RSA® Archer®: Inspire Everyone to Own Risk
© Copyright 2016 EMC Corporation. All rights reserved.
Executive Priorities
Business Growth & Technology:
• Growth is the highest priority (54%)
• Technology initiatives are second priority (25%)
Source: Gartner’s report “The 2015 CEO and Senior Executive Survey: ‘Committing to Digital’”
Executive Perspectives on Risk
According to Gartner’s report “The 2015 CEO and Senior Executive Survey: ‘Committing to Digital’”:
• 77%: new risks challenge the business
• 65%: risk management is falling behind
• 83%: agility is increasingly important
Risk Convergence
• The business relies on technology like never before
• Business and digital strategies are intertwined
• Technology risk is a board-level topic
To be successful in today’s market, organizations must address cyber risk and business risk together.
Decision Makers Need Insight…
• What controls need to be implemented?
• Where do we allocate resources?
• How can investments be arranged?
• Who owns this risk?
• When do we have to be ready?
Is Your GRC Program Ready?
The Challenge
(Chart: Results vs. Reach across the Compliance, Risk and Opportunity stages)
• Resource overload
• High rate of change
• Lack of resources
• Lack of business context
Inspire Everyone to Own Risk
(Chart: Results vs. Reach across the Compliance, Risk and Opportunity stages, labelled Transform, Harness and Exploit)
Risk management is the key to protecting your competitive advantage.
RSA Archer: Risk Management for the Modern Enterprise
• Risk is multi-dimensional: empower a common risk conversation
• Constant vigilance is necessary to keep up with risk: adapt your program at the speed of risk
• The pressure is on to manage risk: tap into collective knowledge
Risk Is Multi-Dimensional: Empower a Common Risk Conversation
‘Most companies do not have a consistent way of assessing risk across the enterprise. 20% of companies say there is no process to develop and aggregate a risk profile and a further 38% rely on a self-assessment by the business units. Almost half profess difficulties in understanding their enterprise-wide risk exposure.’
- Global Risk Survey: Expectations of Risk Management Outpacing Capabilities—It’s Time for Action, KPMG, 2013.
• Broadest suite of integrated solutions
• Rapid implementation
• Business context
Constant Vigilance Is Necessary: Adapt at the Speed of Risk
• Configurable system administration
• Configurable reporting engine
• Upgradable
‘73% of companies have seen the volume and complexity of risks increase over the past five years, and 20% of companies have seen the volume and complexity of risks extensively increase over that same period.’
- Current State of Enterprise Risk Oversight: Progress is Occurring but Opportunities for Improvement Remain, July 2012, ERM Initiative at North Carolina State University on behalf of the American Institute of CPAs Business, Industry & Government Team.
Pressure to Get Your Program Right: Tap into Collective Knowledge
‘98% of company Boards or Board-level risk committees regularly review risk management reports, an increase from 85 percent in 2010.’
- Setting a Higher Bar, Deloitte, 2013
• Largest GRC peer community
• Collaborative partner ecosystem
• Partner with the industry leader
Industry Leadership
• 1300+ deployments, 43+ countries, 25+ industries
• 59 Fortune 100, 148 Fortune 500 and 125 Global 500 companies
• 10 out of 10 biggest U.S. banks (per bankrate.com)
• Leader in Ops Risk MQ 2015
• Leader in IT Risk MQ 2015
• Leader in IT Vendor Management 2016
• Leader in BCM MQ 2014
• Leader in Forrester GRC Wave, quoted as “the most mature offering in many occasions”
Take Command of Your Journey
Compliance → (Transition) → Risk → (Transform) → Opportunity
• Compliance: siloed compliance focus, disconnected risk, basic reporting. Goal: reduce compliance cost.
• Risk: managed, automated compliance, expanded risk focus, improved analysis/metrics. Goal: manage known and unknown risks.
• Opportunity: advantaged, fully risk-aware, exploit opportunity. Goal: identify new business opportunities.
RSA ARCHER SOLUTIONS
RSA Archer Solutions and Use Cases
Risk Catalog
Bottom-Up Risk Assessment
Key Indicator Management
Loss Event Management
Top-Down Risk Assessment
Operational Risk Management
Third Party Catalog
Third Party Risk Assessment
Third Party Engagement
Third Party Governance
Issues Management
Audit Engagement & Workpapers
Audit Planning & Quality
Plan of Action & Milestones (POA&Ms)
Assessment & Authorization (A&A)
Continuous Monitoring
Business Impact Analysis
Incident Management
Business Continuity and IT Disaster Recovery Planning
Resiliency Management
Corporate Obligations Management
Policy Program Management
Controls Assurance Program Management
Controls Monitoring Program Management
IT and Security Policy Program Management
IT Controls Assurance
IT Security Vulnerabilities Program
IT Risk Management
PCI Management
Security Incident Management
Security Operations and Breach Management
IT Regulatory Management
Information Security Management System (ISMS)
Use Case list as of Q2 2016 (subject to change)
IT & Security Risk Management Use Cases
IT and Security Policy Program Management
IT Controls Assurance
IT Security Vulnerabilities Program
IT Risk Management
PCI Management
Security Incident Management
Security Operations and Breach Management
IT Regulatory Management
Information Security Management System (ISMS)
IT & Security Risk Management Maturity
Stages: Stage 1 Siloed → Stage 2 Transition → Stage 3 Managed → Stage 4 Transform → Stage 5 Advantaged
Key drivers: security incidents, vulnerabilities, compliance issues, policy/standards
Use cases charted across the stages: Security Incident Management; Issues Management; IT Security Vulnerabilities Program; IT Risk Management; Security Operations & Breach Management; IT & Security Policy Program Management; IT Regulatory Management; IT Controls Assurance; PCI Management; Information Security Management System
Progressions shown on the chart:
• IT & Security Policy Program Management: Policies → Standards → Procedures
• IT Regulatory Management: Regulatory Intel → Regulatory Change
• IT Controls Assurance: Manual assessments → Automated assessments → Continuous Controls Monitoring
Other milestones on the chart: Risk & Threat assessments; Risk Register & KRIs; Vulnerability Scans; Vulnerability Intel; Ad-hoc Response; Measured Response; Breach Assessment; 24x7 Staffing & Operations; Findings + Remediation Plans
Issues Management
Before Scenarios:
• Scattered lists of issues and findings in various documents
• No consolidated view of outstanding issues related to security audits, IT compliance or IT/security risk assessments
• Limited documentation on current and planned remediation efforts to address open risks
• No list of approved and accepted risks (unapproved exceptions)
Key Features:
• Consolidated issue management process
• Consolidated list of findings from IT and security audits and assessments
• Consolidated list of remediation plans for IT & security issues
• Exception management and governance through appropriate risk acceptance and sign-off
IT & Security Policy Program Management
Before Scenarios:
• Scattered repositories of policies, standards and controls, with ambiguity between compliance/business requirements and internal controls
• Limited documentation of operational procedures (controls)
• Manual tracking of policy changes, or policies falling out of step with business changes
Key Features:
• Framework and taxonomy for governance content (policies, standards, controls)
• Workflow and change management tracking
• Best-practice baseline IT & security content library
IT Regulatory Management
Before Scenarios:
• No workflow or defined process to monitor changes to regulations or laws
• Disjointed strategy to manage changes to data protection standards
• Outdated controls based on old requirements, or a haphazard approach to adjusting controls based on changing business requirements
Key Features:
• Regulatory intelligence feeds with workflow for impact analysis and change management tracking
• Issue management for changes related to regulations and other corporate obligations
• Managed exceptions with appropriate risk sign-off/acceptance
IT Controls Assurance
Before Scenarios:
• Duplicative efforts for measuring IT compliance, reacting to emerging regulatory and business requirements individually
• Limited to no consolidated visibility into IT compliance levels across the enterprise, with extensive manual testing and reporting cycles
• Haphazard approach to managing issues related to compliance testing, audits and assessments
Key Features:
• Asset catalog, control repository and taxonomy for compliance processes
• Multiple testing approaches (automated and manual) for a wide variety of IT controls, including integration with testing/assessment technologies
• Integrated issues management to manage reporting and remediation of control gaps
IT Security Vulnerabilities Program
Before Scenarios:
• Multiple scanners producing too much data to be actually helpful in managing security risk
• Poor handoff (if any) to IT operations to address security vulnerabilities
• Limited to no visibility into remediation efforts to close security vulnerabilities
• Vulnerability scanning solely for compliance purposes, with limited added value for the effort
• No prioritization of security vulnerabilities
Key Features:
• Central repository and taxonomy for vulnerabilities
• Integration with multiple scanning technologies
• Large-data/high-volume storage of vulnerability scanning results
• IT asset catalog with business context
• Reporting and research platform
• Rules-based issues management
IT Risk Management
Before Scenarios:
• No consolidated definition of IT risk (taxonomy, catalog, ownership, accountability); reliance on manual processes to perform IT risk assessments
• Limited to no visibility into a consolidated view of IT risks
• Haphazard approach to managing issues related to risk identification
Key Features:
• Asset catalog for risk processes and reporting
• IT risk register, control repository and taxonomy
• Consistent risk and threat assessment processes with pre-built content
• Integrated issues management to report and track remediation of risks identified during risk assessments
Security Incident Management
Before Scenarios:
• SIEM infrastructure producing too much data and overwhelming the security team, with limited or no prioritization of security events
• Manual/ad-hoc documentation of security incident handling
• Poor handoff (if any) to IT operations to address security incident issues, and limited to no visibility into remediation efforts to close security incidents
Key Features:
• Central repository and taxonomy for security alerts, integrated with SIEM/log/packet-capture infrastructure and with an IT asset catalog that supplies business context
• Integrated incident management workflow with escalation, investigation documentation and response procedures
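The two use cases above (IT Security Vulnerabilities Program and Security Incident Management) describe the same underlying idea: raw scanner findings and SIEM alerts are only prioritisable once they are joined to an asset catalog that carries business context, and rules then decide which records become tracked issues. The block below is an added illustration of that idea, written for this page; it is not RSA Archer code and does not use Archer's schema or APIs. The asset catalog, scanner findings and SIEM alerts are constructed sample data, and the field names (criticality, pci_scope, internet_facing), the scoring weights and the tier thresholds are assumptions chosen to make the effect of business context visible.

```python
"""Rules-based triage of scanner findings and SIEM alerts against an asset catalog.

Added illustration for this page, not RSA Archer's code. Every record below is
constructed sample data; field names, weights and thresholds are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

# Constructed asset catalog keyed by hostname. "criticality" is a 1-5 business
# rating; the other flags are the kind of context a vulnerability or an alert
# cannot carry on its own.
ASSET_CATALOG = {
    "pay-db-01":   {"owner": "payments", "criticality": 5, "pci_scope": True,  "internet_facing": False},
    "web-edge-03": {"owner": "web",      "criticality": 4, "pci_scope": False, "internet_facing": True},
    "dev-vm-17":   {"owner": "eng",      "criticality": 1, "pci_scope": False, "internet_facing": False},
}
# Assumed default for hosts the catalog does not know: treated as medium, never ignored.
UNKNOWN_ASSET = {"owner": "unassigned", "criticality": 3, "pci_scope": False, "internet_facing": False}

# Constructed scanner output, normalised to one shape. The first two rows are the
# same weakness reported by two different scanners on one host (deliberate duplicate).
SCAN_FINDINGS = [
    {"source": "scanner-a", "host": "pay-db-01",   "vuln": "V-1001", "cvss": 9.8, "exploit_public": True},
    {"source": "scanner-b", "host": "pay-db-01",   "vuln": "V-1001", "cvss": 9.8, "exploit_public": True},
    {"source": "scanner-a", "host": "dev-vm-17",   "vuln": "V-1002", "cvss": 9.1, "exploit_public": False},
    {"source": "scanner-b", "host": "web-edge-03", "vuln": "V-1003", "cvss": 5.3, "exploit_public": True},
    {"source": "scanner-a", "host": "unknown-99",  "vuln": "V-1004", "cvss": 7.4, "exploit_public": False},
]

# Constructed SIEM alerts; "severity" is the SIEM's own 1-10 rating, which knows nothing about the asset.
SIEM_ALERTS = [
    {"source": "siem", "host": "dev-vm-17",   "rule": "port-scan",          "severity": 3},
    {"source": "siem", "host": "pay-db-01",   "rule": "new-admin-account",  "severity": 6},
    {"source": "siem", "host": "web-edge-03", "rule": "webshell-signature", "severity": 8},
]


@dataclass
class Issue:
    kind: str          # "vulnerability" or "incident"
    host: str
    ref: str           # vulnerability id or detection rule name
    owner: str         # who has to act, taken from the catalog
    score: float
    tier: str          # P1..P4
    sla_days: int      # remediation deadline attached by the rule
    tags: list[str]


def enrich(record: dict) -> tuple[dict, list[str]]:
    """Join a finding or alert to the asset catalog; flag hosts the catalog does not know."""
    tags: list[str] = []
    asset = ASSET_CATALOG.get(record["host"])
    if asset is None:
        asset = UNKNOWN_ASSET
        tags.append("asset-not-in-catalog")   # a catalog gap is itself something to track
    if asset["pci_scope"]:
        tags.append("pci-scope")
    if asset["internet_facing"]:
        tags.append("internet-facing")
    return asset, tags


def score_finding(f: dict, asset: dict) -> float:
    """CVSS weighted by business criticality (crit 5 doubles it, crit 1 leaves 0.7x), plus exposure modifiers."""
    s = f["cvss"] * (0.5 + asset["criticality"] / 5)
    if f.get("exploit_public"):
        s += 2.0
    if asset["internet_facing"]:
        s += 1.5
    if asset["pci_scope"]:
        s += 1.0
    return round(s, 1)


def score_alert(a: dict, asset: dict) -> float:
    """SIEM severity weighted the same way; anything touching the cardholder environment is pushed up."""
    s = a["severity"] * (0.5 + asset["criticality"] / 5)
    if asset["pci_scope"]:
        s += 2.0
    return round(s, 1)


# Rules table: the first matching rule assigns the tier and the SLA. Thresholds are illustrative.
TIERS: list[tuple[str, Callable[[float, list[str]], bool], int]] = [
    ("P1", lambda s, tags: s >= 15.0 or ("pci-scope" in tags and s >= 10.0), 7),
    ("P2", lambda s, tags: s >= 10.0, 30),
    ("P3", lambda s, tags: s >= 5.0, 90),
    ("P4", lambda s, tags: True, 180),
]


def dedupe(findings: list[dict]) -> list[dict]:
    """Collapse the same weakness on the same host reported by several scanners into one record."""
    seen, out = set(), []
    for f in findings:
        key = (f["host"], f["vuln"])
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out


def triage(findings: list[dict], alerts: list[dict]) -> list[Issue]:
    """Turn raw findings and alerts into prioritised issues with an owner and a deadline."""
    issues: list[Issue] = []
    for f in dedupe(findings):
        asset, tags = enrich(f)
        s = score_finding(f, asset)
        tier, _, sla = next(t for t in TIERS if t[1](s, tags))
        issues.append(Issue("vulnerability", f["host"], f["vuln"], asset["owner"], s, tier, sla, tags))
    for a in alerts:
        asset, tags = enrich(a)
        s = score_alert(a, asset)
        if s < 5.0 and asset["criticality"] <= 1:
            continue   # rule: low-value noise on a non-critical asset does not become an issue
        tier, _, sla = next(t for t in TIERS if t[1](s, tags))
        issues.append(Issue("incident", a["host"], a["rule"], asset["owner"], s, tier, sla, tags))
    return sorted(issues, key=lambda i: -i.score)


if __name__ == "__main__":
    for i in triage(SCAN_FINDINGS, SIEM_ALERTS):
        print(f"{i.tier} {i.score:5.1f} {i.kind:13} {i.host:12} {i.ref:18} owner={i.owner} sla={i.sla_days}d {i.tags}")
```

Two things in the output are the point of the exercise: the CVSS 9.1 finding on the development VM lands at P3 while the CVSS 5.3 finding on the internet-facing web host lands at P2, and the medium-severity "new admin account" alert on the PCI-scope database is escalated to P1 by context alone. The duplicate finding from the second scanner is collapsed, the alert on the development VM is suppressed by rule, and the host missing from the catalog is tagged so that the catalog gap gets fixed rather than silently defaulting.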
Security Operations & Breach Management
Before Scenarios:
• Security operations managed by spreadsheet, email, SharePoint or other point solutions
• No consistent operational procedures for handling security incidents or breaches
• Manual processes for managing shifts in the SOC, emergency notifications and data breach handling
Key Features:
• Central repository and taxonomy for security alerts, integrated with SIEM/log/packet-capture infrastructure
• IT asset catalog with business context, with a reporting and research platform for incident rates
• Shift and staffing management
PCI Management
Before Scenarios:
• Ad-hoc PCI compliance process
• Inconsistent stakeholder accountability
• Manual processes for gathering and reporting evidence
• No consistent methods for handling compliance gaps and ongoing assessment
Key Features:
• Project workflows to manage CDE (cardholder data environment) scoping and ongoing assessments
• Structured content libraries linking the PCI DSS to an extensive control testing repository
• Persona-driven dashboards and questionnaires
• Centralized issues management
• One-click reporting template for creating a properly formatted Report on Compliance (ROC)
Information Security Management System (ISMS)
Before Scenarios:
• No consolidated repository of assets, risks and security controls
• No workflow or defined process to perform IT risk assessments
• No systematic approach to map IT risks to IT controls
Key Features:
• Scope your ISMS and document your Statement of Applicability
• Catalog resources related to your ISMS, including information assets, applications, business processes, devices and facilities
• Document and maintain an information security risk register
• Establish policies and standards in support of your ISMS
• Manage issues related to ISMS assessment processes
EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.