http://www.enterprisegrc.com
EnterpriseGRC Solutions Inc.
A Governance, Risk and Compliance Company
A Service Oriented Approach
Policy Baseline, RunBook - CMDB, Control Self Assessment, RiskWatch
Functional Teams (IT Support, HR, Facilities) Drive the SOD and Application Controls Baseline
Internal Audit Addresses Dynamic Regulatory Requirements and Risk Conditions
Every Organization Has Unique Needs
Enterprise Security and Compliance Custom Tabs and Menus
ISO/IEC 17799:2005 (ISO/IEC 27002) – ISO/IEC 27001 Policy Mapping
Mapping ISO/IEC 17799:2005 (renumbered as ISO/IEC 27002) to Finance, Legal, Business and IT policies.
Mapping COBIT to ISO lets us link evidence across policy, program, process and system, so that updates are visible to all areas in real time.
© EnterpriseGRC Solutions, Inc. All Rights Reserved www.enterprisegrc.com
4Point GRC is A Service Oriented Architecture
Baseline Configuration Is Critical to Available Service
Enterprise Management Systems: Opportunities for Workflow and Controls Automation
Link Configuration Management Database, Policy Mapping, leveraging a Service Oriented Architecture
Enable Continuous Service
Define the Control Relationship
RunBook Reports Satisfy Compliance Requirements and Enable SOA - GRC
RunBooks provide a true CMDB of production services as governed by Policies and Processes
Controlled Server and Application tables establish the system inventory of tested items
Producing results in a searchable data format supports accurate controls metadata, verified policy-to-system associations, and the foundation for accurate, complete and valid test design.
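The join the slide describes (controlled server and application tables, a policy mapping, and a searchable result that exposes gaps in test design), carried into a small script as an added example. This is this editor's code, not the RunBook product; the CMDB rows, policy names and control identifiers are constructed placeholders rather than real COBIT or ISO control numbers.

```python
"""Added example, not EnterpriseGRC's RunBook code: join a CMDB export with a
policy-to-control mapping to get a searchable test scope, then check it for
the gaps that make test design incomplete or invalid.

Everything below is constructed: the CMDB rows, the policy names and the
control identifiers are placeholders, not real COBIT or ISO control numbers.
"""
import csv
import io
from collections import defaultdict

# Constructed CMDB export: a few servers, a firewall and two applications.
CMDB_CSV = """ci_id,ci_type,name,environment,service,owner
SRV-001,server,erp-db-01,production,ERP,dba-team
SRV-002,server,erp-app-01,production,ERP,erp-team
SRV-003,server,erp-app-dev,development,ERP,erp-team
NET-001,network,core-fw-01,production,ERP,netops
APP-001,application,GL Ledger,production,ERP,finance-it
APP-002,application,Payroll,production,HR,hr-it
"""

# Policy -> control mapping. 'applies_to' is the CI type the control governs;
# 'evidence' names the system export that proves the control operated.
CONTROLS = [
    {"id": "CHG-01", "policy": "IT Change Management", "applies_to": "server", "evidence": "change-ticket export"},
    {"id": "CHG-02", "policy": "IT Change Management", "applies_to": "application", "evidence": "change-ticket export"},
    {"id": "ACC-01", "policy": "Logical Access", "applies_to": "application", "evidence": "quarterly user access review"},
    {"id": "CFG-01", "policy": "Baseline Configuration", "applies_to": "server", "evidence": None},
    {"id": "BCP-01", "policy": "Business Continuity", "applies_to": "database", "evidence": "restore test log"},
]


def load_cmdb(text: str) -> list:
    """Parse a CMDB CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def build_test_scope(cis: list, controls: list) -> list:
    """One row per (production CI, applicable control): the tested-item inventory."""
    by_type = defaultdict(list)
    for c in controls:
        by_type[c["applies_to"]].append(c)
    rows = []
    for ci in cis:
        if ci["environment"] != "production":
            continue  # the RunBook is a CMDB of production services only
        for c in by_type.get(ci["ci_type"], []):
            rows.append({"ci_id": ci["ci_id"], "ci": ci["name"], "service": ci["service"],
                         "owner": ci["owner"], "control": c["id"], "policy": c["policy"],
                         "evidence": c["evidence"]})
    return rows


def coverage_gaps(cis: list, controls: list) -> dict:
    """Three checks a test designer needs before signing off the scope."""
    prod = [ci for ci in cis if ci["environment"] == "production"]
    covered_types = {c["applies_to"] for c in controls}
    cmdb_types = {ci["ci_type"] for ci in cis}
    return {
        # production items no control maps to: the scope is incomplete
        "uncovered_cis": sorted(ci["ci_id"] for ci in prod if ci["ci_type"] not in covered_types),
        # mapped controls with no evidence source: the test cannot be executed
        "unevidenced_controls": sorted(c["id"] for c in controls if not c["evidence"]),
        # controls that touch nothing in the CMDB: candidates for removal
        "unused_controls": sorted(c["id"] for c in controls if c["applies_to"] not in cmdb_types),
    }


def search(scope: list, **where) -> list:
    """Filter the scope table, e.g. search(scope, service="ERP", policy="Logical Access")."""
    return [r for r in scope if all(r.get(k) == v for k, v in where.items())]


if __name__ == "__main__":
    cis = load_cmdb(CMDB_CSV)
    scope = build_test_scope(cis, CONTROLS)
    for row in search(scope, service="ERP"):
        print(row["ci"], row["control"], row["evidence"])
    print(coverage_gaps(cis, CONTROLS))
```

With the constructed data the firewall is a production item no control covers, the baseline-configuration control has no evidence source so it cannot actually be tested, and the continuity control maps to a CI type the CMDB does not contain; each is a different reason a test plan fails the "accurate, complete and valid" bar.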
Automation of the Audit Function
Changes in the risk landscape are rapid and dynamic and cannot be managed by manual process. Corporate audit costs continue to rise as threats and events increase. Greater efficiency and cost effectiveness are achieved by:
• Automating audit processes
• Better monitoring tools and techniques
• Training key compliance team members
The R in GRC - Strategic Planning and Risk Management
What is the value of implementing Enterprise Risk Management (ERM)?
Enterprise Risk Management helps business leadership achieve the organization's performance and profitability targets.
Why Risk Management?
• Minimizes the likelihood of material loss such as fraud, critical system failure, political damage, missed strategic milestones or significant loss of revenue.
• Ensures delivery of risk information to the business.
• Enables business decisions by providing a management process for capturing, analyzing, mitigating and monitoring risks to the business.
• Provides a unified management process for risk response.
Risk Management Programs, Guidance and Process (process diagram; components only):
Quarterly Business Review, Compliance Hot-Line, IT RiskWatch, Assign Risk Manager, Board Reports, Threat & Vulnerability Analysis, Input risk details and status log, Residual Risk, Program RiskWatch, Corporate RiskWatch, Risk Meeting, IT Steering Committee
Risk Watch Components
Risk Identification
Business Risk Assessment
Scope & Boundary Definition
Risk Measurement
Risk Action Plan
Risk Acceptance
Safeguard Selection
Risk Assessment
Commitment
Risk Tracking
Respond – Report – Reduce
The Risk Management Process
• Establish the context
• Identify the risks
• Analyse the risks
• Evaluate the risks
• Treat the risks
• Monitor and review
• Communicate and consult
Answers Simple Questions
What is likelihood? Define Likely, Relatively Likely, Unlikely and Never.
What is impact? Define Minor, Major and Catastrophic.
What is significance? In what manner will significance change? What were the criteria we used for our interpretation of significance?
Risk Mitigation
Reported risk levels in RiskWatch
• Prioritize actions
• Evaluate recommended control options
• Conduct cost-benefit analysis
• Develop safeguard implementation plan
• Select controls
• Assign responsibility
• Implement selected controls
• Residual risks
Key Roles & Responsibilities
Chief Financial Officer, Security Manager, Risk Management Committee, Risk Mitigation Implementation Owners, Stakeholders & Users
…Everyone in an entity has some responsibility for enterprise risk management. The chief executive officer is ultimately responsible and should assume ownership. Other managers SUPPORT the entity’s risk management philosophy, promote compliance with its risk appetite, and manage risks within their spheres of responsibility consistent with risk tolerances. A risk officer, financial officer, internal auditor, and others usually have key SUPPORT responsibilities. Other entity personnel are responsible for executing enterprise risk management in accordance with established directives and protocols. The board of directors provides important oversight to enterprise risk management, and is aware of and concurs with the entity’s risk appetite. A number of external parties, such as customers, vendors, business partners, external auditors, regulators, and financial analysts often provide information useful in effecting enterprise risk management, but they are not responsible for the effectiveness of, nor are they a part of, the entity’s enterprise risk management.
Enterprise Risk Management — Integrated Framework, Executive Summary. Copyright © September 2004 by the Committee of Sponsoring Organizations of the Treadway Commission.
Achieve Risk Transparency
Communicate – risk inputs and agenda
Execute – program, meetings, risk response
Measure – risk measurement & impact analysis, performance
Record – meeting minutes, management reporting
Archive – meeting minutes, KPI results
Risk Process Maturity
Level 3 – Defined Process: An organization-wide risk management policy defines when and how to conduct risk assessments. Risk assessment follows a defined process that is documented and available to all staff through training. Decisions to follow the process and to receive training are left to the individual's discretion. The methodology is convincing and sound, and ensures that key risks to the business are likely to be identified. Decisions to follow the process are left to individual IT managers and there is no procedure to ensure that all projects are covered or that the ongoing operation is examined for risk on a regular basis.
Maturity scale: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized.
Level 4 – Managed and Measurable: The assessment of risk is a standard procedure and exceptions to following the procedure would be noticed by IT management. It is likely that IT risk management is a defined management function with senior-level responsibility. The process is advanced and risk is assessed at the individual project level and also regularly with regard to the overall IT operation. Management is advised on changes in the IT environment which could significantly affect the risk scenarios, such as an increased threat from the network or technical trends that affect the soundness of the IT strategy. Management is able to monitor the risk position and make informed decisions regarding the exposure it is willing to accept. Senior management and IT management have determined the levels of risk that the organization will tolerate and have standard measures for risk/return ratios. Management budgets for operational risk management projects to reassess risks on a regular basis. A risk management database is established.
Level 5 – Optimized: Risk assessments have developed to the stage where a structured, organization-wide process is enforced, followed regularly and well managed. Risk brainstorming and root cause analysis, involving expert individuals, are applied across the entire organization. The capturing, analysis and reporting of risk management data are highly automated. Guidance is drawn from leaders in the field and the IT organization takes part in peer groups to exchange experiences. Risk management is truly integrated into all business and IT operations, is well accepted and extensively involves the users of IT services.
Reap Benefits
• Reliable services
• Transparency
• Responsiveness of IT to the business
• Confidence at the top
• Return on investment
Moving Through a Risk Cycle: Status Codes
• Reviewed & Accepted – Risk will be allowed to remain as described. Risk is determined to be acceptable, given business priorities & total vulnerability.
• Controls Required – Team is assigned to determine & implement compensating controls.
• Critical Controls Required – Exposure is determined to be unacceptable. Team is to implement compensating controls as quickly as possible.
• Emergency – Immediate Action Required – Emergency risk situation requires immediate team management & notification.
Project Risk Management Purpose and Scope
Facilitates The Effective Management of Risk Within An IT Project
Enables Project Team To Collaborate In Identifying Risk, Analyzing Risk, And Planning Appropriate Actions.
Risk-related Actions Are Planned, Scheduled And Tracked As Additional Tasks In The Project Plan
Risk Tracking Occurs In A Risk Watch List. On-going Activity Throughout The Project Depends On All Project Team Members Being Risk-aware, Utilizing The Defined Risk Management Process.
Corporate Risk Management Purpose & Scope
• Corporate-level review of company-specific risk
• Roll-up of individual company risks, assignment of relative risk criteria
• Ownership of communicated risk, both to shareholders and throughout the corporate enterprise
• Governs how corporate leadership interprets & assigns weighted value to company-specific risk & impact
• Initial risk assessment & accountability rests at the individual company level
• Disclosure Committee reviews & determines disclosure requirements
Activity Outputs
• Apparent IT System or Technology Resource Based Vulnerability – A person in the IT domain is made aware, by interaction with others or through his/her own doing, of an apparent technology weakness. This weakness is determined by management to possibly merit risk team consideration. The risk is not associated with an SDM management effort, and therefore requires isolated entry to the RiskWatch.
• Significance Evaluation and Risk Criteria Template – The significance evaluation is a formal process based in agreed standards for determining the quality statements associated to an estimated risk. Establishing "RiskWatch COBIT Project Definitions" can be achieved by implementing a template of criteria definitions.
• Report Risk – Any IT person can launch the Risk Watch to enter details of a perceived risk. Management reviews the risk to determine its appropriateness for Risk Watch. The steps to filling out the RiskWatch form are detailed in the RiskWatch Form Entry Work Instruction.
• RiskWatch Meeting Review – Occurs weekly. The meeting is preceded by the posting of intended items for review and followed by a posted summary of results. Metrics are gathered and stored in the work products folder as determined by the RiskWatch team.
• Threat & Vulnerability Analysis – Used to identify and document the threats and vulnerabilities associated with any asset being evaluated.
• Security Management – Responds to the identified threat by ensuring the risk response and compensating controls are effectively enforced.
• Mitigated Risk – The risk is mitigated to a significance of 9 or less with acceptable controls in place.
• Attestation of Risk – Fair and reasonable discovery and disclosure of risks.
Process Exit Criteria
• The risk process continues until the process response is implemented.
• The risk is mitigated to acceptable, managed residual risk, or removed.
• Mitigated risk where significance is less than "9" and appropriate controls are identified for ongoing risk management.
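The likelihood, impact and significance questions under "Answers Simple Questions", the status codes under "Moving Through a Risk Cycle", and the exit criteria above, carried into a small model as an added example. This is this editor's code, not EnterpriseGRC's RiskWatch. The page names the scale categories but not their numeric values, so the scores below (Never=1 through Likely=4; Minor=1, Major=3, Catastrophic=5), the product rule for significance, the status-code bands, and the reading of the exit threshold as "9 or less" (the page says both "9 or less" and "less than 9") are all assumptions.

```python
"""RiskWatch-style significance scoring: added example, not EnterpriseGRC code.

Assumptions (the page names the categories but not their numeric values):
  likelihood   Never=1, Unlikely=2, Relatively Likely=3, Likely=4
  impact       Minor=1, Major=3, Catastrophic=5
  significance = likelihood * impact            (range 1..20)
  exit threshold 9, read as "9 or less"         (the page also says "less than 9")
  the status-code bands in status_code() are illustrative
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Likelihood(IntEnum):
    NEVER = 1
    UNLIKELY = 2
    RELATIVELY_LIKELY = 3
    LIKELY = 4


class Impact(IntEnum):
    MINOR = 1
    MAJOR = 3
    CATASTROPHIC = 5


MITIGATED_MAX = 9  # assumed: "mitigated to significance of 9 or less"


def significance(likelihood: Likelihood, impact: Impact) -> int:
    """Significance is the product of the two ordinal scores."""
    return int(likelihood) * int(impact)


def status_code(sig: int) -> str:
    """Map a significance score to the page's status codes (assumed bands)."""
    if sig >= 15:
        return "Emergency - Immediate Action Required"
    if sig > MITIGATED_MAX:
        return "Critical Controls Required"
    if sig > 4:
        return "Controls Required"
    return "Reviewed & Accepted"


@dataclass
class Risk:
    """One RiskWatch entry with its status log and residual-risk history."""
    title: str
    likelihood: Likelihood
    impact: Impact
    controls: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.log.append(f"reported: significance={self.significance} status={self.status}")

    @property
    def significance(self) -> int:
        return significance(self.likelihood, self.impact)

    @property
    def status(self) -> str:
        return status_code(self.significance)

    def apply_control(self, control: str, likelihood=None, impact=None) -> int:
        """Record a compensating control and the residual significance it leaves."""
        before = self.significance
        self.controls.append(control)
        if likelihood is not None:
            self.likelihood = likelihood
        if impact is not None:
            self.impact = impact
        self.log.append(f"control '{control}': {before} -> {self.significance} status={self.status}")
        return self.significance

    def meets_exit_criteria(self) -> bool:
        """Process exit: accepted as-is, or mitigated to the threshold with controls identified."""
        if self.status == "Reviewed & Accepted":
            return True
        return self.significance <= MITIGATED_MAX and len(self.controls) > 0


def demo() -> Risk:
    """Constructed scenario: an internet-facing host missing patches."""
    r = Risk("Unpatched internet-facing web server", Likelihood.LIKELY, Impact.MAJOR)  # 12
    r.apply_control("Apply vendor patches and restrict the admin interface",
                    likelihood=Likelihood.UNLIKELY)  # residual 6
    return r


if __name__ == "__main__":
    for line in demo().log:
        print(line)
```

Replace MITIGATED_MAX and the band boundaries with the values your own criteria template defines; the slide's point is that those criteria are written down before significance is interpreted, and a risk sitting exactly at the threshold with no control recorded still fails the exit check.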
Governance in IT Service Management: a culture of change management, a culture of causality, and a culture of compliance with the desire to continually reduce variance.
Change Management and Governance
Change Management's Relationship to Governance
INPUTS: Request for Change (RFC), CMDB, Release, Implementation Plans
COMMITTEE: Change Management Team, Review Board, Steering Committee
OUTPUTS: Implementations, Meeting Minutes, Schedules
AUDIT: Reports, Key Performance Indicators, Client Service Metrics
Enterprise Change Management
Goal of Change Management Systems:
• Enable business decisions by providing a management system housing data for analysis, implementation and follow-up
• Support problem management to identify known errors
Goal of Change Management:
• Maximize the benefits to the business of making changes to the IT infrastructure
• Minimize the risks involved in making those changes
• Ensure that standardized methods and procedures are used for efficient and prompt handling of all changes
• Reduce the impact of change-related incidents and improve day-to-day function
Business Process Management
Business Process Application Mapping
• Facilitate a walkthrough of each business process
• Identify those applications that support the processing of transactions
• Document the workflow of transactions through the entire process to ensure complete identification of applications
Application Summary and Scope Development
• Complete list of applications
• Relevance, relation and criticality to financial reporting
• Significance to the financial reporting process
• Management discretion: applications considered important or high risk from management's perspective
Application Technology Support Information
• For applications in scope for the Sarbanes-Oxley program, gather the complete RunBook
• Source of application: purchased and implemented with or without customization, developed and maintained internally, or outsourced to a third party
• For changes: the date of the last major change and the next planned change to each application
ISO/IEC 27001:2005
"ISO/IEC 27001:2005 implements effective information security management in compliance with organizational objectives and business requirements. Risk-based specification designed to take care of information security aspects of corporate governance, protection of information assets, legal and contractual obligations as well as the wide range of threats to an organization's information and communications technology (ICT) systems and business processes." (ISO/IEC 17799 was renumbered as ISO/IEC 27002.)
ISMS steps:
1. Define an information security policy
2. Define the scope of the information security management system
3. Perform a security risk assessment
4. Manage the identified risk
5. Select the controls to be implemented
6. Prepare the Statement of Applicability
The 27000 series:
ISO 27001 – the specification for an information security management system (ISMS), which replaced the old BS 7799-2 standard
ISO 27002 – the 27000-series number of what was originally ISO 17799 (itself formerly known as BS 7799-1)
ISO 27003 – guidance for the implementation of an ISMS
ISO 27004 – information security management measurement and metrics
ISO 27005 – methodology-independent ISO standard for information security risk management
ISO 27006 – requirements for the bodies that audit and certify an ISMS (accreditation of certification bodies)
ISO 27001 Compliance (Plan – Do – Check – Act)
Initiate: understand and define the information security policy; initial information gathering
Define ISMS: security manuals, procedures, guidelines, templates
Assess: risk analysis and ranking; risk management
Develop: controls identification & development
Readiness: Statement of Applicability; assistance in the implementation and certification process
INTERNATIONAL STANDARD ISO/IEC 38500
Proper corporate governance of IT assists directors to ensure that IT use contributes positively to the performance of the organization, through:
• Appropriate implementation and operation of IT assets
• Clarity of responsibility and accountability for both the use and provision of IT in achieving the goals of the organization
• Business continuity and sustainability
• Alignment of IT with business needs
• Efficient allocation of resources
• Innovation in services, markets and business
• Good practice in relationships with stakeholders
• Reduction in the costs for an organization
• Actual realization of the approved benefits from each IT investment
Factors for Governance Success
• Strong project management across IT (COBIT) and finance applications (COSO)
• Foster a culture of commitment, collaboration and knowledge transfer
• Regular status meetings (weekly, or even daily in some cases)
• Intelligent GRC (Governance, Risk, Compliance): "OHIO" (only handle it once) means reduce redundant controls. Find and remove controls that are non-essential to the scope of the audit. Nail questions before they come up through evidence of strong, automated, system-based policy. Leverage team knowledge to properly align controls to their rightful owners.
• Fail fast, pass slow: escalate non-remediated controls (fails) before they become "findings". Remove unnecessary tests. Retest fails to confirm control design and validate against the actual statement of risk.
The COBIT Cube: Business Requirements (Information Criteria, IT Resources, IT Processes)
Information Criteria
Effectiveness – Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
Efficiency – Concerns the provision of information through the optimal (most productive and economical) use of resources.
Confidentiality – Concerns the protection of sensitive information from unauthorized disclosure.
Integrity – Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Availability – Relates to information being available when required by the business process, at present and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Compliance – Deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, that is, externally imposed business criteria as well as internal policies.
Reliability – Relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities.
© EnterpriseGRC Solutions, Inc., ISACA® and ITPreneurs™. All Rights Reserved.
IT Audit and Compliance
Enterprise Technology Risk Management
Enterprise Architecture
Business Continuity / Disaster Recovery
Enterprise GRC Platforms and Implementation
ERP Applications Certification Readiness
Data Warehousing / Business Intelligence
Process Reengineering
Some Key Points
• Control frameworks are designed to reduce operating cost and risk while optimizing service delivery.
• A GRC program should: reduce external dependencies; ensure that clients retain proprietary knowledge while reducing the volume of and time spent on testing; adeptly tailor proven methodology to the unique culture and technical and business environment; meet and exceed goals set by leadership and critical industry regulation mandates.
EnterpriseGRC Solutions Using Archer as our Audit Governance Risk and Compliance Platform
Policy Management – Using ISO 27001, EnterpriseGRC Solutions maps HR, IT, Finance, Business and Legal policy; process & policy mapping according to all major standards.
Enterprise Management – Baseline Configuration Management (CMDB): using asset inventory tools, create and enable real-time evidence of controls enabled by service operations.
Compliance Management – CSA (Control Self Assessment): based in each organization's custom risk frameworks, test scripts and maturity; risk assessments for initial and continuing audit phases.
Risk Management – Enterprise Risk Management, top down: the dashboarding program manages actual exposures relative to real service, real policy and changing conditions across the business & IT.
05/01/2023