SlideShare ist ein Scribd-Unternehmen logo

The RSA GRC Reference Architecture

E
EMC

This paper is a primer on the RSA GRC Reference Architecture, a visual representation of the GRC framework needed within an organization to meet today's governance, risk, and compliance needs. The architecture provides a starting vision of how an organization should view GRC, its guiding principles, and its final objectives.

TechnologieBusinessWirtschaft & Finanzen
1 von 12
Downloaden Sie, um offline zu lesen
The RSA GRC Reference Architecture Abstract This paper is a primer on the RSA GRC Reference Architecture – a visual representation of the GRC framework needed within an organization to meet today’s governance, risk and compliance needs. The architecture provides a starting vision of how an organization should view GRC, its guiding principles and its final objectives. Date: June 2013 Version: June 2013 Page 1
Contents Introduction to the RSA GRC Reference Architecture .................................................................................. 3 GRC’s Guiding Principles ............................................................................................................................... 3 The RSA GRC Reference Architecture ........................................................................................................... 5 Business Optimization............................................................................................................................... 6 The Value Layer ......................................................................................................................................... 6 The GRC Core ............................................................................................................................................ 6 Governance ........................................................................................................................................... 7 Risk ........................................................................................................................................................ 7 Compliance ........................................................................................................................................... 7 The Organizational Stack .......................................................................................................................... 7 Management ......................................................................................................................................... 7 Functions ............................................................................................................................................... 8 Operations ............................................................................................................................................ 8 Transactions and Infrastructure................................................................................................................ 9 The GRC Lifecycle ...................................................................................................................................... 9 Key Objectives of a GRC Architecture ......................................................................................................... 10 Conclusion ................................................................................................................................................... 11 Version: June 2013 Page 2
Introduction to the RSA GRC Reference Architecture Governance, Risk and Compliance (GRC) represents a business oriented approach to establishing ownership and accountability throughout the organization to improve decision making. Governance is the act of directing, controlling and evaluating the culture, policies, processes, laws, and institutions that define the structure by which organizations are directed and managed. Risk is the negative effect of uncertainty on achieving objectives; Risk Management is the coordinated activities to direct and control an organization to realize opportunities while managing negative events. Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as organizational policies and procedures. While these definitions may seem straightforward, establishing a GRC program within an organization is not a simple task. It is also not a new concept. Companies have been focused on improving compliance and managing risk for years. Since GRC programs have many moving parts, organizations are implementing an overarching vision of how things fit together to maximize value. This vision not only should clarify the objectives of a GRC program – but also give context to how the organization executes this strategic initiative. The RSA GRC Reference Architecture provides a simple illustration to bring context to the discussion. It can serve as a backdrop as an organization plans out its strategy and delivers the core value message to the executives or simply as a method to start the dialogue. GRC is a complex topic and while no illustration will completely sum up the many facets of the effort, the GRC Reference Architecture provides a foundation upon which to drive the conversation. GRC’s Guiding Principles Certain tenets should guide an organization’s strategy for governance, risk and compliance. These guiding principles should be the foundation of the strategy and be part of the fabric of the GRC program. A GRC strategy is not a one-time effort; it is the establishment of a cultural shift in how an organization conducts business. The GRC program must define the elements necessary for governance, risk and compliance for an organization to meet its strategic objectives. A one-time effort will not meet that demand. These principles must be ingrained into the GRC strategy:  Ownership. The organization needs to hold individuals responsible for their actions and empower them to positively impact the organization. Management of risk and compliance issues cannot just be thrown over the transom. This includes not only establishing executive roles but clear responsibilities down to the front line employee. Version: June 2013 Page 3
 Security and Peace of Mind. At the end of the day, good governance, strong risk management and effective compliance efforts should bring positive assurance to the executives, shareholders, employees and applicable regulatory bodies. Risk and compliance efforts should focus on “what keeps people awake at night” as well as the many threats that could hinder the organization from achieving its objectives.  Sustainability. GRC takes a persistent commitment to sustain the effort and achieve the strategic benefits. This has to be factored in when designing the program. For instance, while the effort to comply with an individual regulation may be at an acceptable level right now, the processes impacted by that regulation have a tendency to evolve and can quickly grow outside their original boundaries or intent. GRC must acknowledge this change and be considered a long term venture.  Consistency. One can think of GRC as a big playbook the organization uses to manage risks and compliance issues. The GRC program involves many different processes – from overarching enterprise processes to daily operational processes. The GRC architecture should bring order to this large effort and get employees on the same page with a common framework and strategy.  Proficiency. Once the business is executing using common frameworks and processes, the organization should then make sure that those efforts are as well-organized as possible as the organization becomes proficient in execution of risk and compliance management. GRC should invoke the concepts of continuous improvement and elimination of redundant efforts. Adjustments of processes to meet multiple goals can result in significant efficiency gains – generally more than initially estimated.  Balanced Effort and Reward. The GRC program should be an effort with long term balance between the rewards of embarking on the journey and the costs associated with the journey. Organizations need to be smart and calculated in the way, level or extent that GRC activities are implemented. Organizations should be thoughtful about the cost vs. benefit of each incremental step in the execution of a GRC strategy.  Agility. Given most organizations are in a constant state of motion, the GRC program must enable agile processes to react, respond and address changes to the business. Regulatory changes, new business opportunities, technology shifts and other factors will constantly barrage an organization and the risk and compliance implications must be managed in a manner that permits the business to adjust.  Transparency. Finally, the concept of transparency should permeate the GRC program. Transparency means delivering the right information to the right stakeholders within timeframes necessary to enable proper governance. This transparency extends to both internal and external stakeholders and includes overall visibility into the structure of the program and the activities documented and managed within the program such as the status of strategies, business processes, risks, controls, and compliance with internal and external obligations. It is through the transparency of the GRC program that positive assurance of its effectiveness is demonstrated. The bottom line for every organization is to make better and more consistent decisions across the enterprise that improves the likelihood that the organization will achieve its objectives. Along the way, Version: June 2013 Page 4
the organization becomes more certain that the activities managed within its GRC framework are aligned with the organization’s objectives. This positive assurance of effective governance is reflected in a greater understanding of:  where and how the organization is subject to risk,  the amount of the risk accepted by the business,  how risk-taking is aligned with the organization’s risk appetite,  how risk is not over or under controlled, and  processes that exist to ensure that changes in risk profile are being adequately monitored and anticipated. Along the way, the organization begins to find the equilibrium between risk taking and rewards; compliance spending and regulatory obligations; costs of security and the value of the assets and the other very important balancing acts challenging organizations today. The RSA GRC Reference Architecture The following illustration is the RSA GRC Reference Architecture: Figure 1: RSA GRC Reference Architecture Version: June 2013 Page 5
Business Optimization Starting at the top of the illustration, the end goal of any GRC program is Business Optimization. GRC is a means to an end – not the end itself. Management and the Board of Directors are focused on making decisions that are more likely to result in desired outcomes for the organization. The GRC program should be part of the mechanism that empowers executives to keep this attention on the growth, constant improvement and optimization of the business. GRC programs should enable executives to understand risks to make the decisions that will mitigate, reduce or avoid risks or exploit opportunities to gain strategic advantages and drive the organization forward. The GRC effort of an organization should strive towards this final objective – optimizing the efforts of the business to bring stronger stakeholder return and value. The Value Layer The Value Layer depicts the outputs of the GRC program that lead to this Business Optimization. GRC programs deliver Visibility, Efficiency, Accountability and Collaboration through reporting, process enablement, ownership and collective, integrated strategies. Visibility: The Board of Directors and executive management should be intimately involved in driving the overall vision for the GRC program. This vision should identify the necessary outputs needed to make the “big” decisions that ultimately drive the organization. The icon symbolizes the ability to connect the data together to see the overall picture and zoom in to track key risks or issues. Efficiency: Through common processes, aligned goals and defined objectives, the organization should be marching together to optimize risk and compliance processes. The efficiencies should manifest in tangible (e.g. time savings/cost reductions) and intangible (e.g. anecdotal evidence) benefits of improved operations as illustrated by the icon. Accountability: As the icon in the illustration denotes, the GRC program should make it evident who is stepping forward to own, manage, monitor and address risks and compliance issues. Establishing ownership and stewardship of risk and compliance is one of the most important values of the GRC program. Collaboration: Collaboration is not just getting people to meetings to discuss the issues but also put the pieces together to see the big picture. The icon denotes that collectively, the organization can assemble a multi-faceted, organized view of risk and compliance, identify gaps and fill them in appropriately. The GRC Core Along the top of the “cylinder” in the illustration, represented by the red disc, are the core GRC Processes and Capabilities. Core GRC Processes are the large, end-to-end, multi-faceted processes that facilitate the GRC program and enable the change within business operations needed to establish governance, manage risk and meet compliance obligations. For example, Policy Management – how policies are documented, rationalized and communicated – should be part of each domain and would be placed in the “Governance” layer of GRC. These Processes provide the frameworks and guidance across Version: June 2013 Page 6
the functions to build common approaches and consistency. The RSA GRC Reference Architecture uses the following as definitions for Core GRC Processes. Governance Policy Management – establishment of corporate policies, standards and supporting operating procedures based on business and regulatory requirements. Enterprise Management – management of organizational assets, relationships and hierarchy. Strategy Management – management of activities that connect strategic objectives to business plans and measures performance toward those objectives while factoring in risks and compliance obligations. Risk Enterprise Risk Management- establishment of a common risk management approach and framework to identify, catalog and monitor risks to the business. Third Party Management – management of all external parties that support business operations. Event Management – management of all situations (incidents, business disruptions, crises, etc.) that could adversely impact business operations. Compliance Compliance Management – management of activities related to measuring compliance of business operations to defined business practices and standards including adherence to external legal and regulatory obligations. Audit Management – management of programs that provide an independent or objective measurement of the business operations and execution The Organizational Stack The cylinder within the Architecture depicts the multiple layers of structure and processes of the organization. One core understanding in GRC is that processes are not executed in a vacuum and may depend heavily on each other. For example, Risk Management cannot be discussed without some inclusion of controls based on corporate policy. Subsequently, the Compliance Management process should focus on those controls and thus inform the Risk Management process on the state of the controls. The Organizational Stack should be viewed as representing a continuum of people, strategies, methodologies and processes that work together for greater benefit. Management The Management layer represents the executive level of the organization and the overall driving strategy of the GRC program. Management in this context depicts the part of the organization that cuts across the company and represents the major work streams that are common across each function. Management – through common objectives, defined roles and responsibilities and shared technology enablers – guide business processes in the framework of the overall program goals. Version: June 2013 Page 7
Functions The Functions layer represents the different business activities within the organization that will drive and benefit from a cohesive GRC strategy. Every organization may have different definitions of this layer as multiple parts of the business will play a role in the GRC program and the Functions included in the illustration are indicative of common segments of the business. The dotted lines in the illustration depict the fact that GRC is breaking down the silos that traditionally have remained separate or, at a minimum, are disconnected. For purposes of this document, three major functions will be used as examples:  Information technology  Finance  Legal The Information Technology function focuses on the business platforms and systems that support the overall technological infrastructure of the organization. Governance aspects of this domain include IT policies and procedures, roles and responsibilities for IT staff and the overall strategy to provide IT services. Key risks include data security, system reliability and capacity, disaster recovery and IT service delivery. Compliance aspects include the various data security regulations such as HIPAA or GLBA, support for financial systems for Sarbanes-Oxley (SOX) and the variety of individual industry requirements. The Finance function focuses on the financial aspects of the organization including financial reporting and monitoring for impacts to the organization’s bottom line. Governance aspects of this domain include financial reporting policies and procedures, accounting practices and roles and responsibilities for accounting and finance related employees. Key risks include any risk that can impact revenue and the financial standing or viability of the organization as well as financial reporting risks. Compliance aspects include adherence to accounting standards and financial reporting requirements including SOX. The Legal function focuses on the adherence to the legal obligations of the organization as defined by laws, regulations and industry standards. Governance aspects include the structure of the legal counsel, regulations review and research and interaction between the business and external regulatory parties. Key risks include discovery acts or other litigation related activities, class action suits or any other action that could result in the organization being in “legal” hot water. Compliance activities are many as the legal domain is one of the key components to identify and interpret regulatory requirements for the organization and ensure proper practices are defined for the business operations. Operations The Operations layer represents the execution elements that assess and assign requirements to individual stakeholders, perform operational tasks, identify and respond to risk and compliance issues and promote an overall culture of accountability and code of acceptable conduct. As the bottom line in the chain of processes, activities within the processes will be guided by the Management and Functions. Version: June 2013 Page 8
Transactions and Infrastructure Finally Transactions and Infrastructure cut across the bottom of the architecture and symbolize the daily operational events and technical fabric of the organization. Transactions signifies the importance of the millions of individual events that could impact the state of the business. The organization must be mindful of all of the types of events that could impact the organization such as a change in a contract, a modification to a law, IT system and security events or even the establishment of a business relationship. Infrastructure denotes the vast physical and technical foundation of the organization. Companies today depend so much on the technical infrastructure that any business process is going to have some touch point with technology. These elements sit below the processes in the architecture since risk and compliance will be directly impacted by individual transactions or components of the infrastructure. The GRC Lifecycle The arrows within the cylinder denote the GRC Lifecycle. Outputs from Management level GRC processes, such as policies, controls and guidance, will drive functional and operational processes. Inputs into GRC processes from the day-to-day business (denoted in the Transactions and Infrastructure) will be collected, aggregated, summarized and “bubbled up” to provide information to management to support business decisions. The arrows depict on ongoing process that refines, improves and optimizes operations based on this flow of information. As GRC guides operational processes, data from operational processes informs “upwards” for management visibility. Based on that data, GRC processes should then help adjust and improve the operations. For example, policies and control requirements will flow from a Core GRC processes such as Policy Management, and define management expectations for business operations. Then, compliance to that guidance, and the state of risk associated to the guidance at any given time will be dependent on many factors – many of them tied to operational processes, individual transactions and infrastructure – that will flow back into the GRC program. For example,  The level of compliance to ethics obligations is dependent on actions taken by employees on a daily basis within operational processes.  The level of compliance to financial regulations will be dependent on transactions processed via finance systems.  The level of IT Security risk is dependent on the security events occurring on IT systems. As Management sees the information flowing back “up the stack”, the organization can then adjust the business to close gaps, better utilize resources, build efficiencies or improve effective operations. This constant flow of information drives the Business Optimization that is the overall goal of the program. Version: June 2013 Page 9
Key Objectives of a GRC Architecture The GRC Reference Architecture depicts that there will be many moving parts to the overall program. Any effort that has so many critical objectives is bound to have multiple facets. This underscores the need for a strategic approach. Additionally, GRC is touching many parts of the organization. The web of stakeholders with varying requirements introduces a complex tug-of-war with opposing priorities. However, the scenario is not so grim. Significant redundancy in requirements, technologies and processes can be addressed by a common architecture and process approach to GRC. To manage the web of stakeholders, processes and objectives, we can use some common elements to guide our GRC strategy:  Unified. The GRC architecture should strive to bring together related and common business activities into one cohesive approach. Most organizations have built governance processes within specific stovepipes in the organization. For instance, for SOX compliance, the financial organization has defined specific controls for financial reporting and the process is driven within the domain of Finance. With an enterprise approach, the organization can learn from this effort and apply control approaches across the organization to reduce risk and provide cross-discipline input into GRC efforts. The GRC program provides a structure for conversations to create a common language across the company for risk and compliance.  Automated. Automation is critical to any GRC architecture. Due to the volume of data and information (represented by the Transactions and Infrastructure) involved in the risk and compliance processes, manual administration is impossible to contemplate. Automation will come in many forms – from correlating business data into consolidated views to automating risk and compliance management processes. Automation will also drive efficiencies and consistency throughout the program.  Information Integration. A lot of time is wasted in connecting the dots across multiple risk and compliance efforts. For example, correlating manual controls during the financial reporting process with access control rules in the financial applications is a difficult task. The Enterprise GRC architectures should look to connect those dots in a meaningful way. In this example, understanding who can access financial data can add a new dimension to understanding manual procedural controls.  End to End. Many times organizations will start or stop risk and compliance efforts mid-stream. For example, the organization may have identified security configurations for IT systems but fail to follow that through to look at the actual deployment strategies utilized within IT or the audit process used by internal audit to assess IT platforms. When an effort is initiated within an Enterprise GRC architecture, it has to be viewed from start to finish and the resulting approach has to be an end-to-end cycle that covers the risk or compliance requirement from inception to resolution.  Easy to Use. GRC tasks are not generally the sole focus of the employee. Very few employees will or should have GRC in their job titles. An accounts payable clerk is just that – an accounts payable clerk – not a GRC accounts payable clerk. The Enterprise GRC architecture should account for the fact that controls must be inserted into the daily tasks of the employee in a way that allows him or her to get their job done without worrying about some GRC overhead or Version: June 2013 Page 10
having to check the GRC box. The Enterprise GRC architecture must talk to the employees in their own daily vernacular and make the tasks actionable and clear.  Flexible. It does not take much imagination or experience to know that the core drivers of GRC involve many changes and transformations of business over time. The Enterprise GRC architecture must be adaptive in order to evolve as the business evolves. Furthermore, business users must be empowered to make changes without relying on costly, time-intensive reengineering or re-development. As an organization contemplates a comprehensive GRC Strategy – or even a portion of the GRC universe such as Enterprise Risk Management – these objectives should be embedded into the efforts. Core Processes, as depicted in the Reference Architecture, should complement and supplement each other and ultimately, come together into a cohesive strategy. Conclusion Governance, Risk and Compliance is an evolving field of focus for organizations today. In the past few years, it has grown in both criticality and value to organizations looking to deal with shifting business environments. The definition of GRC has matured in response to the changing regulatory and corporate governance needs. GRC initiatives can impact the entire the organization and has been a lightning rod to pull together functions within an organization that rarely collaborated in the past. The RSA GRC Reference Architecture provides a common illustration to discuss GRC strategies, articulate the many different levels and objectives of the initiative and give context for the high level vision. Version: June 2013 Page 11
CONTACT US To learn more about how EMC products, services, and solutions can help solve your business and IT challenges, contact your local representative or authorized reseller—or visit us at www.EMC.com/rsa www.EMC.com/rsa EMC2, EMC, the EMC logo, RSA and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. © Copyright 2012 EMC Corporation. All rights reserved. Published in the USA. <insert date MM/YY> EMC Perspective <insert part number as H####> EMC believes the information in this document is accurate as of its publication date. The information is subject to change without notice. Version: June 2013 Page 12

Empfohlen

Pm600 1103 a-02-schwappach-loren-p4-t4
Pm600 1103 a-02-schwappach-loren-p4-t4Pm600 1103 a-02-schwappach-loren-p4-t4
Pm600 1103 a-02-schwappach-loren-p4-t4Loren Schwappach
 
Topic3 2
Topic3 2Topic3 2
Topic3 2kim rae KI
 
Strategic long question1 (1) (1)
Strategic long question1 (1) (1)Strategic long question1 (1) (1)
Strategic long question1 (1) (1)Dr.Trilochan Nayak
 
Strategic management Notes
Strategic management Notes Strategic management Notes
Strategic management Notes Nikita Sharma
 
oracle-hbr-campaign-brochure-eb3-v7-2288406
oracle-hbr-campaign-brochure-eb3-v7-2288406oracle-hbr-campaign-brochure-eb3-v7-2288406
oracle-hbr-campaign-brochure-eb3-v7-2288406Mike Metcalf
 
Risk Management Overview
Risk Management OverviewRisk Management Overview
Risk Management OverviewFlevy.com Best Practices
 
Strategic Knowledge Management for Monitoring and Evaluation Teams
Strategic Knowledge Management for Monitoring and Evaluation TeamsStrategic Knowledge Management for Monitoring and Evaluation Teams
Strategic Knowledge Management for Monitoring and Evaluation TeamsLeah D. Wyatt
 
Mezzanine Strategic &amp; Tactical Planning White Paper
Mezzanine Strategic &amp; Tactical Planning White PaperMezzanine Strategic &amp; Tactical Planning White Paper
Mezzanine Strategic &amp; Tactical Planning White Papermeredithlow
 

Empfohlen

Pm600 1103 a-02-schwappach-loren-p4-t4
Pm600 1103 a-02-schwappach-loren-p4-t4Pm600 1103 a-02-schwappach-loren-p4-t4
Pm600 1103 a-02-schwappach-loren-p4-t4Loren Schwappach
 
Topic3 2
Topic3 2Topic3 2
Topic3 2kim rae KI
 
Strategic long question1 (1) (1)
Strategic long question1 (1) (1)Strategic long question1 (1) (1)
Strategic long question1 (1) (1)Dr.Trilochan Nayak
 
Strategic management Notes
Strategic management Notes Strategic management Notes
Strategic management Notes Nikita Sharma
 
oracle-hbr-campaign-brochure-eb3-v7-2288406
oracle-hbr-campaign-brochure-eb3-v7-2288406oracle-hbr-campaign-brochure-eb3-v7-2288406
oracle-hbr-campaign-brochure-eb3-v7-2288406Mike Metcalf
 
Risk Management Overview
Risk Management OverviewRisk Management Overview
Risk Management OverviewFlevy.com Best Practices
 
Strategic Knowledge Management for Monitoring and Evaluation Teams
Strategic Knowledge Management for Monitoring and Evaluation TeamsStrategic Knowledge Management for Monitoring and Evaluation Teams
Strategic Knowledge Management for Monitoring and Evaluation TeamsLeah D. Wyatt
 
Mezzanine Strategic &amp; Tactical Planning White Paper
Mezzanine Strategic &amp; Tactical Planning White PaperMezzanine Strategic &amp; Tactical Planning White Paper
Mezzanine Strategic &amp; Tactical Planning White Papermeredithlow
 
Proposal To Chairman For Risk Management Services
Proposal To Chairman For Risk Management ServicesProposal To Chairman For Risk Management Services
Proposal To Chairman For Risk Management ServicesRahul Bhan (CA, CIA, MBA)
 
Proposal To Chairman For Risk Management Services
Proposal To Chairman For Risk Management ServicesProposal To Chairman For Risk Management Services
Proposal To Chairman For Risk Management ServicesRahul Bhan (CA, CIA, MBA)
 
Strtegic management
Strtegic managementStrtegic management
Strtegic managementAshish Gupta
 
Iso 9001 2015 clause 4 context of the organization
Iso 9001 2015 clause 4 context of the organizationIso 9001 2015 clause 4 context of the organization
Iso 9001 2015 clause 4 context of the organizationPratap Biswas
 
Evaluating performance management systems
Evaluating performance management systemsEvaluating performance management systems
Evaluating performance management systemstunbugang
 
Project prioritization becomes more strategic
Project prioritization becomes more strategicProject prioritization becomes more strategic
Project prioritization becomes more strategici-nexus
 
1307526415145 corporate strategy--andrews
1307526415145 corporate strategy--andrews1307526415145 corporate strategy--andrews
1307526415145 corporate strategy--andrewsKushal Mishra
 
Strategy Execution - Introduction to Strategy Performance Management
Strategy Execution - Introduction to Strategy Performance ManagementStrategy Execution - Introduction to Strategy Performance Management
Strategy Execution - Introduction to Strategy Performance ManagementLeah Williams
 
Strategicmanagementandstrategicplanningprocess chapter
Strategicmanagementandstrategicplanningprocess chapterStrategicmanagementandstrategicplanningprocess chapter
Strategicmanagementandstrategicplanningprocess chapterronieADUANA2
 
Kuis 1, an overview of strategic management
Kuis 1, an overview of strategic managementKuis 1, an overview of strategic management
Kuis 1, an overview of strategic managementwinniewien
 
Handout linking-the-ceos--strategic-plan-to-the-ends
Handout linking-the-ceos--strategic-plan-to-the-endsHandout linking-the-ceos--strategic-plan-to-the-ends
Handout linking-the-ceos--strategic-plan-to-the-endsAmbrosius Tierspoor
 
Breakthrough Trust Overview
Breakthrough Trust OverviewBreakthrough Trust Overview
Breakthrough Trust OverviewMark_Rivers
 
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...Flevy.com Best Practices
 
M&AI Seven Tenets Jul14
M&AI Seven Tenets Jul14M&AI Seven Tenets Jul14
M&AI Seven Tenets Jul14Mike Sum
 
Unit i intro
Unit i introUnit i intro
Unit i introDeborah Sharon
 
Balanced scorecard orientation (intro public)
Balanced scorecard orientation (intro public)Balanced scorecard orientation (intro public)
Balanced scorecard orientation (intro public)ParCon Consulting, LLC
 
describe the vital role managers play in implementing strategies to achieve o...
describe the vital role managers play in implementing strategies to achieve o...describe the vital role managers play in implementing strategies to achieve o...
describe the vital role managers play in implementing strategies to achieve o...ramil santocildes
 
Mba iii (business policy and strategic analysis)
Mba iii (business policy and strategic analysis)Mba iii (business policy and strategic analysis)
Mba iii (business policy and strategic analysis)Ankit Rautela
 
Presentation 2
Presentation 2Presentation 2
Presentation 2MadhumithaPrakash2
 
Why Computational/Applied Mathematics?
Why Computational/Applied Mathematics?Why Computational/Applied Mathematics?
Why Computational/Applied Mathematics?Jon Ernstberger
 
The Mathematics of RSA Encryption
The Mathematics of RSA EncryptionThe Mathematics of RSA Encryption
The Mathematics of RSA EncryptionNathan F. Dunn
 
A NETWORK SECURITY APPROACH USING RSA.
A NETWORK SECURITY APPROACH USING RSA.A NETWORK SECURITY APPROACH USING RSA.
A NETWORK SECURITY APPROACH USING RSA.Tuhin_Das
 

Weitere ähnliche Inhalte

Was ist angesagt?

Proposal To Chairman For Risk Management Services
Proposal To Chairman For Risk Management ServicesProposal To Chairman For Risk Management Services
Proposal To Chairman For Risk Management ServicesRahul Bhan (CA, CIA, MBA)
 
Proposal To Chairman For Risk Management Services
Proposal To Chairman For Risk Management ServicesProposal To Chairman For Risk Management Services
Proposal To Chairman For Risk Management ServicesRahul Bhan (CA, CIA, MBA)
 
Strtegic management
Strtegic managementStrtegic management
Strtegic managementAshish Gupta
 
Iso 9001 2015 clause 4 context of the organization
Iso 9001 2015 clause 4 context of the organizationIso 9001 2015 clause 4 context of the organization
Iso 9001 2015 clause 4 context of the organizationPratap Biswas
 
Evaluating performance management systems
Evaluating performance management systemsEvaluating performance management systems
Evaluating performance management systemstunbugang
 
Project prioritization becomes more strategic
Project prioritization becomes more strategicProject prioritization becomes more strategic
Project prioritization becomes more strategici-nexus
 
1307526415145 corporate strategy--andrews
1307526415145 corporate strategy--andrews1307526415145 corporate strategy--andrews
1307526415145 corporate strategy--andrewsKushal Mishra
 
Strategy Execution - Introduction to Strategy Performance Management
Strategy Execution - Introduction to Strategy Performance ManagementStrategy Execution - Introduction to Strategy Performance Management
Strategy Execution - Introduction to Strategy Performance ManagementLeah Williams
 
Strategicmanagementandstrategicplanningprocess chapter
Strategicmanagementandstrategicplanningprocess chapterStrategicmanagementandstrategicplanningprocess chapter
Strategicmanagementandstrategicplanningprocess chapterronieADUANA2
 
Kuis 1, an overview of strategic management
Kuis 1, an overview of strategic managementKuis 1, an overview of strategic management
Kuis 1, an overview of strategic managementwinniewien
 
Handout linking-the-ceos--strategic-plan-to-the-ends
Handout linking-the-ceos--strategic-plan-to-the-endsHandout linking-the-ceos--strategic-plan-to-the-ends
Handout linking-the-ceos--strategic-plan-to-the-endsAmbrosius Tierspoor
 
Breakthrough Trust Overview
Breakthrough Trust OverviewBreakthrough Trust Overview
Breakthrough Trust OverviewMark_Rivers
 
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...Flevy.com Best Practices
 
M&AI Seven Tenets Jul14
M&AI Seven Tenets Jul14M&AI Seven Tenets Jul14
M&AI Seven Tenets Jul14Mike Sum
 
Balanced scorecard orientation (intro public)
Balanced scorecard orientation (intro public)Balanced scorecard orientation (intro public)
Balanced scorecard orientation (intro public)ParCon Consulting, LLC
 
describe the vital role managers play in implementing strategies to achieve o...
describe the vital role managers play in implementing strategies to achieve o...describe the vital role managers play in implementing strategies to achieve o...
describe the vital role managers play in implementing strategies to achieve o...ramil santocildes
 
Mba iii (business policy and strategic analysis)
Mba iii (business policy and strategic analysis)Mba iii (business policy and strategic analysis)
Mba iii (business policy and strategic analysis)Ankit Rautela
 

Was ist angesagt? (19)

Proposal To Chairman For Risk Management Services
Proposal To Chairman For Risk Management ServicesProposal To Chairman For Risk Management Services
Proposal To Chairman For Risk Management Services
 
Proposal To Chairman For Risk Management Services
Proposal To Chairman For Risk Management ServicesProposal To Chairman For Risk Management Services
Proposal To Chairman For Risk Management Services
 
Strtegic management
Strtegic managementStrtegic management
Strtegic management
 
Iso 9001 2015 clause 4 context of the organization
Iso 9001 2015 clause 4 context of the organizationIso 9001 2015 clause 4 context of the organization
Iso 9001 2015 clause 4 context of the organization
 
Evaluating performance management systems
Evaluating performance management systemsEvaluating performance management systems
Evaluating performance management systems
 
Project prioritization becomes more strategic
Project prioritization becomes more strategicProject prioritization becomes more strategic
Project prioritization becomes more strategic
 
1307526415145 corporate strategy--andrews
1307526415145 corporate strategy--andrews1307526415145 corporate strategy--andrews
1307526415145 corporate strategy--andrews
 
Strategy Execution - Introduction to Strategy Performance Management
Strategy Execution - Introduction to Strategy Performance ManagementStrategy Execution - Introduction to Strategy Performance Management
Strategy Execution - Introduction to Strategy Performance Management
 
Strategicmanagementandstrategicplanningprocess chapter
Strategicmanagementandstrategicplanningprocess chapterStrategicmanagementandstrategicplanningprocess chapter
Strategicmanagementandstrategicplanningprocess chapter
 
Kuis 1, an overview of strategic management
Kuis 1, an overview of strategic managementKuis 1, an overview of strategic management
Kuis 1, an overview of strategic management
 
Handout linking-the-ceos--strategic-plan-to-the-ends
Handout linking-the-ceos--strategic-plan-to-the-endsHandout linking-the-ceos--strategic-plan-to-the-ends
Handout linking-the-ceos--strategic-plan-to-the-ends
 
Breakthrough Trust Overview
Breakthrough Trust OverviewBreakthrough Trust Overview
Breakthrough Trust Overview
 
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
 
M&AI Seven Tenets Jul14
M&AI Seven Tenets Jul14M&AI Seven Tenets Jul14
M&AI Seven Tenets Jul14
 
Unit i intro
Unit i introUnit i intro
Unit i intro
 
Balanced scorecard orientation (intro public)
Balanced scorecard orientation (intro public)Balanced scorecard orientation (intro public)
Balanced scorecard orientation (intro public)
 
describe the vital role managers play in implementing strategies to achieve o...
describe the vital role managers play in implementing strategies to achieve o...describe the vital role managers play in implementing strategies to achieve o...
describe the vital role managers play in implementing strategies to achieve o...
 
Mba iii (business policy and strategic analysis)
Mba iii (business policy and strategic analysis)Mba iii (business policy and strategic analysis)
Mba iii (business policy and strategic analysis)
 
Presentation 2
Presentation 2Presentation 2
Presentation 2
 

Andere mochten auch

Why Computational/Applied Mathematics?
Why Computational/Applied Mathematics?Why Computational/Applied Mathematics?
Why Computational/Applied Mathematics?Jon Ernstberger
 
The Mathematics of RSA Encryption
The Mathematics of RSA EncryptionThe Mathematics of RSA Encryption
The Mathematics of RSA EncryptionNathan F. Dunn
 
A NETWORK SECURITY APPROACH USING RSA.
A NETWORK SECURITY APPROACH USING RSA.A NETWORK SECURITY APPROACH USING RSA.
A NETWORK SECURITY APPROACH USING RSA.Tuhin_Das
 
Computer Graphics Introduction
Computer Graphics IntroductionComputer Graphics Introduction
Computer Graphics IntroductionGhaffar Khan
 
Introduction to computer graphics
Introduction to computer graphicsIntroduction to computer graphics
Introduction to computer graphicsPartnered Health
 
Digital Signature Recognition using RSA Algorithm
Digital Signature Recognition using RSA AlgorithmDigital Signature Recognition using RSA Algorithm
Digital Signature Recognition using RSA AlgorithmVinayak Raja
 
Linear Algebra: Application to Chemistry
Linear Algebra: Application to ChemistryLinear Algebra: Application to Chemistry
Linear Algebra: Application to Chemistryrasen58
 
Educational research need concept and types by purpose
Educational research need concept and types by purposeEducational research need concept and types by purpose
Educational research need concept and types by purposeInam Jahangir
 
Introduction to Computer graphics
Introduction to Computer graphics Introduction to Computer graphics
Introduction to Computer graphics PrathimaBaliga
 
Applications of linear algebra
Applications of linear algebraApplications of linear algebra
Applications of linear algebraPrerak Trivedi
 
Network Security
Network SecurityNetwork Security
Network SecurityMAJU
 
CBSE XII Boolean Algebra
CBSE XII Boolean AlgebraCBSE XII Boolean Algebra
CBSE XII Boolean AlgebraGuru Ji
 
TECHNIQUES TO KEEP MEN AND WOMEN YOUNG, SEXY AND HAPPY FOR PEACE AND PROSPERI...
TECHNIQUES TO KEEP MEN AND WOMEN YOUNG, SEXY AND HAPPY FOR PEACE AND PROSPERI...TECHNIQUES TO KEEP MEN AND WOMEN YOUNG, SEXY AND HAPPY FOR PEACE AND PROSPERI...
TECHNIQUES TO KEEP MEN AND WOMEN YOUNG, SEXY AND HAPPY FOR PEACE AND PROSPERI...Dr. Raju M. Mathew
 

Andere mochten auch (20)

Why Computational/Applied Mathematics?
Why Computational/Applied Mathematics?Why Computational/Applied Mathematics?
Why Computational/Applied Mathematics?
 
The Mathematics of RSA Encryption
The Mathematics of RSA EncryptionThe Mathematics of RSA Encryption
The Mathematics of RSA Encryption
 
A NETWORK SECURITY APPROACH USING RSA.
A NETWORK SECURITY APPROACH USING RSA.A NETWORK SECURITY APPROACH USING RSA.
A NETWORK SECURITY APPROACH USING RSA.
 
Computer Graphics Introduction
Computer Graphics IntroductionComputer Graphics Introduction
Computer Graphics Introduction
 
SSL
SSLSSL
SSL
 
Introduction to computer graphics
Introduction to computer graphicsIntroduction to computer graphics
Introduction to computer graphics
 
Digital Signature Recognition using RSA Algorithm
Digital Signature Recognition using RSA AlgorithmDigital Signature Recognition using RSA Algorithm
Digital Signature Recognition using RSA Algorithm
 
Linear Algebra: Application to Chemistry
Linear Algebra: Application to ChemistryLinear Algebra: Application to Chemistry
Linear Algebra: Application to Chemistry
 
RSA algorithm
RSA algorithmRSA algorithm
RSA algorithm
 
Rsa Algorithm
Rsa AlgorithmRsa Algorithm
Rsa Algorithm
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
Educational research need concept and types by purpose
Educational research need concept and types by purposeEducational research need concept and types by purpose
Educational research need concept and types by purpose
 
BOOLEAN ALGEBRA & LOGIC GATE
BOOLEAN ALGEBRA & LOGIC GATEBOOLEAN ALGEBRA & LOGIC GATE
BOOLEAN ALGEBRA & LOGIC GATE
 
Introduction to Computer graphics
Introduction to Computer graphics Introduction to Computer graphics
Introduction to Computer graphics
 
Applications of linear algebra
Applications of linear algebraApplications of linear algebra
Applications of linear algebra
 
Boolean algebra
Boolean algebraBoolean algebra
Boolean algebra
 
Network Security
Network SecurityNetwork Security
Network Security
 
CBSE XII Boolean Algebra
CBSE XII Boolean AlgebraCBSE XII Boolean Algebra
CBSE XII Boolean Algebra
 
TECHNIQUES TO KEEP MEN AND WOMEN YOUNG, SEXY AND HAPPY FOR PEACE AND PROSPERI...
TECHNIQUES TO KEEP MEN AND WOMEN YOUNG, SEXY AND HAPPY FOR PEACE AND PROSPERI...TECHNIQUES TO KEEP MEN AND WOMEN YOUNG, SEXY AND HAPPY FOR PEACE AND PROSPERI...
TECHNIQUES TO KEEP MEN AND WOMEN YOUNG, SEXY AND HAPPY FOR PEACE AND PROSPERI...
 

Ähnlich wie The RSA GRC Reference Architecture

Insights on grc grc technology au1488
Insights on grc grc technology au1488Insights on grc grc technology au1488
Insights on grc grc technology au1488Ashwin Kumar
 
A New Era of Compliance: Innovations in ServiceNow GRC 
A New Era of Compliance: Innovations in ServiceNow GRC A New Era of Compliance: Innovations in ServiceNow GRC 
A New Era of Compliance: Innovations in ServiceNow GRC Aelum Consulting
 
13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy
13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy
13 Top GRC Tools for an Integrated Governance, Risk and Compliance StrategyQuekelsBaro
 
Governance Risk Compliance Framework.pptx
Governance Risk Compliance Framework.pptxGovernance Risk Compliance Framework.pptx
Governance Risk Compliance Framework.pptxIsorobot
 
An industrial approach to risk and control self-assessments
An industrial approach to risk and control self-assessmentsAn industrial approach to risk and control self-assessments
An industrial approach to risk and control self-assessmentsGrant Thornton LLP
 
Exploring the Impact of Governance Risk and Compliance
Exploring the Impact of Governance Risk and ComplianceExploring the Impact of Governance Risk and Compliance
Exploring the Impact of Governance Risk and ComplianceINTERCERT
 
GRC_Strategic_Agenda__The_Value_Proposition_of_Goverance,_Risk,_and_Compliance__
GRC_Strategic_Agenda__The_Value_Proposition_of_Goverance,_Risk,_and_Compliance__GRC_Strategic_Agenda__The_Value_Proposition_of_Goverance,_Risk,_and_Compliance__
GRC_Strategic_Agenda__The_Value_Proposition_of_Goverance,_Risk,_and_Compliance__susanta subudhi
 
GRC_Strategic_Agenda__The_Value_Proposition_of_Goverance,_Risk,_and_Compliance__
GRC_Strategic_Agenda__The_Value_Proposition_of_Goverance,_Risk,_and_Compliance__GRC_Strategic_Agenda__The_Value_Proposition_of_Goverance,_Risk,_and_Compliance__
GRC_Strategic_Agenda__The_Value_Proposition_of_Goverance,_Risk,_and_Compliance__susanta subudhi
 
Building The Case For Supplier Relationship Management
Building The Case For Supplier Relationship ManagementBuilding The Case For Supplier Relationship Management
Building The Case For Supplier Relationship ManagementSource One Management Services
 
138 مبادرة #تواصل_تطوير المحاضرة ال 138 من المبادرة دكتور مهندس / أكرم حسن اس...
138 مبادرة #تواصل_تطوير المحاضرة ال 138 من المبادرة دكتور مهندس / أكرم حسن اس...138 مبادرة #تواصل_تطوير المحاضرة ال 138 من المبادرة دكتور مهندس / أكرم حسن اس...
138 مبادرة #تواصل_تطوير المحاضرة ال 138 من المبادرة دكتور مهندس / أكرم حسن اس...Egyptian Engineers Association
 
Internal Audit’s Evolving Role in Corporate GRC Strategy
Internal Audit’s Evolving Role in Corporate GRC StrategyInternal Audit’s Evolving Role in Corporate GRC Strategy
Internal Audit’s Evolving Role in Corporate GRC StrategyDavid Fernandes
 
7 Grc Myths Webinar 20110127 Final (2)
7 Grc Myths Webinar 20110127 Final (2)7 Grc Myths Webinar 20110127 Final (2)
7 Grc Myths Webinar 20110127 Final (2)GBBLUME
 
Montana-Paula-Krecicki
Montana-Paula-KrecickiMontana-Paula-Krecicki
Montana-Paula-KrecickiDaniel Paula
 
What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance BOC Group
 
Integrc: Turning GRC vision into reality
Integrc: Turning GRC vision into realityIntegrc: Turning GRC vision into reality
Integrc: Turning GRC vision into realityIntegrc
 
GRC Strategies in a Business_ Trends and Challenges.pdf
GRC Strategies in a Business_ Trends and Challenges.pdfGRC Strategies in a Business_ Trends and Challenges.pdf
GRC Strategies in a Business_ Trends and Challenges.pdfbasilmph
 

Ähnlich wie The RSA GRC Reference Architecture (20)

Integrated_GRC
Integrated_GRCIntegrated_GRC
Integrated_GRC
 
Insights on grc grc technology au1488
Insights on grc grc technology au1488Insights on grc grc technology au1488
Insights on grc grc technology au1488
 
GRC.docx
GRC.docxGRC.docx
GRC.docx
 
A New Era of Compliance: Innovations in ServiceNow GRC 
A New Era of Compliance: Innovations in ServiceNow GRC A New Era of Compliance: Innovations in ServiceNow GRC 
A New Era of Compliance: Innovations in ServiceNow GRC 
 
13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy
13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy
13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy
 
task 1
task 1task 1
task 1
 
Governance Risk Compliance Framework.pptx
Governance Risk Compliance Framework.pptxGovernance Risk Compliance Framework.pptx
Governance Risk Compliance Framework.pptx
 
An industrial approach to risk and control self-assessments
An industrial approach to risk and control self-assessmentsAn industrial approach to risk and control self-assessments
An industrial approach to risk and control self-assessments
 
Exploring the Impact of Governance Risk and Compliance
Exploring the Impact of Governance Risk and ComplianceExploring the Impact of Governance Risk and Compliance
Exploring the Impact of Governance Risk and Compliance
 
GRC_Strategic_Agenda__The_Value_Proposition_of_Goverance,_Risk,_and_Compliance__
GRC_Strategic_Agenda__The_Value_Proposition_of_Goverance,_Risk,_and_Compliance__GRC_Strategic_Agenda__The_Value_Proposition_of_Goverance,_Risk,_and_Compliance__
GRC_Strategic_Agenda__The_Value_Proposition_of_Goverance,_Risk,_and_Compliance__
 
GRC_Strategic_Agenda__The_Value_Proposition_of_Goverance,_Risk,_and_Compliance__
GRC_Strategic_Agenda__The_Value_Proposition_of_Goverance,_Risk,_and_Compliance__GRC_Strategic_Agenda__The_Value_Proposition_of_Goverance,_Risk,_and_Compliance__
GRC_Strategic_Agenda__The_Value_Proposition_of_Goverance,_Risk,_and_Compliance__
 
Building The Case For Supplier Relationship Management
Building The Case For Supplier Relationship ManagementBuilding The Case For Supplier Relationship Management
Building The Case For Supplier Relationship Management
 
138 مبادرة #تواصل_تطوير المحاضرة ال 138 من المبادرة دكتور مهندس / أكرم حسن اس...
138 مبادرة #تواصل_تطوير المحاضرة ال 138 من المبادرة دكتور مهندس / أكرم حسن اس...138 مبادرة #تواصل_تطوير المحاضرة ال 138 من المبادرة دكتور مهندس / أكرم حسن اس...
138 مبادرة #تواصل_تطوير المحاضرة ال 138 من المبادرة دكتور مهندس / أكرم حسن اس...
 
Internal Audit’s Evolving Role in Corporate GRC Strategy
Internal Audit’s Evolving Role in Corporate GRC StrategyInternal Audit’s Evolving Role in Corporate GRC Strategy
Internal Audit’s Evolving Role in Corporate GRC Strategy
 
7 Grc Myths Webinar 20110127 Final (2)
7 Grc Myths Webinar 20110127 Final (2)7 Grc Myths Webinar 20110127 Final (2)
7 Grc Myths Webinar 20110127 Final (2)
 
Montana-Paula-Krecicki
Montana-Paula-KrecickiMontana-Paula-Krecicki
Montana-Paula-Krecicki
 
Auditing your grc programs
Auditing your grc programsAuditing your grc programs
Auditing your grc programs
 
What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance
 
Integrc: Turning GRC vision into reality
Integrc: Turning GRC vision into realityIntegrc: Turning GRC vision into reality
Integrc: Turning GRC vision into reality
 
GRC Strategies in a Business_ Trends and Challenges.pdf
GRC Strategies in a Business_ Trends and Challenges.pdfGRC Strategies in a Business_ Trends and Challenges.pdf
GRC Strategies in a Business_ Trends and Challenges.pdf
 

Mehr von EMC

INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDINDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDEMC
 
Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote EMC
 
EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX EMC
 
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOTransforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOEMC
 
Citrix ready-webinar-xtremio
Citrix ready-webinar-xtremioCitrix ready-webinar-xtremio
Citrix ready-webinar-xtremioEMC
 
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC
 
EMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC
 
Modern infrastructure for business data lake
Modern infrastructure for business data lakeModern infrastructure for business data lake
Modern infrastructure for business data lakeEMC
 
Force Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop ElsewhereForce Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop ElsewhereEMC
 
Pivotal : Moments in Container History
Pivotal : Moments in Container History Pivotal : Moments in Container History
Pivotal : Moments in Container History EMC
 
Data Lake Protection - A Technical Review
Data Lake Protection - A Technical ReviewData Lake Protection - A Technical Review
Data Lake Protection - A Technical ReviewEMC
 
Mobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or FoeMobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or FoeEMC
 
Virtualization Myths Infographic
Virtualization Myths Infographic Virtualization Myths Infographic
Virtualization Myths Infographic EMC
 
Intelligence-Driven GRC for Security
Intelligence-Driven GRC for SecurityIntelligence-Driven GRC for Security
Intelligence-Driven GRC for SecurityEMC
 
The Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure AgeThe Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure AgeEMC
 
EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015EMC
 
EMC Academic Summit 2015
EMC Academic Summit 2015EMC Academic Summit 2015
EMC Academic Summit 2015EMC
 
Data Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education ServicesData Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education ServicesEMC
 
Using EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere EnvironmentsUsing EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere EnvironmentsEMC
 
Using EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBookUsing EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBookEMC
 

Mehr von EMC (20)

INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDINDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
 
Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote
 
EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX
 
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOTransforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
 
Citrix ready-webinar-xtremio
Citrix ready-webinar-xtremioCitrix ready-webinar-xtremio
Citrix ready-webinar-xtremio
 
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
 
EMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC with Mirantis Openstack
EMC with Mirantis Openstack
 
Modern infrastructure for business data lake
Modern infrastructure for business data lakeModern infrastructure for business data lake
Modern infrastructure for business data lake
 
Force Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop ElsewhereForce Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop Elsewhere
 
Pivotal : Moments in Container History
Pivotal : Moments in Container History Pivotal : Moments in Container History
Pivotal : Moments in Container History
 
Data Lake Protection - A Technical Review
Data Lake Protection - A Technical ReviewData Lake Protection - A Technical Review
Data Lake Protection - A Technical Review
 
Mobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or FoeMobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or Foe
 
Virtualization Myths Infographic
Virtualization Myths Infographic Virtualization Myths Infographic
Virtualization Myths Infographic
 
Intelligence-Driven GRC for Security
Intelligence-Driven GRC for SecurityIntelligence-Driven GRC for Security
Intelligence-Driven GRC for Security
 
The Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure AgeThe Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure Age
 
EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015
 
EMC Academic Summit 2015
EMC Academic Summit 2015EMC Academic Summit 2015
EMC Academic Summit 2015
 
Data Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education ServicesData Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education Services
 
Using EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere EnvironmentsUsing EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere Environments
 
Using EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBookUsing EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBook
 

Kürzlich hochgeladen

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 

Kürzlich hochgeladen (20)

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 

The RSA GRC Reference Architecture

  • 1. The RSA GRC Reference Architecture Abstract This paper is a primer on the RSA GRC Reference Architecture – a visual representation of the GRC framework needed within an organization to meet today’s governance, risk and compliance needs. The architecture provides a starting vision of how an organization should view GRC, its guiding principles and its final objectives. Date: June 2013 Version: June 2013 Page 1
  • 2. Contents Introduction to the RSA GRC Reference Architecture .................................................................................. 3 GRC’s Guiding Principles ............................................................................................................................... 3 The RSA GRC Reference Architecture ........................................................................................................... 5 Business Optimization............................................................................................................................... 6 The Value Layer ......................................................................................................................................... 6 The GRC Core ............................................................................................................................................ 6 Governance ........................................................................................................................................... 7 Risk ........................................................................................................................................................ 7 Compliance ........................................................................................................................................... 7 The Organizational Stack .......................................................................................................................... 7 Management ......................................................................................................................................... 7 Functions ............................................................................................................................................... 8 Operations ............................................................................................................................................ 8 Transactions and Infrastructure................................................................................................................ 9 The GRC Lifecycle ...................................................................................................................................... 9 Key Objectives of a GRC Architecture ......................................................................................................... 10 Conclusion ................................................................................................................................................... 11 Version: June 2013 Page 2
  • 3. Introduction to the RSA GRC Reference Architecture Governance, Risk and Compliance (GRC) represents a business oriented approach to establishing ownership and accountability throughout the organization to improve decision making. Governance is the act of directing, controlling and evaluating the culture, policies, processes, laws, and institutions that define the structure by which organizations are directed and managed. Risk is the negative effect of uncertainty on achieving objectives; Risk Management is the coordinated activities to direct and control an organization to realize opportunities while managing negative events. Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as organizational policies and procedures. While these definitions may seem straightforward, establishing a GRC program within an organization is not a simple task. It is also not a new concept. Companies have been focused on improving compliance and managing risk for years. Since GRC programs have many moving parts, organizations are implementing an overarching vision of how things fit together to maximize value. This vision not only should clarify the objectives of a GRC program – but also give context to how the organization executes this strategic initiative. The RSA GRC Reference Architecture provides a simple illustration to bring context to the discussion. It can serve as a backdrop as an organization plans out its strategy and delivers the core value message to the executives or simply as a method to start the dialogue. GRC is a complex topic and while no illustration will completely sum up the many facets of the effort, the GRC Reference Architecture provides a foundation upon which to drive the conversation. GRC’s Guiding Principles Certain tenets should guide an organization’s strategy for governance, risk and compliance. These guiding principles should be the foundation of the strategy and be part of the fabric of the GRC program. A GRC strategy is not a one-time effort; it is the establishment of a cultural shift in how an organization conducts business. The GRC program must define the elements necessary for governance, risk and compliance for an organization to meet its strategic objectives. A one-time effort will not meet that demand. These principles must be ingrained into the GRC strategy:  Ownership. The organization needs to hold individuals responsible for their actions and empower them to positively impact the organization. Management of risk and compliance issues cannot just be thrown over the transom. This includes not only establishing executive roles but clear responsibilities down to the front line employee. Version: June 2013 Page 3
  • 4.  Security and Peace of Mind. At the end of the day, good governance, strong risk management and effective compliance efforts should bring positive assurance to the executives, shareholders, employees and applicable regulatory bodies. Risk and compliance efforts should focus on “what keeps people awake at night” as well as the many threats that could hinder the organization from achieving its objectives.  Sustainability. GRC takes a persistent commitment to sustain the effort and achieve the strategic benefits. This has to be factored in when designing the program. For instance, while the effort to comply with an individual regulation may be at an acceptable level right now, the processes impacted by that regulation have a tendency to evolve and can quickly grow outside their original boundaries or intent. GRC must acknowledge this change and be considered a long term venture.  Consistency. One can think of GRC as a big playbook the organization uses to manage risks and compliance issues. The GRC program involves many different processes – from overarching enterprise processes to daily operational processes. The GRC architecture should bring order to this large effort and get employees on the same page with a common framework and strategy.  Proficiency. Once the business is executing using common frameworks and processes, the organization should then make sure that those efforts are as well-organized as possible as the organization becomes proficient in execution of risk and compliance management. GRC should invoke the concepts of continuous improvement and elimination of redundant efforts. Adjustments of processes to meet multiple goals can result in significant efficiency gains – generally more than initially estimated.  Balanced Effort and Reward. The GRC program should be an effort with long term balance between the rewards of embarking on the journey and the costs associated with the journey. Organizations need to be smart and calculated in the way, level or extent that GRC activities are implemented. Organizations should be thoughtful about the cost vs. benefit of each incremental step in the execution of a GRC strategy.  Agility. Given most organizations are in a constant state of motion, the GRC program must enable agile processes to react, respond and address changes to the business. Regulatory changes, new business opportunities, technology shifts and other factors will constantly barrage an organization and the risk and compliance implications must be managed in a manner that permits the business to adjust.  Transparency. Finally, the concept of transparency should permeate the GRC program. Transparency means delivering the right information to the right stakeholders within timeframes necessary to enable proper governance. This transparency extends to both internal and external stakeholders and includes overall visibility into the structure of the program and the activities documented and managed within the program such as the status of strategies, business processes, risks, controls, and compliance with internal and external obligations. It is through the transparency of the GRC program that positive assurance of its effectiveness is demonstrated. The bottom line for every organization is to make better and more consistent decisions across the enterprise that improves the likelihood that the organization will achieve its objectives. Along the way, Version: June 2013 Page 4
  • 5. the organization becomes more certain that the activities managed within its GRC framework are aligned with the organization’s objectives. This positive assurance of effective governance is reflected in a greater understanding of:  where and how the organization is subject to risk,  the amount of the risk accepted by the business,  how risk-taking is aligned with the organization’s risk appetite,  how risk is not over or under controlled, and  processes that exist to ensure that changes in risk profile are being adequately monitored and anticipated. Along the way, the organization begins to find the equilibrium between risk taking and rewards; compliance spending and regulatory obligations; costs of security and the value of the assets and the other very important balancing acts challenging organizations today. The RSA GRC Reference Architecture The following illustration is the RSA GRC Reference Architecture: Figure 1: RSA GRC Reference Architecture Version: June 2013 Page 5
  • 6. Business Optimization Starting at the top of the illustration, the end goal of any GRC program is Business Optimization. GRC is a means to an end – not the end itself. Management and the Board of Directors are focused on making decisions that are more likely to result in desired outcomes for the organization. The GRC program should be part of the mechanism that empowers executives to keep this attention on the growth, constant improvement and optimization of the business. GRC programs should enable executives to understand risks to make the decisions that will mitigate, reduce or avoid risks or exploit opportunities to gain strategic advantages and drive the organization forward. The GRC effort of an organization should strive towards this final objective – optimizing the efforts of the business to bring stronger stakeholder return and value. The Value Layer The Value Layer depicts the outputs of the GRC program that lead to this Business Optimization. GRC programs deliver Visibility, Efficiency, Accountability and Collaboration through reporting, process enablement, ownership and collective, integrated strategies. Visibility: The Board of Directors and executive management should be intimately involved in driving the overall vision for the GRC program. This vision should identify the necessary outputs needed to make the “big” decisions that ultimately drive the organization. The icon symbolizes the ability to connect the data together to see the overall picture and zoom in to track key risks or issues. Efficiency: Through common processes, aligned goals and defined objectives, the organization should be marching together to optimize risk and compliance processes. The efficiencies should manifest in tangible (e.g. time savings/cost reductions) and intangible (e.g. anecdotal evidence) benefits of improved operations as illustrated by the icon. Accountability: As the icon in the illustration denotes, the GRC program should make it evident who is stepping forward to own, manage, monitor and address risks and compliance issues. Establishing ownership and stewardship of risk and compliance is one of the most important values of the GRC program. Collaboration: Collaboration is not just getting people to meetings to discuss the issues but also put the pieces together to see the big picture. The icon denotes that collectively, the organization can assemble a multi-faceted, organized view of risk and compliance, identify gaps and fill them in appropriately. The GRC Core Along the top of the “cylinder” in the illustration, represented by the red disc, are the core GRC Processes and Capabilities. Core GRC Processes are the large, end-to-end, multi-faceted processes that facilitate the GRC program and enable the change within business operations needed to establish governance, manage risk and meet compliance obligations. For example, Policy Management – how policies are documented, rationalized and communicated – should be part of each domain and would be placed in the “Governance” layer of GRC. These Processes provide the frameworks and guidance across Version: June 2013 Page 6
  • 7. the functions to build common approaches and consistency. The RSA GRC Reference Architecture uses the following as definitions for Core GRC Processes. Governance Policy Management – establishment of corporate policies, standards and supporting operating procedures based on business and regulatory requirements. Enterprise Management – management of organizational assets, relationships and hierarchy. Strategy Management – management of activities that connect strategic objectives to business plans and measures performance toward those objectives while factoring in risks and compliance obligations. Risk Enterprise Risk Management- establishment of a common risk management approach and framework to identify, catalog and monitor risks to the business. Third Party Management – management of all external parties that support business operations. Event Management – management of all situations (incidents, business disruptions, crises, etc.) that could adversely impact business operations. Compliance Compliance Management – management of activities related to measuring compliance of business operations to defined business practices and standards including adherence to external legal and regulatory obligations. Audit Management – management of programs that provide an independent or objective measurement of the business operations and execution The Organizational Stack The cylinder within the Architecture depicts the multiple layers of structure and processes of the organization. One core understanding in GRC is that processes are not executed in a vacuum and may depend heavily on each other. For example, Risk Management cannot be discussed without some inclusion of controls based on corporate policy. Subsequently, the Compliance Management process should focus on those controls and thus inform the Risk Management process on the state of the controls. The Organizational Stack should be viewed as representing a continuum of people, strategies, methodologies and processes that work together for greater benefit. Management The Management layer represents the executive level of the organization and the overall driving strategy of the GRC program. Management in this context depicts the part of the organization that cuts across the company and represents the major work streams that are common across each function. Management – through common objectives, defined roles and responsibilities and shared technology enablers – guide business processes in the framework of the overall program goals. Version: June 2013 Page 7
  • 8. Functions The Functions layer represents the different business activities within the organization that will drive and benefit from a cohesive GRC strategy. Every organization may have different definitions of this layer as multiple parts of the business will play a role in the GRC program and the Functions included in the illustration are indicative of common segments of the business. The dotted lines in the illustration depict the fact that GRC is breaking down the silos that traditionally have remained separate or, at a minimum, are disconnected. For purposes of this document, three major functions will be used as examples:  Information technology  Finance  Legal The Information Technology function focuses on the business platforms and systems that support the overall technological infrastructure of the organization. Governance aspects of this domain include IT policies and procedures, roles and responsibilities for IT staff and the overall strategy to provide IT services. Key risks include data security, system reliability and capacity, disaster recovery and IT service delivery. Compliance aspects include the various data security regulations such as HIPAA or GLBA, support for financial systems for Sarbanes-Oxley (SOX) and the variety of individual industry requirements. The Finance function focuses on the financial aspects of the organization including financial reporting and monitoring for impacts to the organization’s bottom line. Governance aspects of this domain include financial reporting policies and procedures, accounting practices and roles and responsibilities for accounting and finance related employees. Key risks include any risk that can impact revenue and the financial standing or viability of the organization as well as financial reporting risks. Compliance aspects include adherence to accounting standards and financial reporting requirements including SOX. The Legal function focuses on the adherence to the legal obligations of the organization as defined by laws, regulations and industry standards. Governance aspects include the structure of the legal counsel, regulations review and research and interaction between the business and external regulatory parties. Key risks include discovery acts or other litigation related activities, class action suits or any other action that could result in the organization being in “legal” hot water. Compliance activities are many as the legal domain is one of the key components to identify and interpret regulatory requirements for the organization and ensure proper practices are defined for the business operations. Operations The Operations layer represents the execution elements that assess and assign requirements to individual stakeholders, perform operational tasks, identify and respond to risk and compliance issues and promote an overall culture of accountability and code of acceptable conduct. As the bottom line in the chain of processes, activities within the processes will be guided by the Management and Functions. Version: June 2013 Page 8
  • 9. Transactions and Infrastructure Finally Transactions and Infrastructure cut across the bottom of the architecture and symbolize the daily operational events and technical fabric of the organization. Transactions signifies the importance of the millions of individual events that could impact the state of the business. The organization must be mindful of all of the types of events that could impact the organization such as a change in a contract, a modification to a law, IT system and security events or even the establishment of a business relationship. Infrastructure denotes the vast physical and technical foundation of the organization. Companies today depend so much on the technical infrastructure that any business process is going to have some touch point with technology. These elements sit below the processes in the architecture since risk and compliance will be directly impacted by individual transactions or components of the infrastructure. The GRC Lifecycle The arrows within the cylinder denote the GRC Lifecycle. Outputs from Management level GRC processes, such as policies, controls and guidance, will drive functional and operational processes. Inputs into GRC processes from the day-to-day business (denoted in the Transactions and Infrastructure) will be collected, aggregated, summarized and “bubbled up” to provide information to management to support business decisions. The arrows depict on ongoing process that refines, improves and optimizes operations based on this flow of information. As GRC guides operational processes, data from operational processes informs “upwards” for management visibility. Based on that data, GRC processes should then help adjust and improve the operations. For example, policies and control requirements will flow from a Core GRC processes such as Policy Management, and define management expectations for business operations. Then, compliance to that guidance, and the state of risk associated to the guidance at any given time will be dependent on many factors – many of them tied to operational processes, individual transactions and infrastructure – that will flow back into the GRC program. For example,  The level of compliance to ethics obligations is dependent on actions taken by employees on a daily basis within operational processes.  The level of compliance to financial regulations will be dependent on transactions processed via finance systems.  The level of IT Security risk is dependent on the security events occurring on IT systems. As Management sees the information flowing back “up the stack”, the organization can then adjust the business to close gaps, better utilize resources, build efficiencies or improve effective operations. This constant flow of information drives the Business Optimization that is the overall goal of the program. Version: June 2013 Page 9
  • 10. Key Objectives of a GRC Architecture The GRC Reference Architecture depicts that there will be many moving parts to the overall program. Any effort that has so many critical objectives is bound to have multiple facets. This underscores the need for a strategic approach. Additionally, GRC is touching many parts of the organization. The web of stakeholders with varying requirements introduces a complex tug-of-war with opposing priorities. However, the scenario is not so grim. Significant redundancy in requirements, technologies and processes can be addressed by a common architecture and process approach to GRC. To manage the web of stakeholders, processes and objectives, we can use some common elements to guide our GRC strategy:  Unified. The GRC architecture should strive to bring together related and common business activities into one cohesive approach. Most organizations have built governance processes within specific stovepipes in the organization. For instance, for SOX compliance, the financial organization has defined specific controls for financial reporting and the process is driven within the domain of Finance. With an enterprise approach, the organization can learn from this effort and apply control approaches across the organization to reduce risk and provide cross-discipline input into GRC efforts. The GRC program provides a structure for conversations to create a common language across the company for risk and compliance.  Automated. Automation is critical to any GRC architecture. Due to the volume of data and information (represented by the Transactions and Infrastructure) involved in the risk and compliance processes, manual administration is impossible to contemplate. Automation will come in many forms – from correlating business data into consolidated views to automating risk and compliance management processes. Automation will also drive efficiencies and consistency throughout the program.  Information Integration. A lot of time is wasted in connecting the dots across multiple risk and compliance efforts. For example, correlating manual controls during the financial reporting process with access control rules in the financial applications is a difficult task. The Enterprise GRC architectures should look to connect those dots in a meaningful way. In this example, understanding who can access financial data can add a new dimension to understanding manual procedural controls.  End to End. Many times organizations will start or stop risk and compliance efforts mid-stream. For example, the organization may have identified security configurations for IT systems but fail to follow that through to look at the actual deployment strategies utilized within IT or the audit process used by internal audit to assess IT platforms. When an effort is initiated within an Enterprise GRC architecture, it has to be viewed from start to finish and the resulting approach has to be an end-to-end cycle that covers the risk or compliance requirement from inception to resolution.  Easy to Use. GRC tasks are not generally the sole focus of the employee. Very few employees will or should have GRC in their job titles. An accounts payable clerk is just that – an accounts payable clerk – not a GRC accounts payable clerk. The Enterprise GRC architecture should account for the fact that controls must be inserted into the daily tasks of the employee in a way that allows him or her to get their job done without worrying about some GRC overhead or Version: June 2013 Page 10
  • 11. having to check the GRC box. The Enterprise GRC architecture must talk to the employees in their own daily vernacular and make the tasks actionable and clear.  Flexible. It does not take much imagination or experience to know that the core drivers of GRC involve many changes and transformations of business over time. The Enterprise GRC architecture must be adaptive in order to evolve as the business evolves. Furthermore, business users must be empowered to make changes without relying on costly, time-intensive reengineering or re-development. As an organization contemplates a comprehensive GRC Strategy – or even a portion of the GRC universe such as Enterprise Risk Management – these objectives should be embedded into the efforts. Core Processes, as depicted in the Reference Architecture, should complement and supplement each other and ultimately, come together into a cohesive strategy. Conclusion Governance, Risk and Compliance is an evolving field of focus for organizations today. In the past few years, it has grown in both criticality and value to organizations looking to deal with shifting business environments. The definition of GRC has matured in response to the changing regulatory and corporate governance needs. GRC initiatives can impact the entire the organization and has been a lightning rod to pull together functions within an organization that rarely collaborated in the past. The RSA GRC Reference Architecture provides a common illustration to discuss GRC strategies, articulate the many different levels and objectives of the initiative and give context for the high level vision. Version: June 2013 Page 11
  • 12. CONTACT US To learn more about how EMC products, services, and solutions can help solve your business and IT challenges, contact your local representative or authorized reseller—or visit us at www.EMC.com/rsa www.EMC.com/rsa EMC2, EMC, the EMC logo, RSA and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. © Copyright 2012 EMC Corporation. All rights reserved. Published in the USA. <insert date MM/YY> EMC Perspective <insert part number as H####> EMC believes the information in this document is accurate as of its publication date. The information is subject to change without notice. Version: June 2013 Page 12