BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite's product capability.


Contents

Introduction ... 2
GRC activities ... 2
BPS and the Capability Model for GRC ... 3
The OCEG Framework Practices and Components ... 4
Culture and Context ... 4
Organize and Oversee ... 4
Assess and Align ... 5
Prevent and Promote ... 5
Detect and Discern ... 6
Respond and Resolve ... 6
Monitor and Measure ... 7
Inform and Integrate ... 7
The BPS Suite supports: ... 7
Conclusion ... 8
About BPS ... 8

INTRODUCTION

This white paper focuses on the practices and objectives for an integrated GRC (Governance, Risk and Compliance) system and the BPS technology that helps achieve this integration. This article is organized around the central concepts presented in the OCEG (Open Compliance & Ethics Group) Red Book [1], which describes the GRC Capability Model and also provides a basic understanding of the principles and structure of the OCEG Framework.

GRC ACTIVITIES

When examining the approach to GRC, many companies have concluded that there are significant overlapping considerations, best practices, and internal and external forces. Most also agree that correctly addressing the sum of these parts is more effective and ultimately more valuable to the organization than any singular focus. Integrating GRC activities and strategies that are currently siloed within a company prevents duplication and potentially contradictory outcomes. For many enterprises these activities, when viewed separately, form an expansive list which includes:

- Audit and assurance
- Global trade compliance, supply chain, vendor and 3rd-party compliance
- Corporate social responsibility
- Financial controls management, filing and transaction monitoring
- Insurance and claims management
- Quality
- Planning, strategy and performance management
- Financial risk and operational risk
- Fraud
- Legal
- Business continuity (including change management, crisis management, and disaster recovery)
- Corporate compliance and ethics
- Environmental health and safety
- IT risk and compliance (including change management, access management and security)
- Privacy

Business enterprises and organizations can no longer afford to view these GRC activities separately. Instead they must clearly define what they plan to achieve and how they will achieve their objectives, while limiting risk and staying within their boundaries and policies, using one unified and holistic approach.

[1] OCEG is a non-profit think tank that helps organizations drive principled performance by providing standard tools and resources that enhance corporate culture and integrate governance, risk management, compliance, internal controls and ethics processes. The GRC Capability Model and the OCEG Framework are registered trademarks of OCEG.

BPS Inc. 2009, www.bpsinc.com, Page 2 of 8

BPS AND THE CAPABILITY MODEL FOR GRC

One of the most commonly accepted frameworks to achieve a unified GRC approach is the GRC Capability Model (OCEG Red Book). The model views GRC as a single activity with a set of detailed practices and components, identified in Fig. 1 [2]. The BPS Integrated GRC platform provides the technology to support many key elements of the GRC Capability Model and helps organizations achieve a common language and collaborative. Each of the practices and components in the Capability Model represents a critical aspect of a complete approach to GRC. These and their underlying components are described in detail in the OCEG Red Book. The following section offers a brief overview of the OCEG practices and how the BPS suite of products helps its users address each one at a high level.

Figure 1: OCEG GRC Capability Model Elements View [2]

[2] Figure 1: OCEG Red Book 2.0, April 2009, Open Compliance & Ethics Group.

THE OCEG FRAMEWORK PRACTICES AND COMPONENTS

CULTURE AND CONTEXT

Culture plays an integral role in GRC performance within an organization. GRC is no longer viewed as an add-on to normal business activities but rather as a business philosophy that is infused into the culture and its operations. The BPS Suite allows the organization to focus on defining a balanced set of measurable business objectives that are aligned with vision and values:

- Powerful tools to identify and document key organizational structures, cross-functional teams, key human capital and technology assets, as well as business processes, products and physical assets.
- The ability to cascade high-level business objectives, policies and requirements to assurance roles such as internal audit.
- Analytical reporting and assessment tools that support "tone at the top" rollups of the overall risk environment.
- The ability to set various indicators within the platform and help establish targets to ensure business objectives are met within defined tolerances.

ORGANIZE AND OVERSEE

For an organization to have a successful integrated GRC program it must communicate a clear mission and objectives, define organizational roles and determine the implementation scope of the GRC system. BPS recognizes the importance of this practice and features a number of product capabilities that help promote GRC program transparency and accountability:

- A leading organizational modeling facility allows users to develop templates for communicating the organization's objectives, vision and values.
- A single application with configurable modules fits the organization's implementation scope (phased vs. enterprise-wide) while providing embedded project management, reporting and logging facilities.
- Key roles benefit from features such as risk analysis and aggregation, compliance risk assessment, controls and internal application management, and all related assurance activities such as Internal Audit.

ASSESS AND ALIGN

Assessing risks and aligning the GRC program with business processes is a central component of any GRC initiative. Defining a GRC process model and ensuring that it integrates with the existing business planning activities can accomplish this. The GRC system should offer a portfolio of initiatives, tactics and activities that relate to the organization's moving parts and operational model. BPS supports assessment and alignment through a number of features:

- Activities can be balanced and prioritized against corporate goals and regulatory requirements.
- Definition and categorization of risks and their impacts, as well as interrelationships across multiple aspects of the organization.
- Cross-reference assessment programs to any part of the risk management or GRC framework.
- Define, schedule and link key risk data collection and assessment activities. Each set of activities can be rolled up into projects or initiatives that are tracked and visualized as a portfolio.
- Remediation and change management tools that are integrated to ensure that findings are actionable and that change is driven in an organized and prioritized fashion.

PREVENT AND PROMOTE

By developing an integrated implementation and management plan, GRC activities can be optimized to promote and motivate desirable conduct. These can also prevent undesirable events and activities using a mix of controls and incentives. Prevention and promotion in the BPS Suite:

- Create multiple planning templates that promote best practices and awareness, as well as aligning risks and controls with business policies and resources.
- The system provides a clear mapping of controls and risk coverage and how they relate to operational processes.
- Review, revisit and expire old policies and promote ones that address current risks and objectives.
- Link information to existing and proposed standards and guidance that affect the company's GRC requirements and track the activities related to these requirements.

DETECT AND DISCERN

Being proactive in detecting potential risks, losses and undesirable conduct is key for any organization. By providing streamlined methods of gathering data and analysis techniques, organizations can detect and defuse potential concerns. BPS Suite support:

- Consolidate and visualize many types of enterprise data.
- Analyze control and assessment findings, loss incidents and more through a rich library of reports and dashboards.
- Enterprise workflow technology ensures optimal information delivery and real-time notification capabilities, helping maintain and prioritize focus.
- Integrated survey capability and self-assessment tools.
- Create and manage information about detective controls across the company.

RESPOND AND RESOLVE

Process failures and loss events can occur in any organization. Having a nimble process, data, and the tools to analyze and understand root causes is crucial in order to resolve and prevent similar issues in the future. Users need to have confidence in the GRC system and process so that they can easily report and respond to issues effectively while ensuring the privacy and confidentiality of the data during the investigation and analysis phases. Strong process and project management functionality within the BPS Suite supports this practice:

- Captures and categorizes compliance exceptions, audit findings, control failures, risk indicators, incidents and loss events based on the client's specific set of corporate taxonomies.
- Streamlines and manages the creation of action plans with full issue tracking capabilities while ensuring appropriate confidentiality of information through the use of a sophisticated roles and user privileges manager.
- Audit trails and detailed reporting provide the analytical insight to aid the organization in refining processes and corrective controls in order to resolve and mitigate future concerns.
- BPS is built to aid both internal investigations and those conducted by regulators and external auditors.
- Templates to support crisis response and disaster recovery scenarios.

MONITOR AND MEASURE

Organizations need to periodically evaluate and modify the GRC system to ensure it contributes to evolving business objectives while remaining effective, efficient and responsive to the changing environment. The architecture of the BPS product promotes rapid responses to changes in the context in which it operates, ensuring that risk exposure is minimized and key controls provide proper coverage:

- Assessment capability is used to survey business stakeholders, providing feedback on the effectiveness of the GRC program as it relates to them.
- Standardized reports that help identify areas that have too heavy or too light a control paradigm.
- Facilities that enable test-of-design workflows.
- Support for advanced Extract, Transform and Load (ETL) technology capable of importing and synchronizing external data (such as regulatory changes and new policies and guidelines) into the GRC framework.
- The most comprehensive internal assurance (internal audit management) and reporting tools available to enable feedback to the board and management on the effectiveness of the GRC program.
- Support for the principles and procedures available in the OCEG Burgundy Book.

INFORM AND INTEGRATE

At the center of the Capability Model is the ability to capture, document and manage information accurately across the organization as well as external stakeholders. The flow of information needs to efficiently cross functional areas and provide value to its targeted audience. The BPS Suite supports:

- A consolidated repository linking templates, risks, controls, assessments, and key artifacts across the organization.
- Flexible and secure workflow, notifications and data views that promote transparent flow of the data while ensuring that the appropriate stakeholders have access to the information they need.
- Organization modeling facilities that ensure the right person gets the right information at the right time.
- Comprehensive, time-proven reports that are the result of man-years of GRC implementation experience.

CONCLUSION

The increasing demand on organizations to meet their objectives while managing risks and staying within their regulatory boundaries is tremendous. GRC activities are fundamentally interconnected, and integration is more than a process: it's a business philosophy. To stay ahead of the curve, GRC needs to be part of the organization's culture and processes. Encouraging transparency and collaboration among stakeholders within the organization and promoting a unified framework and common language throughout the organization can achieve this. Drawing from OCEG's Capability Model and using the BPS integrated GRC software, clients are achieving many of the mission-critical elements of a successful GRC program.

ABOUT BPS

BPS is a leading provider of enterprise GRC and internal audit software solutions to the world's top organizations. BPS provides enterprise governance, risk & compliance software to many of the world's best-managed companies. BPS is the vendor of choice for internal audit, compliance and operational risk management systems. Each product in the award-winning BPS Suite has proven itself best-in-class in terms of completeness, functional depth, ease of use and technology quality. For more information about BPS and its products, visit www.bpsinc.com or contact us at info@bpsinc.com.