Inv306 going social in a world of grc v.1.1
Posted: 19-Oct-2014 | Category: Technology
Transcript of Inv306 going social in a world of grc v.1.1
© 2012 IBM Corporation
INV306 Going Social in a world of Governance, Risk Management, and Compliance (GRC)
Arthur Fontaine | Program Director | IBM Collaboration Solutions
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Agenda
■ GRC – What is it, and why is it important?
■ Collaboration in a GRC world
■ Functional perspectives to GRC
The three elements of GRC, and what each one focuses on:

Governance – Setting policies for risk in the organization
 Focus: ● Regulations ● Contractual Duties ● Business Strategy

Risk Management – Limiting actions to within risk tolerance
 Focus: ● Education/certification ● Security and Defense ● Information Lifecycle

Compliance – Confirming adherence to policies
 Focus: ● Audit ● Ediscovery ● Documentation
A role-based approach to GRC

Chief Legal Officer
 Goal: Reduce legal exposure
 Concerns: ● Identifying legal risks ● Reducing exposure from retention of unnecessary information ● Anticipating and managing discovery tasks

Chief Risk Officer
 Goal: Quantify and reduce risk exposure
 Concerns: ● Integrated view of risk across financial, operational and other domains ● Anticipating and avoiding unexpected loss

Chief Financial Officer
 Goal: Manage risk-adjusted forecasting and allocation
 Concerns: ● Financial risk management ● Regulatory requirements ● Financial reporting (e.g. SOX)

Chief Information Officer
 Goal: Reduce IT expense
 Concerns: ● Guarding against intrusions and malware ● Reducing storage and admin costs ● Ensure business continuity

Chief Information Security Officer
 Goal: Reduce IT risk exposure
 Concerns: ● Anticipating and avoiding threats and breaches ● Managing records lifecycles in IT systems ● Driving content policies

Chief Compliance Officer
 Goal: Ensure regulatory compliance
 Concerns: ● Adherence to policy and procedures ● Managing regulatory exams, audits and requests ● Reducing cost for compliance management
GRC Framework
GRC – IBM Reference Architecture (layered diagram; the labels below are recovered from the slide, grouped as they appear)

Risk and compliance domains: Internal Audit ● Financial Reporting ● Policy & Compliance ● Vendor Risk ● Business Continuity ● IT Security Risk ● IT Risk ● Operational Risk ● ALM & Liquidity Risk ● Market Risk ● Credit Risk

GRC Management* – roles: CRO, CIO, CCO, CFO

GRC Analytics* – Trusted Risk Information Warehouse: Consolidated Risk Data ● Results Datamart ● KRI Mgmt ● Loss Event Data ● Industry Content

GRC Execution – controls and monitoring: Whistle Blower ● Legal case Mgmt ● Asset Mgmt ● Records Mgmt ● Training ● Seg of Duties ● Fraud Monitoring ● Cntl Monitoring ● AML

Operational Systems: Database ● Applications ● Network ● Endpoint ● Access and IM

Services (GTS, GBS, SWG-Lab, GBS/BAO Services): Strategic GRC Consulting ● GRC Implementation Services ● Operational Change Mgmt Services

Cross-cutting: Information Lifecycle Governance ● Operations Lifecycle Management
Agenda
■ GRC – What is it, and why is it important?
■ Collaboration in a GRC world
■ Functional perspectives to GRC
IBM Social Business Capabilities

Pillars: Social Networking ● Social Content ● Social Analytics
Built on: Open Standards ● Workload-Optimized Systems
Adoption path: Envision → Enable → Adopt → Optimize
Capability areas: Reach ● Engage ● Discover ● Integrate

Capabilities: Owned social networks ● Identity systems ● Social network connectors ● Content services ● Engagement apps & svcs. ● Monitoring ● Optimization ● Analytics ● Communication channels

Foundation: Governance and Lifecycle ● Information Management ● Process Management ● Social BPM ● Connectors ● MDM ● Information integration ● Info. lifecycle gov. ● Rules ● ESB ● Data warehousing ● Security ● Community gov. ● Mobile
“Dynamic Tension”: Social Business and GRC impacts

Each benefit of Social Business, its impacts on Governance, Risk, and Compliance, and the C-level roles impacted:

● Instant access to professional experts and networks
 Impact: Directly conflicts with regulatory “internal firewall” requirements
 Roles: CFO, CRO, CCO, CISO

● Multi-modal communications
 Impact: Multiplies the channels, volume, and velocity that have to be monitored, logged, audited, discovered; complicates identity and access management
 Roles: CIO, CISO, CLO

● Access to public data sources and applications
 Impact: Creates risk of releasing or procuring information improperly; adds threat exposures
 Roles: CLO, CRO, CCO, CIO

● Mobile access to enterprise 'big data'
 Impact: Places core enterprise IP in uncontrolled environments
 Roles: CIO, CISO

● Rich information about people and projects
 Impact: Allows better targeted threats; updates can be studied to reveal patterns and clues
 Roles: CISO, CCO, CRO

Common customer request: “How can you help us deploy your social business solutions in a way that doesn't break the GRC regime we've constructed over the years?”
Enterprises understand unique GRC issues

Each issue is a customer statement, followed by the mitigation and the representative IBM offerings from the slide:

Issue: We lack an overall social business policy for our enterprise
 Mitigation: Develop an enterprise-wide social business policy & governance model
 Offerings: ● Atlas Policy Federation Framework ● Atlas Global Retention Policy and Schedule Management

Issue: Expands the universe of things I need to enforce policy on (monitor, retain, discover, and dispose)
 Mitigation: Expanded policy management and enforcement tools to modify behaviors, raise risk awareness
 Offerings: ● Actiance Vantage for Connections and Sametime ● IBM Content Collector, IBM eDiscovery Manager ● Atlas Governance for IT

Issue: Raises challenges of managing within regulated industries
 Mitigation: Identity/access management tools need to be extended to social applications
 Offerings: ● Atlas Governance for IT ● Tivoli Identity Manager ● Tivoli Content Manager

Issue: Raises risk and velocity of content leaks
 Mitigation: Content inspection solutions must prevent leaks, flag inappropriate behaviors
 Offerings: ● QRadar SIEM/Risk Manager ● Lotus Protector ● InfoSphere Guardium db Security ● InfoSphere Optim Data Masking

Issue: Breaks existing security / compliance regimes such as internal firewalls
 Mitigation: Tools must reuse and extend existing security/compliance regimes for social content
 Offerings: ● Atlas Policy Federation Framework ● IBM Information Lifecycle Governance ● Lotus Protector ICAPI

Issue: Creates new vectors of attack and raises risk of social engineering exploits
 Mitigation: Security systems must identify, and protect against, social business attacks and exploits
 Offerings: ● Tivoli Network Intrusion Prevention ● Tivoli Endpoint Manager
IBM Information Lifecycle Governance (ILG)

The ILG solution portfolio enables customers to:
● effectively retain and archive information
● efficiently meet eDiscovery obligations
● defensibly dispose of information
to lower both cost and risk.
Information Lifecycle – it is a process...

Of all the information and content generated in any organization, only the right information has to be retained. But which is the right one?

Stages: Create → Collect → Analyze → Archive → Discover → Dispose

Risk of disposing too early: cost of lost evidence; inability to comply with regulatory requirements
Risk of retaining too long: cost of storage
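The retain/archive/discover/dispose stages above come down to one decision per record: is it still under a retention period, is it under a legal hold for discovery, or may it be defensibly disposed of? The following is an added example of that decision, written for this page; it is not IBM code and not how the Atlas or ILG products implement it. The retention schedule, record classes, custodian names, keyword tags and matter names are all constructed for the example.

```python
"""Retention-schedule and legal-hold disposition check (added example, not IBM code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: record class -> retention period in days,
# counted from the record's trigger date (creation, or close of the matter).
RETENTION_SCHEDULE: dict[str, int] = {
    "financial-report": 7 * 365,  # long retention for regulatory reporting records
    "chat-message": 3 * 365,      # e.g. chat conversations captured as business records
    "project-update": 2 * 365,
    "transient": 30,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    record_class: str
    trigger_date: date
    custodians: frozenset[str]              # the people whose content this is
    keywords: frozenset[str] = frozenset()  # classification tags from content analysis


@dataclass(frozen=True)
class LegalHold:
    matter: str
    custodians: frozenset[str] = frozenset()  # hold everything these people created ...
    keywords: frozenset[str] = frozenset()    # ... and everything tagged with these terms
    released: bool = False                    # a released hold no longer blocks disposal


def hold_applies(record: Record, hold: LegalHold) -> bool:
    if hold.released:
        return False
    return bool(record.custodians & hold.custodians) or bool(record.keywords & hold.keywords)


def disposition(record: Record, holds: list[LegalHold], today: date) -> tuple[str, str]:
    """Decide 'retain', 'hold' or 'dispose' for one record, with the reason.

    Order matters: holds are checked before the schedule, so a record whose
    period has expired but which is under discovery is never deleted (the
    'cost of lost evidence' risk), while a record with no hold and an expired
    period is released for disposal (the 'cost of storage' risk).
    """
    matters = sorted(h.matter for h in holds if hold_applies(record, h))
    if matters:
        return "hold", "legal hold: " + ", ".join(matters)
    period = RETENTION_SCHEDULE.get(record.record_class)
    if period is None:
        # Unclassified content is the "which is the right one?" problem:
        # the safe default is to keep it and surface it for classification.
        return "retain", f"no retention rule for class {record.record_class!r}"
    expiry = record.trigger_date + timedelta(days=period)
    if today < expiry:
        return "retain", f"retention runs until {expiry.isoformat()}"
    return "dispose", f"retention expired {expiry.isoformat()}"


def run_example(today: date = date(2014, 10, 19)) -> dict[str, tuple[str, str]]:
    """Run the check over a constructed set of records and holds."""
    records = [
        Record("r1", "chat-message", date(2011, 1, 15), frozenset({"alice"})),
        Record("r2", "chat-message", date(2011, 1, 15), frozenset({"bob"}), frozenset({"acme-merger"})),
        Record("r3", "financial-report", date(2010, 3, 1), frozenset({"cfo"})),
        Record("r4", "wiki-page", date(2009, 6, 1), frozenset({"alice"})),
        Record("r5", "transient", date(2014, 9, 1), frozenset({"dev"})),
        Record("r6", "chat-message", date(2011, 1, 15), frozenset({"carol"})),
    ]
    holds = [
        LegalHold("Acme matter", keywords=frozenset({"acme-merger"})),
        LegalHold("Closed matter", custodians=frozenset({"carol"}), released=True),
    ]
    return {r.record_id: disposition(r, holds, today) for r in records}


if __name__ == "__main__":
    for record_id, (action, reason) in run_example().items():
        print(f"{record_id}: {action:8} {reason}")
```

Two design points are worth noting. The hold check runs before the schedule check, so a hold placed by the legal team overrides the storage-driven schedule rather than competing with it; and a record with no matching retention rule is kept rather than dropped, because the failure mode of over-retention (storage cost) is recoverable and the failure mode of wrongful disposal (lost evidence) is not.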
Agenda
■ GRC – What is it, and why is it important?
■ Collaboration in a GRC world
■ Functional perspectives to GRC
Use Case: Chief Legal Officer

GOAL: REDUCE LEGAL EXPOSURE

KEY OBJECTIVES
● Identifying legal risks
● Reducing exposure from retention of unnecessary information
● Anticipating and managing legal discovery tasks

Impacts of Social Business
● Increased opportunities for legal risks, due to new communication modes and unlimited ad hoc interactions
● New data sources and types that constitute business records (must be discoverable per FRCP)
● Greater complexity of business records, including data hosted on external applications/platforms

Strategies / Tools / Services from IBM
● Actiance Vantage for Connections and Sametime – Brings Connections/Sametime content into enterprise data corpus
● IBM Content Collector, IBM eDiscovery Manager – Enables cross-enterprise legal discovery of data and content
● Atlas Global Retention Policy and Schedule Management – Manages enterprise policies for retention and deletion, to reduce expense and exposure in legal cases
● Atlas Retention for Employees – Brings business knowledge into the retention process, to inform system of data that contains (or does not contain) business value or duty
● Atlas eDiscovery Process Management – Helps automate the workflows in legal discovery activities
Use Case: Chief Risk Officer

GOAL: QUANTIFY AND REDUCE RISK EXPOSURE

KEY OBJECTIVES
● Integrated view of risk across financial, operational and other domains
● Anticipating and avoiding unexpected loss

Impacts of Social Business
● Increased opportunities for financial or IP disclosure
● New entry vectors for attacks, including social engineering exploits
● Frictionless collaboration with attendant information velocity

Strategies / Tools / Services from IBM
● GBS Social Business GRC offering – Identify risks and apply mitigation strategies
● Atlas Policy Federation Framework and Connectors – Brings business knowledge into the retention process, to inform system of data that contains (or does not contain) business value or duty
● IBM Content Collector, IBM eDiscovery Manager – Enables cross-enterprise legal discovery of data and content
● IBM Content Analytics and Classification – Provides enhanced view of information and content, for improved risk awareness
Use Case: Chief Financial Officer

GOAL: RISK-ADJUSTED FORECASTING AND ALLOCATION

KEY OBJECTIVES
● Financial risk management
● Regulatory requirements
● Financial reporting (e.g. SOX)

Impacts of Social Business
● Increased opportunities for financial disclosure (e.g., “Quarter looks great!”)
● Rapid and unconstrained data growth may impact IT budget

Strategies / Tools / Services from IBM
● GBS Social Business GRC offering – Design policies based on role or identity, content, and mode
● Actiance Vantage for Connections and Sametime – Brings Connections/Sametime content into enterprise data corpus for
● IBM Content Analytics, IBM Classification Module – Enables analysis
● Atlas Global Retention Policy and Schedule Management – Manages enterprise policies for retention and deletion, to reduce IT expense
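"Design policies based on role or identity, content, and mode" is the practical answer both to the CFO's "Quarter looks great!" disclosure problem here and to the "internal firewall" conflict from the Dynamic Tension slide: the same words get a different verdict depending on who posts them, through which channel, and to whom. The following is an added example of such a policy check, written for this page; it is not IBM code and not how Actiance Vantage, Lotus Protector or the GBS offering evaluate content. The user directory, role names, barrier pairs, channel modes and the disclosure word list are all constructed for the example.

```python
"""Role/content/mode policy check for a social post (added example, not IBM code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import Enum, IntEnum


class Mode(Enum):
    INTERNAL_DM = "internal-dm"                # one-to-one, inside the enterprise
    INTERNAL_COMMUNITY = "internal-community"  # wide internal audience
    EXTERNAL_PUBLIC = "external-public"        # public social network


class Verdict(IntEnum):
    ALLOW = 0
    LOG = 1    # deliver, but archive with a compliance marker
    FLAG = 2   # deliver, but route a copy to compliance review
    BLOCK = 3  # do not deliver


# Constructed directory: user -> roles (in practice this comes from the identity system).
DIRECTORY: dict[str, frozenset[str]] = {
    "cfo": frozenset({"finance", "executive"}),
    "auditor": frozenset({"finance", "audit"}),
    "analyst": frozenset({"research"}),
    "trader": frozenset({"trading"}),
    "dev": frozenset({"engineering"}),
}

# Constructed internal-firewall pairs: roles that must not communicate directly.
INTERNAL_FIREWALL = {frozenset({"research", "trading"})}

# Constructed content rule: terms that suggest an undisclosed financial result,
# and the roles for which such a statement is a disclosure risk.
FINANCIAL_DISCLOSURE = re.compile(r"\b(quarter|earnings|revenue|guidance|forecast)\b", re.IGNORECASE)
DISCLOSURE_ROLES = {"finance", "executive"}


@dataclass(frozen=True)
class Post:
    author: str
    mode: Mode
    text: str
    recipients: frozenset[str] = frozenset()  # named recipients, for direct messages


def evaluate(post: Post, directory: dict[str, frozenset[str]] = DIRECTORY) -> tuple[Verdict, list[str]]:
    """Combine identity (roles), content (text) and mode (channel) into one verdict.

    Returns the most severe verdict plus every rule that fired, so the decision
    can be logged and audited rather than just enforced.
    """
    author_roles = directory.get(post.author, frozenset())
    findings: list[tuple[Verdict, str]] = []

    # Rule 1: internal firewall. Checked for every recipient in every mode, so a
    # social channel cannot become a way around a wall that e-mail already enforces.
    for recipient in post.recipients:
        recipient_roles = directory.get(recipient, frozenset())
        for pair in INTERNAL_FIREWALL:
            side_a, side_b = tuple(pair)
            if (side_a in author_roles and side_b in recipient_roles) or (
                side_b in author_roles and side_a in recipient_roles
            ):
                findings.append((Verdict.BLOCK, f"internal firewall {side_a}/{side_b}: {post.author} -> {recipient}"))

    # Rule 2: financial disclosure. Same content, but the verdict scales with the
    # audience: public is blocked, a wide internal audience is reviewed, a direct
    # message is only recorded.
    if author_roles & DISCLOSURE_ROLES and FINANCIAL_DISCLOSURE.search(post.text):
        by_mode = {
            Mode.EXTERNAL_PUBLIC: Verdict.BLOCK,
            Mode.INTERNAL_COMMUNITY: Verdict.FLAG,
            Mode.INTERNAL_DM: Verdict.LOG,
        }
        findings.append((by_mode[post.mode], f"possible financial disclosure by {post.author} via {post.mode.value}"))

    if not findings:
        return Verdict.ALLOW, []
    return max(v for v, _ in findings), [reason for _, reason in findings]


if __name__ == "__main__":
    for post in (
        Post("cfo", Mode.EXTERNAL_PUBLIC, "Quarter looks great!"),
        Post("cfo", Mode.INTERNAL_COMMUNITY, "Quarter looks great!"),
        Post("cfo", Mode.INTERNAL_DM, "Quarter looks great!", frozenset({"auditor"})),
        Post("analyst", Mode.INTERNAL_DM, "Thoughts on the new model?", frozenset({"trader"})),
        Post("dev", Mode.EXTERNAL_PUBLIC, "Quarter looks great!"),
    ):
        verdict, reasons = evaluate(post)
        print(f"{verdict.name:5} {post.author:8} {post.mode.value:18} {reasons}")
```

The point of returning every rule that fired, not just the worst verdict, is auditability: a regulator or an internal audit asking why a message was blocked gets the identity, content and mode facts that produced the decision, which is the same evidence the retention and discovery tooling later needs.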
Use Case: Chief Information / Security Officer

GOAL: REDUCING IT EXPENSE AND RISK EXPOSURE

KEY OBJECTIVES
● Ensuring regulatory compliance in IT systems
● Reducing storage and admin costs
● Business continuity risk
● Vendor risk

Impacts of Social Business
● Increased opportunities for noncompliance in IT systems, with greater complexity of user/role access management
● Data growth that's difficult to apply lifecycle controls against, due to ad hoc/unstructured nature of data
● New vectors for attack, including social engineering and public social platform vulnerabilities

Strategies / Tools / Services from IBM
● Actiance Vantage for Connections and Sametime – Brings Connections content into enterprise data corpus
● Atlas Global Retention Policy and Schedule Management – Manages enterprise policies for retention and deletion, to minimize IT expense
● Atlas Retention for Employees – Brings business knowledge into the retention process, to inform system of data that contains (or does not contain) business value or duty
● IBM Security Services components/controls (Tivoli, Q1) – Protects against intrusions and threats originating from social vectors
Use Case: Chief Compliance Officer

GOAL: ENSURING REGULATORY COMPLIANCE

KEY OBJECTIVES
● Adherence to policy and procedures
● Managing regulatory exams, audits and requests
● Reducing cost for policy and control management

Impacts of Social Business
● Increased opportunities for noncompliance, with new modalities and unlimited ad hoc interactions
● New data sources and types that constitute business records, applicable to regulatory activities
● Greater complexity of business records, including data hosted on external applications

Strategies / Tools / Services from IBM
● Actiance Vantage for Connections and Sametime – Brings Connections content into enterprise data corpus
● Atlas Global Retention Policy and Schedule Management – Manages enterprise policies for retention and deletion, to minimize expense and exposure in compliance actions
● IBM Content Collector, IBM eDiscovery Manager – Enables cross-enterprise discovery of data and content for compliance actions
● Atlas eDiscovery Process Management – Helps automate the workflows in discovery activities for compliance actions
● Atlas Retention for Employees – Brings business knowledge into the retention process, to inform system of data that contains (or does not contain) business value or duty
Summary
■ GRC is a cross-functional imperative that addresses risks through policy, active management, and audit
■ Social Business offers unique challenges to GRC, but ultimately must be addressed within the larger GRC framework
■ Role-based GRC analysis is needed to design comprehensive, lasting GRC programs
Thank you!
Arthur Fontaine
Legal disclaimer
© IBM Corporation 2012. All Rights Reserved.
The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both.