Using Frameworks For GRC Productivity
Source: c.ymcdn.com/sites/… · 2011-11-11 · 43 pages

Transcript of Using Frameworks For GRC Productivity

Page 1:

Using Frameworks For GRC Productivity

Presented By: Gary Sheehan, CISSP, HISP

Advanced Server Management Group, Inc.

Page 2:

Introduction

Gary Sheehan, CISSP, HISP
Director, GRC Services
Advanced Server Management Group, Inc.
925 Euclid Avenue, Suite 1510
Cleveland, Ohio
[email protected]
216.255.3056

Copyright © 2010 Advanced Server Management Group, Inc.

Page 3:

Abstract

Regulations, compliance requirements, internal controls, contractual requirements and risk put pressure on an organization from every direction. Even more confusing, governance, risk management, compliance and security are all terms used by various departments and at various levels within an organization. Though their meanings are somewhat consistent across an organization, the communication and implementation of solutions that address these specific concerns are often inconsistent and incomplete.

Failure to implement efficient and effective policies, processes and technologies can threaten the reputation of your corporate brand and the overall success of your organization.

Page 4:

Agenda

• Why?
• What is GRC
• Using Frameworks
• Summary
• Q/A

“The most efficient and effective way to deal with the ever-growing array of regulations and compliance requirements is to establish a framework of consistent internal controls.”

The Association for Accountants & Financial Professionals in Business, 2009

Page 5:

Definitions

• Governance — The process by which policies are set and decision making is executed.

• Risk Management — The process for addressing risk with a balance of mitigation through the application of controls, transfer through insurance and acceptance through governance mechanisms.

• Compliance — The process of adherence to policies, requirements and decisions. Includes both voluntary and mandatory requirements.

• Internal Controls - Policies, procedures, practices and organizational structures put in place to reduce risks and provide reasonable assurance that an organization’s business objectives will be achieved and undesired events will be prevented, or detected and corrected.

Page 6:

Why?

• Today’s Top Issues for IT
  – Providing Value to the Organization
  – Next-Gen / Mobile / Smart Devices and Tablets
  – Social Media / Social Business
  – Cloud Computing
  – Consumerization of IT
  – Dealing with Big Data (Variety, Volume and Velocity)

2011 CIO Magazine

Page 7:

Why?

“IT must either start partnering with business leaders to lead the organization and evolve the organization, or become a commoditized utility while the business figures out the moves on their own.”

10/02/2011 - http://www.zdnet.com/blog/hinchcliffe/the-big-five-it-trends-of-the-next-half-decade-mobile-social-cloud-consumerization-and-big-data/1811

Page 8:

Why?

“There's a sizable gap between what IT departments are doing and what companies -- and presumably the CIOs who participated in this survey -- think they ought to be doing.”

07/2010 Survey – Deloitte – 1,000 IT Executives

Page 9:

Why?

• 33% viewed as stewards
• Over 50% enabling growth & enhancing productivity
• 33% should offer a competitive advantage
• Only 10% responded that the CIO should be a “revolutionary”
• Over 50% of IT executives want to be viewed as strategists or revolutionaries.

07/2010 Survey – Deloitte – 1,000 IT Executives

Page 10:

Why?

IT Strategist: Identifies a problem and comes up with a technological solution.

IT Revolutionary: Understands the goals of the organization and uses technology to create new revenue streams or radical new ways to deliver services.

Matt Law and Suketu Gandhi, Deloitte Principals
07/2010 Survey – Deloitte – 1,000 IT Executives

Page 11:

Why?

IT Strategist: Saves money on paper and ink by using electronic receipts instead of printed ones.

IT Revolutionary: Electronic receipts tied to the company's customer loyalty program, analyze their buying behavior, emails savings, & lures customers into the company's social media networks.

Matt Law and Suketu Gandhi, Deloitte Principals
07/2010 Survey – Deloitte – 1,000 IT Executives

Page 12:

Why?

• www.securitynewsportal.com
• www.ssnbreach.org
• www.adamdodge.com/esi/
• www.attrition.org
• www.infosecnews.org
• www.privacyrights.org
• www.darkreading.com/index.jhtml

478 reported breaches affecting over 30,301,437 records.

Page 13:

Why?

40% of the reported breaches could not estimate how many personal records were compromised!

Page 14:

Why?

Key Business Benefits Include:

• Supports organizational integration of executive and staff agendas through effective governance
• Promotes the understanding of enterprise risk in terms of dollar-value and corporate brand impact
• Facilitates prioritizing IT initiatives based on risk level and business value
• Can reduce costs
• Can help create additional revenue opportunities

Aberdeen Group

Page 15:

Why – Five Years Ago

• Business recognizes little value from IT investments
• Too much risk for the return we are getting
• Slow decision making
• Project overruns and delays
• Lack of stability, availability, protection and recoverability
• Compliance surprises
• Resource waste - inefficient
• Working within silos

Page 16:

What is GRC?

[Diagram: Governance, Risk, Compliance, Security, Performance]

Where does one begin?

Page 17:

What is GRC?

GRC is a system of people, processes and technology that enables an organization to:

• use an integrated approach to complete activities related to governance, risk management and compliance -- and --
• achieve business objectives while minimizing risk and protecting asset value.

Based on a 2010 Open Compliance & Ethics Group (OCEG) definition of GRC

Page 18:

What is GRC?

There are two ways to describe GRC.

IT: Governance, Risk and Compliance

Business: Guard Assets, Revenue Enhancement, Cost Reductions

Page 19:

What is GRC?

Phases:

• Education
• Communication
• Documentation
• Platform / Application
• Measurement

[Comic strip: “What have you done lately to enhance our strategy into the next adjacency and increase our competitive advantage?” “Everything!” “Excellent! I don’t know what that means.”]

Page 20:

What is GRC?

Education:

• Education breeds Documentation
• Documentation breeds Awareness
• Awareness breeds Interest
• Interest breeds Confidence
• Confidence breeds Action
• Action breeds Ownership
• Ownership breeds Accountability
• Accountability breeds Governance
• Governance breeds Compliance
• Compliance breeds Risk Reduction
• Less Risk breeds Better Security

Page 21:

What is GRC?

Communication: Keys to Success

• Cultural change
• Top down approach
• Integration & collaboration
• Concentrate on
  – People … then
  – Process … then
  – Technology

It’s Not Impossible

Page 22:

What is GRC?

Communication:

• Assemble an IT GRC Steering Committee
• Define what IT GRC means to your organization.
• Survey your organization's compliance landscape, governance posture and risk environment.
• Determine the most logical entry point and develop a phased approach.
• Establish a clear business case, considering both short-term and long-term value.
• Determine how success will be measured.

Page 23:

What is GRC?

Documentation

Page 24:

What is GRC?

Documentation

Documentation is considered to be a critical business asset in a GRC environment.

• Breeds awareness
• Provides direction
• Provides proof
• Connects strategy to tactical
• Subject to PDCA (continuous improvement)

Page 25:

What is GRC?

Platform & Measurement

Automation Opportunity
• e-GRC and focus on business process workflow
• IT-GRC and focus on business process integration

Measurement
• Metrics are key elements in either purchase.

Page 26:

Using Frameworks for GRC

[Diagram: Governance, Risk, Compliance, Security, Performance]

Where does one begin?

Page 27:

Using Frameworks for GRC

A framework is a structure for documenting, implementing and improving a set of concepts, processes, methods, technologies, standards, procedures and cultural changes necessary for a complete product.

Page 28:

Using Frameworks for GRC

Business Governance: Compliance & Governance

Business Performance: Performance & Governance

Information Technology Governance: Compliance, Governance, Business Alignment

Information Technology Services: Business Alignment, Performance, Governance

Security Services: Business Alignment, Security, Compliance

Page 29:

Using Frameworks for GRC

Frameworks help achieve your business objectives by improving your governance of IT services, infrastructure, and security.

[Diagram]
Business Goals: Growth, Cost Reductions, Efficiency, Productivity, Quality, Accountability…
Compliance (Voluntary / Mandatory): SOX, GLBA, PCI, HIPAA, FISMA…; Policies, Contracts
Corporate Governance
IT Governance
Systems, Applications, Infrastructure, Data Management

Page 30:

The Value Of Frameworks

Frameworks help achieve your business objectives by improving your governance of IT services, infrastructure, and security.

[Diagram]
Business Goals: Growth, Cost Reductions, Efficiency, Productivity, Quality, Accountability…
Compliance (Voluntary / Mandatory): SOX, GLBA, PCI, HIPAA, FISMA…; Policies, Contracts
Corporate Governance: COSO, Balanced Scorecard
IT Governance: COBIT
Security Management: ISO 27001-2 / NIST
IT Service Management: ISO 20000 / ITIL
Systems, Applications, Infrastructure, Data Management

Page 31:

The Value Of Frameworks

ISO 27001-2 (ISO/IEC 27002)

• Initiating, implementing, maintaining, and improving information security management in an organization.
• Risk-based assessments.
• Focuses on implementing internal controls to reduce risk and enable an organization to meet its business goals and objectives.

Page 32:

The Value Of Frameworks

ISO 27001-2

• Mapping (voluntary & mandatory requirements)
• Helps to establish governance & compliance
• Can be partnered with an established risk methodology
• Plays well with COBIT, COSO, ITIL and performance frameworks
• Promotes best practices
• Internationally tested & accepted
• Holistic approach to security that promotes business efficiencies and/or improvements

Page 33:

The Value Of Frameworks

ISO 20000-1/2

• Internationally recognized Service Management certification and standard
  – ISO 20000 Part 1 – Formal Specification
  – ISO 20000 Part 2 - Code of Practice
• Only concerns itself with the processes, policies, documentation, roles and responsibilities associated with service delivery and service support.

Page 34:

The Value Of Frameworks

ISO 20000-1/2

• Represents an industry consensus on quality standards for IT service management processes.
• Designed to ensure professional and cost-effective customer service where risks are understood and managed.
• The best possible service to meet a customer’s business needs within agreed resource levels
• Focuses on IT governance and compliance

Page 35:

The Value Of Frameworks

COBIT

• COBIT is a widely accepted IT governance framework that emphasizes IT regulatory compliance.
• Helps organizations to increase the value attained from IT
• Enables business alignment to IT resources by allowing managers a means to associate control requirements, technical issues, value and business risks.

Page 36:

The Value Of Frameworks

COBIT

• Provides a toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.
• The business orientation of COBIT consists of linking business goals to IT goals.
• COBIT provides metrics and maturity models to measure achievement.
• COBIT identifies the related responsibilities of business and IT process owners.

Page 37:

Using Frameworks For GRC Productivity

• Why?
• What is GRC
• Using Frameworks

Pages 38-42:

Summary

Page 43:

Questions & Answers

Get Replies or Confirmation

[email protected]