INTELLIGENCE DRIVEN GRC FOR SECURITY

Transcription

1 INTELLIGENCE DRIVEN GRC FOR SECURITY OVERVIEW Organizations today strive to keep their business and technology infrastructure organized, controllable, and understandable, not only to have the ability to run a profitable business, but because a variety of governance, security, and compliance needs demand it. Every effort to keep things in harmony is tested by the increasing complexities in the types and volume of data required to effectively run a company; the chaotic changes in regulations, laws, and policies; and the addition of vendors, partners, and consumers who need access in the face of an ever-growing landscape of unpredictable threats and system attacks. Many companies have, over time, tried to address the issues in governance, risk management, and compliance (GRC), as they occur, with a siloed approach that address tactical requirements on an ad hoc basis. This leaves IT staff struggling to implement solutions for point problems and management with an inadequate overview of the information required to make the best business decisions. Organizations are operating at an unacceptable level of uncertainty on both the business and technology aspects of their business. Implementing a GRC strategy in today s competitive landscape must go far beyond quick fixes like adding software or introducing new polices. By enabling an Intelligence Driven GRC model, an organization can prioritize its assets in an informed manner; understand the relationships, interconnections, and accountability of business and IT staff; and incorporate the unpredictable behaviors of third parties that will inevitably need access to the organization s infrastructure. RSA Whitepaper

2 CONTENTS Overview... 1 Comprehensive GRC Strategy Strengthens Enterprise Ties... 3 Improving Visibility... 3 Think Outside the Infrastructure... 4 Revealing Insights... 4 Putting Plans into Action... 5 Conclusion...6 Intelligence Driven GRC Solutions from RSA... 6 page 2

3 COMPREHENSIVE GRC STRATEGY STRENGTHENS ENTERPRISE TIES The goal of Intelligence Driven GRC is to create an efficient, collaborative enterprise governance, risk, and compliance strategy across IT, finance, operations, and legal areas. This holistic approach provides the ability to manage risks, demonstrate compliance, and automate business processes, while directing the ongoing lifecycle of corporate policies, assessing and responding to risks, and reporting compliance with internal controls and regulatory requirements across the enterprise. Intelligence Driven GRC provides a model that layers the prioritization of assets, the streamlining of processes and the automating of reporting on top of an organization s essential security functions. This model is based on three fundamentals that enable businesses to balance risk, costs, and third-party access. First, Intelligence Driven GRC provides immediate external visibility and context across all online digital channels bolstered by the prioritization of assets, processes, and accountabilities. Second, this increased visibility extends analysis capabilities to quickly assess risk tolerances and appetites of business units and address which issues are most damaging. Finally, an Intelligence Driven GRC strategy designates the corrective action to mitigate any specific concerns at hand, quickly and efficiently. IMPROVING VISIBILITY With the enormous amount of digital assets that need to be monitored, safeguarded, and reported on, security teams can find more risks than can practically be remediated. Traditionally, security teams react as quickly as possible to potential intrusions without an understanding of which risks have the greatest possibility of having a negative business impact. Lack of visibility into where business risks exist means spending time and money on security, governance, and compliance without seeing results. An Intelligence Driven GRC model is able to increase visibility into which security threats or compliance issues can be most damaging because risks have been prioritized ahead of time based on an estimate of their severity and the impact on the business. This increased priority-enabled visibility lets security teams handle attacks in a balanced manner that reflects their organization s risk tolerance and ensures they limit damage from significant threats without wasting time and resources putting out unnecessary fires. Creating a single repository with prioritized assets within an Intelligence Driven GRC framework simplifies the process of identifying digital assets and building relationships between those assets and the people, processes, applications, and infrastructure that surround them. It becomes easy to tie data to the business units that own it, the processes that use the data, the facilities and devices that store it, the applications that apply it, and the people accountable for it. This gives an organization the ability to track risk and compliance of products, services, and business processes; assign accountability to facilitate distribution of compliance assessments and tasks; and report on compliance activities at company, division, or business unit level to support informed decision making. page 3

4 A consolidated look into activities provides efficiencies by demonstrating compliance with multiple regulations at the same time THINK OUTSIDE THE INFRASTRUCTURE Increased visibility extends beyond internal assets with an Intelligence Driven GRC strategy. Managing relationships outside of the enterprise requires the same prioritization as internal assets. For example, prospective partners need to be evaluated for unnecessary risk and managed along metrics that are important to the specific organization such as vendor profiles, contacts, financial and insurance statements, and contracts. Within an Intelligence Driven GRC framework, visibility into compliance obligations and their scope is transformed by automating a large part of the evidence-gathering process. As compliance regulations often overlap, eliminating redundant data and process information and providing consistent, repeatable definitions reduces effort and cost and remediates areas of non-compliance. REVEALING INSIGHTS Collecting data in real time and prioritizing it across all the metrics that are important to the business is vital, but the ability to quickly and efficiently analyze this information is key to delivering business insights. Communicating security and compliance issues among teams is often difficult; Intelligence Driven GRC transforms data into information that is accessible and understandable to both security and business professionals. An Intelligence Driven GRC model holds best practices, reports, and polices that are tailored to specific compliance requirements. When incidents happen they must be detected and analyzed quickly and action taken to resolve them and limit damage. As records are collected, correlated, analyzed, and retained from systems across an organization, incidents are identified and prioritized in real time. This process shows not only data that has been compromised, but also the seriousness of the incident and how critical it is to the overall business. Analyzing a single organization s volumes of data is already big job, but today companies operate in an extended enterprise that includes vendors, suppliers, partners, and customers using devices that are not under the organization s direct control. With an Intelligence Driven GRC model, vendor risk assessments are streamlined to evaluate inherent and residual risk across compliance, security, financial, sustainability, and resiliency metrics. Automating risk assessments and page 4

5 compliance ratings provides the ability to determine the type and status of any findings including vendor responses as well as track the status of remediation. This analysis can be extended to include key performance indicators, SLA objectives, and the status of deliverables. By comparing performance with pre-defined metrics, an Intelligence Driven GRC strategy helps an organization understand vendor-based risk exposure and quickly deliver real-time information to other staff. An Intelligence Driven GRC framework provides effective policies and policy management that allows distinctions to be made for specific departments, people, applications, and accountability. These distinctions are initiated during the policy management set up process, which outlines who needs to approve, review or change risk assessment levels. This approach allows expansion to other parts of the organization because it contains content-like digital assets, third parties, regulatory requirements, and knowledge of structure, i.e., user roles, and hierarchy in the organization. This results in simplified sharing of already-created process descriptors or critical system items, saving time and money. Enabling users in different parts of an organization s operations, IT, and finance infrastructure to collaborate and align across common information PUTTING PLANS INTO ACTION Identifying and prioritizing incidents is only part of a GRC process. Without an Intelligence Driven GRC strategy, communicating incidents to those best qualified and authorized to handle needs to be done efficiently. The common process of manually updating spreadsheets and s to track and inform are time consuming, and they ultimately are an ineffective way to address business risk in a timely fashion. Intelligence Driven GRC is set up to document incidents and assign response teams based on business impact and compliance requirements. Built-in dashboards and reports provide insight and help report on trends, losses, and recovery efforts and provide an incident history and audit trail. This eliminates the data and process silos that prevent necessary communication between groups and allows quick and easy reporting with an automated rollup of risk and compliance information across the entire business hierarchy and operational infrastructure. page 5

6 An Intelligence Driven GRC strategy works across all components of the compliance process. For example, companies have audit plans to address frequent audit-related activities. By having control of the complete audit lifecycle, the entire process can be streamlined allowing teams to focus on prioritized issues while integrating with risk and control functions. This approach maximizes efficiency based on a dynamic view of risk. For example, compliance management is often handled by two different groups, the IT team and compliance officers at the business level. Eliminating the disconnect between the tools and processes used by these two groups, Intelligence Driven GRC maps compliance reports generated by the security team to GRC workflows that give auditors the ability to easily manage compliance reports and track findings. To further support actionable responses, tailoring a GRC system to unique business parameters is an efficient way to deal with continual and fast-moving changes. Both IT and non-technical users should be able to automate processes, streamline workflows, control user access, tailor user interfaces, and report in real-time with an easy to use point-and-click interface. Business continuity is a critical component of an Intelligence Driven GRC strategy and allows a centralized, automated approach to business continuity and disaster recovery planning that enables quick responses in a crisis situations. As with compliance and risk issues, this model assesses which business processes are most critical and builds business continuity and disaster recovery plans using automated workflow for testing and approval. It also manages plan execution and communication in a crisis to minimize damage to an organization s employees, customers, reputation, and operations. CONCLUSION A comprehensive Intelligence Driven GRC model extends visibility into data and processes, provides in-depth analysis of risks and compliance issues, and provides a clear path of action and accountability for companies that need to balance corporate risk appetites with the responsibilities of risk oversight and ownership. Aligning data and process prioritization, infrastructure, people, and business performance measurement provides the ability to anticipate, respond, and continuously adapt in a rapidly changing landscape. INTELLIGENCE DRIVEN GRC SOLUTIONS FROM RSA RSA IT Security Risk Management solution enables security teams to develop a framework for Information Security Risk by managing security policies, establishing business context of IT assets, and effectively investigating and responding to threats posed by security incidents and vulnerabilities. By leveraging out-of-the-box content from RSA Archer, security teams can measure compliance risk against IT security frameworks as COBIT, NIST, and ISO as well as regulatory authoritative sources as SOX, PCI, and HIPAA. Additionally, with real-time visibility into vulnerabilities through RSA Vulnerability Risk Management (VRM) and security incidents through Security Operations Management (SecOps), security teams can prioritize with business context and effectively investigate, respond, and remediate threats that pose the biggest risk to their organization. RSA IT Security Risk Management solution helps the CISO and their security teams to proactively put in place effective security policies, prevent issues with vulnerabilities, and effectively respond to security incidents to protect the IT assets of an organization and minimize information security risk. page 6

7 Intelligence Driven Identity and Access Management RSA Archer Third Party Governance solution automates and streamlines the oversight of vendor relationships. This supplier management software facilitates risk-based vendor selection, relationship management, and compliance monitoring as part of a governance, risk management, and compliance (GRC) program. With RSA Archer Third Party Governance, you can establish a vendor management process by centralizing third-party data, reporting on activities related to vendor risk and performance, and consistently and repeatedly assessing suppliers. RSA Archer Operational Risk Management solution brings together data from siloed risk repositories to identify, assess, decision, treat, and monitor risks consistently across your organization. RSA Archer serves as a central aggregation, visualization, and governance point for your organization s operational risk management program. It enables you to better understand, prioritize and manage your risk, and reinforce desired risk management accountabilities and culture. This allows you to extend your program across all business lines and activities that introduce operational risk. With RSA Archer Operational Risk Management, your organization can harness risk intelligence, reducing the likelihood of negative events, lost opportunities and surprises so that your organization is able to maximize performance. The RSA Archer GRC Platform supports business-level management of enterprise governance, risk, and compliance. As the foundation for all RSA Archer GRC Solutions, the Platform allows you to adapt the solutions to your requirements, build new applications, and integrate with external systems without touching a single line of code. RSA Archer s flexible strategy has won over some of the most demanding Fortune 500 companies. These businesses have seized the power of the Platform to make RSA Archer Solutions their own, modeling additional business processes in a fraction of the time it would take to develop traditional custom applications. RSA Archer facilitates the industry s largest risk and compliance Community with the participation of RSA Archer GRC experts and more than 11,500 risk and compliance practitioners like you. Engaging with the RSA Archer Community enables you to collaborate to solve problems, build best practices, establish peer connections, and engage with RSA Archer GRC Thought Leaders. In addition, RSA Archer has an extensive Partner ecosystem that includes technology integration experts for deep security system integration to business system integration, content providers for risk and compliance content, and advisory and implementation partners for business process expertise. ABOUT RSA RSA s Intelligence Driven Security solutions help organizations reduce the risks of operating in a digital world. Through visibility, analysis, and action, RSA solutions give customers the ability to detect, investigate and respond to advanced threats; confirm and manage identities; and ultimately, prevent IP theft, fraud and cybercrime. For more information on RSA, please visit EMC 2, EMC, the EMC logo, RSA, Archer, FraudAction, NetWitness and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other products or services mentioned are trademarks of their respective companies. Copyright 2014 EMC Corporation. All rights reserved. H13749