Muni Chatarpal, CISM, CISSP, CEH
Security and Risk Management
Enbridge Energy Partners
June 15, 2010
Considerations for Implementing IT GRC
Meeting Agenda
- Problem Statement
- Our Solution
- Our Roadmap
- Key Discoveries
- Immediate Benefits
- Path Forward
Problem Statement
- Complex process
- Inefficient process
- Poor quality
- High cost of effort
- Lack of visibility
Our Solution
- People, Process, Technology
- Stakeholder analysis – create a RACI, identify ambassadors
- Develop the process and implement a phased approach (easy: <10% effort)
- Establish and adopt a common framework
- Map controls to assets
- Request evidence for critical assets
- Scope challenge – ‘don’t boil the ocean’
- IT asset repository
[Figure: ITRM Compliance Process cycle – Inventory → Plan and scope → Analyze and Report → Treat or Accept]
Our Solution
- Communication and awareness – Compliance Specialists, Control Owners, ASs
- Align methodologies – align RM strategies with audit methodologies; develop evidence collection guidelines to build synergies with existing collection methods
- Start with basic assessment functionalities and automate where possible
- Utilize web-based questionnaires instead of manual assessment techniques to automate the self-assessment process
- Provide the capability to capture evidence
Our 2010 Roadmap
[Figure: timeline of risk management capability over time]
- Q1 2009: ITRM policy adopted
- Q3 2009: Compliance process developed
- Q4 2009: ITRM solution implemented
- Q1 2010: Assessment completed
- Q1–Q4 2010: Assessments in progress; quarterly reports
- Jan 2011: 121 IT assets checked for ITRM compliance; full reports produced
- 2011: Phase II – enhanced reporting and risk assessments
Key Discoveries
- Don’t overwhelm Control Owners
- Enable Control Owners by using automation
- Quality-control the first assessment
- Audit is an enabler
- The asset repository can be challenging
- Incremental approach
- Train and engage
Immediate Benefits
- Improved quality of assessments
- Increased efficiency through utilization of consistent processes
- Control Owner engagement
- Compliance reporting
Path Forward
- Integration with other areas and compliance mandates (SOX, PCI, NERC/FERC, TSA PSG, API 1164, PIPEDA, etc.)
- Integration of TRA (Threat Risk Assessments)
- Remediation tracking and exception management
- Leverage integration with 3rd-party tools (VA, ticketing)
- Improved reporting
Questions