Cloudy Promises - Freedom with Pitfalls Aria_Naderi@bmc.com
Cloudy Promises
In the Wölkchen data center, a few little clouds have by now appeared in the network sky, but a dense cloud cover has not yet been in sight. In Wölkchen, people speak Denglisch. [Denglisch (also Engleutsch, Germish (Engl.)) is a judgmental term from German language purism, used to criticize the increased use of Anglicisms and pseudo-Anglicisms in the German language.] Source: http://de.wikipedia.org/wiki/denglisch
Copyright 11/12/2011 BMC Software, Inc
Freedom with Pitfalls
The Wölkchen data center must comply with ever more legal requirements and guidelines, and prove that it does. For this it uses a BSM approach. Totes Rad [in Denglisch = totesrad] You are not a muffin, get out of there! In the event of legal violations, CIOs or IT compliance officers have one foot in prison.
Governance, Risk, & Compliance
Sustained Compliance is Costly and Time Consuming
- IT is responsible for about 50% of overall regulatory burden
Challenges of Managing a Comprehensive Compliance Program
- Tracking and managing multiple compliance requirements across IT functions and processes
- Identifying risks, controls
- Managing & tracking the testing processes
- Reporting and Audit to demonstrate health
The Wölkchen data center has no real tools for ITGRC!
What is ITGRC?
Governance:
- Definition and oversight of policies and processes designed to meet objectives and mitigate risks.
Risk:
- Identification of exposure to potentially negative consequences, prioritized by impact
Compliance:
- Demonstrable conformance to regulations, policies and processes
IT and business management leaders worldwide agree that they need a systematic and automated approach to manage Governance, Risk and Compliance (IDG Research Services, IT Governance, Risk and Compliance survey, January 2010)
Governance and Controls Management
BSM INITIATIVES: IT Governance Risk and Compliance
Ensure continuous compliance by simplifying, standardizing, and automating IT processes and controls
Governance & Controls Management
- Proactive management of controls and risks
Configuration Compliance Management
- Complete visibility into and control of key infrastructure configurations and components
Software License Management
- Identify underutilized or over-deployed licenses to avoid waste and operational risk
Identity Access Governance
- Assure proper access entitlements based on policies and roles
Compliance Management Lifecycle
Compliance Approach (diagram)
IT Governance Objectives: Sarbanes-Oxley, HIPAA, Basel 2
Frameworks: CobIT, ITIL, In-house
Business Processes, Business Objectives, Applications, Projects, Org, Vendors & Contracts, Skills, Services
Process Activities, Application Instances, IT Processes, Risks, Control Objectives, Controls
Assess, Report
Attacking IT Compliance at Two Levels: Program Level and Process Level
Managing Compliance
- Track and manage across regulations and processes
- Track and manage risks and controls
- Manage and report on periodic compliance testing
Automating and Controlling Key Processes
- Control and Audit Server Configurations
- Access Privileges
- Desktop Security
- Change and Release Processes
- IT Project and Financial Management
Example Compliance Risk per process (diagram):
- Datacenter Operations: Server Configuration, Change Control
- Network Operations: Network Security
- Desktop: Desktop Security
- Apps Development: Change and Release Control
- IT Business Management: Project, Financial, Vendor Governance
- Overarching IT Compliance Program: IT Controls Management
GRC Example Data Model
Corporate Governance
Corporate Governance: Governance Objectives, Artifact Management, Scope
Industry Standards: IT Processes Alignment, Scope, Hyperlinks
Industry Standards - Details: Framework Alignment
IT Processes: IT Processes Alignment, Scope, Hyperlinks
IT Processes - Details: IT Processes Alignment, Scope, Hyperlinks
IT Control Objects
IT Control Objects - Detail: IT Infrastructure, Dependencies, Resources, Applications
IT Control Objects - Drilldown: IT Infrastructure, Dependencies, Resources, Applications
Risk Assessment
Risk Assessment - Workflow: Process Consistency, Ties to other Resources, Alignment tabs, Workflow Gates
Risk Assessment Results and Artifacts: Process Risk Connections, Risk Catalog, Risk Details and Documentation
Controls Catalog
Controls Catalog: Staging Table Transfer; Controls Created from Risk Assessment: Frequency, Exposure, Severity, Threat Likelihood, Risk Type, Responsibility, Status/Timing, Objective
Sample Control Configuration
Controls Execution and Compliance Monitoring
Controls Execution: Procedures, Tasks, Ownership, Attestation, Monitoring
Controls Execution: Personalization, Task Management
Compliance Monitoring: Exception Management, Status and Filtering
GRC Example Data Model
Dashboard: The Value of Relationships
User's Views: Assessment Manager's, Tester's
Auditor's View
Backup Slides
BMC Accelerates Compliance
ITBM Dashboard: Consolidated View of Compliance Activities
Fully customizable dashboard shows a consolidated high-level view of all compliance and assessment activity.
ITBM Dashboard: Real-time and Actionable
- Real-time Assessment Status Monitoring
- Actionable Charts deliver Drill-Down Capabilities
Quickly see Attestation Details for each Control
Extensive Control search capabilities. In this case, auto-populated after clicking on the In Remediation bar in the Dashboard. Let's drill in to see detailed information about a particular control assessment.
Control Assessment Details
Here we see information identifying the tester of this control. Quickly drill in to see detailed information about each control and the associated assessment. Below is a summary of the test results for this particular control assessment, including maturity rating, sample size, and remediation comments. In the next tab, we'll see the supporting documentation.
Control Assessment Documentation
Control evidence documents can be attached here. Remediation documents and other supporting documentation can also live with the control assessment in ITBM's centralized repository. End the nightmare of manually managing the evidence gathering process via emails!
Governance Objective
In the Governance Objective main tab, we can see the overall impact of this objective.
IT Processes
In the IT Process tab, we can see details on all IT Processes within the scope of the SOX objective. Let's drill into a specific IT Process and see more. IT Process definitions are critical, as they link to the Risks and Controls that GRC must track.
IT Process Details
Ownership and accountability are critical to GRC. Here we can see one or more IT process owners and executive sponsors. Importance, Health, and Maturity ratings of the control are defined here. Here we can list application instances, business units, and even vendors associated with this IT process!
Risks
Each IT Process is associated with one or more risks. Like all ITBM objects, these risks are defined once and then leveraged as often as needed.
Controls
Controls are defined to mitigate the Risks to the IT Processes. These controls can be defined once and leveraged across multiple governance objectives, thereby reducing duplication of effort.
Assessments
An assessment is simply the process of testing controls and documenting the results. An assessment is defined by the assessment period. Only one assessment period is active at any one time per Governance Objective. Click here when ready to activate a new assessment period.
Activating a New Assessment Period
When ready to launch the next quarter's SOX assessment activities, simply choose it from the list and activate.
Activating a New Assessment Period
When an assessment is run, an alert is sent to all the Control Owners prompting them to test and document the results for their controls.
Benefits
- Catalog of all business and IT processes, objectives, risks, and controls
- Leverage objects across objectives to reduce duplication of effort
- Automation of assessment process
- Centralized evidence repository
- Real-time, at-a-glance compliance status charts
- Reduced cost and time to compliance
- Reduction in fire-drill remediation efforts
- Increased security and increased confidence in compliance program efficacy
Peel Back the Layers: Same Scenarios, More Detail
TBD. Possibly cover DSSA / DSNA Scheduler Setup?
Customer Proof Points
- Cost effectively manage compliance: Eliminated 20 FTEs, saving $3M Euro in the first year
- Reduce audit time: Successfully audits 276 servers in less than 3 minutes
- Increase compliance efficiency: Asset tracking saved $200,000 over three years
- Reduce the risk of identity access: Proactively enforces access for over 80,000 suppliers
Case Study: Medical Device Manufacturer
Challenge
- Critical SOX and FDA sustained compliance demands
- Struggling to manage in 60-75 separate Excel spreadsheets
- 15 Processes, 5 Locations, 3500 controls, 5400 Control Assessments
- 33,000 hours of effort to gather data
- 5 months late
Solution
- BMC ITBM with IT Controls Management
Benefits
- Centralized compliance across 5 operating units
- On-time, real-time assessment reporting
- Dramatically lower data collection effort
- Notify and proactively manage through alerts