Welcome to Modulo Risk Manager Next Generation. Solutions for GRC

Transcription

1 Welcome to Modulo Risk Manager Next Generation Solutions for GRC

2 THE COMPLETE SOLUTION FOR GRC MANAGEMENT GRC MANAGEMENT AUTOMATION EASILY IDENTIFY AND ADDRESS RISK AND COMPLIANCE GAPS INTEGRATED GRC SOLUTIONS GRC SOLUTIONS FROM THE GLOBAL LEADER 5 Reasons to use Modulo Risk Manager

3 THE COMPLETE SOLUTION FOR GRC MANAGEMENT Modulo Risk Manager implements an effective set of solutions for Governance, Risk Management, and Compliance based on a wide range of relevant regulations and standards. It is a comprehensive multi-language web-based platform that automates the entire GRC process in a single platform without an army of consultants. KEY BENEFITS Utilize a common framework to manage all GRC-related processes Perform optimized governance, risk and compliance gap analyses Develop a risk scorecard providing executive management with an enterprise overview of risks, including indices and metrics Achieve results that are aligned with critical regulations and guidelines Produce a business-related enterprise risk profile, and prioritize investments according to each asset's potential impact and importance to the organization Track risk profile evolution Ensure the delivery of a centralized risk and compliance management capability Generate a geo-referenced risk map, automatically sharing the physical location of assets Carry out more efficient and cost-effective audits Manage security requirements in multiple audits, thereby eliminating redundant costs and unnecessary controls Address all requirements for Sox, PCI, HIPAA, GLBA, FISMA, BASEL II, ISO 27001, 25999, COBIT, Shared Assessment in the same solution BS

4 Modulo Risk Manager provides ease of use with the in-depth functionality that is easy to quickly customize for your needs. It is a secure, ready to use solution for proactive identification and remediation of the compliance and risk management process. Modulo Risk Manager is a client, hosted, or cloud-based application which takes advantage of the huge scalability offered by the cloud to run its services, offering an excellent cost-benefit for the flexibility and agility required by your business. Aligned with ISO 31000, a global standard for risk management, the software allows you to measure and control risks, comply with standards and regulations required for your business, and integrate with other solutions for effective and collaborative management of GRC processes. Modulo helps organizations automate the overwhelming challenge of identifying, prioritizing, and responding to regulation deficiencies and risk exposures, by providing a standardized, process-driven platform for consistency, accuracy and repeatability. This results in the visibility, process and knowledge required to effectively reduce compliance gaps and mitigate risk without adding to the GRC management burden in days instead of weeks or months with less resources and reduced costs.

5 GRC MANAGEMENT AUTOMATION Modulo Risk Manager automates the GRC management lifecycle providing the inventory, analysis, evaluation and treatment of risk and compliance programs. Inventory During the Inventory phase, the implementation team maps the organizations' assets, processes, systems, services, and the structure of your organization. The organizational structure tree is fully managed via a browser. It is possible to visualize it according to different criteria: per components and per relevance (other criteria can be defined). Assets (people, processes, environments, technologies, and suppliers) and components are managed through maps and overviews, allowing the location of risks to be viewed through Google Maps and Google Earth. Analysis Modulo Risk Manager automates and streamlines the analysis of compliance gaps in your organization through tools such as automatic and distributed collectors, online interviews, mobile devices (smartphones and iphone) and Excel spreadsheets. The collection of technology assets can be scheduled and executed in asynchronous mode, further streamlining the review process. Vulnerabilities Vulnerabilities Potencial Vulnerabilities /06/ /06/10 You can perform risk analysis of your organization's assets with third-party vulnerability scanners (Nessus, Rapid7, and Qualys) and open source collectors, and store the data in Modulo Risk Manager. Display by Quantity Display by Percentage Level 1 Level 2 Level 3 Level 4 Level 5

6 Evaluation Evaluation of the organizations analyzed risks is performed using reports, dashboards, and treatment simulations. Real-time What-If Scenario Analysis Treatment of non-implemented controls can be simulated, facilitating analysis of the results before making any final decisions. Not Evaluated Accepted Simulation of Risk Evaluation Statistics Before Simulation After Simulation PSR Controls Risk Index Gap Index Residual PSR Controls Risk Index Gap Index Residual (50) (16) 29.2% 12.4% 34.2% Risk: 41.7% 11.0% Gap: 45.2% (19) (16) 9.5% 12.4% 13.0% Risk: 21.9% 11.0% Gap: 24.0% Being Treated 522 (20) 10.4% 13.7% 1518 (51) 30.1% 34.9% Controlled 2418 (60) 48.0% 41.1% 2418 (60) 48.0% 41.1% Risk Treatment Simulation Statistics (PSR) Controlled 52.0% 29.2% 12.4% 9.5% 12.4% 30.1% Identified Being Treated Accepted Not Evaluated 10.4% 48.0% 48.0% 48.0% Analysis Evaluation Simulation Dashboards and reports View dashboards with indicators that provide a visual representation of GRC management performance throughout the organization. Through customizable dashboards, the solution provides integrated information, including indices and metrics for managing and monitoring GRC processes. Treatment The system provides recommendations for treating risks and non-compliance assets identified in evaluations, and prioritizes actions through the Workflow. Risk Management Non-Implemented Controls Compliance Management Non-Compliances Modulo Risk Manager enables events in Workflow Manager to treat non-compliance assets identified in compliance projects. As with the treatment of risks, the treatment of non-compliance assets can be viewed within the context of each project and fully managed in the Workflow module. Risk Treatment Event Workflow Standard Event Non-Compliance Treatment Event

7 EASILY IDENTIFY AND ADDRESS RISK AND COMPLIANCE GAPS Based on knowledge bases and authoritative documents, Modulo Risk Manager delivers quantitative and qualitative information about risks and controls, helping to prioritize actions, support the decision making process, and track and report on improvements as risks are addressed. Modulo Risk Manager s methodology allows clients to calculate a risk index and manage the controls as risks are evaluated and treated. Relevance (1-5) ANALYSIS PHASE RISK Risk= P x S x R CONTROL INDEX Implemented Controls Applicable Controls GAP INDEX Non-Implemented Controls Applicable Controls CONTROLS Probability (1-5) RISK INDEX SECURITY INDEX PSR of Identified Risks PSR of Avoided Risks PSR Severity (1-5) PSR of Applicable Risks PSR of Applicable Risks Modulo Risk Manager helps organizations assess and achieve compliance with regulatory standards including SOX, PCI, ISO 27001, HIPAA, COBIT, FISAP, FISMA, NIST a, BS 25999, A 130, and DOD , and can be customized to assess compliance with additional standards. One Solution for all your Risk and Compliance needs The module Knowledge Management centralizes all relevant functions for the automation of GRC. New editors have been released to enable the creation and management of client methodological content (Interviews, Authoritative Documents, Response Options, Knowledge Bases, Groupings and Types of Control Groupings, CPE's, Threats and Sources of Threats).

8 Knowledge Bases Statistics Total de Knowledge Bases improve image Total Controls Controls Divided by Asset Type 2,5% 2,5% 22,7% 273 Knowledge Bases Divided by Asset Type 50% 40% 30% 20% 10% 0% 2,5% 2,5% 41,7% 53,2% 74,0% 0% 10% 20% 30% 40% 50% 60% 70% 80% Environmet Person Process Technology Environmet Person Process Tecnology Knowledge Base Editing Modulo Risk Manager allows clients to create, query and edit Knowledge Bases and client controls, with support for NIST standards CPE and CCE. Authoritative Documents Editor Modulo Risk Manager comes equipped with several Authoritative Documents that are ready for immediate usage in Governance, Risk and Compliance projects. Customers can create their own Authoritative Documents. Web Interview Editing Create your own web interviews. Polls created in the Knowledge Management module can be used in risk and compliance projects in the form of web interviews. Multiple Compliance Requirements in a Single Solution To facilitate simultaneous compliance assessments with various standards and regulations, Modulo Risk Manager provides cross-references for requirements in common from different frameworks, policies, laws, standards, and regulations, such as SOX, PCI DSS, ISO 27002, BS 25999, Basel II, Shared Assessment Programs and more. Users can map the requirements from authoritative documents provided with the software to authoritative documents created by the organization, such as their own internal policies. These associations facilitate automating and managing multiple audits, evaluating compliance, and adapting to various frameworks, reducing times and costs of these activities.

9 INTEGRATED GRC SOLUTIONS Modulo Risk Manager provides a robust integration solution for rapidly and costeffectively integrating Governance, Risk and Compliance applications and information. Modulo Risk Manager Integration Services is a comprehensive solution using a flexible architecture that allows various applications to be connected with the organization's platforms, operating systems, and databases. The application can be integrated with systems such as vulnerability scanners, directory services via LDAP, and others, allowing users from the organization to work collaboratively and promoting integrated, seamless management of GRC and information security. EVALUATION EARTH TREATMENT HELP DESK CONFIGURATION & EXCEPTIONS API DASHBOARDS SIEM REPORTS WORKFLOW MESSAGE ROUTING FEDERATED AUTHENTICATION AUTOMATED SCHEDULING BUSINESS INTELLIGENCE WORKFLOW LIVE UPDATE CMDB DATA MAPPING DATA COLLECTORS KNOWLEDGE CENTER GRC INTEGRATION SERVICES FOUNDATION APPLICATIONS DISCOVERY DIRECTORY SERVICES ONLINE INTERVIEWS VULNERABILITY SCANNERS POLICY & COMPLIANCE COLLECTORS INVENTORY SCAP ANALYSIS st The 1 Open Source Data Collector for GRC Automation modsic (Modulo Open Distributed SCAP Infrastructure Collector) provides a common platform for developing a service to collect and analyze technology assets based on the open SCAP (Security Content Automation Protocol) standard. Data can be collected based on a custom model or using public knowledge bases through OVAL (Open Vulnerability and Assessment Language), an open and interoperable standard that establishes a global model for transferring information between various security tools and services.

10 GRC SOLUTIONS FROM THE GLOBAL LEADER Modulo is the global leader provider of comprehensive Governance, Risk and Compliance (GRC) management solutions. Founded in 1985, Modulo has gained the trust of over a thousand organizations worldwide with the solutions they need to automate the entire GRC management process to monitor, manage, and sustain adherence to policy and regulations while reducing costs, enterprise risk, and complexity. Modulo is ISO 9001 certified and was the first company in the world to obtain ISO certification the international information security management standard. Our award-winning software, Modulo Risk Manager provides organizations with an integrated GRC management solution. The tool greatly simplifies the management of risk analysis and reporting compliance with market standards and regulations, as well as IT environment governance mandates. Risk analysis is performed using a quantitative, consistent and structured methodology that is based on international risks management rules, standards, and best practices. Modulo has received numerous awards and international recognition including a positive rating in the 2010 Gartner IT Management Marketscope, Modulo Risk Manager is built on a firm foundation and proven approach that allows your enterprise to centrally manage policies and regulations in less time and with less staff. FROM OUR CLIENTS Modulo 'gets it' in terms of understanding the challenges in risk management. They are a strategic partner to us and are extremely well trained and responsive. Modulo proves that it is easy to grow with an IT GRC platform into broader operational and enterprise risk approaches, rather than the other way around. Steven Jones Vice President, Director of Operational Risk We chose Modulo's Risk Manager application as our GRC solution after a careful evaluation. We chose the application not only because of the functionalities but also due to its flexibility to address our GRC requirements. Rinaldo Ribeiro de Oliveira Head of IT GRC & IT Security Deploying Risk Manager and thereby automating the information risk management and regulatory compliance processes at NYUMC has been a successful initiative. We hope to expand the software roll-out to apply this automated model to several different areas. Hai Ngo CSO echiron has made the right decision in using Risk Manager. In this stage of our project, the application has proved to be a valuable tool in the collection and systematization of information, performing these tasks quickly and with minimal disturbance to our team. The tool has also provided us with an integrated view of the several technological, process and human components of the project. It has in fact been a key contributor to the success of the project. Hélio Fortunato Project Manager

11 GRC One Solution Automation for all of your Risk and Compliance needs Cloud in the

12 The Next Generation in GRC management is here today Through its friendly, simple, and intuitive interface, Modulo Risk Manager provides an effective solution for automating and integrating GRC reporting, management, and processes, enabling collaboration, eliminating silos, and reducing costs. Aligned with ISO 31000, a global standard for risk management, the software allows you to measure and control risks, acheive compliance with standards and regulations required for your business, govern information technology (IT) and information security (IS), and execute effective and collaborative management of GRC processes. Modulo Risk Manager is a cloud-based application which takes advantage of the huge scalability offered by the cloud to run its services, offering an excellent cost-benefit relationship in addition to the flexibility and agility required by your business. Policy Threat Asset Risk Remediation Workflow GRC Management Governance Incident Compliance Audit Business Continuity All in one! Vendor Risk Management Manage risks associated with partner, supplier, and third-party relationships, ensuring that the standards and policies established by your organization are fulfilled. Corporate Finance Trading & Sales Retail Banking Comercial Banking Analyze the organizations' risks with robust reports, charts, and map suppliers to associated processes. Market Making Finance Treasury Sales Card Services Proprietary Positions Advisory Services Retail Banking Private Banking Policy Management The solution allows centralized management of the creation, approval, and acceptance of organizational policies, providing a consistent set of controls for external and internal policies. Vendor 7 Vendor 5 Vendor 6 Vendor 3 Vendor 1 Vendor 4 Vendor 2 Compliance Management Automate verification of compliance and reduce duplicate controls, implementing a centralized and efficient process for managing compliance. Possible flaws and gaps in the regulatory compliance process with various standards such as SOX, ISO, PCI, Basel II, BS 25999, Shared Assessment, and others can easily and simultaneously be identified, organized, and addressed. Comparison of Project Phases Number of Requirements 50.0% 100.0% 100.0% 50.0% Analysis Evaluation Treatment Non-fulfilled Partially Compliant Fulfilled Not Evaluated Accepted Being Treated Open Treated Number of Objects Non-fulfilled Partially Compliant Audit Management Identify your organization's weaknesses before auditors arrive, keep controls and evidence in a centralized repository, and reduce time and costs with redundant audits. 66.7% 100.0% 100.0% 33.3% Analysis Evaluation Treatment Fulfilled Not Evaluated Accepted Being Treated Open Treated

13 Business Continuity Management Automate business continuity management by creating and dynamically updating information referring to plans and procedures for disaster recovery and crisis management. Workflow Events by Status Open: 93% Closed: 7% Incident and Workflow Management Treatment of risks and non-compliant assets in the organization are monitored through a comprehensive incident and workflow management system, providing visibility and remediation of events across the organization Events by USR Level Very Low: 26% Medium: 26% High: 42 % Very High: 5% Through Modulo Risk Manager's workflow module customers have a clear perspective of tasks and activities that have been scheduled, completed, or require action % 31.60% 40.56% of controlled risks SECURITY INDEX 59.44% of identified risks RISK INDEX 2.36 % 6.29 % Very Low: 0.00% Low: 2.36% Medium: 31.6% High: 59.75% Very High: 6.29% IT and Enterprise Risk Management Identify and proactively treat your organization's risks, providing a clear overview on the critical processes and assets. Using our GRC Metaframework, a robust methodology aligned with ISO 31000, you can inventory, analyze, evaluate, and treat risks, supporting the decision-making process and the prioritization of actions and resources. Obtain graphs and reports that allow management to compare risk indicators and establish priorities for implementing controls and investments. IT and IS Governance Through market standards and best practices, you can implement a management and monitoring model that facilitates technology and information security governance in a way that is fully transparent and aligned with the organization's objectives. Using pre-set indicators and alerts to monitor the performance and consistency of governance, Modulo Risk Manager helps organizations realize the benefits of IT and IS governance. Information Security Management Using Modulo Risk Manager, you can implement an information security management system based on international standards, such as ISO 27001, using a proven approach of inventory, analysis, evaluation, and treatment activities. You can perform risk and vulnerability analyses for your organization's assets as well as integrate with the Nessus, NeXpose, and Qualys vulnerability scanners, such that information collections can be scheduled and stored in Modulo Risk Manager itself. With powerful security controls, Modulo Risk Manager enables multiple audits, thereby reducing costs, eliminating silos, and facilitating better decision-making processes. You can create and manage indicators related to information security, easily perform analyses, and quickly monitor the results.

14 About Modulo Modulo is a Brazilian company with a global presence, specialized in providing automated solutions for Governance, Risk Management, and Compliance (GRC). With over 25 years of experience, Modulo is active in the software, consultancy, and educational fields. The first information security company in the world to be ISO certified, Modulo has clients from the most varied sectors, having participated in internationally recognized projects such as the Brazilian electronic elections, income tax delivery via the internet, and the Brazilian Payment System (SPB). In the XV Pan American Games held in Rio de Janeiro in 2007, Modulo provided the software program Modulo Risk Manager, used to manage, prevent, monitor, and control risks, incidents, and crises throughout the entire event. Awards recently received include the international 2010 Product Innovation Award, Global Product Excellence Awards Customer Trust 2010 in the category of best auditing solution, and Hot Company 2009, in addition to the FINEP Innovation Award in the mid-sized company category for the Southeast Region of Brazil. Contact us for more information Toll free: US: +1 (973) UK: +44 (0)