
IT GRC Solution Overview - Oxial · 2017-07-13


IT organisations operate in a complex, vulnerable, and rapidly changing environment. Their mandate spans from managing business critical processes and a multitude of technologies to operating in a virtual ‘Cloud’ environment. This complexity, together with cost-reduction imperatives, has driven many organisations to outsource part of their services, where data, processing, or even the services themselves are managed by a third party. This distribution of roles, the resulting inter-connections, and the exposure to growing cyber-attacks add tremendous levels of risk. What used to be manageable by a single person in charge of “security” may now require 10 different experts.

A bottom-up approach, whereby individuals manage risks at their own level, has unfortunately reached its limits. Whilst it is the most natural and easy approach, it does not guarantee an integrated view and governance of all IT risks. The collection of information is painful and tedious. Collaboration tools are also often inefficient at identifying new risks or assessing a risk increase and its impact. Michael Rasmussen, the GRC Pundit, pointed out that “A reactive approach leads to more exposure and vulnerability”. This results in a negative impact on the business, which in turn can mean higher costs or even public disclosure of the failure.

Many organisations have called on IT consulting firms to help them understand the nature and magnitude of their risks. The outcome is often that IT organisations need to implement a real “IT governance” framework: sustainable, integrated, agile,

www.oxial.com

[Figure: The Sliding Scale of Cyber Security, plotting cost against value across five categories: Architecture, Passive Defense, Active Defense, Intelligence, Offense. Cost is inversely proportional to the added value of new tools necessary to react to new threats. Source: SANS Institute, 2015, The Sliding Scale of Cyber Security]

IT GRC Solution Overview

Over the past twenty years, Information Technology (IT) has become more and more central to business.


IT RISK MANAGEMENT STARTS WITH EFFECTIVE GOVERNANCE:

Because IT risks are now business risks, with business consequences, organisations must adapt the way they manage those risks. This is not a matter contained within the “IT Department”. It requires an effective risk management capability, a common language, and a common framework for decisions and controls. The result is fewer fires to fight, lower costs, and a re-focus on more productive activities such as creating business value.

Specifically, businesses need to take a business risk management centric approach, one that incorporates IT GRC into an integrated, responsive, company-wide GRC system. This puts IT risks alongside other GRC risk factors, allowing decision makers to implement solutions that can tackle any vulnerabilities stemming from the interaction of IT and other GRC risks. In other words, by incorporating IT GRC into a company’s overall GRC framework, employee interactions are moulded from the bottom up, with checks at all levels and types of access points. Sticking-plaster solutions on existing IT frameworks that do not incorporate GRC considerations are no longer the preferred solution.

Another advantage of organising IT GRC in this manner is that it makes securing resources for IT frameworks and security budgeting easier. Management then views IT GRC as a fundamental consideration that affects operations, which in turn enables synergy between management and IT departments. This business risk management centric approach is better than the common technology-centric approach, in which management delegates all IT issues (and therefore all potential IT GRC issues) to technology departments. Those departments operate firmly at a technology-centric, patch-work solution level, thus only further exacerbating any system-wide IT GRC vulnerabilities.

THE SOLUTION

That is why OXIAL developed a new version of its “IT GRC” solution, based on years of experience managing IT systems and collaborating with Information Security experts, including Cyber Security experts. The OXIAL solution proposes an innovative approach covering the best practices of the industry, exclusively focused on IT risks and needs, to help Executives and Management make better, more informed, risk-adjusted decisions. Conscious of the imperatives of cost and Return-on-Investment, our solution can be implemented progressively and constraint-free. It is based on the COBIT IT framework and is also COSO compliant. Specially designed with IT departments and IT services companies in mind, OXIAL IT GRC offers “Risk”, “Audit” and “Control” modules, or “Information Security” modules focused on an IT Governance approach, for either the Financial Services or the Insurance industry. It allows quantitative and qualitative measurement of risks and their financial impact, thus reducing human errors, fraud, or quality issues.

KEY BENEFITS

OXIAL IT GRC has been designed to provide the following benefits:

• Gives your organisation a real-time and integrated view of all risks, including IT risks.
• Establishes a common taxonomy across the company via shared libraries of definitions.
• Harmonises IT controls, reducing duplication of effort and overheads.
• Measures and quantifies IT risks, informing decisions regarding risk transfer and insurance.
• Provides end-to-end guidance on how to manage IT-related risks.
• Integrates with the overall risk and compliance structures within the enterprise.
• Realises up to 70% saving in time and effort when using existing tools to address business risks.
• Reduces the control workload by 25% and control incidents by up to 70%.

Modules: RISK · AUDIT · CONTROL


OXIAL SA 111 rue de Lyon 1203 Geneva Switzerland +41 (0)22 591 19 70

OXIAL UK 60 Cannon Street London EC4N 6NP UK +44 (0)20 3289 4206

Oxial Morocco Immeuble ABROUN Rue Oued Beht Agdal 10000 Rabat, Morocco +212(0)5 38 00 86 31

OXIAL France 100 Avenue Charles de Gaulle 92200 Neuilly-sur-Seine France +33 (0)9 73 63 32 97

FUNCTIONAL COVERAGE

OXIAL GRC provides a balanced view of an enterprise’s IT-related business risks: it brings together all aspects of IT risk, including availability, security, project management and disaster recovery, and links them with enterprise-wide risk management concepts and approaches such as COSO and COBIT. It offers a single, comprehensive view of IT-related business risks, which can cost companies literally millions annually in lost revenues and opportunities. Reports and dashboards allow you to keep a 360-degree view of your risk and compliance processes.

• All processes and reports/data are stored in one single repository.
• Imports and exports data from and to 3rd-party solutions for accurate consolidation of compliance and risk reports.
• Links to business risk management approaches.
• Uses an end-to-end business process performance approach.
• Integrates silos of technology risk management.
• Provides practical stand-alone guidance; leverages COBIT and COSO.
• Includes a Risk Management framework and best practice guidance.

Follow up the entire control processes from an IT point of view.

• Access registration
• Firewall intrusions
• Capacity planning
• IT production
• Resources supervision and management
• Control of suppliers and service providers
• IT project management risks
• Complaints
• Information Security Module (requires additional module)
• Organisational management (workflows)
• Resources management
  - People
  - Groups
  - Processes
• Risk register management
• Risk measurement (qualitative and quantitative)
• Action plan management and follow-ups
• Audit follow-up
• Internal and external audit
• Follow-up of audit recommendations

ABOUT OXIAL

Oxial, a Swiss company, is seen by analysts as a “New Generation GRC Solution” that meets the needs of the changing market paradigm in the Governance, Risk and Compliance software market. Oxial has offices in Switzerland, the United Kingdom, France and Morocco and already serves over 40 customers in Europe and Africa, ranging from Financial Services to Manufacturing. Top advisory firms such as Ernst & Young, CGI and PwC have chosen OXIAL for their customers.

WHAT CUSTOMERS AND PARTNERS SAY

Paul Bonhomme PwC

“Oxial IT GRC solution offers one single repository of controls best practices based on a best of breed of ISO27005 and COBIT 4.1 controls.”

Michael Rasmussen GRC Pundit

“I have long argued that IT GRC is much more than security. You are putting more into the G of IT GRC than others are in this context.”
