Strategy to Implement a GRC Software Solution
(Governance, Risk, and Compliance)
Keys to Success in Implementing a GRC Software Solution
• Identify a VP-level sponsor and local department champions
• Implement in phases; guarantee some wins
• Develop and publish a RACI matrix that explains who does what
• Identify the minimum workflows and decision points
• Data migration: identify the key data to import and cleanse it before use
• Normalize (key) roles based on importance; build SoD security into them
• Leverage the 80/20 rule; it is OK to have exceptions
• Develop a virtual org chart for the system
• Use the sandbox environment to test-drive the system and get your feet wet
• Create simple end-user documentation / training guides
• Implementation plan: validate that the right people are free for go-live
• Document decisions and configuration values as you go
• Communicate goals and sell the benefits / ROI to the company
"We didn't plan to fail... we failed to plan."
For customers of Random Access Technologies, Inc. only ‐ Patrick Angel, CISM® CRISC® CISA®
Identify Sponsor / Champions
Reason for the most common failure: lack of support and buy-in
• Enterprise-level projects (like GRC rollouts) fail without CxO sponsorship.
• A GRC project needs a champion from every key department / line function to serve as liaison and to assist with implementation and training.
• Regular communication with all stakeholders is essential throughout the project's life.
• Weekly communication should include status, % complete, issues/risks, and key dates.
Implement the GRC system in phases
Guaranteeing some early wins goes a long way toward guaranteeing overall success
• Grab the low-hanging fruit (simple functions like surveys) to show progress, deliver quick wins and results, and begin to engage the users.
• A phased approach is the safest, and progress is easily measured.
• Engage the end users to review (and sign off on) all major changes / updates to the GRC system.
• Engage line management to review / assist in developing the training material and format (e.g. CBT vs live / in-person), and to take ownership of it.
Create a RACI matrix during design
Give all users some guidance on who does what
• R – Responsible (does the work)
• A – Accountable (owns the outcome; one per activity)
• C – Consulted (gives input before the work is done)
• I – Informed (told of the result)
Activity columns (header text as it ran across the top of the matrix, left to right): Request Execution; Manage Scanning Schedule; Collect Data & Analysis docs / Upload for Testing; Conduct Surveys / Execute Scan; Collects / Reviews Output; Meeting - Review Results; Address / Remediate / Resolve Issues; Submit Docs, Update / cleanse, Re-Issue Report; Re-Test / Validate Fixes per Remediation.

Each row gives the role's assignment in the five activity columns, left to right:

Role                    | 1   | 2   | 3   | 4   | 5
------------------------+-----+-----+-----+-----+-----
CxO / Executive         | R   | C   | I   | I   | C
Business Owner          | R   | R   | C   | R   | R/A
Program Mgr (Angel)     | I   | R/A | R   | R/A | C
Developer / Tech SME    | C   | I   | C   | R   | R/A
Process Owner           | C   | R   | R   | R   | C
Department SME          | I   | C   | R/A | --  | --
Line Manager            | I   | C   | R/A | --  | --

Check before publishing: a RACI matrix should carry exactly one A per activity, so that each activity has a single owner. As the matrix stands, column 1 has no A at all, and columns 3 and 5 each have two (Department SME and Line Manager; Business Owner and Developer / Tech SME). Resolve these when the matrix is reviewed with the stakeholders.
Data migration and cleansing
If you don't need it, don't pack it up and take it with you.
• Identify the core data and plan to migrate only key data to the new system.
• Take this as an opportunity to cleanse your data and formats; don't move your old dirt.
• Focus on the minimum necessary data to integrate into your GRC system (you can add more later).
• Plan to have your data cleansed and ready to migrate one month before go-live.
• For a GRC system that data is largely identities, roles and entitlements: a stale account or orphaned role imported on day one is a standing access finding on day two, so cleansing here is itself a control.
Workflows and required use cases (minimum)
Implement the most-needed / common functions first for the biggest bang
• Self-service user: password reset / change
• Login (access) as manager
• View (staff) reports, by manager
• View assigned roles and available roles
• Request a basic (minimum) account: email, Active Directory, etc.
• Provision / request access to a role: add (new) user
• Update / change a user's access to a role
• De-provision: remove (delete / terminate) a user
• Route an approval request
• Approve request(s)
• Reject request(s)
• Request additional information on a request
Integrate Separation of Duties (SoD) into the design of (new) roles. The check belongs in the provisioning workflow itself: evaluate the combination of entitlements the user would hold after the request, not the requested role in isolation, and never let the requester approve their own request.
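The following is an added example, not code from the slides or from any of the GRC products they mention, of how the SoD rule can sit inside the grant / revoke / approve workflow listed above. The role catalogue, the entitlement names, the three SoD pairs and the users are constructed for illustration; a real deployment would load them from the GRC system's role store.

```python
"""Separation-of-Duties check wired into a role-request workflow.

Added example; the role catalogue, entitlement names and SoD pairs below are
constructed to illustrate the check and are not taken from any product.
"""
from dataclasses import dataclass

# Hypothetical role catalogue: role -> entitlements it carries.
ROLES = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_APPROVER": {"invoice.approve", "payment.release"},
    "GL_ACCOUNTANT": {"journal.submit"},
    "GL_REVIEWER": {"journal.post"},
    "HELPDESK": {"password.reset", "account.view"},
}

# SoD policy: entitlement pairs one identity must never hold at the same time.
SOD_RULES = {
    frozenset({"vendor.create", "payment.release"}): "create a vendor and pay it",
    frozenset({"invoice.enter", "invoice.approve"}): "enter and approve invoices",
    frozenset({"journal.submit", "journal.post"}): "submit and post journals",
}


@dataclass
class AccessRequest:
    requester: str                 # who raised the request
    subject: str                   # identity the role is for
    role: str
    action: str = "grant"          # "grant" or "revoke"
    exception_justification: str = ""


def effective_entitlements(roles):
    """Union of entitlements across a set of roles."""
    ents = set()
    for r in roles:
        ents |= ROLES[r]
    return ents


def sod_conflicts(roles):
    """Descriptions of the SoD rules violated by the combined entitlements of `roles`."""
    ents = effective_entitlements(roles)
    return sorted(desc for pair, desc in SOD_RULES.items() if pair <= ents)


def evaluate_request(req, current_roles):
    """Pre-approval check. Returns (routing, resulting_roles, reasons).

    routing is one of "auto_revoke", "route_to_manager", "route_to_compliance",
    "reject". The check runs on the subject's *resulting* role set, so a role
    that is harmless on its own is still caught when it completes a toxic pair.
    Revocations cannot create an SoD conflict, so they skip the check.
    """
    roles = set(current_roles.get(req.subject, ()))    # copy; never mutate state
    if req.role not in ROLES:
        return "reject", roles, [f"unknown role: {req.role}"]
    if req.action == "revoke":
        roles.discard(req.role)
        return "auto_revoke", roles, ["revocation needs no SoD check"]
    proposed = roles | {req.role}
    conflicts = sod_conflicts(proposed)
    if not conflicts:
        return "route_to_manager", proposed, ["no SoD conflict"]
    reasons = ["SoD conflict: " + c for c in conflicts]
    if req.exception_justification:
        # Exceptions are allowed but must be defended, so they bypass the line
        # manager and go to the compliance approver with the conflict listed.
        return "route_to_compliance", proposed, reasons + [
            "exception requested: " + req.exception_justification]
    return "reject", roles, reasons


def approve(req, approver):
    """Approval step: the approver must be neither the requester nor the subject."""
    if approver in (req.requester, req.subject):
        return False, "self-approval is an SoD violation"
    return True, f"approved by {approver}"


if __name__ == "__main__":
    state = {"alice": {"AP_CLERK"}, "bob": {"HELPDESK"}}
    req = AccessRequest(requester="mgr1", subject="alice", role="AP_APPROVER")
    print(evaluate_request(req, state))
    print(approve(req, "mgr1"))
```

Granting AP_APPROVER to a user who already holds AP_CLERK is rejected because the resulting entitlement set completes two toxic pairs; the same request with a documented justification is routed to compliance rather than auto-rejected, which is the 80/20 stance of the later slide.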
Use standard workflows
Success in GRC depends on people, process and technology.
You are in charge of your people, and you acquired the technology,
but is your process documented before you automate it?
Leverage the 80/20 rule
It's OK to have exceptions as long as they don't become the rule
• You should be able to normalize 80% of the roles using only 20% of the overall effort.
• The remaining 20% of the roles will require the balance (80%) of the effort to standardize.
• Pick your battles: which roles are important enough to keep as exceptions (management / oversight)?
  – Require line management to defend the need for each exception.
• GRC will always have exceptions; decide which ones matter to you and the company.
• Record every exception with an owner and an expiry date, so it is re-justified at the next role review rather than becoming permanent by default.
Develop a virtual org chart
Who in the company is important as a user of the GRC system?
• CxOs and the Legal department
• Line management
• Audit / Compliance
• SMEs (subject-matter experts)
• I/T support
Not everybody needs to be included.
Create / use the sandbox environment
Let users and management get a feel for the system in a safe place
• Allows real-time feedback on the system.
• Provide logins for all SMEs and key stakeholders to explore the system.
• A safe environment permits faster adoption of the system.
• Gives end users a way to identify problems and updates required before go-live.
• Create an action list for system updates / fixes.
• If the sandbox is loaded with real employee and role data, treat its logins with the same care as production ones, and retire them before go-live.
Documentation / Training Guide
Make it easy to read, understand and follow
• Use screenshots of the system's actual screens to help users navigate and use the software.
• Sample guide pages shown for R-SAM, MetricStream and AVATIER / AIMS.
• Create a CBT (computer-based training) version for remote-office / country staff.
Integrate the risk-analysis process
Automate the manual process of analyzing risk
Document config values and decisions
Ensure you meet regulatory / compliance requirements as you go
• Document all configuration / setup values as you go when setting up the GRC system.
  – At minimum, use screen prints in a Word file to track entries and values; you will need them later.
• Document all key decisions by both tech staff and CxO / management (including emails).
• Save, back up, and store in duplicate.
• This record will be required for maintenance / support and for regulatory and compliance discussions.
• Keep the record itself under access control: it describes exactly how your controls are configured, and screen prints can capture connection strings and service-account details.
Implementation plan for go-live
A migration plan will keep the ship heading in the right direction
• Verify your key people will be available during the go-live period (e.g. vacation / holidays).
• Sync the GRC migration with the current maintenance-windows calendar.
• Confirm dependency milestone dates will be completed prior to migration (critical path).
• Conduct a desk walkthrough of the migration plan to avoid obvious mistakes / oversights.
• Validate that the target environment is set up the same as the test / sandbox environment; compare the documented configuration values setting by setting rather than from memory.
Sell benefits / ROI and communicate
Facilitate acceptance by selling the benefits and communicating goals to the company / staff
• Leverage status reports to spread the word.
• Document the efficiency gained via usage by SMEs.
• Communicate to all stakeholders about new functionality and milestones completed.
• Create login IDs for all major stakeholders so they can see and touch the system.
• Use vendor white papers to convey the overall benefits of using the new GRC system.
• Hold a company-wide kick-off announcement.
Role Management
Governance (and review) process
Develop a process to (regularly) review / maintain key roles.

Process steps shown in the diagram: Start; Provisioning (Security Mgmt / Network Mgmt); Bi-annual / quarterly review; Exceptions; Consider creation of a new role; Document management approval and sign-off; Send request for new role to the IdM Roles Admin; Add new role to the roles list and distribute; Report exceptions and problems; End.

Role Governance Board:
• CISO / Director of Security
• Information Security
• Provisioning staff / supervisor
• I/T Service Desk
• Human Resources
• Department head(s)

Evaluate individual cases and compare exceptions to existing roles:
• How frequently are new roles requested?
• How close is the new role to existing roles?
• How important is the new role to the organization?
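The three board questions above can be made repeatable. The following is an added example, not from the slides or any product, that scores a requested entitlement set against the existing catalogue (Jaccard similarity answers "how close"), counts how often that exact set has been requested in the review period ("how frequently"), and takes a business-criticality flag ("how important"), then returns the board's decision. The catalogue, request log, thresholds and entitlement names are constructed assumptions.

```python
"""Triage for a new-role request along the three questions the role
governance board asks: how often, how close to an existing role, how important.

Added example; the catalogue, request log and thresholds are constructed.
"""
from collections import Counter

# Hypothetical existing role catalogue: role -> entitlements.
EXISTING_ROLES = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_APPROVER": {"invoice.approve", "payment.release"},
    "HELPDESK": {"password.reset", "account.view"},
    "HELPDESK_LEAD": {"password.reset", "account.view",
                      "account.unlock", "ticket.escalate"},
}

# Constructed log of entitlement sets requested as exceptions this review period.
REQUEST_LOG = [
    {"password.reset", "account.view", "account.unlock"},
    {"password.reset", "account.view", "account.unlock"},
    {"password.reset", "account.view", "account.unlock"},
    {"vendor.create", "invoice.enter", "report.export"},
]

# Governance thresholds (assumptions; tune per organisation).
REUSE_THRESHOLD = 0.75          # at least this similar -> extend the existing role
MIN_REQUESTS_FOR_NEW_ROLE = 3   # fewer than this in the period -> stays an exception


def jaccard(a, b):
    """|A & B| / |A | B|; 1.0 means identical entitlement sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def closest_role(requested):
    """Return (role_name, similarity) of the nearest existing role."""
    name, ents = max(EXISTING_ROLES.items(), key=lambda kv: jaccard(requested, kv[1]))
    return name, jaccard(requested, ents)


def count_requests(request_log, requested):
    """How many times this exact entitlement set was requested in the period."""
    counts = Counter(frozenset(e) for e in request_log)
    return counts[frozenset(requested)]


def triage_new_role(requested, request_log, business_critical=False):
    """Return (decision, detail) for the governance board.

    decision: "reuse_existing"  - identical role already exists
              "extend_existing" - superset of a close role; add the extras to it
              "create_role"     - requested often enough, or business-critical
              "exception"       - grant case by case and report it
    A strict *subset* of a close role deliberately falls through to the
    frequency test: granting the wider role would over-provision.
    """
    requested = set(requested)
    name, sim = closest_role(requested)
    if sim == 1.0:
        return "reuse_existing", f"identical to {name}"
    if sim >= REUSE_THRESHOLD and requested >= EXISTING_ROLES[name]:
        extra = sorted(requested - EXISTING_ROLES[name])
        return "extend_existing", f"{name} plus {extra}"
    n = count_requests(request_log, requested)
    nearest = f"requested {n}x, nearest {name} at {sim:.2f}"
    if n >= MIN_REQUESTS_FOR_NEW_ROLE or business_critical:
        return "create_role", nearest
    return "exception", nearest + "; handle as exception and report"


if __name__ == "__main__":
    print(triage_new_role({"password.reset", "account.view", "account.unlock"}, REQUEST_LOG))
    print(triage_new_role({"vendor.create", "invoice.enter", "report.export"}, REQUEST_LOG))
```

Whatever the decision, the extras returned for "extend_existing" and the full set for "create_role" still have to pass the SoD check from the workflow slide before the IdM Roles Admin adds anything to the roles list.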
Patrick Angel
Roles: Asst CISO / GRC-Implementation Prog Mgr
Director PMO / Enterprise I/T Security-Architect
Areas: R-SAM / MetricStream / AVATIER (AIMS), COBIT
Framework / ISO-27002 Controls Testing
Education
Bachelors in Information Systems (MIS)
Masters Business Administration (MBA)
Years of Experience
20+ years in Information Systems
15+ years of SDLC and Governance, Risk and Compliance
Hands-on Software Developer, Application-Testing, I-T Auditing
Certifications and Associations include -
(In-progress)
Get Started Now…
‘…Chance favors the prepared Mind’
www.RandomAccessTechnology.com
(214) 826‐3812
Weitere ähnliche Inhalte

Ähnlich wie Strategy to Design / Implement a GRC Sys

ITAM Tools Day, November 2015 - Concorde
ITAM Tools Day, November 2015 - ConcordeITAM Tools Day, November 2015 - Concorde
ITAM Tools Day, November 2015 - ConcordeMartin Thompson
 
Webinar- Leveraging Reporting-As-A-Service to Improve Agility and Reduce Unit...
Webinar- Leveraging Reporting-As-A-Service to Improve Agility and Reduce Unit...Webinar- Leveraging Reporting-As-A-Service to Improve Agility and Reduce Unit...
Webinar- Leveraging Reporting-As-A-Service to Improve Agility and Reduce Unit...Nous Infosystems
 
WSO2Con USA 2015: The Needs of Next Generation Giants
WSO2Con USA 2015: The Needs of Next Generation GiantsWSO2Con USA 2015: The Needs of Next Generation Giants
WSO2Con USA 2015: The Needs of Next Generation GiantsWSO2
 
ClearCase Version Importer - a migration tool to Rational Team Concert SCM
ClearCase Version Importer - a migration tool to Rational Team Concert SCMClearCase Version Importer - a migration tool to Rational Team Concert SCM
ClearCase Version Importer - a migration tool to Rational Team Concert SCMIBM Rational software
 
Saas challenges and solutions
Saas challenges and solutionsSaas challenges and solutions
Saas challenges and solutionskanimozhin
 
Click Earn Grow 2009 Original Concept Next Generation Online Betting Technolo...
Click Earn Grow 2009 Original Concept Next Generation Online Betting Technolo...Click Earn Grow 2009 Original Concept Next Generation Online Betting Technolo...
Click Earn Grow 2009 Original Concept Next Generation Online Betting Technolo...Click Earn Grow
 
Accelerating Application Development and Rollout for Business
Accelerating Application Development and Rollout for BusinessAccelerating Application Development and Rollout for Business
Accelerating Application Development and Rollout for BusinessCA Technologies
 
D365 crm on-premise to d365 online migration
D365   crm on-premise to d365 online migrationD365   crm on-premise to d365 online migration
D365 crm on-premise to d365 online migrationSydd365ug
 
Presentation on six sigma
Presentation on six sigmaPresentation on six sigma
Presentation on six sigmaMANOJ ARORA
 
Building a scalable and profitable saa s business model
Building a scalable and profitable saa s business modelBuilding a scalable and profitable saa s business model
Building a scalable and profitable saa s business modelkanimozhin
 
S4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptx
S4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptxS4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptx
S4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptxITAdmin28
 
Impact 2012 1640 - BPM Design considerations when optimizing business process...
Impact 2012 1640 - BPM Design considerations when optimizing business process...Impact 2012 1640 - BPM Design considerations when optimizing business process...
Impact 2012 1640 - BPM Design considerations when optimizing business process...Brian Petrini
 
Crm implementation (oracle)
Crm implementation (oracle)Crm implementation (oracle)
Crm implementation (oracle)Lauren Taylor
 
Linkedin presentation
Linkedin presentationLinkedin presentation
Linkedin presentationJohn Dailey
 

Ähnlich wie Strategy to Design / Implement a GRC Sys (20)

DCE - IBM Blueworks LIVE
DCE - IBM Blueworks LIVEDCE - IBM Blueworks LIVE
DCE - IBM Blueworks LIVE
 
ITAM Tools Day, November 2015 - Concorde
ITAM Tools Day, November 2015 - ConcordeITAM Tools Day, November 2015 - Concorde
ITAM Tools Day, November 2015 - Concorde
 
Webinar- Leveraging Reporting-As-A-Service to Improve Agility and Reduce Unit...
Webinar- Leveraging Reporting-As-A-Service to Improve Agility and Reduce Unit...Webinar- Leveraging Reporting-As-A-Service to Improve Agility and Reduce Unit...
Webinar- Leveraging Reporting-As-A-Service to Improve Agility and Reduce Unit...
 
WSO2Con USA 2015: The Needs of Next Generation Giants
WSO2Con USA 2015: The Needs of Next Generation GiantsWSO2Con USA 2015: The Needs of Next Generation Giants
WSO2Con USA 2015: The Needs of Next Generation Giants
 
SAP License Services by Crayon Software Experts
SAP License Services by Crayon Software ExpertsSAP License Services by Crayon Software Experts
SAP License Services by Crayon Software Experts
 
ClearCase Version Importer - a migration tool to Rational Team Concert SCM
ClearCase Version Importer - a migration tool to Rational Team Concert SCMClearCase Version Importer - a migration tool to Rational Team Concert SCM
ClearCase Version Importer - a migration tool to Rational Team Concert SCM
 
Saas challenges and solutions
Saas challenges and solutionsSaas challenges and solutions
Saas challenges and solutions
 
AJC Brochure
AJC BrochureAJC Brochure
AJC Brochure
 
Click Earn Grow 2009 Original Concept Next Generation Online Betting Technolo...
Click Earn Grow 2009 Original Concept Next Generation Online Betting Technolo...Click Earn Grow 2009 Original Concept Next Generation Online Betting Technolo...
Click Earn Grow 2009 Original Concept Next Generation Online Betting Technolo...
 
Accelerating Application Development and Rollout for Business
Accelerating Application Development and Rollout for BusinessAccelerating Application Development and Rollout for Business
Accelerating Application Development and Rollout for Business
 
D365 crm on-premise to d365 online migration
D365   crm on-premise to d365 online migrationD365   crm on-premise to d365 online migration
D365 crm on-premise to d365 online migration
 
Presentation on six sigma
Presentation on six sigmaPresentation on six sigma
Presentation on six sigma
 
Building a scalable and profitable saa s business model
Building a scalable and profitable saa s business modelBuilding a scalable and profitable saa s business model
Building a scalable and profitable saa s business model
 
Slcm webinar
Slcm webinarSlcm webinar
Slcm webinar
 
S4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptx
S4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptxS4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptx
S4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptx
 
Impact 2012 1640 - BPM Design considerations when optimizing business process...
Impact 2012 1640 - BPM Design considerations when optimizing business process...Impact 2012 1640 - BPM Design considerations when optimizing business process...
Impact 2012 1640 - BPM Design considerations when optimizing business process...
 
Sell Security Programs To Sr Mgt
Sell Security Programs To Sr MgtSell Security Programs To Sr Mgt
Sell Security Programs To Sr Mgt
 
Crm implementation (oracle)
Crm implementation (oracle)Crm implementation (oracle)
Crm implementation (oracle)
 
Linkedin presentation
Linkedin presentationLinkedin presentation
Linkedin presentation
 
Hiran Hari_CV
Hiran Hari_CVHiran Hari_CV
Hiran Hari_CV
 

Kürzlich hochgeladen

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Kürzlich hochgeladen (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Strategy to Design / Implement a GRC Sys

  • 1. Strategy to Implement a GRC Software Solution (Governance, Risk, and Compliance)
  • 2. Keys to Success in Implementing a GRC Software Solution  Identify VP Level Sponsor & local Department Champions  Implement in Phases – guarantee some ‘WINs’  Develop and Publish a RACI Matrix – explain who does what…?  Identify Minimum Workflows and Decision‐points  Data‐Migration – identify key‐data to import and ‘cleanse’ before usage  Normalize (Key) Roles based on importance, build‐in SoD Security  Leverage the 80/20 Rule – ok to have exceptions  Develop a ‘Virtual Org‐Chart’ for system  Use/ Leverage the ‘SandBox’ Environment – to ‘Test‐Drive’ the system and ‘get your feet wet…’  Create ‘simple’ End‐user Documentation / Training Guides  Implementation Plan – validate the right‐people are free for ‘Go‐Live’  Document decisions and Configuration values as you go…  Communicate Goals and ‘sell’ Benefits / ROI to company “we didn’t Plan to Fail…. we Failed to Plan…” For customers of Random Access Technologies, Inc. only ‐ Patrick Angel, CISM® CRISC® CISA®
  • 3. Identify Sponsor / Champions Reason for Most‐Common Failure – Lack of Support & ‘Buy‐in’… • Enterprise‐Level Projects (like GRC rollouts) will fail without CxO Sponsorship, • GRC Projects will require a ‘champion’ from every key Dept / Line‐function to serve as liaison and assist in implementation, training • Regular Communication is essential with all the Stakeholders, throughout the Project’s life • Weekly Communication should include – Status, % Complete, Issues/Risks, and Key Dates For customers of Random Access Technologies, Inc. only ‐ Patrick Angel, CISM® CRISC® CISA®
  • 4. Implement the GRC system in ‘Phases’ Guaranteeing some ‘Wins’ will guarantee overall ‘Success’ • Grab the ‘low‐hanging fruit’ (simple functions like SURVEYs) to show progress, quick ‘wins’ and results, begin to engage the users, • Phased approach is the ‘safest’ and progress is easily measured, • Engage the end‐user to review (and sign‐off) on all Major changes / updates to GRC System, • Engage Line‐Management to review / assist in developing Training Material and format (e.g. CBT vs Live/In‐person), & take ownership For customers of Random Access Technologies, Inc. only ‐ Patrick Angel, CISM® CRISC® CISA®
  • 5. Create a RACI Matrix during Design Give all Users some guidance on ‘who does what’… • R – responsible • A – Accountable • C – Consulted • I ‐ Informed For customers of Random Access Technologies, Inc. only ‐ Patrick Angel, CISM® CRISC® CISA® R e q u e s t E x e c u t i o n M a n a g e S c a n n i n g S c h e d u l e C o l l e c t D a t a & A n a l y s i s d o c s / U p l o a d f o r T e s t i n g C o n d u c t S u r v e y s / E x e c u t e S c a n C o l l e c t s / R e v i e w s O u t p u t M e e t i n g ‐ R e v i e w R e s u l t s A d d r e s s / R e m e d i a t e / R e s o l v e I s s u e s S u b m i t D o c s , U p d a t e / c l e a n s e , R e I s s u e R e p o r t R e T e s t / V a l i d a t e F i x e s p e r R e m e d i a t i o n CxO / Executive R C I I C Business Owner R R C R R/A Program Mgr (Angel) I R / A R R/A C Developer / Tech SME C I C R R/A Process Owner C R R R C Department SME I C R/A ‐‐ ‐‐ Line Manager I C R/A ‐‐ ‐‐
• 6. Data‐Migration and ‘Cleansing’
If you don’t need it… don’t pack it up and take it with you.
• Identify Core‐Data and plan to migrate only ‘Key Data’ to the new system
• Take this as an opportunity to ‘cleanse’ your data / formats – don’t move your old Dirt…
• Focus on the ‘minimum necessary data’ to integrate into your GRC System (you can add more later)
• Plan to have your data ‘cleansed’ and ready to migrate 1 month before ‘Go‐Live’
• 7. Workflows and Required Use‐Cases (minimum)
Implement ‘most‐needed’ / Common Functions 1st – biggest ‘bang’
• Self‐Service User – Password Reset / Change
• Login (access) as Manager
• View (staff) Reports, by Manager
• View Assigned Roles and Available Roles
• Request basic (minimum) account – Email, Active Dir, etc.
• Provision / Request access to Role – Add (new) user
• Update / Change user access to (role)
• De‐Provision – Remove (delete/terminate) user
• Route Approval‐Request
• Approve Request(s)
• Reject Request(s)
• Request additional info on Request
Integrate Separation‐of‐Duties (SoD) into design of (New) Roles
• 8. Use standard Workflows
Success in GRC depends on – People / Process / Technology
You are in charge of your People… and you acquired the Technology… but is your Process documented… before you Automate it?…
• 9. Leverage the “80/20” Rule
It’s ok to have ‘exceptions’ as long as they don’t become the Rule
• Should be able to Normalize 80% of the Roles using only 20% of the overall ‘effort’
• Remaining 20% of the Roles will require the balance (80%) of the ‘effort’ to standardize…
• Pick your Battles – what Roles are important to have as ‘exceptions’ – Mgmt / Oversight…? – Require Line‐Mgmt to ‘defend’ need for exceptions
• GRC will always have ‘exceptions’ – which ones are important to you / company…?
• 10. Develop a Virtual Org‐Chart
Who is Important in the Company (to use the GRC System)?
• CxO’s and Legal Dept
• Line‐Management
• Audit / Compliance
• SME’s (subject‐matter experts)
• I/T Support
– but… not everybody needs to be included…
• 11. Create / use the ‘SandBox’ Environment
Let the Users / Mgmt get a feel for the system in a ‘safe’ place…
• Allows for Real‐Time Feedback on system
• Provide Logins for all SME’s and Key Stakeholders to explore the system
• Safe‐Environment permits faster adoption of system
• Allow end‐users a way to identify problems and updates required before Go‐Live
• Create Action‐List for system‐updates / fixes
• 12. Documentation / Training Guide
Make it easy to Read / Understand / Follow – using R‐SAM
• 13. Documentation / Training Guide
Use screen‐shots of the system’s actual screens to help users navigate and use the software
Make it easy to Read / Understand / Follow – using R‐SAM
• 14. Documentation / Training Guide
Make it easy to Read / Understand / Follow – MetricStream
• 15. Documentation / Training Guide
Make it easy to Read / Understand / Follow – MetricStream
• 16. Documentation / Training Guide
Make it easy to Read / Understand / Follow – MetricStream
• 17. Documentation / Training Guide
Make it easy to Read / Understand / Follow – AVATIER / AIMS
• 18. Documentation / Training Guide
Create a CBT (computer‐based training) version for the Remote office / Country staff
• 19. Integrate Risk‐Analysis Process
Automate the Manual Process of Analyzing Risk
• 20. Document Config‐Values and Decisions
Ensure you meet Regulatory / Compliance Requirements as you go…
• Document all Configuration / setup Values ‘as you go’ when setting up the GRC System
– At minimum, use screen‐prints in a Word file to track entries and values; you will need it later on
• Document all (Key) Decisions by both Tech Staff and CxO / Management (including Emails)
• Save, backup, and store in duplicate
• Will be required for Maintenance / Support / Regulatory and Compliance‐discussions
• 21. Implementation Plan for ‘Go‐Live’
A Migration‐Plan will keep the ship heading in the right direction
• Verify your Key people will be available during the ‘Go‐Live’ period (e.g. vacation / holidays)
• Sync up the GRC Migration with the current Maintenance Windows calendar
• Confirm Dependency‐Milestone‐dates will be completed prior to Migration (critical‐path)
• Conduct a Desk‐walkthrough of the Migration Plan to avoid obvious mistakes / oversights
• Validate that the Target‐Environment is set up the same as the Test / Sandbox Environment
• 22. Sell Benefits / ROI and Communicate
Facilitate acceptance by selling benefits / communicating Goals to company / Staff
• Leverage Status Reports to ‘spread the word’…
• Document efficiency gained via Usage by SME’s
• Communicate to all Stakeholders about new Functionality and Milestones completed
• Create Login ID’s for all major Stakeholders so they can ‘see and touch’ the system
• Use Vendor WhitePapers to impress the overall Benefits of using the new GRC System
• Hold company‐wide ‘Kick‐Off’ Announcement
• 23. Role‐Management Governance (and Review) Process
Develop a Process to (regularly) Review / Maintain Key Roles
Process steps (flowchart boxes):
• Start
• Provisioning
• Security‐Mgmt / Network‐Mgmt
• Bi‐Annual / QTR Review Exceptions
• Consider Creation of a New Role
• Send Request for New Role to IdM Roles‐Admin
• Evaluate Individual Cases and Compare Exceptions to Existing Roles
• Add New Role to Roles List and Distribute
• Document Mgmt‐Approval and Signoff
• REPORT Exceptions & Problems
• END
ROLE‐GOVERNANCE BOARD:
• CISO / Director of Security
• Information Security
• Provisioning Staff / Supv
• I/T Service‐Desk
• Human Resources
• Dept Head(s)
Questions the Board asks for each request:
• How Frequently are New Roles Requested?
• How Close is New Role to Existing Roles?
• How Important is New Role to Org?
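Slide 7 asks for Separation‐of‐Duties to be built into the design of new roles, and slide 23 asks the Role‐Governance Board how close a requested role is to existing roles before creating it. The Python below is an added example of how those two checks can sit in front of the provision / approve / reject workflow; it is not code from this deck, nor from R‐SAM, MetricStream or AVATIER. The role names, entitlement names and SoD rule pairs are constructed sample data, and the Jaccard overlap measure with a 0.5 merge threshold is an assumption, not a figure from the slides.

```python
"""Role-request workflow with SoD checking and new-role similarity review.

Added example (not from the deck or any GRC vendor). Roles, entitlements and
SoD rules below are constructed sample data; the Jaccard similarity and the
0.5 threshold are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Constructed sample roles: role name -> set of entitlements (hypothetical names)
ROLES = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_approver": {"invoice.approve", "payment.release"},
    "auditor": {"ledger.read", "report.read"},
    "helpdesk": {"account.reset_password", "ticket.update"},
}

# Constructed SoD rules: entitlement pairs one identity must never hold together
SOD_RULES = [
    ("vendor.create", "payment.release"),   # create a vendor AND pay it
    ("invoice.enter", "invoice.approve"),   # enter an invoice AND approve it
]


@dataclass
class AccessRequest:
    user: str
    role: str                # role being requested
    current_roles: list      # roles the user already holds
    justification: str = ""


def entitlements(role_names):
    """Union of entitlements granted by a list of role names."""
    out = set()
    for name in role_names:
        out |= ROLES.get(name, set())
    return out


def sod_conflicts(entitlement_set):
    """Return the SoD rule pairs that are both present in one entitlement set."""
    return [(a, b) for a, b in SOD_RULES
            if a in entitlement_set and b in entitlement_set]


def evaluate_request(req):
    """Slide 7 workflow: reject unknown roles, reject SoD conflicts caused by
    the requested role on top of what the user already holds, otherwise route
    the request for manager approval."""
    if req.role not in ROLES:
        return ("reject", "unknown role; submit to Role-Governance Board")
    proposed = entitlements(req.current_roles + [req.role])
    conflicts = sod_conflicts(proposed)
    if conflicts:
        detail = ", ".join(f"{a} + {b}" for a, b in conflicts)
        return ("reject", f"SoD conflict: {detail}")
    return ("route_for_approval", "no SoD conflict; awaiting manager approval")


def nearest_existing_role(proposed_entitlements):
    """Jaccard similarity of a proposed role against every existing role;
    returns (best role name or None, score rounded to 2 places)."""
    best_name, best_score = None, 0.0
    for name, ents in ROLES.items():
        union = proposed_entitlements | ents
        score = len(proposed_entitlements & ents) / len(union) if union else 0.0
        if score > best_score:
            best_name, best_score = name, score
    return best_name, round(best_score, 2)


def review_new_role(name, proposed_entitlements, threshold=0.5):
    """Slide 23 pre-check for the Role-Governance Board: a role that is
    SoD-conflicting by itself is rejected; one that overlaps heavily with an
    existing role is flagged as a merge candidate; otherwise it may be created
    once management approval is documented."""
    internal = sod_conflicts(proposed_entitlements)
    if internal:
        return ("reject", f"{name}: internally SoD-conflicting {internal}")
    nearest, score = nearest_existing_role(proposed_entitlements)
    if nearest is not None and score >= threshold:
        return ("merge_candidate", f"{name}: {score:.2f} overlap with '{nearest}'")
    return ("create", f"{name}: closest existing role {nearest} at {score:.2f}; "
                      "document Mgmt approval and signoff")


if __name__ == "__main__":
    print(evaluate_request(AccessRequest("alice", "ap_approver", ["ap_clerk"])))
    print(evaluate_request(AccessRequest("bob", "auditor", ["helpdesk"])))
    print(review_new_role("ap_clerk_v2", {"vendor.create", "invoice.enter", "ticket.update"}))
    print(review_new_role("payments_all", {"vendor.create", "payment.release"}))
```

The first request in the usage block is rejected because adding `ap_approver` to a user who already holds `ap_clerk` would combine both SoD pairs on one identity, which is the exact case the "Integrate SoD into design of (New) Roles" line on slide 7 is meant to prevent; the second proceeds to approval. The review function answers slide 23's "How Close is New Role to Existing Roles?" question numerically so the Board has a basis for deciding between merging into an existing role and creating a new one.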
• 24. Patrick Angel
Roles: Asst CISO / GRC‐Implementation Prog Mgr; Director PMO / Enterprise I/T Security‐Architect
Areas: R‐SAM / MetricStream / AVATIER (AIMS), COBIT Framework / ISO‐27002 Controls Testing
Education: Bachelors in Information Systems (MIS); Masters Business Administration (MBA)
Years of Experience: 20+ years in Information Systems; 15+ years of SDLC and Governance, Risk and Compliance; Hands‐on Software Developer, Application‐Testing, I‐T Auditing
Certifications and Associations include - (In-progress)
• 25. Get Started Now…
‘…Chance favors the prepared Mind’
www.RandomAccessTechnology.com (214) 826‐3812