http://www.enterprisegrc.com
EnterpriseGRC Solutions Inc.
A Governance, Risk and
Compliance Company
A Service Oriented Approach
Policy Baseline, RunBook - CMDB,
Control Self Assessment, RiskWatch
Functional Teams (IT Support, HR, Facilities) Drive SOD and Application Controls Baseline
Internal Audit Addresses Dynamic Regulatory Requirements and Risk Conditions
Every Organization Has Unique Needs
Enterprise Security and Compliance Custom Tabs and Menus
ISO/IEC 17799:2005 – ISO/IEC 27001 Policy Mapping
• Mapping ISO/IEC 17799:2005 (renumbered ISO/IEC 27002, the control catalogue referenced by ISO/IEC 27001) to Finance, Legal, Business and IT policies
• Mapping COBIT to ISO allows us to:
  • Link evidence across Policy, Program, Process and System
  • Make updates visible to all areas in real time
© EnterpriseGRC Solutions, Inc. All Rights Reserved www.enterprisegrc.com
4Point GRC is a Service Oriented Architecture
Baseline Configuration Is Critical to Available Service
Enterprise Management Systems: Opportunities for Workflow and Controls Automation
Link Configuration Management Database and Policy Mapping, Leveraging a Service Oriented Architecture
Enable Continuous Service
Define the Control Relationship
RunBook Reports Satisfy Compliance Requirements and Enable SOA-GRC
• RunBooks provide a true CMDB of production services as governed by Policies and Processes
• Controlled Server and Application tables establish the system inventory of tested items
• Producing results in a searchable data format facilitates accurate controls metadata, verified policy-to-system associations, and the foundation for accurate, complete and valid test design
Automation of Audit Function
• Changes in the risk landscape are rapid and dynamic and cannot be managed by manual process.
• Corporate audit function costs continue to rise due to increasing threats and events.
• Greater efficiency and cost effectiveness are achieved by:
  • Automating audit processes
  • Better monitoring tools and techniques
  • Training key compliance team members

The R in GRC - Strategic Planning and Risk Management
What Is the Value of Implementing Enterprise Risk Management (ERM)?
Enterprise Risk Management helps business leadership achieve the organization's performance and profitability targets.
Why Risk Management?
• Minimizes the likelihood of material loss such as fraud, critical system failure, political damage, missed strategic milestones or significant loss of revenue.
• Ensures delivery of risk information to the business.
• Enables business decisions by providing a management process for capturing, analyzing, mitigating and monitoring risks to the business.
• Provides a unified management process for risk response.
Risk Management Programs, Guidance and Process
Program elements shown on the slide diagram:
• Quarterly Business Review
• Compliance Hot-Line
• IT RiskWatch
• Assign Risk Manager
• Board Reports
• Threat & Vulnerability Analysis
• Input risk details and status log
• Residual Risk Program
• RiskWatch
• Corporate RiskWatch
• Risk Meeting
• IT Steering Committee
Risk Watch Components
18
Risk
Identification
Business Risk
Assessment
Scope &
Boundary
Definition
Risk
Measurement
Risk Action
Plan
Risk
Acceptance
Safeguard
Selection
Risk
Assessment
Commitment
Risk Tracking: Respond, Report, Reduce
The Risk Management Process
Answers Simple Questions
• What is Likelihood? Define Likely, Relatively Likely, Unlikely and Never.
• What is Impact? Define Minor, Major and Catastrophic.
• What is Significance? In what manner will significance change? What were the criteria we used for our interpretation of significance?
Risk Mitigation
Key Roles & Responsibilities
• Chief Financial Officer
• Security Manager
• Risk Management Committee
• Risk Mitigation Implementation Owners
• Stakeholders & Users

"…Everyone in an entity has some responsibility for enterprise risk management. The chief executive officer is ultimately responsible and should assume ownership. Other managers SUPPORT the entity's risk management philosophy, promote compliance with its risk appetite, and manage risks within their spheres of responsibility consistent with risk tolerances. A risk officer, financial officer, internal auditor, and others usually have key SUPPORT responsibilities. Other entity personnel are responsible for executing enterprise risk management in accordance with established directives and protocols. The board of directors provides important oversight to enterprise risk management, and is aware of and concurs with the entity's risk appetite. A number of external parties, such as customers, vendors, business partners, external auditors, regulators, and financial analysts often provide information useful in effecting enterprise risk management, but they are not responsible for the effectiveness of, nor are they a part of, the entity's enterprise risk management."
Enterprise Risk Management — Integrated Framework, Executive Summary, Copyright © September 2004 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Achieve Risk Transparency
• Communicate – risk inputs and agenda
• Execute – program, meetings, risk response
• Measure – risk measurement and impact analysis, performance
• Record – meeting minutes, management reporting
• Archive – meeting minutes, KPI results
Risk Process Maturity
Maturity scale: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized

Level 3 – Defined Process: An organization-wide risk management policy defines when and how to conduct risk assessments. Risk assessment follows a defined process that is documented and available to all staff through training. The methodology is convincing and sound, and ensures that key risks to the business are likely to be identified. However, decisions to follow the process and to receive training are left to the discretion of individual IT managers, and there is no procedure to ensure that all projects are covered or that the ongoing operation is examined for risk on a regular basis.

Level 4 – Managed and Measurable: The assessment of risk is a standard procedure, and exceptions to following the procedure would be noticed by IT management. It is likely that IT risk management is a defined management function with senior-level responsibility. The process is advanced, and risk is assessed at the individual project level and also regularly with regard to the overall IT operation. Management is advised of changes in the IT environment which could significantly affect the risk scenarios, such as an increased threat from the network or technical trends that affect the soundness of the IT strategy. Management is able to monitor the risk position and make informed decisions regarding the exposure it is willing to accept. Senior management and IT management have determined the levels of risk that the organization will tolerate and have standard measures for risk/return ratios. Management budgets for operational risk management projects to reassess risks on a regular basis. A risk management database is established.

Level 5 – Optimized: Risk assessments have developed to the stage where a structured, organization-wide process is enforced, followed regularly and well managed. Risk brainstorming and root cause analysis, involving expert individuals, are applied across the entire organization. The capturing, analysis and reporting of risk management data are highly automated. Guidance is drawn from leaders in the field, and the IT organization takes part in peer groups to exchange experiences. Risk management is truly integrated into all business and IT operations, is well accepted and extensively involves the users of IT services.
Reap Benefits
Moving Through a Risk Cycle: Status Codes
• Reviewed & Accepted – Risk will be allowed to remain as described. Risk is determined to be acceptable, given business priorities and total vulnerability.
• Controls Required – A team is assigned to determine and implement compensating controls.
• Critical Controls Required – Exposure is determined to be unacceptable. The team is to implement compensating controls as quickly as possible.
• Emergency – Immediate Action Required – An emergency risk situation requires immediate team management and notification.
Project Risk Management Purpose and Scope
• Facilitates the effective management of risk within an IT project
• Enables the project team to collaborate in identifying risk, analyzing risk, and planning appropriate actions
• Risk-related actions are planned, scheduled and tracked as additional tasks in the project plan
• Risk tracking occurs in a risk watch list
• Ongoing activity throughout the project
• Depends on all project team members being risk-aware and utilizing the defined risk management process
Corporate Risk Management Purpose & Scope
• Corporate-level review of company-specific risk
  • Roll-up of individual company risks
  • Assignment of relative risk criteria
• Ownership of communicated risk, both to shareholders and throughout the corporate enterprise
• Governs how corporate leadership interprets and assigns weighted value to company-specific risk and impact
• Initial risk assessment and accountability rest at the individual company level
• Disclosure Committee reviews and determines disclosure requirements
Activity Outputs
• Apparent IT System or Technology Resource Based Vulnerability – A person in the IT domain becomes aware, through interaction with others or through his/her own work, of an apparent technology weakness. Management determines that the weakness may merit risk team consideration. The risk is not associated with an SDM management effort, and therefore requires isolated entry into RiskWatch.
• Significance Evaluation and Risk Criteria Template – The significance evaluation is a formal process based on agreed standards for determining the quality statements associated with an estimated risk. Establishing "RiskWatch COBIT Project Definitions" can be achieved by implementing a template of criteria definitions.
• Report Risk – Any IT person can launch RiskWatch to enter details of a perceived risk. Management reviews the risk to determine its appropriateness for RiskWatch. The steps for filling out the RiskWatch form are detailed in the RiskWatch Form Entry Work Instruction.
• RiskWatch Meeting Review – Occurs weekly. The meeting is preceded by the posting of intended items for review and followed by a posted summary of results. Metrics are gathered and stored in the work products folder as determined by the RiskWatch team.
• Threat & Vulnerability Analysis – Used to identify and document the threats and vulnerabilities associated with any asset being evaluated.
• Security Management – Responds to identified threats by ensuring the risk response and compensating controls are effectively enforced.
• Mitigated Risk – The risk is mitigated to a significance of 9 or less with acceptable controls in place.
• Attestation of Risk – Fair and reasonable discovery and disclosure of risks.
Process Exit Criteria
• The risk process continues until the process response is implemented
• Risk is mitigated to acceptable managed residual risk, or removed
• Mitigated risk: significance is less than "9" and appropriate controls are identified for ongoing risk management
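The significance questions, the status codes and the exit criteria above describe a workflow but give no numeric scale. The following added example (not code from the deck, and not RiskWatch's own implementation) encodes that workflow as a small risk register. The numeric weights for Likely / Relatively Likely / Unlikely / Never and Minor / Major / Catastrophic, the likelihood-times-impact rule for significance, and the reading of the mitigation threshold as "9 or less" (the deck states it both as "9 or less" and as "less than 9") are assumptions of this example, as are all field names and the two constructed sample risks.

```python
"""RiskWatch-style risk register: significance scoring, status codes and
process exit criteria.  Added example, not code from the deck; the level
weights, the significance formula and the inclusive 9 threshold are assumed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Likelihood(Enum):
    # The deck names the four levels; the weights are an assumption.
    NEVER = 1
    UNLIKELY = 2
    RELATIVELY_LIKELY = 3
    LIKELY = 4


class Impact(Enum):
    # Three levels from the "What is Impact?" slide; weights are an assumption.
    MINOR = 1
    MAJOR = 3
    CATASTROPHIC = 5


class Status(Enum):
    # The four status codes from "Moving Through a Risk Cycle".
    REVIEWED_ACCEPTED = "Reviewed & Accepted"
    CONTROLS_REQUIRED = "Controls Required"
    CRITICAL_CONTROLS_REQUIRED = "Critical Controls Required"
    EMERGENCY = "Emergency - Immediate Action Required"


# "Mitigated to significance of 9 or less"; the inclusive reading is an assumption.
MITIGATED_THRESHOLD = 9


def significance(likelihood: Likelihood, impact: Impact) -> int:
    """Significance as likelihood weight times impact weight (assumed formula)."""
    return likelihood.value * impact.value


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: Likelihood
    impact: Impact
    status: Status
    controls: List[str] = field(default_factory=list)
    removed: bool = False
    # status log: (event, significance before, significance after)
    log: List[Tuple[str, int, int]] = field(default_factory=list)

    def significance(self) -> int:
        return significance(self.likelihood, self.impact)

    def set_status(self, status: Status, note: str = "") -> None:
        """Record a status decision taken at the weekly RiskWatch review."""
        s = self.significance()
        self.status = status
        self.log.append((f"status={status.value} {note}".strip(), s, s))

    def apply_control(self, control: str,
                      likelihood: Optional[Likelihood] = None,
                      impact: Optional[Impact] = None) -> int:
        """Record a compensating control and the re-assessed likelihood/impact;
        returns the new significance so the caller can see the reduction."""
        before = self.significance()
        self.controls.append(control)
        if likelihood is not None:
            self.likelihood = likelihood
        if impact is not None:
            self.impact = impact
        self.log.append((f"control={control}", before, self.significance()))
        return self.significance()

    def may_exit(self) -> bool:
        """Exit criteria: accepted as residual risk, removed, or mitigated to
        the threshold with at least one control identified for ongoing management."""
        if self.removed or self.status is Status.REVIEWED_ACCEPTED:
            return True
        return self.significance() <= MITIGATED_THRESHOLD and bool(self.controls)


def watch_list(register: List[Risk]) -> List[Risk]:
    """Open items only: emergencies first, then by descending significance."""
    open_items = [r for r in register if not r.may_exit()]
    return sorted(open_items,
                  key=lambda r: (r.status is not Status.EMERGENCY, -r.significance()))


def demo() -> List[Risk]:
    """Constructed sample register walking two risks through the cycle."""
    patching = Risk("R-1", "Unpatched internet-facing web tier",
                    Likelihood.LIKELY, Impact.MAJOR,
                    Status.CRITICAL_CONTROLS_REQUIRED)           # significance 12
    patching.apply_control("Emergency patch window plus WAF rule",
                           likelihood=Likelihood.RELATIVELY_LIKELY)  # now 9
    legacy = Risk("R-2", "Legacy app depends on unsupported OS",
                  Likelihood.RELATIVELY_LIKELY, Impact.CATASTROPHIC,
                  Status.CONTROLS_REQUIRED)                        # significance 15
    return [patching, legacy]
```

The point of keeping `may_exit()` separate from the status code is that "Controls Required" on its own never closes an item: only an explicit acceptance, removal, or a recorded control that brings the re-assessed significance under the threshold does, which is what the exit criteria slide requires.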
Governance in IT Service Management
Service management process groups shown on the slide diagram:
• IT Service Design & Management: Service Level Management & Service Level Reporting; Capacity Management; Financial Management; Security; Availability & Contingency Management
• Resolution Processes: Incident and Problem Management
• Control Processes: Asset & Configuration Management; Change Management
• Release Processes: Release Management
• Supplier Processes: Customer Relationship and Supplier Management
• Automation
• Culture of change management
• Culture of causality
• Culture of compliance and desire to continually reduce variance
Change Management and Governance
Change Management's Relationship to Governance
• Inputs: Request for Change (RFC), CMDB, Release; Implementation Plans
• Committee: Change Management Team; Review Board; Steering Committee
• Outputs: Implementations; Meeting Minutes; Schedules
• Audit: Reports; Key Performance Indicators; Client Service Metrics
Enterprise Change Management
Goal of Change Management:
• Maximize the benefits to the business of making changes to the IT infrastructure
• Minimize the risks involved in making those changes
• Ensure that standardized methods and procedures are used for efficient and prompt handling of all changes
• Reduce the impact of change-related incidents and improve day-to-day function
Goal of Change Management Systems:
• Enable business decisions by providing a management system housing data for analysis, implementation and follow-up
• Support problem management in identifying known errors
Business Process Management
Business Process Application Mapping
• Facilitate a walkthrough of each business process
• Identify those applications that support the processing of transactions
• Document the workflow of transactions through the entire process to ensure complete identification of applications
Application Summary and Scope Development
• Complete list of applications
• Relevance, relation and criticality to financial reporting
• Significance to the financial reporting process
• Management discretion: applications considered important or high risk from management's perspective
Application Technology Support Information
• For applications in scope for the Sarbanes-Oxley program, gather the complete RunBook
• Source of application: purchased and implemented with or without customization, developed and maintained internally, or outsourced to a third party
• For changes: the date of the last major change and the next planned change to each application
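The RunBook slide earlier in the deck describes Controlled Server and Application tables held "in a searchable data format", and the three mapping steps above describe how the SOX test population is built from them. The following added example (not code from the deck or from any GRC product) shows the two used together: plain tables for processes, applications, servers and policies, a query that derives the in-scope population with its RunBook fields, and a completeness check that flags inventory gaps before test design. The table layout, field names and every sample row are constructed for this example.

```python
"""RunBook-style CMDB as searchable tables: derive the SOX test population
and flag inventory gaps.  Added example; table layout, field names and all
sample rows are constructed and not taken from the deck or any product."""
from typing import Dict, List

# Constructed sample data ---------------------------------------------------
# Business process -> applications that carry its transactions (walkthrough result)
PROCESS_APPS: Dict[str, List[str]] = {
    "Order to Cash": ["ERP", "Billing"],
    "Record to Report": ["ERP", "Consolidation"],
    "Hire to Retire": ["HRIS"],
}

# Application table: source, financial-reporting relevance, management flag, change dates
APPLICATIONS: Dict[str, dict] = {
    "ERP": {"source": "purchased, customized", "financial_reporting": True,
            "management_flag": False, "last_change": "2016-02-10", "next_change": "2016-05-01"},
    "Billing": {"source": "internal", "financial_reporting": True,
                "management_flag": False, "last_change": "2015-11-30", "next_change": None},
    "Consolidation": {"source": "outsourced", "financial_reporting": True,
                      "management_flag": False, "last_change": "2016-03-01", "next_change": "2016-04-15"},
    "HRIS": {"source": "purchased", "financial_reporting": False,
             "management_flag": True, "last_change": "2016-01-05", "next_change": None},
    "Intranet": {"source": "internal", "financial_reporting": False,
                 "management_flag": False, "last_change": "2015-06-01", "next_change": None},
}

# Controlled Server table: hostname -> application served and baseline configuration id
SERVERS: Dict[str, dict] = {
    "erp-app-01": {"app": "ERP", "baseline": "rhel7-app-v4"},
    "erp-db-01": {"app": "ERP", "baseline": "rhel7-db-v2"},
    "bill-01": {"app": "Billing", "baseline": None},   # no baseline recorded
    "hr-01": {"app": "HRIS", "baseline": "win2012-v3"},
}

# Policy mapping: policy -> applications it governs
POLICY_APPS: Dict[str, List[str]] = {
    "Change Management Policy": ["ERP", "Billing", "HRIS"],
    "Access Control Policy": ["ERP", "HRIS"],
}


def in_scope() -> List[str]:
    """Scope rule from the slide: financial-reporting relevance or management discretion."""
    return sorted(a for a, r in APPLICATIONS.items()
                  if r["financial_reporting"] or r["management_flag"])


def test_population() -> Dict[str, dict]:
    """RunBook view per in-scope application: processes, servers, policies, change dates."""
    pop = {}
    for app in in_scope():
        rec = APPLICATIONS[app]
        pop[app] = {
            "processes": sorted(p for p, apps in PROCESS_APPS.items() if app in apps),
            "servers": sorted(h for h, s in SERVERS.items() if s["app"] == app),
            "policies": sorted(p for p, apps in POLICY_APPS.items() if app in apps),
            "source": rec["source"],
            "last_change": rec["last_change"],
            "next_change": rec["next_change"],
        }
    return pop


def inventory_gaps() -> List[str]:
    """Completeness checks an auditor runs before test design: every walked-through
    application is in the Application table, every in-scope application has servers,
    a policy and a process, and every in-scope server has a baseline."""
    gaps = []
    for proc, apps in PROCESS_APPS.items():
        for app in apps:
            if app not in APPLICATIONS:
                gaps.append(f"{proc}: application {app} not in Application table")
    scope = in_scope()
    for app, view in test_population().items():
        if not view["servers"]:
            gaps.append(f"{app}: in scope but no server in Controlled Server table")
        if not view["policies"]:
            gaps.append(f"{app}: in scope but mapped to no policy")
        if not view["processes"]:
            gaps.append(f"{app}: in scope but supports no walked-through process")
    for host, s in SERVERS.items():
        if s["app"] in scope and s["baseline"] is None:
            gaps.append(f"{host}: in-scope server without baseline configuration")
    return sorted(gaps)
```

With the sample rows, the gap report names the outsourced consolidation application (in scope, but with no server and no policy mapped) and the billing server with no baseline, which is exactly the kind of finding a "system inventory of tested items" is meant to surface before a test is designed against an incomplete population.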
ISO/IEC 27001:2005
"ISO/IEC 27001:2005 implements effective information security management in compliance with organizational objectives and business requirements. Risk-based specification designed to take care of information security aspects of corporate governance, protection of information assets, legal and contractual obligations as well as the wide range of threats to an organization's information and communications technology (ICT) systems and business processes." (ISO/IEC 17799 was renumbered as ISO/IEC 27002.)
ISMS steps:
1. Define an information security policy
2. Define the scope of the information security management system
3. Perform a security risk assessment
4. Manage the identified risk
5. Select controls to be implemented
6. Prepare the Statement of Applicability
• ISO 27001 – the specification for an information security management system (ISMS), which replaced the old BS 7799-2 standard
• ISO 27002 – the 27000-series number of what was originally the ISO 17799 standard (itself formerly known as BS 7799-1)
• ISO 27003 – guidance for the implementation of an ISMS
• ISO 27004 – information security management measurement and metrics
• ISO 27005 – methodology-independent ISO standard for information security risk management
• ISO 27006 – guidelines for the accreditation of organizations offering ISMS certification
ISO 27001 Implementation Phases (Plan, Do, Check, Act)
• Initiate – understand and define the information security policy; initial information gathering
• Define ISMS – security manuals, procedures, guidelines, templates
• Assess – risk analysis and ranking; risk management
• Develop – controls identification and development
• Readiness – Statement of Applicability; assistance in the implementation and certification process
INTERNATIONAL STANDARD ISO/IEC 38500
Proper corporate governance of IT assists directors in ensuring that IT use contributes positively to the performance of the organization, through:
• Appropriate implementation and operation of IT assets
• Clarity of responsibility and accountability for both the use and provision of IT in achieving the goals of the organization
• Business continuity and sustainability
• Alignment of IT with business needs
• Efficient allocation of resources
• Innovation in services, markets, and business
• Good practice in relationships with stakeholders
• Reduction in the costs for an organization
• Actual realization of the approved benefits from each IT investment
Factors for Governance Success
Strong project management across IT (COBIT) and Finance applications (COSO)
• Foster a culture of commitment, collaboration and knowledge transfer
• Regular status meetings (weekly or even daily in some cases)
Intelligent GRC (Governance, Risk, Compliance)
• "OHIO" (only handle it once) means reduce redundant controls. Find and remove controls that are non-essential to the scope of the audit. Answer questions before they come up through evidence of strong automated and system-based policy. Leverage team knowledge to properly align controls to their rightful owners.
Fail fast; pass slow
• Escalate non-remediated controls (fails) before they become "findings"
• Remove unnecessary tests
• Retest fails to confirm control design and validate against the actual statement of risk
The COBIT Cube: Business Requirements
Information Criteria (one of the cube's three dimensions, alongside IT Resources and IT Processes):
• Effectiveness – deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, and usable manner.
• Efficiency – concerns the provision of information through the optimal (most productive and economical) use of resources.
• Confidentiality – concerns the protection of sensitive information from unauthorized disclosure.
• Integrity – relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
• Availability – relates to information being available when required by the business process, at present and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
• Compliance – deals with complying with those laws, regulations, and contractual arrangements to which the business process is subject, that is, externally imposed business criteria as well as internal policies.
• Reliability – relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities.
© EnterpriseGRC Solutions, Inc., ISACA® and ITPreneurs™. All Rights Reserved.
• IT Audit and Compliance
• Enterprise Technology Risk Management
• Enterprise Architecture
• Business Continuity / Disaster Recovery
• Enterprise GRC Platforms and Implementation
• ERP Applications
• Certification Readiness
• Data Warehousing / Business Intelligence
• Process Reengineering
Some Key Points:
• Control frameworks are designed to reduce operating cost and risk while optimizing service delivery
• A GRC program should:
  • Reduce external dependencies
  • Ensure that clients retain proprietary knowledge while reducing volume and time spent on testing
  • Adeptly tailor proven methodology to meet the unique culture and technical and business environment
  • Meet and exceed goals set by leadership and critical industry regulation mandates

EnterpriseGRC Solutions Using Archer as our Audit, Governance, Risk and Compliance Platform
• Policy Management – Using ISO 27001, EnterpriseGRC Solutions maps HR, IT, Finance, Business and Legal policy; process and policy mapping according to all major standards
• Enterprise Management – Baseline Configuration Management (CMDB): using asset inventory tools, create and enable real-time evidence of controls enabled by service operations
• Compliance Management – CSA (Control Self Assessment) based on each organization's custom risk frameworks, test scripts and maturity; risk assessments for initial and continuing audit phases
• Risk Management – Enterprise Risk Management, top-down; a dashboarding program manages actual exposures relative to real service, real policy and changing conditions across the business and IT
4/4/2016

Risk Management and Risk TransferRisk Management and Risk Transfer
Risk Management and Risk TransferCBIZ, Inc.
 
Sample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSathishKumar960827
 
How to Drive Value from Operational Risk Data - Part 2
How to Drive Value from Operational Risk Data - Part 2How to Drive Value from Operational Risk Data - Part 2
How to Drive Value from Operational Risk Data - Part 2Perficient, Inc.
 
Applying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_effortsApplying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_effortsSubhajit Bhuiya
 
Erm overview of auditing fraud and revenue assurance
Erm   overview of auditing fraud and revenue assuranceErm   overview of auditing fraud and revenue assurance
Erm overview of auditing fraud and revenue assurancewisnu wardhana, i nyoman
 
Maclear’s IT GRC Tools – Key Issues and Trends
Maclear’s  IT GRC Tools – Key Issues and TrendsMaclear’s  IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and TrendsMaclear LLC
 

Similar a Enterprise governance risk_compliance_fcm slides (20)

Third-Party Risk Management: Implementing a Strategy
Third-Party Risk Management: Implementing a StrategyThird-Party Risk Management: Implementing a Strategy
Third-Party Risk Management: Implementing a Strategy
 
Operational Risk Management - A Gateway to managing the risk profile of your...
Operational Risk Management -  A Gateway to managing the risk profile of your...Operational Risk Management -  A Gateway to managing the risk profile of your...
Operational Risk Management - A Gateway to managing the risk profile of your...
 
GP for Risk Management product sheet
GP for Risk Management product sheetGP for Risk Management product sheet
GP for Risk Management product sheet
 
Power your businesswith risk informed decisions
Power your businesswith risk informed decisionsPower your businesswith risk informed decisions
Power your businesswith risk informed decisions
 
2016 Risk Management Workshop
2016 Risk Management Workshop2016 Risk Management Workshop
2016 Risk Management Workshop
 
Enterprise 360 degree risk management
Enterprise 360 degree risk managementEnterprise 360 degree risk management
Enterprise 360 degree risk management
 
GP for Regulatory Management Product Sheet
GP for Regulatory Management Product SheetGP for Regulatory Management Product Sheet
GP for Regulatory Management Product Sheet
 
Qatar Proposal
Qatar ProposalQatar Proposal
Qatar Proposal
 
Dealing with Operational and Ecosystem Risk
Dealing with Operational and Ecosystem RiskDealing with Operational and Ecosystem Risk
Dealing with Operational and Ecosystem Risk
 
It62015 slides
It62015 slidesIt62015 slides
It62015 slides
 
CML Group GRCaaS Dashboard
CML Group GRCaaS Dashboard CML Group GRCaaS Dashboard
CML Group GRCaaS Dashboard
 
Spire Brief - Risk Consulting
Spire Brief - Risk ConsultingSpire Brief - Risk Consulting
Spire Brief - Risk Consulting
 
Government and SOX Compliance for ERP Systems
Government and SOX Compliance for ERP SystemsGovernment and SOX Compliance for ERP Systems
Government and SOX Compliance for ERP Systems
 
Risk Management and Risk Transfer
Risk Management and Risk TransferRisk Management and Risk Transfer
Risk Management and Risk Transfer
 
Sample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdf
 
RAP GC 2016
RAP GC 2016RAP GC 2016
RAP GC 2016
 
How to Drive Value from Operational Risk Data - Part 2
How to Drive Value from Operational Risk Data - Part 2How to Drive Value from Operational Risk Data - Part 2
How to Drive Value from Operational Risk Data - Part 2
 
Applying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_effortsApplying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_efforts
 
Erm overview of auditing fraud and revenue assurance
Erm   overview of auditing fraud and revenue assuranceErm   overview of auditing fraud and revenue assurance
Erm overview of auditing fraud and revenue assurance
 
Maclear’s IT GRC Tools – Key Issues and Trends
Maclear’s  IT GRC Tools – Key Issues and TrendsMaclear’s  IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and Trends
 

Último

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 

Último (20)

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

Enterprise governance risk_compliance_fcm slides

  • 14. Automation of Audit Function
    - Changes in the risk landscape are rapid and dynamic and cannot be managed by manual process.
    - Corporate audit function costs continue to rise as threats and events increase.
    - Greater efficiency and cost effectiveness are achieved by:
      - Automating audit processes
      - Better monitoring tools and techniques
      - Training key compliance team members
    The R in GRC: Strategic Planning and Risk Management
  • 15. What is the value of implementing Enterprise Risk Management (ERM)?
    Enterprise Risk Management helps business leadership achieve the organization's performance and profitability targets.
  • 16. Why Risk Management?
    - Minimizes the likelihood of material loss such as fraud, critical system failure, political damage, missed strategic milestones or significant loss of revenue.
    - Ensures delivery of risk information to the business.
    - Enables business decisions by providing a management process for capturing, analyzing, mitigating and monitoring risks to the business.
    - Provides a unified management process for risk response.
  • 17. Risk Management Programs, Guidance and Process (process diagram; elements: Quarterly Business Review, Compliance Hot-Line, IT RiskWatch, Assign Risk Manager, Board Reports, Threat & Vulnerability Analysis, Input risk details and status log, Residual Risk, Program RiskWatch, Corporate RiskWatch, Risk Meeting, IT Steering Committee)
  • 18. RiskWatch Components (diagram; elements: Risk Identification, Business Risk Assessment, Scope & Boundary Definition, Risk Measurement, Risk Action Plan, Risk Acceptance, Safeguard Selection, Risk Assessment Commitment)
  • 21. Answers Simple Questions
    - What is Likelihood? Define Likely, Relatively Likely, Unlikely and Never.
    - What is Impact? Define Minor, Major and Catastrophic.
    - What is Significance? In what manner will significance change? What were the criteria we used for our interpretation of significance?
  • 23. Key Roles & Responsibilities
    - Chief Financial Officer
    - Security Manager
    - Risk Management Committee
    - Risk Mitigation Implementation Owners
    - Stakeholders & Users
    "…Everyone in an entity has some responsibility for enterprise risk management. The chief executive officer is ultimately responsible and should assume ownership. Other managers SUPPORT the entity's risk management philosophy, promote compliance with its risk appetite, and manage risks within their spheres of responsibility consistent with risk tolerances. A risk officer, financial officer, internal auditor, and others usually have key SUPPORT responsibilities. Other entity personnel are responsible for executing enterprise risk management in accordance with established directives and protocols. The board of directors provides important oversight to enterprise risk management, and is aware of and concurs with the entity's risk appetite. A number of external parties, such as customers, vendors, business partners, external auditors, regulators, and financial analysts often provide information useful in effecting enterprise risk management, but they are not responsible for the effectiveness of, nor are they a part of, the entity's enterprise risk management." (Enterprise Risk Management — Integrated Framework, Executive Summary, Copyright © September 2004 by the Committee of Sponsoring Organizations of the Treadway Commission)
  • 24. Achieve Risk Transparency
    - Communicate: risk inputs and agenda
    - Execute: program, meetings, risk response
    - Measure: risk measurement and impact analysis, performance
    - Record: meeting minutes, management reporting
    - Archive: meeting minutes, KPI results
  • 25. Risk Process Maturity (maturity scale: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized)
    Level 3, Defined Process: An organization-wide risk management policy defines when and how to conduct risk assessments. Risk assessment follows a defined process that is documented and available to all staff through training. Decisions to follow the process and to receive training are left to the individual's discretion. The methodology is convincing and sound, and ensures that key risks to the business are likely to be identified. Decisions to follow the process are left to individual IT managers and there is no procedure to ensure that all projects are covered or that the ongoing operation is examined for risk on a regular basis.
  • 26. Risk Process Maturity
    Level 4, Managed and Measurable: The assessment of risk is a standard procedure and exceptions to following the procedure would be noticed by IT management. It is likely that IT risk management is a defined management function with senior-level responsibility. The process is advanced and risk is assessed at the individual project level and also regularly with regard to the overall IT operation. Management is advised on changes in the IT environment which could significantly affect the risk scenarios, such as an increased threat from the network or technical trends that affect the soundness of the IT strategy. Management is able to monitor the risk position and make informed decisions regarding the exposure it is willing to accept. Senior management and IT management have determined the levels of risk that the organization will tolerate and have standard measures for risk/return ratios. Management budgets for operational risk management projects to reassess risks on a regular basis. A risk management database is established.
  • 27. Risk Process Maturity
    Level 5, Optimized: Risk assessments have developed to the stage where a structured, organization-wide process is enforced, followed regularly and well managed. Risk brainstorming and root cause analysis, involving expert individuals, are applied across the entire organization. The capturing, analysis and reporting of risk management data are highly automated. Guidance is drawn from leaders in the field and the IT organization takes part in peer groups to exchange experiences. Risk management is truly integrated into all business and IT operations, is well accepted and extensively involves the users of IT services.
  • 28. Reap Benefits
  • 29. Moving Through a Risk Cycle: Status Codes
    - Reviewed & Accepted: the risk will be allowed to remain as described. The risk is determined to be acceptable, given business priorities and total vulnerability.
    - Controls Required: a team is assigned to determine and implement compensating controls.
    - Critical Controls Required: exposure is determined to be unacceptable. The team is to implement compensating controls as quickly as possible.
    - Emergency (Immediate Action Required): an emergency risk situation requires immediate team management and notification.
  • 30. Project Risk Management: Purpose and Scope
    - Facilitates the effective management of risk within an IT project.
    - Enables the project team to collaborate in identifying risk, analyzing risk and planning appropriate actions.
    - Risk-related actions are planned, scheduled and tracked as additional tasks in the project plan.
    - Risk tracking occurs in a risk watch list.
    - An ongoing activity throughout the project.
    - Depends on all project team members being risk-aware and using the defined risk management process.
  • 31. Corporate Risk Management: Purpose and Scope
    - Corporate-level review of company-specific risk: roll-up of individual company risks and assignment of relative risk criteria.
    - Ownership of communicated risk, both to shareholders and throughout the corporate enterprise.
    - Governs how corporate leadership interprets and assigns weighted value to company-specific risk and impact.
    - Initial risk assessment and accountability rest at the individual company level.
    - The Disclosure Committee reviews and determines disclosure requirements.
  • 32. Activity Outputs
    - Apparent IT system or technology resource-based vulnerability: A person in the IT domain is made aware, by interaction with others or through his/her own doing, of an apparent technology weakness. Management determines that this weakness may merit risk team consideration. The risk is not associated with an SDM management effort and therefore requires isolated entry to the RiskWatch.
    - Significance Evaluation and Risk Criteria Template: The significance evaluation is a formal process based on agreed standards for determining the quality statements associated with an estimated risk. Establishing "RiskWatch COBIT Project Definitions" can be achieved by implementing a template of criteria definitions.
    - Report Risk: Any IT person can launch the RiskWatch to enter details of a perceived risk. Management reviews the risk to determine its appropriateness for RiskWatch. The steps for filling out the RiskWatch form are detailed in the RiskWatch Form Entry Work Instruction.
    - RiskWatch Meeting Review: Occurs weekly. The meeting is preceded by the posting of intended items for review and followed by a posted summary of results. Metrics are gathered and stored in the work products folder as determined by the RiskWatch team.
    - Threat & Vulnerability Analysis: Used to identify and document the threats and vulnerabilities associated with any asset being evaluated.
    - Security Management: Responds to an identified threat by ensuring the risk response and compensating controls are effectively enforced.
    - Mitigated Risk: The risk is mitigated to a significance of 9 or less with acceptable controls in place.
    - Attestation of Risk: Fair and reasonable discovery and disclosure of risks.
  • 33. Process Exit Criteria
    - The risk process continues until the process response is implemented.
    - The risk is mitigated to an acceptable, managed residual risk, or removed.
    - Mitigated risk: significance is less than 9 and appropriate controls are identified for ongoing risk management.
  • 34. Automation Governance in IT Service Management (process map; elements: Security, Availability & Contingency Management; IT Service Design & Management; Service Level Management & Service Level Reporting; Capacity Management; Financial Management; Resolution Processes: Incident and Problem Management; Control Processes: Asset & Configuration Management, Change Management; Release Processes: Release Management; Supplier Processes: Customer Relationship and Supplier Management)
    - Culture of change management
    - Culture of causality
    - Culture of compliance and desire to continually reduce variance
  • 35. Change Management and Governance: Change Management's Relationship to Governance
    - Inputs: Request for Change (RFC), CMDB, Release; Implementation Plans
    - Committee: Change Management Team; Review Board; Steering
    - Outputs: Implementations; Meeting Minutes; Schedules
    - Audit: Reports; Key Performance Indicators; Client Service Metrics
  • 36. Enterprise Change Management
    Goal of Change Management Systems:
    - Enable business decisions by providing a management system housing data for analysis, implementation and follow-up.
    - Support problem management in identifying known errors.
    Goal of Change Management:
    - Maximize the benefits to the business of making changes to the IT infrastructure.
    - Minimize the risks involved in making those changes.
    - Ensure that standardized methods and procedures are used for efficient and prompt handling of all changes.
    - Reduce the impact of change-related incidents and improve day-to-day function.
  • 37. Business Process Management
    Business Process Application Mapping
    - Facilitate a walkthrough of each business process.
    - Identify the applications that support the processing of transactions.
    - Document the workflow of transactions through the entire process to ensure complete identification of applications.
    Application Summary and Scope Development
    - Complete list of applications.
    - Relevance, relation and criticality to financial reporting.
    - Significance to the financial reporting process.
    - Management discretion: applications considered important or high risk from management's perspective.
    Application Technology Support Information
    - For applications in scope for the Sarbanes-Oxley program, gather the complete RunBook.
    - Source of application: purchased and implemented with or without customization; developed and maintained internally; or outsourced to a third party.
    - For changes: the date of the last major change and the next planned change to each application.
  • 38. http://www.enterprisegrc.com ISO/IEC 27001:2005 “ ISO/IEC 27001:2005 implements effective information security management in compliance with organizational objectives and business requirements. Risk-based specification designed to take care of information security aspects of corporate governance, protection of information assets, legal and contractual obligations as well as the wide range of threats to an organization’s information and communications technology (ICT) systems and business processes.” (re-number ISO/IEC 17799 as ISO/IEC 27002) Define An Information Security Policy Define scope of the information security management system 2 Perform A Security Risk Assessment Manage the identified risk Select Controls Implemented 5 Prepare Statement Of Applicability ISO 27001 - This is the specification for an information security management system (an ISMS) which replaced the old BS7799-2 standard ISO 27002 - 27000 series standard number of what was originally the ISO 17799 standard (which itself was formerly known as BS7799-1) ISO 27003 - standard guidance for the implementation of an ISMS (IS Management System) ISO 27004 - information security system management measurement and metrics. ISO 27005 - methodology independent ISO standard for information security risk management ISO 27006 - guidelines for the accreditation of organizations offering ISMS certification
• 40. http://www.enterprisegrc.com
INTERNATIONAL STANDARD ISO/IEC 38500
 ISO - Performance of the organization
 Proper corporate governance of IT assists directors to ensure that IT use contributes positively to the performance of the organization, through:
  Appropriate implementation and operation of IT assets
  Clarity of responsibility and accountability for both the use and provision of IT in achieving the goals of the organization
  Business continuity and sustainability
  Alignment of IT with business needs
  Efficient allocation of resources
  Innovation in services, markets, and business
  Good practice in relationships with stakeholders
  Reduction in the costs for an organization
  Actual realization of the approved benefits from each IT investment
• 41. http://www.enterprisegrc.com
Factors for Governance Success
Strong project management across IT (COBIT) and Finance Applications (COSO)
 Foster a culture of commitment, collaboration and knowledge transfer
 Regular status meetings (weekly or even daily in some cases)
Intelligent GRC (Governance, Risk, Compliance)
 “OHIO” (only handle it once) means reducing redundant controls: find and remove controls that are non-essential to the scope of the audit.
 Nail questions before they come up, through evidence of strong automated and system-based policy.
 Leverage team knowledge to properly align controls to their rightful owners.
Fail fast; pass slow
 Escalate non-remediated controls (fails) before they become “findings”
 Remove unnecessary tests
 Retest fails to confirm control design and validate against the actual statement of risk
• 42. http://www.enterprisegrc.com
The COBIT Cube: Business Requirements
(Figure: the COBIT cube, with axes Information Criteria, IT Resources and IT Processes)
Information criteria:
• Effectiveness - Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, and usable manner.
• Efficiency - Concerns the provision of information through the optimal (most productive and economical) use of resources.
• Confidentiality - Concerns the protection of sensitive information from unauthorized disclosure.
• Integrity - Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
• Availability - Relates to information being available when required by the business process, at present and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
• Compliance - Deals with complying with those laws, regulations, and contractual arrangements to which the business process is subject, that is, externally imposed business criteria as well as internal policies.
• Reliability - Relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities.
© EnterpriseGRC Solutions, Inc. ISACA® and ITPreneurs™ All Rights Reserved. You could be earning credit right now! To learn more about accredited online and live training: 800 847-6821
• 43. http://www.enterprisegrc.com
• IT Audit and Compliance
• Enterprise Technology Risk Management
• Enterprise Architecture
• Business Continuity
• Disaster Recovery
• Enterprise GRC Platforms and Implementation
• ERP Applications Certification Readiness
• Data Warehousing
• Business Intelligence
• Process Reengineering
• 44. http://www.enterprisegrc.com
Some Key Points:
 Control frameworks are designed to reduce operating cost and risk while optimizing service delivery
 A GRC program should:
   Reduce external dependencies
   Ensure that clients retain proprietary knowledge while reducing the volume of and time spent on testing
   Adeptly tailor proven methodology to meet each client’s unique culture and technical and business environment
   Meet and exceed goals set by leadership and critical industry regulation mandates
EnterpriseGRC Solutions: Using Archer as our Audit, Governance, Risk and Compliance Platform
• Policy Management: Using ISO 27001, EnterpriseGRC Solutions maps HR, IT, Finance, Business and Legal policy; process and policy mapping according to all major standards
• Enterprise Management: Baseline Configuration Management (CMDB). Using asset inventory tools, create and enable real-time evidence of controls enabled by service operations.
• Compliance Management: CSA (Control Self Assessment). Based on each organization’s custom risk frameworks, test scripts and maturity; risk assessments for initial and continuing audit phases
• Risk Management: Enterprise Risk Management, top down. A dashboarding program manages actual exposures, relative to real service, real policy and changing conditions across the business and IT.
4/4/2016