Governance, Risk, Compliance


A SEARCHCOMPLIANCE.COM/SEARCHSECURITY.COM E-BOOK

POLICY MANAGEMENT: METHODS AND TOOLS

IT managers are looking to governance structures and the discipline of risk management to help them make decisions and create sustainable processes around regulatory compliance.

Risk Management: The Right Balance
A Risky Approach
Buyer Beware: The Complexities of Evaluating GRC Solutions

Risk Management: The Right Balance

Information security is a business issue and not an IT issue, and must involve a cross-functional approach.

BY ERIC HOLMQUIST

ONE OF THE most critical components of any information security program is the risk assessment. It is also one of the most misunderstood and poorly executed. In truth, a good information security program is not based on one risk assessment, but a series of them at various levels of granularity. For instance, an organization with Web servers is likely to hire an outside security firm to perform a specific vulnerability assessment on those servers. But every organization, regardless of size, complexity or business model, should have a core, enterprise-wide information security risk assessment that is foundational to its risk management activities.

This foundational aspect highlights one of the central challenges of developing this risk assessment, and that is the tension between managing risk by intuition versus by fact. This is particularly pronounced in the field of information security, because there is a perception that the risk is obvious: that the data could be compromised. Therefore, people often have a tendency to build controls based largely on their perception of the risks without fully analyzing exactly where the risks are and then focusing a commensurate amount of mitigating activities on those areas.

A holistic, risk-based approach to managing information security (IS) will always be a balance between intuition and some sort of framework. The challenge is in finding that balance and using a framework that is relevant, culturally acceptable and actionable. The purpose of this article is to outline one framework for assessing information security risk based entirely on awareness and accountability.

The worst possible approach that an organization could take in developing an information security risk

assessment would be to task it to IT to develop. Information security is not solely an IT issue; it is a business issue and must be managed that way. In that light, the first structural elements of the information security risk assessment are the focal points, which are:

Information systems (IT)
Electronic data (business heads)
Physical files (department heads)
Third parties (relationship owners)

What is critical to note here is that each of these four areas has a distinctly different owner. It is reasonable to ask IT to take ownership of the internal systems and to assess the inherent risk to those systems. The other three areas, however, are each represented by unique business owners. Whereas IT should be asked to document and assess the systems infrastructure, this is different than the actual data. It would be unreasonable to expect the IT staff to be in every case intimately aware of exactly what data is being populated into every data source, particularly things like analytic and ad hoc reporting databases. Instead, these should have specific business owners that can identify the use and content of every database. Likewise, department heads must be responsible for documenting what they maintain in physical files within their respective areas and third-party business owners must be responsible for certifying their third parties in terms of what information is shared with them and what controls are utilized by those third parties. When viewed in this context, it becomes immediately obvious why information security is a business issue and not an IT issue, as it must involve a cross-functional approach.

Next, in terms of developing a rough calculation of actual information security risk, the following methodology is one I have developed over the years, which has proved fairly effective as a tool to help prioritize efforts and validate the application of internal controls. IS risk can be generally grouped into four broad categories:

What is at risk?
What would be the impact?
What could be the source?
What can we mitigate?

We'll look at each one of these briefly to consider the parameters to be evaluated and how these factors contribute to an overall risk score.

What is at risk? This is the data categorization step. Every organization should utilize some form of data categorization strategy to help define its data sources. In my model I use five categories: Customer/applicant, corporate, operational, prospect and

third party. Within each of these I use a subcategorization of confidential, sensitive or public to indicate level of confidentiality. Therefore, we first ask how much and what type of data resides within any given system, database, physical area or third party. These quantity plus sensitivity values create the first data point.

What would be the impact? The second factor is an impact factor in the event of a data compromise. This category is made up of four criteria: Financial, operational, regulatory and reputation. The score in this case represents the degree of impact within each of those four criteria, which would be somewhat dependent on the data categorization but may consider other factors as well.

What could be the source? This category contains five values: a person inside the company, a person outside the company, a system inside the company (that, say, malfunctioned, inadvertently exposing data), a system outside the company and a natural disaster. Within this category the weight factor is the degree of likelihood, which is represented both by the number of people or systems involved (the more people accessing a given database, the more source risk there is) as well as some estimate of the likelihood of something going wrong. This is the assessment category that is used to capture things like systems vulnerabilities as well as scope of data access.

What can we mitigate? Finally, whereas the previous three areas provide an increase in risk scores, this area reduces those scores. The three aspects of mitigation are prevention, monitoring and recovery. Unfortunately, the best that one can usually expect is a high score under prevention, a moderate score under monitoring (since some data movements can be monitored) and virtually no score under recovery, since once the data is gone, it's gone and you're not going to get it back.

The important thing to remember is the goal is not to develop a perfect risk score. The goal is to understand which systems, databases, physical environments and third parties are riskier than others, which should provide a basis to prioritize controls and risk management activities. The fact is there is no perfect model for assessing information security risk. The key is to develop something and use it to create dialogue. The real value in this exercise is not necessarily the numbers that are produced, but the awareness that it creates in researching and analyzing data sources and potential risks. Anything that increases awareness and accountability is a good thing.

Eric Holmquist is a consultant and former director of operational risk management at Advanta Bank Corp. Write to him at echolmquist@verizon.net.
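The four-question scoring model described in this article, worked through as an added example (not the author's own worksheet or code). The article names the categories but gives no scales or formula, so the 0-5 ratings, the sensitivity weights, the 0-10 normalization and the additive combination are assumptions of this example, and the sample assets are constructed.

```python
from dataclasses import dataclass

# Category names come from the article; every numeric scale is an assumption.
FOCAL_POINTS = ("information systems", "electronic data", "physical files", "third parties")
DATA_CATEGORIES = ("customer/applicant", "corporate", "operational", "prospect", "third party")
SENSITIVITY = {"public": 1, "sensitive": 3, "confidential": 5}
IMPACT = ("financial", "operational", "regulatory", "reputation")
SOURCES = ("person inside", "person outside", "system inside",
           "system outside", "natural disaster")
MITIGATION = ("prevention", "monitoring", "recovery")


@dataclass
class Asset:
    name: str
    focal_point: str   # one of FOCAL_POINTS
    owner: str         # the accountable business or IT owner
    holdings: dict     # data category -> (sensitivity label, quantity 1-5)
    impact: dict       # impact criterion -> degree of impact 0-5
    sources: dict      # source -> likelihood 0-5
    mitigation: dict   # mitigation aspect -> strength 0-5


def _factor(ratings, keys, label):
    """Average one factor's 0-5 ratings onto a 0-10 scale, rejecting gaps."""
    if set(ratings) != set(keys):
        raise ValueError(f"{label}: rate exactly {', '.join(keys)}")
    if any(not 0 <= ratings[k] <= 5 for k in keys):
        raise ValueError(f"{label}: ratings must be between 0 and 5")
    return 2 * sum(ratings[k] for k in keys) / len(keys)


def score(asset):
    """Return inherent and residual scores for one asset."""
    if asset.focal_point not in FOCAL_POINTS:
        raise ValueError(f"{asset.name}: unknown focal point {asset.focal_point!r}")
    if not asset.owner.strip():
        raise ValueError(f"{asset.name}: no accountable owner recorded")
    if not asset.holdings:
        raise ValueError(f"{asset.name}: no data holdings categorized")
    # What is at risk? Quantity plus sensitivity; the worst holding sets the value (2-10).
    at_risk = 0
    for category, (label, quantity) in asset.holdings.items():
        if category not in DATA_CATEGORIES or label not in SENSITIVITY:
            raise ValueError(f"{asset.name}: bad holding {category!r}/{label!r}")
        if not 1 <= quantity <= 5:
            raise ValueError(f"{asset.name}: quantity must be between 1 and 5")
        at_risk = max(at_risk, quantity + SENSITIVITY[label])
    impact = _factor(asset.impact, IMPACT, "impact")
    source = _factor(asset.sources, SOURCES, "source")
    # The first three factors raise the score; mitigation lowers it.
    inherent = at_risk + impact + source
    residual = max(0.0, inherent - _factor(asset.mitigation, MITIGATION, "mitigation"))
    return {"asset": asset.name, "owner": asset.owner,
            "inherent": round(inherent, 1), "residual": round(residual, 1)}


def rank(assets):
    """Order assets from riskiest to least risky by residual score."""
    return sorted((score(a) for a in assets), key=lambda r: r["residual"], reverse=True)


def _r(keys, *values):
    """Pair factor names with ratings given in the same order."""
    return dict(zip(keys, values))


# Constructed sample inventory, one asset per focal point.
SAMPLE_ASSETS = [
    Asset("core account server", "information systems", "IT operations",
          {"customer/applicant": ("confidential", 5)},
          _r(IMPACT, 5, 4, 5, 5), _r(SOURCES, 3, 3, 2, 2, 1), _r(MITIGATION, 4, 3, 0)),
    Asset("ad hoc reporting database", "electronic data", "marketing analytics head",
          {"customer/applicant": ("confidential", 4), "prospect": ("sensitive", 5)},
          _r(IMPACT, 4, 2, 5, 4), _r(SOURCES, 4, 2, 2, 1, 1), _r(MITIGATION, 1, 0, 0)),
    Asset("HR paper files", "physical files", "HR department head",
          {"corporate": ("confidential", 2)},
          _r(IMPACT, 2, 1, 3, 3), _r(SOURCES, 2, 1, 0, 0, 2), _r(MITIGATION, 3, 1, 0)),
    Asset("print-and-mail vendor", "third parties", "vendor relationship owner",
          {"customer/applicant": ("confidential", 3), "third party": ("sensitive", 2)},
          _r(IMPACT, 3, 2, 5, 4), _r(SOURCES, 1, 3, 1, 3, 1), _r(MITIGATION, 2, 1, 0)),
]

if __name__ == "__main__":
    print("resid  inher  asset (owner)")
    for row in rank(SAMPLE_ASSETS):
        print(f"{row['residual']:5.1f}  {row['inherent']:5.1f}  {row['asset']} ({row['owner']})")
```

With these constructed ratings the ad hoc reporting database outranks the core server on residual score despite a lower inherent score, because almost nothing mitigates it.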


A Risky Approach

A risk-based methodology to regulatory mandates is all the rage in compliance circles, but it's not for beginners.

BY LINDA TUCCI

WHEN CANDY ALEXANDER lists the compliance obligations of the Greenland, N.H., insurance company where she runs security, she homes in on the Federal Information Security Management Act of 2002 (FISMA). That's because Long Term Care Partners LLC, formed in 2002 to provide federal long-term care insurance and administer medical benefits for federal employees, is a U.S. prime contractor.

"If we are not compliant with FISMA we don't run the business," says Alexander, chief information security officer at Long Term Care Partners, owned jointly by Boston-based John Hancock Life Insurance Co. and New York-based Metropolitan Life Insurance Co. "That's our first and foremost compliance driver."

Ranking second on Alexander's list are the data privacy laws enacted by 44 states. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) comes in a close third. But dare to suggest these big three mandates drive her organization's security strategy, and Alexander sets the record straight.

"I have been in organizations where my main focus was to meet compliance, nothing more, nothing less. People who are doing security for compliance purposes are putting their organizations at risk," Alexander says. Regulations, she adds, should be the baseline.

Alexander practices what's known in compliance circles as a risk-based approach to regulatory mandates, as opposed to compliance by checklist. What constitutes a risk management strategy for compliance differs depending on who's talking. But the gist is this: Rather than allowing the ever-multiplying regulatory mandates to determine its compliance program, an organization focuses on the threats that really matter to its business (operational, financial, environmental and so on) and implements the controls and processes required to protect against them.

"You need to do information security, not to meet compliance but to protect the business. There is a huge difference between those two methodologies," Alexander explains.

PROTECTING THE BUSINESS FROM RISK

Focusing on protecting the business will result in a risk program that, in theory, will answer compliance regulations but in some cases go well beyond the mandate. A risk management approach, say advocates, also saves money by reducing the redundant controls and disparate processes that result when companies take an ad hoc approach.

The scope of protection against threats and degree of compliance depends on an organization's risk appetite. The appetite for risk can wax and wane, depending on externalities such as a data breach, a global economic crisis or an angry mob of customers outraged by executive pay packages. When companies are making big profits, they can spend their way out of a compliance disaster. In financially rocky times, however, there is much less margin for error.

IT pros like Alexander and a variety of experts suggest that while a risk-based approach might be the right thing to do, it is also difficult, requiring:

Defining the organization's risk appetite.
Inventorying the compliance obligations facing the organization.
Understanding the threats that put the various aspects of the business at risk.
Identifying vulnerabilities.
Implementing the controls and processes that mitigate those threats.
Measuring the residual risk against the organization's risk appetite.
Recalibrating the organization's risk appetite to reflect internal and external changes in the threat landscape.

A risk-based approach to compliance requires a certain level of organizational maturity and, some experts hasten to add, is ill-advised for young companies. Risk-based compliance can be done manually, or by Excel spreadsheets, but vendors promise that sophisticated governance, risk and compliance (GRC) technology platforms will ease the pain. Meantime, those baseline compliance regulations still need to be met to an auditor's satisfaction.

$1 MILLION CONTROL FOR $100K WORTH OF RISK

The assumption in a risk management approach to compliance is the business knows best about the risk level it can tolerate. But there's the rub, says Eric Holmquist, a risk management expert.

"When it comes to risk management, getting your head around a tolerance level is extremely difficult," says Holmquist, former director of operational risk management at Advanta Bank Corp. Then there's the dirty little secret of every organization, he adds. For hundreds of years, businesses have been managing risk intuitively. I perceive there to be a risk; therefore I build a control. But most controls are built to a perception of the risk and a perception of the scope of the risks, without really stopping to consider what is the real risk and is this the right control.

By not doing the risk-benefit analysis, companies get the controls wrong. "I can't tell you how many times I've seen a $1 million control mitigating a $100,000 risk," Holmquist says. That's putting a good face on it.

PAYING THE PRICE: HOW MUCH IS BEING SPENT ON IT?
A look at where regulatory compliance requirements spending fits into the overall IT budgets for North American (NA) and Europe, Middle East and Africa (EMEA) companies.
[Table: percentage of 2006 budget allocated, by number of employees for EMEA and NA and for all EMEA and all NA, to: transforming the business; strengthening competitive position; improving productivity and efficiency within IT organization; improving productivity and efficiency outside IT organization; operations (running and supporting the business); maintaining/improving IT staff skills; meeting regulatory requirements; maintaining/improving information security; other.]
SOURCE: GARTNER INC. SURVEY OF IT MANAGERS (JANUARY 2007)

Back in the 1970s, Ford Motor Co. was sued for allegedly making the callous calculation that it was cheaper to settle with the families of Pinto owners burnt in rear-end collisions than to redesign the gas tank. The case against Ford, as it turns out, was not so cut and dried, but the Pinto lives on in infamy as an example of a company applying a cost-benefit analysis and opting against the public welfare.

"Regulations introduce externalities that risk management itself would not have brought to bear," says Trent Henry, a security analyst at Midvale, Utah-based Burton Group Inc. Regulations make it a cost of doing business.

A recent example concerns new laws governing data privacy. For many years in the U.S., companies that collected personally identifiable information owned that data. In the past, losing that information didn't hurt the collector much but could cause great harm to the consumer, Henry says, hence the regulations.

But the degree to which a business decides to meet the regulation varies, depending once again on its tolerance for risk. Organizations must decide whether they want to follow the letter of the law to get a checkmark from the auditor, Henry says, or more fully embrace the spirit of the law.

"Is your philosophy as an organization minimal or maximal? And if it is minimal, you may decide that it is worth it to get a small regulatory fine rather than comply," he says.

Indeed, businesses now are cutting costs so narrowly that some know their controls are inadequate and are choosing not to spend that $1 million to put the processes, the people and infrastructure in place for that $100,000 fee, Henry says, echoing Holmquist. They calculate they're still $900,000 ahead. But don't expect a business to own up to that. They never let that cat out of the bag.

SOX DRIVES RISK MANAGEMENT STRATEGY

Compliance is expensive. It is hardly surprising that companies are looking for ways to reduce the cost of compliance or, better yet, use compliance to competitive advantage. According to Boston-based AMR Research Inc.'s 2008 survey of more than 400 business and IT executives, GRC spending totaled more than $32 billion in 2008,

a 7.4% increase from the prior year. The year-over-year growth was actually less than the 8.5% growth from 2006 to 2007, but the data shows that spending among companies is shifting from specific GRC projects to broad-based support of risk. In addition to risk and compliance, respondents told AMR they are using GRC budgets to streamline business processes, get better visibility to operations, improve quality and secure the environment.

"In prior years, compliance as well as risk of noncompliance was the primary driving force behind investments in GRC technology and services. GRC has emerged as the new compliance," says AMR analyst John Hagerty.

Folding regulatory mandates into the organization's holistic risk strategy gained momentum in the wake of the Sarbanes-Oxley Act of 2002 (SOX), one of the most expensive regulations imposed on companies. SOX was passed as a protection for investors after the financial fraud perpetrated by Enron Corp. and other publicly held companies, but it was quickly condemned by critics as a yoke on American business, costing billions of dollars more than projected and handicapping U.S. companies in the global marketplace.

Indeed, the law's initial lack of guidance on the infamous Section 404 prompted many companies to err on the (expensive) side of caution, treating the law as a laundry list of controls. By 2007, under fire from business groups, the Securities and Exchange Commission and Public Company Accounting Oversight Board issued a new set of rules encouraging a more top-down approach to SOX.

"There are certain areas mandated you wouldn't want to meddle with, it is legal and no exceptions, but instead of checking every little box, companies were advised to take a more risk-based approach," says Ravi Shankar, head of assurance services at Capgemini's business process outsourcing division in Bangalore, India.

STABLE PROCESSES VS. COMPLIANCE WHACK-A-MOLE

Risk management frameworks are not new, and neither, really, is a risk-based approach to compliance,


Shankar points out. But the strategy has been gaining ground, driven in large part by IT as well as by IT best practices frameworks such as COBIT and the IT Infrastructure Library.

Ten years ago at any well-managed organization, 75% of controls were manual. Today, the industry benchmark is the other way around. IT drives about 70% of the controls and 30% are manual. "The endpoint is to move the 30% manual controls to automated controls," Shankar says.

Two fundamental building blocks are essential to adopting a risk-based approach to compliance, in Shankar's view: stable systems and processes, and a strong business ethos. "If a company has absolutely diverse processes, it is not a good choice," he says.

Burton Group's Henry concurs. It's more like crisis management than risk management for those guys: compliance Whack-a-Mole.

Formulating a sound risk strategy also requires a clear definition of the values and principles that drive the organization's business (in other words, a certain level of maturity), Shankar says. If the ethos is loosely defined, then it is not safe to take a holistic approach to compliance.

Companies that make the grade, that give consistent guidance to investors, indeed any that operate successfully in the SOX arena, are probably ready for a risk-based approach, Shankar says.

A GLIMPSE INTO THE TOOLBOX

Shankar gets no argument on that point from Alexander Paras, who joined LeapFrog Enterprises Inc. in 2006 to manage the educational toy maker's SOX compliance. LeapFrog recently bought GRC management software from BWise to support SOX compliance and manage enterprise risk.

"What did we have before? We had a nightmare! We had a bunch of Excel schedules and Word documents and Microsoft Project to manage things," says Paras, senior manager for compliance at Emeryville, Calif.-based LeapFrog until March 2009, when he was named divisional controller for the company's Mexico division. As you can imagine from a version control standpoint, this created quite a bit of frustration for the auditors, business process owners

and senior management.

LeapFrog needed greater transparency into its compliance efforts and controls. Unlike some of the other 20 solutions vetted, BWise GRC works at a process level, Paras says, capturing changes as they are made to documents and automatically ensuring those changes are reflected in all the other relevant systems in the compliance process.

"You have one point of contact in the system and all the information cascades down," Paras says. SOX is just part of the routine, rather than an onerous project, which is what it should be.

Luc Brandts, BWise founder and chief technology officer, says the starting point for most customers is money. "GRC to improve business is a great story, but we come in to solve a pain point. The cost of compliance is too high." Customers see they are doing the same thing eight times and want to get a grip on this, and as a second result they get a grip on their business. In the process they find out they have 16 different ways of doing accounts payable and there is no reason on earth to do so.

THE GOOD OLD DAYS NOT!

In an era of increasing regulation and more guidelines likely on the way, companies might be excused for seeing the auditor as the next threat. But don't tell that to Long Term Care Partners' Alexander, who got her start at Digital Equipment Corp. (DEC) in the days before there were regulations. Security folks had to jump up and down to try to get the business to protect information. And they would say, "We really don't need that," or "there is no ROI."

DEC quickly learned the value of data protection after its source code was stolen by notorious hacker Kevin Mitnick, she says. But the response from the business side was often that it would take the risk to an absurd degree, Alexander recalls.

That risk acceptance level was getting higher and higher and higher until it got to a ridiculous point, and that is when they came out with these regulations, with HIPAA, with Gramm-Leach-Bliley, with FISMA. A lot of folks in the security business went, "Phew! At least now we can get it done."

Linda Tucci is senior news writer for SearchCompliance.com. Write to her at ltucci@techtarget.com.

Buyer Beware: The Complexities of Evaluating GRC Solutions

GRC is about more than governance, risk and compliance; it's about integration and streamlined management.

BY ED MOYLE

WHEN YOU GO shopping for a car, you likely have an inkling of what you want and shop at the appropriate dealer. If you want a truck, you're not going to shop at a Mini dealership; if you're after a sports car, you're not stopping by the Hummer dealer. But what if every dealership advertised generic "vehicles," and "vehicle" meant anything from cars to skateboards to locomotives? What if you couldn't tell who sold what because the product space was so big you couldn't differentiate one from the other? How would you start making a decision? This is the position buyers are in with governance, risk and compliance (GRC) products.

MASTERING THE SPIN CYCLE

GRC is a huge market with many vendors, each with its own GRC story. These products are extraordinarily varied in the type of functionality they provide, the areas in which they excel and the aspects of the complete GRC picture where they have utility. And the way they're being sold? Well, saying it's difficult to tell which vendor does what is one whopper of an understatement. And it's not made any easier by the fact that there are multiple types of GRC: IT GRC, financial GRC, enterprise risk management, etc.

Vendors are spinning their products (everything from document management to technical control validation, risk analysis and identity management) to claim a slice of the GRC pie. IT and security managers with buying power are left confused and unsure about where to spend their GRC dollars. And at the end of the day, confusion is bad for everyone.

PROMISING PRODUCTS
Mapping GRC's claims to your company's requirements:

E-BUSINESS DRIVER
Multiple overlapping regulations.
Demonstration of regulatory compliance to management/auditors.
Difficulty managing numerous controls across multiple environments.
Complexity of business makes risk evaluation difficult.
Burdensome tracking of policy exceptions including exception expiration.
Inefficient, complicated or expensive security program management.

GRC PROMISE
Regulatory framework construction allows multiple regulations to be mapped to one set of controls.
Mapping of policy to controls and regulatory requirements allows you to keep track of compliance activities.
Monitoring tools for technical controls, ability to record which controls are implemented at what locations (and to satisfy what requirements).
Ability to assign risk based on criticality of components and sensitivity of stored data.
Ability to correlate changes in environment and controls to overall risk.
Ability to track policy exceptions, owners of components in exception scope.
Ability to automate workflow for security program tasks such as exception approval, policy authorship and incidents.

For vendors, it means reduced adoption and a more difficult sales pitch. And for practitioners, it's an obstacle to a workmanlike approach to information security management and to getting internal traction for a GRC deployment. Confusion is, as is usually the case in IT, the enemy.

It isn't just the market: GRC as a product is huge as well. Breaking it down, governance is the ability of management to ensure that activities are performed according to set, defined processes; risk management is about identifying and quantifying risk and making sure the organization operates within its risk tolerance; and compliance is the process by which the organization operates on the appropriate side of the law, industry

regulation and policy.

Looking at it logically, vendors could make the argument that an identity management solution is IT GRC because it enforces governance, i.e., it helps ensure personnel follow the policies and procedures set down by management. Antivirus? Sure, why not? AV software that monitors its signature version and provides feedback about what machines don't have the software installed is policy enforcement at its finest. In fact, people could make the argument that every security product plays in the governance, risk and compliance space, to one degree or another, and they'd be correct.

But the point of GRC isn't just to govern, manage risk and comply; in fact, you're probably doing them all already. The point is instead how you do those three things. It's about transparency and integration: ultimately, by sharing a common vocabulary, these aspects of management can become more measurable, repeatable and, in the best case, efficient. It's an evolution away from management processes that grew organically over time and a movement toward more streamlined, integrated and manageable processes that better serve the needs of your business. It's not about doing something new; it's about taking what you already do and refining it.

And it doesn't take any particular product (or set of products) to get there. In fact, many customers may not even realize they can get pretty far along in their GRC goals in-house without relying on a particular vendor. All it takes is an understanding of their requirements, a bit of organization and some planning.

So in the interest of doing more with less, let's look at what you can do with tools you already have and try to move toward GRC nirvana. Once you know what you need and have started to chart out how far you can go without making a purchase, filling in the gaps with the products in the market becomes a totally different experience. Once you change your discussions with vendors from "What does your product do?" to "Does your product do this?" the process becomes much less stressful, less time consuming and, ultimately, easier to figure out.

DESIGN, THEN BUILD

The first step to implementing GRC is


to understand how you're currently running these aspects of your business, specifically how you'd like to improve and for what purpose. Figuring this out should be a group effort (what you're doing should have a broad impact on the whole organization and should be about integration), so this is not the time to create new silos in your organization. Reach out to all the stakeholders: IT, compliance, business, risk management, internal audit and counsel, and get them on board to help define requirements. Some questions to ask in each aspect of GRC:

Governance: How are you currently organizing and publishing your policies and procedures? Do you even have policies and procedures? How are you enforcing them throughout the organization? Are you interested in just one particular set of policies and procedures, or is your interest more general; for example, are you just interested in IT or are you interested in business processes as well?

Risk management: What is your current process for identifying, classifying and treating risk? Are you using a formalized approach or an ad hoc one? Is that method quantitative or qualitative? Are you interested in just IT risk, or are you interested in other areas such as operational or financial risk?

Compliance: What is the extent of what you currently do for compliance? Are you currently using a compliance framework approach, or have all your efforts gone into targeting one or two specific regulations? Are you in a heavily regulated industry such as health care or financial services?

Coming to a quick and dirty understanding of where you are in each of these areas is a good first step and can give you valuable insight on where you might see the most benefit from your investment. For example, if you're a health care provider and you've already spent more than a few dollars on risk assessment, i.e., to comply with the Health Insurance Portability and Accountability Act (HIPAA), maybe risk management in your firm is in pretty good shape. Whereas if you're a small retailer, you might not have any formalized risk management in place and so you

can benefit more from investment in this area. On the other hand, that same health care provider might have spent quite a bit of time and energy targeting HIPAA, and might not have a broad approach to compliance that covers other regulations that have developed since HIPAA was introduced. So maybe dollars are better spent expanding the compliance approach instead of concentrating on risk management. Be honest with yourself about where you are and your maturity in these areas.

If you're looking to move beyond a quick and dirty analysis and are looking for something a little bit more formal, take a look at the Open Compliance and Ethics Group's GRC Capability Model (the Red Book). This document provides a systematic (and highly detailed) outline for organizations looking to refine their overall GRC posture and seeking to implement these concepts within their organizations.

But at the end of the day, if it's a choice between setting the bar high and not making progress versus setting the bar low and moving forward, set the bar low. If you have the time, funding and patience for a thorough, formal and rigorous approach, so much the better. But if you don't, it's better to do something than nothing. The IT Policy Compliance Group in its 2008 annual report draws a direct parallel between IT GRC maturity and a firm's revenue; specifically, firms on the highest end of the IT GRC maturity spectrum have 17 percent higher revenue than those at the lowest end. Meaning, it's in the best interest of your bottom line to do something.

REPACKAGE AND REPURPOSE

Once you have some idea of where you need help, determine whether there are tools in one area that you can expand to cover other areas. Remember again that the point of governance, risk and compliance is integration, so use this as an opportunity to find out what's working well and bring it into a broader fold. For example, maybe that tool that you're using just for the internal audit crowd might be useful in other areas as well. Or maybe the IT tool that you're using to manage technical compliance could be repackaged for reporting

20 » BUYER BEWARE If you ve lredy built complince frmework bsed on stndrds such s the ISO series, NIST SP , COBIT or ny other bseline, fold tht process nd documenttion in s well. outside of just IT. If you re lrge orgniztion, don t skimp on figuring out wht you lredy hve (chnces re good tht you lredy hve something somewhere). This could include commercil tools tht you ve lredy purchsed for exmple, uditingcentric tools used to drive risk mngement, policy uthorship nd publiction tools, mngement reporting tools or ny number of other commercil products tht hve n impct in ny of these ctegories. Technicl tools tht provide feedbck on whether or not individul mchines nd user ccounts re in line with defined policy re in scope s well. Tke thorough inventory of wht you ve lredy purchsed so you don t buy something new with overlpping functionlity (or so you cn t lest decide purposefully tht you re going to replicte functionlity rther thn discovering it fter the fct), nd so you cn integrte wht you lredy hve into the broder scope of wht you re trying to do. Include lso in-house tools tht you my hve developed. This could be n in-house tool with ll the bells nd whistles, but it could lso be more humble tools such s the spredsheets nd reports provided for tsks such s reporting the sttus of udit items, trcking complince with industry regultion or lerning more bout just bout nything else tht gthers or pckges dt bout control effectiveness. If you ve lredy built complince frmework bsed on stndrds such s the ISO series, NIST SP , COBIT or ny other bseline, fold tht process nd documenttion in s well. If you hven t done tht lredy, tht s fine, too, but if you hve, mking sure tht your pproch reuses wht you ve lredy done will sve time in the long run nd void stepping on toes. THINGS TO REMEMBER After you ve done these things, you ll probbly relize couple of things bout your orgniztion: NO. 1: You re probbly more interested in some res of GRC versus others bsed on your prticulr needs. NO. 
2: You ve probbly lredy spent 20 GOVERNANCE, RISK, COMPLIANCE

21 » BUYER BEWARE dump truck full of money on tools nd processes to help utomte certin spects of complete GRC picture. You my lso relize tht there re some res where you hven t spent much in the wy of time, effort or resources. Now you re redy to come up with purchsing strtegy for tools. And you should hve pretty cler ide bout where tool would be the most vluble. Are you just interested in IT? Does your compny hve mostly mnul processes in plce? Mybe turnkey technicl solution is for you? When you shop round (nd pilot those systems), you ll find out pretty rpidly tht vendor focused solely on risk mngement bsent control vlidtion is probbly not the right choice. Do you hve firly sophisticted technicl processes nd hep of regultions to comply with (nd not much in the wy of complince spending to dte)? Mybe the vendor selling the techniclly focused solution isn t the right pick for your compny. Tke cue from the Orcle in The Mtrix nd know thyself. Knowing wht products you need before you invite the vendors in is the only wy governnce, risk nd complince will mke ny sense. Ed Moyle is founding prtner of consultncy Security Curve. GRC nd Policy Mngement: Methods nd Tools is produced by CIO/ IT Strtegy Medi nd Security Medi, 2009 by TechTrget. MANAGING EDITOR CIO/IT STRATEGY MEDIA GROUP Jcqueline Biscobing ART DIRECTOR Lind Koury CONTRIBUTING WRITERS Eric Holmquist nd Ed Moyle SENIOR NEWS WRITER CIO/IT STRATEGY MEDIA GROUP Lind Tucci EXECUTIVE EDITOR CIO/IT STRATEGY MEDIA GROUP Scot Petersen EDITORIAL DIRECTOR SECURITY MEDIA GROUP Kelley Dmore SENIOR TECHNOLOGY EDITOR SECURITY MEDIA GROUP Neil Roiter FOR SALES INQUIRIES: Stephnie Corby, Senior Director of Product Mngement, scorby@techtrget.com (781) BUSINESS STAFF SENIOR VICE PRESIDENT AND GROUP PUBLISHER Andrew Briney PUBLISHER, SALES Jillin Coffin 21 GOVERNANCE, RISK, COMPLIANCE

RESOURCES FROM OUR SPONSORS

- IT Compliance Reporting: Delivering Continuous, Consistent IT Compliance
- nCircle Suite360: Automated Security & Compliance Auditing
- Stopping Data Leakage: Making the Most of Your Security Budget
- Beyond Payment Card Industry (PCI) Checklists: Securing Cardholder Data with Tripwire's Enhanced File Integrity Monitoring
- Configuration Control for Virtual and Physical Infrastructures: How the Visible Ops Approach Offers Solutions to the Problem of Unplanned Work
- File Integrity Monitoring: Secure Your Virtual and Physical IT Environments


More information

THE MASSACHUSETTS DATA PROTECTION LAW

THE MASSACHUSETTS DATA PROTECTION LAW 2 Moving Trget 5 Identity Theft? 11 An Ounce of Prevention 18 Encrypt It or Else 25 Get Ahed to Sty Ahed THE MASSACHUSETTS DATA PROTECTION LAW Msschusetts businesses fcing down MA 201 CMR 17.00 cn meet

More information

Quality Evaluation of Entrepreneur Education on Graduate Students Based on AHP-fuzzy Comprehensive Evaluation Approach ZhongXiaojun 1, WangYunfeng 2

Quality Evaluation of Entrepreneur Education on Graduate Students Based on AHP-fuzzy Comprehensive Evaluation Approach ZhongXiaojun 1, WangYunfeng 2 Interntionl Journl of Engineering Reserch & Science (IJOER) ISSN [2395-6992] [Vol-2, Issue-1, Jnury- 2016] Qulity Evlution of Entrepreneur Eduction on Grdute Students Bsed on AHP-fuzzy Comprehensive Evlution

More information

Protection of Critical Information Infrastructure in Korea

Protection of Critical Information Infrastructure in Korea Protection of Criticl Informtion Infrstructure in Kore Kim, Woonyon 2005. 10 Ntionl Security Reserch Institute Contents Ntionl Cyber Security Mngement System Criticl Informtion Infrstructure (CII) Mngement

More information

Combined Liability Insurance. Information and Communication Technology Proposal form

Combined Liability Insurance. Information and Communication Technology Proposal form Comined Liility Insurnce Informtion nd Communiction Technology Proposl form Comined Liility Insurnce Informtion nd Communiction Technology - Proposl form This proposl form must e completed nd signed y

More information

EQUATIONS OF LINES AND PLANES

EQUATIONS OF LINES AND PLANES EQUATIONS OF LINES AND PLANES MATH 195, SECTION 59 (VIPUL NAIK) Corresponding mteril in the ook: Section 12.5. Wht students should definitely get: Prmetric eqution of line given in point-direction nd twopoint

More information

baby on the way, quit today

baby on the way, quit today for mums-to-be bby on the wy, quit tody WHAT YOU NEED TO KNOW bout smoking nd pregnncy uitting smoking is the best thing you cn do for your bby We know tht it cn be difficult to quit smoking. But we lso

More information

a GAO-03-568 GAO COLLEGE COMPLETION Additional Efforts Could Help Education with Its Completion Goals Report to Congressional Requesters

a GAO-03-568 GAO COLLEGE COMPLETION Additional Efforts Could Help Education with Its Completion Goals Report to Congressional Requesters GAO United Sttes Generl Accounting Office Report to Congressionl Requesters My 2003 COLLEGE COMPLETION Additionl Efforts Could Help Eduction with Its Completion Gols GAO-03-568 My 2003 COLLEGE COMPLETION

More information

Chromebook Parent/Student Information

Chromebook Parent/Student Information Chromebook Prent/Student Informtion 1 Receiving Your Chromebook Student Distribution Students will receive their Chromebooks nd cses during school. Students nd prents must sign the School City of Hmmond

More information

GAO HOME MORTGAGE INTEREST DEDUCTION. Despite Challenges Presented by Complex Tax Rules, IRS Could Enhance Enforcement and Guidance

GAO HOME MORTGAGE INTEREST DEDUCTION. Despite Challenges Presented by Complex Tax Rules, IRS Could Enhance Enforcement and Guidance GAO United Sttes Government Accountbility Office Report to the Joint Committee on Txtion July 2009 HOME MORTGAGE INTEREST DEDUCTION Despite Chllenges Presented by Complex Tx Rules, IRS Could Enhnce Enforcement

More information

prevention loss Data loss strategies, data practices and tools are more important than ever. Here s what you need to know. i n s i d e p DLP: It s

prevention loss Data loss strategies, data practices and tools are more important than ever. Here s what you need to know. i n s i d e p DLP: It s A S E A R C H C O M P L I A N C E. C O M / S E A R C H S E C U R I T Y. C O M E - B O O K Dt loss prevention strtegies, dt prctices prevention nd tools re more importnt thn ever. loss Here s wht you need

More information

VoIP for the Small Business

VoIP for the Small Business Reducing your telecommunictions costs Reserch firm IDC 1 hs estimted tht VoIP system cn reduce telephony-relted expenses by 30%. Voice over Internet Protocol (VoIP) hs become vible solution for even the

More information

collection, dissemination and security of data. inform the access and utilisation of data within the organisation.

collection, dissemination and security of data. inform the access and utilisation of data within the organisation. Corporte Policies & Procedures Generl Administrtion Document CPP123 Dt Governnce Policy First Produced: Current Version: Pst Revisions: Review Cycle: Applies From: 17/07/13 17/07/13 Nil 3 yer cycle Immeditely

More information