
Integrated Risk Management: Providing an Actionable view of IT and Operational Risk to the C-Suite

Integrated Risk Management: Providing an Actionable View of IT and Operational Risk to the C-Suite. ISACA 2012 North America Information Security and Risk Management Conference, Las Vegas, November 14-15, 2012.


Presentation Transcript


  1. Integrated Risk Management: Providing an Actionable view of IT and Operational Risk to the C-Suite ISACA 2012 North America Information Security and Risk Management Conference Las Vegas November 14-15, 2012

  2. Company Profile • Global presence: North and South America, EMEA, APAC • 400+ employees • 80+ partners in 25+ countries • Integration capability with 40+ products • Version 8 scheduled for Q1 2013. Modulo is a premier global provider of Security and Risk Management solutions across IT/eGRC, operations, infrastructure and mobile/social domains. Offering • Platform and modules including 16 distinct solutions covering Risk, Compliance, Enterprise, BCP, Ops, Physical, Mobile • 431+ knowledge bases with 18,095+ controls and 3,145+ built-in data collectors. Sample Customers

  3. Risk Management: challenges • Progress-tracking and monitoring with “messy” spreadsheets and emails • Prioritizing and remediating findings • Harmonizing risk scores from many sources • Reporting risk assessment results across LOB’s & applications

  4. Solutions: assessment framework, aggregation framework • Automate key elements of risk assessment • Marry real business relevance with IT assets, compliance needs, and findings • Capture data and harmonize findings from multiple risk management tools • Rapid and complete reporting on results of enterprise IT & Compliance checks

  5. Integrated Risk Management Platform

  6. Automated Risk Management. Reports, uses: integrated risk & compliance dashboard; reports for audit; policy management. Assessments, uses: automated collections; surveys; questionnaires with guidelines on meeting control requirements. Monitoring & Planning, uses: continuous monitoring; build long-term business plans to maintain ongoing compliance and reduce risk. Risk Data Collection, uses: map compensatory controls; incorporate vulnerabilities, app-scan results, and more; map application configuration data to risk findings.

  7. Build a comprehensive GRC program: Risk Management, NERC - SCADA, HIPAA Compliance, Vendor Management, Policy Management, ISO 27001 Certification, Incident & Remediation Management, Compliance Management, PCI Assessment, Vulnerability Management, Continuous Monitoring, SAP ABAP Code

  8. Integrations facilitate all stages of risk management & assessment: Treatment • Inventory • Evaluation • Analysis

  9. Automatically import & manually input your assets Active Directory Import RM Project Manager RM@client.com Crucial Server End User eu@client.com Controls & Legal Frameworks

  10. Identify assets in scope

  11. Select relevant frameworks & controls. Frameworks: HIPAA – NIST 800-66, HITECH, ISO 27001, CobiT 4.1 - IT Process Maturity, FISMA – NIST 800-53, PCI Data Security Standard, BITs - FISAP – AUP and SIG. Processes: Change Management, Data and System Backup, Systems Continuity Management, Contracts with Vendors, Business Process, Information Flow, IT Security Organization. People: IT Technician, Senior Manager, Security Officers, Area or Process Manager, End User. Technologies: Cisco Router, Oracle, Microsoft SQL Server, Unix Solaris, Microsoft IIS, SAP, Apache, Windows, Linux, Access Point - WLAN, Application System in Production, Check Point VPN 1/Firewall 1 NG, IBM Lotus Notes R5, Microsoft ISA Server, PDA, Firewalls. Physical Controls: Datacenter, Office

  12. Map legal frameworks to controls: user-defined project scoping

  13. Report assets in scope • Dashboard: organizational overview of assets, type (OS, Vendor, Network, Database, etc.) & quantity

  14. Map asset locations

  15. Assign Business Relevance to Assets, Apps, & Departments: IT Department, Finance, Health Records, Risk Manager, Customer Service, IT Laws, Order Entry, Windows 2008, Security Officer, Legal Requirements, End User, Windows 7, Oracle 10G, CFO

  16. Report risk findings on the fly

  17. Data collection processes. Options for automated data collection speed up & improve analysis: 1. Questionnaires 2. Surveys 3. Automated collections 4. Vulnerabilities 5. Mobile applications

  18. 1. Questionnaires Security Officer HIPAA project manager

  19. 2. Surveys Security Officer End User CISO

  20. 3. Agent-less Automated Collectors • Modulo Open Distributed SCAP Infrastructure Collector (modSIC): open source collection and assessment service for technology assets based on the open SCAP (Security Content Automation Protocol) standard.

  21. 4. Vulnerability Scanner Integration

  22. 5. Mobile Apps

  23. Tools for monitoring & efficient project management: keep track of assessment status; quickly identify lagging assessment efforts

  24. Compliance levels • Dashboard: snapshot of level of compliance to HIPAA & other frameworks

  25. Risk Levels • Dashboard: gauge risk by department, process, and threat

  26. Prioritize Risk: set appropriate remediation priorities by business relevance (Human Resources, HIPAA Requirements, Crucial Server)

  27. Risk Calculation: Risk = P · S · R, where P (Probability) and S (Severity) are control-related (defaults from Security Lab) and R (Relevance) is business-related (obtained from management)

  28. Prioritize remediation efforts: control risk appetite

  29. Track assessment status: review gap analysis; quickly view progress of evaluation

  30. Monitor Workflow • Dashboard: Manage workflow by open events, cost of fix, event status, event type, relevance, and more

  31. Flexible remediation workflow: Security Officer → End User → CFO → End User; add extra steps … Approved, $$$ Added

  32. Workflow Gateway Security Officer

  33. Closely Monitor the Remediation Activities

  34. Events x Mitigation Cost [chart: events plotted by Risk against Mitigation Cost $] • High risk: high priority on the treatment • Low mitigation cost: opportunities for remediation and reduction of overall risk • High mitigation cost, lower risk: opportunities to accept or create an exception; should be evaluated carefully
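The risk formula from slide 27 and the events-versus-mitigation-cost triage from slide 34, as an added example that is not part of the deck or of the Modulo product. It assumes 1-5 ordinal scales for P, S and R, a risk appetite of 27 (3·3·3), a $10,000 cut-off for a "cheap" fix and the quadrant labels below; the findings are constructed sample data.

```python
from dataclasses import dataclass

# Assumed 1-5 ordinal scales for P, S and R; the deck gives the formula but not the scales.
SCALE_MIN, SCALE_MAX = 1, 5
RISK_APPETITE = 27          # assumed appetite: anything above 3*3*3 must be treated
COST_THRESHOLD = 10_000.0   # assumed cut-off for a "cheap" fix, in dollars


@dataclass(frozen=True)
class Event:
    name: str
    probability: int        # P: control-related (defaults from security lab)
    severity: int           # S: control-related
    relevance: int          # R: business-related (obtained from management)
    mitigation_cost: float  # estimated cost of the fix, in dollars


def risk_score(e: Event) -> int:
    """Risk = P * S * R, after checking every factor is on the assumed scale."""
    for v in (e.probability, e.severity, e.relevance):
        if not SCALE_MIN <= v <= SCALE_MAX:
            raise ValueError(f"{e.name}: factor {v} outside {SCALE_MIN}-{SCALE_MAX}")
    return e.probability * e.severity * e.relevance


def classify(e: Event) -> str:
    """Place an event in the risk x mitigation-cost matrix (quadrant labels assumed)."""
    r = risk_score(e)
    if r > RISK_APPETITE:
        return "treat (high priority)"  # above appetite: cost does not buy acceptance
    if e.mitigation_cost <= COST_THRESHOLD:
        return "remediate (cheap reduction of overall risk)"
    return "exception candidate (evaluate carefully)"


def prioritize(events):
    """Return (name, risk, action) ordered by risk descending, then cost ascending."""
    ranked = sorted(events, key=lambda e: (-risk_score(e), e.mitigation_cost))
    return [(e.name, risk_score(e), classify(e)) for e in ranked]


# Constructed sample findings, not data from the deck.
SAMPLE_EVENTS = [
    Event("Crucial Server: unpatched database", 4, 5, 5, 2_000.0),
    Event("Office WLAN: default SSID", 3, 2, 1, 500.0),
    Event("Legacy groupware upgrade", 2, 3, 3, 50_000.0),
    Event("Backup tapes unencrypted", 3, 4, 4, 20_000.0),
]

if __name__ == "__main__":
    for name, risk, action in prioritize(SAMPLE_EVENTS):
        print(f"{risk:4d}  {action:45s} {name}")
```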

  35. Variety of reporting options integrated throughout assessment: Word templates, integrated overview, detail, Excel grids, geographic reports, dashboards

  36. Create reports for management groups & audit

  37. Build on assessments for complete GRC solution State Federal # Controls & Laws Internal Policies ISO2700x COBIT PCI # Assets

  38. Transparency and sharing across projects Security Risk Compliance State ? # Controls & Laws Internal Policies ISO27001 COBIT PCI # Assets

  39. Manual Risk Management Process Real Company Risk Reduction 15% 25% 35% 25%

  40. Automated Process First Year 15% 45% 35% 5%

  41. Automated Process Second Year 5% 25% 65% 5%

  42. Thank You. Arti Raman, arti.raman@modulo.com; Portia Mills, portia.mills@modulo.com; www.modulo.com
