Governance, Risk, & Compliance Nov 2015
GRC v1
Presented by: Anthony De Monroy
November 8, 2015
What is it?
• WHAT: Provides a “single” version of organizational effectiveness to executives, auditors, & regulators.
• WHY: Executives & boards demand IT exposure visibility so they can effectively manage the organization’s long-term IT strategies.
The Problem
GRC Defined
Governance: Oversight roles & processes by which companies manage & mitigate business risks.
Risk: Risk Management enables an organization to evaluate all relevant business regulatory risks & controls. It monitors mitigation actions in a structured manner.
Compliance: Ensures that an organization has the processes & internal controls to meet the requirements imposed by governmental bodies, industry mandates or internal policies.
• NOTE: no separate silos; each works in tandem, aligning IT initiatives with overall business objectives.
Focus
(Figure: NEW GRC FOCUS vs. LEGACY GRC FOCUS comparison)
GRC Wheel
IT Governance
Importance
Defines importance (Evaluate), how decisions will be made & accountability (Direction), & measurement (Monitor):
1) Key IT Policy Management
2) Enterprise IT Risk Management
3) Regulatory compliance management & oversight
4) Evaluating IT business performance through performance scorecards, risk scorecards, & operational dashboards
Governance Roadmap
IT Risk Management
Ensures strategic IT objectives take into account acceptable levels of risk in relation to stakeholders, industry mandates, & regulations. There are four key concerns:
Importance
IT Compliance
Importance
When we say “Compliance”, what does that mean?
Establishes & monitors IT controls & ensures decisions are made & prioritized according to policy. Typically begins as a project to meet deadlines to comply with a government regulation, industry mandates or internal policies.
It is not a one-time event, but a repeatable process, so organizations can continue to sustain compliance at progressively lower costs.
Five Elements:
1) Oversight & Reporting
2) Standards & Procedures
3) Monitoring & Auditing
4) Education & Training
5) Response & Prevention
Critical Controls
Industry Overview
Security Requirements
WS Compliance Matrix
Thank You!
Appendix A
Alphabet Soup
• GLBA, GLB - GRAMM-LEACH-BLILEY ACT: Applies to the financial services industry (insurance, securities, banking), & includes credit reporting agencies, ATM operators, appraisers, couriers, and tax preparers. Related Standards and Items: Standards for Safeguarding Customer Information 16 CFR Part 314, Federal Trade Commission (2002), Fair Credit Reporting Act (FCRA) Financial Privacy Rule, Federal Financial Institutions
• HIPAA - HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT: Applies to healthcare, medical records, insurance, and other medical related business. Organizations explicitly covered by HIPAA include: Health Care Providers, Health Plans, Health Clearinghouses, & Medicare Prescription Drug Card Sponsors. Related Standards and Items: NIST 800-66 National Institute of Standards and Technology documentation for HIPAA, PSQIA – Patient Safety and Quality Improvement Act of 2005, HITECH Regulations regarding electronic transmission of patient information.
• FISMA - FEDERAL INFORMATION SECURITY ACT: Applies to governmental agencies, governmental contractors and telecommunications providers who provide services to anything deemed related to national security (very broad stroke). Also applies to Federal agencies, contractors, and any other company or organization that uses or operates an information system on behalf of a federal agency. Related Standards and Items: FIPS Federal Information Processing Standards, DISA Defense Information Systems Agency, NIST National Institute of Standards and Technology
• PCI - PAYMENT CARD INDUSTRY: Is an independent organization that sets standards for credit card processors and merchants. Applies to merchants and processors of Visa, Mastercard, American Express, Diners Club International, or JCB (an Asian based credit card) transactions. PCI security covers "Any system that stores, processes, or transmits cardholder data". Unlike SOX and GLBA, the standard is quite straightforward and IT specific. Related Standards & Bodies: CISP: Cardholder Information Security Protection (Visa), SDP: Site Data Protection Program (Mastercard), SB1656 - Credit Card Data Disclosure - California Assembly Bill 1656 (2008)
• NERC - NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION: Applies to companies that generate, provide, or transmit energy. NERC is subject to Federal Energy Regulatory Commission (FERC) mandates and control. NRC (Nuclear Regulatory Commission) is a related commission for nuclear power. The primary focus of NERC is on SCADA, which stands for supervisory control and data acquisition devices and networks. The majority of IT related policies will be found in the Critical Infrastructure Protection (CIP) standards. Standard CIP-002-3 requires the identification.
• ISO 27002 / 17799 / BS7799 / NZS 7799 / AS 7799 / IEC 17799: Originally known, and commonly known, as ISO 17799; the revised current version is ISO 27002. ISO standards are applied to multinational companies. British Standards (BS), Australian Standards (AS), New Zealand Standards (NZS), and others were incorporated into a common international framework.
• Sarbanes–Oxley (SOX): Applies to all publicly traded companies. A majority of the regulations apply to auditing, the board of directors, disclosures, and improper trading.
Alphabet Soup II
Governance Frameworks
GRC Processes: Where Each Fits