LEADING WITH GRC: Common Controls Framework
Sundar Venkat, Sr. Director Technology Compliance, Salesforce
Forward-Looking Statements
Statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include but are not limited to risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter.
These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Together, We're Building a Path Forward
- $2.39B Q1 FY18 revenue
- Innovator of the Decade, September 2016 (timeline: 2009-2017)
- The world's most innovative companies (2011-2016)
- 25K employees
- $389B in GDP impact by 2020; 2M jobs created by 2020 (IDC White Paper, sponsored by Salesforce, "The Salesforce Economy," August 2016)
The Age of the Customer: Connect to your customers in a whole new way
- Unified Commerce
- Intelligent Communities
- Actionable Analytics
- Predictive Marketing
- Smart Apps
- Conversational Service
- A Single View of the Customer
- Connected Products
- Guided Sales
Who we are. What we do. How we do it.
TECHNOLOGY COMPLIANCE
Our Mission: Protect Customers, Protect Brand, Enable Growth
Our Values: Trust, Growth, Enablement, People
Partners: Infrastructure, GBO, Corp Dev, Trust, Legal, IT, Business Partners
Improve / Execute
Our Deliverables:
- Compliance for Core Certs
- Design for 2020 (Maturity & Efficiency)
- Partnerships with the Business
- Intake Process for New Certs
- Sustain
Elements of Trust: Trusted Security, Always On Availability, Performance at Scale, Global Data Centers, Compliance
Certifications: SOX, SOC, PCI, FedRAMP, ISO, Japan Pmark, HIPAA, CJIS, Australia, UK Cyber Essentials, Germany, DoD, TUV, IRAP
GRC Summit 2017. All Rights Reserved.
Compliance Scalability Challenges
Salesforce continues to grow rapidly across various industries and geographies. The number of compliance frameworks and regulatory requirements, and their stringency, continues to increase.
- We did not have a standardized baseline across compliance frameworks or across the various Salesforce services
- Certifications/audits occur throughout the year, causing audit fatigue for Business Partners
- Lack of consistency in evidence collection
- Inefficient control testing with no reuse of audit evidence
- Intake of new compliance frameworks was cumbersome
Common Controls Framework (CCF) - Vision
Compliance Center: We are the global standard of excellence in internal audit, compliance and risk services. We enable the company's success.
1. Strengthen Governance
- Secure Executive Commitments
- Implement & Execute Governance Model
- Drive Adoption & Enable Change Management
2. Streamline Audits
- Align Audit Schedules
- Consolidate Auditors
- Streamline Evidence Gathering
3. Develop & Optimize Compliance Content
- Develop CCF Approach
- Integrate Risks into Framework
- Complete Mapping & Develop Content
4. Transform Risk & Compliance Processes
- Internal Controls Monitoring
- Process Maturity Assessment
- Mature Technology Risk Management Function
5. Implement Effective GRC & Tooling
- Define Requirements
- Evaluate & Select Vendor
- Implement System
- Training & Awareness
Ongoing activities
- Consolidate Remediation Asks
- Continuous Surveillance & Content Refresh
- Continuous Process Improvements
- Ongoing Maintenance
Status legend: Activity Completed / Activity Underway / Planning
CCF Accomplishments
Highlights
- CCF maintained on MetricStream
- Internal stakeholders involved: Tech Compliance, Engineering, Infrastructure, Information Technology, Security
- Scope: 17 frameworks; 5,128 requirements
- Final consolidated control count: 326
- Consolidation to Salesforce controls: 93%
Accomplishments
- Created a baseline of controls across compliance frameworks
- Minimized touch points with business partners and reduced audit fatigue
- Streamlined process and re-use of evidence across frameworks
- Optimized intake for new requirements
- Enabled embedded compliance across the company and more efficient compliance execution
CCF Change Management & Sustainability
Swimlanes: PwC, TC, BP, TC/BP
1.0 Authoritative Source Monitoring: Identify changes to the compliance landscape
- Revisions or additions to existing framework requirements (e.g. PCI 3.1 to 3.2), or a new framework source
- Changed business context (i.e. new acquisitions, frameworks, products & services)
- New, changed, or retired requirements (e.g. ISO, NIST, GDPR)
- Changes during audit cycles (TC or External), i.e. test procedures, evidence, control owners
- Changed CCF data attributes
2.0 Change Operations: Determine applicability and impact to the CCF content library
- Offline reviews
- BP signoff; TC signoff
- Decision: content refresh process required? Yes / No
3.0 Content Refresh: Refresh the CCF Content Library (in MetricStream)
- New or updated common controls (Control and Audit Attributes), e.g. Control ID, Integrated Requirement, Control Implementation Statement
- TC signoff
MetricStream Journey and Timeline (2015-2017)
System Selection (Oct 2015 - Jan 2016)
- Build vs. Buy
- Vendor Selection: MetricStream
Solution Design / Process and Data Readiness (Jun 2016 - Aug 2016)
- Refine Requirements
- Process Alignment
- Data Harmonization
Implementation
- Phase 1 - SOX & IT Compliance Modules (Nov 2016 - May 2017)
- Phase 2 - IA and ERM Modules (May 2017 - Oct 2017)
- Phase 3 - SOX & IT Compliance Enhancements (May 2017 - Jul 2017)
- Phase 4 - SOX 3.0 SubCerts (May 2017 - Jun 2017)
Status legend: Completed / Active
- Libraries
- Single Sign On
- HR System Integration
- Audit Planning/Scoping
- Testing
- Evidence Gathering
- Findings/Remediation
- Other System Integrations
- Email Escalations
- Internal Audit
- Enterprise Risk Management
- SOX Certifications
Thank You!
Continue the conversation online: #GRCSummit