2. Delivering Risk Intelligence
Today's presenters
David Pearson, CTO & Senior GRC Consultant
Travis Giff, Senior GRC Architect & Developer

About Iceberg
• 100% focus on Governance, Risk Management & Compliance (GRC)
• Staff includes 25+ full-time GRC consultants & certified developers
• Customers include top financials, insurance, health care, manufacturers, retail and government in North America.
3. Delivering Risk Intelligence
"Trusted, aggregated and transparent risk data enabling organizations to make more informed, confident and effective business decisions."

Delivering Risk Intelligence: Disconnected risk & business data → Aggregated & integrated for context → Analyzed & interpreted → Better business decisions & actions
4. Delivering Risk Intelligence
A full lifecycle of GRC services
Management Workshops: Visioning & Alignment; CMO/FMO; KRI/KxI
Professional Services: Implementation & Integration; Solution Lifecycle Management
Iceberg APS: Post-Production Support; Mentoring, Coaching & Skills Development; Sandboxes
Risk Intelligence Academy: Case Studies; Best Practices; Webinars
GRC Innovation: Reporting / Dashboards; Toolkits & Enhancements
5. Delivering Risk Intelligence
Demo Company Profile
• SaaS for marketing/comms
• 1,000 employees
• 6 million users worldwide
• 75 customers in the Fortune 100
6. Delivering Risk Intelligence
Challenges
1. Existing internal control structure based on SOC2; need to leverage/adapt it to include FedRAMP, GDPR, and other regulations.
2. Current SOC2 attestation process done with spreadsheets / email. Time consuming + lack of transparency.
3. Poor coordination of activities between Control Owners and Auditors for collection of evidence and tracking remediations.
7. Delivering Risk Intelligence
Project Goals
1. Demonstrate that internal controls conform to regulatory requirements
2. Simplify the attestation process (make it easier for users)
3. Provide greater visibility into the attestation process, and track the state of evidence collection
4. Simplify interaction with the external auditor for collection of evidence
8. ServiceNow Governance, Risk, and Compliance (GRC)
Content Provider (UCF). Source: Unified Compliance Framework
UCF content objects: Rs Research Sites; Ad Authority Docs; Ct Citations; Ac Acronyms; Gl Glossary; Cd cDocs; Ro Roles; Me Metrics; Ce Controls; As Assets; Re Rec Examples; Ci Config Items; Cm Config Methods; Ve Vendors; Rc Record Category; Ot Org Tasks; Of Org Functions; Au Audit; Ev Events
ServiceNow Reference Content Objects: Authority Documents; Citations; Policy Statements; Policies
ServiceNow GRC applications: Policy & Compliance Management; Risk Management; Audit Management; Vendor Risk Management
9. Delivering Risk Intelligence
Compliance Manager
Key Activities
• Manage Authority Documents, Citations, Policy Statements
• Assign Control Owners
• Manage Policy Exceptions
• Set up Indicators for Continuous Monitoring

"As a Compliance Manager of XYZ Company I need to manage my organization's internal policies and ensure my organization is compliant with the various regulatory frameworks."
10. Delivering Risk Intelligence
Control Owner
Key Activities
• Complete Control Attestations
• Respond to Ad Hoc Evidence Requests
• Follow up with any Issues and Remediation Tasks

"As a Control Owner of XYZ Company I need to ensure the proper controls are in place by reviewing the control guidance, implementing the control and by providing sufficient evidence of the control being in place."
11. Delivering Risk Intelligence
Audit Manager
Key Activities
• Manage my Audit Engagements
• Manage my team
• Maximize Control Testing Efforts
• Follow up with any Issues and Remediation Tasks

"As an Audit Manager I need to manage task assignment to my internal and external audit staff, ensure all controls that are in place are designed and operating effectively, and follow up with issues and remediation tasks for non-compliant controls."
13. Delivering Risk Intelligence
Driving Outcomes
1. CONSOLIDATE: Multiple regulatory frameworks, control structure & evidence now in one central repository
2. MANAGE & AUTOMATE: Visibility into the attestation process, lower burden on resources
3. COLLABORATE: Between audit and control owners, and with external audit
14. Delivering Risk Intelligence
Implementation details
8-week implementation
Most effort in implementation is NOT configuration; it's understanding the structure of data, roles & access, reporting requirements, workflows & lifecycle.
15. Delivering Risk Intelligence
What's next?
• Use the CIs created for this project as a foundation for a more comprehensive CMDB
• Layer on risk management, including risk assessments
• Incorporate more regulations and internal policies into the existing framework
• Compliance as a competitive edge: showcase maturity & best practices to customers