Inv306 going social in a world of grc v.1.1

Posted: 19-Oct-2014
Category: Technology


Description: Lotusphere 2012 INV306 -- Going Social In A World of GRC

Transcript of Inv306 going social in a world of grc v.1.1

Page 1: Inv306 going social in a world of grc v.1.1

© 2012 IBM Corporation

INV306 Going Social in a world of Governance, Risk Management, and Compliance (GRC)

Arthur Fontaine | Program Director | IBM Collaboration Solutions

Page 2

IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Page 3

Agenda

■ GRC – What is it, and why is it important?

■ Collaboration in a GRC world

■ Functional perspectives to GRC

Page 4

Governance – Setting policies for risk in the organization
Focus: ● Regulations ● Contractual Duties ● Business Strategy

Risk Management – Limiting actions to within risk tolerance
Focus: ● Education/certification ● Security and Defense ● Information Lifecycle

Compliance – Confirming adherence to policies
Focus: ● Audit ● Ediscovery ● Documentation

Page 5

A role-based approach to GRC

Chief Legal Officer
Goal: Reduce legal exposure
Concerns: ● Identifying legal risks ● Reducing exposure from retention of unnecessary information ● Anticipating and managing discovery tasks

Chief Risk Officer
Goal: Quantify and reduce risk exposure
Concerns: ● Integrated view of risk across financial, operational and other domains ● Anticipating and avoiding unexpected loss

Chief Financial Officer
Goal: Manage risk-adjusted forecasting and allocation
Concerns: ● Financial risk management ● Regulatory requirements ● Financial reporting (e.g. SOX)

Chief Information Officer
Goal: Reduce IT expense
Concerns: ● Guarding against intrusions and malware ● Reducing storage and admin costs ● Ensure business continuity

Chief Information Security Officer
Goal: Reduce IT risk exposure
Concerns: ● Anticipating and avoiding threats and breaches ● Managing records lifecycles in IT systems ● Driving content policies

Chief Compliance Officer
Goal: Ensure regulatory compliance
Concerns: ● Adherence to policy and procedures ● Managing regulatory exams, audits and requests ● Reducing cost for compliance management

Page 6

GRC Framework

Page 7

GRC – IBM Reference Architecture

[Architecture diagram; text labels recovered from the figure, in the order they appear:]

Internal Audit, Financial Reporting, Policy & Compliance, Vendor Risk, Business Continuity, IT Security Risk, IT Risk, Operational Risk, ALM & Liquidity Risk, Market Risk, Credit Risk

GRC Management*

Database, Applications, Network, Endpoint, Access and IM

KRI Mgmt, Loss Event Data, Industry Content, Trusted Risk Information Warehouse, Consolidated Risk Data, Results Datamart

Whistle Blower, Legal Case Mgmt, Asset Mgmt, Records Mgmt, Training, Seg of Duties, Fraud Monitoring, Cntll Monitoring, AML

GRC Execution

CRO, CIO, CCO, CFO

Operational Systems

GRC Analytics*

Strategic GRC Consulting, GRC Implementation Services, Operational Change Mgmt Services

GTS, GBS, SWG-Lab, GBS/BAO Services

Information Lifecycle Governance

Operations Lifecycle Management

Page 8

Agenda

■ GRC – What is it, and why is it important?

■ Collaboration in a GRC world

■ Functional perspectives to GRC

Page 9

IBM Social Business Capabilities

[Capability diagram; text labels recovered from the figure, in the order they appear:]

Social Networking, Social Content, Social Analytics

Open Standards

Workload-Optimized Systems

Envision, Enable, Adopt, Optimize

Reach, Engage, Discover, Integrate

Owned social networks; Identity systems; Social network connectors; Content services; Engagement apps & svcs.; Monitoring; Optimization; Analytics; Communication channels

Governance and Lifecycle; Information Management; Process Management

Social BPM; Connectors; MDM; Information integration; Info. lifecycle gov.; Rules; ESB; Data warehousing; Security; Community gov.; Mobile

Page 10

“Dynamic Tension” – Social Business and GRC impacts

Columns: Benefits of Social Business | Impacts on Governance, Risk, and Compliance | C-level roles impacted

Benefit: Instant access to professional experts and networks
Impacts: ● Directly conflicts with regulatory “internal firewall” requirements
Roles: CFO, CRO, CCO, CISO

Benefit: Multi-modal communications
Impacts: ● Multiplies the channels, volume, and velocity that have to be monitored, logged, audited, discovered ● Complicates identity and access management
Roles: CIO, CISO, CLO

Benefit: Access to public data sources and applications
Impacts: ● Creates risk of releasing or procuring information improperly ● Adds threat exposures
Roles: CLO, CRO, CCO, CIO

Benefit: Mobile access to enterprise 'big data'
Impacts: ● Places core enterprise IP in uncontrolled environments
Roles: CIO, CISO

Benefit: Rich information about people and projects
Impacts: ● Allows better targeted threats ● Updates can be studied to reveal patterns and clues
Roles: CISO, CCO, CRO

Common customer request: “How can you help us deploy your social business solutions in a way that doesn't break the GRC regime we've constructed over the years?”

Page 11

Enterprises understand unique GRC issues

Columns: Customer statements (Issue) | Representative IBM Offerings | Mitigation

Issue: We lack an overall social business policy for our enterprise
Offerings: ● Atlas Policy Federation Framework ● Atlas Global Retention Policy and Schedule Management
Mitigation: Develop an enterprise-wide social business policy & governance model

Issue: Expands the universe of things I need to enforce policy on (monitor, retain, discover, and dispose)
Offerings: ● Actiance Vantage for Connections and Sametime ● IBM Content Collector, IBM eDiscovery Manager ● Atlas Governance for IT
Mitigation: Expanded policy management and enforcement tools to modify behaviors, raise risk awareness

Issue: Raises challenges of managing within regulated industries
Offerings: ● Atlas Governance for IT ● Tivoli Identity Manager ● Tivoli Content Manager
Mitigation: Identity/access management tools need to be extended to social applications

Issue: Raises risk and velocity of content leaks
Offerings: ● QRadar SIEM/Risk Manager ● Lotus Protector ● InfoSphere Guardium db Security ● InfoSphere Optim Data Masking
Mitigation: Content inspection solutions must prevent leaks, flag inappropriate behaviors

Issue: Breaks existing security / compliance regimes such as internal firewalls
Offerings: ● Atlas Policy Federation Framework ● IBM Information Lifecycle Governance ● Lotus Protector ICAPI
Mitigation: Tools must reuse and extend existing security/compliance regimes for social content

Issue: Creates new vectors of attack and raises risk of social engineering exploits
Offerings: ● Tivoli Network Intrusion Prevention ● Tivoli Endpoint Manager
Mitigation: Security systems must identify, and protect against, social business attacks and exploits

Page 12

IBM Information Lifecycle Governance (ILG)

The ILG solution portfolio enables customers to:
● effectively retain and archive information
● efficiently meet eDiscovery obligations
● defensibly dispose of information
to lower both cost and risk.

Page 13

Information Lifecycle – it is a process...

Of all the information and content generated in any organization, only the right information has to be retained. But which is the right one?

Stages: Create, Collect, Analyze, Archive, Discover, Dispose

Risk: Cost of lost evidence; inability to comply with regulatory requirements

Risk: Cost of storage

Page 14

Agenda

■ GRC – What is it, and why is it important?

■ Collaboration in a GRC world

■ Functional perspectives to GRC

Page 15

Use Case: Chief Legal Officer

KEY OBJECTIVES
● Identifying legal risks
● Reducing exposure from retention of unnecessary information
● Anticipating and managing legal discovery tasks

Impacts of Social Business
● Increased opportunities for legal risks, due to new communication modes and unlimited ad hoc interactions
● New data sources and types that constitute business records (must be discoverable per FRCP)
● Greater complexity of business records, including data hosted on external applications/platforms

Strategies / Tools / Services from IBM
● Actiance Vantage for Connections and Sametime – Brings Connections/Sametime content into enterprise data corpus
● IBM Content Collector, IBM eDiscovery Manager – Enables cross-enterprise legal discovery of data and content
● Atlas Global Retention Policy and Schedule Management – Manages enterprise policies for retention and deletion, to reduce expense and exposure in legal cases
● Atlas Retention for Employees – Brings business knowledge into the retention process, to inform system of data that contains (or does not contain) business value or duty
● Atlas eDiscovery Process Management – Helps automate the workflows in legal discovery activities

GOAL: REDUCE LEGAL EXPOSURE

Page 16

Use Case: Chief Risk Officer

KEY OBJECTIVES
● Integrated view of risk across financial, operational and other domains
● Anticipating and avoiding unexpected loss

Impacts of Social Business
● Increased opportunities for financial or IP disclosure
● New entry vectors for attacks, including social engineering exploits
● Frictionless collaboration with attendant information velocity

Strategies / Tools / Services from IBM
● GBS Social Business GRC offering – Identify risks and apply mitigation strategies
● Atlas Policy Federation Framework and Connectors – Brings business knowledge into the retention process, to inform system of data that contains (or does not contain) business value or duty
● IBM Content Collector, IBM eDiscovery Manager – Enables cross-enterprise legal discovery of data and content
● IBM Content Analytics and Classification – Provides enhanced view of information and content, for improved risk awareness

GOAL: QUANTIFY AND REDUCE RISK EXPOSURE

Page 17

Use Case: Chief Financial Officer

KEY OBJECTIVES
● Financial risk management
● Regulatory requirements
● Financial reporting (e.g. SOX)

Impacts of Social Business
● Increased opportunities for financial disclosure (e.g., “Quarter looks great!”)
● Rapid and unconstrained data growth may impact IT budget

Strategies / Tools / Services from IBM
● GBS Social Business GRC offering – Design policies based on role or identity, content, and mode
● Actiance Vantage for Connections and Sametime – Brings Connections/Sametime content into enterprise data corpus for
● IBM Content Analytics, IBM Classification Module – Enables analysis
● Atlas Global Retention Policy and Schedule Management – Manages enterprise policies for retention and deletion, to reduce IT expense

GOAL: RISK-ADJUSTED FORECASTING AND ALLOCATION

Page 18

Use Case: Chief Information / Security Officer

KEY OBJECTIVES
● Ensuring regulatory compliance in IT systems
● Reducing storage and admin costs
● Business continuity risk
● Vendor risk

Impacts of Social Business
● Increased opportunities for noncompliance in IT systems, with greater complexity of user/role access management
● Data growth that's difficult to apply lifecycle controls against, due to ad hoc/unstructured nature of data
● New vectors for attack, including social engineering and public social platform vulnerabilities

Strategies / Tools / Services from IBM
● Actiance Vantage for Connections and Sametime – Brings Connections content into enterprise data corpus
● Atlas Global Retention Policy and Schedule Management – Manages enterprise policies for retention and deletion, to minimize IT expense
● Atlas Retention for Employees – Brings business knowledge into the retention process, to inform system of data that contains (or does not contain) business value or duty
● IBM Security Services components/controls (Tivoli, Q1) – Protects against intrusions and threats originating from social vectors

GOAL: REDUCING IT EXPENSE AND RISK EXPOSURE

Page 19

Use Case: Chief Compliance Officer

KEY OBJECTIVES
● Adherence to policy and procedures
● Managing regulatory exams, audits and requests
● Reducing cost for policy and control management

Impacts of Social Business
● Increased opportunities for noncompliance, with new modalities and unlimited ad hoc interactions
● New data sources and types that constitute business records, applicable to regulatory activities
● Greater complexity of business records, including data hosted on external applications

Strategies / Tools / Services from IBM
● Actiance Vantage for Connections and Sametime – Brings Connections content into enterprise data corpus
● Atlas Global Retention Policy and Schedule Management – Manages enterprise policies for retention and deletion, to minimize expense and exposure in compliance actions
● IBM Content Collector, IBM eDiscovery Manager – Enables cross-enterprise discovery of data and content for compliance actions
● Atlas eDiscovery Process Management – Helps automate the workflows in discovery activities for compliance actions
● Atlas Retention for Employees – Brings business knowledge into the retention process, to inform system of data that contains (or does not contain) business value or duty

GOAL: ENSURING REGULATORY COMPLIANCE

Page 20

Summary

■ GRC is a cross-functional imperative that addresses risks through policy, active management, and audit

■ Social Business offers unique challenges to GRC, but ultimately must be addressed within the larger GRC framework

■ Role-based GRC analysis is needed to design comprehensive, lasting GRC programs

Page 21

Thank you!

Please remember to fill out your evaluations

Arthur [email protected]

Page 22

Legal disclaimer

© IBM Corporation 2012. All Rights Reserved.

The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both.