RSA Solution for egrc. A holistic strategy for managing risk and compliance across functional domains and lines of business.

Transcription

1 RSA Solution for egrc A holistic strategy for managing risk and compliance across functional domains and lines of business Solution Brief

2 Enterprise Governance, Risk and Compliance or egrc is an umbrella term that describes how an organization defines the objectives, policies and procedures by which it is managed; pursues opportunities while avoiding or managing negative events; and demonstrates adherence to laws, regulations, policies, contractual obligations and industry standards. Organizations have been practicing egrc in a piecemeal fashion for decades, but only in recent history have they approached egrc as a holistic strategy for managing risk and compliance across functional domains and the lines of business. In the current atmosphere of global economic stress, heightened regulation and increasingly complex risks, an egrc strategy supported by the right technology platform is more important than ever before. Key Challenges in egrc One of the main challenges of adopting an enterprise-wide strategy for governance, risk and compliance is the fragmentation of information and processes across the organization. According to Gartner*, 60% of enterprises use Word and Excel as their primary GRC management tools. While word processing documents and spreadsheets certainly have their value especially with regards to user adoption and a low learning curve they also limit the organization s ability to share real-time information, standardize processes, understand trends, and make informed decisions based on a holistic view of their risk and compliance profile. Organizations that rely on the processes and technologies of old in an increasingly complex risk and regulatory landscape face significant obstacles, including the following: Risk and compliance initiatives, including new regulations, are tackled as one-off projects rather than sustainable processes that are ingrained in the organization s DNA. Business units face a barrage of redundant assessments and control tests looking for similar information for different purposes. The evaluation of assessment results is disjointed, restricting management s ability to identify trends and recurring issues. Business leaders struggle to prioritize resources for the mitigation of risks and deficiencies because they don t understand which issues have the greatest impact. Left unsolved, these challenges can threaten the organization s ability to deliver its products and services, maximize new business opportunities and deliver shareholder value. The RSA Solution for egrc As organizations define their strategy for egrc, many are looking beyond office productivity software and point products toward platform-based solutions that can address their current business challenges and adapt to meet future requirements. Answering this market demand, RSA has developed a solution for egrc that unifies policies, controls, risks, assessments and deficiencies across IT, Operations, legal and finance domains. Built on the RSA Archer egrc Platform, this central management system allows organizations to: Get multiple roles and business units working together using common processes and information Prioritize resources for the mitigation of risks and deficiencies See the status of exceptions and issues, and hold appropriate personnel accountable for fixing them Gain a holistic view of the organization s enterprise risk profile and compliance status * Gartner Security & Risk Management Summit, Content or Workflow Who Dominates the GRC Space? French Caldwell, Dan Miklovic, June page 2

3 Prioritize Document the Control Framework and Identify Risks Identify Consolidate and Visualize Compliance Efforts Report Prioritize Deficiencies and Risks Manage Figure 1. Cycle Enabled by the RSA Solution for Enterprise Governance, Risk and Compliance Remediate Findings and Manage Exceptions With RSA s solution for egrc, organizations can move away from their tangled web of spreadsheets and point tools toward a streamlined, coordinated and consistent egrc program. The end result is tangible business value, measured in the following ways: Decreased cost of preparing for and conducting regulatory audits Increased attention on high-priority risks, and faster time to address those risks Reduced time to demonstrate compliance with new regulations Reduced operational costs through consolidation in processes, information and systems Increased awareness of policies, objectives and responsibilities among business personnel and third-parties RSA s solution for egrc supports four key processes: Identify, Prioritize, Manage and Report. These processes are illustrated in Figure 1. Identify In order to effectively manage risk and compliance across the enterprise, organizations must know what they re up against the rules they must abide by and the issues that could prevent them from delivering their products and services. RSA s solution for egrc centralizes and streamlines the identification of policies, objectives, risks and deficiencies, enabling organizations to define governance structures, understand the risks they face and monitor issues of non-compliance. Policies Defining policies and controls and mapping them to regulations and objectives is the groundwork of an egrc program. But for many organizations, policies and procedures are scattered across functional domains, out of date and largely unaligned with compliance requirements. RSA s solution for egrc addresses this challenge by enabling organizations to document their policy and control framework and rationalize it against external regulations and internal objectives. RSA delivers the industry s most comprehensive library of policies, control standards, procedures and assessments mapped to current, global regulations and industry guidelines a solid foundation for any egrc program. Organizations can also import their own policies and controls, communicate them to appropriate personnel, and test comprehension and acceptance. page 3

4 Managing Third-party Risk and Compliance In today s changing global economy, organizations often delegate significant business processes to third-party providers. Unfortunately, as vendor relationships increase, they also become more difficult to manage. In order to preserve successful operations, companies must maintain accurate vendor data, assess risk in third-party relationships, and ensure vendor compliance with corporate policies and regulatory requirements all while reducing costs and duplication of effort. RSA s solution for egrc extends beyond internal risk and compliance processes to address the challenges of third-party relationships. RSA facilitates three key activities as part of an effective vendor management program: Risk-based vendor selection Relationship management Compliance monitoring With RSA s solution for egrc, organizations can establish a lower-cost, higher-quality vendor management process through a centralized repository of thirdparty data, clear reporting of activities related to vendor risk, and a consistent and repeatable assessment process. Risks With policy management structures in place, organizations must also build a risk management program that can address both business and compliance risks. Central to this program is the risk register, a repository of potential risks that could impact the achievement of business objectives, and a systematic program to identify, analyze and treat risks. Many organizations struggle to build a coordinated risk program because they have no central location in which to capture and maintain risk information across the business. They also lack a common risk taxonomy or rating scale to build a universal understanding of risk. For many organizations particularly large, global enterprises the process of gathering and correlating risk data can also be extremely time intensive and cumbersome. With RSA s solution for egrc, organizations can implement an efficient process for building their risk program and maintaining it over time. Based on several industry standard risk frameworks, RSA s webbased solution enables a risk management program through: A centralized registry of potential risks (strategic, operational, financial, security and compliance-related), the risk source and nature, and impacted objectives, business units and stakeholders Defined metrics to be used as key risk indicators (KRIs) for tracking operational risk A taxonomy that connects risks to mitigating controls defined within the company s policies and procedures The execution of risk identification and analysis processes through risk projects and a common risk assessment infrastructure Risk management is core to RSA s solution for egrc, enabling a full lifecycle of risk identification, mitigation and treatment. This integrated approach allows organizations to not only manage their risk function but also to support multiple automated methods to fold in qualitative, quantitative and trending metrics from multiple sources. Finally, RSA s solution builds the much-needed risk taxonomy to get everyone on the same page. As a result, organizations can eliminate redundant, inefficient efforts and implement cost-effective risk management strategies. Issues In addition to documenting policies and potential risks, organizations must proactively identify issues within their environment. One way to achieve this is through risk and compliance assessments, shown in Figure 2. RSA s web-based solution for egrc takes the complexity and inefficiency out of the traditional spreadsheet-based assessment process. With RSA, organizations can quickly build process control self-assessments, design and operating tests, technical control manual assessments, and risk assessments of many types. Testers are automatically notified of their work queues via rules-driven workflow and My Tasks lists, and RSA auto-generates deficiencies based on failures noted within assessments and test results. These issues are linked to related controls, operating entities, policies, regulations, risks, the business hierarchy and operational infrastructure components. Organizations can also integrate data from scanning tools, point solutions and call centers into the RSA Archer egrc Platform for an aggregate view of issues across the enterprise. Examples of risk and compliance data that can be pulled into the Platform include (but are not limited to) the following: page 4

5 Figure 2: Risk Assessment within RSA s Solution for egrc Risk analytics (predictive modeling, simulation and forecasting) Loss events Whistle blower reports ediscovery Configuration scan results Security event logs Sensitive data discovery Document and records retention data Threat intelligence Vulnerability scan results Prioritize Identifying risks and compliance deficiencies is critical for any egrc program. However, without a mechanism to evaluate business impact and prioritize those risks and issues, organizations may find themselves swimming in a sea of data, unable to allocate resources effectively and respond appropriately. RSA s solution for egrc provides the business context required for informed decision making. Organizations can document their business hierarchy and enterprise infrastructure, including (but not limited to) the following elements: Company, divisional and business unit responsibilities and leadership Products and services Business processes Technology and information assets Facilities Employee, partner and vendor contacts These elements not only serve as the target of risk and compliance assessments, but also the basis for determining which risks and deficiencies to address first based on their impact to the business. For example, within the RSA Archer egrc Platform, organizations can link information assets to the business processes they support, the applications where they are managed, the facilities where they are housed, and the owners and custodians of the information. Based on these relationships, RSA automatically generates a criticality rating for each information asset. page 5

6 Figure 3: Remediation Plan Relating Multiple Risk and Compliance Issues When a log management or data loss prevention system (such as RSA envision SIEM or RSA Data Loss Prevention) identifies a potential compromise of sensitive information and those events are passed into the RSA Archer egrc Platform, both IT and business users have the context they need to respond appropriately. Events that impact critical information assets will receive prioritized attention. Manage Once organizations have defined their policy and control framework and established an ongoing process for identifying and prioritizing issues, they are poised to effectively manage risks and compliance deficiencies. RSA s solution for egrc offers automated task management functionality that streamlines the complete issue mitigation process. Issue owners are notified of their responsibilities via and My Task queues on user-specific dashboards. For each risk or compliance deficiency requiring their attention, owners can respond by completing remediation tasks or logging exception requests that identify effective compensating controls. RSA also enables issue owners to manage multiple risks and compliance deficiencies in the context of a single remediation plan (shown in Figure 3) in order to identify and manage larger issues. Report For many organizations, reporting on risk and compliance activities is manual, project-based and extremely time intensive. RSA s solution for egrc addresses this challenge with automated reporting capabilities that range from simple keyword searches to advanced, multi-application reports to sophisticated charts and graphs. All reports present real-time information, and users can adjust their search criteria on the fly for instant access to the data they require. Through RSA s graphical dashboards (shown in Figure 4), managers and executives can understand the status of risk and compliance activities in a format that s easy to digest. Dashboards enable business leaders to visualize activities and results across business units and make informed decisions to ensure that the organization achieves its objectives and stays within regulatory boundaries. page 6

7 Why RSA for egrc? RSA s solution for egrc has been developed over nearly a decade through collaboration with global corporations, industry analysts and an extensive partner ecosystem. With the RSA Archer egrc Platform, organizations can manage the core processes of egrc Policy, Risk and Compliance Management across functional domains, the lines of business and the extended enterprise of partners, suppliers and outsourcers. RSA s platform approach gives organizations the flexibility they need to manage egrc on their own terms without being confined to a rigid solution structure. Through the pointand-click interface of the RSA Archer egrc Platform, business users can adapt the solution to their business requirements, build their own supporting applications and integrate with other systems without touching a single line of code. Organizations also derive significant value from RSA s industry-leading library of policies, control standards, procedures and assessment questions mapped to global regulations and industry standards. This library is the result of nearly 10 years of content development and regulatory mapping, and enterprises can employ it out-of-the box to save hundreds of hours of internal effort. RSA also makes it simple for organizations to import and map their own policies, controls and requirements over time as the business and regulatory climate evolve. Figure 4: Executive Dashboard within the RSA Archer egrc Platform page 7

8 RSA s egrc Solution at a Glance With RSA, organizations that are implementing an egrc strategy can: Take advantage of best-practice policies and control procedures mapped to industry guidelines and regulatory requirements Communicate policies and procedures to appropriate personnel based on their roles and responsibilities Build a registry of potential risks and evaluate risk likelihood and impact Perform assessments to identify risks and compliance deficiencies across the extended enterprise Employ automated workflow for issue prioritization and remediation Centrally report on their risk and compliance posture Implement a sustainable, coordinated process that keeps pace with the evolving business and regulatory landscape Conclusion RSA is committed to furthering the adoption of egrc as a holistic strategy for managing risk and demonstrating compliance across the extended enterprise. To this end, RSA continues to enhance its platform, solutions, content and services to provide organizations with the capabilities they require to: Identify policies, objectives, requirements and issues Prioritize their response to risks and compliance deficiencies Manage issue mitigation via remediation plans or exceptions requests Report on their risk and compliance profile in real time Today, RSA helps global organizations to rationalize a multitude of compliance requirements, control frameworks, standards and best practices into a set of centralized policies that can be administered consistently across the enterprise. Additionally, risk and compliance teams can work cooperatively with the lines of business to manage adherence to policies and regulations, prioritize risk mitigation activities, standardize processes and ultimately reduce operational costs. As a result, organizations can deliver their products or services, achieve better business performance, confidently pursue new opportunities and increase stakeholder value. About RSA RSA is the premier provider of security, risk and compliance solutions, helping the world s leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. Combining business-critical controls in identity assurance, data loss prevention, encryption and tokenization, fraud protection and SIEM with industry leading egrc capabilities and consulting services, RSA brings trust and visibility to millions of user identities, the transactions that they perform and the data that is generated. EMC2, EMC, RSA, envision, Archer and the RSA logo are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other products or services mentioned are trademarks of their respective companies. EGRC SB 0311 page 8