Microsoft
Governance, Risk and Compliance Management Suite
Marilee Byers Director, Corporate Finance
Jerry Leishman Senior Program Manager Compliance Solutions
MICROSOFT CONFIDENTIAL
Presentation Goals
• What is the Microsoft GRC story?
• Risk and Compliance Management Suite overview
• Demo
• How to get involved?
• Q&A
Microsoft GRC Solution Areas
• Regulatory Compliance & Controls
• Risk Analytics & Reporting
• Security & Privacy
• Business Continuity
• Document & Records Management
Service Manager - The Power is in the Integration
[Slide diagram; labelled elements: Excel Server 2007; BitLocker; Connectors; Asset Management; Self Service IT; Business Intelligence; Automate and Deploy; Capacity and Utilization; Inventory and Usage; Alert Management; Incident and Problem; Workflows; Knowledge Base; Data Warehouse; CMDB; Active Directory; Change; Compliance and Risk]
GRC Taxonomy (Terminology and Examples)

GRC Authority Document
  Example: SOX, HIPAA, PCI, EUDPD, ISO, GLBA, corporate policy, etc.

Unified Compliance Framework (UCF)
  Hierarchical framework that harmonizes (consolidates) compliance requirements from hundreds of Authority Documents into the smallest possible set of unique requirements.

Program
  Logical grouping containing compliance data (COs/CAs), risks, automated tests, and the applicable scope of assets. Includes remediation and reporting across the program.
  Example: East Coast Sarbanes-Oxley Program

Control Objective (CO)
  A harmonized statement of expectations from GRC Authority Documents containing requirements. These can be people, process or technology controls. Basically "what" needs to be accomplished.
  Example: CO 04544: Synchronize system clocks

Control Activity (CA)
  Guidance containing instructions and parameters to meet the expectations of Control Objectives. Usually specific to a technology, business process, or organization.
  Examples: CCA: Configure Windows Time Service; OCA: Monitor Windows Time Service; PCA: Network Time Protocol Policy

Control Activity Test
  Windows Workflow Foundation workflows that apply parameters, thresholds, and scope to data collected with System Center products to validate that the associated CAs remain within expected parameters. These can be manual or automated.
  Examples:
  • Ensure the Windows Time Service is running
  • Ensure the NtpClient has an accurate source of time
  • Ensure the required policy has been specified and remains available

Library
  (Reusable) compliance information stored as templates which can be instantiated with specific values and parameters in a program.
  Example: Microsoft Control Activity Library.XML (Management Pack)
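As an added example (not code from the presentation or from the Compliance and Risk PMP), the three Control Activity Tests listed for CO 04544 expressed as a local PowerShell check that returns one pass/fail record per test. It assumes the standard W32Time registry location used by Group Policy (HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters) and the output of `w32tm /query /source`; the result object shape is my own.

```powershell
# Added example: evaluate the Control Activity Tests for CO 04544 (Synchronize
# system clocks) on the local host. Each test yields an object that a GRC
# incident/issue workflow could consume; a Passed=$false record is the trigger.
function Test-ClockSyncControl {
    [CmdletBinding()]
    param()

    $results = @()

    # Test 1: Ensure the Windows Time Service is running.
    $svc = Get-Service -Name W32Time -ErrorAction SilentlyContinue
    $svcDetail = if ($svc) { "Status=$($svc.Status)" } else { 'service not found' }
    $results += [pscustomobject]@{
        Test   = 'Windows Time Service is running'
        Passed = ($null -ne $svc -and $svc.Status -eq 'Running')
        Detail = $svcDetail
    }

    # Test 2: Ensure the NtpClient has an accurate source of time.
    # A source of 'Local CMOS Clock' or 'Free-running System Clock' means the
    # host is not synchronising with any external time source at all.
    $source = (& w32tm /query /source 2>$null | Out-String).Trim()
    $hasExternalSource = $source -and ($source -notmatch 'Local CMOS Clock|Free-running')
    $results += [pscustomobject]@{
        Test   = 'NtpClient has an accurate source of time'
        Passed = [bool]$hasExternalSource
        Detail = "Source=$source"
    }

    # Test 3: Ensure the required policy has been specified and remains available.
    # Group Policy writes NtpServer/Type under this key (assumed path); if the key
    # is missing the NTP policy is no longer applied to this host.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
    $policyOk = $policy -and $policy.NtpServer -and ($policy.Type -in @('NTP', 'NT5DS', 'AllSync'))
    $policyDetail = if ($policy) { "Type=$($policy.Type) NtpServer=$($policy.NtpServer)" } else { 'policy key not present' }
    $results += [pscustomobject]@{
        Test   = 'Required time policy is specified and available'
        Passed = [bool]$policyOk
        Detail = $policyDetail
    }

    return $results
}

# Usage: list the three tests; any Passed=False row is a control deviation.
Test-ClockSyncControl | Format-Table Test, Passed, Detail -AutoSize
```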
Governance, Risk & Compliance: Problem / Opportunity
[Slide diagram; labelled elements: Program; System Center; WS 2008; Windows 7; GRC Authority Docs (Requirements: SOX, eSOX, PCI, ITIL, HIPAA, COBIT, etc.); Control Activities; Control Objectives (People, Process, Technology); Test Automation; GRC Incident/Issue; GRC Dashboard; GRC Report; Reporting & Corrective Actions; Harmonized Framework; Policy Churn; Tech Churn; $1 Trillion (US); Compliance & Risk PMP & IT Compliance Mgmt Toolkit; Business Risks & Objectives (the What/Requirement, e.g. Complex Password); Technical Goal (the How); Validation; MS and Non-MS Technology; Continuous Monitoring & Reporting]
Figures on the slide: ~350 Authority Docs in UCF; ~24K requirements; ~2400 unique controls; ~139 satisfied by WS.
Compliance and Risk PMP
• OOB PMP for Svc Mgr that offers:
  − GRC Program Management
  − Control Management
  − Risk Management
  − Policy & Procedure Mgmt
  − GRC Incident Management
  − Excel, SharePoint integration
• By extending Service Manager with:
  − New item classes and relations
  − Forms, views, dashboards
  − Reports
  − Web parts
• And acts as a host for:
  − UCF controls & mappings (built-in for IT GRC)
  − 3rd party control activities and workflows, such as:
    − Microsoft IT Compliance Mgmt Library
    − Partner knowledge libraries
Control activities in the library are templates: the customer copies and customizes them, and each copy applies to a collection of hosts or services in the customer's environment.
GRC Management Suite Architecture
[Slide diagram; labelled elements: SM Data Warehouse; Compliance and Risk Process Management Pack; IT Compliance Management Library (MS, customer or partner); Configuration Management; Change Management; Problem Management; Incident Management; Compliance Managers (Svc Mgr Console); Risk Management; Program Management; C&R PMP IT Library; Knowledge Library; UCF Control Library; System Center; Document Management (Doc Types: Authority Docs, Policy Docs); GRC Incident Management; Control Management; Partner Knowledge Libraries; MS, Customer & Partner Knowledge Libraries; Connectors (Linking Fx); Target Hosts; GRC Config Packs; GRC Mgmt Packs; SharePoint Portal (Compliance Users); Compliance and Risk Reports; Control Activity Library; Test Automation Framework; Policy Library; Risk Library; GRC LOB Packs (SAP, Oracle, etc.); GRC Infra Packs (Linux, Unix, etc.); Connector]
Business Partner Perspective
• Objectives
  − Support compliance programs
  − Improve integration with automated controls
  − Migrate to one GRC platform to leverage compliance efforts across the company
• Engagement
  − Provide business requirements
  − Provide iterative input to design and configuration
  − Balance Microsoft specifics against more general needs
  − Anticipate pilot program in FY11
Demo

Product Release Schedule
• Currently in Public Beta, based on Service Manager Beta 2
• Future: Release Candidate - April 2010; RTW target 60 days after Service Manager RTM (CY2010-Q3)
Opportunities to Get Involved
• Provide feedback directly to Microsoft
• Download and evaluate the solution
• Join the TAP and RDP programs
• MS demo to your organization: schedule a 1 hour Live Meeting
• Participate in MS GRC Summits
• Provide customer voice and influence MS

How to Get Connected?
1. Download and evaluate the solution: https://connect.microsoft.com/SelfNomination.aspx?ProgramID=2733&pageType=1&SiteID=446
2. Join the RDP early adopter program: contact Jerry Leishman ([email protected])
3. Become a GRC Partner (ISV, SI, Consultant, Trainer): contact Jerry Leishman ([email protected])
Questions?