Integrated Risk Management: Providing an Actionable view of IT and Operational Risk to the C-Suite

ISACA 2012 North America Information Security and Risk Management Conference

Las Vegas November 14-15, 2012

Company

Profile

  • Global presence: North and South America, EMEA, APAC
  • 400+ employees
  • 80+ partners in 25+ countries
  • Integration capability with 40+ products
  • Version 8 scheduled for Q1 2013

Modulo is a premier global provider of Security and Risk Management solutions across the IT/eGRC, operations, infrastructure and mobile/social domains.

Offering

  • Platform and modules including 16 distinct solutions covering Risk, Compliance, Enterprise, BCP, Ops, Physical, Mobile
  • 431+ Knowledge bases with 18,095+ controls and 3,145+ built-in data collectors

Sample Customers
Risk Management: challenges
  • Progress-tracking and monitoring with “messy” spreadsheets and emails
  • Prioritizing and remediating findings
  • Harmonizing risk scores from many sources
  • Reporting risk assessment results across LOB’s & applications
Solutions: assessment framework, aggregation framework
  • Automate key elements of risk assessment
  • Marry real business relevance with IT assets, compliance needs, and findings
  • Capture data and harmonize findings from multiple risk management tools
  • Rapid and complete reporting on results of enterprise IT & Compliance checks
Automated Risk Management

Reports

Uses: Integrated risk & compliance dashboard; reports for audit; policy management

Assessments

Uses: automated collections; surveys; questionnaires with guidelines on meeting control requirements

Monitoring & Planning

Uses: Continuous monitoring; build long-term business plans to maintain ongoing compliance and reduce risk

Risk Data Collection

Uses: Map compensatory controls; incorporate vulnerabilities, app-scan results, and more; map application configuration data to risk findings

Build a comprehensive GRC program

  • Risk Management
  • NERC - SCADA
  • HIPAA Compliance
  • Vendor Management
  • Policy Management
  • ISO 27001 Certification
  • Incident & Remediation Management
  • Compliance Management
  • PCI Assessment
  • Vulnerability Management
  • Continuous Monitoring
  • SAP ABAP Code

Integrations facilitate all stages of risk management & assessment

  • TREATMENT
  • INVENTORY
  • EVALUATION
  • ANALYSIS

Automatically import & manually input your assets

Diagram labels: Active Directory Import; RM Project Manager (RM@client.com); Crucial Server; End User (eu@client.com); Controls & Legal Frameworks

Select relevant frameworks & controls

Processes

  • HIPAA – NIST 800-66
  • HITECH
  • Change Management
  • Data and System Backup
  • Systems Continuity Management
  • Contracts with Vendors
  • Business Process Information Flow
  • IT Security Organization
  • ISO 27001
  • CobiT 4.1 - IT Process Maturity
  • FISMA – NIST 800-53
  • PCI Data Security Standard
  • BITs - FISAP – AUP and SIG

People

  • IT Technician
  • Senior Manager
  • Security Officers
  • Area or Process Manager
  • End User

Technologies

  • Cisco Router
  • Oracle
  • Microsoft SQL Server
  • Unix Solaris
  • Microsoft IIS
  • SAP
  • Apache
  • Windows
  • Linux
  • Access Point - WLAN
  • Application System in Production
  • Check Point VPN 1/Firewall 1 NG
  • IBM Lotus Notes R5
  • Microsoft ISA Server
  • PDA
  • Firewalls

Physical Controls

  • Datacenter
  • Office

Map legal frameworks to controls

User-defined project scoping

Report assets in scope

  • Dashboard: Organizational overview of assets, type (OS, Vendor, Network, Database, etc.) & quantity
Assign Business Relevance to Assets, Apps, & Departments

Diagram labels: IT; Department; Finance; Health Records; Risk Manager; Customer Service; IT Laws; Order Entry; Windows 2008; Security Officer; Legal Requirements; End User; Windows 7; Oracle 10 G; CFO

Data collection processes

Options for automated data collection speed up & improve analysis

1. Questionnaires
2. Surveys
3. Automated collections
4. Vulnerabilities
5. Mobile applications

1. Questionnaires

Diagram actors: Security Officer; HIPAA project manager

2. Surveys

Diagram actors: Security Officer; End User; CISO

3. Agent-less Automated Collectors
  • Modulo Open Distributed SCAP Infrastructure Collector (modSIC): Open Source collection and assessment service for technology assets based on the open SCAP (Security Content Automation Protocol) standard.
Tools for monitoring & efficient project management

Keep track of assessment status

Quickly identify lagging assessment efforts

Compliance levels

  • Dashboard: Snapshot of level of compliance to HIPAA & other frameworks
Risk Levels

  • Dashboard: Gauge risk by department, process, and threat

Prioritize Risk

Set appropriate remediation priorities by business relevance

Diagram labels: Human Resources; HIPAA Requirements; Crucial Server

Risk Calculation

  • Relevance (R): business-related; obtained from management
  • Probability (P) and Severity (S): control-related; defaults from the Security Lab

Risk = P · S · R

Prioritize remediation efforts

Diagram labels: CONTROL; RISK; APPETITE

Track assessment status

Review gap analysis

Quickly view progress of evaluation

Monitor Workflow

  • Dashboard: Manage workflow by open events, cost of fix, event status, event type, relevance, and more
Flexible remediation workflow

Workflow diagram labels: Security Officer; End User; CFO; End User; Add extra steps …; Approved; $$$ Added

Workflow Gateway

Security Officer

Events x Mitigation Cost

Chart: events plotted by Risk against Mitigation Cost $; the plotted points are labelled Event 1, 2, 5, 7, 8, 12, 14, 19, 28 and 42.

  • Opportunities to accept or create an exception: should be evaluated carefully
  • High priority on the treatment
  • Opportunities for remediation and reduction of overall risk
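The Risk Calculation slide (Risk = P · S · R) and the Events x Mitigation Cost slide together describe how a finding's risk is scored and how findings are then sorted into treatment versus accept/exception candidates against a risk appetite. The following is an added Python example, not Modulo's code; it assumes a 1-5 scale for P, S and R, a single numeric appetite ceiling, and constructed sample events named after the slide's labels.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One finding. P, S, R use a constructed 1-5 scale (an assumption; the
    slide only gives the formula). P, S are control defaults, R is set by management."""
    name: str
    probability: int
    severity: int
    relevance: int
    mitigation_cost: float  # dollars to fix

    @property
    def risk(self) -> int:
        # Risk = P . S . R, as on the Risk Calculation slide
        return self.probability * self.severity * self.relevance


def triage(events, appetite):
    """Split events against a risk appetite, assumed here to be one ceiling on
    P*S*R. Above it: treatment queue ordered by risk reduced per dollar, so cheap
    high-risk fixes come first. At or below it: accept/exception candidates, kept
    (priciest first) because the slide says they should be evaluated carefully."""
    treat = sorted((e for e in events if e.risk > appetite),
                   key=lambda e: (-e.risk / e.mitigation_cost, -e.risk))
    accept = sorted((e for e in events if e.risk <= appetite),
                    key=lambda e: -e.mitigation_cost)
    return treat, accept


def residual_risk(events, treated):
    """Total P*S*R left once treated events are closed (assumes a fix removes the finding)."""
    done = {e.name for e in treated}
    return sum(e.risk for e in events if e.name not in done)


# Constructed sample, named after labels on the Events x Mitigation Cost slide
SAMPLE = [
    Event("Event 1", 5, 5, 5, 20_000.0),   # crucial server: high relevance
    Event("Event 5", 4, 3, 5, 2_000.0),    # high risk, cheap to fix
    Event("Event 12", 2, 2, 1, 50_000.0),  # low risk, expensive: exception candidate
    Event("Event 28", 3, 4, 2, 4_000.0),
    Event("Event 42", 1, 1, 3, 500.0),
]

if __name__ == "__main__":
    treat, accept = triage(SAMPLE, appetite=20)
    print([e.name for e in treat], [e.name for e in accept], residual_risk(SAMPLE, treat))
```

Because relevance comes from management rather than from the control defaults, the same technical finding on a crucial server and on a low-value host lands in different queues; that is the point the C-suite view is meant to make visible.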

Variety of reporting options integrated throughout assessment

  • Word Templates
  • Integrated Overview
  • Detail Excel Grids
  • Geographic Reports
  • Dashboards

Build on assessments for complete GRC solution

Chart labels: State; Federal; # Controls & Laws; Internal Policies; ISO2700x; COBIT; PCI; # Assets

Transparency and sharing across projects

Chart labels: Security; Risk; Compliance; State; ?; # Controls & Laws; Internal Policies; ISO27001; COBIT; PCI; # Assets

Manual Risk Management Process

Chart: Real Company Risk Reduction (values shown: 15%, 25%, 35%, 25%)

Thank You

Arti Raman, arti.raman@modulo.com
Portia Mills, portia.mills@modulo.com
www.modulo.com