igrc: Intelligent Governance, Risk, and Compliance White Paper




2013 Edgile, Inc. All Rights Reserved

Executive Overview

This white paper discusses the business needs addressed by Edgile's igrc solution, which introduces a new approach to simplifying a company's governance, risk, and compliance (GRC) program. It analyzes the current state of GRC solutions and addresses the competing goals that exist between software vendor licensing models and a company's need for a fully integrated solution. A new, lower-cost GRC model is then defined, born out of years of practical experience by Big 4 GRC professionals. This new model incorporates the following GRC services:

Current State of GRC

The Sarbanes-Oxley Act, commonly referred to as SOX, was adopted on July 30, 2002 as the answer to financial accounting irregularities, through auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure. The hangover from the party, and the related control bloat, is still being felt nearly a decade later as unintended consequences. A myriad of other mandates (HIPAA, PCI, FISMA) have resulted in further assurance overhead. Peeling away the initial layer of complexity (e.g., the alphabet soup of regulations) exposes a core set of issues. The issues boil down to what amounts to an arms race between the one-off tools and point-specific activities addressing each set of regulations. Every new law results in a new team being assigned to solve the problem. Every new team develops its own approach, its own definition of the operating environment, its own methodology, process, tools, and technologies. More people are required not only to develop the content and control environment, but also to test, manage, and monitor the remediation. Each law in effect creates a new island of assurance. The result is an inordinate increase in the amount of time spent on assurance activities and GRC systems, as compared to harmonization of assurance requirements over time.

The following diagram illustrates the ever-increasing expectations of a company's assurance functions, mirrored by an ever-increasing amount of time spent meeting those expectations. The task of managing these assurance expectations is daunting, and meaningful relief from regulations does not appear to be on the horizon. In fact, the situation at most organizations is getting worse with the adoption of the Dodd-Frank Act and the increase of OCR audits and fines related to the enforcement of the HIPAA security and privacy rules. The reaction from global legislators and boards alike is resulting in greater attention to, and demand for, better quality information on GRC topics. Assurance services (i.e., the audit, risk, and compliance activities, policy and governance management, control testing, finding and remediation management) are those services that help organizations improve the quality, context, and quantity of information so that management can make better and more informed decisions.

The three biggest cost factors of today's GRC programs and solutions are:

- Highly Manual Processes
- Significant Overlap in Effort
- Poor Risk Visibility

Highly Manual Processes: Highly manual processes for assurance services are still the norm at large and small organizations alike. Anecdotally, one leading Big 4 audit firm was still using manual, paper-based work papers as recently as 2012. That manual mindset permeates both the firms that provide assurance services and the assurance functions within organizations. These manual processes make it hard to ensure quality (e.g., it is difficult to reconcile different risk ratings and control descriptions for the same asset across Word and Excel documents), and they carry a high opportunity cost due to time not spent on higher-value work (e.g., smart remediation planning and execution, assessing emerging technologies, preparing for changes in the regulatory environment).

Significant Overlap in Effort: The potential for significant overlap is another challenge plaguing clients. The most common complaint: "We are audited around the same topic, in the same area, by five different groups. Can't they share information or talk to one another?" Recent return on investment analysis performed at clients across industries has demonstrated that this overlap between assurance functions (e.g., compliance, risk, internal audit, security, business continuity, and external audit) is costing companies millions of dollars each year. According to a Thomson Reuters press release in February 2012, companies were hit with 14,215 regulatory announcements globally in 2011, up sixteen percent from 2010. Fifty-seven percent of these regulatory announcements came from the United States alone. With that volume, it is likely the overlap, especially for companies doing business in the United States, will continue to be a challenge.

Poor Risk Visibility: Lack of visibility into risks is another factor resulting in millions of dollars of avoidable cost. Companies have estimated that a substantial rework of a new product offering or application can double the cost of the implementation due to missing controls needed to address risk and compliance requirements. The ability to spot risks early, and to have the right requirements and information about potential problems, allows management to adopt a more thoughtful remediation or an informed risk acceptance.

A New Approach to GRC

Traditional GRC vendors have tried to address this inefficiency by bundling standalone modules into loosely coupled suites. This approach makes it easier for vendors to sell separate modules, but it creates automation silos which mirror the organizational silos across a company's assurance functions. In contrast, Edgile's igrc solution takes a holistic approach, with one integrated application automating all of a company's assurance services:

- One application
- One data model
- One process model

The designers of igrc spent the last decade cutting their teeth on all the traditional GRC products in the market. igrc was then built from the ground up based on two design principles. The first principle is that a thoughtful design can synthesize the needs of each assurance stakeholder into one solution. The second principle is that companies within a given industry have very similar GRC content needs, which can be pre-seeded as part of the initial installation. The first principle results in significant operational efficiency and the second in faster setup times. This allows a company to save money while improving its GRC situational awareness.

igrc Process

An intelligent GRC process enables both top-down management (traditionally only seen in an Enterprise GRC platform) and detailed bottom-up management (traditionally only seen in an IT GRC platform). Our cross-functional processes help assurance organizations streamline and automate their related activities. Our hierarchical process design facilitates discrete risk and compliance ratings, while also enabling the risk and compliance roll-up reporting necessary for the big-picture view. Unlike other products in the market, igrc uses an organization-centric perspective, not a software-module perspective. This gives the customer the ability to roll up and drill down risk and compliance ratings.

Business Unit
The highest-level grouping of the organization, the business unit is generally akin to a line of business (LOB) and can be organized in any manner that makes sense to the organization (geography, legal entity, product, channel). A business unit has an inherent risk rating, residual risk rating, and compliance rating that considers the underlying risk units that comprise the BU.

Risk Units
A flexible construct designed to allow for both profit and loss (P&L) organizational modeling and process or product modeling (e.g., when a process or service spans several departments). This unique approach allows for both traditional Sarbanes-Oxley department-based P&L modeling and operational-risk and enterprise-risk oriented process modeling. A risk unit has an inherent risk rating, residual risk rating, and compliance rating that considers the underlying Control Plans that comprise the RU.

Control Plans
The containers for risk and compliance related information, including controls. Control Plans can take a variety of forms: business process (e.g., Sales), IT process (e.g., Change Management), business function (e.g., Legal), application (e.g., ERP Finance Application), infrastructure (e.g., WAN), property, plant and equipment (e.g., facility), vendor (e.g., payroll outsourcing), data (e.g., PII), and cloud (e.g., SaaS). The Control Plan allows for high-level analysis, detailed analysis, or both. A Control Plan has an inherent risk rating, residual risk rating, and compliance rating that considers the underlying Controls that comprise the Control Plan.

Control
The most granular level of risk and compliance analysis. Where appropriate, controls are directly tied to laws and regulations through the Regulatory Requirements, to enable an understanding of the mandates driving the control design and the consequences of potential non-compliance if the control is not operating effectively.

Test
The assurance activity, potentially performed by multiple audiences (e.g., internal audit, security, compliance, the business) and tailored to the level of detail and rigor needed. Whether formal Sarbanes-Oxley style testing is needed, or a quick review or confirmation from the control owner, the test at minimum rates the control's design and operating effectiveness.

Findings
Should a control fail, or pass with findings noted, a Finding is created. A Finding links directly to a Test, and through that linkage clear transparency to the related mandates is maintained. Findings are evaluated by severity and adjudicated through either a risk acceptance or a remediation decision. A Remediation Plan, discussed in more detail below, can in turn be linked to the Finding.

Remediation Plan
The project, solution, or fix for a Finding is referred to as a Remediation Plan. Remediation Plans can be developed that address one or more Findings. They allow for management of the corrective actions, as well as tracking of the costs associated with compliance-oriented enhancements.
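As an added example that is not part of the white paper or of Edgile's software, the following Python sketch models the hierarchy just described (Business Unit, Risk Unit, Control Plan, Control, Test, Finding) and shows how a Test result on a single Control rolls up into the compliance rating of every container above it, and how drill-down walks back down to the Control that caused it. The roll-up rule (the worst child rating wins) and the three-level rating scale are assumptions; the paper names the ratings but does not say how they are computed.

```python
# Added example, not Edgile's code: a minimal model of the igrc hierarchy
# (Business Unit > Risk Unit > Control Plan > Control > Test > Finding) with
# roll-up and drill-down of compliance ratings. The roll-up rule (worst child
# wins) and the three-level scale are assumptions; the paper does not give them.
from dataclasses import dataclass, field
from typing import List, Optional

RATING = {"compliant": 0, "partially_compliant": 1, "non_compliant": 2}  # assumed

@dataclass
class Finding:
    test_id: str
    severity: str              # assumed levels, e.g. "medium", "high"
    disposition: str = "open"  # "open", "risk_accepted" or "remediation"

@dataclass
class Test:
    test_id: str
    design_effective: bool
    operating_effective: bool
    findings: List[Finding] = field(default_factory=list)

@dataclass
class Node:
    """A Business Unit, Risk Unit, Control Plan or (when test is set) a Control."""
    name: str
    children: List["Node"] = field(default_factory=list)
    test: Optional[Test] = None

    def rating(self) -> str:
        # Control: a failed design or operating test is non-compliant;
        # a pass with findings noted is only partially compliant.
        if self.test is not None:
            t = self.test
            if not (t.design_effective and t.operating_effective):
                return "non_compliant"
            return "partially_compliant" if t.findings else "compliant"
        # Container: roll up the worst rating among its children (assumption).
        if not self.children:
            return "compliant"
        return max((c.rating() for c in self.children), key=RATING.__getitem__)

    def drill_down(self, path=()):
        # Every Control that is not fully compliant, with the path reaching it.
        here = path + (self.name,)
        if self.test is not None:
            r = self.rating()
            return [(here, r)] if r != "compliant" else []
        return [hit for c in self.children for hit in c.drill_down(here)]

def build_sample() -> Node:
    # Constructed sample data: one BU, two risk units, three controls.
    ok = Test("T-1", True, True)
    weak = Test("T-2", True, True, [Finding("T-2", "medium")])
    failed = Test("T-3", True, False, [Finding("T-3", "high", "remediation")])
    sales = Node("CP Sales process", [Node("CTRL approval limits", test=ok),
                                      Node("CTRL segregation of duties", test=weak)])
    change = Node("CP Change Management", [Node("CTRL change approval", test=failed)])
    return Node("Retail BU", [Node("RU Sales", [sales]), Node("RU IT", [change])])
```

With the constructed sample, the Business Unit rates non-compliant because of one failed operating test in the IT Risk Unit, while the Sales Risk Unit rates only partially compliant; `drill_down()` returns the two affected Controls with their full paths.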

igrc Content

igrc Content offers a better way to address regulatory change management. Our extensive experience implementing GRC solutions has shown that content is key to achieving GRC solution efficiency and quality objectives. Edgile provides harmonized laws and regulations in an easy-to-use format for any GRC automation tool or manual compliance program, and of course it works seamlessly with the igrc software. The annual subscription services provide not only the synchronization of the laws and regulations that matter most to your organization, but also highly useful risk, governance, and control related information to help your compliance program run at an optimized level.

igrc Content is currently available for the following industries:

- Financial Services
- Healthcare
- Life Sciences
- Retail
- Government
- Manufacturing
- Gaming
- Energy & Utilities

Edgile's igrc solution includes content from over 70 sources, with quarterly updates, to help with your risk and compliance programs, including:

- Gramm-Leach-Bliley Act (GLBA)
- 12 CFR 30 Appendix B
- FFIEC Handbooks
- Sarbanes-Oxley
- HIPAA
- US Privacy Laws
- EU Data Protection Directive
- COBIT
- PCI DSS
- HIPAA, HITECH, HITRUST, Meaningful Use
- 21 CFR 11, 21 CFR 820 and General Principles of Software Validation: Final Guidance for Industry and FDA Staff
- NIST 800-53, NIST 800-53A, NIST 800-30, NIST 800-39, NIST 800-66
- ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005

Other content accelerators that come standard with the igrc Solution include:

- Risk Register of likely threat vulnerabilities, categorized and linked
- Policy, Standard, Procedure, and Guideline Templates sourced to Regulatory Requirements
- Operating Environment starter kits
- Risk Profilers, Risk Methodology and Risk Rollup Techniques
- Regulatory Change Management as a Service plug-in
- Control Plan Templates with typical Controls already linked
- Audience-Specific Dashboards that Inform Management on What Matters Most
- Reporting Packages for Laws and Programs (e.g., PCI, FISMA, SOX, etc.)

igrc Technology Platform

The igrc Solution embraces industry-standard technologies and was built by Information Security professionals. It is typically deployed in a Software as a Service (SaaS) configuration, freeing our customers up to focus on high-value GRC tasks. Compatible with Microsoft, MacOS, and mobile devices, its key technology features include the following:

- Configurable by function (e.g., audit, Information Security, risk, compliance, etc.)
- Process & workflow models
- Interactive dashboards & reporting
- Role-based access control (RBAC) with field-level control
- A no-install web-based client
- Support for Microsoft, Apple and mobile phone clients
- Industry-standard encryption
- Data import and export capabilities

igrc Lower Cost of Ownership

We have developed a proven Return on Investment (ROI) calculator, with both hard-dollar and soft-dollar savings. Lower cost of ownership value propositions include:

- One low-cost enterprise subscription
- Based on standard Microsoft technologies
- Replaces the need for multiple piecemeal solutions
- Provided through a hosted service

Getting Started

Because igrc comes with all the features ready to go out of the box and a variety of content accelerators pre-configured and preloaded, your users are already licensed to use them all and can quickly start benefiting from the value of an automated GRC process. A 30-minute demo is all it will take for you to be convinced that igrc redefines how companies will spend less money and get better results from their GRC programs in the future. Contact Edgile today to schedule a consultation and demonstration.

Edgile, Inc.
Company Headquarters
7000 N. Mopac Expressway, Suite 200
Austin, TX 78731
Telephone: +1 512.241.0919
Fax: +1 512.857.0176
Email: info@edgile.com