SLVA - Developing an IT GRC Strategy

Download SLVA - Developing an IT GRC Strategy

Post on 28-Jul-2015




2 download

Embed Size (px)


<p> 1. Presentation Title Comes Here Name &amp; Surname Company Developing an IT GRC Strategy Assess once, test once, satisfy many Kris Budnik MD, SLVA Information Security 2. What is GRC? An academic definition of the word mess CFO Magazine A prickly tangle of controls and practices buried inside functional or geographic silos with hundreds of isolated activities. Bewildering complexity and duplication, even as it leaves major gaps uncovered and fails to deliver the desired results - Deloitte Isnt the GRC acronym invented by consulting and technology firms to help sell services and software? Risk Management Magazine 3. Current state of GRC activities in IT BIAs Information Risk Assessments Data Classification MaturityAssessments Vulnerability Assessments GCCs SLA/OLA management Configuration Management Policies Standards Application Control and Authorizations (ACR) Penetration Testing Change Control Performance Management Incident Management Access Management ProjectManagement Laws/Regulations 4. But why is GRC important? While there may be debate about the GRC term, there is near consensus on the following: - Executives and directors are being held to higher standards and levels of accountability - Compliance costs have spiralled amidst the increasing volume and complexity of laws, regulations and rules - Stakeholders are more active and aggressive - More transparency is demanded - The speed and consequence of risk events have dramatically increased - Lee Dittmar, Deloitte Consulting 5. So what is GRC really? A system of people, processes and technology that enables an organisation to: - understand and prioritize stakeholder expectations - set business objectives that are congruent with values and risks - operate within legal, contractual, internal, social and ethical boundaries - provide relevant, reliable and timely information to appropriate stakeholders - enable the measurement of the performance and effectiveness of the system - OCEG call it whatever you want. For the sake of argument, throw away the term altogether. Now ask yourself: Did the underlying business issues go away? - Lee Dittmar, Deloitte Consulting 6. Fitting the pieces together Identify all who play part in the process - IT Ops, Security Ops, Information Risk, IT Audit, Information Security, Ops Risk, ERM, executive, etc. Identify what drives IT GRC in your environment - Laws/Regulations, Industry standards, Common practices, Internal requirements IMap the key elements of the IT operation that contribute to GRC in the environment IAlign the elements to remove duplication, identify control gaps and define effective measurement criteria 7. Integrated IT Governance, Risk and Compliance Policies Standards Procedures Laws/Regulations BIAsInform ation Risk Assessm ents Data Classification MaturityAssessments Vulnerability Assessments GCCs ACRs 8. Maximising efficiency Laws &amp; RegulationsLaws &amp; Regulations Industry Standards &amp; Frameworks Industry Standards &amp; Frameworks Internal requirementsInternal requirementsDrivers and Constraints Drivers and Constraints Eliminating silo responses creates opportunities for harmonization and consolidation Harmonised GRC objectives Harmonised GRC objectives Consolidated GRC activities Consolidated GRC activities Assess Once, Test once, Satisfy manyAssess Once, Test once, Satisfy many R1R1 R2R2 R3R3 R4R4 C1C1 C2C2 C3C3 C4C4 C5C5 C6C6 C7C7 C8C8 C9C9 C10 C11C11 C12C12 9. Does it work? The following is an example of the level of consolidation realized by a global financial services companys Information Technology division 139 Authoritative sources that applied to the global Information Technology division at the organisation 4,900 + Over 4,900 individual requirements 276 Reduction by over 17 times from 4,900+ to 276 rationalized requirements 3 to 1 Over 3 million hours of assessment and reporting reduced to 1 million hours across 30,000 employees 5 to 1 Information Security, BCP, FFIEC &amp; FDICIA, PCI, and SOX assessments reduced to a single integrated RCSA Source: Deloitte 10. Questions? Thank you </p>