
Page 1

Muni Chatarpal, CISM, CISSP, CEH
Security and Risk Management
Enbridge Energy Partners
June 15, 2010

Considerations for Implementing IT GRC

Page 2

Meeting Agenda

Problem Statement
Our Solution
Our Roadmap
Key Discoveries
Immediate Benefits
Path Forward

Page 4

Our Solution

People, Process, Technology
Stakeholder Analysis – Create RACI, Identify Ambassadors
Develop process and implement phased approach (Easy: <10% effort)
Establish and adopt a common framework
Map controls to assets
Request evidence for critical assets
Scope Challenge – ‘don’t boil the ocean’
IT Asset Repository

ITRM Compliance Process:
Inventory
Plan and scope
Analyze and Report
Treat or Accept

Page 5

Our Solution

Communication and Awareness – Compliance Specialists, Control Owners, ASs
Align Methodologies – align RM strategies with audit methodologies
Develop evidence collection guidelines to build synergies with existing collection methods
Start with basic assessment functionalities and automate where possible
Utilize web-based questionnaires instead of manual assessment techniques to automate the self-assessment process
Provide capability to capture evidence

Page 6

Our 2010 Roadmap (timeline; vertical axis of the original chart: Risk Management Capability)

Q1 2009: ITRM policy adopted
Q3 2009: Compliance process developed
Q4 2009: ITRM Solution implemented
Q1 2010: Assessment completed
Q1–Q4 2010: Assessments in progress. Quarterly reports.
Jan 2011: 121 IT assets checked for ITRM compliance. Full reports produced.
2011: Phase II – Enhanced reporting & Risk Assessments

Page 7

Key Discoveries

Don’t overwhelm Control Owners
Enable Control Owners by using automation
Quality Control the first assessment
Audit is an enabler
Asset repository can be challenging
Incremental approach
Train and engage

Page 8

Immediate Benefits

Improved quality of assessments
Increased efficiency through utilization of consistent processes
Control Owners engagement
Compliance reporting

Page 9

Path Forward

Integration with other areas and compliance mandates (SOX, PCI, NERC/FERC, TSA PSG, API 1164, PIPEDA, etc.)
Integration of TRA (Threat Risk Assessments)
Remediation Tracking and exception management
Leverage integration with 3rd party tools (VA, Ticketing)
Improved Reporting

Page 10

Questions
