Page 1

Microsoft Governance, Risk and Compliance Management Suite

Marilee Byers, Director, Corporate Finance
Jerry Leishman, Senior Program Manager, Compliance Solutions

MICROSOFT CONFIDENTIAL

Page 2

Presentation Goals
• What is the Microsoft GRC story
• Risk and Compliance Management Suite overview
• Demo
• How to get involved?
• Q&A

Page 3

Microsoft GRC Solution Areas
• Regulatory Compliance & Controls
• Risk Analytics & Reporting
• Security & Privacy
• Business Continuity
• Document & Records Management

(Diagram product labels: Excel Server 2007, BitLocker)

Page 4

Service Manager - The Power is in the Integration (diagram)

Connectors and integrated capabilities shown:
• Asset Management
• Self Service IT
• Business Intelligence
• Automate and Deploy
• Capacity and Utilization
• Inventory and Usage
• Alert Management
• Incident and Problem
• Workflows
• Knowledge Base
• Data Warehouse
• CMDB
• Active Directory
• Change
• Compliance and Risk

MICROSOFT CONFIDENTIAL

Page 5

GRC Taxonomy (terminology, description, example)

GRC Authority Document
  Ex: SOX, HIPAA, PCI, EUDPD, ISO, GLBA, corporate policy, etc.

Unified Compliance Framework
  Hierarchical framework that harmonizes (consolidates) compliance requirements from hundreds of Authority Documents into the smallest possible set of unique requirements.

Program
  Logical grouping containing compliance data (COs/CAs), risks, automated tests, and the applicable scope of assets. Includes remediation and reporting across the program.
  Ex: East Coast Sarbanes-Oxley Program

Control Objective (CO)
  A harmonized statement of expectations from GRC Authority Documents containing requirements. These can be people, process or technology controls. Basically "what" needs to be accomplished.
  Ex: CO 04544: Synchronize system clocks

Control Activity (CA)
  Guidance containing instructions and parameters to meet the expectations of Control Objectives. Usually specific to a technology, business process, or organization.
  Ex: CCA: Configure Windows Time Service; OCA: Monitor Windows Time Service; PCA: Network Time Protocol Policy

Control Activity Test
  Windows Workflow Foundation workflows that apply parameters, thresholds, and scope to data collected with System Center products to validate that the associated CAs remain within expected parameters. These can be manual or automated.
  Ex:
  • Ensure the Windows Time Service is running
  • Ensure the NtpClient has an accurate source of time
  • Ensure the required policy has been specified and remains available

Library (Reusable)
  Compliance information stored as templates which can be instantiated with specific values and parameters in a program.
  Ex: Microsoft Control Activity Library.XML (Management Pack)
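The three example tests under "Control Activity Test" (service running, NtpClient source, policy present) map directly onto a script a compliance engineer would run on a target host. The function below is an added illustration and is not code from the deck or from the Compliance and Risk PMP; it assumes the expected NTP peer (`time.corp.example`, a placeholder) and the Group Policy registry location for W32Time are parameters that the program supplies, and it returns one pass/fail record per check rather than printing, so the output can be fed into a workflow or dashboard.

```powershell
# Added example, not from the slides: a control activity test for
# CO 04544 "Synchronize system clocks", implemented in PowerShell.
# Assumptions (not from the deck): the expected NTP source and the policy
# registry key below are placeholders supplied by the compliance program.

function Test-TimeSyncControl {
    [CmdletBinding()]
    param(
        # Placeholder expected NTP peer; the real value comes from the program's PCA.
        [string]$ExpectedSource = 'time.corp.example',
        # Registry key populated by the W32Time Group Policy (assumed location).
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
    )

    $results = New-Object System.Collections.Generic.List[object]

    # Records one check in a uniform shape (host and UTC timestamp included
    # so the record can be stored with other compliance evidence).
    function Add-Result([string]$Name, [bool]$Passed, [string]$Detail) {
        $results.Add([pscustomobject]@{
            ControlObjective = 'CO 04544 Synchronize system clocks'
            Check            = $Name
            Passed           = $Passed
            Detail           = $Detail
            Host             = $env:COMPUTERNAME
            CheckedUtc       = (Get-Date).ToUniversalTime()
        })
    }

    # Check 1 (CCA: Configure Windows Time Service): the W32Time service is running.
    $svc = Get-Service -Name W32Time -ErrorAction SilentlyContinue
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    Add-Result 'Windows Time Service is running' $running `
        $(if ($svc) { "Status=$($svc.Status)" } else { 'service not found' })

    # Check 2 (OCA: Monitor Windows Time Service): NtpClient syncs from the expected
    # source, not from the local CMOS clock or a free-running system clock.
    $source = ''
    try {
        $source = (& w32tm.exe /query /source 2>&1 | Out-String).Trim()
    } catch {
        $source = "w32tm unavailable: $($_.Exception.Message)"
    }
    $localClock = $source -match 'Local CMOS Clock|Free-running System Clock'
    $sourceOk = (-not $localClock) -and ($source -like "*$ExpectedSource*")
    Add-Result 'NtpClient has an accurate source of time' $sourceOk "Source=$source"

    # Check 3 (PCA: Network Time Protocol Policy): the required policy is present.
    $policyValue = $null
    if (Test-Path -Path $PolicyKey) {
        $policyValue = (Get-ItemProperty -Path $PolicyKey -Name NtpServer `
            -ErrorAction SilentlyContinue).NtpServer
    }
    $policyOk = -not [string]::IsNullOrWhiteSpace($policyValue)
    Add-Result 'Required NTP policy is specified and available' $policyOk `
        $(if ($policyOk) { "NtpServer=$policyValue" } else { "no NtpServer value under $PolicyKey" })

    return $results
}

# Usage: list each check, then compute the overall verdict for the CO.
$checks = Test-TimeSyncControl
$checks | Format-Table Check, Passed, Detail -AutoSize
$overall = -not ($checks | Where-Object { -not $_.Passed })
"CO 04544 compliant on $env:COMPUTERNAME: $overall"
```

Each check corresponds to one control activity type from the table (CCA, OCA, PCA), which is what lets the same script be copied from a library and re-parameterised per program: only `$ExpectedSource` and `$PolicyKey` change between environments, while the evidence records keep the same shape for reporting.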

Page 6

Governance, Risk & Compliance - Problem / Opportunity (diagram)

Flow from requirements to validation:
• GRC Authority Docs (requirements: SOX, eSOX, PCI, ITIL, HIPAA, COBIT, etc.)
• Harmonized Framework: ~350 Authority Docs in UCF, ~24K requirements, ~2400 unique controls, ~139 satisfied by WS
• Control Objectives (people, process, technology): business risks & objectives, the "what"/requirement (e.g., complex password)
• Control Activities: the technical goal (the "how"), for MS and non-MS technology
• Test Automation: validation on System Center, WS 2008, Windows 7
• Reporting & Corrective Actions: GRC Incident/Issue, GRC Dashboard, GRC Report
• Continuous Monitoring & Reporting

Other diagram labels: Policy Churn, Tech Churn, $1 Trillion (US), Compliance & Risk PMP & IT Compliance Mgmt Toolkit

Page 7

Compliance and Risk PMP

• OOB PMP for Svc Mgr that offers:
  − GRC Program Management
  − Control Management
  − Risk Management
  − Policy & Procedure Mgmt
  − GRC Incident Management
  − Excel, SharePoint integration

• By extending Service Manager with:
  − New item classes and relations
  − Forms, views, dashboards
  − Reports
  − Web parts

• And acts as a host for:
  − UCF controls & mappings (built-in for IT GRC)
  − 3rd-party control activities and workflows, such as:
    − Microsoft IT Compliance Mgmt Library
    − Partner knowledge libraries

Control activities in the library are like templates: they are copied and customized by the customer, and each copy applies to a collection of hosts or services in the customer's environment.

Page 8

GRC Management Suite Architecture (diagram)

• System Center / Service Manager: SM Data Warehouse; Configuration Management, Change Management, Problem Management, Incident Management; Svc Mgr Console used by Compliance Managers
• Compliance and Risk Process Management Pack (C&R PMP): Program Management, Control Management, Risk Management, GRC Incident Management, Document Management (doc types: Authority Docs, Policy Docs)
• IT Compliance Management Library (MS, customer or partner), the C&R PMP IT Library: Control Activity Library, Test Automation Framework, Policy Library, Risk Library, Knowledge Library, UCF Control Library
• MS, Customer & Partner Knowledge Libraries
• Connectors (Linking Fx) to Target Hosts: GRC Config Packs, GRC Mgmt Packs, GRC LOB Packs (SAP, Oracle, etc.), GRC Infra Packs (Linux, Unix, etc.)
• SharePoint Portal for Compliance Users: Compliance and Risk Reports

Page 9

Business Partner Perspective

• Objectives
  − Support compliance programs
  − Improve integration with automated controls
  − Migrate to one GRC platform to leverage compliance efforts across the company

• Engagement
  − Provide business requirements
  − Provide iterative input to design and configuration
  − Balance Microsoft specifics against more general needs
  − Anticipate pilot program in FY11

Page 10

Demo

Page 11

Product Release Schedule

• Currently in Public Beta, based on Service Manager Beta 2
• Future:
  − Release Candidate - April 2010
  − RTW target - 60 days after Service Manager RTM (CY2010-Q3)

Page 12

Opportunities to Get Involved

• Provide feedback directly to Microsoft
• Download and evaluate the solution
• Join the TAP and RDP programs
• MS demo to your organization: schedule a 1-hour Live Meeting
• Participate in MS GRC Summits
• Provide the customer voice and influence MS

Page 13

How to Get Connected?

1. Download and evaluate the solution: https://connect.microsoft.com/SelfNomination.aspx?ProgramID=2733&pageType=1&SiteID=446
2. Join the RDP early adopter program: contact Jerry Leishman ([email protected])
3. Become a GRC Partner (ISV, SI, Consultant, Trainer): contact Jerry Leishman ([email protected])

Page 14

Questions?