

IT organisations operate in a complex, vulnerable and rapidly changing environment. Their mandate spans managing business-critical processes and a multitude of technologies, and increasingly operating in a virtual ‘Cloud’ environment. This complexity, together with cost-reduction imperatives, has driven many organisations to outsource part of their services, so that data, processing, or even the services themselves are managed by a third party. This distribution of roles, the inter-connections it creates, and the exposure to a growing volume of cyber-attacks add tremendous levels of risk. What used to be manageable by a single person in charge of “security” may now require more than ten different experts. On top of that, regulators now publish high-impact directives that force IT departments to invest a lot of time and money in compliance measures they will have to evidence in front of the auditors.

A bottom-up approach, whereby individuals manage risks at their own level, has unfortunately reached its limits. Whilst it is the most natural and easy approach, it does not guarantee an integrated view and governance of all IT risks. The collection of information is painful and tedious, and collaboration tools are often inefficient at identifying new risks or at assessing a risk increase and its impact. Michael Rasmussen, the GRC Pundit, pointed out that “A reactive approach leads to more exposure and vulnerability”. The result is a negative impact on the business, which in turn can mean higher costs or even public disclosure of the failure.

Many organisations have called on IT consulting firms to help them understand the nature and magnitude of their risks. The outcome is often that IT organisations need to implement a real “IT governance” framework: one that is sustainable, integrated and agile.

www.oxial.com

[Figure: The Sliding Scale of Cyber Security. Five categories, from left to right: Architecture, Passive Defense, Active Defense, Intelligence, Offense. Axis labels: Cost, Value.]

Cost is inversely proportional to the added value of new tools necessary to react to new threats.

Source: SANS Institute, 2015, The Sliding Scale of Cyber Security

IT GRC Solution Overview

Over the past twenty years, Information Technology (IT) has become more and more central to business.


IT RISK MANAGEMENT STARTS WITH EFFECTIVE GOVERNANCE

Because IT risks are now business risks, with business consequences, organisations must adapt the way they manage those risks. This is not a matter contained within the “IT Department”. It requires an effective risk management capability, a common language and a common framework for decisions and controls, which reduces the fires to fight, reduces costs and refocuses effort on more productive activities such as creating business value.

Specifically, businesses need to take a business-risk-management-centric approach, one that incorporates IT GRC into an integrated, responsive, company-wide GRC system. This puts IT risks alongside the other GRC risk factors, allowing decision makers to implement solutions that tackle any vulnerabilities stemming from the interaction of IT and other GRC risks. In other words, by incorporating IT GRC into a company’s overall GRC framework, employee interactions are moulded from the bottom up, with checks at all levels and types of access points. Sticking-plaster solutions on existing IT frameworks that do not incorporate GRC considerations are no longer the preferred solution.

Another advantage of organising IT GRC in this manner is that it makes securing resources for IT frameworks, and security budgeting, easier. Management then views IT GRC as a fundamental consideration that affects operations, which in turn enables synergy between management and IT departments. This business-risk-management-centric approach is better than the common technology-centric approach, in which management delegates all IT issues (and therefore all potential IT GRC issues) to technology departments. These departments operate firmly at a technology-centric, patchwork-solution level, which only further exacerbates any system-wide IT GRC vulnerabilities.

THE SOLUTION

Based on years of experience in managing IT systems, and in collaboration with information security experts, the Oxial IT GRC solution combines disciplines to deliver a better level of security and performance.

Taking advantage of Oxial’s GRC experience and innovative algorithms, Oxial IT GRC provides powerful features to manage IT priorities in line with business expectations.

Oxial IT GRC reduces audit preparation time by providing an integrated data repository, and offers an innovative top-down approach by providing a holistic view of the IT landscape.

Oxial IT GRC can be implemented progressively and without constraint, to adapt to organisations’ cost and ROI imperatives.

KEY BENEFITS

OXIAL IT GRC has been designed to provide the following benefits:

GOVERNANCE

Manage a unified compliance framework with pre-formatted regulations, methodologies, frameworks and security policies (Cyber, GDPR, ISO/IEC 27000 series, NIST CSF, …).

Map regulation, methodology and framework points to the measures you want to implement.

Assign measures to teams or individuals, follow up on actions and manage delays.

Manage a security control catalog based on best practices, with a flexible issue management system.

AUDIT

Produce dynamic compliance reports in seconds.

Assess your environment using best-in-class audit programs.

Compare year-on-year trends. Link assets to entities and to business and IT processes.

Load external audit programs, remarks, recommendations and actions.

MONITORING

Monitor.

End-to-end data protection using a best-in-class encryption management system (Global Data Sentinel).

Use watchdog technology to identify inappropriate behaviour.

DOMAINS COVERED BY OXIAL IT GRC

IT governance.

IT control assessment and measurement.

IT third-party management.

SaaS solution provider GDPR/Cyber assessment.

IT risk assessment.

IT external audit recommendation follow-up.

IT internal audit outsourcing.

IT regulations, frameworks and policy documentation.