Integrated Risk Management: Providing an Actionable view of IT and Operational Risk to the C-Suite ISACA 2012 North America Information Security and Risk Management Conference Las Vegas November 14-15, 2012
Company Profile
• Global presence: North and South America, EMEA, APAC
• 400+ employees
• 80+ partners in 25+ countries
• Integration capability with 40+ products
• Version 8 scheduled for Q1 2013
Modulo is a global provider of Security and Risk Management solutions across the IT/eGRC, operations, infrastructure and mobile/social domains.
Offering
• Platform and modules including 16 distinct solutions covering Risk, Compliance, Enterprise, BCP, Ops, Physical, Mobile
• 431+ knowledge bases with 18,095+ controls and 3,145+ built-in data collectors
Sample Customers (customer logos not reproduced)
Risk Management: challenges • Progress-tracking and monitoring with “messy” spreadsheets and emails • Prioritizing and remediating findings • Harmonizing risk scores from many sources • Reporting risk assessment results across LOB’s & applications
Solutions: assessment framework, aggregation framework • Automate key elements of risk assessment • Marry real business relevance with IT assets, compliance needs, and findings • Capture data and harmonize findings from multiple risk management tools • Rapid and complete reporting on results of enterprise IT & Compliance checks
Automated Risk Management
• Reports. Uses: integrated risk & compliance dashboard; reports for audit; policy management
• Assessments. Uses: automated collections; surveys; questionnaires with guidelines on meeting control requirements
• Monitoring & Planning. Uses: continuous monitoring; build long-term business plans to maintain ongoing compliance and reduce risk
• Risk Data Collection. Uses: map compensatory controls; incorporate vulnerabilities, app-scan results, and more; map application configuration data to risk findings
Build a comprehensive GRC program
• Risk Management
• NERC - SCADA
• HIPAA Compliance
• Vendor Management
• Policy Management
• ISO 27001 Certification
• Incident & Remediation Management
• Compliance Management
• PCI Assessment
• Vulnerability Management
• Continuous Monitoring
• SAP ABAP Code
Integrations facilitate all stages of risk management & assessment: inventory, evaluation, analysis, treatment
Automatically import & manually input your assets (diagram; items shown: Active Directory Import; RM Project Manager, RM@client.com; Crucial Server; End User, eu@client.com)
Select relevant frameworks & controls
• Controls & legal frameworks: HIPAA – NIST 800-66, HITECH, ISO 27001, CobiT 4.1 - IT Process Maturity, FISMA – NIST 800-53, PCI Data Security Standard, BITS - FISAP - AUP and SIG
• Processes: Change Management, Data and System Backup, Systems Continuity Management, Contracts with Vendors, Business Process Information Flow, IT Security Organization
• People: IT Technician, Senior Manager, Security Officers, Area or Process Manager, End User
• Technologies: Cisco Router, Oracle, Microsoft SQL Server, Unix Solaris, Microsoft IIS, SAP, Apache, Windows, Linux, Access Point - WLAN, Application System in Production, Check Point VPN-1/FireWall-1 NG, IBM Lotus Notes R5, Microsoft ISA Server, PDA, Firewalls
• Physical controls: Datacenter, Office
Map legal frameworks to controls: user-defined project scoping
Report assets in scope • Dashboard: Organizational overview of assets, type (OS, Vendor, Network, Database, etc.) & quantity
Assign business relevance to assets, apps & departments (diagram; items shown: IT Department, Finance, Health Records, Customer Service, Order Entry, Windows 2008, Windows 7, Oracle 10g, IT Laws, Legal Requirements; roles: Risk Manager, Security Officer, End User, CFO)
Data collection processes
Options for automated data collection speed up and improve analysis:
1. Questionnaires
2. Surveys
3. Automated collections
4. Vulnerabilities
5. Mobile applications
1. Questionnaires (diagram; roles shown: Security Officer, HIPAA project manager)
2. Surveys (diagram; roles shown: Security Officer, End User, CISO)
3. Agent-less Automated Collectors • Modulo Open Distributed SCAP Infrastructure Collector (modSIC): open source collection and assessment service for technology assets based on the open SCAP (Security Content Automation Protocol) standard.
Tools for monitoring & efficient project management
• Keep track of assessment status
• Quickly identify lagging assessment efforts
Compliance levels • Dashboard: Snapshot of level of compliance to HIPAA & other frameworks
Risk levels • Dashboard: Gauge risk by department, process, and threat
Prioritize risk: set appropriate remediation priorities by business relevance (diagram; items shown: Human Resources, HIPAA Requirements, Crucial Server)
Risk Calculation
Risk = P × S × R, where:
• P = Probability (control-related; defaults from Security Lab)
• S = Severity (control-related; defaults from Security Lab)
• R = Relevance (business-related; obtained from management)
Prioritize remediation efforts: control risk against the organization's risk appetite
Track assessment status
• Review gap analysis
• Quickly view progress of evaluation
Monitor Workflow • Dashboard: Manage workflow by open events, cost of fix, event status, event type, relevance, and more
Flexible remediation workflow (diagram; roles shown in sequence: Security Officer, End User, CFO, End User; extra steps can be added, e.g. a cost approval step: "Approved, $$$ Added")
Workflow Gateway (diagram; role shown: Security Officer)
Events × Mitigation Cost (chart: individual events, e.g. Event 1, 2, 5, 7, 8, 12, 14, 19, 28, 42, plotted by risk against mitigation cost $)
• Opportunities to accept the risk or create an exception
• Should be evaluated carefully
• High priority for treatment
• Opportunities for remediation and reduction of overall risk
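The Risk Calculation slide and the events × mitigation cost view together describe a small triage procedure: score each finding as P × S × R, compare the score with the risk appetite, then rank what remains by cost of fix. The following is an added example of that procedure, written for this page; it is not code from the Modulo platform or from the presentation. The 1–5 scale for P, S and R, the numeric risk appetite and cost budget, the CVSS-to-severity mapping used to harmonize imported scanner findings, the quadrant mapping in `triage()`, and every sample event are assumptions made for illustration.

```python
"""Risk scoring and remediation triage in the style of the deck's
Risk = P x S x R slide and its "events x mitigation cost" view.

Added example, not code from the Modulo product or the presentation.
Assumptions (not stated on the page): a 1-5 scale for P, S and R, a
numeric risk appetite threshold, a per-event cost budget, and the
quadrant mapping used in triage(). All events below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One finding ("event" in the deck's terminology)."""
    event_id: int
    probability: int        # P, control-related default (assumed 1-5 scale)
    severity: int           # S, control-related default (assumed 1-5 scale)
    relevance: int          # R, business relevance from management (assumed 1-5)
    mitigation_cost: float  # estimated cost of fix (assumed currency units)


def risk_score(e: Event) -> int:
    """Risk = P * S * R as on the Risk Calculation slide (1..125 on a 1-5 scale)."""
    for name, v in (("P", e.probability), ("S", e.severity), ("R", e.relevance)):
        if not 1 <= v <= 5:
            raise ValueError(f"{name} out of range 1-5: {v}")
    return e.probability * e.severity * e.relevance


def severity_from_cvss(base_score: float) -> int:
    """Harmonize an imported scanner score (CVSS 0.0-10.0) onto the 1-5
    severity scale so findings from different tools are comparable.
    Linear mapping; an assumption, the deck gives no mapping."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    return min(5, max(1, 1 + round(base_score * 0.4)))


def triage(events, risk_appetite: int, cost_budget: float) -> dict:
    """Bucket events the way the events x mitigation cost chart suggests
    (assumed mapping):
    - risk within appetite        -> candidates to accept or file an exception
    - above appetite, cheap fix   -> treat first (most risk reduction per dollar)
    - above appetite, costly fix  -> evaluate carefully (business decision)
    Each bucket is ordered highest risk first, cheapest fix first on ties."""
    ranked = sorted(events, key=lambda e: (-risk_score(e), e.mitigation_cost))
    buckets = {"treat_first": [], "evaluate": [], "accept": []}
    for e in ranked:
        if risk_score(e) <= risk_appetite:
            buckets["accept"].append(e.event_id)
        elif e.mitigation_cost <= cost_budget:
            buckets["treat_first"].append(e.event_id)
        else:
            buckets["evaluate"].append(e.event_id)
    return buckets


# Constructed sample events (not from the page). Event 4's severity is
# harmonized from a hypothetical scanner finding with CVSS 7.0.
SAMPLE_EVENTS = [
    Event(1, probability=4, severity=5, relevance=5, mitigation_cost=2000.0),
    Event(2, probability=5, severity=4, relevance=4, mitigation_cost=50000.0),
    Event(3, probability=2, severity=2, relevance=1, mitigation_cost=500.0),
    Event(4, probability=3, severity=severity_from_cvss(7.0), relevance=3,
          mitigation_cost=8000.0),
    Event(5, probability=1, severity=5, relevance=4, mitigation_cost=100.0),
]

if __name__ == "__main__":
    for e in sorted(SAMPLE_EVENTS, key=lambda e: -risk_score(e)):
        print(f"event {e.event_id}: risk={risk_score(e):3d} "
              f"cost={e.mitigation_cost:,.0f}")
    print(triage(SAMPLE_EVENTS, risk_appetite=20, cost_budget=10000.0))
```

Relevance is the only factor that comes from the business side, which is why the same technical finding on two servers can land in different buckets: event 5 (low probability, high severity, relevant asset) scores exactly at the appetite and is a candidate for a documented exception, while event 2 scores above it but is expensive enough that it goes to the "evaluate carefully" list rather than being scheduled blindly.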
Variety of reporting options integrated throughout assessment: Word templates, integrated overview and detail reports, Excel grids, geographic reports, dashboards
Build on assessments for a complete GRC solution (diagram: # controls & laws, including state and federal laws, internal policies, ISO 2700x, COBIT, PCI, plotted against # assets)
Transparency and sharing across projects: Security, Risk, Compliance (diagram: # controls & laws, including state laws, internal policies, ISO 27001, COBIT, PCI, plotted against # assets)
Real company risk reduction (charts; category labels not recoverable from the page)
• Manual risk management process: 15%, 25%, 35%, 25%
• Automated process, first year: 15%, 45%, 35%, 5%
• Automated process, second year: 5%, 25%, 65%, 5%
Thank You
Arti Raman, arti.raman@modulo.com
Portia Mills, portia.mills@modulo.com
www.modulo.com