An Intelligence Driven GRC model provides organizations with comprehensive visibility and context across their digital assets, processes, and relationships. It enables prioritization of risks based on their potential business impact and streamlines remediation. By collecting and analyzing data in real time, an Intelligence Driven GRC strategy reveals insights into critical risks and compliance issues and facilitates coordinated responses across security, risk management, and compliance functions.
1. INTELLIGENCE DRIVEN GRC FOR SECURITY
RSA Whitepaper
OVERVIEW
Organizations today strive to keep their business and technology infrastructure
organized, controllable, and understandable, not only to have the ability to run a
profitable business, but because a variety of governance, security, and compliance
needs demand it. Every effort to keep things in harmony is tested by the increasing
complexities in the types and volume of data required to effectively run a company;
the chaotic changes in regulations, laws, and policies; and the addition of vendors,
partners, and consumers who need access in the face of an ever-growing landscape of
unpredictable threats and system attacks.
Many companies have, over time, tried to address the issues in governance, risk
management, and compliance (GRC), as they occur, with a siloed approach that addresses
tactical requirements on an ad hoc basis. This leaves IT staff struggling to implement
solutions for point problems and management with an inadequate overview of the
information required to make the best business decisions. Organizations are operating
at an unacceptable level of uncertainty on both the business and technology aspects of
their business.
Implementing a GRC strategy in today’s competitive landscape must go far beyond
quick fixes like adding software or introducing new policies. By enabling an Intelligence
Driven GRC model, an organization can prioritize its assets in an informed manner;
understand the relationships, interconnections, and accountability of business and IT
staff; and incorporate the unpredictable behaviors of third parties that will inevitably
need access to the organization’s infrastructure.
CONTENTS
Overview..................................................................................................................... 1
Comprehensive GRC Strategy Strengthens Enterprise Ties............................................. 3
Improving Visibility...................................................................................................... 3
Think Outside the Infrastructure...................................................................................4
Revealing Insights.......................................................................................................4
Putting Plans into Action............................................................................................. 5
Conclusion..................................................................................................................6
Intelligence Driven GRC Solutions from RSA..................................................................6
page 2
COMPREHENSIVE GRC STRATEGY STRENGTHENS ENTERPRISE TIES
The goal of Intelligence Driven GRC is to create an efficient, collaborative enterprise
governance, risk, and compliance strategy across IT, finance, operations, and legal
areas. This holistic approach provides the ability to manage risks, demonstrate
compliance, and automate business processes, while directing the ongoing lifecycle of
corporate policies, assessing and responding to risks, and reporting compliance with
internal controls and regulatory requirements across the enterprise.
Intelligence Driven GRC provides a model that layers the prioritization of assets, the
streamlining of processes and the automating of reporting on top of an organization’s
essential security functions. This model is based on three fundamentals that enable
businesses to balance risk, costs, and third-party access. First, Intelligence Driven GRC
provides immediate external visibility and context across all online digital channels
bolstered by the prioritization of assets, processes, and accountabilities. Second, this
increased visibility extends analysis capabilities to quickly assess risk tolerances and
appetites of business units and address which issues are most damaging. Finally, an
Intelligence Driven GRC strategy designates the corrective action to mitigate any specific
concerns at hand, quickly and efficiently.
IMPROVING VISIBILITY
With the enormous amount of digital assets that need to be monitored, safeguarded,
and reported on, security teams can find more risks than can practically be remediated.
Traditionally, security teams react as quickly as possible to potential intrusions without
an understanding of which risks have the greatest possibility of having a negative
business impact. Lack of visibility into where business risks exist means spending time
and money on security, governance, and compliance without seeing results.
An Intelligence Driven GRC model is able to increase visibility into which security threats
or compliance issues can be most damaging because risks have been prioritized ahead
of time based on an estimate of their severity and the impact on the business. This
increased priority-enabled visibility lets security teams handle attacks in a balanced
manner that reflects their organization’s risk tolerance and ensures they limit damage
from significant threats without wasting time and resources putting out unnecessary fires.
Creating a single repository with prioritized assets within an Intelligence Driven GRC
framework simplifies the process of identifying digital assets and building relationships
between those assets and the people, processes, applications, and infrastructure that
surround them. It becomes easy to tie data to the business units that own it, the
processes that use the data, the facilities and devices that store it, the applications that
apply it, and the people accountable for it. This gives an organization the ability to track
risk and compliance of products, services, and business processes; assign
accountability to facilitate distribution of compliance assessments and tasks; and
report on compliance activities at company, division, or business unit level to support
informed decision making.
A consolidated look into activities provides efficiencies by demonstrating compliance
with multiple regulations at the same time
THINK OUTSIDE THE INFRASTRUCTURE
Increased visibility extends beyond internal assets with an Intelligence Driven GRC
strategy. Managing relationships outside of the enterprise requires the same
prioritization as internal assets. For example, prospective partners need to be evaluated
for unnecessary risk and managed along metrics that are important to the specific
organization such as vendor profiles, contacts, financial and insurance statements, and
contracts.
Within an Intelligence Driven GRC framework, visibility into compliance obligations and
their scope is transformed by automating a large part of the evidence-gathering
process. As compliance regulations often overlap, eliminating redundant data and
process information and providing consistent, repeatable definitions reduces effort and
cost and remediates areas of non-compliance.
REVEALING INSIGHTS
Collecting data in real time and prioritizing it across all the metrics that are important to
the business is vital, but the ability to quickly and efficiently analyze this information is
key to delivering business insights. Communicating security and compliance issues
among teams is often difficult; Intelligence Driven GRC transforms data into information
that is accessible and understandable to both security and business professionals.
An Intelligence Driven GRC model holds best practices, reports, and policies that are
tailored to specific compliance requirements. When incidents happen they must be
detected and analyzed quickly and action taken to resolve them and limit damage. As
records are collected, correlated, analyzed, and retained from systems across an
organization, incidents are identified and prioritized in real time. This process shows
not only data that has been compromised, but also the seriousness of the incident and
how critical it is to the overall business.
Analyzing a single organization’s volumes of data is already a big job, but today
companies operate in an extended enterprise that includes vendors, suppliers,
partners, and customers using devices that are not under the organization’s direct
control. With an Intelligence Driven GRC model, vendor risk assessments are
streamlined to evaluate inherent and residual risk across compliance, security,
financial, sustainability, and resiliency metrics. Automating risk assessments and
compliance ratings provides the ability to determine the type and status of any findings
including vendor responses as well as track the status of remediation. This analysis can
be extended to include key performance indicators, SLA objectives, and the status of
deliverables. By comparing performance with pre-defined metrics, an Intelligence
Driven GRC strategy helps an organization understand vendor-based risk exposure and
quickly deliver real-time information to other staff.
An Intelligence Driven GRC framework provides effective policies and policy
management that allows distinctions to be made for specific departments, people,
applications, and accountability. These distinctions are initiated during the policy
management set up process, which outlines who needs to approve, review or change
risk assessment levels. This approach allows expansion to other parts of the
organization because it contains content such as digital assets, third parties, regulatory
requirements, and knowledge of the organization’s structure, i.e., user roles and
hierarchy. This results in simplified sharing of already-created process descriptors or
critical system items, saving time and money.
Enabling users in different parts of an organization’s operations, IT, and finance
infrastructure to collaborate and align across common information
PUTTING PLANS INTO ACTION
Identifying and prioritizing incidents is only part of a GRC process. Incidents must be
communicated efficiently to those best qualified and authorized to handle them, which is
difficult without an Intelligence Driven GRC strategy. The common practice of manually
updating spreadsheets and sending emails to track and inform is time consuming, and it
is ultimately an ineffective way to address business risk in a timely fashion.
Intelligence Driven GRC is set up to document incidents and assign response teams
based on business impact and compliance requirements.
Built-in dashboards and reports provide insight and help report on trends, losses, and
recovery efforts and provide an incident history and audit trail. This eliminates the data
and process silos that prevent necessary communication between groups and allows
quick and easy reporting with an automated rollup of risk and compliance information
across the entire business hierarchy and operational infrastructure.
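As an added illustration (not code from the RSA paper) of the two ideas above, prioritizing findings by severity weighted with business impact and rolling risk up the business hierarchy, the following constructed Python example ranks findings on assets tied to their owning business units and sums the scores up a unit tree; the scoring weights, unit names, and findings are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed mapping of technical severity to a numeric weight.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Asset:
    name: str
    owner_unit: str        # business unit accountable for the asset
    criticality: int       # business impact if compromised, 1 (minor) .. 5 (severe)
    findings: list = field(default_factory=list)  # (finding_id, severity)

@dataclass
class Unit:
    name: str
    parent: Optional[str]  # None for the top of the hierarchy

def finding_score(asset, severity):
    """Prioritization score: technical severity weighted by business criticality."""
    return SEVERITY[severity] * asset.criticality

def prioritize(assets):
    """Rank every open finding by its business-weighted score, highest first."""
    ranked = [(finding_score(a, sev), fid, a.name, a.owner_unit)
              for a in assets for fid, sev in a.findings]
    return sorted(ranked, reverse=True)

def rollup(assets, units):
    """Sum scores per owning unit, then propagate each unit's total to its ancestors."""
    by_unit = {u.name: 0 for u in units}
    for a in assets:
        by_unit[a.owner_unit] += sum(finding_score(a, sev) for _, sev in a.findings)
    parent = {u.name: u.parent for u in units}
    totals = dict(by_unit)
    for name, score in by_unit.items():
        p = parent[name]
        while p is not None:
            totals[p] += score
            p = parent[p]
    return totals

# Constructed sample hierarchy and findings (not from the paper).
UNITS = [Unit("Corp", None), Unit("Finance", "Corp"),
         Unit("Retail", "Corp"), Unit("Payments", "Retail")]
ASSETS = [
    Asset("gl-db", "Finance", 5, [("F-1", "medium")]),
    Asset("pos-gateway", "Payments", 5, [("F-2", "high"), ("F-3", "low")]),
    Asset("intranet-wiki", "Retail", 1, [("F-4", "critical")]),
]
```

Note that the "critical" finding on the low-value wiki ranks last once business criticality is applied, which is the point of prioritizing by impact rather than by raw severity.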
An Intelligence Driven GRC strategy works across all components of the compliance
process. For example, companies have audit plans to address frequent audit-related
activities. By having control of the complete audit lifecycle, the entire process can be
streamlined allowing teams to focus on prioritized issues while integrating with risk and
control functions. This approach maximizes efficiency based on a dynamic view of risk.
For example, compliance management is often handled by two different groups, the IT
team and compliance officers at the business level. Eliminating the disconnect between
the tools and processes used by these two groups, Intelligence Driven GRC maps
compliance reports generated by the security team to GRC workflows that give auditors
the ability to easily manage compliance reports and track findings.
To further support actionable responses, tailoring a GRC system to unique business
parameters is an efficient way to deal with continual and fast-moving changes. Both IT
and non-technical users should be able to automate processes, streamline workflows,
control user access, tailor user interfaces, and report in real-time with an easy to use
point-and-click interface.
Business continuity is a critical component of an Intelligence Driven GRC strategy and
allows a centralized, automated approach to business continuity and disaster recovery
planning that enables quick responses in crisis situations. As with compliance and
risk issues, this model assesses which business processes are most critical and builds
business continuity and disaster recovery plans using automated workflow for testing
and approval. It also manages plan execution and communication in a crisis to
minimize damage to an organization’s employees, customers, reputation, and
operations.
CONCLUSION
A comprehensive Intelligence Driven GRC model extends visibility into data and
processes, provides in-depth analysis of risks and compliance issues, and provides a
clear path of action and accountability for companies that need to balance corporate
risk appetites with the responsibilities of risk oversight and ownership. Aligning data
and process prioritization, infrastructure, people, and business performance
measurement provides the ability to anticipate, respond, and continuously adapt in a
rapidly changing landscape.
INTELLIGENCE DRIVEN GRC SOLUTIONS FROM RSA
RSA® IT Security Risk Management solution enables security teams to develop a
framework for Information Security Risk by managing security policies, establishing
business context of IT assets, and effectively investigating and responding to threats
posed by security incidents and vulnerabilities. By leveraging out-of-the-box content
from RSA Archer, security teams can measure compliance risk against IT security
frameworks such as COBIT, NIST, and ISO as well as regulatory authoritative sources such
as SOX, PCI, and HIPAA. Additionally, with real-time visibility into vulnerabilities through RSA
Vulnerability Risk Management (VRM) and security incidents through Security
Operations Management (SecOps), security teams can prioritize with business context
and effectively investigate, respond, and remediate threats that pose the biggest risk to
their organization. RSA IT Security Risk Management solution helps the CISO and their
security teams to proactively put in place effective security policies, prevent issues with
vulnerabilities, and effectively respond to security incidents to protect the IT assets of
an organization and minimize information security risk.