IT Governance, Risk and Compliance


What is IT Governance, Risk and Compliance?

Agiliance has developed the first purpose-built software solution to automate the interdependent and complementary functions of IT governance, risk and compliance.

IT Governance ensures strategic goals and objectives for IT are set respective to acceptable levels of risk in relation to stakeholders, including industry mandates and government regulations.

Risk Management is a process that assesses, measures and monitors IT operational and security risk in relation to strategic goals and objectives, including assessment of risks and controls required to protect IT assets and the business.

Compliance Management ensures appropriate actions are taken to execute governance objectives based on stated risk tolerance for the business. Compliance tests the effectiveness of technical and business controls in meeting internal policy as well as industry and regulatory requirements.

Automating the IT GRC Business Process

At Agiliance, we transform the enterprise IT GRC process into a strategic asset. Leaders in financial services, health care, insurance, high technology, government, and other industries use Agiliance IT-GRC 3.0 to automate their unique IT GRC processes to dramatically decrease risk and IT spend. These leaders all use Agiliance IT-GRC 3.0 to address each of five fundamental steps:

An effective IT GRC process continuously calculates and reports on consolidated risk and compliance scores for targeted assets. It provides executive management visibility into the relationship between risk and compliance across geographies, business units and functional departments.

Automating each step of the process adds distinct value:

1) Prioritize the environment – by identifying where critical IT assets are: how many servers and applications there are, for example, who uses and manages them, and the type of data processed and stored on them. Agiliance IT-GRC imports asset data from Active Directory, vulnerability scanners, change management and other systems to:

  • Organize assets by business units, geographies, data centers, product lines, or other groups
  • Add new assets as IT infrastructure and assessment needs change.

2) Identify risks and policies – by using various risk methodologies and the most powerful common control framework available including:

  • Current operational risk and control status: involves understanding the current “state” of IT risk and the application of controls throughout the organization, not just as of the last audit, but in real or near-real time.
  • Past performance, key risk indicator (KRI) trending: involves monitoring chosen key risks such as the number of security events, changes in network configuration, or the availability of qualified IT staff.
  • Potential threats, enterprise risk management (ERM) for IT: involves leveraging the collective knowledge of managers and specialists in the organization to identify and monitor future potential threats, their likelihood, and the controls appropriate for mitigating them.

3) Test controls and identify gaps – for most organizations, control testing is typically a tedious, expensive process involving project management across two key disciplines:

  • Survey questionnaires distributed to IT server and application owners.
  • Automated data gathering from vulnerability scanners, security incident logs and network change management systems.

Agiliance IT-GRC provides the ability to test once and comply with multiple regulations, thereby eliminating multiple requests for reporting on the same control, lost time, and wasted budgets.

4) Optimize mitigation – for most organizations, mitigation costs are as much as ten times the cost of testing controls. Inefficiencies typically arise from:

  • Requests for mitigation coming from multiple sources – one from the SOX team, another from the PCI team.
  • Knowing which control to implement or how to implement one control that satisfies both requirements.

Agiliance IT-GRC streamlines the mitigation process by establishing a custom “common control framework” for the organization using standardized controls for all regulatory requirements and mandates, prioritized by asset criticality and control-risk scoring.

5) Continuously report and monitor – how efficiently and effectively companies, auditors, and regulators monitor and report can distinguish industry leaders from laggards. Many regulations are moving in the direction of determining compliance not as a function of the last audit, but by whether proper controls were in place and working at the time of a violation. Agiliance IT-GRC provides organizations with:

  • Real or near-real time risk and compliance status dashboards
  • Trending using key risk indicators (KRIs) to alert before risk thresholds are exceeded
  • Standard audit reports for all major regulations and mandates
  • Custom reports for internal audits and management
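To make steps 3 to 5 concrete, here is an added example that is not Agiliance code and does not reflect how Agiliance IT-GRC is implemented. It builds a toy common control framework in which one standardized control maps to several regulations (so a single test result counts toward each of them), ranks open control gaps by asset criticality multiplied by a control-risk weight, and projects a KRI trend so that an alert fires before the threshold is actually exceeded. The control library, regulation mappings, assets, weights and KRI history are all constructed for the example, and the scoring model (criticality times risk weight, least-squares trend) is an assumption chosen for illustration.

```python
"""Toy common control framework: test once, comply with many (example code, not Agiliance's).

All controls, regulation mappings, assets and KRI values below are constructed.
Simplifying assumption: every control applies to every asset.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    risk_weight: int          # 1 (low) .. 5 (high): impact if this control fails
    regulations: frozenset    # mandates that this one control satisfies


@dataclass
class Asset:
    name: str
    criticality: int          # 1 (low) .. 5 (high) business criticality
    failed_controls: set = field(default_factory=set)


# Constructed control library (assumed mappings, not a real regulatory crosswalk).
CONTROLS = {
    "CC-01": Control("CC-01", "Unique user IDs, no shared accounts", 4,
                     frozenset({"SOX 404", "PCI", "FISMA"})),
    "CC-02": Control("CC-02", "Quarterly vulnerability scan with remediation", 5,
                     frozenset({"PCI", "FISMA", "GLBA"})),
    "CC-03": Control("CC-03", "Change approval recorded before production deploy", 3,
                     frozenset({"SOX 404", "NERC/FERC"})),
    "CC-04": Control("CC-04", "Encrypt cardholder data at rest", 5,
                     frozenset({"PCI", "GLBA"})),
}

# Constructed asset inventory with current control test results.
SAMPLE_ASSETS = [
    Asset("payments-db", 5, {"CC-04"}),
    Asset("hr-portal", 3, {"CC-01", "CC-02"}),
    Asset("build-server", 2, set()),
]

# Constructed KRI history: security events per week, oldest first.
SAMPLE_KRI = [12, 15, 17, 20, 24]


def coverage(control_ids):
    """Regulations addressed by testing the given controls once each."""
    covered = set()
    for cid in control_ids:
        covered |= CONTROLS[cid].regulations
    return covered


def prioritized_gaps(assets):
    """Open (score, asset, control, regulations) gaps, highest score first.

    Score = asset criticality x control risk weight (assumed scoring model).
    """
    gaps = []
    for asset in assets:
        for cid in asset.failed_controls:
            control = CONTROLS[cid]
            score = asset.criticality * control.risk_weight
            gaps.append((score, asset.name, cid, sorted(control.regulations)))
    return sorted(gaps, key=lambda g: (-g[0], g[1], g[2]))


def compliance_status(assets):
    """Per regulation: fraction of (asset, control) pairs currently passing."""
    status = {}
    regulations = set().union(*(c.regulations for c in CONTROLS.values()))
    for reg in regulations:
        required = [c for c in CONTROLS.values() if reg in c.regulations]
        total = len(required) * len(assets)
        failed = sum(1 for a in assets for c in required if c.control_id in a.failed_controls)
        status[reg] = (total - failed) / total
    return status


def linear_trend(values):
    """Least-squares slope of a series sampled at equal intervals."""
    n = len(values)
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den if den else 0.0


def kri_alert(history, threshold, horizon):
    """Return (alert, projected): alert is True when the trend-projected KRI
    value `horizon` periods ahead reaches the threshold, i.e. before the
    threshold is actually exceeded."""
    projected = history[-1] + linear_trend(history) * horizon
    return projected >= threshold, projected


if __name__ == "__main__":
    print("Regulations covered by testing CC-01 and CC-02:", sorted(coverage(["CC-01", "CC-02"])))
    for gap in prioritized_gaps(SAMPLE_ASSETS):
        print("gap", gap)
    for reg, frac in sorted(compliance_status(SAMPLE_ASSETS).items()):
        print(f"{reg:10s} {frac:.0%} passing")
    for horizon in (2, 3):
        print("KRI alert at horizon", horizon, kri_alert(SAMPLE_KRI, 30, horizon))
```

Running the module shows the three ideas from the text: testing CC-01 and CC-02 once covers four regulations, the payments database's missing encryption control ranks first because both its criticality and the control's risk weight are high, and the security-event KRI (trend of about 2.9 events per week) triggers an alert three weeks ahead of the threshold of 30, while it is still under it.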

IT GRC Platform Automation Solutions

The Agiliance IT-GRC platform is used to streamline and automate various risk and compliance initiatives within the organization including:

  • IT Risk Management – dramatically reduce the time and cost to assess applications, systems and processes against regulations, mandates and internal policy requirements.
  • Policy and Compliance Management – automate data collection processes for PCI, FISMA, GLBA, SOX 404, BASEL II, NERC/FERC, and any other regulations, mandates, or internal policies using powerful “test once, comply with many” capabilities for major cost and time savings.
  • Automated IT Controls – streamline and automate the compliance and audit controls testing process by taking a risk-based, “test once, comply with many” approach to controls testing and enforcement down to the OS, application and database record levels.
  • Vendor/Partner Risk Management – streamline and automate the vendor risk assessment process for large-scale risk assessments and controls monitoring of the entire delivery ecosystem.
  • Enterprise Risk Management (ERM) – apply forward-looking, standard business risk methodologies (COSO, AS/NZS 4360) to large IT organizations within the enterprise or more broadly across all enterprise functions for IT-intensive organizations.
  • Key Risk Indicator (KRI) Dashboards – measure past performance to support real-time decision making based on what matters most to your organization, through dashboards that alert users to acceptable-risk threshold violations.