Inv306 going social in a world of grc v.1.1
- 1. INV306 Going Social in a world of Governance, Risk Management, and Compliance (GRC)
Arthur Fontaine | Program Director | IBM Collaboration Solutions
© 2012 IBM Corporation
- 2. IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal
without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general product direction
and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or
legal obligation to deliver any material, code or functionality. Information about potential future
products may not be incorporated into any contract. The development, release, and timing of any
future features or functionality described for our products remains at our sole discretion.
- 3. Agenda
■ GRC – What is it, and why is it important?
■ Collaboration in a GRC world
■ Functional perspectives to GRC
- 4. Governance / Risk Management / Compliance
Governance: Setting policies for risk in the organization
Focus
● Regulations
● Contractual Duties
● Business Strategy
Risk Management: Limiting actions to within risk tolerance
Focus
● Education/certification
● Security and Defense
● Information Lifecycle
Compliance: Confirming adherence to policies
Focus
● Audit
● eDiscovery
● Documentation
- 5. A role-based approach to GRC
Chief Legal Officer
Goal: Reduce legal exposure
Concerns
● Identifying legal risks
● Reducing exposure from retention of unnecessary information
● Anticipating and managing discovery tasks
Chief Risk Officer
Goal: Quantify and reduce risk exposure
Concerns
● Integrated view of risk across financial, operational and other domains
● Anticipating and avoiding unexpected loss
Chief Financial Officer
Goal: Manage risk-adjusted forecasting and allocation
Concerns
● Financial risk management
● Regulatory requirements
● Financial reporting (e.g. SOX)
Chief Information Officer
Goal: Reduce IT expense
Concerns
● Guarding against intrusions and malware
● Reducing storage and admin costs
● Ensure business continuity
Chief Information Security Officer
Goal: Reduce IT risk exposure
Concerns
● Anticipating and avoiding threats and breaches
● Managing records lifecycles in IT systems
● Driving content policies
Chief Compliance Officer
Goal: Ensure regulatory compliance
Concerns
● Adherence to policy and procedures
● Managing regulatory exams, audits and requests
● Reducing cost for compliance management
- 7. Information Lifecycle Governance / GRC – IBM Reference Architecture
[Reference architecture diagram; only its labels survive extraction.]
Role views: CRO, CIO, CCO, CFO
Architecture layers: GRC Analytics*, GRC Execution, GRC Management*, Industry Content, Operations Lifecycle Management
Components labelled in the diagram: Credit Risk, Market Risk, Consolidated Risk, ALM & Liquidity Risk, Operational Risk, KRI Mgmt, Loss Event Data, Trusted Risk Results, Risk Datamart, Information Warehouse, IT Risk, IT Security Risk, Network, Endpoint, Applications, Database, Access and IM, Business Continuity, Operational Systems, Records Mgmt, Vendor Risk, Training, Policy & Compliance, Legal Case Mgmt, Whistle Blower, Asset Mgmt, Financial / AML Reporting, Fraud Monitoring, Internal Audit, Seg of Duties, Control Monitoring
Services: Strategic Consulting, Implementation Services, Operational Services, Change Mgmt (GTS, GBS, SWG-Lab, GBS/BAO)
- 8. Agenda
■ GRC – What is it, and why is it important?
■ Collaboration in a GRC world
■ Functional perspectives to GRC
- 9. IBM Social Business Capabilities
Adoption stages: Envision → Enable → Adopt → Optimize
Social Networking: Owned social networks, Identity systems, Communication channels
Social Content: Engagement apps & services, Social network connectors, Content services
Social Analytics: Analytics, Monitoring, Optimization
Discover / Engage / Reach
Integrate
Process Management: Social BPM, Rules, Connectors, ESB
Information Management: Information integration, MDM, Data warehousing
Governance and Lifecycle: Information lifecycle governance, Community governance, Security, Mobile
Open Standards
Workload-Optimized Systems
- 10. “Dynamic Tension”: Social Business and GRC impacts
Each benefit of social business is listed with its impacts on governance, risk, and compliance, and the C-level roles impacted.
Instant access to professional experts and networks
● Directly conflicts with regulatory “internal firewall” requirements
Roles impacted: CFO, CRO, CCO, CISO
Multi-modal communications
● Multiplies the channels, volume, and velocity that have to be monitored, logged, audited, discovered
● Complicates identity and access management
Roles impacted: CIO, CISO, CLO
Access to public data sources and applications
● Creates risk of releasing or procuring information improperly
● Adds threat exposures
Roles impacted: CLO, CRO, CCO, CIO
Mobile access to enterprise 'big data'
● Places core enterprise IP in uncontrolled environments
Roles impacted: CIO, CISO
Rich information about people and projects
● Allows better targeted threats
● Updates can be studied to reveal patterns and clues
Roles impacted: CISO, CCO, CRO
Common customer request:
“How can you help us deploy your social business solutions in a way that doesn't break the GRC regime we've constructed over the years?”
- 11. Enterprises understand unique GRC issues
Each issue (a representative customer statement) is paired with its mitigation and the IBM offerings that address it.
Issue: “We lack an overall social business policy for our enterprise”
Mitigation: Develop an enterprise-wide social business policy & governance model
Offerings: ● Atlas Policy Federation Framework ● Atlas Global Retention Policy and Schedule Management
Issue: “Expands the universe of things I need to enforce policy on (monitor, retain, discover, and dispose)”
Mitigation: Expanded policy management and enforcement tools to modify behaviors, raise risk awareness
Offerings: ● Actiance Vantage for Connections and Sametime ● IBM Content Collector, IBM eDiscovery Manager ● Atlas Governance for IT
Issue: “Raises challenges of managing within regulated industries”
Mitigation: Identity/access management tools need to be extended to social applications
Offerings: ● Atlas Governance for IT ● Tivoli Identity Manager ● Tivoli Content Manager ● QRadar SIEM/Risk Manager
Issue: “Raises risk and velocity of content leaks”
Mitigation: Content inspection solutions must prevent leaks, flag inappropriate behaviors
Offerings: ● Lotus Protector ● InfoSphere Guardium db Security ● InfoSphere Optim Data Masking
Issue: “Breaks existing security / compliance regimes such as internal firewalls”
Mitigation: Tools must reuse and extend existing security/compliance regimes for social content
Offerings: ● Atlas Policy Federation Framework ● IBM Information Lifecycle Governance ● Lotus Protector ICAPI
Issue: “Creates new vectors of attack and raises risk of social engineering exploits”
Mitigation: Security systems must identify, and protect against, social business attacks and exploits
Offerings: ● Tivoli Network Intrusion Prevention ● Tivoli Endpoint Manager
- 12. IBM Information Lifecycle Governance (ILG)
The ILG solution portfolio enables customers to:
● effectively retain and archive information
● efficiently meet eDiscovery obligations
● defensibly dispose of information
to lower both cost and risk.
- 13. Information Lifecycle – it is a process...
Of all the information and content generated in any organization, only the right information has to be retained. But which is the right one?
Lifecycle stages: Create → Collect → Analyze → Archive → Discover → Dispose
Risk on one side: cost of storage
Risk on the other side: cost of lost evidence; inability to comply with regulatory requirements
- 14. Agenda
■ GRC – What is it, and why is it important?
■ Collaboration in a GRC world
■ Functional perspectives to GRC
- 15. Use Case: Chief Legal Officer
Chief Legal Officer
GOAL: REDUCE LEGAL EXPOSURE
KEY OBJECTIVES
● Identifying legal risks
● Reducing exposure from retention of unnecessary information
● Anticipating and managing legal discovery tasks
Impacts of Social Business
● Increased opportunities for legal risks, due to new communication modes and unlimited ad hoc interactions
● New data sources and types that constitute business records (must be discoverable per FRCP)
● Greater complexity of business records, including data hosted on external applications/platforms
Strategies / Tools / Services from IBM
● Actiance Vantage for Connections and Sametime – Brings Connections/Sametime content into enterprise data corpus
● IBM Content Collector, IBM eDiscovery Manager – Enables cross-enterprise legal discovery of data and content
● Atlas Global Retention Policy and Schedule Management – Manages enterprise policies for retention and deletion, to reduce expense and exposure in legal cases
● Atlas Retention for Employees – Brings business knowledge into the retention process, to inform system of data that contains (or does not contain) business value or duty
● Atlas eDiscovery Process Management – Helps automate the workflows in legal discovery activities
- 16. Use Case: Chief Risk Officer
Chief Risk Officer
GOAL: QUANTIFY AND REDUCE RISK EXPOSURE
KEY OBJECTIVES
● Integrated view of risk across financial, operational and other domains
● Anticipating and avoiding unexpected loss
Impacts of Social Business
● Increased opportunities for financial or IP disclosure
● New entry vectors for attacks, including social engineering exploits
● Frictionless collaboration with attendant information velocity
Strategies / Tools / Services from IBM
● GBS Social Business GRC offering – Identify risks and apply mitigation strategies
● Atlas Policy Federation Framework and Connectors – Brings business knowledge into the retention process, to inform system of data that contains (or does not contain) business value or duty
● IBM Content Collector, IBM eDiscovery Manager – Enables cross-enterprise legal discovery of data and content
● IBM Content Analytics and Classification – Provides enhanced view of information and content, for improved risk awareness
- 17. Use Case: Chief Financial Officer
Chief Financial Officer
GOAL: RISK-ADJUSTED FORECASTING AND ALLOCATION
KEY OBJECTIVES
● Financial risk management
● Regulatory requirements
● Financial reporting (e.g. SOX)
Impacts of Social Business
● Increased opportunities for financial disclosure (e.g., “ Quarter looks great!”)
● Rapid and unconstrained data growth may impact IT budget
Strategies / Tools / Services from IBM
● GBS Social Business GRC offering – Design policies based on role or identity, content, and mode
● Actiance Vantage for Connections and Sametime – Brings Connections/Sametime content into enterprise data corpus for
● IBM Content Analytics, IBM Classification Module – Enables analysis
● Atlas Global Retention Policy and Schedule Management – Manages enterprise policies for retention and deletion, to reduce IT expense
- 18. Use Case: Chief Information / Security Officer
Chief Information / Security Officer
GOAL: REDUCING IT EXPENSE AND RISK EXPOSURE
KEY OBJECTIVES
● Ensuring regulatory compliance in IT systems
● Reducing storage and admin costs
● Business continuity risk
● Vendor risk
Impacts of Social Business
● Increased opportunities for noncompliance in IT systems, with greater complexity of user/role access management
● Data growth that's difficult to apply lifecycle controls against, due to ad hoc/unstructured nature of data
● New vectors for attack, including social engineering and public social platform vulnerabilities
Strategies / Tools / Services from IBM
● Actiance Vantage for Connections and Sametime – Brings Connections content into enterprise data corpus
● Atlas Global Retention Policy and Schedule Management – Manages enterprise policies for retention and deletion, to minimize IT expense
● Atlas Retention for Employees – Brings business knowledge into the retention process, to inform system of data that contains (or does not contain) business value or duty
● IBM Security Services components/controls (Tivoli, Q1) – Protects against intrusions and threats originating from social vectors
- 19. Use Case: Chief Compliance Officer
Chief Compliance Officer
GOAL: ENSURING REGULATORY COMPLIANCE
KEY OBJECTIVES
● Adherence to policy and procedures
● Managing regulatory exams, audits and requests
● Reducing cost for policy and control management
Impacts of Social Business
● Increased opportunities for noncompliance, with new modalities and unlimited ad hoc interactions
● New data sources and types that constitute business records, applicable to regulatory activities
● Greater complexity of business records, including data hosted on external applications
Strategies / Tools / Services from IBM
● Actiance Vantage for Connections and Sametime – Brings Connections content into enterprise data corpus
● Atlas Global Retention Policy and Schedule Management – Manages enterprise policies for retention and deletion, to minimize expense and exposure in compliance actions
● IBM Content Collector, IBM eDiscovery Manager – Enables cross-enterprise discovery of data and content for compliance actions
● Atlas eDiscovery Process Management – Helps automate the workflows in discovery activities for compliance actions
● Atlas Retention for Employees – Brings business knowledge into the retention process, to inform system of data that contains (or does not contain) business value or duty
- 20. Summary
■ GRC is a cross-functional imperative that addresses risks through policy, active
management, and audit
■ Social Business offers unique challenges to GRC, but ultimately must be
addressed within the larger GRC framework
■ Roles-based GRC analysis is needed to design comprehensive, lasting GRC
programs
- 21. Arthur Fontaine
afontaine@us.ibm.com
720-395-5676
Thank you! Please remember to fill out your evaluations.
- 22. Legal disclaimer
© IBM Corporation 2012. All Rights Reserved.
The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and
accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this
information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible
for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is
intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and
conditions of the applicable license agreement governing the use of IBM software.
References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM
operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on
market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing
contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any
specific sales, revenue growth or other results.
IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of
International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United
States, other countries, or both.