PROTEUS Enterprise - IT Governance, Risk and Compliance Management Solution

Transcription

1 PROTEUS Enterprise - IT Governance, Risk and Compliance Management Solution

2 1. The Challenge Large enterprises are experiencing an ever increasing burden of regulation and legislation against which they have to demonstrate compliance. To make matters worse, this myriad of legislation occurs in different areas, for example financial regulation, corporate governance, environmental issues, health & safety and industry sector specific. This problem is not going away and is further compounded by having to map the standards against the company s businesses processes. The mapping will expose the areas of noncompliance, the potential financial consequences, and the need to combine this with other existing risk management practices. Large enterprises no longer see these functions as separate project-based activities, but as a composite framework that guides people, standardizes processes, and integrates technology at every level in the organization, and throughout the supply chain. The increased need for enhancing governance, risk and compliance, and fraud avoidance is driving organizations towards unified Governance Risk, Compliance and Fraud (GRC&F) strategies. As has been identified from Gartner most large Enterprises need to adopt convergence of corporate governance and compliance with multiple standards, risk and fraud management in one unified solution.

3 2. Our Solution Proteus Enterprise, developed by the UK company InfoGov Ltd and recognised by Gartner, provides the solution through converging Corporate Governance, Compliance, Risk and Fraud Management into one web-based tool. Proteus Enterprise addresses multiple business needs Do you need to comply with several Standards? Proteus Enterprise web-based application is fully developed and easily deployed. It enables troublefree management of your Governance, Risk and Compliance (GRC) challenges - online. Are you a public, industry or corporate body? Proteus Enterprise handles any standard, and crossrefers clauses and controls to minimise workloads. Do you want to create a compelling shared GRC web-based environment? Demonstrably effective and efficient governance, risk and compliance is now essential to your reputation in the international market place. Multiple standards automated through Proteus Enterprise will enable and sustain this. Do you need assurance that your compliance challenges are being managed to the minute but there is too much detail? Or some of your services are outsourced and you have no visibility of compliance? Do you need to delegate a compliance task? Proteus Enterprise comes with a compelling desktop traffic light system that allows you to see green, amber or red status, and then drill down as you wish to see where and what the challenges and issues currently are. Tasks may be delegated to anyone, anywhere on the worldwide web - or mobile phone - with full traceability and reporting. And they don t need to buy a copy because Proteus Enterprise is sold sitebased, not by individual license. So it s not expensive to deploy to all your people. Confidential Page 3 of 13

4 Do you want an internationally recognised governance, risk and compliance utility? How do you implement and manage BS or BS ISO and a multiplicity of other standards, including risk management in one solution? Do you need a round table review of current actions because your reporting is taking too long, perhaps up to six months or more? Proteus Enterprise is recognised by Gartner and automates absolutely any legislation, regulation or standard - not just business continuity or information security. Operating across business lines in one web-based environment, Proteus Enterprise reinforces teamwork - from the Board down. The egrc utility - Proteus Enterprise provides compliance, risk, information and knowledge audits and assessments electronically, with remediation, action planning, incident and asset management, gap and business impact analysis and business continuity too. It also provides on-line policy and document management. Compliance with any Standard involving such challenges as fraud, crisis, identity and data management is evidenced through Proteus Enterprise, on-line. Proteus Enterprise has an absolutely compelling generic and bespoke on-line reporting utility. With Proteus Enterprise GRC performance reporting is instant. Proteus Enterprise brings together and links controls, compliance, business impact, risk analysis, documentation and incident management into one total solution. Proteus RiskView provides a powerful business intelligence dashboard and reporting capability allowing real time visibility of risks at Board level via the web. Using Proteus Enterprise, companies can perform any number of online compliance audits against any standard and compare between them. They can then assess how deficient compliance controls affect the company both financially and operationally by mapping them on to its critical business processes. Proteus Enterprise then identifies risks and mitigates those risks by formulating a work plan, maintains a current and demonstrable compliance status to the regulators and senior management alike. Proteus Enterprise works with the company s existing infrastructure and uses RiskView to bridge the gap between the technical / regulatory community and senior management by presenting the distilled information in a graphical 'dashboard' placed on their desktop. Confidential Page 4 of 13

5 Proteus Enterprise Features Proteus Enterprise is one comprehensive system that includes, Online Compliance & Gap Analysis, Business Impact, Risk Assessment, Business Continuity, Incident Management, Asset Management, Organisation Roles, Policy Repository and Action Plans, all from an Information Security Management perspective! Its Compliance engine supports any standard (International, Industry and corporate specific) and is supplied with a choice of comprehensive template questionnaires. The system is fully scalable and can size from a single user up to the largest of multinational organisations. The product maintains a full audit trail, every function, every action and decision is recorded for future reference. It can perform online audits for both internal departments and external suppliers. Fully supports BS ISO/IEC 27001, BS ISO/IEC 17799, PCI, ISF SOGP, NIST Combined Code, Sarbanes Oxley, GLB, Data Protection Act, Freedom of Information Act, Caldicott, Basel II, BS25999, Civil Contingency Bill as well and custom created questionnaires. It uniquely shares information between Business Impact and Risk Assessment that allows you to much more accurately assess your risk. Proteus RiskView presents real-time Corporate Governance, Compliance and Risk information directly to the board in a graphical format. The workflow engine helps you collect, collate and keep your compliance and corporate governance programme on-track. Industry leading reporting using Business Objects (Proteus includes many standard reports but custom reports can be user defined using a graphical drag and drop interface). Proteus Enterprise is composite from three modules, the Compliance, the Manager and RiskView Module. The product Architecture is as following: Confidential Page 5 of 13

6 Proteus Enterprise Architecture Confidential Page 6 of 13

7 Compliance module 1.1 Gap analysis Gap Analysis can automate any type of Standard or Regulation you need to comply with 1.2 Compliance delegation 1.3 Multiple users 1.4 Multiple sites A site is either a physical location, a logical or legal entity. Sites are organised as you see your company For example, country, then division, then sites or business process e.g. manufacturing, research etc Each site has its own compliance, assets, risk assessments, action plans, business processes, continuity plans, incidents, policies & procedures, and external suppliers 1.5 Multiple questionnaires Each site can be linked to questionnaires which perform gap analysis against International standards or Industry best practice. Questionnaires are used to assess the adherence to company standards and policies. Every answer is available for audit 1.6 Authoring 1.7 Work flow Delegation & workflow management gathers information from subject matter experts Manager module 2.1 Business Objects reporting 2.2 Open interface 2.3 Asset Register Manage critical IT systems, information assets, services and their interrelationships 2.4 Business impact & Establish process criticality, asset dependency and disaster Business Continuity recovery criteria 2.5 Risk assessment Establish asset value by business process, threat, risk exposure and generate action plans. 2.6 Incident Management Manage security incidents by legal entity Confidential Page 7 of 13

8 2.7 Document control Manage all Security & Risk Management Policies and Procedures in a central repository 2.8 Action plans Generate action plans for Risk Assessment, Business Impact, Business Continuity, Incidents 2.9 Sign-off workflow RiskView (Not Offered within that Proposal) 3.1 Global status view Proteus RiskView bridges the gap between the technical, regulatory compliance, risk communities and senior management within your organisation. 3.2 Real time dashboarding amount of security information gathered within your Proteus RiskView can display and report on an enormous organisation and display it within a real time dashboard view. 3.3 Impact modeling 3.4 User designed dashboard 3.5 Alert Module 3.6 Open interface Proteus RiskView is designed to integrate with the information and systems you have within your organisation via its Open Interface, gathering and combining with the existing data, the Enterprise suite can produce extremely powerful reports, unsurpassed in the industry to date. Confidential Page 8 of 13

9 Features Detailed 1.1 Compliance Gap Analysis Complete web based questionnaire system. On-line authoring of questionnaires, incl. question templates, scores, weightings, logical branching, help text, risk ranking, reporting groups, implications and deliverables o Comprehensive questionnaire template library available to give you a head start on the compliance you want to achieve, e.g: o BS ISO/IEC 17799:2005 o BS ISO/IEC 27001:2005 o BS o NIST o FISMA o ISF SoGP o ISF HC (ISF Members only) o Physical Security o Data Protection Act (DPA) o Payment Card Industry Data Security Standard (PCI DSS) o Civil Contingency Act (CCA) o Freedom of Information (FOI) o Plus more.. Self authoring of your own corporate standards. Question delegation gets the right question to the right Subject Matter Expert giving more timely and accurate information. All actions are available for audit. e.g. who answered what and when. All uploaded policies and procures are collected into a central repository and available for audit. Full workflow management with automated announcement and reminders. Graphical view of progress and status. 2.4 Business Impact Analysis Business Impact can be analysed quickly and easily using a graphical five stage process. All changes are logged and available for audit. Templates provided for Operational and Financial Disruptions. You can define an asset s contribution to a process. Confidential Page 9 of 13

10 Critical business processes are automatically assessed for threats to required assets. Action plans can be used to build a process re-engineering investment case. Processes automatically trigger Business Continuity assessment. Business processes can be reviewed and approved by non your GRC&F utility users using encrypted and PDFs 2.4 Business Continuity Business Continuity assessments can be performed quickly and easily using a ten stage graphical process. Template support services lists are provided as standard. Work around procedures can be uploaded or linked to a continuity assessment. Critical data can be identified and its handling assessed. Recovery Time Objectives can be applied to a process Availability of paper based records can be recorded. Work in progress, backlog and process dependencies can be identified. A continuity process can be cross-referenced to other critical process dependencies. A work group or contact list can be defined should a continuity incident arise with the process. 2.5 Risk Assessment Risk assessments can be performed quickly and easily using a graphical five-stage process. All changes are logged and available for audit. An asset s importance is evaluated by its CIA assessment, its value & contribution to the process(es) it supports. Threat & countermeasure template lists are available relating to ISO, BSI and ISF publications. Threats and countermeasures can be applied to generic asset types. Threats & countermeasures can be inherited from the asset s location e.g. datacenter. Threats are inherited from related assets. e.g. a CRM database (information asset) will inherit threats from the Server (physical asset) it runs on. Action plans or work packages can be evaluated to calculate a Return On Security Investment (ROSI). Action plans maintain a feed-back loop for corrective actions. Risk assessments can be reviewed and authorised outside of your GRC&F utility using encrypted s and PDFs. Comprehensive Risk Matrix plotting Risk vs Business Impact. Confidential Page 10 of 13

11 Using your GRC&F utility you can graphically picture risk exposure. Si views (charts, graphs, reports etc.) can be customised and published to your Intranet for viewing independently of your GRC&F utility. 2.6 Incident Management Raise, define, categorise, prioritise and grade the severity of an incident. Identify & manage an incident team to bring the incident to a conclusion. Maintain a fully auditable log of events as the incident lifecycle is played out. Cross reference an incident to failed controls and affected assets. Automatically view the policies & procedures associated with an incident. Automatically generate management reports that show the potential impact to the business in PDF, Word or Excel format. Use your GRC&F utility to graphically view multiple occurrences of the same types of incidents. Set up closed user groups for sensitive investigations. 2.7 Document Control Policies and Procedures are collected into a central repository. Procedures are uploaded by subject matter experts. All Policies, procedures or Control test documents are available for audit. Documentation can be viewed via related controls linked to Assets. You can use your existing document control system. Multiple revisions of a document can be stored and archived. Documents requiring review are highlighted. Documents can be linked to multiple Standards and Controls, reducing duplication. 2.8 Action plans Action plans can be used to schedule work packages. Action plans can be used to build investment cases. Action plans can be reviewed and authorised by users outside of your GRC&F utility using encrypted links. Action plans can be initiated from all critical areas of the system. All actions are logged and available for audit. Threat Countermeasures are automatically converted to action plan tasks. Completed Countermeasures are automatically applied to Risk Assessments. Confidential Page 11 of 13

12 RiskView RiskView distils the detailed information inside your GRC&F utility into a management focused graphical format Real time compliance, business impact, risk assessment and incident views Global risk, compliance or threat status View risks by categories, e.g. assets, business impact, continuity or disaster recovery Financial impact of risks, control failures or incidents on the business Threat exposures Residual risk Visualise how risk and impacts inter-relate using the relationships browser Helps you build an investment using the action plans, work-flow and task management Compliance schedules Extensive template views covering all areas of the product Integrates a graphical reporting engine from Business Objects Supports design of custom reports using a drag and drop report designer 3.5 Alert Module With P.A.M you can add a primary & secondary alert category to an Asset, Business Process, Policy or Incident. Each combination of alert categories can have their own instructions on the best course of action after the incident occurs, who to contact, and how, by either by SMS or or both. When an alert message is received, the authorised user is prompted to login to Proteus with the P.A.M number given in the message. Once logged in the user is then taken directly to the alert information. P.A.M will show the incident details, the potential operational and financial impact to the business, the potential assets affected, who has been contacted and a full history of what s been done to mitigate the incident so far. P.A.M provides an interface that can be branded to your company and made available on your companies intra-net. An example of a primary & secondary alert category might be 'Theft', then 'Customer Data' respectively. So say a laptop or blackberry was stolen and it had private data on, then an Alert message will be generated. Confidential Page 12 of 13

13 Upcoming Futures - Integrating fraud management strategies within Proteus Enterprise Over recent years these reports and the Government s Fraud Review have led to recognition of the need for the development of a National Fraud Strategic Authority and a National Fraud Reporting Centre, yet the business approach to fraud remains fragmented through the lack of a standard. The Publicly Available Specification (PAS 8000), a fast-track standard expected to be available in September 2008, will provide organizations with a framework for managing the prevention of all types of commercial and industrial fraud. Among other things it will define terms and definitions within the area of fraud management and set the norm for good practice. Due to an unrelenting rise in the many different types of fraud, InfoGov is to supply its Proteus EnterpriseTM governance, risk and compliance solution as the underpinning technology for the British Standards Institution s forthcoming standard (PAS 8000) on fraud prevention and detection, sponsored by Telsecure. Confidential Page 13 of 13