Using Frameworks For GRC Productivity
Presented By:Gary Sheehan, CISSP, HISP
Advanced Server Management Group, Inc.
Introduction
Gary Sheehan, CISSP, HISP
Director, GRC Services
Advanced Server Management Group, Inc.
925 Euclid Avenue
Suite 1510
Cleveland, Ohio
216.255.3056
Copyright © 2010 Advanced Server Management Group, Inc.
Abstract
Regulations, compliance requirements, internal controls, contractual requirements and risk put pressure on an organization from every direction. Even more confusing, governance, risk management, compliance and security are all terms used by various departments and at various levels within an organization. Though their meanings are somewhat consistent across an organization, the communication and implementation of solutions that address these specific concerns are often inconsistent and incomplete.
Failure to implement efficient and effective policies, processes and technologies can threaten the reputation of your corporate brand and the overall success of your organization.
Agenda
• Why?
• What is GRC
• Using Frameworks
• Summary
• Q/A

"The most efficient and effective way to deal with the ever-growing array of regulations and compliance requirements is to establish a framework of consistent internal controls."
The Association for Accountants & Financial Professionals in Business, 2009
Definitions
• Governance — The process by which policies are set and decision making is executed.
• Risk Management — The process for addressing risk with a balance of mitigation through the application of controls, transfer through insurance and acceptance through governance mechanisms.
• Compliance — The process of adherence to policies, requirements and decisions. Includes both voluntary and mandatory requirements.
• Internal Controls — Policies, procedures, practices and organizational structures put in place to reduce risks and provide reasonable assurance that an organization's business objectives will be achieved and undesired events will be prevented, or detected and corrected.
Why?
• Today's Top Issues for IT
– Providing Value to the Organization
– Next-Gen / Mobile / Smart Devices and Tablets
– Social Media / Social Business
– Cloud Computing
– Consumerization of IT
– Dealing with Big Data (Variety, Volume and Velocity)
2011 CIO Magazine
Why?
"IT must either start partnering with business leaders to lead the organization and evolve the organization, or become a commoditized utility while the business figures out the moves on their own."
10/02/2011 - http://www.zdnet.com/blog/hinchcliffe/the-big-five-it-trends-of-the-next-half-decade-mobile-social-cloud-consumerization-and-big-data/1811
Why?
"There's a sizable gap between what IT departments are doing and what companies -- and presumably the CIOs who participated in this survey -- think they ought to be doing."
07/2010 Survey – Deloitte – 1,000 IT Executives
Why?
• 33% viewed as stewards
• Over 50% enabling growth & enhancing productivity
• 33% should offer a competitive advantage
• Only 10% responded that the CIO should be a "revolutionary"
• Over 50% of IT executives want to be viewed as strategists or revolutionaries.
07/2010 Survey – Deloitte – 1,000 IT Executives
Why?
IT Strategist: Identifies a problem and comes up with a technological solution.
IT Revolutionary: Understands the goals of the organization and uses technology to create new revenue streams or radical new ways to deliver services.
Matt Law and Suketu Gandhi, Deloitte Principals
07/2010 Survey – Deloitte – 1,000 IT Executives
Why?
IT Strategist: Saves money on paper and ink by using electronic receipts instead of printed ones.
IT Revolutionary: Ties electronic receipts to the company's customer loyalty program, analyzes customers' buying behavior, emails savings, and lures customers into the company's social media networks.
Matt Law and Suketu Gandhi, Deloitte Principals
07/2010 Survey – Deloitte – 1,000 IT Executives
Why?
• www.securitynewsportal.com
• www.ssnbreach.org
• www.adamdodge.com/esi/
• www.attrition.org
• www.infosecnews.org
• www.privacyrights.org
• www.darkreading.com/index.jhtml
478 reported breaches affecting over 30,301,437 records.
Why?
40% of the reported breaches could not estimate how many personal records were compromised!
Why?
Key Business Benefits Include:
• Supports organizational integration of executive and staff agendas through effective governance
• Promotes the understanding of enterprise risk in terms of dollar-value and corporate brand impact
• Facilitates prioritizing IT initiatives based on risk level and business value
• Can reduce costs
• Can help create additional revenue opportunities
Aberdeen Group
Why – Five Years Ago
• Business recognizes little value from IT investments
• Too much risk for the return we are getting
• Slow decision making
• Project overruns and delays
• Lack of stability, availability, protection and recoverability
• Compliance surprises
• Resource waste - inefficient
• Working within silos
What is GRC?
[Diagram: Governance, Risk, Compliance, Security and Performance. Where does one begin?]
What is GRC?
GRC is a system of people, processes and technology that enables an organization to:
• use an integrated approach to complete activities related to governance, risk management and compliance -- and --
• achieve business objectives while minimizing risk and protecting asset value.
Based on a 2010 Open Compliance & Ethics Group (OCEG) definition of GRC
What is GRC?
There are two ways to describe GRC.
IT: Governance, Risk and Compliance
Business: Guard Assets, Revenue Enhancement, Cost Reductions
What is GRC?
Phases:
• Education
• Communication
• Documentation
• Platform / Application
• Measurement
[Cartoon panel text: "What have you done lately to enhance our strategy into the next adjacency and increase our competitive advantage?" / "Everything!" / "Excellent!" / "I don't know what that means."]
What is GRC?
Education:
• Education breeds Documentation
• Documentation breeds Awareness
• Awareness breeds Interest
• Interest breeds Confidence
• Confidence breeds Action
• Action breeds Ownership
• Ownership breeds Accountability
• Accountability breeds Governance
• Governance breeds Compliance
• Compliance breeds Risk Reduction
• Less Risk breeds Better Security
What is GRC?
Communication:
Keys to Success
• Cultural change
• Top down approach
• Integration & collaboration
• Concentrate on
– People
… then
– Process
… then
– Technology
It's Not Impossible
What is GRC?
Communication:
• Assemble an IT GRC Steering Committee
• Define what IT GRC means to your organization.
• Survey your organization's compliance landscape, governance posture and risk environment.
• Determine the most logical entry point and develop a phased approach.
• Establish a clear business case, considering both short-term and long-term value.
• Determine how success will be measured.
What is GRC?
Documentation:
Documentation is considered to be a critical business asset in a GRC environment.
• Breeds awareness
• Provides direction
• Provides proof
• Connects strategy to tactical
• Subject to PDCA (continuous improvement)
What is GRC?
Platform & Measurement:
Automation Opportunity
• e-GRC and focus on business process workflow
• IT-GRC and focus on business process integration
Measurement
• Metrics are key elements in either purchase.
Using Frameworks for GRC
[Diagram: Governance, Risk, Compliance, Security and Performance. Where does one begin?]
Using Frameworks for GRC
A framework is a structure for documenting, implementing and improving a set of concepts, processes, methods, technologies, standards, procedures and cultural changes necessary for a complete product.
Using Frameworks for GRC
• Business Governance: Compliance & Governance
• Business Performance: Performance & Governance
• Information Technology Governance: Compliance, Governance, Business Alignment
• Information Technology Services: Business Alignment, Performance, Governance
• Security Services: Business Alignment, Security, Compliance
Using Frameworks for GRC
[Layered diagram, top to bottom]
Business Goals: Growth, Cost Reductions, Efficiency, Productivity, Quality, Accountability…
Compliance – Mandatory: SOX, GLBA, PCI, HIPAA, FISMA…; Voluntary: Policies, Contracts
Corporate Governance
IT Governance
Systems, Applications, Infrastructure, Data Management
Frameworks help achieve your business objectives by improving your governance of IT services, infrastructure, and security.
The Value Of Frameworks
[Layered diagram, top to bottom, with the framework that applies at each layer]
Business Goals: Growth, Cost Reductions, Efficiency, Productivity, Quality, Accountability…
Compliance – Mandatory: SOX, GLBA, PCI, HIPAA, FISMA…; Voluntary: Policies, Contracts
Corporate Governance: COSO, Balanced Scorecard
IT Governance: COBIT
Security Management: ISO 27001-2 / NIST
IT Service Management: ISO 20000 / ITIL
Systems, Applications, Infrastructure, Data Management: COBIT
Frameworks help achieve your business objectives by improving your governance of IT services, infrastructure, and security.
The Value Of Frameworks
ISO/IEC 27001 and 27002 (ISO 27001-2)
ISO/IEC 27001 specifies the requirements for an information security management system (the part an organization is certified against); ISO/IEC 27002 is the companion code of practice for the controls.
• Initiating, implementing, maintaining, and improving information security management in an organization.
• Risk-based assessments.
• Focuses on implementing internal controls to reduce risk and enable an organization to meet its business goals and objectives.
The Value Of Frameworks
ISO 27001-2
• Mapping (voluntary & mandatory requirements)
• Helps to establish governance & compliance
• Can be partnered with an established risk methodology
• Plays well with COBIT, COSO, ITIL and performance frameworks
• Promotes best practices
• Internationally tested & accepted
• Holistic approach to security that promotes business efficiencies and/or improvements
The Value Of Frameworks
ISO 20000-1/-2
• Internationally recognized Service Management certification and standard
– ISO 20000 Part 1 – Formal Specification
– ISO 20000 Part 2 – Code of Practice
• Only concerns itself with the processes, policies, documentation, roles and responsibilities associated with service delivery and service support.
The Value Of Frameworks
ISO 20000-1/-2
• Represents an industry consensus on quality standards for IT service management processes.
• Designed to ensure professional and cost-effective customer service where risks are understood and managed.
• The best possible service to meet a customer's business needs within agreed resource levels.
• Focuses on IT governance and compliance.
The Value Of Frameworks
COBIT
• COBIT is a widely accepted IT governance framework that emphasizes IT regulatory compliance.
• Helps organizations to increase the value attained from IT.
• Enables business alignment to IT resources by allowing managers a means to associate control requirements, technical issues, value and business risks.
The Value Of Frameworks
COBIT
• Provides a toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.
• The business orientation of COBIT consists of linking business goals to IT goals.
• COBIT provides metrics and maturity models to measure achievement.
• COBIT identifies the related responsibilities of business and IT process owners.
Using Frameworks For GRC Productivity
• Why?
• What is GRC
• Using Frameworks
Summary
Questions & Answers