Controls mapping is hot. It's also difficult.

Moderator: Megan Phee Brown, Head of Strategic Alliances, LogicGate. Speakers: Tom Cornelius, Senior Partner, Compliance Forge; Gary Elens, Director of Customer Success, LogicGate.

Posted on 12-May-2022


TRANSCRIPT

Page 1

CONTROLS MAPPING IS HOT. IT'S ALSO DIFFICULT.

MODERATOR: MEGAN PHEE BROWN, HEAD OF STRATEGIC ALLIANCES, LOGICGATE

SPEAKERS: TOM CORNELIUS, SENIOR PARTNER, COMPLIANCE FORGE; GARY ELENS, DIRECTOR OF CUSTOMER SUCCESS, LOGICGATE

Page 2

Housekeeping

• Download slides at https://go.oceg.org/controls-mapping-is-hot-it-s-also-difficult

• Answer all 3 polls

• Certificates of completion (only for OCEG All Access Pass holders)

• Evaluation survey at the close of the webinar

• Find the recording on the OCEG site at https://go.oceg.org/webinar-recordings

Page 3

Learning Objectives

• Discuss an overview of controls and controls mapping

• Understand the drivers behind the recent interest

• Understand reasons why it’s harder than it sounds

• Discuss recommendations for how to adopt controls mapping

• Discuss cautionary tales and what to watch for

Page 4

Poll 1

Do you have an OCEG All Access Pass (a paid membership) and would you like to receive CPE credit for this event?

a. Yes, I have an All Access Pass and I would like to receive a Certificate of Completion for this event

b. Yes, I have an All Access Pass but I do not need a Certificate of Completion

c. No, I do not have an All Access Pass but I would like to get one and receive CPE credit for this and future webcasts I attend

d. No, I do not have an All Access Pass and I don't want to buy one at this time (so I won't get CPE credit for this event)

Page 5

WEBINAR:

Controls mapping is hot. It’s also difficult.

Page 6

Today's Panel of Speakers

Tom Cornelius, Senior Partner, Compliance Forge; Founder, Secure Controls Framework

Gary Elens, Director of Customer Success, LogicGate

Megan Phee Brown, Head of Strategic Alliances, LogicGate

LogicGate, Inc. | Confidential

Page 7

Agenda

▪ Introductions

▪ Controls: An Overview

▪ Audience Poll #1

▪ Controls Mapping: In Demand

▪ Why it's Hard

▪ Recommendations

▪ Audience Poll #2

▪ Closing Thoughts

▪ Q&A

Page 8

Controls: An Overview

Setting the foundation:

▪ What are controls?

▪ What are some common examples?

▪ How are they different across companies? Across industries?

Page 9

Controls: An Overview

"Where the rubber meets the road": where people, processes, and technology come together to operationalize a GRC program.

Controls may be statutory, regulatory, contractual, or self-imposed.

[Figure: People, Process and Technology, with Security where they meet]

Page 10

Controls: An Overview

Controls are central to managing risks, procedures, and metrics. Risks, metrics, and procedures map into the controls, which then map to standards and policies.

[Figure: Risks, Procedures and Metrics feeding into Controls; Controls mapping up to Standards and Policies]

Page 11

Controls: An Overview

What are the greater implications of having controls in place?

▪ Two-sided coin analogy

▪ Consequences

Page 12

Controls: An Overview

Well-designed documentation is hierarchical and builds on supporting components to enable a strong governance structure that utilizes an integrated approach to managing requirements.

[Figure: documentation hierarchy, from Strategic/Enterprise down to Tactical/Individual, with the levels Policy, Control, Standard, Objective, Procedure and Guideline, each answering one of the questions: Why? What is the requirement? What will it accomplish? What are best practices? What are the steps? Who needs information?]

Page 13

Poll 2

How are you currently managing your controls?

a. I don't know

b. We don't have controls in place

c. We have controls, but don't always follow through

d. Controls are managed by relevant individuals on a one-off basis

e. With a coherent strategy, framework, and robust mappings

Page 14

Controls Mapping: In Demand

What is controls mapping?

What's driving the interest?

Page 15

Controls Mapping: In Demand

Why do more regulations seem to be cropping up every year?

Are they simply avoiding fines, or are there more fundamental reasons?

Page 16

Why It's Hard

Time: evidence collection, assessments

Cost: labor, technology

Effort: requirements, breadth

[Figure: GRC object model, each object with its sub-types]

Objectives: Strategic, Department, Process

Risks: Strategic, Operational, Financial

Controls: Preventive, Detective, Corrective

Issues: Complaint, Event, Investigation

Roles: Owner, SME, Employee

Policies: Code of Conduct, Policies & Procedures, Training & Awareness

Obligations: Regulatory, Contractual, Value

Organization: Entity, Process, Asset

LogicGate, Inc. | Confidential | May 1, 2018

Page 17

Frameworks

What are control frameworks?

▪ NIST 800-53, PCI, HIPAA, ISO 27002

▪ SCF

▪ Technology as enabler

Page 18

Frameworks

Not All Are Created Equal

▪ Level of detail (depth)

▪ Scope of coverage (breadth)

▪ Taxonomy (overall arrangement of requirements & formatting)

▪ Industry-specific terminology
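The mapping model on page 10 (risks, procedures and metrics map into controls, which map out to standards and policies) and the framework differences on pages 17 and 18 (depth, breadth, taxonomy) are easier to reason about once the crosswalk is written down as data. The following is an added, constructed Python example; it is not code from the webinar, LogicGate, ComplianceForge or the SCF. The internal control IDs (IAM-01, IAM-02, IAM-03, LOG-01) are hypothetical, the framework requirement IDs are illustrative, and every mapping strength is an assumption rather than an authoritative crosswalk. It shows the four things a mapping exercise has to answer: how much of each framework the existing controls cover, where the gaps are, how many requirements one piece of evidence serves, and which mappings point at nothing because the framework taxonomy was not matched exactly.

```python
"""Crosswalk a small internal control set to several external frameworks and
report coverage, gaps, evidence reuse and dangling references.

Constructed example: control IDs (IAM-01 ...) are hypothetical, the framework
requirement IDs are illustrative, and every mapping strength is an assumption,
not an authoritative crosswalk.
"""
from dataclasses import dataclass, field

STRENGTH_RANK = {"full": 2, "partial": 1}  # "full" satisfies the requirement outright


@dataclass(frozen=True)
class Mapping:
    framework: str      # must match a key of SCOPE exactly (taxonomy matters)
    requirement: str    # requirement ID within that framework
    strength: str       # "full" or "partial"


@dataclass
class Control:
    cid: str
    title: str
    evidence: str                       # the one artifact an assessor would ask for
    mappings: list = field(default_factory=list)


# In-scope requirements per framework (the "breadth" the organisation must cover).
SCOPE = {
    "NIST 800-53": {"AC-2", "AC-6", "AU-2", "IA-5"},
    "ISO 27002": {"A.9.2.1", "A.9.2.3", "A.9.4.3", "A.12.4.1"},
    "PCI DSS": {"8.1", "8.2", "10.2"},
}

# Internal control catalog (constructed). IAM-03 deliberately uses the name
# "NIST SP 800-53", which is not the key used in SCOPE, so that mapping dangles.
CONTROLS = [
    Control("IAM-01", "Account lifecycle (joiner/mover/leaver)", "IdP provisioning log export",
            [Mapping("NIST 800-53", "AC-2", "full"),
             Mapping("ISO 27002", "A.9.2.1", "full"),
             Mapping("PCI DSS", "8.1", "full")]),
    Control("IAM-02", "Least-privilege role assignment", "Quarterly role review sign-off",
            [Mapping("NIST 800-53", "AC-6", "full"),
             Mapping("ISO 27002", "A.9.2.3", "partial")]),   # assumed: review only
    Control("IAM-03", "Password policy enforced by the IdP", "IdP password policy screenshot",
            [Mapping("NIST SP 800-53", "IA-5", "full"),       # dangling: framework name mismatch
             Mapping("ISO 27002", "A.9.4.3", "full"),
             Mapping("PCI DSS", "8.2", "partial")]),          # assumed: passwords only
    Control("LOG-01", "Central logging of security events", "SIEM source inventory",
            [Mapping("NIST 800-53", "AU-2", "full"),
             Mapping("ISO 27002", "A.12.4.1", "full"),
             Mapping("PCI DSS", "10.2", "full")]),
]


def _in_scope(m, scope):
    return m.framework in scope and m.requirement in scope[m.framework]


def coverage(controls, scope):
    """Best mapping strength reached for each in-scope requirement (None = unmapped)."""
    best = {fw: dict.fromkeys(reqs) for fw, reqs in scope.items()}
    for c in controls:
        for m in c.mappings:
            if not _in_scope(m, scope):
                continue  # reported separately by dangling_references()
            cur = best[m.framework][m.requirement]
            if cur is None or STRENGTH_RANK[m.strength] > STRENGTH_RANK[cur]:
                best[m.framework][m.requirement] = m.strength
    return best


def coverage_pct(controls, scope):
    """Percentage of each framework's in-scope requirements with a full mapping."""
    return {fw: round(100 * sum(s == "full" for s in reqs.values()) / len(reqs))
            for fw, reqs in coverage(controls, scope).items()}


def gaps(controls, scope):
    """Requirements still needing work: unmapped, or only partially mapped."""
    return {fw: {"unmapped": sorted(r for r, s in reqs.items() if s is None),
                 "partial": sorted(r for r, s in reqs.items() if s == "partial")}
            for fw, reqs in coverage(controls, scope).items()}


def evidence_reuse(controls, scope):
    """How many in-scope requirements each control's single evidence artifact serves."""
    return {c.cid: sum(_in_scope(m, scope) for m in c.mappings) for c in controls}


def dangling_references(controls, scope):
    """Mappings that point at no in-scope requirement (typos, renamed or re-versioned frameworks)."""
    return sorted((c.cid, m.framework, m.requirement)
                  for c in controls for m in c.mappings if not _in_scope(m, scope))


if __name__ == "__main__":
    print("coverage %:", coverage_pct(CONTROLS, SCOPE))
    print("gaps:", gaps(CONTROLS, SCOPE))
    print("evidence reuse:", evidence_reuse(CONTROLS, SCOPE))
    print("dangling:", dangling_references(CONTROLS, SCOPE))
```

The dangling-reference check is the one to run first on any real crosswalk: a framework renamed in one spreadsheet but not another, or a control set mapped against an older version of a standard, silently turns into an "unmapped" requirement and a false gap. Treating partial mappings separately from full ones keeps the depth differences between frameworks visible instead of letting a one-line control claim a multi-paragraph requirement.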

Page 19

Poll 3

Is controls mapping on your company's compliance road map?

a. Not at this time

b. Yes, just completed

c. Yes, currently in progress

d. Yes, we plan to adopt controls mapping within the next year

e. I don't know

Page 20

Thank You!

Tom Cornelius, Senior Partner, Compliance Forge; Founder, Secure Controls Framework

Gary Elens, Director of Customer Success, LogicGate

Megan Phee Brown, Head of Strategic Alliances, LogicGate

Page 21

Q&A