
(1)

RSA Archer Risk Intelligence
Harnessing Risk to Exploit Opportunity

June 4, 2014
Steve Schlarman, GRC Strategist

(2)

Risk and Compliance

(3)
(4)

Global, technology and organizational factors have created significant risk landscapes for organizations.

We must focus on building sustainable risk programs that address the rate and velocity of risk, so that we can navigate the risk landscape.

(5)

Compliance can become a barrier to success or a competitive advantage. The path is decided by how well compliance processes are positioned for the future.

We must focus on priority, the flow of incoming regulatory obligations, and automation to turn compliance into a competitive advantage.

• Since 2009: 131 new major regulations enacted, $70 billion in costs
• In 2012: 2,605 new rules, 69 classified as major (>$100 million annual impact)
• In 2013: 134 new rules enacted just by the EPA

Source: Heritage Foundation

(6)
(7)
(8)

Risk or Opportunity?

Big Data
Globalization
Cloud Computing
Regulatory Change
Mobile

(9)

The Opportunity Landscape

(Diagram labels: What your market wants; What you want to do; What you are good at; Opportunity)

(10)

The Compliance Burden

(Diagram labels: Opportunity; What you have to do; Got it covered; “Must Haves”; Fuels growth but no time to execute; ?; What your market wants; What you want to do; What you are good at)

Compliance Activities: $216B, 87M hours
Risks: 83%, 20%
Risk Management Maturity: -11%, +37%

(11)

Risk Intelligence

Transform Compliance; Harness risks; Exploit Opportunity

(Diagram labels: What you have to do; Got it covered; “Must Haves”; Fuels growth but no time to execute; ?; What your market wants; What you want to do; What you are good at; Passion)

Compliance Activities: $216B, 87M hours
Risks: 83%, 20%
Risk Management Maturity: -11%, +37%

(12)

Change the Game…

Automate compliance, reallocate resources/budget to manage risk, and proactively exploit opportunity.

(Diagram labels: Compliance; Governance; Risk; Proactive / Risk Intelligence; Reactive / Today’s GRC Focus)

(13)

Risk Intelligence

Harness risk to exploit opportunities for competitive advantage through better visibility, enhanced analysis, and improved metrics to drive intelligent, streamlined actions, enabling the business to move quickly and

(14)

Intelligence Driven GRC

Intelligence-driven actions give you priority, results and progress.

Visibility + Analysis = Priority
Priority + Action = Results
Results + Metrics = Progress

(15)

Harnessing Risks…

(Opportunity landscape labels: Opportunity; What you have to do; Got it covered; “Must Haves”; What your market wants; What you want to do; What you are good at)

1. Core to Business; Vital to Success
2. Market Table Stakes; Vital for Growth
3. Everything else…
4. Safety Net

The HIGH RISK Wedge: Reputation, Ethics, Safety, Security, Resiliency

(16)

Exploiting Opportunity

(Diagram labels: The HIGH RISK Wedge; What you are good at; Obligated Differentiators; Elective Differentiators; Improvement Wedge; Innovation Frontier; Risk Frontier)

• Obligated Differentiators: Build and support the Business Case
• Elective Differentiators: Freed-up resources to build on core competencies
• Improvement Wedge: Streamline processes, free up resources, encourage and enable continuous improvement
• Opportunity Landscape: Protect the Innovation Frontier (opportunities adjacent to what you are good at) through reduction of risk in new products, services and market initiatives
• High Risk Wedge: Drive through the Risk Frontier (“Must haves” adjacent to what you are good at) with Quick Wins and steady progress

(17)

The Journey

(18)

Building Risk Intelligence

(Columns: IT; Business)

• Security threats
• IT disruptions
• Poor, misaligned IT practices
• Regulatory violations and fines
• Business disruptions
• Poor, misaligned business practices
• Poor internal controls and governance
• Risks inherited from outside providers
• Harmful operational events
• Operational compliance failures
• Unknown, unidentified risks
• Significant business crises

Stakeholders around RSA Archer Risk Intelligence: Board, Business Operations Managers, CISO, LOB Executives, CIO

(19)

Building Risk Intelligence

Activities:
• Manage the lifecycle of 3rd party relationships
• Identify & meet regulatory obligations
• Implement and monitor controls
• Prepare for & recover from IT outages
• Detect & respond to attacks
• Identify & resolve security deficiencies
• Independently review & assure management actions
• Identify & prepare business resumption strategies
• Manage crisis & communications
• Establish IT policies & standards
• Establish business policies & standards
• Identify, assess & track emerging & operational risks

Risks:
• Security Threats
• IT Disruptions
• Inherited risks from external parties
• Operational compliance failures
• Unknown, unidentified risks
• Significant business crises
• Business disruptions
• Poor, misaligned business & IT practices
• Regulatory violations & failures
• Poor internal controls and governance
• Harmful incidents & events

(20)

Building Risk Intelligence

(Same activity map as the previous slide, plus: Catalog & resolve operational incidents.)

Solutions: Business Resiliency Management, IT Security Risk Management, Regulatory & Corporate Compliance Management, Operational Risk Management, Third Party Management, Audit Management

(21)

Drivers…

Core solutions: Business Resiliency Management, IT Security Risk Management, Regulatory & Corporate Compliance Management, Operational Risk Management, Third Party Management, Audit Management

Extensions: PCI Compliance, Anti-Money Laundering, ISMS Foundation, Regulatory Change Management, Environmental Health & Safety, Foreign Corrupt Practices Act (FCPA), Code of Federal Regulations, Unified Compliance Framework, Model Risk Management, Market Conduct Management, Stakeholders Evaluation, Privacy Program Management, Legal Matters Management, Conflict Minerals, Key & Certificate Management, Access Risk Management

Partner integrations: WhiteHat Security Sentinel, QualysGuard, RedSeal Networks, McAfee Vulnerability Manager, Veracode Security Review

(22)

Persona-centric

(Same activity map, risks and solutions as the Building Risk Intelligence slides, viewed for one persona: Chief Risk Officer.)

(23)

Issue-centric

(Same activity map, risks and solutions as the Building Risk Intelligence slides, viewed for one issue: Supply Chain Resiliency.)

(24)

Benefits of a Risk Intelligence Approach

Better, more predictable decision-making:
• Comprehensive Business Context
• Prioritized Decisions Based on Impact
• Predictable Outcomes

Greater business opportunity:
• Embrace Known Risks to Exploit Opportunity
• Transition from Defense to Offense

Better business performance:
• Improved Allocation of Resources/Budget
• Align Risk Objectives to Business

(25)

Planning Your Journey

(Axes: Compliance; Risk; Opportunity; Reduce)

Siloed: compliance focus, disconnected risk, basic reporting
Managed: automated compliance, expanded risk focus, improved analysis/metrics
Advantaged: fully risk aware, exploit opportunity

(26)

Siloed

The CEO & CISO ride the elevator…

CEO: So how’s security these days?
CISO: We rolled out the last Microsoft security patches in less than 30 days, we shut down 50 virus infections and we passed our quarterly vulnerability scan for PCI. Soooo… that’s all good.

(27)

Managed

The CEO & CISO ride the elevator…

CEO: So how’s security these days?
CISO: We did an end-to-end review of customer record processing, found a few issues but resolved them. We also rolled out some special controls to support “Project Barracuda” – which I know is one of your key objectives.

(28)

Advantaged

The CEO & CISO ride the elevator…

CEO: So how’s security these days?
CISO: I have a great idea on how to give customers secure access to their information that will blow the socks off our competition. Let’s talk about it.

Enterprise Risk

(30)

Market Observations & Trends - ERM

• The level of maturity of ERM programs varies greatly by industry and by company within the same industry
• Agreement on taxonomy, framework, and approach remains a challenge
• Getting all silos / stakeholders on board and working together is a never-ending process
• Regulated companies are under increasing pressure to demonstrate risk management capabilities

(31)

The Perfect World

Enterprise risk areas: Liquidity Risk, Operational Risk, Market Risk, Credit Risk, Strategic Risk

ORM Dashboard: IT Risk, ORM Risk Area #2, ORM Risk Area #3, ORM Risk Area #4, ORM Risk Area #5, ORM Risk Area #6

IT Risk Dashboard: Third Party Risk, Resiliency, Service Levels, Security, IT Operations, Compliance

Detail level: Network Security, Application Security, Physical, Threat Intelligence, Security Incidents, Vulnerability

(32)

Desire to better anticipate and predict risk
• Historical event analysis alone is not an adequate predictor of the future
• What-if scenario analysis and “black swan” identification

Growing use of metrics (breadth, collection speed, & governance)
• Identification of leading causal indicators
• Data trending (metrics, meta-data, unstructured data)
• Capturing changes in risk profile on an ongoing basis

More sophisticated risk assessment
• Use of quantitative and qualitative risk assessment
• Advanced analytics

(33)

Key Archer Capabilities

• Questionnaires: target asset types and identify common risks across assets
• Risk Register: catalog risks and track inherent/residual risks
• KRIs and Metrics
• Issues and Control Compliance: “Calculated Residual Risk”
• Loss Events and Incidents
• Rollups and Reporting
• Risk-Specific Monitoring: Security Operations, Vulnerability Risk, Resiliency Risk, Compliance Risk

(34)

RSA Archer and ISO 31000

Dashboards and Reports; Enterprise Management; Workflow and Notifications; KRIs/Metrics; Loss Events; Questionnaires; Risk Register; Controls and Issues Management

(35)

Introduction to RSA Archer

(36)

RSA GRC Reference Architecture

(37)

RSA Archer Ecosystem

• Partners: 50+ Partners (Technology, Advisory, Service)
• Platform: Data Exchange, Business Fundamentals, Business Logic (RSA Archer GRC Foundation)
• Solutions: 100+ Use Cases, Workflows, Content & Reports, Expert Services
• Community: Online, Summit, Executive Forums, Solution Exchange

(38)

RSA Archer Foundation

All key components required to lay a strong foundation for your enterprise-wide GRC program.

Business Context:
• Business Process
• Business Objectives
• Products & Services
• Facilities & Locations
• IT Infrastructure
• Applications
• Information Assets
• Organizational Hierarchy
• Organizational Units & Departments

Solution Configuration:
• Visualization
• Branding
• Workflow
• Roles/Responsibilities
• Calculations
• Search & Reporting
• Questionnaires
• Mobile Access

Common Data Model:
• Consolidated Data
• Central Repository
• System Auditing
• Data Management
• Role Based Access
• Common Taxonomies

Data Integration:
• Data Import
• Integration APIs
• Data Mapping
• Pre-built Data Connectors
• Multiple Transport Modes
• Scheduled Data Feeds
• Data Publication

(39)

RSA Archer Solutions

Core Modules (on the RSA Archer GRC Foundation): Business Continuity, Audit, Compliance, Vulnerability Risk, Risk, Vendor, Policy, Security Operations, Incident

Additional solutions: Regulatory Change Mgmt, UCF, Key & Certificate Mgmt, Stakeholder Evaluations, ISMS, Anti-Money Laundering, Environmental Health & Safety, PCI, Code of Federal Regulations

(40)

RSA Archer Solutions

(Same activity map as the Building Risk Intelligence slides, mapped to the solutions: Business Resiliency Management, IT Security Risk Management, Regulatory & Corporate Compliance Management, Operational Risk Management, Third Party Management, Audit Management.)

(41)

Extending Solutions

(Same core solutions, extension modules and partner integrations as listed under “Drivers…” above.)

(42)

RSA Archer Partner Ecosystem

50+ Partners for data transfer,

(43)

(Programs: GRC Summit; Online Community; Exchange; Roadshows; Working; Customer Advocacy)

• 120+ sessions
• Annual event since 2003
• Peer best practice sessions
• Peer to peer networking
• Access to GRC content
• Certified new apps
• Executive Forum
• Key Finding Reports
• 10,000+ Archer members
• Interactive online community
• Birds-of-a-feather groups
• Periodic meet ups
• Customer Advisory Council
• Available at a city near you
• Annual event since 2007
• Plug-ins and integrations
• Services, ideas and more
• 800+ GRC practitioners
• F2F access to product experts
• Access to expert content
• Ideas, requests and more
• Influence product roadmap
• Facilitated by Archer and / or

(44)

Critical Criteria

• Automation of tasks
• Code-free configuration
• Flexible deployment
• Technology partners
• Solution libraries
• Customer advocacy
• Communities
• Out-of-the-box functionality
• Start small, grow fast
• Mature service offering

(45)

Industry Leadership

850+ customers
43
25
50

• Leader in eGRC MQ for 2013
• Leader in BCM MQ for 2013
• Leader in IT GRC MS for 2013
• Leader in Forrester GRC Wave
• Quoted as “the most mature
