How to Implement an Integrated GRC Architecture




"Companies that select individual solutions for each regulatory challenge they face will spend 10 times more on the IT portion of compliance projects than companies that take on a proactive and more integrated approach." Gartner

Contents

Introduction 3
GRC Complexity 4
The Integrated GRC Approach 5
Easy2comply Integrated GRC Approach 7

Introduction

Risk management, compliance and governance reforms that followed the corporate failures of the past decade have dramatically changed today's business environment. Organizations worldwide are coping with a proliferation of new regulations and standards, and are challenged to do so in a way that supports performance objectives, upholds stakeholder expectations, sustains value and protects the organization's brand. Recent studies indicate that Fortune 1000 corporations are subject to 35 to 40 different regulatory mandates, and the management of regulation and compliance has become a serious risk factor in itself.

Complying with each individual regulation is always complicated, lengthy and costly. Managing the burden of complying with multiple and overlapping regulations is becoming increasingly difficult and expensive. The need for an integrated GRC (Governance, Risk Management and Compliance) platform in today's business environment is obvious. Despite the hype around this topic, only a few organizations have succeeded in implementing a truly integrated GRC platform, because of the complexity of the GRC environment.

GRC Complexity

In order to implement an integrated GRC platform, organizations need to cope with the following complexity:

1. Multiple Regulations
   - Vertical industry regulations (e.g. Banking: Basel II, Insurance: Solvency)
   - Horizontal regulations (e.g. SOX)
   - Internal corporate governance
   - International regulations
   - Regional regulations
   - Local regulations
2. Different Scope
   - Operational risk
   - Internal audit
   - Financial control
   - IT governance
   - Anti-fraud management
   - Business continuity planning
   - Information security risk
3. Different consulting firms involved in each project
4. Different objectives for each project
5. Different methodologies and diverging workflows
6. Different data architecture requirements
7. Diverse Participants
   - Business executives
   - Risk and compliance officers
   - Business unit and process managers
   - Employees
   - Contractors
   - Consultants
   - Business partners

Due to this complexity, most organizations still manage GRC projects in silos, adopting different methodologies and different software point solutions for each project. As a result of this approach, organizations face the following difficulties:

- Inconsistency among the different projects
- Lack of a unified view of risk and compliance, which limits management's decision making process
- Lack of scalability from an enterprise-wide perspective
- Duplication of activities and overlapping efforts that increase cost, internal overhead and external consulting expenses

Owing to the complex regulatory environment, GRC related costs in enterprises are skyrocketing. For example, according to a recent SIA study, the cost of compliance in the U.S. securities community alone has nearly doubled in three years, reaching $25 billion in 2006.

The Integrated GRC Approach

An integrated GRC strategy must provide an environment that on one hand allows each GRC process to be fully managed independently, while on the other hand providing tools for defining complex relationships and for sharing and linking information between the different regulations and standards. Check Point has defined a series of mandatory steps for managing multiple GRC processes in harmony, which we call GRC Modelling:

- Definition of a single GRC terminology. Adopting a common language is a crucial step to avoid misunderstandings within the organization.
- Creation of a unified organizational structure. Variant organizational structures often inadvertently cause mistaken assessments that are based on erroneous risk and control calculations up the organizational tree.
- Granularity at the level of risk and control attributes. It is common knowledge that there are many-to-many relationships between risks and controls. This is indeed necessary, but not enough to support an integrated GRC environment. The organization must be able to define different, distinct attributes for common risks and controls shared by multiple GRC processes. A common control that occurs in two separate regulations might be critically important for one regulation and less important in the other. The ability to define this level of granularity is critical for the success of an integrated approach.
- Defining hierarchical, complex relationships between controls. In order to reduce the duplication of controls between separate compliance procedures, the organization needs tools to define control dependencies intelligently. For example, a high level control in one regulation may be identical to a combination of 5 controls in another standard. The ability to define such smart links and multi-level hierarchies between risks, controls and GRC processes is vital to reducing the overhead of managing and testing controls across the enterprise.

- Leveraging information between separate GRC workflows. Each GRC unit has its own individual workflow that might consist of periodic control tests, multi-year audit plans or collected loss events. In order to achieve an overall view of the organization's risk, information must be shared between the different processes. For example, the Internal Audit team should receive the status of control tests for determining how to build its audit plans. Loss event information collected by the operational risk group should be shared with other GRC functions.

Consequently, we believe that the deployment of a comprehensive, integrated GRC strategy is composed of three phases: GRC Modeling, GRC Operations and GRC Automation.

GRC Modeling. In this phase tools are needed to model the relations between the different entities and to integrate them into the different GRC workflows. Among the activities in this phase:
- Defining a common language
- Defining a common organizational structure
- Defining hierarchies between risks, controls and modules
- Defining many-to-many relationships at the level of the attributes of risks, controls, and other data entities
- Leveraging and integrating information flow between the diverging workflows

GRC Operations. This is the stage where each individual business or GRC unit uses a software platform to perform its own specific process. Among the activities in this phase:
- Process documentation
- Risk and control assessment
- Reporting
- Remediation plans
- Loss data accumulation
- More

GRC Automation. After the ongoing GRC operations are modelled and have been operating for at least one to two years, these offline GRC processes can evolve into a more transactional system. In this phase, selected GRC processes can be automated and linked with the organization's online systems, thereby saving the time and cost of manual processes. Among the activities in this phase:
- Control testing
- Loss event identification
- KRI monitoring
- KPI monitoring
- Identification of abnormal behaviour for BCP and/or fraud management scenarios
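The two modelling requirements above (distinct attributes for a control shared by several regulations, and a high-level control in one regulation that is satisfied by a combination of controls in another) and the workflow-sharing point (control test status feeding the audit plan) can be made concrete with a small data model. The following is an added example written for this page; it is not code from the whitepaper or from the easy2comply product, and all regulation names, control identifiers and test outcomes in it are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Added example (not part of the whitepaper): a minimal shared-control
# repository with per-regulation attributes and composite control links.
# All identifiers and outcomes below are constructed for illustration.

@dataclass
class Control:
    control_id: str
    description: str
    # A composite control is satisfied only when every component passes.
    components: List[str] = field(default_factory=list)

@dataclass
class Binding:
    """Attributes a control carries within one specific regulation."""
    criticality: str            # "high", "medium" or "low"
    test_frequency_days: int

class GRCModel:
    def __init__(self) -> None:
        self.controls: Dict[str, Control] = {}
        self.regulations: Dict[str, Dict[str, Binding]] = {}  # reg -> control -> Binding
        self.test_results: Dict[str, bool] = {}               # latest leaf test outcome

    def add_control(self, control_id: str, description: str,
                    components: Optional[List[str]] = None) -> None:
        self.controls[control_id] = Control(control_id, description, components or [])

    def bind(self, regulation: str, control_id: str,
             criticality: str, test_frequency_days: int) -> None:
        if control_id not in self.controls:
            raise KeyError(f"unknown control {control_id}")
        self.regulations.setdefault(regulation, {})[control_id] = Binding(
            criticality, test_frequency_days)

    def record_test(self, control_id: str, passed: bool) -> None:
        # Composite controls derive their status; only leaves are tested directly.
        if self.controls[control_id].components:
            raise ValueError(f"{control_id} is composite; test its components")
        self.test_results[control_id] = passed

    def effective_status(self, control_id: str,
                         _seen: Optional[Set[str]] = None) -> Optional[bool]:
        """True/False once every underlying leaf has a result, None while untested."""
        seen = _seen or set()
        if control_id in seen:
            raise ValueError(f"cyclic control dependency at {control_id}")
        ctrl = self.controls[control_id]
        if not ctrl.components:
            return self.test_results.get(control_id)
        statuses = [self.effective_status(c, seen | {control_id}) for c in ctrl.components]
        if any(s is False for s in statuses):
            return False            # one failing component fails the composite
        if any(s is None for s in statuses):
            return None
        return True

    def shared_controls(self) -> Set[str]:
        """Controls bound to more than one regulation: tested once, reused everywhere."""
        counts: Dict[str, int] = {}
        for bindings in self.regulations.values():
            for cid in bindings:
                counts[cid] = counts.get(cid, 0) + 1
        return {cid for cid, n in counts.items() if n > 1}

    def audit_priorities(self) -> List[str]:
        """Feed for the audit plan: failing controls rated high in any regulation."""
        found: Set[str] = set()
        for bindings in self.regulations.values():
            for cid, b in bindings.items():
                if b.criticality == "high" and self.effective_status(cid) is False:
                    found.add(cid)
        return sorted(found)

def build_sample_model() -> GRCModel:
    """Constructed sample: two placeholder regulations sharing one control set."""
    m = GRCModel()
    m.add_control("ACCESS-REVIEW", "quarterly review of privileged accounts")
    m.add_control("BACKUP-TEST", "restore test of critical systems")
    m.add_control("CHANGE-APPROVAL", "changes approved before deployment")
    m.add_control("CHANGE-LOGGED", "changes recorded in the ticketing system")
    # One high-level control in REG-A equals the combination of two REG-B controls.
    m.add_control("CHANGE-MGMT", "change management is effective",
                  components=["CHANGE-APPROVAL", "CHANGE-LOGGED"])
    # The same control carries different attributes in each regulation.
    m.bind("REG-A", "ACCESS-REVIEW", "high", 90)
    m.bind("REG-B", "ACCESS-REVIEW", "low", 365)
    m.bind("REG-A", "CHANGE-MGMT", "high", 180)
    m.bind("REG-B", "CHANGE-APPROVAL", "medium", 90)
    m.bind("REG-B", "CHANGE-LOGGED", "medium", 90)
    m.bind("REG-B", "BACKUP-TEST", "high", 180)
    # Constructed test outcomes for the current cycle.
    m.record_test("ACCESS-REVIEW", True)
    m.record_test("CHANGE-APPROVAL", True)
    m.record_test("CHANGE-LOGGED", False)
    m.record_test("BACKUP-TEST", False)
    return m
```

Running `build_sample_model()` and then `shared_controls()`, `effective_status("CHANGE-MGMT")` and `audit_priorities()` shows the three points in one pass: ACCESS-REVIEW is tested once and reported under both regulations with its own criticality in each; the single failed CHANGE-LOGGED test propagates to the composite CHANGE-MGMT in REG-A without any separate test there; and the audit feed lists each failing high-criticality control once. The cycle check in `effective_status` is the guard a practitioner wants once control hierarchies become multi-level, since a control that indirectly depends on itself would otherwise recurse forever.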

Easy2comply Integrated GRC Approach

easy2comply is a web based software platform that enables companies to continuously manage and control compliance, corporate governance and risk management processes with built-in tools for GRC modelling. There are 5 groups of GRC applications supported:

1. Operational Risk Management (ORM), including modules such as general ORM, Basel II, Solvency II, Arrow, BilMoG, MaRisk, etc.
2. Internal Control Management (ICM), including modules such as general ICM, SOX, JSOX, MiFID, Turnbull, Tabaksblat, etc.
3. IT Risk and Governance (ITG), including modules such as CobiT, ITIL, ISO27001, ISO17799, Business Continuity Planning (BCP), BCM (25999), Information Security.
4. Internal Audit Management (IA)
5. General Compliance (GC) for special needs such as corporate governance and procedures, strategic projects, privacy and local laws, and more.

easy2comply provides the tools and functionality required to design the integrated workflow and data relationships between the different GRC projects, while providing each software module with its own full set of functionality, unique workflow and, if relevant, best practices data.

easy2comply's unique data model is composed of four logical layers built as a single data model. It is this architecture that enables the intelligent sharing of information between the different GRC projects, the elimination of redundancy between risks and controls, and the management of each project separately according to its specific time frame, methodology, workflow and reporting needs.

[Figure: Securitive toolkit: build your own modules]

- The bottom layer is a repository that stores all the entities that are part of the GRC projects, such as organizational units, processes, sub-processes, systems, risks, controls, loss events, scenarios and others.
- The second layer provides tools that enable GRC modelling: the creation of complex relations between the data entities and workflows, thereby facilitating the integrated multi-regulatory concept.
- The third layer is the applications layer for the different GRC modules. Each application is composed of the relevant methodology, functionality and workflow needed for its specific requirements.
- The fourth layer is a shared management layer that enables communication, coordination, and measurement of GRC processes. Authorized users can create and view reports, dashboards, remediation simulations and plans, warnings and notifications, and more.

About Check Point Software Technologies Ltd.

Check Point Software Technologies Ltd. (www.checkpoint.com), worldwide leader in securing the Internet, is the only vendor to deliver Total Security for networks, data and endpoints, unified under a single management framework. Check Point provides customers uncompromised protection against all types of threats, reduces security complexity and lowers total cost of ownership. Check Point first pioneered the industry with FireWall-1 and its patented Stateful Inspection technology. Today, Check Point continues to innovate with the development of the software blade architecture. The dynamic software blade architecture delivers secure, flexible and simple solutions that can be fully customized to meet the exact security needs of any organization or environment. Check Point customers include tens of thousands of businesses and organizations of all sizes, including all Fortune 100 companies. Check Point's award-winning ZoneAlarm solutions protect millions of consumers from hackers, spyware and identity theft.

CHECK POINT OFFICES

Worldwide Headquarters: 5 Ha'Solelim Street, Tel Aviv 67897, Israel. Tel: 972-3-753 4555. Fax: 972-3-624-1100. Email: info@checkpoint.com

U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065. Tel: 800-429-4391; 650-628-2000. Fax: 650-654-4233. URL: http://www.checkpoint.com

2003-2011 Check Point Software Technologies Ltd. All rights reserved.

Check Point, Abra, AlertAdvisor, Application Intelligence, Check Point DLP, Check Point Endpoint Security, Check Point Endpoint Security On Demand, the Check Point logo, Check Point Full Disk Encryption, Check Point Horizon Manager, Check Point Media Encryption, Check Point NAC, Check Point Network Voyager, Check Point OneCheck, Check Point R70, Check Point Security Gateway, Check Point Update Service, Check Point WebCheck, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, DefenseNet, DLP-1, DynamicID, Endpoint Connect VPN Client, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IP Appliances, IPS-1, IPS Software Blade, IPSO, Software Blade, IQ Engine, MailSafe, the More, better, Simpler Security logo, MultiSpect, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Power-1, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, Secure Virtual Workspace, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, SiteManager-1, Smart-1, SmartCenter, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, SmartEvent, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartProvisioning, SmartReporter, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SmartWorkflow, SMP, SMP On-Demand, SofaWare, Software Blade architecture, the softwareblades logo, SSL Network Extender, Stateful Clustering, Total Security, the totalsecurity logo, TrueVector, UserCheck, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Edge, VPN-1 MASS, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VE, VPN-1 VSX, VSX-1, Web Intelligence, ZoneAlarm, ZoneAlarm Antivirus, ZoneAlarm DataLock, ZoneAlarm Extreme Security, ZoneAlarm ForceField, ZoneAlarm Free Firewall, ZoneAlarm Pro, ZoneAlarm Internet Security Suite, ZoneAlarm Security Toolbar, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, 7,165,076, 7,540,013 and 7,725,737 and may be protected by other U.S. Patents, foreign patents, or pending applications.

November 14, 2011