The Leader in IT Governance, Risk & Compliance Management




  Six Key Steps for Effective IT Risk
  and Compliance Management
  Take practical steps and use technology to improve quality, efficiency, and value




                                                                           Whitepaper
Six Key Steps for Effective IT Risk and Compliance Management



                      Managing the confluence of IT governance, risk, and compliance
                      Information technology organizations are at the center of three critical business management
                      challenges: Regulation and control, risk management, and cost reduction. Successfully meeting
                      these challenges requires IT to manage several interdependent disciplines. IT organizations manage
                      business critical applications, systems, and processes, and are major participants in keeping the
                      business secure and productive. At the same time they are facing the responsibility for more
                      regulations and corporate policies, multiplying audit requests, ever-present risks, continuous
                      change to meet strategic business goals, and pressures to create new efficiencies and meet cost
                      reduction goals. Within this context, management is asking several critical questions:

                      •   Are we compliant?
                      •   Are we focusing on the risks that really matter to the business?
                      •   Do we have a repeatable and sustainable process for risk and compliance?
                      •   Are we using time, people, and money efficiently?

                      The Key Steps

                      By taking practical, key steps and using technology, IT organizations can answer these questions.
                      They can gain greater control over risk and compliance. They can improve their ability to proactively
                      manage risk and business priorities. At the same time, they can realize efficiencies to manage
                      cost. The key steps to employ are:

                      •   Capture the appropriate assets
                      •   Implement a common control framework
                      •   Automate survey workflow and technical testing
                      •   Quantify and analyze risk
                      •   Take appropriate actions to manage risk
                      •   Provide visibility to support informed decisions.

                      Not all the steps need to be applied at once to achieve improved control, enhanced efficiency,
                      and reduced cost. Start with an immediate project and broaden the scope of assets, regulations,
                      and policies addressed in subsequent projects. By applying these key steps with technology,
                      IT organizations and their companies can effectively:

                      •   Know their compliance position within the changing environment
                      •   Better understand and manage risk that matters
                      •   Effectively use current resources to assess and manage more compliance and risk requirements
                      •   Drive lower cost with sustainable processes and better quality information
                      •   Provide visibility to enable informed decisions at all organizational levels.

                      IT organizations can take better advantage of the inter-relationships between risk and compliance,
                      achieve greater control over both, drive down cost, and make resources more productive.


© Agiliance, Inc.




                    Key step 1: Capture the appropriate assets

                    In order to test controls and assess risks, organizations need to know which assets to include.
                    Assets are any entity subject to a policy or control objective. These include people, processes
                    and technology, as well as facilities and buildings. Assets can also include external services and
                    third party vendors.

                    Build the asset inventory in two steps:

                    •   Collect asset information. Leverage the many databases, systems, and documents already
                        holding asset information.
                    •   Classify and group assets by their attributes. Attributes are the characteristics and
                        properties that describe an asset, such as location, operating system, business process,
                        division, business owner, and the like.
                        •    Document relationships and dependencies among the assets. For example, an
                             application has a relationship with the computer it runs on and the data center
                             where it resides.
                        •    Classify assets based on their criticality to the business and relevant business
                             processes. For example, a consumer application that contains private customer
                             information would most likely have a higher criticality ranking than a business
                             application that contains no confidential information.
                    •   Profile each asset for confidentiality, integrity, and availability risk.
                    •   Use an automated survey workflow tool to gather asset classification information and to
                        provide up-to-date information for the assets under consideration.

                    To capture the assets under consideration, use technology that supports:

                    •   Dynamic updates, bulk loading, and manual additions/changes
                    •   Automatic synchronization with the many existing systems already deployed
                    •   Assets belonging to more than one virtual group
                    •   Asset groupings enabling policies and their associated controls to be applied to a group as a whole
                    •   Dynamic addition of new assets to a group and their automatic inheritance of policies associated
                        with that group
                    •   Support for on-the-fly group creation

                    Once assets, their classification information, and their virtual groupings are in the repository,
                    assessment and audit managers can create projects that address just the set of assets under
                    consideration, for example, just the business applications of the enterprise.
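An asset repository with the properties listed above, as an added example in Python (not Agiliance code and not the IT-GRC platform's data model): attribute-based virtual groups evaluated on demand, so an asset added later automatically lands in every group it matches and inherits that group's policies; dependency relationships recorded per asset; and a criticality ranking that follows the most sensitive data handled by anything depending on the asset, which is how a data center hosting a customer-facing application ends up ranked as highly as the application. The asset identifiers, policy names, data-classification ranks, and group predicates are assumptions made for the example.

```python
"""Asset repository with attribute-based virtual groups, policy inheritance, and
criticality derived from dependencies. Added example, not Agiliance code; the
assets, groups, and policy names below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Assumed ordering of data classifications, lowest sensitivity first.
DATA_RANK = {"public": 0, "internal": 1, "confidential": 2, "customer-private": 3}
CRITICALITY = {0: "low", 1: "medium", 2: "high", 3: "high"}


@dataclass
class Asset:
    asset_id: str
    kind: str                        # application, server, facility, vendor, ...
    attributes: Dict[str, str]       # location, os, business_process, data_class, owner, ...
    depends_on: Set[str] = field(default_factory=set)


@dataclass
class Group:
    name: str
    predicate: Callable[[Asset], bool]   # membership is evaluated on demand, not stored
    policies: Set[str] = field(default_factory=set)


class AssetRepository:
    def __init__(self) -> None:
        self.assets: Dict[str, Asset] = {}
        self.groups: Dict[str, Group] = {}

    def add_asset(self, asset: Asset) -> None:
        # A dependency on an asset nobody has inventoried is an inventory gap; refuse it.
        missing = asset.depends_on - set(self.assets)
        if missing:
            raise ValueError(f"{asset.asset_id} depends on unknown assets {sorted(missing)}")
        self.assets[asset.asset_id] = asset

    def define_group(self, group: Group) -> None:
        self.groups[group.name] = group

    def members(self, group_name: str) -> List[str]:
        # Dynamic membership: an asset added later lands in every group whose predicate it matches.
        pred = self.groups[group_name].predicate
        return sorted(a.asset_id for a in self.assets.values() if pred(a))

    def groups_of(self, asset_id: str) -> List[str]:
        asset = self.assets[asset_id]
        return sorted(g.name for g in self.groups.values() if g.predicate(asset))

    def policies_for(self, asset_id: str) -> Set[str]:
        # Policy inheritance: the union of the policies of every group the asset belongs to.
        return set().union(*(self.groups[g].policies for g in self.groups_of(asset_id)))

    def dependents(self, asset_id: str) -> Set[str]:
        # Transitive reverse dependencies: everything that stops working if asset_id does.
        found: Set[str] = set()
        stack = [asset_id]
        while stack:
            current = stack.pop()
            for a in self.assets.values():
                if current in a.depends_on and a.asset_id not in found:
                    found.add(a.asset_id)
                    stack.append(a.asset_id)
        return found

    def criticality(self, asset_id: str) -> str:
        # An asset is as critical as the most sensitive data that depends on it, so a
        # data center hosting a customer-facing application inherits that application's rank.
        ids = {asset_id} | self.dependents(asset_id)
        rank = max(DATA_RANK[self.assets[i].attributes.get("data_class", "public")] for i in ids)
        return CRITICALITY[rank]


def build_sample_repository() -> AssetRepository:
    """Constructed sample inventory: one facility, one server, two applications, one vendor."""
    repo = AssetRepository()
    repo.add_asset(Asset("dc-sj", "facility", {"location": "san-jose", "data_class": "public"}))
    repo.add_asset(Asset("srv-web-01", "server",
                         {"location": "san-jose", "os": "linux", "data_class": "internal"}, {"dc-sj"}))
    repo.add_asset(Asset("app-storefront", "application",
                         {"business_process": "retail", "data_class": "customer-private"}, {"srv-web-01"}))
    repo.add_asset(Asset("app-wiki", "application",
                         {"business_process": "engineering", "data_class": "internal"}, {"srv-web-01"}))
    repo.add_asset(Asset("vendor-payroll", "vendor",
                         {"business_process": "hr", "data_class": "confidential"}))
    repo.define_group(Group("business-applications", lambda a: a.kind == "application",
                            {"SDLC-POL", "ACCESS-POL"}))
    repo.define_group(Group("customer-data", lambda a: a.attributes.get("data_class") == "customer-private",
                            {"PRIVACY-POL"}))
    repo.define_group(Group("san-jose", lambda a: a.attributes.get("location") == "san-jose",
                            {"PHYSICAL-POL"}))
    return repo


if __name__ == "__main__":
    repo = build_sample_repository()
    for asset_id in repo.assets:
        print(asset_id, repo.groups_of(asset_id), sorted(repo.policies_for(asset_id)),
              repo.criticality(asset_id))
```

Because membership is a predicate rather than a stored list, "on-the-fly group creation" is just defining a new predicate, and a project scoped to "just the business applications" is `members("business-applications")` evaluated at the moment the project is created.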




                     Key step 2: Implement a common control framework

                     Today, most regulations are managed independently. Because of the extensive overlap among
                     regulatory policies, and therefore in policy controls, this approach is cumbersome and redundant.
                     It is also complex and expensive.

                     While some organizations maintain custom control sets, others have been able to take advantage
                     of standard frameworks such as COBIT, NIST, and ISO 17799/27001. In some cases, organizations
                     apply a specific standard control framework to a specific regulation. Examples are: COBIT
                     for Sarbanes-Oxley, NIST 800-53 for HIPAA, and FFIEC for GLBA. In others, they apply a mix of
                     standards-based and custom controls. Using standard frameworks has aided organizations by
                     reducing the overhead required to develop and maintain custom controls.

                     But there is still more benefit to realize. A significant number of specific control requirements
                     are common across several frameworks. For example, COBIT, NIST 800-53, and FFIEC share a
                     significant number of common controls.

                     To further reduce cost and complexity and improve risk management effectiveness a key step is
                     to employ a common control framework. By using a common control framework, one assessment,
                     rather than multiple, will suffice to certify against any number of regulations.

                     A common control framework supports:

                     • Mapping of controls from ISO 17799/27001, COBIT, COSO, NIST, FFIEC, and GAISP, among
                       others, as well as custom-built controls, to one common set of controls
                     • Maintenance of the relationship between a common control and the corresponding
                       regulation-specific control in the standard, simplifying change management.

                     In building a common control framework, use technology that:

                     • Includes a broad and extensible content library that automatically maps regulatory policy to
                       control rules
                     • Maps custom-built controls to the common control framework
                     • Simplifies version control and change management
                     • Provides views of the common control set through the filter of a particular regulation or
                       internal policy set.




                    The common control framework simplifies the process because there are fewer controls to test
                    and separate assessments per regulation are unnecessary. Cost is lower because more work gets
                    done faster with potentially fewer people. Now the business can test once and certify against
                    many regulations. The mapping is only as good as its granularity: where two regulations set
                    different thresholds for the same subject (a log retention period, an account lockout interval),
                    the common control must carry the stricter value or be split in two, or a single "pass" will
                    certify a requirement that was never actually tested.

                    Key step 3: Automate survey workflow and technical testing

                    Commonly, risk assessments and compliance testing use manual processes and personal
                    interviews. The tools are e-mail, paper, and spreadsheets.

                    These manual processes and tools are difficult to manage and error prone. They are typically
                    costly, time consuming, confusing and complex. Results become obsolete because manual test-
                    ing per regulation is typically done only once a year and it is not practical to share results across
                    regulations.

                    Automating survey workflow

                    Automate the survey process to increase the quality and timeliness of controls testing while
                    simplifying the effort and lowering the cost. Use technology that not only automates the survey
                    workflow but also provides the content necessary to build surveys.

                    Select technology that:

                    • Provides an authoring tool to dynamically create and edit surveys
                    • Supports the creation and implementation of automated workflow, including:
                        •    The distribution of surveys to business or process owners and the collection and
                             collation of data
                        •    Management of delegation and escalation, review and approval cycles, as well as
                             reminders and user awareness/training
                        •    On-line help within the survey itself.

                    Survey process automation used with a common control framework and asset repository can
                    dramatically reduce errors, increase response quality, and cut the time to complete the survey
                    work. These benefits accrue to all involved, including project managers, respondents, auditors,
                    and management, allowing an increase in survey frequency for a nominal cost.

                    Integrating and automating technical controls

                    Computing assets, hardware, software, and the like, are generally subject to technical controls
                    that can be monitored automatically. Automated testing can be performed frequently, even continuously.

                    Use a technology that easily integrates with already deployed systems such as scanners (for
                    example, Nessus Security Scanner) and other monitoring systems (for example, Symantec Enterprise
                    Security Manager™). Ensure that the automation technology can connect remotely without the
                    use of an agent running on the servers or hosts, to avoid the complexity and cost of managing
                    hosted agents on large numbers of servers. Agentless collection still needs credentials on every
                    target: keep them scoped to read-only checks and vaulted, because a compliance collector holding
                    administrative access to every host is itself a high-criticality asset.

                    Coupling automated survey workflow and technical controls

                    Full automation, while desirable, is not achievable: many objectives depend on controls that
                    involve a combination of manual and technical checks. However, by using a technology that
                    supports both automated survey workflow and technical testing, and seamlessly combines the
                    data from each, a truer view of risk and compliance is obtained. By combining the results of
                    both methods, the organization achieves a compliance and risk picture that is more complete,
                    accurate, and up to date, as well as less costly to develop.
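The "test once, certify against many" mechanism of Step 2, fed by the combined survey and technical evidence of Step 3, as an added Python example (not Agiliance code): a many-to-one mapping from regulation-specific controls onto common controls, evidence collected once per common control from either a survey answer or a scanner result, one verdict per common control, and the compliance position viewed through the filter of each regulation. The regulation prefixes, control shorthand, evidence records and asset names are constructed for illustration and are not a reproduction of any framework's mapping.

```python
"""Common control framework: many regulation-specific controls map to one common
control, evidence is collected once per common control (survey answers and
technical test results), and compliance is reported per regulation. Added
example, not Agiliance code; the mapping, control shorthand, and evidence below
are constructed for illustration, not a reproduction of any standard."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Common control -> regulation-specific controls it satisfies ("REGULATION:control").
COMMON_TO_REGULATION: Dict[str, List[str]] = {
    "CC-01": ["SOX:DS5.4", "HIPAA:AC-2", "GLBA:AC-1"],    # access granted only by documented approval
    "CC-02": ["HIPAA:AC-2", "PCI:8.1.4"],                  # inactive accounts disabled
    "CC-03": ["SOX:AI6", "HIPAA:SI-2", "PCI:6.2"],         # patches applied within the defined window
    "CC-04": ["HIPAA:AU-11", "PCI:10.7"],                  # audit logs retained for the required period
}


@dataclass(frozen=True)
class Evidence:
    common_control: str
    asset: str
    source: str       # "survey" (manual self-assessment) or "scanner" (automated technical test)
    passed: bool
    detail: str = ""


def regulation_to_common() -> Dict[str, List[str]]:
    """Invert the mapping: which common controls must pass for each regulation control."""
    inverse: Dict[str, List[str]] = defaultdict(list)
    for cc, reg_controls in COMMON_TO_REGULATION.items():
        for rc in reg_controls:
            inverse[rc].append(cc)
    return dict(inverse)


def common_control_status(evidence: List[Evidence]) -> Dict[str, str]:
    """One verdict per common control: 'untested' with no evidence, 'fail' if any
    evidence item failed on any asset, otherwise 'pass'."""
    by_cc: Dict[str, List[Evidence]] = defaultdict(list)
    for e in evidence:
        by_cc[e.common_control].append(e)
    status = {}
    for cc in COMMON_TO_REGULATION:
        items = by_cc.get(cc, [])
        if not items:
            status[cc] = "untested"
        else:
            status[cc] = "pass" if all(i.passed for i in items) else "fail"
    return status


def regulation_view(regulation: str, evidence: List[Evidence]) -> Dict[str, Tuple[str, List[Evidence]]]:
    """The common control set seen through one regulation: each of its controls with the
    derived verdict and the failing evidence behind it. A regulation control fails if
    any common control it depends on fails, and is untested if any is untested."""
    cc_status = common_control_status(evidence)
    view = {}
    for reg_control, ccs in regulation_to_common().items():
        if not reg_control.startswith(regulation + ":"):
            continue
        verdicts = {cc_status[cc] for cc in ccs}
        verdict = "fail" if "fail" in verdicts else "untested" if "untested" in verdicts else "pass"
        failing = [e for e in evidence if e.common_control in ccs and not e.passed]
        view[reg_control] = (verdict, failing)
    return view


def compliance_summary(evidence: List[Evidence]) -> Dict[str, Dict[str, int]]:
    """Pass/fail/untested counts per regulation, all derived from the same evidence."""
    regulations = sorted({rc.split(":")[0] for rcs in COMMON_TO_REGULATION.values() for rc in rcs})
    summary = {}
    for reg in regulations:
        counts = {"pass": 0, "fail": 0, "untested": 0}
        for verdict, _ in regulation_view(reg, evidence).values():
            counts[verdict] += 1
        summary[reg] = counts
    return summary


def regulations_affected_by(common_control: str) -> Set[str]:
    """Every regulation control whose verdict changes when this one assessment changes."""
    return set(COMMON_TO_REGULATION[common_control])


# Constructed evidence: two survey answers and three scanner results, collected once.
SAMPLE_EVIDENCE = [
    Evidence("CC-01", "app-storefront", "survey", True, "owner approval recorded in ticket workflow"),
    Evidence("CC-02", "app-storefront", "survey", True, "quarterly inactive-account review completed"),
    Evidence("CC-03", "srv-web-01", "scanner", False, "kernel package two release cycles behind"),
    Evidence("CC-03", "srv-web-02", "scanner", True),
    Evidence("CC-04", "srv-web-01", "scanner", True, "retention configured at 365 days"),
]

if __name__ == "__main__":
    print(common_control_status(SAMPLE_EVIDENCE))
    for reg, counts in compliance_summary(SAMPLE_EVIDENCE).items():
        print(reg, counts)
    print("one failed patch check touches:", sorted(regulations_affected_by("CC-03")))
```

The single failed patch check on `srv-web-01` surfaces at once as a SOX, a HIPAA and a PCI finding, which is the point of the shared framework; the same inversion also shows that a regulation control with no evidence behind any of its common controls stays "untested" rather than silently passing.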

                    Key step 4: Quantify and analyze risk
                    Business strategy and practice require taking controlled risks based on the business's risk tolerance
                    and maximizing risk-adjusted returns. The same principles apply for managing IT risk and compliance.

                    By identifying and quantifying risk, organizations can make more informed decisions and take
                    more appropriate actions.

                    To quantify risk, identify threats and vulnerabilities against assets, apply likelihood, exposure,
                    and criticality measures, and calculate risk scores for the assets using established and accepted
                    methodologies. Later, rather than treating everything the same, actions can be tailored according
                    to an asset's risk score and its potential damage and cost to the business.

                    Quality risk metrics support objective analysis that drives better decisions; help focus resources
                    on the most important risks; and allow organizations to set objectives and track risk and
                    compliance trends against these over time.




                    To quantify risk use technology that:

                    •   Uses standard methodologies and well-accepted scoring guidelines from standards organizations
                        such as BITS, ISO, and NIST to generate meaningful risk metrics
                    •   Accounts for risk propagated through asset dependencies, for example, the risk associated with the
                        data center is propagated to applications that run inside it
                    •   Keeps risk and compliance scores current by using both automated technical testing and manual
                        self-assessment at the appropriate frequency
                    •   Clearly traces risk to its cause, such as a failure of a particular control, a new unmitigated threat, or
                        increase in risk of a related asset.

                    By using the right approach and technology a business can build a comprehensive, quantified
                    picture of risk, make informed decisions, and manage risk for the best business outcome.

                    Key Step 5: Take appropriate actions to manage risk
                    Risk scores provide decision-makers with insight and visibility. Once the business knows which risks
                    matter, the next step is to take action to manage those risks. Actions include:

                        •   Transferring a risk to another entity
                        •   Avoiding a risk
                        •   Reducing the negative effect of a risk
                        •   Accepting some or all of the consequences of a risk.

                    In addition to using relative risk scores, IT organizations can employ economic impact
                    measures such as the Annual Loss Expectancy (ALE), the expected loss per occurrence multiplied
                    by the expected number of occurrences per year, to further optimize the allocation of their
                    resources to prioritized risks.
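Steps 4 and 5 in code, as an added Python example (not Agiliance code): risk scores from likelihood, exposure and criticality; propagation through the dependency graph so an application inherits a share of the risk of the server and data center beneath it; a trace from every score back to the failed control or threat that caused it; and ALE-based prioritisation with a simple mitigation decision. The criticality weights, the 0.8 propagation factor, the treatment of likelihood as the annualized rate of occurrence, and every asset value and finding are assumptions for the example.

```python
"""Risk scoring with dependency propagation and ALE-based prioritisation.
Added example, not Agiliance code; weights, propagation factor, asset values and
findings are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CRIT_WEIGHT = {"low": 0.4, "medium": 0.7, "high": 1.0}   # assumed criticality weights
PROPAGATION = 0.8   # assumed share of a dependency's risk inherited by the assets built on it


@dataclass
class Asset:
    asset_id: str
    criticality: str
    value: float                                # business value in dollars, used for SLE
    depends_on: List[str] = field(default_factory=list)


@dataclass
class Finding:
    asset: str
    cause: str          # the failed control or unmitigated threat, so the score stays traceable
    likelihood: float   # 0..1; treated here as the annualised rate of occurrence (assumption)
    exposure: float     # 0..1 exposure factor: share of the asset's value lost per occurrence


class RiskModel:
    def __init__(self, assets: List[Asset], findings: List[Finding]) -> None:
        self.assets = {a.asset_id: a for a in assets}
        self.findings = findings
        for a in assets:
            for dep in a.depends_on:
                if dep not in self.assets:
                    raise ValueError(f"{a.asset_id} depends on unknown asset {dep}")

    def intrinsic(self, asset_id: str) -> Tuple[float, Optional[Finding]]:
        """Score 0..100 from the asset's own worst finding: likelihood x exposure x criticality."""
        weight = CRIT_WEIGHT[self.assets[asset_id].criticality]
        best, worst = 0.0, None
        for f in self.findings:
            if f.asset == asset_id:
                score = round(100 * f.likelihood * f.exposure * weight, 2)
                if score > best:
                    best, worst = score, f
        return best, worst

    def effective(self, asset_id: str, _path: Tuple[str, ...] = ()) -> Tuple[float, dict]:
        """Propagated score: the higher of the asset's own score and PROPAGATION times the
        effective score of each dependency, with a trace back to the originating finding."""
        if asset_id in _path:
            raise ValueError("dependency cycle: " + " -> ".join(_path + (asset_id,)))
        score, finding = self.intrinsic(asset_id)
        trace = {"origin": asset_id, "cause": finding.cause if finding else "no findings",
                 "path": [asset_id]}
        for dep in self.assets[asset_id].depends_on:
            dep_score, dep_trace = self.effective(dep, _path + (asset_id,))
            inherited = round(PROPAGATION * dep_score, 2)
            if inherited > score:
                score = inherited
                trace = {**dep_trace, "path": [asset_id] + dep_trace["path"]}
        return score, trace

    def ale(self, f: Finding) -> float:
        """Annual loss expectancy = SLE (value x exposure factor) x annualised rate of occurrence."""
        return round(self.assets[f.asset].value * f.exposure * f.likelihood, 2)

    def prioritized(self) -> List[Tuple[str, str, float, float]]:
        """Findings ordered by ALE, with the asset's relative score alongside for comparison."""
        rows = [(f.asset, f.cause, self.effective(f.asset)[0], self.ale(f)) for f in self.findings]
        return sorted(rows, key=lambda r: r[3], reverse=True)


def worth_mitigating(model: RiskModel, f: Finding, annual_cost: float, expected_reduction: float) -> bool:
    """Fund a mitigation when the ALE it is expected to remove exceeds its yearly cost."""
    return model.ale(f) * expected_reduction > annual_cost


def sample_model() -> RiskModel:
    """Constructed sample: a data center, a server in it, and two applications on the server."""
    assets = [
        Asset("dc-sj", "high", 5_000_000),
        Asset("srv-web-01", "medium", 50_000, ["dc-sj"]),
        Asset("app-storefront", "high", 2_000_000, ["srv-web-01"]),
        Asset("app-wiki", "low", 20_000, ["srv-web-01"]),
    ]
    findings = [
        Finding("dc-sj", "PHY-04 generator maintenance overdue", 0.2, 0.5),
        Finding("srv-web-01", "CC-03 kernel unpatched beyond window", 0.6, 0.7),
        Finding("app-storefront", "CC-02 inactive accounts not disabled", 0.3, 0.4),
    ]
    return RiskModel(assets, findings)


if __name__ == "__main__":
    model = sample_model()
    for asset_id in model.assets:
        score, trace = model.effective(asset_id)
        print(f"{asset_id:15} score={score:6.2f} via {' -> '.join(trace['path'])}: {trace['cause']}")
    for asset, cause, score, ale in model.prioritized():
        print(f"ALE ${ale:>10,.0f}  score={score:5.2f}  {asset}: {cause}")
```

Two things the numbers show: the storefront application carries no high-scoring finding of its own, yet its effective score (23.52) traces to the unpatched server beneath it, which is the propagation the text asks for; and the relative score ranks the server first while ALE ranks the data center first, which is why the text pairs the two measures rather than relying on either alone. The ALE here counts only the finding's own asset value; a fuller model would add the losses that the same outage causes in the assets that depend on it.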

                    Taking action on risk typically involves change management: A configuration change, a procedural
                    change, or the development and deployment of a new policy and/or new controls to name a few.
                    These changes must be defined, planned, approved, communicated, executed and verified.

                    Over time, the organization will see the effectiveness of its preventive and corrective actions
                    through periodic risk assessments and controls testing as well as through its business results.

                    Select a technology that supports trouble ticketing and/or integrates easily with an existing trouble
                    ticket management tool already in place. Ensure that the links between prioritized risk, actions and
                    results can be tracked and completed.

                    Key step 6: Provide visibility to support informed decisions
                    The most up-to-date risk data is of little value to an organization if it cannot be communicated
                    effectively to decision makers. Well-organized and effectively formatted information is powerful.
                    Providing business owners, executives, and operational teams with access to the broad risk and
                    control picture, laid out for easy viewing and interpretation, eliminates surprise and allows
                    thoughtful action to address above-tolerance conditions.








                    Use a comprehensive, intuitive, graphical web-based dashboard tool to build customized views for
                    access by authorized users anywhere at any time. Choose technology that provides:

                        •   Access control, integrating easily with enterprise directories as needed
                        •   Scheduled and dynamic reports and dashboards
                        •   Graphical display of summary information relevant to each user's needs and role in the
                            organization, for example, executive, business unit manager, analyst, and internal auditor
                        •   Capabilities to easily drill down to any level to ascertain root cause or explore underlying
                            details.

                    Because the dashboard concentrates every known control failure and unmitigated risk in one
                    place, its access control deserves the same scrutiny as the assets it reports on: scope views by
                    role, and tie accounts to the enterprise directory so that access ends when the role does.

                    Providing visibility through flexible, interactive dashboards supports:

                        •   Easier audits because reports are ready when needed
                        •   Better decisions at all levels because customized management and operational views are
                            accessible any time, any place
                        •   Improved governance because executives get the big picture and the detail they need to
                            drive policy down throughout the business as well as provide transparency up to the board
                            level
                        •   Better learning and improvement because managers, organizations, and teams can see
                            compliance and risk trends over time.




                    Continuous visibility into risk and compliance status and trends is a powerful tool to provide
                    transparency to auditors, executives, and boards of directors as well as improve risk-adjusted
                    business results and provide compliance peace of mind.







                      The Benefits to IT Risk and Compliance Management

                      Information technology is a key business function standing at the center of the confluence of three
                      critical management challenges:

                          •   Regulatory control
                          •   Risk management
                          •   Cost reduction.

                      Regulatory and policy requirements are escalating. Unknown threats and vulnerabilities lurk
                      everywhere. Continuous change to the environment, people, and processes is normal. Cost pressure
                      is constant.

                      By applying some or all of the key steps and using a scalable, easily integrated technology platform,
                      IT organizations can meet these hard-to-control challenges and, by doing so, effectively manage
                      the confluence of compliance, risk, and cost reduction. As a result they will:

                          •   Know their compliance position continuously, as the environment changes
                          •   Understand and manage risk that matters to the business
                          •   Effectively use current resource levels to manage growing risk and compliance
                              requirements
                          •   Sustain lower cost through sustainable processes and better quality information
                          •   Provide visibility to enable informed decisions at all levels of the enterprise.







                  IT organizations can start today, through the application of these key steps and technology, such
                  as the Agiliance IT-GRC platform, to leverage the inter-relationships between compliance, risk, and
                  cost reduction to drive results for the IT organization, the business at large, regulators, and other
                  external stakeholders.


                  About Agiliance IT-GRC
                  The Agiliance IT-GRC platform is the first software product to comprehensively address the inte-
                  grated requirements of Information Technology Governance, Risk, and Compliance. The Platform
                  is explicitly designed to assist organizations to deliver compliance peace of mind, manage risk, and
                  reduce costs by:

                      •   Streamlining the management of policies and controls through standards and a common
                          control framework
                      •   Automating survey workflow and technical testing
                      •   Integrating easily with existing systems to connect previously isolated elements into a
                          comprehensive and productive environment for compliance and risk management
                      •   Quantifying and prioritizing risk to support informed decisions and actions
                      •   Providing up-to-date, broad visibility and transparency to managers, executives, and
                          operational teams, leading to enhanced governance and business decision-making

                  The Agiliance IT-GRC platform is an indispensable tool for managing IT governance, risk, and
                  compliance with less time, at a lower cost, and with more effectiveness.




Agiliance, Inc.              17 North First Street                           p: 08.00.000
                             Suite 00                                         f: 08.00.001
                             San Jose, CA 9511                                www.agiliance.com

IBM Banking: Automated Systems help meet new Compliance RequirementsIBM Banking
 
Fixnix GRC Suite A Glance
Fixnix GRC Suite A GlanceFixnix GRC Suite A Glance
Fixnix GRC Suite A GlanceFixNix Inc.,
 
It asset management_wp
It asset management_wpIt asset management_wp
It asset management_wpwardell henley
 
Enterprise Risk Management Solutions
Enterprise Risk Management SolutionsEnterprise Risk Management Solutions
Enterprise Risk Management SolutionsLexComply
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationMcKonly & Asbury, LLP
 
Controls in Audit.pptx
Controls in Audit.pptxControls in Audit.pptx
Controls in Audit.pptxHardikKundra
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit ProcessRam Srivastava
 
Xero Risk Product Presentation V3.2
Xero Risk   Product Presentation V3.2Xero Risk   Product Presentation V3.2
Xero Risk Product Presentation V3.2Carl Booth
 
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practice
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practiceJohn Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practice
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practiceitSMF UK
 
IT Risk Management & Compliance
IT Risk Management & ComplianceIT Risk Management & Compliance
IT Risk Management & Compliancerhanna11
 
Conceptual security architecture
Conceptual security architectureConceptual security architecture
Conceptual security architectureMubashirAslam5
 
Governance Strategies & Tools for Cloud Formation
Governance Strategies & Tools for Cloud Formation Governance Strategies & Tools for Cloud Formation
Governance Strategies & Tools for Cloud Formation Amazon Web Services
 
Charting Your Path to Enterprise Key Management
Charting Your Path to Enterprise Key ManagementCharting Your Path to Enterprise Key Management
Charting Your Path to Enterprise Key ManagementSafeNet
 
Data Governance: Description, Design, Delivery
Data Governance: Description, Design, DeliveryData Governance: Description, Design, Delivery
Data Governance: Description, Design, DeliveryInnoTech
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework  isc2 quanticoNist cybersecurity framework  isc2 quantico
Nist cybersecurity framework isc2 quanticoTuan Phan
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting   itweb workshopSLVA - Security monitoring and reporting   itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA Information Security
 

Semelhante a Agiliance Wp Key Steps (20)

TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public Sector
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public Sector
 
IBM Banking: Automated Systems help meet new Compliance Requirements
IBM Banking: Automated Systems help meet new Compliance RequirementsIBM Banking: Automated Systems help meet new Compliance Requirements
IBM Banking: Automated Systems help meet new Compliance Requirements
 
Fixnix GRC Suite A Glance
Fixnix GRC Suite A GlanceFixnix GRC Suite A Glance
Fixnix GRC Suite A Glance
 
GRC in Australia slides
GRC in Australia slidesGRC in Australia slides
GRC in Australia slides
 
It asset management_wp
It asset management_wpIt asset management_wp
It asset management_wp
 
Enterprise Risk Management Solutions
Enterprise Risk Management SolutionsEnterprise Risk Management Solutions
Enterprise Risk Management Solutions
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
Controls in Audit.pptx
Controls in Audit.pptxControls in Audit.pptx
Controls in Audit.pptx
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit Process
 
Xero Risk Product Presentation V3.2
Xero Risk   Product Presentation V3.2Xero Risk   Product Presentation V3.2
Xero Risk Product Presentation V3.2
 
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practice
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practiceJohn Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practice
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practice
 
IT Risk Management & Compliance
IT Risk Management & ComplianceIT Risk Management & Compliance
IT Risk Management & Compliance
 
Conceptual security architecture
Conceptual security architectureConceptual security architecture
Conceptual security architecture
 
Governance Strategies & Tools for Cloud Formation
Governance Strategies & Tools for Cloud Formation Governance Strategies & Tools for Cloud Formation
Governance Strategies & Tools for Cloud Formation
 
Charting Your Path to Enterprise Key Management
Charting Your Path to Enterprise Key ManagementCharting Your Path to Enterprise Key Management
Charting Your Path to Enterprise Key Management
 
Data Governance: Description, Design, Delivery
Data Governance: Description, Design, DeliveryData Governance: Description, Design, Delivery
Data Governance: Description, Design, Delivery
 
2 Day MOSTI Workshop
2 Day MOSTI Workshop2 Day MOSTI Workshop
2 Day MOSTI Workshop
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework  isc2 quanticoNist cybersecurity framework  isc2 quantico
Nist cybersecurity framework isc2 quantico
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting   itweb workshopSLVA - Security monitoring and reporting   itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 

Último

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 

Agiliance Wp Key Steps

manage risk and business priorities. At the same time, they can realize efficiencies to manage cost. The key steps to employ are:

•   Capture the appropriate assets
•   Implement a common control framework
•   Automate survey workflow and technical testing
•   Quantify and analyze risk
•   Take appropriate actions to manage risk
•   Provide visibility to support informed decisions.

Not all the steps need be applied at once to achieve improved control, enhanced efficiency, and reduced cost. Start with an immediate project and broaden the scope of assets, regulations, and policies addressed in subsequent projects.

By applying these key steps with technology, IT organizations and their companies can effectively:

•   Know their compliance position within the changing environment
•   Better understand and manage the risk that matters
•   Use current resources to assess and manage more compliance and risk requirements
•   Drive lower cost with sustainable processes and better quality information
•   Provide visibility to enable informed decisions at all organizational levels.

IT organizations can take better advantage of the inter-relationships between risk and compliance, achieve greater control over both, drive down cost, and make resources more productive.

© Agiliance, Inc.
Key step 1: Capture the appropriate assets

In order to test controls and assess risks, organizations need to know which assets to include. Assets are any entity subject to a policy or control objective. These include people, processes, and technology, as well as facilities and buildings. Assets can also include external services and third-party vendors. Build the asset inventory in stages:

•   Collect asset information. Leverage the many databases, systems, and documents already holding asset information.
•   Classify and group assets by their attributes. Attributes are the characteristics and properties that describe an asset, such as location, operating system, business process, division, the business owner, and the like.
•   Document relationships and dependencies among the assets. For example, an application has a relationship with the computer it runs on and the data center where it resides.
•   Classify assets based on their criticality to the business and to relevant business processes. For example, a consumer application that contains private customer information would most likely have a higher criticality ranking than a business application that contains no confidential information.
•   Profile each asset for confidentiality, integrity, and availability risk.
•   Use an automated survey workflow tool to gather asset classification information and to provide up-to-date information for the assets under consideration.

To capture the assets under consideration, use technology that supports:

•   Dynamic updates, bulk loading, and manual additions/changes
•   Automatic synchronization with the many existing systems already deployed
•   Assets belonging to more than one virtual group
•   Asset groupings enabling policies and their associated controls to be applied to a group as a whole
•   Dynamic addition of new assets to a group and their automatic inheritance of policies associated with that group
•   Support for on-the-fly group creation

Once assets, their classification information, and their virtual groupings are in the repository, assessment and audit managers can create projects that address just the set of assets under consideration, for example, just the business applications of the enterprise.
Key step 2: Implement a common control framework

Today, most regulations are managed independently. Because of the extensive overlap among regulatory policies, and therefore in policy controls, this approach is cumbersome and redundant. It is also complex and expensive. While some organizations maintain custom control sets, others have been able to take advantage of standard frameworks such as COBIT, NIST, and ISO 17799/27001. In some cases, organizations apply a specific standard control framework to a specific regulation. Examples are: COBIT for Sarbanes-Oxley, NIST 800-53 for HIPAA, and FFIEC for GLBA. In others, they apply a mix of standards-based and custom controls.

Using standard frameworks has aided organizations by reducing the overhead required to develop and maintain custom controls. But there is still more benefit to realize. A significant number of specific control requirements are common across several frameworks. For example, COBIT, NIST 800-53, and FFIEC share a significant number of common controls. To further reduce cost and complexity and improve risk management effectiveness, a key step is to employ a common control framework. By using a common control framework, one assessment, rather than multiple, will suffice to certify against any number of regulations. A common control framework supports:

•   Mapping of controls from ISO 17799/27001, COBIT, COSO, NIST, FFIEC, and GAISP, among others, as well as custom-built controls, to one common set of controls
•   Maintenance of the relationship between a common control and the corresponding regulation-specific control in the standard, simplifying change management.

In building a common control framework, use technology that:

•   Includes a broad and extensible content library that automatically maps regulatory policy to control rules
•   Maps custom-built controls to the common control framework
•   Simplifies version control and change management
•   Provides views of the common control set through the filter of a particular regulation or internal policy set.
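To make the mapping concrete, here is a small model of a common control framework, added as an illustration for this page (it is example code written for this edit, not Agiliance's product, and the control identifiers and the crosswalk between ISO 27001, NIST 800-53, COBIT and a custom control are constructed, not an authoritative mapping). Results are recorded once per common control and then projected onto each regulation, which is the test-once, certify-to-many idea; a separate check lists the regulation controls that no common control covers, since those cannot be certified from the common assessment.

```python
"""Common control framework: one control set, several regulations.

Added example (not Agiliance code). Framework names are those the
whitepaper lists; the control ids and the crosswalk between them are
constructed for illustration and are not an authoritative mapping.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class CommonControl:
    cid: str                                     # id in the common set
    title: str
    maps_to: dict = field(default_factory=dict)  # framework -> that framework's control ids


# Constructed common set. "CUSTOM" holds the organization's own control ids.
COMMON = [
    CommonControl("CC-01", "Users are uniquely identified and authenticated",
                  {"ISO 27001": ["A.9.2.1"], "NIST 800-53": ["IA-2"], "COBIT": ["DSS05.04"]}),
    CommonControl("CC-02", "Privileged access is restricted and reviewed",
                  {"ISO 27001": ["A.9.2.3"], "NIST 800-53": ["AC-6"], "COBIT": ["DSS05.04"]}),
    CommonControl("CC-03", "Audit logs are generated and protected",
                  {"ISO 27001": ["A.12.4.1"], "NIST 800-53": ["AU-2", "AU-9"]}),
    CommonControl("CC-04", "Changes are approved before deployment",
                  {"ISO 27001": ["A.12.1.2"], "NIST 800-53": ["CM-3"], "CUSTOM": ["CHG-7"]}),
]

# Constructed outcome of one assessment, recorded once per common control.
# CC-03 was not tested this cycle.
RESULTS = {"CC-01": "pass", "CC-02": "fail", "CC-04": "pass"}


def view(common, framework):
    """The common set filtered by one regulation: its control id -> common control ids."""
    out = defaultdict(list)
    for c in common:
        for fid in c.maps_to.get(framework, []):
            out[fid].append(c.cid)
    return dict(out)


def certify(common, framework, results):
    """Project results recorded once per common control onto one regulation.

    A regulation control passes only when every common control behind it
    passed; any failure fails it; a missing result leaves it "untested"
    instead of silently inheriting a pass.
    """
    status = {}
    for fid, cids in view(common, framework).items():
        outcomes = [results.get(cid) for cid in cids]
        if "fail" in outcomes:
            status[fid] = "fail"
        elif all(o == "pass" for o in outcomes):
            status[fid] = "pass"
        else:
            status[fid] = "untested"
    return status


def unmapped(common, framework, required):
    """Regulation controls the common set does not cover at all.

    These cannot be certified from the common assessment and need their
    own test or a new mapping; this check keeps "certify to many" honest.
    """
    return sorted(set(required) - set(view(common, framework)))


def certify_all(common, results):
    """One assessment, every regulation present in the mapping."""
    frameworks = {fw for c in common for fw in c.maps_to}
    return {fw: certify(common, fw, results) for fw in sorted(frameworks)}


if __name__ == "__main__":
    for fw, status in certify_all(COMMON, RESULTS).items():
        print(fw, status)
    print("NIST gaps:", unmapped(COMMON, "NIST 800-53", ["IA-2", "AC-6", "AU-2", "SC-7"]))
```

A regulation control backed by several common controls (COBIT DSS05.04 above) fails as soon as one of them fails, and an untested common control leaves it "untested" rather than passed; both rules are what let one evidence set stand in for several assessments without overstating coverage.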
The common control framework simplifies the process because there are fewer controls to test and independent assessments per regulation are unnecessary. Cost is lower as more work gets done faster with potentially fewer people. Now the business can test once and certify against many regulations.

Key step 3: Automate survey workflow and technical testing

Commonly, risk assessments and compliance testing use manual processes and personal interviews. The tools are e-mail, paper, and spreadsheets. These manual processes and tools are difficult to manage and error prone. They are typically costly, time consuming, confusing, and complex. Results become obsolete because manual testing per regulation is typically done only once a year, and it is not practical to share results across regulations.

Automating survey workflow

Automate the survey process to increase the quality and timeliness of controls testing while simplifying the effort and lowering the cost. Use technology that not only automates the survey workflow but also provides the content necessary to build surveys. Select technology that:

•   Provides an authoring tool to dynamically create and edit surveys
•   Supports the creation and implementation of automated workflow, including:
    •   The distribution of surveys to business or process owners and the collection and collation of data
    •   Management of delegation and escalation, review and approval cycles, as well as reminders and user awareness/training
•   On-line help within the survey itself.

Survey process automation used with a common control framework and asset repository can dramatically reduce errors, increase response quality, and cut the time to complete the survey work. These benefits accrue to all involved, including project managers, respondents, auditors, and management, allowing an increase in survey frequency for a nominal cost.

Integrating and automating technical controls

Computing assets, hardware, software, and the like, are generally subject to technical controls that can be monitored automatically. Automated testing can be performed frequently, even continuously. Use a technology that easily integrates with already deployed systems such as scanners (for example, Nessus Security Scanner) and other monitoring systems (for example, Symantec Enterprise Security Manager™). Ensure that the automation technology can connect remotely without the use of an agent running on the servers or hosts, to avoid the complexity and cost of managing hosted agents on large numbers of servers. Note that agentless checks still need credentials on the target hosts; treat the scanner's credentials as privileged accounts in their own right.

Coupling automated survey workflow and technical controls

Full automation, while desired, is not achievable. Many objectives depend on controls that involve a combination of manual and technical checks. However, by using a technology that supports both automated survey workflow and technical testing, and seamlessly combines the data from each, a truer view of risk and compliance is obtained. By combining the results of both methods, the organization achieves a compliance and risk picture that is more complete, accurate, and up-to-date, as well as less costly to develop.

Key step 4: Quantify and analyze risk

Business strategy and practice require taking controlled risks based on the business's risk tolerance and maximizing risk-adjusted returns. The same principles apply to managing IT risk and compliance. By identifying and quantifying risk, organizations can make more informed decisions and take more appropriate actions.
To quantify risk, identify threats and vulnerabilities against assets, apply likelihood, exposure, and criticality measures, and calculate risk scores for the assets using established and accepted methodologies. Later, rather than treating everything the same, actions can be tailored according to an asset's risk score and its potential damage and cost to the business. Quality risk metrics support objective analysis that drives better decisions; help focus resources on the most important risks; and allow organizations to set objectives and track risk and compliance trends against them over time.

To quantify risk, use technology that:

•   Uses standard methodologies and well-accepted scoring guidelines from standards organizations such as BITS, ISO, and NIST to generate meaningful risk metrics
•   Accounts for risk propagated through asset dependencies, for example, the risk associated with the data center is propagated to applications that run inside it
•   Keeps risk and compliance scores current by using both automated technical testing and manual self-assessment at the appropriate frequency
•   Clearly traces risk to its cause, such as a failure of a particular control, a new unmitigated threat, or an increase in risk of a related asset.

By using the right approach and technology, a business can build a comprehensive, quantified picture of risk, make informed decisions, and manage risk for the best business outcome.

Key step 5: Take appropriate actions to manage risk

Risk scores provide decision-makers with insight and visibility. Once the business knows which risks matter, the next step is to take action to manage those risks. Actions include:

•   Transferring a risk to another entity
•   Avoiding a risk
•   Reducing the negative effect of a risk
•   Accepting some or all of the consequences of a risk.

In addition to using relative risk scores, IT organizations can employ economic impact measures such as the Annual Loss Expectancy (ALE), the expected loss from a single occurrence of an event multiplied by its expected annual rate of occurrence, to further optimize allocation of resources on prioritized risks.

Taking action on risk typically involves change management: a configuration change, a procedural change, or the development and deployment of a new policy and/or new controls, to name a few. These changes must be defined, planned, approved, communicated, executed, and verified. Over time, the organization will see the effectiveness of its preventive and corrective actions through periodic risk assessments and controls testing, as well as through its business results.
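The scoring, dependency propagation and cause tracing described in step 4, together with the ALE measure used in step 5, as an added worked example (written for this edit, not Agiliance's method or scoring; the 1 to 5 scales, the rule that a dependency's findings are scored with the dependent asset's criticality, and the inventory and findings are all assumptions). Assets carry the criticality and dependencies captured in step 1; a finding on the data center is scored against every application that runs inside it, each score is traced to the finding that produced it, a dependency cycle in the inventory is reported rather than looped over, and findings are ranked by ALE = SLE x ARO.

```python
"""Asset-dependency risk scoring, cause tracing and ALE ranking.

Added example (not Agiliance code). Scales are assumptions: likelihood
1..5, criticality 1..5, exposure 0.0..1.0 (fraction of asset value lost
per event), so a score lies in 0..25. The inventory and findings are
constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int          # 1..5, from the step 1 business classification
    value: float              # asset value in currency units (constructed figures)
    depends_on: list = field(default_factory=list)  # assets this one runs on or inside


@dataclass
class Finding:
    asset: str        # asset the finding was recorded against
    cause: str        # failed control or unmitigated threat, kept for traceability
    likelihood: int   # 1..5
    exposure: float   # 0.0..1.0
    aro: float        # annualized rate of occurrence, for ALE


def reachable_findings(name, assets, findings, _stack=()):
    """Findings on `name` and on every asset it transitively depends on.

    Returns (origin asset, finding) pairs. A dependency cycle would recurse
    forever; it is reported instead, since it means the inventory is wrong.
    """
    if name in _stack:
        raise ValueError("dependency cycle: " + " -> ".join(_stack + (name,)))
    if name not in assets:
        raise KeyError(f"{name!r} is not in the asset inventory")
    found = [(name, f) for f in findings if f.asset == name]
    for dep in assets[name].depends_on:
        found.extend(reachable_findings(dep, assets, findings, _stack + (name,)))
    return found


def risk_score(name, assets, findings):
    """Score one asset and trace the score to the finding that produced it.

    Every reachable finding is scored with *this* asset's criticality, so a
    data center finding weighs more against a critical application than
    against a low-value one. Returns (score, "origin: cause").
    """
    crit = assets[name].criticality
    best, cause = 0.0, None
    for origin, f in reachable_findings(name, assets, findings):
        score = f.likelihood * crit * f.exposure
        if score > best:
            best, cause = score, f"{origin}: {f.cause}"
    return round(best, 2), cause


def rank_by_ale(assets, findings):
    """Rank findings by ALE = SLE x ARO, with SLE = asset value x exposure.

    The value of the asset the finding sits on is used; loss propagated to
    dependants is deliberately not double counted.
    """
    rows = []
    for f in findings:
        sle = assets[f.asset].value * f.exposure
        rows.append((round(sle * f.aro, 2), f.asset, f.cause))
    return sorted(rows, reverse=True)


# Constructed inventory: a customer-facing portal and a low-value wiki on
# one server, which sits in one data center.
ASSETS = {a.name: a for a in [
    Asset("dc-east", criticality=3, value=2_000_000),
    Asset("srv-42", criticality=2, value=50_000, depends_on=["dc-east"]),
    Asset("customer-portal", criticality=5, value=1_000_000, depends_on=["srv-42"]),
    Asset("intranet-wiki", criticality=1, value=20_000, depends_on=["srv-42"]),
]}

# Constructed findings; the control ids are NIST 800-53 controls used as labels.
FINDINGS = [
    Finding("dc-east", "PE-3 physical access control failed", likelihood=2, exposure=0.5, aro=0.1),
    Finding("srv-42", "AU-2 audit logging disabled", likelihood=3, exposure=0.1, aro=2.0),
    Finding("customer-portal", "SI-2 unpatched web framework", likelihood=4, exposure=0.3, aro=1.0),
]

if __name__ == "__main__":
    for name in ASSETS:
        print(name, risk_score(name, ASSETS, FINDINGS))
    for ale, asset, cause in rank_by_ale(ASSETS, FINDINGS):
        print(f"ALE {ale:>10,.0f}  {asset}: {cause}")
```

Taking the highest reachable finding rather than a sum keeps each score explainable by one cause, which is what the "trace risk to its cause" requirement asks for: the server and the wiki both inherit the data center's physical-access failure, while the portal's own unpatched component outranks it. ALE is computed on the asset the finding is recorded against so propagated loss is not counted twice; compare each ALE with the cost of the corrective action when choosing between transferring, reducing, or accepting the risk.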
Select a technology that supports trouble ticketing and/or integrates easily with an existing trouble ticket management tool already in place. Ensure that the links between prioritized risk, actions and results can be tracked and completed. Key step 6: Provide visibility to support informed decisions The most up-to-date risk data is of little value to an organization if it cannot be communicated effectively to decision makers. Well-organized and effectively formatted information is powerful. Providing business owners, executives, and operational teams with access to the broad risk and control picture, laid out for easy viewing and interpretation, eliminates surprise and allows thought- ful action to address above-tolerance conditions. © Agiliance, Inc. 7
Use a comprehensive, intuitive, graphical web-based dashboard tool to build customized views for access by authorized users anywhere at any time. Choose technology that provides:

• Access control that also integrates easily with enterprise directories as needed
• Scheduled and dynamic reports and dashboards
• Graphical display of summary information relevant to each user's needs and role in the organization, for example, executive, business unit manager, analyst, and internal auditor
• Capabilities to easily drill down to any level to ascertain root cause or explore underlying details.

Providing visibility through flexible, interactive dashboards supports:

• Easier audits because reports are ready when needed
• Better decisions at all levels because customized management and operational views are accessible any time, any place
• Improved governance because executives get the big picture and the detail they need to drive policy down throughout the business as well as provide transparency up to the board level
• Better learning and improvement because managers, organizations, and teams can see compliance and risk trends over time.

Continuous visibility into risk and compliance status and trends is a powerful tool to provide transparency to auditors, executives, and boards of directors, as well as to improve risk-adjusted business results and provide compliance peace of mind.
The Benefits to IT Risk and Compliance Management

Information technology is a key business function standing at the center of the confluence of three critical management challenges:

• Regulatory control
• Risk management
• Cost reduction.

Regulatory and policy requirements are escalating. Unknown threats and vulnerabilities lurk everywhere. Continuous change to the environment, people, and processes is normal. Cost pressure is constant. By applying some or all of the key steps and using a scalable, easily integrated technology platform, IT organizations can effectively meet these hard-to-control challenges and, by doing so, effectively manage the confluence of compliance, risk, and cost reduction. As a result they will:

• Always know their compliance position, continuously through time
• Understand and manage the risk that matters to the business
• Effectively use current resource levels to manage growing risk and compliance requirements
• Sustain lower cost through sustainable processes and better quality information
• Provide visibility to enable informed decisions at all levels of the enterprise.
IT organizations can start today, through the application of these key steps and technology such as the Agiliance IT-GRC platform, to leverage the inter-relationships between compliance, risk, and cost reduction to drive results for the IT organization, the business at large, regulators, and other external stakeholders.

About Agiliance IT-GRC

The Agiliance IT-GRC platform is the first software product to comprehensively address the integrated requirements of Information Technology Governance, Risk, and Compliance. The platform is explicitly designed to assist organizations to deliver compliance peace of mind, manage risk, and reduce costs by:

• Streamlining the management of policies and controls through standards and a common control framework
• Automating survey workflow and technical testing
• Integrating easily with existing systems to connect previously isolated elements into a comprehensive and productive environment for compliance and risk management
• Quantifying and prioritizing risk to support informed decisions and actions
• Providing up-to-date, broad visibility and transparency to managers, executives, and operational teams, leading to enhanced governance and business decision-making.

The Agiliance IT-GRC platform is an indispensable tool for managing IT governance, risk, and compliance with less time, at a lower cost, and with more effectiveness.

Agiliance, Inc.
17 North First Street
Suite 00
San Jose, CA 9511
p: 08.00.000
f: 08.00.001
www.agiliance.com