Archive for July, 2009|Monthly archive page
Earl Perkins of Gartner defines “policy”
Pravin Kothari
It seems Earl Perkins of Gartner also has issue with confusing and over used terms. Here is his recent blog covering the many definitions of “policy” in security and GRC. It is very true that we technology professionals often just assume others speak our language. This is not the case even for people within the small community of security and GRC professionals.
Forrester’s blog on compatibility of IT Risk and ERM
Filed under: Uncategorized | Tags: enterprise risk, ERM, Forrester, IT risk, Risk Management
Leave a Comment Pravin Kothari
Chris McClean of Forrester posted an interested blog on the compatibility of IT Risk and ERM applications. He made a great observation that traditional ERM tools don’t do a good job for IT risk. A true “enterprise-wide” risk management platform needs to handle both types of risks equally well. This is certainly a very good point for us to drill down here on this blog. I will pick up this topic right after I’m done with the current series on automation… if Chris doens’t do it first 
Ian Glazer’s Privacy Mirror experiment in Facebook
Filed under: Uncategorized | Tags: Burton Group, privacy, social networking
Leave a Comment
Pravin Kothari
Canada’s Assistant Privacy Commissioner Elizabeth Denham released a report on privacy concerns against Facebook recently. This report was covered by many reporters and bloggers, so I won’t attempt to summarize it again. You can always follow the link to read more. Ian Glazer, an analyst from Burton Group covering privacy has done an interesting experiment on Facebook testing out these concerns using a custom application. The findings are not surprising, but still interesting. You can find Ian’s blog here: tuesdaynight
Pravin Kothari
Collaboration and….. why not SharePoint?
Filed under: Technology | Tags: Automation, collaboration, document management, process automation, workflow
Comments (2) Pravin Kothari
Collaboration is the last part of process automation. We briefly touched on it when we discussed assessment. Collaboration is an essential part of GRC because GRC is hardly black and white. GRC is all about different shades of gray. Each organization has to decide for itself which shade of gray is appropriate in each case, whether the topic is compliance level, acceptable risk, or compensating control. The process of coming up with an agreement around policy, procedures, controls, and risk require collaboration among different stakeholders including process owners from the business side.
Collaboration is a mature product category in its own right. Lotus Notes was probably the first major software that started the category as we know it today. In the last few years with the emergence of social networking and the maturity of portal technologies, many of the major software vendors started to use the term Enterprise 2.0 to describe a combination of collaboration, social networking, content management, unified communication and portal technologies. It’s not the best use of our time here to do a deep dive on the various collaboration technologies. You can read Wikipedia or Oracle and IBM’s middleware web sites as well as I can. Instead, let’s dive into 2 questions specific to GRC and collaboration technologies:
- What is unique to collaboration technologies when applied to GRC?
- Why is a generic collaboration tools like SharePoint not sufficient for GRC use? Why does a GRC tool requires integrated collaboration capabilities?
Collaboration and workflow are two separate technologies, even with workflow’s new fancy term “business process automation”. Collaboration technologies are typically used where lots of people are involved and their interactions are more free formed. There is usually no well defined end-to-end process involved, and there is little structure around task and data ownership. In many cases, there are not even clearly defined objectives for the collaboration. Wiki is a good example of that. On the other hand, workflow is used for structure processes. There is usually at least one well defined path for how different tasks and events should happen, who is responsible for each step in the workflow, and each workflow has a start and an end. Workflow naturally fits into many of the business processes, especially transaction centric ones in most ERP applications. In addition to collaboration and workflow, there is a third leg to this stool: document management. Document management is for gathering, managing the lifecycle, and sharing documents for policies, process narratives, procedures and evidences.
GRC use cases require these three technologies to be equally well developed and integrated. They need to work well together, not separately. Most of the processes in GRC are procedural in nature, thus workflow is important; for example: incident management, control assessment, and policy approval. However, many of the tasks or groups of tasks in these processes require a more collaborative interaction; for example: policy authoring, assessment of control, and determination of criticality and business impact. In order to have a good user experience, a good GRC tool needs to integrate collaboration and workflow technologies together well. Since many of these processes also involve documents such as policy and compliance reports, document management is also intertwined. This is fairly unique among enterprise applications. Only a few other applications have this unique combination of requirements. Contract management and Product Lifecycle Management products come to mind. So if you are shopping for a GRC application, look for good integration between workflow, collaboration, and document management capabilities. As to what qualifies as “good” integration, that is a loaded question and require getting into the weeds on feature design. We will selectively discuss various features going forward.
One of the most common questions I get is from SharePoint customers asking why they need GRC solutions when they already have SharePoint deployed. This is especially the case when customer is looking at policy management use cases. SharePoint is a generic content management and collaboration application. This makes it a great tool for getting all your documents and evidences collected and shared. SharePoint has rudimentary workflow capabilities, but more importantly, lacks the context of assessment and stakeholders associated with each process and assessment. It would be difficult to use SharePoint to enforce any formal risk and compliance assessment process. This bring us back to the point that GRC is one of the few unique applications that require a tight integration between document management, collaboration and workflow, so a generic collaboration or workflow platform alone cannot meet the use cases well. Any attempt to address the use cases using generic tools would result in significant custom integration work.
We’ll discuss control automation next time.
Privacy salience and the social networking sites
Pravin Kothari
This article from the Guardian summarizes a very interesting study done by the Carnegie Mellon University demonstrating the concept of “privacy salience” and its implication on the social networking sites. Privacy salience is the concept that reassuring people about privacy makes them more, not less, concerned. This is strong testimonial for the importance of privacy and security policy awareness programs. Just by simply educating and reminding employees, customers and business partners about privacy and security policies can yield good results. Policy management applications may not have the most fancy technologies, it can still be an extremely effective tool.
Mitigation
Filed under: Technology | Tags: Automation, mitigation, process automation
Leave a Comment Pravin Kothari
Let’s continue our discussion on process automation.
Once an assessment is done, if certain gaps or weaknesses need to be corrected, we go into the mitigation process. Mitigation does not always have to be remediation – for example it could be simply transferring risk or describing compensating control. In terms of process automation, mitigation has three sub-components:
- analysis, prioritization, and decision making
- review and approval
- generate request
Following mitigation, any actionable request must be assigned to an owner to carry out the action. In IT, this is often someone doing manual work based on a helpdesk ticket, but for many systems, the correction action can be fully automated using system management and provisioning products. Companies like HP, BMC and Cisco have many such products, often under the product category of Business Service Automation or Data Center Management. This is often referred to as Remediation Automation. We’ll discuss that later.
First part of mitigation is to figure out what action needs to be taken if any. This involves analyzing the gap or issue identified or a reported incident. This usually involves an analyst doing analysis using reports, dashboards and other form of contextual data. For common and straight forward issues, the decision making process can be automated using rules. For example, if a database doesn’t have the latest security patch, then the simple decision is to apply the latest patch with a priority based on criticality of the database and severity of the patch. For more complicated issues, we still need human doing analysis and making the decision on what needs to be done, when and with what priority. Besides simple reports, dashboards, metrics and logs, the interesting technology here is simulation and risk modeling. Mitigation decisions often are not black and white. For some of the issues, analyst may decide to simply accept them and not do any mitigation if they may not pose enough risk. How much should be done requires balancing cost vs. risk. Using a GRC application, an organization can build risk models to measure and quantify (and even monetize) the risk from the gaps. A good risk model enables the user to build scenarios and do simulations to see how the cost compares with the benefit for different mitigation options. The organization can make an informed decision on how much mitigation makes sense if any. Risk modeling techniques are very interesting and extensive topic in its own right. We’ll certainly be talking about that in depth later.
Once a mitigation plan has been determined, it often needs to be reviewed or approved in the context of the whole assessment. This obviously requires workflow and collaboration capabilities from the GRC application. We’ll discuss collaboration more in detail when we discuss the third component of process automation in the next blog.
The third and last part of mitigation is to generate an actionable request once the mitigation decision is done and approved. Some of the mitigations may generate a ticket or notification of some sort. Most organizations have at least one ticketing system in place. The most common ones are BMC Remedy and HP Open View Service Center (Peregrine). For some of the mitigations the GRC application should be able to automatically create a ticket into the enterprise’s ticketing system and be able to pull in updates when the ticket status is changed. To achieve this, the GRC application needs to have connectors to the ticketing systems, as well as flexible integration architecture to enable easy configuration. The flexibility and ease of configuration is very important because ticket format and list of fields in a ticket varies greatly from company to company. Issues such as required fields and dependent fields can make the integration fragile if not done correctly. In cases where the mitigation is not executed through a ticketing system, then the GRC applications should have basic abilities to manage mitigation actions, send out email alerts, a user interface to let users view the alerts and record the actions taken.
Next time we’ll talk about collaboration and finish up our thread on process automation.
10 Things Your Auditor Isn’t Telling You
Pravin Kothari
I hope everyone had a great 4th of July long weekend.
This following blog is not about technology, but it’s too insightful not to pass along.
