modules (May 2017 - Oct 2017)
  – Phase 3 - SOX & IT Compliance Enhancements (May 2017 - Jul 2017)
  – Phase 4 - SOX 3.0 Sub Certs (May 2017 - Jun 2017)

Page 11

Page 12

• Libraries
• Single Sign On
• HR System Integration
• Audit Planning / Scoping
• Internal Audit
• Enterprise Risk Management
• SOX Certifications
• Testing
• Evidence Gathering
• Findings / Remediation
• Other System Integrations
• Email Escalations

Page 13

Thank You!

Continue the conversation online #GRCSummit