The Data Governance Keys to Successful GRC Automation

Automated GRC assessments can cut costs and create smoother workflows, but they can be challenging to implement. Learn strategies to integrate automated GRC processes with existing governance objectives.


EDITOR’S NOTE SUCCESSFUL GRC AUTOMATION STARTS WITH THE PLANNING PROCESS

USE AUTOMATED COMPLIANCE POLICY GOVERNANCE TO EASE MOBILE MANAGEMENT

AFLAC CISO: FIVE STEPS TO GRC PROGRAM AUTOMATION



EDITOR’S NOTE

Don’t be Fooled: ‘Automated’ GRC Still Requires Human Input

Modern enterprises face a range of regulatory compliance responsibilities and may be subject to mandates such as HIPAA, PCI DSS and SOX, to name just a few. In the past, spreadsheets were used to track compliance and manage audits, but the complexity of today’s regulatory environment stretches traditional methods to their limits.

More organizations are turning to GRC software tools to help automate compliance assessment tasks. But automation is a bit of a misnomer: there is much front-end, human input required for automation to be successful. And, of course, any flaws in data management processes that are ultimately automated could result in costly, embarrassing regulatory problems down the road. In this SearchCompliance handbook, we’ll examine how compliance officers and IT managers can deploy automated GRC strategies that support the organization’s existing data governance objectives.

In the first article, attorney and information governance expert Jeffrey Ritter discusses the initial steps to GRC automation and why thorough planning is required for it to be successful.

In the second article, digital transformation and enterprise mobility expert Bryan Barringer explains how automation technology helps maintain mobile data compliance.

And in our third and final article, Aflac Inc. CISO Tim Callahan discusses the insurance giant’s five-step plan for GRC automation.

Enterprises will likely continue to seek GRC automation strategies as the regulatory landscape continues to expand in scope. We hope you find this information useful as your business considers automated GRC processes to save time, money and resources.

Ben Cole
Editor, SearchCompliance


AUTOMATION PLANNING

Successful GRC Automation Starts With the Planning Process

As compliance regulations continue to grow in number and complexity, companies have started to turn to automating governance, risk and compliance (GRC) processes to save resources. Automated GRC embeds specific data management rules in existing company processes to help ensure compliance and security. The automated processes must closely align with the company’s existing data management objectives, however, and can be difficult to implement without everyone from the legal department to risk officers on board with the plan.

In this Q&A, attorney and information governance expert Jeffrey Ritter discusses the GRC automation movement and why its success will depend on how well companies prepare for implementation.

Is it difficult to find or develop GRC automation software because compliance needs are so unique for each organization?

Generally, GRC software is merely documenting the occurrence of events according to defined processes. Within industries, the requirements for those processes are established by regulations. To that extent, the compliance needs are comparable. However, particularly in the United States, the flexibility afforded by many regulations has allowed companies to develop solutions that are remarkably nonuniform. In other words, their compliance needs are not unique, but their internal solutions are incredibly diverse and inconsistent in their approach. GRC automation first requires a company to author its process rules so that they produce data-specific measurements and documentation. Many companies have resisted developing such rigid rules—often on the advice of legal counsel—in order to preserve flexibility should an investigation be launched.

Corporations [that] have aligned their business processes to published standards, particularly those for information security and information governance, are best positioned to take advantage of GRC automation solutions.

How can compliance and IT managers ensure GRC automation processes integrate smoothly with existing company processes? Who needs to be involved in that integration?

The 21st century is witnessing a remarkable transformation in the corporate board’s view of compliance. Previously, compliance was an obligation to be avoided at any possible cost to net profits. The tide has shifted, and compliance to defined processes is now a critical requirement for corporations to be profitable. Six Sigma and other measurement-based management strategies emphasize consistency and documentation. As a result, GRC automation is becoming equivalent to effective corporate governance.

Compliance and IT managers require senior management buy-in in order to be successful. To achieve that buy-in and acquire the involvement of all of the necessary stakeholders, compliance and IT managers have to demonstrate that GRC automation not only reduces operating costs, but increases net profits. Once that business case is made, senior management’s support will be powerful.

The bottom line is that to succeed with GRC automation, compliance and IT managers should never mention the word “compliance.” Instead, they should emphasize efficiency, reduced rate of failures and similar important business objectives that GRC automation can accomplish.

If a company chooses a vendor for GRC automation, is the company more at risk when its compliance data resides in a public or private cloud setting?

That is a hard question to answer. Any GRC automation solution creates an authoritative, difficult-to-erase record of the company’s conduct. In other words, it is creating digital evidence of the truth. Whether that information is stored internally or in the cloud is less important than the overall security and integrity with which the corporation protects all of its digital assets. If the company does not have effective security deployed across cloud-based relationships, their data will be at risk. The key is to design effective security around any data asset so that the migration or storage of that data to a public or private cloud does not create security risk.

Can GRC automation software adequately respond to the governance demands of big data, and even ultimately make compliance processes easier?

Companies that use GRC automation software, by necessity, are documenting and executing their governance rules against information consistently and efficiently. The stored data inherently has greater value and helps improve the efficiency and profitability of a company. Those who resist GRC automation are also limiting their potential to benefit from big data analytics at the lowest possible cost.

If GRC processes are automated, what stipulations must be included in governance policies to ensure auditability of the compliance data?

The governance policies and GRC processes must be connected by synchronized rules. It is no longer acceptable for lawyers to build corporate policies that include ambiguities that conflict with the precision that GRC and other competitive uses of IT now require. Corporate governance policies must be crafted to anticipate that compliance with their requirements will be measured and capable of audit in quantitative terms.

Relying upon employees and contractors to “do the right thing” also will not accomplish the level of compliance and governance that the market is demanding from companies. Therefore, the reforms require a fundamental rethinking of how the policies will promote measured compliance and governance across a corporation and its connected ecosystems. —Ben Cole


AUTOMATED MOBILE MANAGEMENT

Use Automated Compliance Policy Governance to Ease Mobile Management

The enterprise mobility management suites available today do a fantastic job of managing mobile device compliance and data governance. That is, of course, if there is a policy in place that clearly defines the types of devices that an enterprise can use, as well as what each of those devices can and cannot do in relation to applications, content development and access to the corporate network. If an enterprise wants to support only iPhones, for example, no problem: It simply sets policies to block other smartphones. If it wants to quarantine and block a device that has been rooted or is jail-broken, that’s easy too: Set policy so the enterprise mobility management (EMM) tool will mark the device as noncompliant and restrict its access.

Typically, EMM suite vendors are very good about keeping their toolkits up to date with mobile device technology advances. For each technological release, however, there could be hundreds of possible restriction options for each device hardware type, operating system or application. For the iPhone, it is a bit more straightforward because there is only one provider. And Microsoft devices are managed mostly like their desktop/laptop counterparts. But in the Android space, there are dozens of hardware vendors, and each includes its own twist on the very popular operating system. For IT departments, trying to manage all of these variations would be impossible if it were not for EMM’s ability to automate compliance data governance.

Automated compliance enables mobility administrators, usually in coordination with the information security team, to establish a set of GRC “rules” that allow the EMM tool to do all the heavy regulatory lifting. An example: Let’s say that over the weekend, an employee with a corporate-owned device decides to “root” his or her Android OS to make fairly harmless modifications to the phone’s operating system. The company, however, has a policy that doesn’t allow rooted (or jail-broken) phones to access the network because doing so could result in a network security breach. If the phone is required to “check in” for authorization before it can access the network, the EMM suite can intercede and restrict the device from accessing the network. Also, a good EMM policy will initiate notifications to the employee, the company’s IT mobility administration and possibly even the employee’s supervisor.

All these processes can be automated by setting data management rules in the EMM tool. This is a huge timesaver for the IT team. But as mobile technology evolves, the policies must change as well. When new features are introduced to mobile devices, administrators must change the policy that depicts the EMM’s data governance rules, and the tool will update all device profiles accordingly. If you’re a mobile IT administrator responsible for thousands of devices, you’ll no doubt welcome the ability to push a change out once and have the EMM suite do the hard part.

By the same token, as government regulations change, EMM tools make reacting to the new rules easier. For instance, when the Payment Card Industry Data Security Standard (PCI DSS) is updated, enterprises need to implement the new controls and processes on all of their managed devices. This process is much easier when the change is made just once via a big push through EMM policy. Another example is at large healthcare networks, where staff members increasingly track patient information using handheld devices. As HIPAA regulations evolve, healthcare providers can ensure compliance with the new rules via an automated push through EMM processes.

EMM tools, when used in concert with employee management tools like Active Directory and identity management software, are also useful in controlling network access. Too often, an employee will leave a company or be terminated but the employee’s network access doesn’t get revoked. With a simple change in an identity management (IDM) product that is integrated with an EMM suite, the terminating manager can simply revoke mobile access privileges by changing the employee status from “active” to “terminated.” The IDM system, in coordination with the EMM suite, will immediately and automatically revoke access by the terminated employee device and can even initiate a remote wipe of the device’s data.

Again, automated processes set to trigger via the EMM tool allow these actions to be taken without intervention by the IT administrators.
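The rules described in this article (platform restrictions, blocking rooted devices at check-in, notifications, and revocation driven by identity status) can be modeled in a few lines. The Python sketch below is an added illustration, not code from the article or from any EMM or IDM product; every class, function and field name is hypothetical, and the fleet and directory are constructed sample data.

```python
"""Toy model of automated EMM compliance rules (hypothetical names, no vendor API)."""
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str          # e.g. "ios" or "android"
    rooted: bool = False   # rooted or jail-broken, as reported at check-in


@dataclass
class Policy:
    allowed_platforms: set
    block_rooted: bool = True
    # Roles notified when a device is marked noncompliant.
    notify_roles: tuple = ("employee", "mobility_admin", "supervisor")


@dataclass
class Decision:
    device_id: str
    compliant: bool
    access: str                                   # "granted", "restricted" or "revoked"
    reasons: list = field(default_factory=list)
    notifications: list = field(default_factory=list)
    remote_wipe: bool = False


def evaluate_check_in(device, policy, directory):
    """Decide network access when a device checks in for authorization.

    `directory` maps owner -> "active" or "terminated" and stands in for
    the identity management system integrated with the EMM suite.
    """
    status = directory.get(device.owner)
    # Assumption: fail closed. Any owner not listed as active loses access;
    # a remote wipe is requested only for an explicit "terminated" status.
    if status != "active":
        return Decision(device.device_id, False, "revoked",
                        reasons=[f"owner status is {status!r}"],
                        remote_wipe=(status == "terminated"))
    reasons = []
    if device.platform not in policy.allowed_platforms:
        reasons.append(f"platform {device.platform!r} not allowed")
    if policy.block_rooted and device.rooted:
        reasons.append("device is rooted or jail-broken")
    if reasons:
        return Decision(device.device_id, False, "restricted", reasons,
                        list(policy.notify_roles))
    return Decision(device.device_id, True, "granted")


def push_policy(devices, policy, directory):
    """Re-evaluate every managed device after a single policy change."""
    return {d.device_id: evaluate_check_in(d, policy, directory) for d in devices}


# Constructed sample fleet and directory.
FLEET = [
    Device("d1", "alice", "ios"),
    Device("d2", "bob", "android", rooted=True),
    Device("d3", "carol", "android"),
    Device("d4", "dave", "ios"),
]
DIRECTORY = {"alice": "active", "bob": "active",
             "carol": "active", "dave": "terminated"}

if __name__ == "__main__":
    # One policy change (dropping Android) is pushed to the whole fleet at once.
    for policy in (Policy({"ios", "android"}), Policy({"ios"})):
        print("allowed:", sorted(policy.allowed_platforms))
        for dec in push_policy(FLEET, policy, DIRECTORY).values():
            print(" ", dec.device_id, dec.access, dec.reasons, dec.notifications)
```

Failing closed on an unknown owner is a design choice made for this sketch; the article itself only describes the “active” to “terminated” transition.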

Having worked with many IT mobility administrators over the years, I know how daunting it was to manage devices when EMM tools didn’t have automated compliance capabilities. Now, however, IT staffers can spend their time taking advantage of the business benefits created by mobility rather than focusing on keeping devices compliant. —Bryan Barringer


GRC PROGRAM AUTOMATION

Aflac CISO: Five Steps to GRC Program Automation

Like many companies competing in the age of digitization, Aflac Inc. is undergoing a transformation to modernize our IT delivery platforms and methods. The goal is to facilitate higher-quality products and services to better serve our policyholders, help build value for our shareholders and supply superior services for our agents. It is incumbent upon IT and information security to support the execution of this mission using proven processes and cutting-edge technology.

There are regulatory obstacles to meeting these goals, because the company has access to customers’ private financial, health and credit card data. We need to meet the demands of a range of regulations, including the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act and PCI DSS. To ensure compliance with these regulatory frameworks, we must protect the confidentiality, integrity, availability and accountability of Aflac’s company and client information. Automating our information security and technology governance program helps us maintain regulatory compliance while still achieving our business objectives.

Governance, risk and compliance (GRC) automation is successful only with the right foundation in place: The right team must be chosen that can analyze risk and compliance processes and then map these processes into business objectives.

The following are five critical steps to GRC automation:


1. Start with one use case and expand: Aflac targeted IT risk management first, because we determined that the risk assessment process was in need of improvement and could benefit from automation. We are rebuilding our risk mitigation processes, including the development of an asset repository. Once our team assesses the risk stemming from our vendors, applications and systems, we will dedicate a group of people to the next phase of automation. Regardless of where an organization starts, each GRC automation phase doesn’t have to be 100% complete to proceed. It’s more important to get the foundation built and governance modules in place. Then, the company can expand into other areas.

2. Create an enterprise framework as a foundation: The National Institute of Standards and Technology, ISO and COBIT all offer great regulatory frameworks with which to start. Aflac is using a hybrid NIST/COBIT model. We found a hybrid model to be the best fit for us because of our significant compliance needs. For example, after building our asset management capabilities, we will match those with Federal Financial Institutions Examination Council criteria, and through that streamline compliance across other standards and regulations. These include bank requirements such as GLBA or payment card requirements such as PCI.

3. Evaluate GRC automation tools: After taking stock of the team, processes and tools available to support GRC, we started looking for ways to automate and centralize risk management activities. We looked at several GRC vendors and their products and evaluated each based on the following requirements:

■ The ability to implement GRC automation rapidly but with minimal impact on company processes during implementation. We also wanted a product with proven scalability so it could adapt to changing compliance regulations.

■ The vendor’s previous experience with GRC automation and enterprise risk management capabilities.

■ The vendor’s past record with implementing GLBA, HIPAA and PCI security compliance processes.

■ Information on details such as pricing and how technical support would respond to any problems.

The GRC vendor we selected meets the above requirements and works with us to ensure alignment with Aflac’s business goals and strategies.

4. Map risk and compliance goals into business metrics: Technology compliance generates its own form of risk. We need enough transparency and flexibility to ensure that we achieve technology compliance at a reasonable cost to the business. We can then focus on defining risk thresholds and driving risk down to acceptable levels. This process includes the following:

■ Completing a risk assessment

■ Creating a risk register to outline key risks

■ Measuring the inherent risk in terms of probability and impact

■ Listing mitigating controls and determining residual risk

We also have to be transparent with our priorities. We might have a process that is considered high risk, but a mitigating control brings it down to a low level. What might seem low risk, however, might not have any controls at all and therefore becomes a high risk. We must know where to address our attention. Automation allows us to deal with this process in a more systematic way, because it is impossible to effectively align these risks and controls when using a manual process.

5. Design flexibility in: Designing flexibility into our process allows us to absorb known and new risk. The GRC concept continues to mature as factors that shape a company’s programs change. New risks are revealed, the regulatory environment creates new pressures and new technology enters the workspace. A GRC program must have flexibility to adjust to the many changes, such as threats from organized crime, state-sponsored cyber-attacks and new variants on old threats. Flexibility helps build resiliency and enables us to maintain structural integrity while addressing emerging threats.
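Step 4 above describes a risk register that records inherent risk (probability and impact), lists mitigating controls and derives residual risk against a threshold. The Python sketch below is an added illustration of that calculation, not Aflac’s method or any GRC product’s code; the 1-to-5 scales, the multiplicative control model, the band thresholds and the sample risks are all assumptions made for the example.

```python
"""Minimal risk register: inherent vs. residual risk (scoring model is assumed)."""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    effectiveness: float  # assumed: fraction of the risk removed, 0.0 to 1.0


@dataclass
class Risk:
    name: str
    probability: int  # assumed scale: 1 (rare) to 5 (almost certain)
    impact: int       # assumed scale: 1 (minor) to 5 (severe)
    controls: list = field(default_factory=list)

    def __post_init__(self):
        # Reject out-of-range input so a typo cannot silently skew the ranking.
        for label, value in (("probability", self.probability),
                             ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {label} must be 1..5, got {value}")
        for control in self.controls:
            if not 0.0 <= control.effectiveness <= 1.0:
                raise ValueError(f"{control.name}: effectiveness must be 0..1")

    @property
    def inherent(self):
        """Risk before any control is considered."""
        return self.probability * self.impact

    @property
    def residual(self):
        """Risk left after every listed control has reduced it in turn."""
        remaining = 1.0
        for control in self.controls:
            remaining *= 1.0 - control.effectiveness
        return round(self.inherent * remaining, 2)


def band(score, medium=6, high=15):
    """Map a score to a band; the thresholds are assumptions."""
    if score >= high:
        return "high"
    return "medium" if score >= medium else "low"


def build_register(risks, acceptable=5.0):
    """Return register rows ordered by residual risk, highest first."""
    rows = [{
        "risk": r.name,
        "inherent": r.inherent,
        "inherent_band": band(r.inherent),
        "controls": [c.name for c in r.controls],
        "residual": r.residual,
        "residual_band": band(r.residual),
        "needs_action": r.residual > acceptable,
    } for r in risks]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample risks, for illustration only.
SAMPLE_RISKS = [
    Risk("Cardholder data store", 4, 5,
         [Control("encryption at rest", 0.6), Control("access review", 0.5)]),
    Risk("Vendor file transfer", 4, 4, [Control("contract clauses", 0.25)]),
    Risk("Internal wiki patching", 3, 3),  # no mitigating control at all
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f'{row["risk"]:<24} inherent={row["inherent"]:>2} '
              f'residual={row["residual"]:>5} ({row["residual_band"]}) '
              f'action={row["needs_action"]}')
```

With these sample values, the risk that scores highest before controls ends up lowest after them, while the uncontrolled risk moves up the list, which is the prioritization effect the step describes.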

The next step is to incorporate and align Aflac’s other business-critical processes with our GRC program. This includes aligning governance and policy objectives with the tactical requirements of day-to-day risk identification and reduction.

When it comes to GRC automation, I’ve seen CISOs who implement a tool and get frustrated because it’s not 100% complete from Day 1. It is important to understand that you must start somewhere. You might not be firing on all cylinders to start; you can learn new information and adjust, then learn and adjust again. The key is to keep going and accept that GRC automation is going to be a long journey. —Tim Callahan


ABOUT THE AUTHORS

BEN COLE is senior site editor for SearchCIO and SearchCompliance. Prior to joining TechTarget, Cole was the online editor for HealthLeaders Media, based in Marblehead, Mass. He began his journalism career as a reporter with the Massachusetts daily newspapers The Gardner News and Sentinel & Enterprise.

BRYAN BARRINGER is a digital transformation and enterprise mobility expert who specializes in creating user-centric, omni-channel solutions. Barringer has more than 20 years of experience in mobility and product design/management strategy in multiple verticals, most recently as the leader of FedEx’s Office of Mobility and Collaboration. He is now an independent product development and enterprise mobility consultant, writer and speaker.

TIM CALLAHAN is vice president and chief information security officer at Aflac Inc. He is responsible for the Aflac Information Security Program, which includes threat and vulnerability management, security operations and incident response, information technology compliance and risk management, security engineering and disaster recovery.

The Data Governance Keys to Successful GRC Automation is a SearchCompliance.com e-publication.

Ben Cole | Senior Site Editor

Fran Sales | Associate Editor

Bryan Barringer, Tim Callahan | Contributing Writers

Sue Troy | Editorial Director

Linda Koury | Director of Online Design

Neva Maniscalco | Graphic Designer


TechTarget 275 Grove Street, Newton, MA 02466

www.techtarget.com

© 2015 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.
