High Technology and Manufacturing

High technology and manufacturing enterprises must promote and protect the integrity of the business ecosystem they rely on to deliver value to their customers. That ecosystem spans proprietary and financial performance information, vendor and partner information, and customer information, and competitive advantage depends in significant part on how efficiently these companies manage risk. Competing on risk means driving efficiency into every process in the enterprise, including IT risk management and compliance.

Key questions for these enterprises include:

  • IT Governance, Risk and Compliance process: Do we have one?
  • Quality: Are we obtaining reliable results?
  • Cycle Time: How long does it take to get reports?
  • Cost: How much is it costing us?
  • Resiliency: Can the process adapt to change?

The Challenge

High technology and manufacturing enterprises face intense competitive pressure on the world stage. Knowing where sensitive data is stored, and which controls are already in place to protect it, is itself a major challenge, and ongoing risk assessment requires those controls to be tested regularly. Geographically distributed offices, data centers and business units, a continuous stream of mergers and acquisitions, and data-intensive business processes all compound the difficulty of running IT risk and compliance programs. The many high-value suppliers these companies depend on further blur the lines of data ownership and responsibility for protection.

Key IT-related risk and compliance regulations and mandates that high technology and manufacturing enterprises must comply with include:

  • SOX 404 (Sarbanes-Oxley Act, section 404) – requires management of publicly traded companies to assess, and auditors to attest to, the internal controls that protect the integrity of financial reporting
  • PCI DSS (Payment Card Industry Data Security Standard) – requires organizations that store, process or transmit cardholder data to maintain protective controls and to perform ongoing risk assessments
  • RoHS and WEEE (EU Restriction of Hazardous Substances and Waste Electrical and Electronic Equipment directives) – compliance records, including component and material history, must be protected from tampering through unauthorized access
  • California SB 1386 – requires notification of California residents whose personal information is exposed in a breach; it has served as the model for breach-notification laws in other states and for proposed federal legislation
  • EU Data Protection Directive – requires protection of personal information by businesses operating in EU member states
  • Basel II – requires an operational risk management program, including plans addressing information security threats and the controls that mitigate them

The Solution

Agiliance IT-GRC 3.0 provides high technology and manufacturing enterprises with the ability to:

  • Establish a resilient IT-GRC business process that provides a holistic, real-time view of risk and compliance across the enterprise, including partners and vendors
  • Implement a robust operational IT risk program: conduct eSurveys throughout the organization, develop key risk indicators for IT, and assess threats using the COSO and AS/NZS 4360 risk management methodologies
  • Demonstrate continuous multi-regulatory compliance with a "test once, comply with many" capability that reduces the cost and cycle time of testing and reporting while improving the quality of results
  • Integrate and automate technical controls by leveraging existing security and change management investments: ingest data from vulnerability scanners, CMDBs, identity management (IdM) systems, segregation-of-duty systems and other sources to generate reports automatically, drill down to critical controls, and set priorities based on the areas of highest risk
  • Migrate over time to standard control frameworks such as ISO 17799/27001, COBIT, NIST and FFIEC
  • Create enforceable policies and monitor controls across functional and geographic boundaries
