Cloudy Promises - Freedom with Pitfalls (Wolkige Versprechungen - Freiraum mit Tücken)




Cloudy Promises - Freedom with Pitfalls (Wolkige Versprechungen - Freiraum mit Tücken)
Aria_Naderi@bmc.com

Cloudy Promises
In the Wölkchen ("little cloud") data center a few small clouds have by now appeared in the network sky, but a dense cloud cover has not yet been in sight. There, people speak Denglisch. [Denglisch (also Engleutsch, or Germish in English) is a judgemental term from German language purism, used to criticize the increasing use of anglicisms and pseudo-anglicisms in the German language.] Source: http://de.wikipedia.org/wiki/denglisch
Copyright 11/12/2011 BMC Software, Inc 2

Freedom with Pitfalls
The Wölkchen data center has to comply with ever more legal requirements and guidelines, and must prove that it follows them. For this it uses a BSM approach. "Totes Rad" (literally "dead wheel") [in Denglisch = "totesrad"]. You are not a muffin, get out of there! In the case of legal violations, CIOs or IT compliance officers have one foot in prison.

Governance, Risk, & Compliance
Sustained compliance is costly and time consuming:
- IT is responsible for about 50% of the overall regulatory burden
Challenges of managing a comprehensive compliance program:
- Tracking and managing multiple compliance requirements across IT functions and processes
- Identifying risks and controls
- Managing and tracking the testing processes
- Reporting and audit to demonstrate health
In the Wölkchen data center there are no real tools for ITGRC!

What is ITGRC?
Governance:
- Definition and oversight of policies and processes designed to meet objectives and mitigate risks
Risk:
- Identification of exposure to potentially negative consequences, prioritized by impact
Compliance:
- Demonstrable conformance to regulations, policies and processes
"IT and business management leaders worldwide agree that they need a systematic and automated approach to manage Governance, Risk and Compliance" (IDG Research Services, IT Governance, Risk and Compliance survey, January 2010)

Governance and Controls Management
BSM initiatives: IT Governance, Risk and Compliance. Ensure continuous compliance by simplifying, standardizing, and automating IT processes and controls.
- Governance & Controls Management: proactive management of controls and risks
- Configuration Compliance Management: complete visibility into and control of key infrastructure configurations and components
- Software License Management: identify underutilized or over-deployed licenses to avoid waste and operational risk
- Identity Access Governance: assure proper access entitlements based on policies and roles

Compliance Management Lifecycle

Compliance Approach (diagram)
- IT Governance Objective: Sarbanes-Oxley, HIPAA, Basel 2
- Frameworks: CobIT, ITIL, in-house
- Business Processes: business objectives, applications, projects, org, vendors & contracts, skills, services
- Process Activities: application instances, IT processes
- Risks -> Control Objectives -> Controls -> Assess -> Report

Attacking IT Compliance at Two Levels: Program Level and Process Level
Managing Compliance (program level):
- Track and manage across regulations and processes
- Track and manage risks and controls
- Manage and report on periodic compliance testing
Automating and Controlling Key Processes (process level):
- Control and audit server configurations
- Access privileges
- Desktop security
- Change and release processes
- IT project and financial management
Example compliance risks per process, under an overarching IT compliance program (IT Controls Management):
- Datacenter Operations: server configuration, change control
- Network Operations: network security
- Desktop: desktop security
- Apps Development: change and release control
- IT Business Management: project, financial, vendor governance

GRC Example Data Model

Corporate Governance (screenshots): governance objectives, artifact management, scope

Industry Standards: IT processes, alignment, scope, hyperlinks
Industry Standards - Details: framework alignment

IT Processes and IT Processes Details: IT processes, alignment, scope, hyperlinks

IT Control Objects (overview, detail and drilldown): IT infrastructure, dependencies, resources, applications

Risk Assessment
- Workflow: process consistency, ties to other resources, alignment tabs, workflow gates
- Results and Artifacts: process risk connections, risk catalog, risk details and documentation

Controls Catalog
- Staging table transfer: controls created from risk assessment
- Fields shown: frequency, exposure, severity, threat likelihood, risk type, responsibility, status/timing, objective
Sample Control Configuration

Controls Execution and Compliance Monitoring
- Controls execution: procedures, tasks, ownership, attestation, monitoring
- Controls execution: personalization, task management
- Compliance monitoring: exception management, status and filtering

GRC Example Data Model

Dashboard: The Value of Relationships
Users' Views: Assessment Manager's, Tester's
Auditor's View

Backup Slides

BMC Accelerates Compliance

ITBM Dashboard: Consolidated View of Compliance Activities
A fully customizable dashboard shows a consolidated high-level view of all compliance and assessment activity.

ITBM Dashboard: Real-time and Actionable
- Real-time assessment status monitoring
- Actionable charts deliver drill-down capabilities

Quickly see Attestation Details for each Control
Extensive control search capabilities. In this case, auto-populated after clicking on the In Remediation bar in the dashboard. Let's drill in to see detailed information about a particular control assessment.

Control Assessment Details
Here we see information identifying the tester of this control. Quickly drill in to see detailed information about each control and the associated assessment. Below is a summary of the test results for this particular control assessment, including maturity rating, sample size, and remediation comments. In the next tab, we'll see the supporting documentation.

Control Assessment Documentation
Control evidence documents can be attached here. Remediation documents and other supporting documentation can also live with the control assessment in ITBM's centralized repository. End the nightmare of manually managing the evidence-gathering process via emails!

Governance Objective
In the Governance Objective main tab, we can see the overall impact of this objective.

IT Processes
In the IT Process tab, we can see details on all IT processes within the scope of the SOX objective. Let's drill into a specific IT process and see more. IT process definition is critical, as processes link to the risks and controls that GRC must track.

IT Process Details
Ownership and accountability are critical to GRC. Here we can list one or more IT process owners and executive sponsors.
Importance, Health, and Maturity ratings of the control are defined here. Here we can see application instances, business units, and even vendors associated with this IT process!

Risks
Each IT process is associated with one or more risks. Like all ITBM objects, these risks are defined once and then leveraged as often as needed.

Controls
Controls are defined to mitigate the risks to the IT processes. These controls can be defined once and leveraged across multiple governance objectives, thereby reducing duplication of effort.

Assessments
An assessment is simply the process of testing controls and documenting the results. An assessment is defined by its assessment period; only one assessment period is active at any one time per governance objective. Click here when ready to activate a new assessment period.

Activating a New Assessment Period
When ready to launch the next quarter's SOX assessment activities, simply choose it from the list and activate.

Activating a New Assessment Period
When an assessment is run, an alert is sent to all control owners prompting them to test and document the results for their controls.
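The object relationships walked through on the preceding slides (governance objective, IT processes, risks, controls, assessment period), as an added example in Python that is not part of the BMC presentation or of ITBM; the control names, owners and process names are constructed, and the rules encoded (a control defined once and reused across objectives, one active period per objective, control owners alerted on activation) are taken from the slide text:

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Control:
    name: str
    owner: str  # control owner, alerted when an assessment period is activated

@dataclass
class Risk:
    name: str
    controls: list  # controls that mitigate this risk

@dataclass
class ITProcess:
    name: str
    risks: list

@dataclass
class Objective:
    name: str
    processes: list
    periods: dict = field(default_factory=dict)  # period name -> active flag

    def controls(self):
        # Distinct controls in scope: one control may sit behind several risks
        seen = {}
        for p in self.processes:
            for r in p.risks:
                for c in r.controls:
                    seen.setdefault(c.name, c)
        return list(seen.values())

    def activate_period(self, period):
        # Only one period may be active per objective, so close the others first.
        # Returns the control owners who would get the test-and-document alert.
        self.periods = {k: False for k in self.periods}
        self.periods[period] = True
        return sorted({c.owner for c in self.controls()})

def shared_controls(*objectives):
    # Controls reused by more than one objective (defined once, leveraged many times)
    counts = {}
    for o in objectives:
        for c in o.controls():
            counts[c.name] = counts.get(c.name, 0) + 1
    return sorted(n for n, k in counts.items() if k > 1)
# Constructed sample catalog (hypothetical controls, owners and processes)
CHANGE = Control("Change approval before production deploy", "release.mgr")
BASELINE = Control("Server configuration baseline check", "ops.lead")
ACCESS = Control("Quarterly privileged access review", "iam.lead")
SOX = Objective("SOX", [
    ITProcess("Datacenter Operations", [Risk("Unapproved config change", [BASELINE, CHANGE])]),
    ITProcess("Apps Development", [Risk("Uncontrolled release", [CHANGE])])])
HIPAA = Objective("HIPAA", [
    ITProcess("Network Operations", [Risk("Excess access to PHI", [ACCESS, CHANGE])])])
```

Calling `SOX.activate_period("FY2011-Q4")` after an earlier period deactivates that period and returns the owners to notify; `shared_controls(SOX, HIPAA)` lists the controls that both objectives reuse.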

Benefits
- Catalog of all business and IT processes, objectives, risks, and controls
- Leverage objects across objectives to reduce duplication of effort
- Automation of the assessment process
- Centralized evidence repository
- Real-time, at-a-glance compliance status charts
- Reduced cost and time to compliance
- Reduction in fire-drill remediation efforts
- Increased security and increased confidence in compliance program efficacy

Peel Back the Layers: Same Scenarios, More Detail
TBD. Possibly cover DSSA / DSNA Scheduler Setup?

Customer Proof Points
- Cost-effectively manage compliance: eliminated 20 FTEs, saving $3M Euro in the first year
- Reduce audit time: successfully audits 276 servers in less than 3 minutes
- Increase compliance efficiency: asset tracking saved $200,000 over three years
- Reduce the risk of identity access: proactively enforces access for over 80,000 suppliers

Case Study: Medical Device Manufacturer
Challenge:
- Critical SOX and FDA sustained compliance demands
- Struggling to manage in 60-75 separate Excel spreadsheets
- 15 processes, 5 locations, 3500 controls, 5400 control assessments
- 33,000 hours of effort to gather data
- 5 months late
Solution:
- BMC ITBM with IT Controls Management
Benefits:
- Centralized compliance across 5 operating units
- On-time, real-time assessment reporting
- Dramatically lower data collection effort
- Notify and proactively manage through alerts
