Best Practices & Lesson Learned from 100+ ITGRC Implementations

Agenda Overview & Background Pillars of Successful IT-GRC Implementation Methodology (Practical Compliance & Risk Management Methodologies) Content (What type of Control frameworks to adopt) Organization (Selection of Use-cases based on Resources) Technology (Key Elements of GRC tools) 2

Customers by Size and Industry Technology 4% Telecom 3% Consulting 4% Education 5% Retail 9% Less than $1b Greater than $5b Financial 22% Healthcare 39% Government 14% $1b to $5b 3

Market Recognition & Awards One of only three companies to receive a Strong Positive in the Gartner 2010 MarketScope for IT GRC Management. The highest possible rating awarded to the 12 companies evaluated The Rsam Product is a strong IT GRCM offering Organizations seeking to automate operational risk assessment, audit automation and IT control management should consider Rsam. Rsam is the most capable and well-rounded IT Risk and Compliance Software Product Achieving the top score in the current offering - Forrester Wave IT Risk and Compliance Software Report, Q2 2008 Rsam Rated: Strong Positive -IT GRC MarketScope Report, 2010 4

Practical Risk Assessment & Compliance Management Methodologies Business Criticality vs. Threat-based Business Criticality Simpler Distributable Highly Scalable Works well with mature technologies (e.g., Applications, Servers, Data Centers etc.) Not driven by Quantitative numbers Threat-based Complicated Not easy to distribute Limited Scalability Works well for new technologies (e.g., New Technology ipad, Blackberry, Kiosk, etc.) Quantitative numbers are mere guesses 6

Practical Risk Assessment & Compliance Management Methodologies Top-down vs. Bottom-up [or Both] Top-down IT-GRC is one of the categories (operational, financial) Usually requires lessdetailed requirements (i.e., less focus around GCC) Places a premium on higher-level reporting to Executives More frequently used in EGRC Implementations Bottom-up IT-GRC centric Greater detail in IT controls for an IT-centric audience Places a premium on ITcentric audience More frequently used in IT-GRC Implementations 7

Top-Down / Bottom-UP Approach This approach investigates from the bottom-up and evaluates from the top-down. The organization is defined from the top. Assessment data is gathered from the bottom. Risk Management shows where and how the bottom should change to reflect the top.

Deriving Criticality Executive and Management staff work to define global, constant, and fact-based assessment factors and assessment policies. Factors and Policies are translated for each facet of the organization. Interviews and investigations are conducted to pair assets with their proper translated factors.

Elements of Metrics & Reporting Key Considerations for Selecting a Risk Scoring System Need to have a scoring system Low-Moderate-High-Severe scale alone is not sufficient Select a scoring system that you are comfortable explaining to both senior management and end users Keep it simple 10

Scoring System Advantage A single object score reflects its complete risk control picture, including: Criticality Level & Compliance Triggers Direct security controls Relational controls And can represent: Control Violations Weighted Violations Weighted Violations & Weighted Risk/Compliance

Scoring System Advantage Scores are brought to higher levels for: Understanding the state of security within a specific area Prioritizing and accurately distributing efforts across departments, sites, and regions

Scoring System Advantage Graphs show trends in : Control Allocation Policy Deviation Risk Distributions Compliance And much more

Scoring System Advantage Provide the right information to the right people in a highly consistent manner Reports help you understand and focus your risk & compliance efforts

Risk-Based Vulnerability Management & Reporting (example) 15

Control Frameworks Selection criteria based-on Industry standards adopted by the organizations ISO, NIST, CobIT, etc. Regulatory Compliance PCI, NERC, HIPAA, GLB, SOX etc. 17

Control Frameworks InfoSec ISO NIST Control Details IT Governance SOX, GLB, HIPAA, NERC, PCI, FISMA Low Implementation Guidance High 18

Other Control Frameworks UCF Focused on mapping to 100 s of regulations and standards BITS-FISAP Focused on Vendor assessments ISF Focused on benchmarking of standard of good practice across many organizations HiTrust CSF Focused on Healthcare organizations 19

Common & Sustainable IT-GRC processes IT-GRC Process / Use Cases Application Security Ease of Implementation Moderate to Complex Buy-in Highly coordinated Compliance-specific Assessments Easy Easy to Moderate Policy Exception Tracking Easy Easy Risk Register Easy Easy Threat & Vulnerability Management Moderate Easy to Moderate 21

Organization Factors Organization Factors Executive Sponsorship Clear picture of GRC use-cases GRC Tool Administrator is key! Culture Scope Red Flags Your C-level Executive does not know about this initiative Not sure of your workflows Using an Intern or Senior Security architect as your administrator Users don t respond to emails Enterprise GRC roll-out within 6 months 22

Key Takeaways Avoid Paralysis through Analysis Too many people are afraid to start something with the fear of having to change it later. But its better to start with something... No matter how hard you try, you are always going to change it later Pick analysis methodologies that are scalable Use threat analysis where required, but self assessments are critical for scalability. Self assessment in context of risk, of course Cross-Mapping is vital for efficiency & scalability However, when you try to map too many things to too many other things, you eventually loose the efficiency you were looking for by making it too complex Make everything Risk Driven Establish consistent rules to drive reporting, remediation, metrics, etc. But keep in mind that risk driven methodologies are not going to be exact Build a program based on available resources Establish realistic goals and scope based on resources (executive support, available staff, time and money) 23

Common Customer Pain Points Automation Accountability Coordinated Approach Visibility & Metrics Ever Changing Requirements How to manage the data gathering and analysis process? How to track, manage & document remediation & risk management activities? How to efficiently relate risk & control data to multiple standards and regulations? How to get useful metrics, roll-ups & other analysis reports? How to keep the system flexible without reengineering? 25

GRC Elements Reporting, Tracking & Analysis Online Questionnaire General Tracking, Audit & Incidents Other Tools, Vulnerability Scanners & Inventories Findings from Questionnaire Findings from Audits Imported Findings Risk Treatment Options Action Plans & Tracking Risk-Based Workflow Automation, Notification, Escalation, Tracking

Assessment Framework Control Levels (degrees of control) Objects: Standard, Container & Entity Criticality Factors Standards

Findings Framework Findings module allows you to capture data that does not conform to a survey or questionnaire. This module is highly configurable and fully integrated into RSAM reporting, workflow, e-mail notification. Findings Structure Root Finding Attribute Example Implementation Incident Example Implementation Control Objective Child Finding Description Initial Response Planning Audit Objective Child Finding Child Finding Investigation Step Impact Discovery Owner Scope of Impact Audit Test Attribute... Attribute Target Date Resolution Validation Effectiveness Validation

GRC Solution Concept 29 29

Thank you If you would like a copy of this presentation, please email avalente@rsam.com 30