Page 1
Simplifying IT Governance, Risk Management & Compliance
Anand Choudhary
Page 2
IT & ITES
• Indian IT & ITES industry
  – 2011 market size: $76 billion
  – 2020F (forecast) market size: $225 billion
• Strong export demand
• Economy is consistently growing
• Indian IT firms have delivery centres across the globe
• IT industry is well diversified into BFSI, Telecom and Retail
Page 3
Unidentified Risks impact Performance
• Impact performance in the market
• Results in closer scrutiny
• Impairs customer service
• Failure in operational control
• Increases business costs
• Reduces investor & market confidence
• Disrupts major operations
Source: SAP Labs
Page 4
About GRC
• Governance, Risk Management and Compliance (GRC) issues around information have become central to organizational strategies.
• Investment in this area in the US was at its highest in 2008, at $32 billion (7.4% growth).
• GRC platforms provide a single, federated framework that integrates organizational processes and the tools supporting those processes, for the purpose of defining, maintaining and monitoring GRC. An appropriately chosen GRC platform can reduce complexity and increase efficiency.
Page 5
What’s GRC?
• Governance: The IT Governance Institute (ITGI) defines governance as “the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that the objectives are achieved, ascertaining that the risks are managed appropriately and verifying that the enterprise’s resources are being used responsibly.”
• Risk Management: An activity directed toward assessing, mitigating (to an acceptable level) and monitoring risk. The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets.
• Compliance: An increasingly complex task given the global footprint of organizations, the growing regulatory environment (which is likely to become even more stringent given the opportunities exposed by the current economic crisis) and local regulations.
Page 6
A Systems view of Compliance – Translating Regulations to Action
[Diagram; labels recovered from the slide]
• Compliance Requirements: SOX, PCI, COBIT, EUDPP, ISO, Internal Policies
• Control Objectives
• Control Activities
• Control Testing Procedures
• Outputs: Compliance Status, Audit (Authority Document View), Comply/Authority Reports, Incident/Issue Reports, Residual Risk
• Components: IT GRC Process Management Pack, Microsoft Control library, Non-Microsoft (Partner) content
• Operational Systems: Active Directory, CMDB, DW
• Context: Business Objectives & Policies, System Operations, System Management
• Roles: Board of Dir./CEO, Audit Committee, CIO/CSO, ITDM, IT Pro
• Legend annotations: Available, Partner Roadmap
Source: Microsoft
Page 7
GRC: Areas of concern
• What compliance regulations are applicable to your area?
• Have you failed any areas of compliance audits in the past? If so, what were the findings?
• What improvements would you like to see in your current mechanism for prioritizing the security budget?
• How do you rate the effectiveness of your security controls?
• What would you like to see in the reports indicating the current status of compliance?
• How do you evaluate your risk currently? What are possible areas of improvement?
• What are the critical threats to your area?
• How many times have you experienced these threats in the past 12 months?
• Which area are you more concerned about, insider abuse or external threats? Please provide specifics.
• Have any of your end users expressed dissatisfaction with the extra steps they have to go through because of the security controls?
• Do you have a good data classification mechanism?
Page 8
Microsoft: System Center Service Manager 2010
• System Center Service Manager 2010 delivers an integrated platform for automating and adapting IT Service Management best practices to your organization's requirements.
• One of its benefits is IT governance, risk and compliance (IT GRC):
  – The IT GRC Process Management Pack (PMP) for System Center Service Manager 2010 provides end-to-end compliance management and automation for desktop and datacenter computers. The IT GRC PMP translates complex regulations and standards into authoritative control objectives and control activities for the IT organization’s compliance program.
  – The IT Compliance Management Series, which comprises multiple IT Compliance Management Library (IT CML) products, helps you configure Microsoft products to address specific IT GRC requirements.
Page 9
Thank you!
Disclaimer: This presentation was prepared to share knowledge, not to advertise any product.