Controls Mapping Is Hot. It’s Also Difficult.
TRANSCRIPT
Moderator: Megan Phee Brown, Head of Strategic Alliances, LogicGate
Speakers: Tom Cornelius, Senior Partner, Compliance Forge; Gary Elens, Director of Customer Success, LogicGate
Housekeeping
• Download slides at https://go.oceg.org/controls-mapping-is-hot-it-s-also-difficult
• Answer all 3 polls
• Certificates of completion (only for OCEG All Access Pass holders)
• Evaluation survey at the close of the webinar
• Find the recording on the OCEG site at https://go.oceg.org/webinar-recordings
Learning Objectives
• Discuss an overview of controls and controls mapping
• Understand the drivers behind the recent interest
• Understand reasons why it’s harder than it sounds
• Discuss recommendations for how to adopt controls mapping
• Discuss cautionary tales and what to watch for
Poll 1
Do you have an OCEG All Access Pass (a paid membership) and would you like to receive CPE credit for this event?
a. Yes, I have an All Access Pass and I would like to receive a Certificate of Completion for this event
b. Yes, I have an All Access Pass but I do not need a Certificate of Completion
c. No, I do not have an All Access Pass but I would like to get one and receive CPE credit for this and future webcasts I attend
d. No, I do not have an All Access Pass and I don’t want to buy one at this time (so I won’t get CPE credit for this event)
WEBINAR: Controls mapping is hot. It’s also difficult.
Today’s Panel of Speakers
▪ Tom Cornelius, Senior Partner, Compliance Forge; Founder, Secure Controls Framework
▪ Gary Elens, Director of Customer Success, LogicGate
▪ Megan Phee Brown, Head of Strategic Alliances, LogicGate
LogicGate, Inc. | Confidential
Agenda
▪ Introductions
▪ Controls: An Overview
▪ Audience Poll #1
▪ Controls Mapping: In Demand
▪ Why it’s Hard
▪ Recommendations
▪ Audience Poll #2
▪ Closing Thoughts
▪ Q&A
Controls: An Overview
Setting the foundation:
▪ What are controls?
▪ What are some common examples?
▪ How are they different across companies? Across industries?
Controls: An Overview
“Where the rubber meets the road”: where people, processes, and technology come together to operationalize a GRC program.
Controls may be statutory, regulatory, contractual, or self-imposed.
[Figure: People, Process, and Technology overlapping, with Security at the intersection]
Controls: An Overview
Controls are central to managing risks, procedures, and metrics. Risks, metrics, and procedures map into the controls, which then map to standards and policies.
[Figure: Policies and Standards above Controls; Risks, Procedures, and Metrics feeding into Controls]
Controls: An Overview
What are the greater implications of having Controls in place?
▪ Two-sided coin analogy
▪ Consequences
Controls: An Overview
Well-designed documentation is hierarchical and builds on supporting components to enable a strong governance structure that utilizes an integrated approach to managing requirements.
[Figure: documentation hierarchy spanning Strategic/Enterprise to Tactical/Individual, with components Policy, Control Objective, Standard, Guideline, Control, and Procedure, each answering one of the questions “Why?”, “What are best practices?”, “What is the requirement?”, “What will it accomplish?”, “What are the steps?”, and “Who needs information?”]
Poll 2
How are you currently managing your controls?
a. I don’t know
b. We don’t have controls in place
c. We have controls, but don’t always follow through
d. Controls are managed by relevant individuals on a one-off basis
e. With a coherent strategy, framework, and robust mappings
Controls Mapping: In Demand
▪ What is controls mapping?
▪ What’s driving the interest?
Controls Mapping: In Demand
▪ Why do more regulations seem to be cropping up every year?
▪ Are they simply avoiding fines, or are there more fundamental reasons?
Why It’s Hard
▪ Time: evidence collection, assessments
▪ Cost: labor, technology
▪ Effort: requirements, breadth
LogicGate, Inc. | Confidential | May 1, 2018
[Figure: GRC taxonomy of interrelated elements]
▪ Objectives: Strategic, Department, Process
▪ Risks: Strategic, Operational, Financial
▪ Controls: Preventive, Detective, Corrective
▪ Issues: Complaint, Event, Investigation
▪ Roles: Owner, SME, Employee
▪ Policies: Code of Conduct, Policies & Procedures, Training & Awareness
▪ Obligations: Regulatory, Contractual, Value
▪ Organization: Entity, Process, Asset
Frameworks
What are control frameworks?
▪ NIST 800-53, PCI, HIPAA, ISO 27002
▪ SCF
▪ Technology as enabler
Frameworks
Not All Are Created Equal
▪ Level of detail (depth)
▪ Scope of coverage (breadth)
▪ Taxonomy (overall arrangement of requirements & formatting)
▪ Industry-specific terminology
Poll 3
Is controls mapping on your company’s compliance road map?
a. Not at this time
b. Yes, just completed
c. Yes, currently in progress
d. Yes, we plan to adopt controls mapping within the next year
e. I don’t know
Thank You!
▪ Tom Cornelius, Senior Partner, Compliance Forge; Founder, Secure Controls Framework
▪ Gary Elens, Director of Customer Success, LogicGate
▪ Megan Phee Brown, Head of Strategic Alliances, LogicGate
Q&A