Achieving Business Imperatives through IT Governance and Risk
- Phillip Miles
- 8 years ago
Slide 1. IBM Global Technology Services
Achieving Business Imperatives through IT Governance and Risk
Peter Stremus, Internet Security Systems, an IBM Company
Slide 2. Introduction: Compliance Value
Over the past 15 years in the IT industry, people have been searching for better ways of illustrating (and thus measuring) the value that IT can provide to the business. This presentation provides an example of an executed approach used to successfully illustrate the value of an IT Control Activity for Business and Compliance. This approach can provide a solid foundation to successfully leverage your Compliance investments through the use of Best Practice standards and frameworks.
Slide 3. Trends: The Financial Industry
- Competition in the financial industry has become critically dependent on IT, as banks now spend the majority of non-compensation costs on IT and communications.
- Case studies of peers support the decisions made by other financial institutions to move to a fully centralized global IT governance model.
- The recent economic downturn and declining capital markets have caused banks to tighten financial control and trim costs.
- Increased criminal activity, such as Internet fraud and terrorism, heightens the need for security and wider reporting capabilities.
Slide 4. Trends: Legislation & Regulations
- Sarbanes Oxley Act
- CMA
- FSA
- Terrorism Act 2000
- Obscene Publications Act
- Gramm Leach Bliley
- Copyright Design & Patents Act
- Privacy and Electronic Comms.
- HIPAA
- Basel II
- Freedom of Information Act
- Data Protection Act
- RIPA
Slide 5. Issues: Aligning Business and IT
Four levels of IT Risk:
- Strategic Level: decisions on business strategy
- Programme Level: decisions transforming strategy into action
- Project Level: decisions required to enable implementation of actions
- Operational Level
Source: Office of Government Commerce, Management of Risk Framework
Slide 6. Aligning IT with Business
An effective IT risk approach addresses critical performance issues at both the Group level and the BU/LE levels.
Group-level Key Interests:
- Does IT support the achievement of organizational objectives?
- Are targeted enterprise-wide IT synergies being achieved?
- Are IT risks being identified and managed?
BU-level Key Interests:
- Does IT deliver on its service level commitments?
- Do investments in IT positively affect business productivity?
- Are IT costs being managed effectively?
Slide 7. Challenges: Business Alignment
IT Risk Management is a key stakeholder in maintaining a balance between the business needs and the value associated with an IT solution. The business value of IT is dependent upon linking the business process to the supporting IT automation activity.
Organization/Business Objectives (Competitive/Leader Objectives): Profitable Growth, Client Satisfaction, Employer of Choice, Strengthen Reputation
IT Solution Framework(s): CobiT, ISO, ITIL
Risk Assessment: High-level (Self-Assessment), Low-level (Detailed)
Business Goal: Compliance
IT Automation: Level of Process Automation
- Business: An increasing number of business processes rely on IT automation (e.g. On-line Banking).
- IT: Although the business risk is owned by the business, automating the processes increases the dependency on effective IT risk management.
- Risk Mitigation: Pragmatic IT Risk Mitigation options align a more precise IT solution to support business needs without over-engineering.
Slide 8. Example: Compliance Approach and Roadmap
The approach is executed through 5 phases.
Phase 1: Identification
- Identify the organization and business goals, objectives and/or process.
- Identify the relevant framework(s).
- Identify the relevant control practices or activities.
Phase 2: Cross-Reference
- Execute cross-reference mapping to all identified frameworks and standards.
- Execute cross-reference mapping to all identified compliance initiatives.
- Execute cross-reference mapping to all identified IT roles/areas.
Phase 3: Risk Analysis / Assessment
- Perform a high-level risk analysis/self-assessment and record initial results as a benchmark for maturity measurement.
- Review self-assessment results and identify probable business and IT owners.
- Based on risk results, perform a detailed risk assessment to include asset impact, risk realization cost and acceptable level of risk.
Phase 4: Risk Mitigation
- Identify potential risk mitigation options (e.g. Products or Services).
- Identify all associated costs for each mitigation option.
- Identify any residual risk.
- Compare the costs associated with each risk mitigation option against the risk realization cost to identify TCO/ROI.
Phase 5: Evaluate Results / Value Mapping
- Review IT risk mitigation options with the business.
- If accepted, initiate a project to implement the selected IT risk mitigation option.
- Map the value associated with the IT activity back to the organization and business goals or objectives.
- Review the relevance of the IT control activity to the cross-references for frameworks and compliance.
Slide 9. Example: Compliance Business Goal
Phase 1: Identification
- Identify the organization and business goals, objectives and/or process.
- Identify the relevant framework(s).
- Identify the relevant control practices or activities.
Organization/Business Objectives: Client Satisfaction, Strengthen Reputation
Business Goal #14: Compliance with external laws and regulations (Sarbanes-Oxley, HIPAA, GLBA, etc.)
Framework: CobiT Version 4
CobiT Process DS 5: Ensure System Security
- Control Objective DS 5.5: Security Testing, Surveillance and Monitoring
  - Control Activity: Monitor potential and actual security incidents
  - Control Activity: Conduct regular vulnerability assessments
- Control Objective DS 5.10: Network Security
  - Control Activity: Implement and maintain technical and procedural controls to protect information flows across networks.
Slide 10. Example: Compliance Cross-Reference
Phase 2: Cross-Reference
- Execute cross-reference mapping to all identified frameworks and standards.
- Execute cross-reference mapping to all identified compliance initiatives.
- Execute cross-reference mapping to all identified IT roles/areas.
Frameworks:
- BIT-map (1)
- Mapping CobiT Versions 3 & 4 to ISO Versions 2000 & 2005
- Aligning CobiT, ITIL and ISO17799 for Business Benefit
Compliance Initiatives:
- IT Control Objectives for Sarbanes-Oxley
IT Roles/Areas:
- CobiT Role and Responsibility Matrix
(1) Tool for Framework, Compliance and IT Role Cross-Reference Mapping:
Slide 11. Example: Compliance Risk Analysis/Assessment
Phase 3: Risk Analysis / Assessment
- Perform a high-level risk analysis/self-assessment and record initial results as a benchmark for maturity measurement.
- Review self-assessment results and identify probable business and IT owners.
- Based on risk results, perform a detailed risk assessment to include asset impact, risk realization cost and acceptable level of risk.
High-Level Risk Analysis/Self-Assessment: many tools are currently available (e.g. BIT-map, etc.).
Review Risk Analysis/Self-Assessment Results: identify probable Business and IT Owners.
Detailed Risk Assessment consists of 4 main activities:
- Threat: Identify the potential threat to the business and the IT systems supporting the process. (X-Force Threat Notification Service)
- Vulnerability: Identify the vulnerability associated with the IT systems supporting the process. (Vulnerability Assessment)
- Asset: Identify the assets located on the vulnerable IT systems.
- Probability / Activity: Calculate the probability or identify any current activity. (IDS / IPS / Network Anomaly Detection)
Total Risk = Risk for Unauthorized Access to Sensitive Data
Slide 12. Example: Compliance Risk Mitigation
Phase 4: Risk Mitigation
- Identify potential risk mitigation options (e.g. Products or Services).
- Identify all associated costs for each mitigation option.
- Identify any residual risk.
- Compare the costs associated with each risk mitigation option against the risk realization cost to identify TCO/ROI.
Risk = Unauthorized Access to Sensitive Data
Risk Mitigation Options:
CobiT Process DS 5: Ensure System Security
- Control Objective DS 5.5: Security Testing, Surveillance and Monitoring
  - Control Activity: Monitor potential and actual security incidents. Options: Proventia Server; Proventia Desktop
  - Control Activity: Conduct regular vulnerability assessments. Option: Vulnerability Assessment (Internet Scanner)
- Control Objective DS 5.10: Network Security
  - Control Activity: Implement and maintain technical and procedural controls to protect information flows across networks. Option: Intrusion Prevention & Network Anomaly Detection
Costs, Residual Risk and TCO: Calculate a Business Case
Slide 13. Example: Compliance Value Mapping
Phase 5: Evaluate Results / Value Mapping
- Review IT risk mitigation options with the business.
- If accepted, initiate a project to implement the selected IT risk mitigation option.
- Map the value associated with the IT activity back to the organization and business goals or objectives.
- Review the relevance of the IT control activity to the cross-references for frameworks and compliance.
Mapping the Value (Objectives):
- Organization/Business Objectives: Client Satisfaction, Strengthen Reputation
- Business Goal: SOX Compliance
- Business Process: Direct Net
- IT Automation: Level of Process Automation
IT Solution:
- Framework: CobiT
- Control Activity: Monitor potential and actual security incidents
- Risk Assessment: Unauthorized Access
- Risk Mitigation: Proventia Server and Desktop; Vulnerability Assessment; IPS/Anomaly Detection
Relevance (Cross-Reference):
- SOX, HIPAA and GLBA relevant
- ISO17799 (9.4, 9.5, 9.7, 10.4) and ITIL (Security Mgmt. 4.2) relevant
Slide 14. IDS vs. IPS (Internet Security Systems)
The objective in implementing any control is to ensure the reduction or mitigation of the risk affecting the success in achieving the business goals. The example below illustrates how IDS/IPS help in facilitating the controls to support service availability and compliance with policies and regulations.
ISO 17799:2005 Controls (the slide's table marks each control against IDS and IPS; the marks did not survive transcription):
- Controls against malicious code
- Network controls
- Business Information Systems
- Publicly available information
- Policy on use of network services
- Segregation in networks
- Network connection control
- Sensitive system isolation
- Information leakage
- Control of technical vulnerabilities
- Business continuity and risk assessment
- Data protection and privacy of personal information
- Prevention of misuse of information processing facilities
- Compliance with security policies and standards
Slide 15. Issues: Addressing Compliance
- IT governance currently in place.
- Method for measuring the alignment of IT and the Group strategy.
- Internal drivers for synergies/group-minded IT activities/decisions.
Slide 16. Issues: Addressing Compliance (cont.)
- Implement a centrally led approach with respect to Group-wide cost saving projects.
- Link incentives of Business Managers to Group-wide project leadership performance.
- Impart a sense of urgency to all Business Divisions for the implementation of Group-wide issues.
- Clear communication of the Group's IT governance objectives to Business Division Management.
Slide 17. Issues: Impacts
- Analysts question large IT costs arising in an unclear governance environment.
- Business Divisions might make independent decisions and duplicate effort (i.e. the focus needs to be on a "cooperative" approach).
- Isolated decisions potentially lead to negative overall cost implications.
- Regulatory scrutiny: proof of compliance becomes increasingly difficult ("SOX", Basel II, etc.).
Slide 18. Information Security Landscape: Attributes for IT Risk Management (1)
- Federalized (Centralized) IT Risk Management: Pioneering companies balance center-led template creation and coordination with assessment and mitigation efforts conducted at the local level.
- IT Security Risk Assessments: Pioneering companies are developing frameworks to measure relative internal risk and creating mechanisms to monitor the security controls of critical external partners.
- Centrally Coordinated Business Continuity Planning: Leading organizations are chartering cross-functional business continuity governance committees (including IT) to set policies, coordinate planning efforts, establish enterprise priorities, and invest in communication tools.
- Risk-Based Project Prioritization and Execution: Exemplars deploy tools to surface and mitigate critical technological, organizational, and strategic risks across the project management life cycle.
- Collaboration for Regulatory Compliance: Exemplar IT organizations support compliance efforts by tracking and reporting line unit progress, driving standardization across the company, and prioritizing the most critical controls.
- Comprehensive Sourcing Due Diligence: Exemplar organizations conduct extensive due diligence regarding application eligibility for externalization and the fiscal health of service providers.
(1) Source: The Information Risk Executive Working Council for Chief Information Officers, conducted by the Corporate Executive Board (CEB).
Slide 19. Information Security Standards: Best Practice
- ISO/IEC 17799 / ISO/IEC Code of Practice for Information Security Management: provides best practice for information security management; the basis upon which baseline controls can be validated.
- ITIL (IT Infrastructure Library): best practice for IT service management.
- COSO (Committee of Sponsoring Organisations of the Treadway Commission): provides best practice on financial controls.
- COBIT (Control Objectives for IT and Related Technology)
Slide 20. Information Security Standards: Standards
- ISO/IEC 17799:2005 Code of Practice for Information Security Management
- ISO/IEC Guidelines for the Management of IT Security
- NIST (National Institute for Standards and Technology)
Slide 21. Solution Summary: Roadmap (1)
Phase 1: Identification
1. Identify the organisation and business objectives.
2. Identify the business process.
3. Identify the relevant framework(s).
4. Identify the relevant control practices or activities.
Phase 2: Cross-Reference
1. Execute cross-reference mapping to all identified frameworks and standards.
2. Execute cross-reference mapping to all identified compliance initiatives.
3. Execute cross-reference mapping to all identified IT areas, departments and roles.
Phase 3: Self-Assessment / Benchmark
1. Perform a high-level self-assessment.
2. Record initial results as a benchmark for maturity measurement.
3. Review self-assessment results at both an aggregated level and control practice/activity level.
4. Based on risk results, perform a detailed risk assessment to include asset impact and risk realization cost.
Phase 4: IT Risk Mitigation
1. Identify potential risk mitigation options (e.g. Products or Services).
2. Identify all associated costs for each mitigation option.
3. Identify any residual risk.
4. Compare the costs associated with each risk mitigation option against the risk realization cost to identify TCO/ROI.
Phase 5: Evaluate Results
1. Review IT risk mitigation options with the business.
2. If accepted, initiate a project to implement the selected IT risk mitigation option.
3. Map the value associated with the IT activity back to the organization and business objectives.
4. Review the relevance of the IT activity to the cross-references for frameworks and compliance initiatives.
(1) Source: Bit-Map 4VAC GmbH
Slide 22. Solution Summary: Mapping Compliance
Defining the Objectives:
- Extracting value from compliance investments
- Addressing future compliance initiatives effectively and efficiently
With the adoption of an anchor framework, mapping compliance-related initiatives can begin. Sarbanes-Oxley and Basel II were among the first to be selected for compliance mapping.
Slide 23. Solution Summary: Risk Mitigation Options
The challenge is in balancing a control activity with business needs.
Slide 24. Risk Mitigation Options (cont.)
- Control Activity: Deploy Internet Security Systems Proventia Integrated Appliance
- Control Activity: Update the latest Express Updates (XPUs) on the Proventia appliance
Slide 25. Risk Mitigation: Activities to Solutions
The objective in implementing any control is to ensure the reduction or mitigation of the risk affecting the success in achieving the business goals. The example below illustrates how IDS/IPS help in facilitating the controls to support service availability and compliance with policies and regulations.
ISO 17799:2005 Controls (the slide's table marks each control against IDS and IPS; the marks did not survive transcription):
- Controls against malicious software
- Controls against malicious code
- Network controls
- Business Information Systems
- Publicly available information
- Policy on use of network services
- Segregation in networks
- Network connection control
- Sensitive system isolation
- Information leakage
- Control of technical vulnerabilities
- Business continuity and risk assessment
- Data protection and privacy of personal information
- Prevention of misuse of information processing facilities
- Compliance with security policies and standards
Slide 26. Map IT Activity to Business Objectives
With an effective IT risk management approach in place, the key interests of Credit Suisse are addressed, providing IT alignment with the business.
IT Risk Management steps:
- Identify
- Cross-reference mapping
- Risk Assessment
- Risk Mitigation Options
- Map IT control practice/activity
Group Key Interests (Addressed?):
- Does IT support the achievement of organizational objectives? YES
- Are targeted enterprise-wide IT synergies being achieved? YES
- Are IT risks being identified and managed? YES
BU Key Interests (Addressed?):
- Does IT deliver on its service level commitments? YES
- Do IT investments positively affect business productivity? YES
- Are IT costs being managed effectively? YES
More informationInformation Security Risk Management
Information Security Risk Management Based on ISO/IEC 17799 Houman Sadeghi Kaji Spread Spectrum Communication System PhD., Cisco Certified Network Professional Security Specialist BS7799 LA info@houmankaji.net
More informationWHITEPAPER. Compliance: what it means for databases
WHITEPAPER Compliance: what it means for databases Introduction Compliance is the general term used to describe the efforts made by many (typically larger) organizations to meet regulatory standards. In
More informationAn Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011
An Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011 Brian McLean, CISSP Sr Technology Consultant, RSA Changing Threats and More Demanding Regulations External
More informationRisk Assessment & Enterprise Risk Management
Risk Assessment & Enterprise Risk 1 Healthcare Corporate Governance Today s environment requires building a culture of risk awareness and management of risk across the organization, while formulating less
More informationInformation Security Management Systems
Information Security Management Systems Øivind Høiem CISA, CRISC, ISO27001 Lead Implementer Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector
More informationInformation Security Management System for Microsoft s Cloud Infrastructure
Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System
More informationThe Value of Vulnerability Management*
The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda
More informationCertified Software Quality Assurance Professional VS-1085
Certified Software Quality Assurance Professional VS-1085 Certified Software Quality Assurance Professional Certified Software Quality Assurance Professional Certification Code VS-1085 Vskills certification
More informationImproving Residual Risk Management Through the Use of Security Metrics
Improving Residual Risk Management Through the Use of Security Metrics Every investment in security should be effective in reducing risk, but how do you measure it? Jonathan Pagett and Siaw-Lynn Ng introduce
More informationBADM 590 IT Governance, Information Trust, and Risk Management
BADM 590 IT Governance, Information Trust, and Risk Management Information Technology Infrastructure Library (ITIL) Spring 2007 By Po-Kun (Dennis), Tseng Abstract: This report is focusing on ITIL framework,
More informationWorld Intrusion Detection and Intrusion Prevention Systems Markets
Brochure More information from http://www.researchandmarkets.com/reports/365289/ World Intrusion Detection and Intrusion Prevention Systems Markets Description: This Frost & Sullivan research service entitled
More informationIT Governance Dr. Michael Shaw Term Project
IT Governance Dr. Michael Shaw Term Project IT Auditing Framework and Issues Dealing with Regulatory and Compliance Issues Submitted by: Gajin Tsai gtsai2@uiuc.edu May 3 rd, 2007 1 Table of Contents: Abstract...3
More informationInformation security controls. Briefing for clients on Experian information security controls
Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face
More informationCybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
More informationThe Workplace of the Future and Mobile Device Risk ISACA Pittsburgh. May 20 th, 2013
The Workplace of the Future and Mobile Device Risk ISACA Pittsburgh May 20 th, 2013 Companies are leveraging mobile computing today Three major consumption models: 1. Improving productivity Improving employee
More informationMaking Compliance Work for You
white paper Making Compliance Work for You with application lifecycle management Rocket bluezone.rocketsoftware.com Making Compliance Work for You with Application Lifecycle Management A White Paper by
More informationGLOBAL STANDARD FOR INFORMATION MANAGEMENT
GLOBAL STANDARD FOR INFORMATION MANAGEMENT Manohar Ganshani Businesses have today expanded beyond local geographies. Global presence demands uniformity within the processes across disparate locations of
More informationIT ASSET MANAGEMENT Securing Assets for the Financial Services Sector
IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments
More informationEcom Infotech. Page 1 of 6
Ecom Infotech Page 1 of 6 Page 2 of 6 IBM Q Radar SIEM Intelligence 1. Security Intelligence and Compliance Analytics Organizations are exposed to a greater volume and variety of threats and compliance
More informationCOBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)
COBIT 5 For Cyber Security Governance and Management Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) Cybersecurity Governance using COBIT5 Cyber Defence Summit Riyadh, KSA
More informationFeature. Log Management: A Pragmatic Approach to PCI DSS
Feature Prakhar Srivastava is a senior consultant with Infosys Technologies Ltd. and is part of the Infrastructure Transformation Services Group. Srivastava is a solutions-oriented IT professional who
More informationDomain 5 Information Security Governance and Risk Management
Domain 5 Information Security Governance and Risk Management Security Frameworks CobiT (Control Objectives for Information and related Technology), developed by Information Systems Audit and Control Association
More informationEnforcive / Enterprise Security
TM Enforcive / Enterprise Security End to End Security and Compliance Management for the IBM i Enterprise Enforcive / Enterprise Security is the single most comprehensive and easy to use security and compliance
More informationCYBER SECURITY INFORMATION SHARING & COLLABORATION
Corporate Information Security CYBER SECURITY INFORMATION SHARING & COLLABORATION David N. Saul Senior Vice President & Chief Scientist 28 June 2013 Discussion Flow The Evolving Threat Environment Drivers
More informationA Sarbanes-Oxley Roadmap to Business Continuity
A Sarbanes-Oxley Roadmap to Business Continuity NEDRIX Conference June 23, 2004 Dr. Eric Schmidt eschmidt@controlsolutions.com Control Solutions International TECHNOLOGY ADVISORY, ASSURANCE & RISK MANAGEMENT
More informationMICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all
More informationHP and netforensics Security Information Management solutions. Business blueprint
HP and netforensics Security Information Management solutions Business blueprint Executive Summary Every day there are new destructive cyber-threats and vulnerabilities that may limit your organization
More informationHow to Lock Down Data Privacy at the IT Worker Level
About this research note: Management & Staffing notes offer guidance on effectively managing people within an IT operation and dealing with associated leadership, staffing, and project management issues.
More informationGovernance and Management of Information Security
Governance and Management of Information Security Øivind Høiem, CISA CRISC Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector secretary for information
More informationINFORMATION SYSTEMS. Revised: August 2013
Revised: August 2013 INFORMATION SYSTEMS In November 2011, The University of North Carolina Information Technology Security Council [ITSC] recommended the adoption of ISO/IEC 27002 Information technology
More informationCA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes.
TECHNOLOGY BRIEF: REDUCING COST AND COMPLEXITY WITH GLOBAL GOVERNANCE CONTROLS CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes. Table of Contents Executive
More informationThe Role of Internal Audit In Business Continuity Planning
The Role of Internal Audit In Business Continuity Planning Dan Bailey, MBCP Page 0 Introduction Dan Bailey, MBCP Senior Manager Protiviti Inc. dan.bailey@protiviti.com Actively involved in the Information
More informationHP Application Security Center
HP Application Security Center Web application security across the application lifecycle Solution brief HP Application Security Center helps security professionals, quality assurance (QA) specialists and
More informationWhite paper September 2009. Realizing business value with mainframe security management
White paper September 2009 Realizing business value with mainframe security management Page 2 Contents 2 Executive summary 2 Meeting today s security challenges 3 Addressing risks in the mainframe environment
More informationCloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing
Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Executive Summary As cloud service providers mature, and expand and refine their offerings, it is increasingly difficult for
More informationThe Age of Audit: The Crucial Role of the 4 th A of Identity and Access Management in Provisioning and Compliance
The Age of Audit: The Crucial Role of the 4 th A of Identity and Access Management in Provisioning and Compliance Consul risk management, Inc Suite 250 2121 Cooperative Way Herndon, VA 20171 USA Tel: +31
More informationInformation & Asset Protection with SIEM and DLP
Information & Asset Protection with SIEM and DLP Keeping the Good Stuff in and the Bad Stuff Out Professional Services: Doug Crich Practice Leader Infrastructure Protection Solutions What s driving the
More informationAn Implementation Roadmap
An Implementation Roadmap The 2nd Abu Dhabi IT s Forum P J Corum, CSQA, CSTE, ITSM Managing Director Quality Assurance Institute Middle East and Africa Dubai, UAE Quality Assurance Institute Middle East
More informationHow To Manage Information Security At A University
Data Management & Protection: Roles & Responsibilities Document Version: 1.0 Effective Date: December, 2008 Original Issue Date: December, 2008 Most Recent Revision Date: November 29, 2011 Approval Authority:
More informationA Flexible and Comprehensive Approach to a Cloud Compliance Program
A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility
More informationWhite Paper. Imperva Data Security and Compliance Lifecycle
White Paper Today s highly regulated business environment is forcing corporations to comply with a multitude of different regulatory mandates, including data governance, data protection and industry regulations.
More informationITIL based IT management with live alerts and KPI s
ITIL based IT management with live alerts and KPI s This whitepaper describes, as a sample, the deployment of Ba-PRO for IT management as implemented within Ba-PRO development b.v. IT governance (ITIL),
More informationImplementing Change Management in a Regulated Environment
Implementing Change Management in a Regulated Environment Valerie Arraj Managing Director Session 227 Compliance Process Partners Service Management-focused consulting, automation and training organization
More information