Understanding GRC
Strategies for Understanding GRC
Source: cdn.ttgtmedia.com/searchSecurity/downloads/12_10L... (URL truncated in the original)

Governance, risk and compliance frameworks, tools, and strategies are essential to the success of today’s corporate information security programs.

BY INFORMATION SECURITY AND SEARCHSECURITY.COM

CONTENTS
GRC Complexity, p. 2
Compliance Intersection, p. 8
Federated GRC, p. 18
Governance Frameworks, p. 22
Resources, p. 26


GRC Marketplace

Buyer Beware: The Complexities of Evaluating GRC
BY ED MOYLE

GRC is about more than governance, risk and compliance; it’s about integration and streamlined management.

Remember the last time you went shopping for a car? You likely had an inkling of what type of car you wanted, and shopped at the appropriate showroom. If you prefer trucks, you’re not shopping at a Mini dealership, and if you’re after a high-end sports car, you’re not stopping by the Hummer dealer.

But what if every dealership advertised generic “vehicles,” and “vehicle” meant anything from cars to skateboards to locomotives? What if you couldn’t tell who sold what because the product space was so big you couldn’t differentiate one from the other? How would you start making a decision?

This is the position buyers are in with governance, risk and compliance (GRC) products.

MASTERING THE SPIN CYCLE
GRC is a huge market with many vendors, each with their own GRC story. These products are extraordinarily varied in the type of functionality they provide, the area(s) in which they excel, and the aspects of the complete GRC picture where they have utility. And the way they’re being sold? Well, saying it’s difficult to tell which vendor does what is one whopper of an understatement.

And it’s not made any easier by the fact that there are multiple types of GRC: IT GRC, financial GRC, enterprise risk management, etc.

Vendors are spinning their products—everything from document management to technical control validation, risk analysis and identity management—to claim a slice of the GRC pie. IT and security managers with buying power are left confused and unsure about where to spend their GRC dollars. And, at the end of the day, confusion is bad for everyone. For vendors, it means reduced adoption, and a more difficult sales pitch. And for practitioners, it’s an obstacle to a workmanlike approach to information security management and an obstacle to getting internal traction for a GRC deployment. Confusion is, as is usually the case in IT, the enemy.

Not only the market, but GRC as a product is huge. Breaking it down, governance is the ability of management to ensure that activities are performed according to set, defined processes; risk management is about identifying and quantifying risk, and making sure the organization operates within its risk tolerance; and compliance is the process by which the organization operates on the appropriate side of the law, industry regulation and policy.

Looking at it logically, vendors could make the argument that an identity management solution is IT GRC because it enforces governance, i.e., it helps ensure personnel follow the policies and procedures set down by management. Antivirus? Sure, why not? AV software that monitors its signature version and provides feedback about what machines don’t have the software installed is policy enforcement at its finest. In fact, someone could make the argument that every security product plays in the GRC space to one degree or another—and they’d be correct.

‘PROMISING’ PRODUCTS
Mapping GRC’s claims to your company’s requirements.

Business driver: Multiple overlapping regulations
GRC “promise”: Regulatory framework construction allows multiple regulations to be mapped to one set of controls

Business driver: Demonstration of regulatory compliance to management/auditors
GRC “promise”: Mapping of policy to controls and regulatory requirements allows you to keep track of compliance activities

Business driver: Difficulty managing numerous controls across multiple environments
GRC “promise”: Monitoring tools for technical controls; ability to record what controls are implemented at what locations (and to satisfy what requirements)

Business driver: Complexity of business makes risk evaluation difficult
GRC “promise”: Ability to assign risk based on criticality of components and sensitivity of stored data. Ability to correlate changes in environment and controls to overall risk

Business driver: Burdensome tracking of policy exceptions including exception expiration
GRC “promise”: Ability to track policy exceptions, owners of components in exception scope

Business driver: Inefficient, complicated or expensive security program management
GRC “promise”: Ability to automate workflow for security program tasks such as exception approval, policy authorship and incidents

But the point of GRC isn’t just to govern, manage risk, and comply; in fact, you’re probably doing them all already. The point is instead how you do those three things. It’s about transparency and integration—ultimately, by sharing a common vocabulary, these aspects of management can become more measurable, repeatable, and in the best case efficient.

It’s an evolution away from management processes that grew organically over time and a movement toward more streamlined, integrated and manageable processes that better serve the needs of your business. It’s not about doing something new, it’s about taking what you already do and refining it. And, it doesn’t take any particular product (or set of products) to get there.

In fact, many customers may not even realize that they can get pretty far along in their GRC goals in-house without relying on a particular vendor. All it takes is an understanding of their requirements, a bit of organization, and some planning.

So in the interest of doing more with less, let’s look at what you can do with tools you already have and try to move toward GRC nirvana. Once you know what you need and have started to chart out how far you can go without making a purchase, filling in the gaps with the products in the market becomes a totally different experience. Once you change your discussions with vendors from “What does your product do?” to “Does your product do this?”, the process becomes much less stressful, less time consuming, and ultimately easier to figure out.

DESIGN, THEN BUILD
The first step to implementing GRC is to understand how you’re currently running these aspects of your business and specifically how you’d like to improve, and for what purpose. And figuring this out should be a group effort—what you’re doing should have a broad impact on the whole organization and should be about integration—so this is not the time to create new silos. Reach out to all the stakeholders: IT; compliance; business; risk management; internal audit; and counsel; and get them on board to help define requirements.

Some questions to ask in each aspect of GRC:

Governance: How are you currently organizing and publishing your policies and procedures? Do you even have policies and procedures? How are you enforcing that they’re followed throughout the organization? Are you interested in just one particular set of policies and procedures, or is your interest more general–for example, are you just interested in IT or are you interested in business processes as well?

Risk Management: What is your current process for identifying, classifying and treating risk? Are you using a formalized approach or an ad-hoc one? Is that method quantitative or qualitative? Are you interested in just IT risk, or are you interested in other areas such as operational or financial risk?

Compliance: What is the extent of what you currently do for compliance? Are you currently using a compliance framework approach or have all your efforts gone into targeting one or two specific regulations? Are you in a heavily regulated industry such as health care or financial services?

Coming to a quick and dirty understanding of where you are in each of these areas is a good first step, and can give you valuable insight on where you might see the most benefit from your investment. For example, if you’re a health care provider and you’ve already spent more than a few dollars on risk assessment (i.e., to comply with the HIPAA security rule), maybe risk management in your firm is in pretty good shape. Whereas if you’re a small retailer, you might not have any formalized risk management in place—and so you can benefit more from investment in this area. On the other hand, that same health care provider might have spent quite a bit of time and energy targeting HIPAA, and might not have a broad approach to compliance that covers other regulations that have developed since HIPAA was introduced. So maybe dollars are better spent expanding the compliance approach instead of concentrating on risk management.

Be honest with yourself about where you are and your maturity in these areas. If you’re looking to move beyond a quick and dirty analysis, and are looking for something a little bit more formal, take a look at the Open Compliance and Ethics Group (OCEG) “GRC Capability Model” (the Red Book). This document provides a systematic (and highly detailed) outline for organizations looking to refine their overall GRC posture and seeking to implement these concepts within their organizations.


But at the end of the day, if it’s a choice between setting the bar high and not making progress versus setting the bar low and moving forward, set the bar low. If you have the time, funding and patience for a thorough, formal and rigorous approach, so much the better. But if you don’t, it’s better to do something than nothing. The IT Policy Compliance Group (ITPC) in its 2008 annual report draws a direct parallel between IT GRC maturity and a firm’s revenue; specifically, firms on the highest end of the IT GRC maturity spectrum have 17 percent higher revenue than those at the lowest end. Meaning, it’s in the best interest of your bottom line to do something.

REPACKAGE AND REPURPOSE
Once you have some idea of where you need help, determine whether there are tools in one area that you can expand to cover other areas. Remember again that the point of GRC is integration, so use this as an opportunity to find out what’s working well and bring it into a broader fold. For example, maybe that tool that you’re using just for the internal audit crowd might be useful in other areas as well. Or maybe the IT tool that you’re using to manage technical compliance could be repackaged for reporting outside of just IT.

If you’re a large organization, don’t skimp on figuring out what you already have (chances are good that you already have something somewhere). This could include commercial tools that you’ve already purchased—for example, auditing-centric tools used to drive risk management, policy-authorship and publication tools, management reporting tools, or any number of other commercial products that have an impact in any of these categories. Technical tools that provide feedback on whether or not individual machines and user accounts are in line with defined policy are in scope as well. Take a thorough inventory of what you’ve already purchased so you don’t buy something new with overlapping functionality (or so that you can at least decide purposefully that you’re going to replicate functionality rather than discovering it after the fact), and so that you can integrate what you already have into the broader scope of what you’re trying to do.

Include also in-house tools that you may have developed. This could be an in-house tool with all the bells and whistles, but it could also be more humble tools such as the spreadsheets and reports that are currently provided for tasks such as reporting the status of audit items, tracking compliance with industry regulation, or just about anything else that gathers or packages data about control effectiveness. If you’ve already built a compliance framework based on a standard such as the ISO 27000 series, NIST SP 800-53, COBIT, or any other baseline, fold that process and documentation in as well. If you haven’t done that already, that’s fine too, but if you have, making sure that your approach reuses what you’ve already done will save time in the long run and avoid stepping on toes.

THINGS TO REMEMBER
After you’ve done these things, you’ll probably realize a few things about your organization. No. 1, you’re probably more interested in some areas of GRC versus others based on your particular needs, and No. 2, you’ve probably already spent a dump truck full of money on tools and processes to help automate certain aspects of a complete GRC picture. You may also realize that there are some areas where you haven’t spent much in the way of time, effort or resources. Now you’re ready to come up with a purchasing strategy for tools. And you should have a pretty clear idea about where a tool would be the most valuable.

Are you just interested in IT? Do you have mostly manual processes currently in place? Maybe a turnkey technical solution is for you? When you shop around (and pilot those systems), you’ll find out pretty rapidly that a vendor focused solely on risk management absent control validation is probably not the right choice.

Do you have fairly sophisticated technical processes but a heap of regulations to comply with (and not much in the way of compliance spending to-date)? Maybe the vendor selling the technically focused solution isn’t the right pick.

Take a cue from the Oracle in the Matrix and “know thyself.” Knowing what products you need before you invite the vendors in is the only way GRC will make any sense.

Ed Moyle is founding partner of consultancy Security Curve.


GRC Compliance Intersection

Push-button Compliance
BY MICHAEL S. MIMOSO

Companies are finding innovative, all-encompassing ways to satisfy multiple regulations.

If you’re responsible for security, risk management and/or compliance for a global pharmaceutical distributor, a large data provider or a small municipality, you’re at the cross-section of federal and industry regulatory compliance. Regulation bombards you from every direction. Failure to meet federal and state mandates such as Sarbanes-Oxley and state data breach notification acts threatens the reputation of your corporate brand and the personal freedom of your executive officers. Falling short on industry requirements such as HIPAA, PCI, the Fair Credit Reporting Act or even state law enforcement accreditation puts in jeopardy your company’s ability to do business as well as your customers’ personally identifiable information.

As an information security and risk professional, you’ve been thrust during the last half-decade into the crosshairs of an increasingly regulated business environment. Frameworks, audits, automation and GRC are the fabric of your being.

Redundancy cannot be. “What you don’t want to do is implement or test the same control three, four, five times over,” says Marc Othersen, senior analyst in the security and risk management practice at Forrester Research.

So how are businesses managing multiple regulations without a massive duplication of efforts? Is there a catch-all framework that satisfies all the overlap?

Three enterprises servicing three different markets are building their version of a compliance “easy button,” drawing on a multitude of resources to create a repeatable set of processes that would satisfy the grumpiest auditor.

MENDED SOX LEADS WAY
“It’s definitely our approach to create a strategy that will be all-encompassing,” says John Sapp, senior manager, IT governance, risk and compliance at McKesson Corp., the country’s largest pharmaceutical distributor. “Whether it’s regulatory compliance or compliance with our own internal policies, it’s basically building that big picture first, and then deciding how we’re going to approach it and ensure that we’re doing it in a way that allows us to be really integrated across-enterprise and move away from the siloed approach that we so often see.”

McKesson, with $101.7 billion in revenue in FY2008, has a mature Sarbanes-Oxley compliance program, and this is the model Sapp and his team are following to build a one-stop enterprise-wide compliance program.

Sapp, who has a development and project management background, says his organization isn’t unlike much of the Fortune 500 in wanting to develop a set of repeatable processes to address compliance. He has taken steps to identify and understand McKesson’s IT environment, map out and automate the testing of controls, assess and report on risk and increase the overall maturity of the organization’s risk and compliance program. Right now, he says, McKesson is in an ad-hoc state, moving toward repeatable, and eventually standardized and optimized, processes.

“In three years, I would expect that we are at a standardized state,” Sapp says. “That, for me, has us where we have a set of standards, processes and controls that are applied across the enterprise universally and consistently, moving toward optimized where we really almost get to a plug-and-play environment where regardless of who we acquire, we can plug them in, or if we choose to sell off an entity, it makes it an easy process for us.”

MANAGEMENT
What’s in a Title?
IT GRC may be suffering from some hype overload, but McKesson’s John Sapp doesn’t see it that way. In fact, he buys into the concept so much, he baked it into his title: senior manager, IT governance, risk and compliance.

Sapp is one of the first to hold a senior GRC title, though Colgate-Palmolive has a manager in a similar position, and Apple Computer is advertising to fill a similar role.

Sapp formerly was senior consultant for risk services at McKesson, but as the company dedicated more resources to GRC and its overall compliance initiatives, it needed a senior manager in the role.

“Working with our VP of IT risk management, I wrote the job description and title two months ago in response to the GRC movement,” Sapp says. “We found we wanted to create a single point of contact for all compliance and risk management activities, and be able to deliver some level of reporting—the governance piece—to be able to monitor the entire program across the enterprise.”

—MICHAEL S. MIMOSO

Formerly, as McKesson’s senior consultant for risk services (see “What’s in a Title?,” p. 9), Sapp was business unit SOX coordinator in charge of the IT controls for the SOX program. Upon moving to his broader role, he quickly discovered how McKesson’s numerous acquisitions had created a situation where the company operated in silos, with precious little in the way of standardized processes or a lifecycle approach for addressing regulatory mandates. His goals quickly became clear: overcome the siloed approach and build a program that will allow him to drive corporate performance through these activities.

McKesson’s SOX program leverages the ISO 27001 standard for information security management and the COBIT framework for IT management and metrics.

Sapp says his organization has deployed Brabeion IT GRC suite to manage policies and map multiple regulations, such as PCI and HIPAA, to control frameworks. But he believes a collaboration of tools will ultimately meet McKesson's needs to get to integrated GRC and he is evaluating several other tools such as asset management and configuration management databases (CMDB).

SOX, PCI and HIPAA are McKesson’s three largest compliance issues, and the company’s SAP environment, which it uses for its financials, is the primary area of concern.

“We found many parallels where one piece of ISO will satisfy parts of each one of those regulations,” Sapp says. Access controls, for example, are codicils of each of those regulations. “ISO allows us to map across that and ensure by meeting that one ISO objective, I can test once, and certify many [times]. If I’m using the same access control process across each one, then I can reduce the amount of testing I do. That’s what I’ve been able to do with our SOX program. I can drastically reduce the amount of time we spend in audits because we have improved our process so much. We’re getting through audits in what I would call record time and within our budget.”

Sapp’s current evaluation of GRC tools, he hopes, will further put out to pasture the tedious, laborious manual processes in place for collecting data from business units, testing and mapping controls to particular regulations. With 200-plus controls applicable to the SOX program, Sapp says that was his first target for automation with the Brabeion tool.

“We looked to an automated tool to help us be able to test the controls, attach the evidence and keep the user from going to the next step,” he says. “I had one user tell me we’ve improved the quality of life here. We actually used SharePoint prior to automation, but the workload isn’t there that you get in these tools.”

Sapp says the GRC tools he’s seen do a fine job of defining the assets and entities of an organization. He says they are solid for analyzing workflow and creating dependencies; this kind of intelligence can be applied outside of GRC as well. He adds that the tools are sound for collecting asset information (e.g., identifying unsupported or expiring versions of software), which helps in a risk assessment. Finally, he says the dashboard facilities are a strong means of providing a risk picture to the C-level.

In contrast, he says some tools try to do too much, and don’t do very much very well. Products billed as turnkey, full-enterprise GRC programs sometimes suffer from poor workflow because of misguided focus. “Vendors sell hard on the tool rather than getting you to step back and look at process and strategy,” Sapp says. “They don’t think process and strategy first; they throw this toolset at you and say this will solve all your problems.”

Forrester’s Othersen says the tools at their core address compliance well, mapping sources, automating manual tests and providing solid reporting. Where they fail is in not linking IT risk to business risk.

“They don’t have a business perspective in their risk engines,” Othersen says. “All of them are IT focused, yet most risk happens in the line of business. If you lose credit card numbers, the line of business pays, not IT. Translating IT control failures into business risks is one of the biggest failings of those packages.”

He adds that they don’t address governance, either. “It’s up to you as a CIO or security manager to use the tool to collect and analyze data on your own.”


A FERM TOUCH
The vagaries of regulatory compliance have left many information security professionals on an island. Your interpretation of regulation is often as important as the controls you implement to meet the intent and rigor of a federal law or industry mandate.

Isabelle Theisen, chief security officer for First Advantage Corp., deals with these vagaries with a homegrown concoction of established frameworks, processes and automated tools that implement not only a solid compliance program, but sound business practices (see “Consistency Counts,” p. 16).

“Business sees anything having to do with compliance as a necessary evil; they need it because they’re being told they need it,” Theisen says. “I’m trying to turn that around and say, ‘No, you can also use IT governance, self compliance, business operations compliance and security to actually be a market differentiator against your competitors. You can turn it around and use it as a way of doing a better job against your competitors.’”

First Advantage is a data provider, servicing car dealers, mortgage services and employers with credit reports, background checks, skills assessments and more. The California-based company is subject to Sarbanes-Oxley, the Federal Credit Report Act, Gramm-Leach-Bliley, PCI and state data breach notification laws and privacy laws. Some of the regulations’ requirements overlap, and prescriptive advice is minimal.

In response, Theisen architected what she calls the FERM (First Advantage Enterprise Risk Management) program to identify controls to cover as many regulations as possible. The framework is a blend of COBIT, ISO and NIST recommendations and a mix of manual processes to identify risk and controls and ultimately feed them into a GRC tool from ControlPath, which the company purchased 18 months ago.

“We implemented the tool across business units to perform assessment, identification, testing and remediation work to ensure we meet compliance for all of our business units,” she says.

Theisen compared the manual processes in place prior to automation to typical audit work—lots of face-to-face interviews, surveys and questionnaires to determine what was in place in the different business units and inventory security, risk management, IT governance and other regulatory processes.


This information was kept in a spreadsheet—not practical, Theisen says. Now it is updatedinto the ControlPath tool.

“I would always recommend an automatedtool,” Theisen says. “You do have to have arepository of that information, even if youbuild an easy Access database. Otherwise,you’re going to ask the same questionsevery year to the businesses. How wouldyou build a baseline? It would be a night-mare to manage your compliance levelsmanually.”

Automation also helps with trendingand tracking of progress against controlobjectives.

Identification is the first of four deploymentphases of the FERM process. Inventory suchas service offerings and business unit assetsare gathered and uploaded to the tool.

Assessment is the next phase. Threats,vulnerabilities and risk that could impact aparticular service offering are assessed.Business impact analysis, data classificationand threat modeling are done against everyapplication that applies to a service offeringin a business unit. “Because we do a dataclassification, we can focus only on high-riskapplications for a service offering,” Theisensays. “Business management has been

extremely supportive because they know weare focusing on what is critical to them—high-risk applications within their service offering—and we don’t have to do everything.”

Those two phases are the most timeconsuming, she says, but are absolutelynecessary.

The third phase is testing. Havingestablished what the high-risk issues are,Theisen’s group can focus on what is criticalto a business unit. Application and infra-structure assessments are conducted priorto a controls analysis questionnaire. Thequestionnaire is tailored to the service offer-ing in question, Theisen says. ControlPathbuilds a master controls library mapped toall the controls relevant to First Advantage,enabling it to build customized question-naires for each business unit.

“It’s where automation matters,” she says.

Remediation is the final phase. Based on the results of testing, Theisen has a list of remediation items prioritized based on risk—all flowing from the organization’s business impact analysis and data classification.

Theisen says a major challenge involves keeping up with the fluid changes in regulations where very little automation exists on the front end to gather data. Often organizations are forced to wait for vendors to update their control libraries, or do it manually.

Another challenge is the narrow focus on compliance versus doing what is right for the business by implementing sound business practices to manage data.

“I try to stay away from talking about regulations,” Theisen says. “This is about sound business practices.”

ITIL LEADS WAY

Public agencies may be exempt from the whims of Wall Street, but that doesn’t ease the regulatory demands placed upon them. Their compliance pressures just come from different sources. For example, the city of Miami Beach is bound to Florida Department of Law Enforcement (FDLE) accreditation, which is the barometer by which police in the city may apply for federal funding. And then there’s PCI. With Joe Citizen paying his taxes, driver’s license fees and parking tickets with credit cards, the municipality, like most others, is bound to the industry’s payment card security standard.

Nelson Martinez, systems support manager for the city, tackles the intersection of these demands by centralizing the city’s IT infrastructure and applying ITIL as a service management platform and NIST standards to address security. This centralization becomes more important in the coming months as the city implements its e-government initiative, which essentially creates a virtual city hall online.

“Being public funded, there’s an ethical issue there. We hold ourselves to a degree of responsibility. We like to be in line with certain industry-wide security policies,” Martinez says. “We’re pretty much an ITIL shop and we do everything with change controls like private industry. We track everything. We have SLAs.”

Martinez’s organization is responsible for the city’s infrastructure—networks, servers, desktops, gateways, and even disaster recovery. It supports departments with largely mobile workforces such as public safety, which must securely connect, for example, to state and federal databases for background checks during traffic stops.

There are strict FDLE configuration guidelines to which Martinez’s systems must adhere; otherwise an incident could not only jeopardize sensitive public information, but endanger the department’s ability to procure funding should it fail accreditation.

Standardization under ITIL is crucial, Martinez says. There is one IT department for all city agencies in Miami Beach. “It’s truly the only way I want to run an IT shop. Standards are in place. There’s a unified security policy that dictates how things are done,” Martinez says. “It’s the only way we have adequate controls in a heterogeneous environment.”

Change controls are the biggest win ITIL affords the security of Martinez’s shop.

“You still have to take the initiative to do your scanning and your pen-tests, see where your issues are and fix those,” Martinez says. “Once you have established a baseline where you can say, ‘I’m for the most part secure,’ the change control processes that ITIL says you need to have in place allow you to track changes in your environment.”

Martinez says Miami Beach deployed Symantec Enterprise Security Manager to handle its vulnerability scanning and monitor for policy deviations. The tool comes with templates for NIST and NSA standards, for example. Martinez relies on these security templates to map compliance with industry regulations such as PCI and internal policies for mobile connectivity. The city also uses eEye’s Blink for real-time IPS and IDS monitoring.

“Symantec ESM is very good at creating our policy templates for servers and tells us whether we’re in or out of compliance,” Martinez says. “The tool is a good way of showing an auditor that we’re doing quarterly audit compliance runs against our machines and remediating.”

In the event a security issue threatens the safety of data (and compliance), Martinez says he can resolve it by examining the root cause. Using ITIL, he can determine whether changes in a server or firewall setting, for instance, led to the particular issue.

“It helps you troubleshoot and get back to square one and figure out where this problem was introduced,” he says. “If you’ve got an SLA, how can I guarantee to my customer that I’m going to meet 5 9s for that service? I need to make sure I am controlling proactively the changes in the environment or making sure those changes are reviewed prior to being implemented.”

Martinez says it’s vital that risks associated with any change are assessed prior to implementation.

“Change has to be well thought-out,” he says. “I believe it’s critical to the security and availability of production environments. If you do not have adequate change control strategies in place, it’s a matter of time before you have a major outage.”

Forrester’s Othersen says most organizations are in similar straits to these three, where they’re in the process of adopting frameworks and on their way toward a normalized compliance environment.

“About 10 percent have achieved that nirvana state where they’re normalized, their frameworks are rationalized and automated,” Othersen says. “The rest are putting down frameworks, getting budgets. There’s no procurement or engineering yet, but everyone is getting there. It’s just cost inefficient to run things the way they are today.”

Michael S. Mimoso is editor of Information Security.


BEST PRACTICES

Consistency Counts BY RICHARD E. MACKEY

Organizations of all shapes and sizes face compliance requirements from all sides, whether from regulations such as HIPAA, state privacy laws or the Payment Card Industry’s Data Security Standard (PCI DSS). The most efficient and effective way to deal with the diverse set of requirements stemming from the growing array of regulations is to establish a framework of consistent processes and mechanisms. The individual processes can then be adjusted to meet specific regulatory requirements. Here are five best practices that can help organizations fulfill compliance goals across multiple regulations.

Establish an information cataloging and classification process.

At the heart of all regulatory requirements lies information. The information governed by regulations such as HIPAA, PCI and Gramm-Leach-Bliley needs to be protected from leakage and unauthorized access. To successfully protect information, an organization has to know where it is, what makes it sensitive, and who should have access to it. Information cataloging identifies data sets and assigns ownership. Classification defines and documents what makes information sensitive and how it must be handled. These allow an organization to define processes for data handling (e.g., encryption), define processes and mechanisms for access control, and establish bounds for what needs to be audited to prove compliance.

Establish a risk management process.

Many regulations require organizations to formally assess and manage risk to protected information and systems. This process needs to be applied at a high level when businesses change (e.g., in a merger or acquisition) and at a small scale (e.g., when new software or systems are installed). Having a risk assessment and management framework based on a recognized model, like OCTAVE from Carnegie Mellon University, can help organizations meet requirements from multiple regulations and justify strengthening (or weakening) controls.

Develop a consistent identity and access management process.

Every regulation (and auditor) requires organizations to prove they have strong processes controlling who is permitted access to protected information and systems. While this may seem like a largely technical problem, it is primarily a process requirement. Regulations tend to emphasize the requirement that the appropriate people are involved in approving access requests and that there be an audit trail for all requests and approvals. Identity and access management technologies can help with these activities, but they depend on you to develop the appropriate workflows and involve the appropriate players.

Develop a log review process and mechanism.

All regulations require organizations to maintain and monitor logs. Done correctly, logging allows a company to track and prove which users had access to which information, and provides evidence that regular maintenance took place, procedures were followed according to documentation, and certain protections were in place (e.g., firewalls and antivirus). Unfortunately, the challenges facing organizations trying to build and maintain a consistent logging scheme are many. Logs from different products have different formats, are stored in disparate systems, and may include too little or too much information. Organizations need to analyze their logging needs, confront the complexity problem and evaluate event and log management products on the market. The best of these understand log formats from multiple platforms and products, can integrate logs from distributed locations, and can provide powerful analysis tools.
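As an added example, not from the article or any product it names, the Python below maps two constructed log formats (a syslog-style file server audit line and a comma-separated application audit line) onto one schema and then produces the evidence the paragraph asks for: which users successfully accessed which classified information, which attempts were denied, and which lines no parser understood. Host names, users, paths, formats and the classification table are all invented for the example.

```python
"""Normalize two constructed log formats into one schema so a log review can
answer "which users had access to which information"."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample lines; no real system produced them.
SAMPLE_LOGS = [
    # Format A: syslog-style file server audit records (no year in the timestamp)
    "Mar 14 09:12:03 fs01 smbd[4412]: user=jdoe action=read path=/finance/payroll.xlsx result=ok",
    "Mar 14 09:15:47 fs01 smbd[4412]: user=asmith action=read path=/public/lunch-menu.txt result=ok",
    # Format B: comma-separated application audit records (ISO-8601 timestamp)
    "2009-03-14T09:20:11Z,db-app,mlee,SELECT,patients.phi_records,DENIED",
    "2009-03-14T09:21:02Z,db-app,jdoe,SELECT,patients.phi_records,OK",
    # A line neither parser understands; it must be reported, never silently lost
    "kernel: eth0 link up",
]

# Data classification from the information catalog (constructed). Anything absent
# here is treated as sensitive, so gaps in the catalog surface during the review.
CLASSIFICATION = {
    "/finance/payroll.xlsx": "confidential",
    "/public/lunch-menu.txt": "public",
    "patients.phi_records": "phi",
}


@dataclass(frozen=True)
class AccessEvent:
    """Common schema every log source is mapped onto."""
    ts: datetime
    source: str
    user: str
    action: str
    resource: str
    outcome: str  # normalized to "ok" or "denied"


SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<kv>.*)$"
)


def parse_syslog(line: str, year: int) -> Optional[AccessEvent]:
    """Format A carries no year, so the reviewer supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    try:
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        return AccessEvent(ts, m["host"], fields["user"], fields["action"].lower(),
                           fields["path"], fields["result"].lower())
    except (KeyError, ValueError):  # missing field or bad timestamp: not an event
        return None


def parse_csv(line: str) -> Optional[AccessEvent]:
    """Format B is positional; only the outcome spelling needs normalizing."""
    parts = line.split(",")
    if len(parts) != 6:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return AccessEvent(ts, parts[1], parts[2], parts[3].lower(), parts[4], parts[5].lower())


def normalize(lines, year=2009):
    """Return (events sorted by time, lines that no parser accepted)."""
    events, unparsed = [], []
    for line in lines:
        ev = parse_syslog(line, year) or parse_csv(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return sorted(events, key=lambda e: e.ts), unparsed


def sensitive_access(events, classification):
    """Map each user to the non-public resources they successfully accessed."""
    report = {}
    for e in events:
        if e.outcome != "ok":
            continue
        if classification.get(e.resource, "unclassified") == "public":
            continue
        report.setdefault(e.user, set()).add(e.resource)
    return report


def denied_attempts(events):
    """Denied accesses show the control worked and deserve a second look."""
    return [(e.user, e.resource) for e in events if e.outcome == "denied"]


if __name__ == "__main__":
    evs, bad = normalize(SAMPLE_LOGS)
    print(sensitive_access(evs, CLASSIFICATION))
    print(denied_attempts(evs))
    print("unparsed:", bad)
```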

Document your administrative processes.

All regulations require thoroughly documented administrative procedures. However, while many organizations view this requirement to be a compliance burden, it just makes sense. Your organization cannot afford to be placed at risk because the knowledge of how to complete critical administrative functions exists only in the heads of your administrators. There’s no shortcut here; the key is to document what you do and then make improvements. There will be a temptation to improve all your processes as you document. That way lies madness. If you want to achieve compliance, document, document, document.

Richard E. Mackey is vice president of SystemExperts.


Key Characteristics of a Federated GRC Strategy BY MICHAEL RASMUSSEN

A well-executed GRC program reduces the risk of exposure of a firm and creates better business performance.

Governance, risk and compliance (GRC) are interrelated issues affecting organizations. In the past, financial service firms have approached areas of GRC as silos—operational, legal and regulatory risks—operated autonomously of each other.

GRC IS ABOUT ORGANIZATIONAL COLLABORATION

Conversely, firms now strive to develop a more integrated GRC strategy that permeates an organization’s processes, decisions and culture. That change demands the sharing of information, assessments, metrics, risks, investigations and losses, all in an effort to reduce business uncertainty and produce predictable results.

This kind of “federated” GRC initiative involves a number of professional roles—the corporate secretary, legal, credit risk, market risk, operational risk, audit, compliance, IT, ethics, corporate social responsibility, and finance. Initial success of a federated GRC program can be measured by the presence of the following characteristics:

• Sustainability. Firms demand a sustainable process and infrastructure for GRC requirements that are becoming more sustained and onerous. Further, organizations must assess their risk and compliance management practices on a continuous basis; with the speed of business, point-in-time assessments are no longer good enough, which demands that an organization address GRC collaboratively and continuously.

• Consistency. Some firms require that multiple roles in the organization work together in an integrated framework. This requires that a common framework be in place so the varying business functions in a firm understand where they fit and how they can share and collaborate on data. GRC is getting everyone to play their different positions (roles within the enterprise) from the same playbook. Consistency provides a holistic picture of GRC so that the organization can draw attention to disasters and capture opportunities.

• Efficiency. Redundant assessments and audit processes that look for similar information for different purposes are preventing enterprises from getting business done. GRC aims to ease the burden on business areas by leveraging common processes, assessments and information.

• Transparency. Financial service firms require transparency across key performance and risk indicators to monitor organizational health, take advantage of opportunity and avert or mitigate disasters. Corporate performance management is tightly related to risk management. When done correctly, performance and risk management are two sides of the same coin.

DEVELOPING A GRC VISION

Once the above-mentioned points are used to determine the basic operational effectiveness of a GRC program, it’s time to turn the focus toward long-term strategic planning. The complexity of risk and regulatory demands, as well as the nature of extended and global business, require that some organizations reengineer how they approach silos of governance, risk, and compliance by leveraging processes and information across GRC-related business processes.

Developing a successful, long-term federated GRC program involves taking the following steps:

• Get executive sponsorship. Firms that try to build their GRC strategy from the bowels of the organization face continual struggles, typically in the form of internal political issues where GRC becomes a hydra with multiple heads going in different directions. It comes down to a matter of control as these different political heads vie for a leadership position in the GRC strategy. Executive sponsorship alleviates this by establishing a top-down direction. However, the bottom-up strategy still needs to be kept in perspective, as it is the people in the trenches that ultimately need to work in a consistent approach to GRC.

• Define scope and roles. GRC is more than enterprise and/or operational risk. A successful GRC strategy is going to start conversations with all the stakeholders in GRC-related domains. Bringing these roles to a collaborative discussion and approach to GRC is what federation is about. A successful GRC strategy starts with defining the charter and vision for GRC and identifying the breadth of business processes and roles that will be incorporated into the GRC strategy.

• Inventory current systems and processes. Getting the roles of GRC together leads to the next step of understanding how disparate GRC processes and systems have been implemented. Firms should undertake a detailed inventory of GRC-related processes, systems and technologies to identify where redundancy occurs and establish points of integration.

• Build your roadmap. This means identifying short-term and long-term action plans. In the short term, focus on easy wins to show the value of GRC, as well as pressing GRC issues that the organization is up against (e.g., Basel II, Solvency II, MiFID). For the long term, develop a plan to integrate the siloed areas of GRC that are not as pressing, such as Sarbanes-Oxley or operational risk.

CONCLUSION

Ignoring a federated view of GRC in today’s environment results in business processes, partners, employees, and systems behaving like leaves blowing in the wind. Without a GRC strategy, different parts of the organization end up going in different directions in their respective GRC silos. This leads to wasted resources, inefficiency, a lack of transparency, and significant exposure to the organization. GRC aligns them to be more efficient and manageable. Inefficiencies, errors and potential risks can be identified, averted or contained. This reduces the risk exposure of the firm and creates better business performance.

Michael Rasmussen ([email protected]) is with Corporate Integrity, LLC. Michael is the authority in understanding governance, risk and compliance (GRC) and is noted for being the first analyst to define and model the GRC market for technology and professional services.


Outlining Governance Frameworks BY ERIC HOLMQUIST

Organizations need to consider many resources and criteria in building a security framework.

The concept of an information security framework is somewhat amorphous, in part because even the phrase “information security” itself can be surprisingly subject to interpretation. At a minimum, a sound framework should provide a blueprint for how information security is governed, define the role of policy and procedure, identify applicable legal or regulatory requirements and support data classification standards and data breach response criteria.

How such frameworks are interpreted and implemented within companies remains wildly varied. For instance, are the controls around sensitive system IDs and passwords part of information security or part of a larger control framework? Is oversight of third parties part of information security or a larger vendor management framework? The lack of clear boundaries creates the challenge.

The answer is both. Information security must be highly integrated into many other operations and control frameworks within institutions.

This tip will briefly describe some of the key principles to consider when building a framework and evaluate a number of standard industry resources against these principles.

MAJOR PRINCIPLES

When evaluating any reference materials for information security governance, the following principles should always be kept in mind.

• Information security must be managed as a business issue, not an IT issue. Unfortunately, many programs have their roots in IT because IT manages the systems with the most data. However, virtually all compromises are ultimately caused by careless people and poor procedure, not weak systems.

• It’s a team effort. The governance program must have broad management support, with involvement from senior management, legal, human resources, compliance, audit, risk management and IT.

• Awareness is key. The more that people are aware of the risks, rules and their roles, the more they can make the governance program stronger. Information security cannot be managed by a team of experts; it must be everyone’s responsibility.

With these principles in mind, we can begin to evaluate the various reference sources that are available to firms to support their own information security governance program.

FFIEC guidelines: The materials given in the interagency guidelines on information security are one of the best resources, and certainly the gold standard for banks. Both the material found in the IT Examination Handbook under Information Security and the interagency guidelines are the best available in terms of an overall “program” design and should be the main reference document for every financial institution.

ISO/IEC 27002 (formerly ISO 17799): The international standards document, created in 2000 and subsequently updated in 2005 and 2007, has been an influential tactical document since its creation. The roots of it can be seen in the Information Security section of the FFIEC’s IT examination handbook. The cons of the ISO standard are that it is too technology-centric, does not provide a governance framework and includes broader themes of availability and integrity. However, it does contain some of the best data-control categories available and should be a standard-issue reference document for any information security officer.

PCI DSS: Created specifically for the payment card industry, the PCI Data Security Standard, like the ISO standard, does not provide a governance framework and is heavily IT focused, but it does provide broader language regarding procedural aspects (who has access to data and why). It also includes a detailed checklist that can be useful in designing an internal self-assessment process.

COBIT: While COBIT is a framework document by design, and a very good one, it is not as strong when it comes to information security. It can be an excellent resource for broad IT governance frameworks, but many of the deeper elements of information security management will be found in the above-mentioned documents.

INFORMATION SECURITY GOVERNANCE

Regardless of which materials firms choose as a primary reference, the following concepts are central and critical to building a successful information security governance framework.

Policy: The program should be grounded in a clear, board-level information security policy that positions it as a business issue, mandates the need for a comprehensive program, delegates authority to the role of an information security officer (preferably NOT working in IT) and establishes clear reporting requirements back to the board of directors.

Program: A comprehensive program document that defines: clear roles and responsibilities; discrete program elements; how the overall program is governed; a risk assessment methodology; reporting requirements and testing methodology.

Risk Assessment: A risk assessment methodology that evaluates inherent risks; controls and residual risk to systems; data and physical records; and third parties. It is important to note that each of these four areas will have specific and unique business owners that all must participate in the risk assessment and risk mitigation process.

Policies and Training: The framework should include clear operating policies that outline specific do’s and don’ts for managing data, as well as a regular, comprehensive training curriculum that is mandatory for all staff.

Response: A clear and well-tested set of procedures to respond in the event of a data breach that, like the program itself, includes both operational and senior management.

The key to information security governance is to remember that the goal is not absolute data restriction. We live with data in motion every day and we cannot do our jobs without the use of confidential data. The goal with information security governance is to build superior resiliency in how data is managed on a day-to-day basis and in our ability to respond should something go wrong.

Eric Holmquist is the vice president and director of operations risk management at Advanta Bank Corp. He has more than 25 years experience in the financial services industry and is a frequent industry author and speaker. He is responsible for the development and oversight of the bank’s operational risk management program.


GRC RESOURCES FROM OUR SPONSORS

Application Security

PCI Compliance: Addressing Your Needs Via the Database & Grounding at the Database Level
Read about the proven framework for securing data against attack and tampering.

Sarbanes-Oxley (SOX) Compliance from the Database
Discover how DbProtect can bolster SOX compliance efforts by grounding compliance in the database.

HIPAA Compliance and PHI Protection
Learn how DbProtect can strengthen HIPAA compliance and PHI Protection efforts.

Top 5 Database Vulnerabilities Plaguing Federal Agencies
Discover the top five vulnerabilities Federal agencies face and how to correct them.

Security and Compliance: Understand and Address Multiple Requirements
Address PCI, SOX, NIST/FISMA, Basel II and others for greater compliance and reduced risk.

BeyondTrust

Eliminate Admin Rights—Learn more about BeyondTrust Privilege Manager
BeyondTrust enables enterprises to Eliminate Admin Rights and still allow end-users to run all required Windows applications, processes and ActiveX controls.

Locking Down Desktops by Applying the Security Best Practice of Least Privilege
Learn about the security implications of users operating with admin privileges and the different solutions available for least privilege.

How to Build a Secure and Compliant Windows Desktop
Auditors, regulators and business unit owners recognize the threat unsecured desktops pose. Discover how to remove admin rights and increase security and compliance.

Achieve Compliance with IT Audits, SOX, HIPAA, FDCC by Removing Admin Rights
A common goal of many mandates and IT audits is the removal of administrator rights from end-users.

Eliminate Admin Rights—Free Best Practice Webinar Signup
Please join us for an exciting look at how you can eliminate the need to have users run with administrative rights on their workstations.


Lumension Security

Federal Desktop Core Configuration: Achieving Compliance with the Lowest Total Cost of Ownership

Going beyond HIPAA Compliance: Securing the Evolving Endpoint

The Best PCI Audit of Your Life: Are You Ready?

HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information

Endpoint Security Best Practices for Complying with FDCC Standards

MessageLabs

Block Evolving Spam, Secure Your Network

Choosing a Solution for Web-Filtering: Software, Appliance, Managed Service?

Email Security Buyer's Guide: Software, Appliance, Managed Service?

Employee Web Use and Misuse: Companies, Their Employees and the Internet


thawte

Securing your Online Data Transfer with SSL
This white paper provides an introduction to SSL security covering the basics of how it operates and how to deploy appropriate SSL certificates.

Securing your Apache Web Server with a thawte Digital Certificate
Read this white paper and learn more about securing your Apache Web Server with thawte digital certificates.

Extended Validation (EV) SSL Certificates
This white paper details the benefits of extended validation (EV) SSL certificates and how they can help your company.

Securing your Microsoft IIS Web Server with a thawte Digital Certificate
In this guide you will find out how to test, purchase, install and use a thawte Digital Certificate on your Microsoft Internet Information Services (MS IIS) web server.

The thawte Starter PKI Program
Read this white paper and learn about the advantages and benefits of the thawte Starter PKI Program.

Varonis

FISMA, SOX, HIPAA & PCI: Automate. Simplify. Move-on.
Watch this webcast to learn benefits of automating reports on sensitive data to achieve compliance.

10 Things IT Should Be Doing (but isn't)
Read this whitepaper to get the ten must-do actions for maximizing unstructured data protection.

Managing Unstructured Data: 10 Key Requirements
Learn about 10 key requirements to use when evaluating a DP solution for the enterprise.

How Varonis Helps in Sharepoint
Sharepoint is not designed to manage access controls to unstructured data. Varonis can help.

Fixing the "Everyone" Problem: How Restricting Access Can Increase Data Security
Read about the solution that can take care of the "everyone" problem in a matter of mouse clicks.


Websense

Information Security: Meeting Today's Challenges

Controlling Access for File Server Compliance

Managing Email Server Compliance