6. http://www.enterprisegrc.com
ISO/IEC 17799:2005 – ISO 27001 Policy Mapping
Mapping ISO 17799:2005 (27001) to Finance, Legal, Business and IT Policies
Mapping COBIT to ISO allows us to link evidence across Policy, Program, Process and System
Updates are evident to all areas in real time
13. RunBook Reports Satisfy Compliance Requirements and Enable SOA - GRC
RunBooks provide a true CMDB of production services as governed by Policies and Processes
Controlled Server and Application tables establish the system inventory of tested items
Producing results in a searchable data format facilitates accurate controls metadata, verified policy and systems associations, and the foundation for accurate, complete and valid test design.
14. Automation of Audit Function
Changes in the risk landscape are rapid, dynamic and cannot be managed by manual process.
Corporate audit function costs continue to rise due to increasing threats and events.
Greater efficiency and cost effectiveness are achieved by:
• Automating audit processes
• Better monitoring tools and techniques
• Training key compliance team members
The R in GRC - Strategic Planning and Risk Management
15. What is the value of implementing Enterprise Risk Management (ERM)?
Enterprise Risk Management helps business leadership achieve the organization’s performance and profitability targets.
16. Why Risk Management?
• Minimizes: Likelihood of Material Loss Such As Fraud, Critical System Failure, Political Damage, Missed Strategic Milestones or Significant Loss of Revenue.
• Ensures: Delivery of Risk Information To The Business
• Enables: Business Decisions By Providing A Management Process For Capturing, Analyzing, Mitigating and Monitoring Risks to the Business
• Provides: a Unified Management Process for Risk Response
17. Risk Management Programs, Guidance and Process
[Process diagram; elements shown: Quarterly Business Review; Compliance Hot-Line; IT RiskWatch; Assign Risk Manager; Board Reports; Vulnerability; Threat & Vulnerability Analysis; Input risk details and status log; Residual Risk Program; RiskWatch; Corporate RiskWatch; Risk Meeting; IT Steering Committee]
21. Answers Simple Questions
What is Likelihood? Define Likely, Relatively Likely, Unlikely and Never.
What is Impact? Define Minor, Major and Catastrophic.
What is Significance? In what manner will significance change? What were the criteria we used for our interpretation of significance?
25. Risk Process Maturity
Level 3 – Defined Process: An organization-wide risk management policy defines when and how to conduct risk assessments. Risk assessment follows a defined process that is documented and available to all staff through training. Decisions to follow the process and to receive training are left to the individual’s discretion. The methodology is convincing and sound, and ensures that key risks to the business are likely to be identified. Decisions to follow the process are left to individual IT managers and there is no procedure to ensure that all projects are covered or that the ongoing operation is examined for risk on a regular basis.
[Risk Management maturity scale: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized]
26. Risk Process Maturity
Level 4 – Managed and Measurable: The assessment of risk is a standard procedure and exceptions to following the procedure would be noticed by IT management. It is likely that IT risk management is a defined management function with senior level responsibility. The process is advanced and risk is assessed at the individual project level and also regularly with regard to the overall IT operation. Management is advised on changes in the IT environment which could significantly affect the risk scenarios, such as an increased threat from the network or technical trends that affect the soundness of the IT strategy. Management is able to monitor the risk position and make informed decisions regarding the exposure it is willing to accept. Senior management and IT management have determined the levels of risk that the organization will tolerate and have standard measures for risk/return ratios. Management budgets for operational risk management projects to reassess risks on a regular basis. A risk management database is established.
27. Risk Process Maturity
Level 5 – Optimized: Risk assessments have developed to the stage where a structured, organization-wide process is enforced, followed regularly and well managed. Risk brainstorming and root cause analysis, involving expert individuals, are applied across the entire organization. The capturing, analysis and reporting of risk management data are highly automated. Guidance is drawn from leaders in the field and the IT organization takes part in peer groups to exchange experiences. Risk management is truly integrated into all business and IT operations, is well accepted and extensively involves the users of IT services.
29. Moving Through A Risk Cycle: Status Codes
• Reviewed & Accepted: Risk will be allowed to remain as described. Risk is determined to be acceptable, given business priorities & total vulnerability.
• Controls Required: Team is assigned to determine & implement compensating controls.
• Critical Controls Required: Exposure is determined to be unacceptable. Team is to implement compensating controls as quickly as possible.
• Emergency – Immediate Action Required: Emergency risk situation requires immediate team management & notification.
30. Project Risk Management Purpose and Scope
• Facilitates The Effective Management of Risk Within An IT Project
• Enables Project Team To Collaborate In Identifying Risk, Analyzing Risk, And Planning Appropriate Actions.
• Risk-related Actions Are Planned, Scheduled And Tracked As Additional Tasks In The Project Plan
• Risk Tracking Occurs In A Risk Watch List
• On-going Activity Throughout The Project
• Depends On All Project Team Members Being Risk-aware, Utilizing The Defined Risk Management Process
31. Corporate Risk Management Purpose & Scope
• Corporate Level Review of Company Specific Risk
• Roll Up of Individual Company Risks, Assignment of Relative Risk Criteria
• Ownership of Communicated Risk To Both Shareholders And Throughout The Corporate Enterprise.
• Governs How Corporate Leadership Interprets & Assigns Weighted Value To Company Specific Risk & Impact
• Initial Risk Assessment & Accountability Rests At The Individual Company Level
• Disclosure Committee Reviews & Determines Disclosure Requirements
32. Activity Outputs
• Apparent IT System or Technology resource based Vulnerability: A person in the IT domain is made aware, by interaction with others or through his/her own doing, of an apparent technology weakness. This weakness is determined by management to possibly merit risk team consideration. The risk is not associated with an SDM management effort, and therefore requires isolated entry to the RiskWatch.
• Significance Evaluation and Risk Criteria Template: The significance evaluation is a formal process based in agreed standards for determining the quality statements associated to an estimated risk. Establishing "RiskWatch COBIT Project Definitions" can be achieved by implementing a template of criteria definitions.
• Report Risk: Any IT person can launch the Risk Watch to enter details of a perceived risk. Management reviews the risk to determine its appropriateness for Risk Watch. The steps to filling out the RiskWatch form are detailed in the RiskWatch Form Entry Work Instruction.
• RiskWatch Meeting Review: Occurs weekly. Meeting is preceded by the posting of intended items for review and followed by posted summary of results. Metrics are gathered and stored in the work products folder as determined by the RiskWatch team.
• Threat & Vulnerability Analysis: Used to identify and document the threats and vulnerabilities associated with any asset being evaluated.
• Security Management: Responds to identified threat by ensuring the risk response and compensating controls are effectively enforced.
• Mitigated Risk: The risk is mitigated to significance of 9 or less with acceptable controls in place.
• Attestation of Risk: Fair and reasonable discovery and disclosure of risks.
33. Process Exit Criteria
• Risk Process Continues Until The Process Response Is Implemented
• Risk Is Mitigated To Acceptable Managed Residual Risk or Removed
• Mitigated Risk Where Significance Is Less Than “9” & Appropriate Controls Are Identified For Ongoing Risk Management
37. Business Process Management
Business Process Application Mapping
• Facilitate a walkthrough of each business process
• Identify those applications that support the processing of transactions
• Document the workflow of transactions through the entire process to ensure complete identification of applications
Application Summary and Scope Development
• Complete list of applications
• Relevance, relation and criticality to the financial reporting
• Significance to the financial reporting process
• Management discretion: applications considered important or high risk from management’s perspective
Application Technology Support Information
• For applications in scope for the Sarbanes-Oxley Program, gather the complete RunBook
• Source of Application: purchased and implemented with and without customization, developed and maintained internally, or outsourced to a third party
• For Changes: the date of the last major change and next planned change to each application
38. ISO/IEC 27001:2005
“ISO/IEC 27001:2005 implements effective information security management in compliance with organizational objectives and business requirements. Risk-based specification designed to take care of information security aspects of corporate governance, protection of information assets, legal and contractual obligations as well as the wide range of threats to an organization’s information and communications technology (ICT) systems and business processes.” (re-number ISO/IEC 17799 as ISO/IEC 27002)
ISMS implementation steps:
1. Define An Information Security Policy
2. Define scope of the information security management system
3. Perform A Security Risk Assessment
4. Manage the identified risk
5. Select Controls to be Implemented
6. Prepare Statement Of Applicability
ISO 27001 - This is the specification for an information security management system (an ISMS) which replaced the old BS7799-2 standard
ISO 27002 - 27000 series standard number of what was originally the ISO 17799 standard (which itself was formerly known as BS7799-1)
ISO 27003 - standard guidance for the implementation of an ISMS (IS Management System)
ISO 27004 - information security system management measurement and metrics
ISO 27005 - methodology independent ISO standard for information security risk management
ISO 27006 - guidelines for the accreditation of organizations offering ISMS certification
40. INTERNATIONAL STANDARD ISO/IEC 38500
ISO - Performance of the organization
Proper Corporate Governance of IT assists directors to ensure that IT use contributes positively to the performance of the organization, through:
• Appropriate Implementation And Operation of IT Assets
• Clarity of Responsibility And Accountability For Both The Use And Provision of IT In Achieving The Goals of The Organization
• Business Continuity And Sustainability
• Alignment of IT With Business Needs
• Efficient Allocation of Resources
• Innovation In Services, Markets, And Business
• Good Practice In Relationships With Stakeholders
• Reduction In The Costs For An Organization
• Actual Realization of The Approved Benefits From Each IT Investment
41. Factors for Governance Success
• Strong project management across IT (COBIT) and Finance Applications (COSO)
• Foster a culture of commitment, collaboration and knowledge transfer
• Regular status meetings (weekly or even daily in some cases)
• Intelligent GRC (Governance, Risk, Compliance)
• “OHIO” (only handle it once) means reduce redundant controls. Find and remove controls that are non-essential to the scope of audit. Nail questions before they come up through evidence of strong automated and system based policy. Leverage team knowledge to properly align controls to their rightful owners.
• Fail fast; pass slow
• Escalate non-remediated controls (fails) before they become “findings”
• Remove unnecessary tests
• Retest fails to confirm control design and validate against actual statement of risk
43.
• IT Audit and Compliance
• Enterprise Technology Risk Management
• Enterprise Architecture
• Business Continuity / Disaster Recovery
• Enterprise GRC Platforms and Implementation
• ERP Applications Certification Readiness
• Data Warehousing / Business Intelligence
• Process Reengineering
44. Some Key Points:
Control frameworks are designed to reduce operating cost and risk while optimizing service delivery.
A GRC program should:
• Reduce external dependencies
• Ensure that clients retain proprietary knowledge while reducing volume and time on testing
• Adeptly tailor proven methodology to meet unique culture and technical and business environment
• Meet and exceed goals set by leadership and critical industry regulation mandates
EnterpriseGRC Solutions Using Archer as our Audit Governance Risk and Compliance Platform
• Policy Management: Using ISO 27001, EnterpriseGRC Solutions maps HR, IT, Finance, Business and Legal Policy. Process & Policy mapping according to all major standards.
• Enterprise Management: Baseline Configuration Management (CMDB). Using Asset Inventory tools, create and enable real-time evidence of controls enabled by service operations.
• Compliance Management: CSA (Control Self Assessment) based in each organization’s custom risk frameworks, test scripts and maturity; Risk Assessments for initial and continuing audit phases.
• Risk Management: Enterprise Risk Management - Top Down - dashboarding program manages actual exposures, relative to real service, real policy and changing conditions across the business & IT.
4/4/2016