RSA ARCHER INSPIRE EVERYONE TO OWN RISK

Transcription

1 RSA ARCHER INSPIRE EVERYONE TO OWN RISK

2 Executive Priorities Growth is the highest priority 54 % 25 % Technology initiatives are second priority Business Growth & Technology Copyright 2016 EMC Corporation. All rights reserved. 2 From Gartner s report The 2015 CEO and Senior Executive Survey: Committing to Digital

3 Executive Perspectives on Risk 77 % 65 % 83 % New risks challenge the business Risk Management is falling behind Agility is increasingly important According to Gartner s report The 2015 CEO and Senior Executive Survey: Committing to Digital : Copyright 2016 EMC Corporation. All rights reserved. 3

4 Risk Convergence The business relies on technology like never before Business and Digital strategies are intertwined Technology risk is a board level topic To be successful in today s market, organizations must address cyber risk and business risk together Copyright 2016 EMC Corporation. All rights reserved. 7

5 Decision Makers Need Insight Who owns this risk? What controls need to be implemented? When do we have to be ready? Where do we allocate resources? How can investments be arranged? 8 Copyright 2016 EMC Corporation. All rights reserved.

6 Is Your GRC Program Ready? Copyright 2016 EMC Corporation. All rights reserved. 9

7 Results The Challenge Lack of resources Lack of business context Resource overload High rate of change Compliance Risk Opportunity Copyright 2016 EMC Corporation. All rights reserved. 10 Reach

8 Results Inspire Everyone to Own Risk Risk management is the key to protecting your competitive advantage. Transform Compliance Harness Risk Exploit Opportunity Copyright 2016 EMC Corporation. All rights reserved. 11 Reach

9 RSA Archer: Risk Management for the Modern Enterprise Risk is multi-dimensional Constant vigilance is necessary to keep up with risk The pressure is on to manage risk Empower a common risk conversation Copyright 2016 EMC Corporation. All rights reserved. 12 Adapt your program at the speed of risk Tap into collective knowledge

10 Risk Is Multi-Dimensional Empower a Common Risk Conversation Broadest suite of integrated solutions Rapid implementation Business context Most companies do not have a consistent way of assessing risk across the enterprise. 20% of companies say there is no process to develop and aggregate a risk profile and a further 38% rely on a self-assessment by the business units. Almost half profess difficulties in understanding their enterprise-wide risk exposure. - Global Risk Survey: Expectations of Risk Management Outpacing Capabilities It s Time for Action, KPMG, Copyright 2016 EMC Corporation. All rights reserved. 13

11 Constant Vigilance is Necessary Adapt at the Speed of Risk Configurable system administration Configurable reporting engine Upgradable 73% of companies have seen the volume and complexity of risks increase over the past five years, and 20% of companies have seen the volume and complexity of risks extensively increase over that same period. - Current State of Enterprise Risk Oversight: Progress is Occurring but Opportunities for Improvement Remain, July 2012, ERM Initiative at North Carolina State University on behalf of the American Institute of CPAs Business, Industry & Government Team. Copyright 2016 EMC Corporation. All rights reserved. 14

12 Pressure to Get Your Program Right Tap into Collective Knowledge Largest GRC peer community Collaborative partner ecosystem Partner with the industry leader 98% of company Boards or Board-level risk committees regularly review risk management reports, an increase from 85 percent in Setting a Higher Bar, Deloitte, 2013 Copyright 2016 EMC Corporation. All rights reserved. 15

13 Industry Leadership Leader in Ops Risk MQ 2015 Leader in IT Risk MQ 2015 Leader in IT Vendor Management 2016 Leader in BCM MQ 2014 Leader in Forrester GRC Wave Quoted as the most mature offering in many occasions 43 + countries deployments 25 + industries 125 Global Fortune Fortune Copyright 2016 EMC Corporation. All rights reserved. 16 Out of 10 Biggest U.S. Banks* * bankrate.com

14 Transition Transform Take Command of Your Journey Siloed compliance focus, disconnected risk, basic reporting Managed automated compliance, expanded risk focus, improved analysis/metrics Advantaged fully risk aware, exploit opportunity Reduce compliance cost Compliance Manage Known & unknown risks Risk Identify new business opportunities Opportunity 17 Copyright 2016 EMC Corporation. All rights reserved.

15 RSA ARCHER SOLUTIONS

16 RSA Archer Solutions and Use Cases IT and Security Policy Program Management IT Controls Assurance IT Security Vulnerabilities Program IT Risk Management PCI Management Security Incident Management Security Operations and Breach Management IT Regulatory Management Corporate Obligations Management Information Security Management System (ISMS) Policy Program Management Controls Assurance Program Management Risk Catalog Bottom-Up Risk Assessment Key Indicator Management Loss Event Management Top-Down Risk Assessment Operational Risk Management Third Party Catalog Third Party Risk Assessment Third Party Engagement Third Party Governance Controls Monitoring Program Management Business Impact Analysis Incident Management Business Continuity and IT Disaster Recovery Planning Resiliency Management 19 Use Case list as of Q (subject to change) Issues Management Audit Engagement & Workpapers Audit Planning & Quality Plan of Action & Milestones (POA&Ms) Assessment & Authorization (A&A) Continuous Monitoring

17 IT & Security Risk Management Use Cases IT and Security Policy Program Management IT Controls Assurance IT Security Vulnerabilities Program IT Risk Management PCI Management Security Incident Management Security Operations and Breach Management IT Regulatory Management Information Security Management System (ISMS) 20 Use Case list as of Q (subject to change)

18 Security incidents Vulnerabilities Key Drivers: Compliance issues Policy/Standards IT & Security Risk Management Stage 1 Stage 2 Stage 3 Stage 4 Stage 5 Siloed Transition Managed Transform Advantaged IT & Security Policy Program Management IT Regulatory Management Policies Standards Procedures Regulatory Intel Regulatory Change PCI Management Information Security Management System IT Controls Assurance Manual assessments Automated assessments Continuous Controls Monitoring Issues Management Findings + Remediation Plans Risk & Threat assessments IT Risk Management Risk Register & KRIs Vulnerability Scans IT Security Vulnerabilities Program Vulnerability Intel Ad-hoc Response Security Incident Management 21 Measured Response Breach Assessment Security Operations & Breach Management 24x7 Staffing & Operations

19 Issues Management Before Scenarios Scattered lists of issues and findings in various documents No consolidated view of outstanding issues related to security audits, IT compliance or IT/security risk assessments Limited documentation on current and planned remediation efforts to address open risks No list of approved and accepted risks (unapproved exceptions) Key Features Consolidated issue management process Consolidated list of findings from IT and security audits and assessments Consolidated list of remediation plans for IT & security issues Exception management and governance through appropriate risk acceptance and sign-off 22

20 IT & Security Policy Program Management Before Scenarios Scattered repositories of policies, standards and controls with ambiguity between compliance/business requirements and internal controls Limited documentation of operational procedures (controls) Manual tracking of policy changes or policies falling out of step with business changes Key Features Framework and taxonomy for governance content (policies, standards, controls) Workflow and change management tracking Best practice baseline IT & security content library 23

21 IT Regulatory Management Before Scenarios No workflow or defined process to monitor changes to regulations or laws Disjointed strategy to manage changes to data protection standards Outdated controls based on old requirements or haphazard approach to adjusting controls based on changing business requirements Key Features Regulatory intelligence feeds with workflow for impact analysis and change management tracking Issue management for changes related to regulations and other corporate obligations Managed exceptions with appropriate risk signoff/acceptance 24

22 IT Controls Assurance Before Scenarios Duplicative efforts for measuring IT compliance based on reacting to emerging regulatory and business requirements individually Limited to no consolidated visibility into IT compliance levels across the enterprise with extensive manual testing and reporting cycles Haphazard approach to managing issues related to compliance testing, audits and assessments Key Features Asset catalog, control repository and taxonomy for compliance processes Multiple testing approaches (automated and manual) for a wide variety of IT controls including Integration with testing/assessment technologies Integrated issues management to manage reporting and remediation of control gaps 25

23 IT Security Vulnerabilities Program Before Scenarios Multiple scanners producing too much data to be actually helpful in managing security risk Poor handoff (if any) to IT operations to address security vulnerability Limited to no visibility into remediation efforts to close security vulnerabilities Vulnerability scanning solely for compliance purposes and limited added value for the effort Key Features No prioritization of security vulnerabilities Central repository and taxonomy for vulnerability Integration with multiple scanning technologies Large data/high volume storage of vulnerability scanning results IT asset catalog with business context Reporting and researching platform Rules based issues management 26

24 IT Risk Management Before Scenarios No consolidated definition of IT risk, e.g. taxonomy, catalog, ownership, accountability relying on manual processes to perform IT risk assessments Limited to no visibility into a consolidated view of IT risks Haphazard approach to managing Issues related to risk identification Key Features Asset catalog for risk processes and reporting IT Risk Register and Control repository and taxonomy Consistent risk and threat assessment processes with prebuilt content Integrated issues management to report and track remediation of risks identified during risk assessments 27

25 Security Incident Management Before Scenarios SIEM infrastructure producing too much data and overwhelming security team with limited or no prioritization of security events Manual/ad-hoc documentation of security incident handling Poor handoff (if any) to IT operations to address security incident issues and limited to no visibility into remediation efforts to close security incidents Key Features Central repository and taxonomy for security alerts w/ integration with SIEM/log/packet capture infrastructure with an IT asset catalog with business context Integrated incident management workflow with escalation, investigation documentation and response procedures 28

26 Security Operations & Breach Management Before Scenarios Security operations managed by spreadsheet, , SharePoint or other point solutions No consistent operational procedures for handling security incidents or breaches Manual processes for managing shifts in the SOC, emergency notifications and data breach handling Key Features Central repository and taxonomy for security alerts with integration with SIEM/log/packet capture infrastructure IT asset catalog with business context for reporting and researching platform for incident rates Shift and staffing management 29

27 PCI Management Before Scenarios Ad-hoc PCI compliance process Inconsistent stakeholder accountability Manual processes for gathering & reporting evidence No consistent methods for handling compliance gaps and ongoing assessment Key Features Project workflows to manage CDE (cardholder data environment) scoping and ongoing assessments Structured content libraries link the PCI-DSS to an extensive control testing repository Persona-driven dashboards and questionnaires Centralized issues management One-click reporting template for creating a properly formatted Report on Compliance (ROC) 30

28 Information Security Management System (ISMS) Before Scenarios No consolidated repository of assets, risks, and security controls No workflow or defined process to perform IT risk assessments No systematic approach to map IT risks to IT controls Key Features Scope your ISMS and document your Statement of Applicability Catalog resources related to your ISMS, including information assets, applications, business processes, devices and facilities Document and maintain an information security risk register Establish policies and standards in support of your ISMS Manage issues related to ISMS assessment processes 31

29 EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.