
Page 1: Enterprise governance risk_compliance_fcm slides

http://www.enterprisegrc.com

EnterpriseGRC Solutions Inc.

A Governance, Risk and Compliance Company

A Service Oriented Approach

Policy Baseline, RunBook - CMDB, Control Self Assessment, RiskWatch

Page 2

Functional Teams (IT Support, HR, Facilities) Drive SOD and Applications Controls Baseline

Page 3

Internal Audit Addresses Dynamic Regulatory Requirements and Risk Conditions

Page 4

Every Organization Has Unique Needs

Page 5

Enterprise Security and Compliance Custom Tabs and Menus

Page 6

ISO/IEC 17799:2005 – ISO 27001 Policy Mapping

Mapping ISO 17799:2005 (27001) to Finance, Legal, Business and IT Policies

Mapping CobiT to ISO allows us to link evidence across Policy, Program, Process and System. Updates are evident to all areas in real time.

Page 7

© EnterpriseGRC Solutions, Inc. All Rights Reserved www.enterprisegrc.com

4Point GRC is a Service Oriented Architecture

Page 8

Baseline Configuration Is Critical to Available Service

Enterprise Management Systems: Opportunities for Workflow and Controls Automation

Page 9

Link Configuration Management Database, Policy Mapping, leveraging a Service Oriented Architecture

Page 10

Link Configuration Management Database, Policy Mapping, Service Oriented Architecture

Page 11

Enable Continuous Service

Page 12

Define the Control Relationship

Page 13

RunBook Reports Satisfy Compliance Requirements and Enable SOA - GRC

RunBooks provide a true CMDB of production services as governed by Policies and Processes

Controlled Server and Application tables establish the system inventory of tested items

Producing results in a searchable data format facilitates accurate controls metadata, verified policy and systems associations, and the foundation for accurate, complete and valid test design.

Page 14

Automation of Audit Function

Changes in the risk landscape are rapid, dynamic and cannot be managed by manual process. Corporate audit function costs continue to rise due to increasing threats and events. Greater efficiency and cost effectiveness are achieved by:

• Automating audit processes
• Better monitoring tools and techniques
• Training key compliance team members

The R in GRC - Strategic Planning and Risk Management

Page 15

What is the value of implementing Enterprise Risk Management (ERM)?

Enterprise Risk Management helps business leadership achieve the organization’s performance and profitability targets.

Page 16

Why Risk Management?

• Minimizes the likelihood of material loss such as fraud, critical system failure, political damage, missed strategic milestones or significant loss of revenue.
• Ensures delivery of risk information to the business.
• Enables business decisions by providing a management process for capturing, analyzing, mitigating and monitoring risks to the business.
• Provides a unified management process for risk response.

Page 17

Risk Management Programs, Guidance and Process

Process diagram elements:
• Quarterly Business Review
• Compliance Hot-Line
• IT RiskWatch
• Assign Risk Manager
• Board Reports
• Threat & Vulnerability Analysis
• Input risk details and status log
• Residual Risk
• Program RiskWatch
• Corporate RiskWatch
• Risk Meeting
• IT Steering Committee

Page 18

Risk Watch Components

• Risk Identification
• Business Risk Assessment
• Scope & Boundary Definition
• Risk Measurement
• Risk Action Plan
• Risk Acceptance
• Safeguard Selection
• Risk Assessment
• Commitment

Page 19

Risk Tracking

Respond, Report, Reduce

Page 20

The Risk Management Process

• Establish the context
• Identify the risks
• Analysis of the risks
• Evaluate the risks
• Treat the risks
• Monitor and review
• Communicate and consult

Page 21

Answers Simple Questions

What is Likelihood? Define Likely, Define Relatively Likely, Define Unlikely, Define Never.

What is Impact? Define Minor, Define Major, Define Catastrophic.

What is Significance? In what manner will significance change? What were the criteria we used for our interpretation of significance?

Page 22

Risk Mitigation

• Reported Risk levels in RiskWatch
• Prioritize Actions
• Evaluate Recommended Control Options
• Conduct Cost-Benefit Analysis
• Develop Safeguard Implementation Plan
• Assign Responsibility
• Select Controls
• Implement Selected Controls
• Residual Risks

Page 23

Key Roles & Responsibilities

Chief Financial Officer, Security Manager, Risk Management Committee, Risk Mitigation Implementation Owners, Stakeholders & Users

…Everyone in an entity has some responsibility for enterprise risk management. The chief executive officer is ultimately responsible and should assume ownership. Other managers SUPPORT the entity’s risk management philosophy, promote compliance with its risk appetite, and manage risks within their spheres of responsibility consistent with risk tolerances. A risk officer, financial officer, internal auditor, and others usually have key SUPPORT responsibilities. Other entity personnel are responsible for executing enterprise risk management in accordance with established directives and protocols. The board of directors provides important oversight to enterprise risk management, and is aware of and concurs with the entity’s risk appetite. A number of external parties, such as customers, vendors, business partners, external auditors, regulators, and financial analysts often provide information useful in effecting enterprise risk management, but they are not responsible for the effectiveness of, nor are they a part of, the entity’s enterprise risk management.

Enterprise Risk Management — Integrated Framework Executive Summary Copyright © September 2004 by the Committee of Sponsoring organizations of the Treadway Commission.

Page 24

Achieve Risk Transparency

• Communicate – Risk Inputs and Agenda
• Execute – Program, Meetings, Risk Response
• Measure – Risk Measurement & Impact Analysis, Performance
• Record – Meeting Minutes, Management Reporting
• Archive – Meeting Minutes, KPI Results

Page 25

Risk Process Maturity

Level 3 (Defined Process): An organization-wide risk management policy defines when and how to conduct risk assessments. Risk assessment follows a defined process that is documented and available to all staff through training. Decisions to follow the process and to receive training are left to the individual’s discretion. The methodology is convincing and sound, and ensures that key risks to the business are likely to be identified. Decisions to follow the process are left to individual IT managers and there is no procedure to ensure that all projects are covered or that the ongoing operation is examined for risk on a regular basis.

Risk Management maturity scale: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized

Page 26

Risk Process Maturity

Level 4 (Managed and Measurable): The assessment of risk is a standard procedure and exceptions to following the procedure would be noticed by IT management. It is likely that IT risk management is a defined management function with senior level responsibility. The process is advanced and risk is assessed at the individual project level and also regularly with regard to the overall IT operation. Management is advised on changes in the IT environment which could significantly affect the risk scenarios, such as an increased threat from the network or technical trends that affect the soundness of the IT strategy. Management is able to monitor the risk position and make informed decisions regarding the exposure it is willing to accept. Senior management and IT management have determined the levels of risk that the organization will tolerate and have standard measures for risk/return ratios. Management budgets for operational risk management projects to reassess risks on a regular basis. A risk management database is established.

Page 27

Risk Process Maturity

Level 5 (Optimized): Risk assessments have developed to the stage where a structured, organization-wide process is enforced, followed regularly and well managed. Risk brainstorming and root cause analysis, involving expert individuals, are applied across the entire organization. The capturing, analysis and reporting of risk management data are highly automated. Guidance is drawn from leaders in the field and the IT organization takes part in peer groups to exchange experiences. Risk management is truly integrated into all business and IT operations, is well accepted and extensively involves the users of IT services.

Page 28

Reap Benefits

• Reliable Services
• Transparency
• Responsiveness of IT to business
• Confidence At The Top
• Return on Investment

Page 29

Moving Through A Risk Cycle: Status Codes

• Reviewed & Accepted: Risk will be allowed to remain as described. Risk is determined to be acceptable, given business priorities & total vulnerability.
• Controls Required: Team is assigned to determine & implement compensating controls.
• Critical Controls Required: Exposure is determined to be unacceptable. Team is to implement compensating controls as quickly as possible.
• Emergency – Immediate Action Required: Emergency risk situation requires immediate team management & notification.

Page 30

Project Risk Management Purpose and Scope

• Facilitates The Effective Management of Risk Within An IT Project
• Enables Project Team To Collaborate In Identifying Risk, Analyzing Risk, And Planning Appropriate Actions
• Risk-related Actions Are Planned, Scheduled And Tracked As Additional Tasks In The Project Plan
• Risk Tracking Occurs In A Risk Watch List
• On-going Activity Throughout The Project Depends On All Project Team Members Being Risk-aware, Utilizing The Defined Risk Management Process

Page 31

Corporate Risk Management Purpose & Scope

• Corporate Level Review of Company Specific Risk
• Roll Up of Individual Company Risks, Assignment of Relative Risk Criteria
• Ownership of Communicated Risk To Both Shareholders And Throughout The Corporate Enterprise
• Governs How Corporate Leadership Interprets & Assigns Weighted Value To Company Specific Risk & Impact
• Initial Risk Assessment & Accountability Rests At The Individual Company Level
• Disclosure Committee Reviews & Determines Disclosure Requirements

Page 32

Activity Outputs

• Apparent IT System or Technology Resource Based Vulnerability: A person in the IT domain is made aware, by interaction with others or through his/her own doing, of an apparent technology weakness. This weakness is determined by management to possibly merit risk team consideration. The risk is not associated with an SDM management effort, and therefore requires isolated entry to the RiskWatch.
• Significance Evaluation and Risk Criteria Template: The significance evaluation is a formal process based in agreed standards for determining the quality statements associated to an estimated risk. Establishing "RiskWatch COBIT Project Definitions" can be achieved by implementing a template of criteria definitions.
• Report Risk: Any IT person can launch the Risk Watch to enter details of a perceived risk. Management reviews the risk to determine its appropriateness for Risk Watch. The steps to filling out the RiskWatch form are detailed in the RiskWatch Form Entry Work Instruction.
• RiskWatch Meeting Review: Occurs weekly. Meeting is preceded by the posting of intended items for review and followed by a posted summary of results. Metrics are gathered and stored in the work products folder as determined by the RiskWatch team.
• Threat & Vulnerability Analysis: Used to identify and document the threats and vulnerabilities associated with any asset being evaluated.
• Security Management: Responds to identified threat by ensuring the risk response and compensating controls are effectively enforced.
• Mitigated Risk: The risk is mitigated to significance of 9 or less with acceptable controls in place.
• Attestation of Risk: Fair and reasonable discovery and disclosure of risks.

Page 33

Process Exit Criteria

Risk Process Continues Until The Process Response Is Implemented

Risk Is Mitigated To Acceptable Managed Residual Risk or Removed

Mitigated Risk Where Significance Is Less Than “9” & Appropriate Controls Are Identified For Ongoing Risk Management

Page 34

Governance in IT Service Management

• Culture of change management
• Culture of causality
• Culture of compliance and desire to continually reduce variance

Page 35

Change Management and Governance

Change Management’s Relationship to Governance

INPUTS
• Request for Change (RFC), CMDB, Release
• Implementation Plans

COMMITTEE
• Change Management Team
• Review Board
• Steering

OUTPUTS
• Implementations
• Meeting Minutes
• Schedules

AUDIT
• Reports
• Key Performance Indicators
• Client Service Metrics

Page 36

Enterprise Change Management

Goal of Change Management Systems
• Enable business decisions by providing a management system housing data for analysis, implementation and follow-up
• Support problem management to identify known errors

Goal of Change Management
• Maximize the benefits to the business of making changes to the IT infrastructure
• Minimize the risks involved in making those changes
• Ensure that standardized methods and procedures are used for efficient and prompt handling of all changes
• Reduce the impact of change-related incidents and improve day-to-day function

Page 37

Business Process Management

Business Process Application Mapping
• Facilitate a walkthrough of each business process
• Identify those applications that support the processing of transactions
• Document the workflow of transactions through the entire process to ensure complete identification of applications

Application Summary and Scope Development
• Complete list of applications
• Relevance, relation and criticality to the financial reporting
• Significance to the financial reporting process
• Management discretion: applications considered important or high risk from management’s perspective

Application Technology Support Information
• For applications in scope for the Sarbanes-Oxley Program, gather the complete RunBook
• Source of application: purchased and implemented with and without customization; developed and maintained internally; outsourced to a third party
• For changes: the date of the last major change and next planned change to each application

Page 38

ISO/IEC 27001:2005

“ISO/IEC 27001:2005 implements effective information security management in compliance with organizational objectives and business requirements. Risk-based specification designed to take care of information security aspects of corporate governance, protection of information assets, legal and contractual obligations as well as the wide range of threats to an organization’s information and communications technology (ICT) systems and business processes.” (ISO/IEC 17799 was renumbered as ISO/IEC 27002)

ISMS steps:
1. Define an Information Security Policy
2. Define the scope of the information security management system
3. Perform a Security Risk Assessment
4. Manage the identified risk
5. Select controls to be implemented
6. Prepare the Statement of Applicability

ISO 27001 - the specification for an information security management system (an ISMS), which replaced the old BS7799-2 standard
ISO 27002 - 27000 series standard number of what was originally the ISO 17799 standard (which itself was formerly known as BS7799-1)
ISO 27003 - standard guidance for the implementation of an ISMS (IS Management System)
ISO 27004 - information security system management measurement and metrics
ISO 27005 - methodology independent ISO standard for information security risk management
ISO 27006 - guidelines for the accreditation of organizations offering ISMS certification

Page 39

ISO 27001 Compliance

Initiate
• Understand / Define Information Security Policy
• Initial information gathering

Define
• ISMS
• Security Manuals
• Procedures
• Guidelines
• Templates

Assess
• Risk Analysis Ranking
• Risk Management

Develop
• Controls Identification & Development

Readiness
• Statement of Applicability
• Assistance in Implementation and Certification Process

Plan, Do, Check, Act

Page 40

INTERNATIONAL STANDARD ISO/IEC 38500

Performance of the organization: Proper Corporate Governance of IT assists directors to ensure that IT use contributes positively to the performance of the organization, through:
• Appropriate implementation and operation of IT assets
• Clarity of responsibility and accountability for both the use and provision of IT in achieving the goals of the organization
• Business continuity and sustainability
• Alignment of IT with business needs
• Efficient allocation of resources
• Innovation in services, markets, and business
• Good practice in relationships with stakeholders
• Reduction in the costs for an organization
• Actual realization of the approved benefits from each IT investment

Page 41

Factors for Governance Success

• Strong project management across IT (COBIT) and Finance Applications (COSO)
• Foster a culture of commitment, collaboration and knowledge transfer
• Regular status meetings (weekly or even daily in some cases)
• Intelligent GRC (Governance, Risk, Compliance): “OHIO” (only handle it once) means reduce redundant controls. Find and remove controls that are non-essential to the scope of audit. Nail questions before they come up through evidence of strong automated and system-based policy. Leverage team knowledge to properly align controls to their rightful owners.
• Fail fast; pass slow: Escalate non-remediated controls (fails) before they become “findings”. Remove unnecessary tests. Retest fails to confirm control design and validate against the actual statement of risk.

Page 42

The COBIT Cube: Business Requirements

Information Criteria
• Effectiveness: Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, and usable manner.
• Efficiency: Concerns the provision of information through the optimal (most productive and economical) use of resources.
• Confidentiality: Concerns the protection of sensitive information from unauthorized disclosure.
• Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
• Availability: Relates to information being available when required by the business process, at present and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
• Compliance: Deals with complying with those laws, regulations, and contractual arrangements to which the business process is subject, that is, externally imposed business criteria as well as internal policies.
• Reliability: Relates to the provision of appropriate information for the management to operate the entity and to exercise its fiduciary and governance responsibilities.

Cube dimensions: Information Criteria, IT Resources, IT Processes

© EnterpriseGRC Solutions, Inc., ISACA® and ITPreneurs™. All Rights Reserved.

Page 43

• IT Audit and Compliance
• Enterprise Technology Risk Management
• Enterprise Architecture
• Business Continuity / Disaster Recovery
• Enterprise GRC Platforms and Implementation
• ERP Applications Certification Readiness
• Data Warehousing / Business Intelligence
• Process Reengineering

Page 44

Some Key Points: Control frameworks are designed to reduce operating cost and risk while optimizing service delivery. A GRC program should:
• Reduce external dependencies
• Ensure that clients retain proprietary knowledge while reducing volume and time on testing
• Adeptly tailor proven methodology to meet unique culture and technical and business environment
• Meet and exceed goals set by leadership and critical industry regulation mandates

EnterpriseGRC Solutions Using Archer as our Audit Governance Risk and Compliance Platform

Policy Management: Using ISO 27001, EnterpriseGRC Solutions maps HR, IT, Finance, Business and Legal Policy. Process & Policy mapping according to all major standards.

Enterprise Management: Baseline Configuration Management (CMDB). Using Asset Inventory tools, create and enable real-time evidence of controls enabled by service operations.

Compliance Management: CSA (Control Self Assessment). Based in each organization’s custom risk frameworks, test scripts and maturity; Risk Assessments for initial and continuing audit phases.

Risk Management: Enterprise Risk Management - Top Down - Dashboarding program manages actual exposures, relative to real service, real policy and changing conditions across the business & IT.

05/01/2023