Agiliance Wp Key Steps

The Leader in IT Governance, Risk & Compliance Management




  Six Key Steps for Effective IT Risk
  and Compliance Management
  Take practical steps and use technology to improve quality, efficiency, and value




                                                                           Whitepaper
Six Key Steps for Effective IT Risk and Compliance Management



Managing the confluence of IT governance, risk, and compliance

Information technology organizations are at the center of three critical business management challenges: regulation and control, risk management, and cost reduction. Successfully meeting these challenges requires IT to manage several interdependent disciplines. IT organizations manage business-critical applications, systems, and processes, and are major participants in keeping the business secure and productive. At the same time they face responsibility for more regulations and corporate policies, multiplying audit requests, ever-present risks, continuous change to meet strategic business goals, and pressure to create new efficiencies and meet cost reduction goals. Within this context, management is asking several critical questions:

•   Are we compliant?
•   Are we focusing on the risks that really matter to the business?
•   Do we have a repeatable and sustainable process for risk and compliance?
•   Are we using time, people, and money efficiently?

The Key Steps

By taking practical, key steps and using technology, IT organizations can answer these questions. They can gain greater control over risk and compliance. They can improve their ability to proactively manage risk and business priorities. At the same time, they can realize efficiencies to manage cost. The key steps to employ are:

•   Capture the appropriate assets
•   Implement a common control framework
•   Automate survey workflow and technical testing
•   Quantify and analyze risk
•   Take appropriate actions to manage risk
•   Provide visibility to support informed decisions.

Not all the steps need be applied at once to achieve improved control, enhanced efficiency, and reduced cost. Start with an immediate project and broaden the scope of assets, regulations, and policies addressed in subsequent projects. By applying these key steps with technology, IT organizations and their companies can effectively:

•   Know their compliance position within the changing environment
•   Better understand and manage risk that matters
•   Effectively use current resources to assess and manage more compliance and risk requirements
•   Drive lower cost with sustainable processes and better quality information
•   Provide visibility to enable informed decisions at all organizational levels.

IT organizations can take better advantage of the inter-relationships between risk and compliance, achieve greater control over both, drive down cost, and make resources more productive.


© Agiliance, Inc.
Six Key Steps for Effective IT Risk and Compliance Management




Key step 1: Capture the appropriate assets

In order to test controls and assess risks, organizations need to know which assets to include. Assets are any entity subject to a policy or control objective. These include people, processes and technology, as well as facilities and buildings. Assets can also include external services and third party vendors.

Build the asset inventory in two steps:

•   Collect asset information. Leverage the many databases, systems, and documents already holding asset information.
•   Classify and group assets by their attributes. Attributes are the characteristics and properties that describe an asset, such as location, operating system, business process, division, the business owner and the like.
    •   Document relationships and dependencies among the assets. For example, an application has a relationship with the computer it runs on and the data center where it resides.
    •   Classify assets based on their criticality to the business and relevant business processes. For example, a consumer application that contains private customer information would most likely have a higher criticality ranking than a business application that contains no confidential information.
•   Profile each asset for confidentiality, integrity, and availability risk.
•   Use an automated survey workflow tool to gather asset classification information and to provide up-to-date information for the assets under consideration.

To capture the assets under consideration, use technology that supports:

•   Dynamic updates, bulk loading, and manual additions/changes
•   Automatic synchronization with the many existing systems already deployed
•   Assets belonging to more than one virtual group
•   Asset groupings enabling policies and their associated controls to be applied to a group as a whole
•   Dynamic addition of new assets to a group and their automatic inheritance of policies associated with that group
•   Support for on-the-fly group creation

Once assets, their classification information, and their virtual groupings are in the repository, assessment and audit managers can create projects that address just the set of assets under consideration, for example, just the business applications of the enterprise.




Key step 2: Implement a common control framework

Today, most regulations are managed independently. Because of the extensive overlap among regulatory policies, and therefore in policy controls, this approach is cumbersome and redundant. It is also complex and expensive.

While some organizations maintain custom control sets, others have been able to take advantage of standard frameworks such as COBIT, NIST, and ISO 17799/7001. In some cases, organizations apply a specific standard control framework to a specific regulation. Examples are: COBIT for Sarbanes-Oxley, NIST 800-5 for HIPAA, and FFIEC for GLBA. In others, they apply a mix of standards-based and custom controls. Using standard frameworks has aided organizations by reducing the overhead required to develop and maintain custom controls.

But there is still more benefit to realize. A significant number of specific control requirements are common across several frameworks. For example, COBIT, NIST 800-5, and FFIEC share a significant number of common controls.

To further reduce cost and complexity and improve risk management effectiveness, a key step is to employ a common control framework. By using a common control framework, one assessment, rather than multiple, will suffice to certify against any number of regulations.

A common control framework supports:

•   Mapping of controls from 17799/7001, COBIT, COSO, NIST, FFIEC, and GAISP among others, as well as custom-built controls, to one common set of controls
•   Maintenance of the relationship between a common control and the corresponding regulation-specific control in the standard, simplifying change management.

In building a common control framework, use technology that:

•   Includes a broad and extensible content library that automatically maps regulatory policy to control rules
•   Maps custom-built controls to the common control framework
•   Simplifies version control and change management
•   Provides views of the common control set through the filter of a particular regulation or internal policy set.




The common control framework simplifies the process because there are fewer controls to test and independent assessments are unnecessary. Cost is lower as more work gets done faster with potentially fewer people. Now, the business can test once and certify against many regulations.
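The "test once, certify against many" mechanics described above, as an added example that is not part of the whitepaper and not Agiliance code: a small common control set, each common control mapped to the regulation-specific controls it covers, a per-regulation view of that set, one round of test results turned into a per-regulation compliance report, and the reverse lookup that change management needs when a framework control is revised. The framework names are the ones the paper lists; every control identifier, description and test result below is a constructed placeholder, not the frameworks' real numbering.

```python
"""Common control framework: many regulation-specific controls mapped onto one
common control set, tested once, reported per regulation.

Added example, not Agiliance code. Framework names are the ones the
whitepaper lists; every control identifier is a constructed placeholder,
not the frameworks' real numbering.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class CommonControl:
    cid: str
    description: str
    # framework name -> ids of that framework's controls satisfied by this one
    mapped: dict = field(default_factory=lambda: defaultdict(set))


class CommonControlFramework:
    def __init__(self):
        self.controls = {}

    def add(self, cid, description):
        self.controls[cid] = CommonControl(cid, description)

    def map_control(self, cid, framework, fw_control):
        """Record that framework control fw_control is covered by common control cid."""
        self.controls[cid].mapped[framework].add(fw_control)

    def frameworks(self):
        return sorted({fw for c in self.controls.values() for fw in c.mapped})

    def view(self, framework):
        """The common control set seen through the filter of one regulation."""
        return sorted(c.cid for c in self.controls.values() if framework in c.mapped)

    def certify(self, test_results):
        """One assessment of the common set -> compliance status per framework.

        test_results maps common control id -> True if the control passed.
        Each failed common control is traced back to the framework-specific
        controls it covers, so the finding reads in the regulation's own terms."""
        report = {}
        for fw in self.frameworks():
            failed = {cid: sorted(self.controls[cid].mapped[fw])
                      for cid in self.view(fw) if not test_results.get(cid, False)}
            report[fw] = {"compliant": not failed, "failed": failed}
        return report

    def affected_by_change(self, framework, fw_control):
        """Change management: common controls to revisit when a framework control changes."""
        return sorted(c.cid for c in self.controls.values()
                      if fw_control in c.mapped.get(framework, set()))

    def test_counts(self):
        """(tests needed assessing each regulation separately, tests needed once on the common set)."""
        separate = sum(len(ids) for c in self.controls.values() for ids in c.mapped.values())
        return separate, len(self.controls)


def build_sample_framework():
    """Constructed sample: four common controls, three frameworks, placeholder ids."""
    ccf = CommonControlFramework()
    ccf.add("CC-01", "Unique user IDs; shared accounts prohibited")
    ccf.add("CC-02", "Privileged access reviewed quarterly")
    ccf.add("CC-03", "Security patches applied within the policy window")
    ccf.add("CC-04", "Backups tested for restorability")
    for cid, fw, fw_control in [
        ("CC-01", "NIST", "N-1"), ("CC-01", "COBIT", "C-1"), ("CC-01", "FFIEC", "F-1"),
        ("CC-02", "NIST", "N-2"), ("CC-02", "COBIT", "C-2"),
        ("CC-03", "NIST", "N-3"), ("CC-03", "FFIEC", "F-2"),
        ("CC-04", "COBIT", "C-3"),
    ]:
        ccf.map_control(cid, fw, fw_control)
    return ccf


# Constructed assessment result: the privileged-access review was not performed.
SAMPLE_RESULTS = {"CC-01": True, "CC-02": False, "CC-03": True, "CC-04": True}


if __name__ == "__main__":
    ccf = build_sample_framework()
    print("tests needed (separate vs common):", ccf.test_counts())
    for fw, status in ccf.certify(SAMPLE_RESULTS).items():
        print(fw, "compliant" if status["compliant"] else f"failed {status['failed']}")
    print("revisit on NIST N-3 change:", ccf.affected_by_change("NIST", "N-3"))
```

With the constructed sample, the three frameworks together would require eight control tests assessed separately but only four against the common set, and the single failed common control surfaces as the corresponding framework-specific control under each regulation that maps to it, while FFIEC, which does not, reports compliant.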

Key step 3: Automate survey workflow and technical testing

Commonly, risk assessments and compliance testing use manual processes and personal interviews. The tools are e-mail, paper and spreadsheets.

These manual processes and tools are difficult to manage and error prone. They are typically costly, time consuming, confusing and complex. Results become obsolete because manual testing per regulation is typically done only once a year, and it is not practical to share results across regulations.

Automating survey workflow

Automate the survey process to increase the quality and timeliness of controls testing while simplifying the effort and lowering the cost. Use technology that not only automates the survey workflow but also provides the content necessary to build surveys.

Select technology that:

•   Provides an authoring tool to dynamically create and edit surveys
•   Supports the creation and implementation of automated workflow including:
    •   The distribution of surveys to business or process owners and the collection and collation of data
    •   Management of delegation and escalation, review and approval cycles, as well as reminders and user awareness/training
    •   On-line help within the survey itself.

Survey process automation used with a common control framework and asset repository can dramatically reduce errors, increase response quality, and cut the time to complete the survey work.




These benefits accrue to all involved, including project managers, respondents, auditors, and management, allowing an increase in survey frequency for a nominal cost.

Integrating and automating technical controls

Computing assets, hardware, software, and the like, are generally subject to technical controls that can be monitored automatically. Automated testing can be performed frequently, even continuously.

Use a technology that easily integrates with already deployed systems such as scanners (for example, Nessus Security Scanner) and other monitoring systems (for example, Symantec Enterprise Security Manager™). Ensure that the automation technology can connect remotely without the use of an agent running on the servers or hosts, to avoid the complexity and cost of managing hosted agents on large numbers of servers.

Coupling automated survey workflow and technical controls

Full automation, while desired, is not achievable. Many objectives depend on controls that involve a combination of manual and technical checks. However, by using a technology that supports both automated survey workflow and technical testing, and seamlessly combines the data from each, a truer view of risk and compliance is obtained. By combining the results of both methods the organization achieves a compliance and risk picture that is more complete, accurate, and up-to-date, as well as less costly to develop.

Key step 4: Quantify and analyze risk

Business strategy and practice require taking controlled risks based on the business’s risk tolerance and maximizing risk-adjusted returns. The same principles apply for managing IT risk and compliance.

By identifying and quantifying risk, organizations can make more informed decisions and take more appropriate actions.

To quantify risk, identify threats and vulnerabilities against assets, apply likelihood, exposure, and criticality measures, and calculate risk scores for the assets using established and accepted methodologies. Later, rather than treating everything the same, actions can be tailored according to an asset’s risk score and its potential damage and cost to the business.

Quality risk metrics support objective analysis that drives better decisions; helps focus resources on the most important risks; and allows organizations to set objectives and track risk and compliance trends against these over time.




To quantify risk, use technology that:

•   Uses standard methodologies and well-accepted scoring guidelines from standards organizations such as BITS, ISO, and NIST to generate meaningful risk metrics
•   Accounts for risk propagated through asset dependencies; for example, the risk associated with the data center is propagated to applications that run inside it
•   Keeps risk and compliance scores current by using both automated technical testing and manual self-assessment at the appropriate frequency
•   Clearly traces risk to its cause, such as a failure of a particular control, a new unmitigated threat, or an increase in risk of a related asset.

By using the right approach and technology, a business can build a comprehensive, quantified picture of risk, make informed decisions, and manage risk for the best business outcome.
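An added example (not from the whitepaper and not Agiliance code) that ties Key step 1 to Key step 4: an asset repository holding attributes, a CIA profile, business criticality, dependency relationships and multiple group memberships with policy inheritance, plus a risk score that propagates through dependencies (the data-center-to-application case above) and carries its cause with it. The scoring scheme is a constructed stand-in for the standards-based methodologies the paper recommends: threat level = likelihood x exposure on 1-5 scales, a dependant inherits 75% of a dependency's threat level (the `PROPAGATION` constant is an assumption), and risk = threat level x the asset's own criticality. All assets, findings, groups and policies are constructed.

```python
"""Asset repository with dependencies, group policy inheritance, and risk scores
that propagate through dependencies and trace back to their cause.

Added example, not Agiliance code. The scoring (likelihood x exposure x
criticality on 1-5 scales, dependants inheriting 75% of a dependency's threat
level) is a constructed stand-in for standards-based methodologies; every
asset, finding and policy below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

PROPAGATION = 0.75  # assumed share of a dependency's threat level passed to dependants


@dataclass
class Asset:
    name: str
    attributes: dict               # location, OS, business process, owner ...
    criticality: int               # 1 (low) .. 5 (high) business criticality
    cia: tuple                     # (confidentiality, integrity, availability), each 1..5
    depends_on: list = field(default_factory=list)  # assets this one runs on / relies on
    groups: set = field(default_factory=set)        # an asset may sit in several groups


@dataclass
class Finding:
    asset: str
    cause: str         # e.g. "control failure: ..." or "unmitigated threat: ..."
    likelihood: int    # 1..5
    exposure: int      # 1..5, how much of the asset the threat affects


class AssetRepository:
    def __init__(self):
        self.assets = {}
        self.group_policies = defaultdict(set)  # group -> policies applied to the whole group
        self.findings = []

    def add(self, asset):
        self.assets[asset.name] = asset

    def assign_policy(self, group, policy):
        self.group_policies[group].add(policy)

    def add_to_group(self, name, group):
        """Dynamic group membership; the asset inherits the group's policies at once."""
        self.assets[name].groups.add(group)

    def policies_for(self, name):
        """Policies an asset inherits from every group it belongs to."""
        return set().union(*(self.group_policies[g] for g in self.assets[name].groups))

    def threat_level(self, name, _seen=frozenset()):
        """Highest likelihood*exposure on the asset itself or propagated from a
        dependency. Returns (level, cause) so the score stays traceable."""
        if name in _seen:                         # guard against dependency cycles
            return 0, "dependency cycle"
        best = (0, "no findings")
        for f in self.findings:
            if f.asset == name and f.likelihood * f.exposure > best[0]:
                best = (f.likelihood * f.exposure, f"{f.cause} on {name}")
        for dep in self.assets[name].depends_on:
            level, cause = self.threat_level(dep, _seen | {name})
            if level * PROPAGATION > best[0]:
                best = (level * PROPAGATION, f"propagated from {dep}: {cause}")
        return best

    def risk_score(self, name):
        """Risk = threat level x the asset's own business criticality."""
        level, cause = self.threat_level(name)
        return level * self.assets[name].criticality, cause

    def ranked(self):
        """Assets from highest to lowest risk, each with its traced cause."""
        rows = [(name, *self.risk_score(name)) for name in self.assets]
        return sorted(rows, key=lambda r: (-r[1], r[0]))


def build_sample_repository():
    """Constructed sample: a data center, a server in it, two applications on the server."""
    repo = AssetRepository()
    repo.add(Asset("dc-east", {"location": "East"}, 3, (2, 3, 5), groups={"facilities"}))
    repo.add(Asset("srv-app-01", {"os": "Linux"}, 3, (3, 3, 4), ["dc-east"], {"servers", "pci-scope"}))
    repo.add(Asset("customer-portal", {"process": "Sales"}, 5, (5, 4, 4), ["srv-app-01"],
                   {"business-apps", "pci-scope"}))
    repo.add(Asset("intranet-wiki", {"process": "Internal comms"}, 2, (2, 2, 2), ["srv-app-01"],
                   {"business-apps"}))
    repo.assign_policy("pci-scope", "cardholder-data-policy")
    repo.assign_policy("business-apps", "application-security-standard")
    repo.assign_policy("servers", "server-hardening-standard")
    repo.findings += [
        Finding("dc-east", "control failure: generator test overdue", 2, 5),
        Finding("srv-app-01", "unmitigated threat: missing security patch", 4, 3),
    ]
    return repo


if __name__ == "__main__":
    repo = build_sample_repository()
    for name, score, cause in repo.ranked():
        print(f"{name:16} {score:6.1f}  {cause}")
```

The portal has no findings of its own yet ranks highest, because the unpatched server it runs on passes its threat level up and the portal's criticality of 5 multiplies it; the wiki on the same server inherits the same threat level but, at criticality 2, lands at the bottom. The cause string that travels with each score is what lets a reviewer see that the portal's risk is really the server's missing patch.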

Key Step 5: Take appropriate actions to manage risk

Risk scores provide decision-makers with insight and visibility. Once the business knows which risks matter, the next step is to take action to manage those risks. Actions include:

•   Transferring a risk to another entity
•   Avoiding a risk
•   Reducing the negative effect of a risk
•   Accepting some or all of the consequences of a risk.

In addition to using relative risk scores, IT organizations can employ economic impact measures such as the Annual Loss Expectancy (ALE) to further optimize the allocation of their resources on prioritized risks.

Taking action on risk typically involves change management: a configuration change, a procedural change, or the development and deployment of a new policy and/or new controls, to name a few. These changes must be defined, planned, approved, communicated, executed and verified.

Over time, the organization will see the effectiveness of its preventive and corrective actions through periodic risk assessments and controls testing as well as through its business results.

Select a technology that supports trouble ticketing and/or integrates easily with an existing trouble ticket management tool already in place. Ensure that the links between prioritized risk, actions and results can be tracked and completed.
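How ALE turns the four action types above into a resource allocation decision, as an added example that is not part of the whitepaper and not Agiliance code. It uses the standard ALE formula (SLE = asset value x exposure factor; ALE = SLE x ARO), which the paper names but does not spell out, models each candidate treatment by its annual cost and its effect on ARO or on the exposure retained, scores it by net benefit (loss avoided minus cost), and funds the highest-benefit treatments until a budget runs out. Accepting the risk is the implicit baseline with zero cost and zero benefit, so a safeguard that costs more than the loss it prevents loses to acceptance. All risks, treatments and figures are constructed.

```python
"""Choosing a risk treatment (transfer, avoid, reduce, accept) by Annual Loss
Expectancy, and allocating a fixed budget across prioritized risks.

Added example, not Agiliance code. Uses the standard ALE formula
(SLE = asset value x exposure factor; ALE = SLE x ARO). All values are constructed.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float       # monetary value of what is at risk
    exposure_factor: float   # share of that value lost per incident, 0..1
    aro: float               # annualized rate of occurrence (incidents per year)

    def sle(self):
        return self.asset_value * self.exposure_factor

    def ale(self):
        return self.sle() * self.aro


@dataclass
class Treatment:
    risk: str
    action: str              # "transfer", "avoid" or "reduce"; accept is the implicit baseline
    description: str
    annual_cost: float       # premium, safeguard cost, or business value given up
    aro_factor: float = 1.0  # ARO multiplier after the action (0.0 = risk avoided)
    ef_factor: float = 1.0   # exposure multiplier after the action (a transfer keeps a share)


ACCEPT = Treatment("*", "accept", "accept the risk as is", 0.0)


def residual_ale(risk, t):
    return risk.asset_value * risk.exposure_factor * t.ef_factor * risk.aro * t.aro_factor


def net_benefit(risk, t):
    """Annual loss avoided minus what the treatment costs each year."""
    return risk.ale() - residual_ale(risk, t) - t.annual_cost


def best_treatment(risk, treatments):
    """The treatment with the highest net benefit; accepting wins if none pays off."""
    options = [ACCEPT] + [t for t in treatments if t.risk == risk.name]
    return max(options, key=lambda t: net_benefit(risk, t))


def plan(risks, treatments, budget):
    """Pick one treatment per risk, rank by net benefit, fund in that order while
    the budget lasts. Returns rows (risk, action, net_benefit, funded)."""
    chosen = [(r, best_treatment(r, treatments)) for r in risks]
    chosen.sort(key=lambda rt: -net_benefit(rt[0], rt[1]))
    rows, remaining = [], budget
    for r, t in chosen:
        funded = t.annual_cost <= remaining
        if funded:
            remaining -= t.annual_cost
        rows.append((r.name, t.action, net_benefit(r, t), funded))
    return rows


# Constructed risks and candidate treatments.
SAMPLE_RISKS = [
    Risk("portal-breach", 2_000_000, 0.25, 0.2),     # SLE 500k, ALE 100k
    Risk("dc-power-outage", 600_000, 0.5, 0.5),      # SLE 300k, ALE 150k
    Risk("wiki-defacement", 50_000, 0.2, 1.0),       # SLE 10k,  ALE 10k
]
SAMPLE_TREATMENTS = [
    Treatment("portal-breach", "reduce", "web application firewall and patch SLA", 40_000, aro_factor=0.25),
    Treatment("portal-breach", "transfer", "cyber insurance, 20% of loss retained", 30_000, ef_factor=0.2),
    Treatment("dc-power-outage", "reduce", "second UPS and generator maintenance", 60_000, aro_factor=0.1),
    Treatment("dc-power-outage", "avoid", "move to a colocation provider", 200_000, aro_factor=0.0),
    Treatment("wiki-defacement", "reduce", "authentication hardening", 15_000, aro_factor=0.1),
]


if __name__ == "__main__":
    for name, action, benefit, funded in plan(SAMPLE_RISKS, SAMPLE_TREATMENTS, budget=80_000):
        print(f"{name:16} {action:9} net benefit {benefit:10,.0f}  {'funded' if funded else 'deferred'}")
```

With an 80,000 budget the outage mitigation is funded first (net benefit 75,000 on a 60,000 cost), the portal's insurance transfer (net 50,000) no longer fits and is deferred, and the wiki is accepted because hardening it would cost more than its 10,000 ALE. Each row is the link between a prioritized risk and its action that the paper says should be tracked to completion, which is what the trouble ticket for it would carry.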

Key step 6: Provide visibility to support informed decisions

The most up-to-date risk data is of little value to an organization if it cannot be communicated effectively to decision makers. Well-organized and effectively formatted information is powerful. Providing business owners, executives, and operational teams with access to the broad risk and control picture, laid out for easy viewing and interpretation, eliminates surprise and allows thoughtful action to address above-tolerance conditions.








Use a comprehensive, intuitive, graphical web-based dashboard tool to build customized views for access by authorized users anywhere at any time. Choose technology that provides:

•   Access control, integrating easily with enterprise directories as needed
•   Scheduled and dynamic reports and dashboards
•   Graphical display of summary information relevant to each user’s needs and role in the organization, for example, executive, business unit manager, analyst, and internal auditor
•   Capabilities to easily drill down to any level to ascertain root cause or explore underlying details.

Providing visibility through flexible, interactive dashboards supports:

•   Easier audits because reports are ready when needed
•   Better decisions at all levels because customized management and operational views are accessible any time, any place
•   Improved governance because executives get the big picture and the detail they need to drive policy down throughout the business as well as provide transparency up to the board level
•   Better learning and improvement because managers, organizations, and teams can see compliance and risk trends over time.

Continuous visibility into risk and compliance status and trends is a powerful tool to provide transparency to auditors, executives, and boards of directors, as well as to improve risk-adjusted business results and provide compliance peace of mind.







The Benefits to IT Risk and Compliance Management

Information technology is a key business function standing at the center of the confluence of three critical management challenges:

•   Regulatory control
•   Risk management
•   Cost reduction.

Regulatory and policy requirements are escalating. Unknown threats and vulnerabilities lurk everywhere. Continuous change to the environment, people, and processes is normal. Cost pressure is constant.

By applying some or all of the key steps and using a scalable, easily integrated technology platform, IT organizations can effectively meet these hard-to-control challenges and, by doing so, effectively manage the confluence of compliance, risk, and cost reduction. As a result they will:

•   Always know their compliance position continuously through time
•   Understand and manage risk that matters to the business
•   Effectively use current resource levels to manage growing risk and compliance requirements
•   Sustain lower cost through sustainable processes and better quality information
•   Provide visibility to enable informed decisions at all levels of the enterprise.







IT organizations can start today, through the application of these key steps and technology, such as the Agiliance IT-GRC platform, to leverage the inter-relationships between compliance, risk, and cost reduction to drive results for the IT organization, the business at large, regulators, and other external stakeholders.

About Agiliance IT-GRC

The Agiliance IT-GRC platform is the first software product to comprehensively address the integrated requirements of Information Technology Governance, Risk, and Compliance. The Platform is explicitly designed to assist organizations to deliver compliance peace of mind, manage risk, and reduce costs by:

•   Streamlining the management of policies and controls through standards and a common control framework
•   Automating survey workflow and technical testing
•   Integrating easily with existing systems to connect previously isolated elements into a comprehensive and productive environment for compliance and risk management
•   Quantifying and prioritizing risk to support informed decisions and actions
•   Providing up-to-date, broad visibility and transparency to managers, executives, and operational teams, leading to enhanced governance and business decision-making

The Agiliance IT-GRC platform is an indispensable tool for managing IT governance, risk, and compliance with less time, at a lower cost, and with more effectiveness.




Agiliance, Inc.              17 North First Street                           p: 08.00.000
                             Suite 00                                         f: 08.00.001
                             San Jose, CA 9511                                www.agiliance.com                          10

265 vues27 diapositives
It asset management_wp par
It asset management_wpIt asset management_wp
It asset management_wpwardell henley
407 vues9 diapositives

Similaire à Agiliance Wp Key Steps(20)

TrustedAgent GRC for Public Sector par Tuan Phan
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public Sector
Tuan Phan519 vues
TrustedAgent GRC for Public Sector par Tri Phan
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public Sector
Tri Phan380 vues
IBM Banking: Automated Systems help meet new Compliance Requirements par IBM Banking
IBM Banking: Automated Systems help meet new Compliance RequirementsIBM Banking: Automated Systems help meet new Compliance Requirements
IBM Banking: Automated Systems help meet new Compliance Requirements
IBM Banking1.2K vues
Fixnix GRC Suite A Glance par FixNix Inc.,
Fixnix GRC Suite A GlanceFixnix GRC Suite A Glance
Fixnix GRC Suite A Glance
FixNix Inc.,1.1K vues
Enterprise Risk Management Solutions par LexComply
Enterprise Risk Management SolutionsEnterprise Risk Management Solutions
Enterprise Risk Management Solutions
LexComply 216 vues
Xero Risk Product Presentation V3.2 par Carl Booth
Xero Risk   Product Presentation V3.2Xero Risk   Product Presentation V3.2
Xero Risk Product Presentation V3.2
Carl Booth725 vues
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practice par itSMF UK
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practiceJohn Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practice
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practice
itSMF UK122 vues
IT Risk Management & Compliance par rhanna11
IT Risk Management & ComplianceIT Risk Management & Compliance
IT Risk Management & Compliance
rhanna11439 vues
Charting Your Path to Enterprise Key Management par SafeNet
Charting Your Path to Enterprise Key ManagementCharting Your Path to Enterprise Key Management
Charting Your Path to Enterprise Key Management
SafeNet447 vues
Data Governance: Description, Design, Delivery par InnoTech
Data Governance: Description, Design, DeliveryData Governance: Description, Design, Delivery
Data Governance: Description, Design, Delivery
InnoTech1.1K vues
Nist cybersecurity framework isc2 quantico par Tuan Phan
Nist cybersecurity framework  isc2 quanticoNist cybersecurity framework  isc2 quantico
Nist cybersecurity framework isc2 quantico
Tuan Phan2.2K vues

Dernier

Uni Systems for Power Platform.pptx par
Uni Systems for Power Platform.pptxUni Systems for Power Platform.pptx
Uni Systems for Power Platform.pptxUni Systems S.M.S.A.
58 vues21 diapositives
Scaling Knowledge Graph Architectures with AI par
Scaling Knowledge Graph Architectures with AIScaling Knowledge Graph Architectures with AI
Scaling Knowledge Graph Architectures with AIEnterprise Knowledge
53 vues15 diapositives
Data Integrity for Banking and Financial Services par
Data Integrity for Banking and Financial ServicesData Integrity for Banking and Financial Services
Data Integrity for Banking and Financial ServicesPrecisely
56 vues26 diapositives
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit... par
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...ShapeBlue
57 vues25 diapositives
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas... par
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...Bernd Ruecker
50 vues69 diapositives
Business Analyst Series 2023 - Week 4 Session 7 par
Business Analyst Series 2023 -  Week 4 Session 7Business Analyst Series 2023 -  Week 4 Session 7
Business Analyst Series 2023 - Week 4 Session 7DianaGray10
80 vues31 diapositives

Dernier(20)

Data Integrity for Banking and Financial Services par Precisely
Data Integrity for Banking and Financial ServicesData Integrity for Banking and Financial Services
Data Integrity for Banking and Financial Services
Precisely56 vues
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit... par ShapeBlue
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...
ShapeBlue57 vues
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas... par Bernd Ruecker
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
Bernd Ruecker50 vues
Business Analyst Series 2023 - Week 4 Session 7 par DianaGray10
Business Analyst Series 2023 -  Week 4 Session 7Business Analyst Series 2023 -  Week 4 Session 7
Business Analyst Series 2023 - Week 4 Session 7
DianaGray1080 vues
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院 par IttrainingIttraining
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... par James Anderson
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
James Anderson133 vues
DRBD Deep Dive - Philipp Reisner - LINBIT par ShapeBlue
DRBD Deep Dive - Philipp Reisner - LINBITDRBD Deep Dive - Philipp Reisner - LINBIT
DRBD Deep Dive - Philipp Reisner - LINBIT
ShapeBlue62 vues
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... par TrustArc
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc77 vues
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online par ShapeBlue
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineKVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online
ShapeBlue102 vues
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue par ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
ShapeBlue85 vues
PharoJS - Zürich Smalltalk Group Meetup November 2023 par Noury Bouraqadi
PharoJS - Zürich Smalltalk Group Meetup November 2023PharoJS - Zürich Smalltalk Group Meetup November 2023
PharoJS - Zürich Smalltalk Group Meetup November 2023
Noury Bouraqadi141 vues
Keynote Talk: Open Source is Not Dead - Charles Schulz - Vates par ShapeBlue
Keynote Talk: Open Source is Not Dead - Charles Schulz - VatesKeynote Talk: Open Source is Not Dead - Charles Schulz - Vates
Keynote Talk: Open Source is Not Dead - Charles Schulz - Vates
ShapeBlue119 vues
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ... par ShapeBlue
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
ShapeBlue65 vues
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue par ShapeBlue
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlueMigrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue
ShapeBlue96 vues
Why and How CloudStack at weSystems - Stephan Bienek - weSystems par ShapeBlue
Why and How CloudStack at weSystems - Stephan Bienek - weSystemsWhy and How CloudStack at weSystems - Stephan Bienek - weSystems
Why and How CloudStack at weSystems - Stephan Bienek - weSystems
ShapeBlue111 vues

Agiliance Wp Key Steps

The Leader in IT Governance, Risk & Compliance Management

Six Key Steps for Effective IT Risk and Compliance Management
Take practical steps and use technology to improve quality, efficiency, and value

Whitepaper

Managing the confluence of IT governance, risk, and compliance

Information technology organizations are at the center of three critical business management challenges: regulation and control, risk management, and cost reduction. Successfully meeting these challenges requires IT to manage several interdependent disciplines. IT organizations manage business critical applications, systems, and processes, and are major participants in keeping the business secure and productive. At the same time they are facing the responsibility for more regulations and corporate policies, multiplying audit requests, ever-present risks, continuous change to meet strategic business goals, and pressures to create new efficiencies and meet cost reduction goals. Within this context, management is asking several critical questions:

• Are we compliant?
• Are we focusing on the risks that really matter to the business?
• Do we have a repeatable and sustainable process for risk and compliance?
• Are we using time, people, and money efficiently?

The Key Steps

By taking practical, key steps and using technology, IT organizations can answer these questions. They can gain greater control over risk and compliance. They can improve their ability to proactively manage risk and business priorities. At the same time, they can realize efficiencies to manage cost. The key steps to employ are:

• Capture the appropriate assets
• Implement a common control framework
• Automate survey workflow and technical testing
• Quantify and analyze risk
• Take appropriate actions to manage risk
• Provide visibility to support informed decisions.

Not all the steps need be applied at once to achieve improved control, enhanced efficiency, and reduced cost. Start with an immediate project and broaden the scope of assets, regulations, and policies addressed in subsequent projects.

By applying these key steps with technology, IT organizations and their companies can effectively:

• Know their compliance position within the changing environment
• Better understand and manage risk that matters
• Effectively use current resources to assess and manage more compliance and risk requirements
• Drive lower cost with sustainable processes and better quality information
• Provide visibility to enable informed decisions at all organizational levels.

IT organizations can take better advantage of the inter-relationships between risk and compliance, achieve greater control over both, drive down cost, and make resources more productive.

© Agiliance, Inc.

Key step 1: Capture the appropriate assets

In order to test controls and assess risks, organizations need to know which assets to include. Assets are any entity subject to a policy or control objective. These include people, processes and technology, as well as facilities and buildings. Assets can also include external services and third party vendors. Build the asset inventory in two steps:

• Collect asset information. Leverage the many databases, systems, and documents already holding asset information.
• Classify and group assets by their attributes. Attributes are the characteristics and properties that describe an asset such as location, operating system, business process, division, the business owner and the like.
• Document relationships and dependencies among the assets. For example, an application has a relationship with the computer it runs on and the data center where it resides.
• Classify assets based on their criticality to the business and relevant business processes. For example, a consumer application that contains private customer information would most likely have a higher criticality ranking than a business application that contains no confidential information.
• Profile each asset for confidentiality, integrity, and availability risk.
• Use an automated survey workflow tool to gather asset classification information and to provide up-to-date information for the assets under consideration.

To capture the assets under consideration, use technology that supports:

• Dynamic updates, bulk loading, and manual additions/changes
• Automatic synchronization with the many existing systems already deployed
• Assets belonging to more than one virtual group
• Asset groupings enabling policies and their associated controls to be applied to a group as a whole
• Dynamic addition of new assets to a group and their automatic inheritance of policies associated with that group
• Support for on-the-fly group creation

Once assets, their classification information, and their virtual groupings are in the repository, assessment and audit managers can create projects that address just the set of assets under consideration, for example, just the business applications of the enterprise.

Key step 2: Implement a common control framework

Today, most regulations are managed independently. Because of the extensive overlap among regulatory policies, and therefore in policy controls, this approach is cumbersome and redundant. It is also complex and expensive. While some organizations maintain custom control sets, others have been able to take advantage of standard frameworks such as COBIT, NIST, and ISO 17799/7001. In some cases, organizations apply a specific standard control framework to a specific regulation. Examples are: COBIT for Sarbanes-Oxley, NIST 800-5 for HIPAA, and FFIEC for GLBA. In others, they apply a mix of standards-based and custom controls.

Using standard frameworks has aided organizations by reducing the overhead required to develop and maintain custom controls. But there is still more benefit to realize. A significant number of specific control requirements are common across several frameworks. For example, COBIT, NIST 800-5, and FFIEC share a significant number of common controls. To further reduce cost and complexity and improve risk management effectiveness, a key step is to employ a common control framework. By using a common control framework, one assessment, rather than multiple, will suffice to certify against any number of regulations. A common control framework supports:

• Mapping of controls from 17799/7001, COBIT, COSO, NIST, FFIEC, and GAISP among others, as well as custom-built controls, to one common set of controls
• Maintenance of the relationship between a common control and the corresponding regulation-specific control in the standard, simplifying change management.

In building a common control framework, use technology that:

• Includes a broad and extensible content library that automatically maps regulatory policy to control rules
• Maps custom-built controls to the common control framework
• Simplifies version control and change management
• Provides views of the common control set through the filter of a particular regulation or internal policy set.

The common control framework simplifies the process because there are fewer controls to test and independent assessments are unnecessary. Cost is lower as more work gets done faster with potentially fewer people. Now, the business can test once and certify against many regulations.

Key step 3: Automate survey workflow and technical testing

Commonly, risk assessments and compliance testing use manual processes and personal interviews. The tools are e-mail, paper and spreadsheets. These manual processes and tools are difficult to manage and error prone. They are typically costly, time consuming, confusing and complex. Results become obsolete because manual testing per regulation is typically done only once a year and it is not practical to share results across regulations.

Automating survey workflow

Automate the survey process to increase the quality and timeliness of controls testing while simplifying the effort and lowering the cost. Use technology that not only automates the survey workflow but also provides the content necessary to build surveys. Select technology that:

• Provides an authoring tool to dynamically create and edit surveys
• Supports the creation and implementation of automated workflow including:
  • The distribution of surveys to business or process owners and the collection and collation of data
  • Management of delegation and escalation, review and approval cycles, as well as reminders and user awareness/training
  • On-line help within the survey itself.

Survey process automation used with a common control framework and asset repository can dramatically reduce errors, increase response quality, and cut the time to complete the survey work. These benefits accrue to all involved, including project managers, respondents, auditors, and management, allowing an increase in survey frequency for a nominal cost.

Integrating and automating technical controls

Computing assets, hardware, software, and the like, are generally subject to technical controls that can be monitored automatically. Automated testing can be performed frequently, even continuously. Use a technology that easily integrates with already deployed systems such as scanners (for example, Nessus Security Scanner) and other monitoring systems (for example, Symantec Enterprise Security Manager™). Ensure that the automation technology can connect remotely without the use of an agent running on the servers or hosts, to avoid the complexity and cost of managing hosted agents on large numbers of servers.

Coupling automated survey workflow and technical controls

Full automation, while desired, is not achievable. Many objectives depend on controls that involve a combination of manual and technical checks. However, by using a technology that supports both automated survey workflow and technical testing, and seamlessly combines the data from each, a truer view of risk and compliance is obtained. By combining the results of both methods the organization achieves a compliance and risk picture that is more complete, accurate, and up-to-date as well as less costly to develop.

Key step 4: Quantify and analyze risk

Business strategy and practice requires taking controlled risks based on the business's risk tolerance and maximizing risk-adjusted returns. The same principles apply for managing IT risk and compliance. By identifying and quantifying risk, organizations can make more informed decisions and take more appropriate actions.

To quantify risk, identify threats and vulnerabilities against assets, apply likelihood, exposure, and criticality measures, and calculate risk scores for the assets using established and accepted methodologies. Later, rather than treating everything the same, actions can be tailored according to an asset's risk score and its potential damage and cost to the business. Quality risk metrics support objective analysis that drives better decisions; helps focus resources on the most important risks; and allows organizations to set objectives and track risk and compliance trends against these over time.

To quantify risk, use technology that:

• Uses standard methodologies and well-accepted scoring guidelines from standards organizations such as BITS, ISO, and NIST to generate meaningful risk metrics
• Accounts for risk propagated through asset dependencies, for example, the risk associated with the data center is propagated to applications that run inside it
• Keeps risk and compliance scores current by using both automated technical testing and manual self-assessment at the appropriate frequency
• Clearly traces risk to its cause, such as a failure of a particular control, a new unmitigated threat, or an increase in risk of a related asset.

By using the right approach and technology a business can build a comprehensive, quantified picture of risk, make informed decisions, and manage risk for the best business outcome.

Key step 5: Take appropriate actions to manage risk

Risk scores provide decision-makers with insight and visibility. Once the business knows which risks matter, the next step is to take action to manage those risks. Actions include:

• Transferring a risk to another entity
• Avoiding a risk
• Reducing the negative effect of a risk
• Accepting some or all of the consequences of a risk.

In addition to using relative risk scores, IT organizations can employ economic impact measures such as the Annual Loss Expectancy (ALE) to further optimize allocation of their resources on prioritized risks.

Taking action on risk typically involves change management: a configuration change, a procedural change, or the development and deployment of a new policy and/or new controls, to name a few. These changes must be defined, planned, approved, communicated, executed and verified. Over time, the organization will see the effectiveness of its preventive and corrective actions through periodic risk assessments and controls testing as well as through its business results.

Select a technology that supports trouble ticketing and/or integrates easily with an existing trouble ticket management tool already in place. Ensure that the links between prioritized risk, actions and results can be tracked and completed.

Key step 6: Provide visibility to support informed decisions

The most up-to-date risk data is of little value to an organization if it cannot be communicated effectively to decision makers. Well-organized and effectively formatted information is powerful. Providing business owners, executives, and operational teams with access to the broad risk and control picture, laid out for easy viewing and interpretation, eliminates surprise and allows thoughtful action to address above-tolerance conditions.

Use a comprehensive, intuitive, graphical web-based dashboard tool to build customized views for access by authorized users anywhere at any time. Choose technology that provides:

• Access control that also integrates easily with enterprise directories as needed
• Scheduled and dynamic reports and dashboards
• Graphical display of summary information relevant to each user's needs and role in the organization, for example, executive, business unit manager, analyst, and internal auditor
• Capabilities to easily drill down to any level to ascertain root cause or explore underlying details.

Providing visibility through flexible, interactive dashboards supports:

• Easier audits because reports are ready when needed
• Better decisions at all levels because customized management and operational views are accessible any time, any place
• Improved governance because executives get the big picture and the detail they need to drive policy down throughout the business as well as provide transparency up to the board level
• Better learning and improvement because managers, organizations, and teams can see compliance and risk trends over time.

Continuous visibility into risk and compliance status and trends is a powerful tool to provide transparency to auditors, executives, and boards of directors as well as improve risk-adjusted business results and provide compliance peace of mind.

The Benefits to IT Risk and Compliance Management

Information technology is a key business function standing at the center of the confluence of three critical management challenges:

• Regulatory control
• Risk management
• Cost reduction.

Regulatory and policy requirements are escalating. Unknown threats and vulnerabilities lurk everywhere. Continuous change to the environment, people, and processes is normal. Cost pressure is constant. By applying some or all of the key steps and using a scalable, easily integrated technology platform, IT organizations can effectively meet these hard-to-control challenges, and, by doing so, effectively manage the confluence of compliance, risk, and cost reduction. As a result they will:

• Always know their compliance position continuously through time
• Understand and manage risk that matters to the business
• Effectively use current resource levels to manage growing risk and compliance requirements
• Sustain lower cost through sustainable processes and better quality information
• Provide visibility to enable informed decisions at all levels of the enterprise.

IT organizations can start today, through the application of these key steps and technology, such as the Agiliance IT-GRC platform, to leverage the inter-relationships between compliance, risk, and cost reduction to drive results for the IT organization, the business at large, regulators, and other external stakeholders.

About Agiliance IT-GRC

The Agiliance IT-GRC platform is the first software product to comprehensively address the integrated requirements of Information Technology Governance, Risk, and Compliance. The Platform is explicitly designed to assist organizations to deliver compliance peace of mind, manage risk, and reduce costs by:

• Streamlining the management of policies and controls through standards and a common control framework
• Automating survey workflow and technical testing
• Integrating easily with existing systems to connect previously isolated elements into a comprehensive and productive environment for compliance and risk management
• Quantifying and prioritizing risk to support informed decisions and actions
• Providing up-to-date, broad visibility and transparency to managers, executives, and operational teams, leading to enhanced governance and business decision-making

The Agiliance IT-GRC platform is an indispensable tool for managing IT governance, risk, and compliance with less time, at a lower cost, and with more effectiveness.

Agiliance, Inc.
17 North First Street, Suite 00, San Jose, CA 9511
p: 08.00.000 f: 08.00.001
www.agiliance.com
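The scoring described in Key steps 4 and 5 (likelihood, exposure and criticality measures, risk propagated through the asset dependencies captured in Key step 1, a trace back to the causing control failure, and ALE to rank treatment), worked through as an added example. This is not Agiliance code; the asset names, ratings, likelihoods, exposures, dollar values and the per-hop attenuation factor are all constructed assumptions.

```python
"""Risk scoring over an asset-dependency inventory, with ALE-based prioritization.

Added illustration of the whitepaper's Key steps 1, 4 and 5; not Agiliance code.
All assets, ratings, likelihoods, exposures and dollar values are constructed.
"""
from dataclasses import dataclass, field

# Assumption: exposure inherited through a dependency is attenuated by this factor per hop.
PROPAGATION_FACTOR = 0.8


@dataclass
class Finding:
    """A failed control or unmitigated threat recorded against one asset."""
    cause: str
    aro: float        # annual rate of occurrence (expected events per year)
    exposure: float   # fraction of the asset's value lost per event, 0..1


@dataclass
class Asset:
    name: str
    criticality: int                                  # business criticality, 1 (low) .. 5 (high)
    cia: tuple                                        # (confidentiality, integrity, availability), each 1..5
    asset_value: float = 0.0                          # dollar value at risk, used for ALE
    depends_on: list = field(default_factory=list)    # names of assets this one runs on
    findings: list = field(default_factory=list)


class Inventory:
    def __init__(self, assets):
        self.assets = {a.name: a for a in assets}
        for a in assets:                              # reject dangling dependencies up front
            for dep in a.depends_on:
                if dep not in self.assets:
                    raise KeyError(f"{a.name} depends on unknown asset {dep}")

    def effective_findings(self, name, _path=()):
        """Own findings plus findings inherited from every transitive dependency.
        Yields (origin asset, hops, Finding, inherited exposure); raises on a cycle."""
        if name in _path:
            raise ValueError("dependency cycle: " + " -> ".join(_path + (name,)))
        asset = self.assets[name]
        result = [(name, 0, f, f.exposure) for f in asset.findings]
        for dep in asset.depends_on:
            for origin, hops, f, exp in self.effective_findings(dep, _path + (name,)):
                result.append((origin, hops + 1, f, exp * PROPAGATION_FACTOR))
        return result

    def risk_score(self, name):
        """0..100: worst (likelihood x exposure) among effective findings,
        weighted by criticality and the asset's highest CIA rating."""
        asset = self.assets[name]
        impact = (asset.criticality / 5) * (max(asset.cia) / 5)
        worst = max((min(f.aro, 1.0) * exp for _, _, f, exp in self.effective_findings(name)),
                    default=0.0)
        return round(100 * impact * worst, 2)

    def ale(self, name):
        """Annual Loss Expectancy: sum over effective findings of SLE (value x exposure) x ARO."""
        value = self.assets[name].asset_value
        return round(sum(value * exp * f.aro for _, _, f, exp in self.effective_findings(name)), 2)

    def root_cause(self, name):
        """Trace the score to its cause: (origin asset, hops away, cause), or None."""
        best = max(self.effective_findings(name),
                   key=lambda t: min(t[2].aro, 1.0) * t[3], default=None)
        return None if best is None else (best[0], best[1], best[2].cause)

    def prioritized(self):
        """Assets ordered by ALE, then score, with the treatment to consider."""
        rows = [(n, self.risk_score(n), self.ale(n)) for n in self.assets]
        rows = [(n, s, loss, recommend_action(s, loss)) for n, s, loss in rows]
        return sorted(rows, key=lambda r: (r[2], r[1]), reverse=True)


def recommend_action(score, ale, tolerance=20.0, transfer_threshold=1_000_000):
    """Map a score to accept / reduce / transfer. Both thresholds are assumptions."""
    if score <= tolerance:
        return "accept"
    if ale >= transfer_threshold:
        return "reduce or transfer"    # large expected loss: fix the control, or insure it
    return "reduce"


def sample_inventory():
    """Constructed inventory: applications -> server -> data center, as in Key step 1."""
    return Inventory([
        Asset("DC-West", 5, (3, 3, 5),
              findings=[Finding("UPS maintenance control failed", 0.5, 0.6)]),
        Asset("srv-app-01", 4, (3, 4, 4), depends_on=["DC-West"],
              findings=[Finding("critical patch missing", 2.0, 0.4)]),
        Asset("CustomerPortal", 5, (5, 4, 4), asset_value=2_000_000, depends_on=["srv-app-01"]),
        Asset("IntranetWiki", 2, (2, 2, 2), asset_value=50_000, depends_on=["srv-app-01"]),
    ])


if __name__ == "__main__":
    inv = sample_inventory()
    for name, score, loss, action in inv.prioritized():
        print(f"{name:15} score={score:6.2f} ALE=${loss:>12,.2f} {action:18} "
              f"cause={inv.root_cause(name)}")
```

The customer-facing application carries no finding of its own, yet ranks first: the missing patch on its server and the data-center control failure propagate to it, and its asset value turns that into the largest expected loss.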