Strategies and Processes

Strategies and Processes - PDF document

Uploaded by delcy (@delcy) on 2021-01-05. 344 views.

Strategies and Processes - PPT Presentation

Strategies and Processes for an Effective GRC Program. Steven G. Jensen, VP/Chief Information Security Officer, Carlson Wagonlit Travel. Who are we? CWT is the global leader specializing in business travel management. ID: 827455



Presentation Transcript

Strategies and Processes for an Effective GRC Program
Steven G. Jensen
VP/Chief Information Security Officer
Carlson Wagonlit Travel

Who are we?
• CWT is the global leader specializing in business travel management.
• CWT is dedicated to helping companies of all sizes, government institutions and non-government organizations, optimize their travel program and provide best-in-class service and assistance to travelers.
• By leveraging the talents and know-how of its people and providing leading-edge technology, CWT helps clients around the world drive savings, while delivering service and enhancing security and sustainability.
• We have key business in Travel and Transaction Services (TTS), Safety and Security, Meetings and Events, Program Optimization and Energy Services.

Where are we?
• TBD

Governance, Risk and Compliance
What is the role of GRC?
• Governance is a process by which business decisions are made to achieve objectives.
• Risk management is the analysis which provides the necessary background to support an informed decision making process.
• Compliance helps establish the framework of risk-based decision making. Lack of compliance is also a risk in and of itself.

"A ship in port is safe, but that's not what ships are built for." – U.S. Navy Admiral Grace Murray Hopper

Strategies and Processes for an Effective GRC Program
1. Align your security team with how the business drives decisions
2. Engage the business in the process
 – Create relationships
 – Understand business drivers
3. Get agreement on how decisions are to be made
 – What is the process?
 – Who makes the decision?
4. Facilitate the process

Information Security Alignment
REGIONAL:
• Americas Regional Security Officer
• EMEA Regional Security Officer
• APAC Regional Security Officer
• US M&G Security Officer
FUNCTIONAL:
• Global Identity and Access Management
• Global Threat and Vulnerability Management
• Global Governance, Risk and Compliance

GRC Framework
Leadership and Engagement
CWT Security GRC Framework: Govern, Assess & Manage
• Security Policies, Standards and Training
• Information Security & Compliance Metrics
• Vendor Security Assurance
• PCI and Other Regulatory Compliance
• Security Risk Assessments
Oversight: Information Security Council – Executive Steering Committee – Audit Committee – Executive Board

GRC Process
Identify or Assess Risk → Translate or Contextualize → Provide Recommendation → Drive Governance → Follow-up

Example #1: Risk Assessments
Governance Process – Policy Waiver
Risk Management – "PADU": Preferred, Acceptable, Discouraged, Unacceptable

Impact + Likelihood – Mitigation = PADU

Organizational Impact (rows) versus Likelihood to Exploit (columns: Very High = 5, High = 4, Medium = 3, Low = 2). Mitigation credit: Not Mitigated = 0, Partially Mitigated = 1, Mostly Mitigated = 3, Fully Mitigated = 4.

Not Mitigated = 0
Impact              Very High   High   Medium   Low
5 Catastrophic          10       9       8       7
4 Severe                 9       8       7       6
3 Noticeable             8       7       6       5
2 Minor                  7       6       5       4

Partially Mitigated = 1
Impact              Very High   High   Medium   Low
5 Catastrophic           9       8       7       6
4 Severe                 8       7       6       5
3 Noticeable             7       6       5       4
2 Minor                  6       5       4       3

Mostly Mitigated = 3
Impact              Very High   High   Medium   Low
5 Catastrophic           7       6       5       4
4 Severe                 6       5       4       3
3 Noticeable             5       4       3       2
2 Minor                  4       3       2       1

Fully Mitigated = 4
Impact              Very High   High   Medium   Low
5 Catastrophic           6       5       4       3
4 Severe                 5       4       3       2
3 Noticeable             4       3       2       1
2 Minor                  3       2       1       0

Risk Management – "PADU": Preferred, Acceptable, Discouraged, Unacceptable

Example #2: Managing Scope of PCI
Goal: Reduce the # of PCI Applications
Critical points:
• Removing credit cards from some systems, and even the retirement of others, is a strategy we needed to adopt.
 – The cost to make a system compliant is significant
 – Once a system reaches a compliant state, the costs of keeping the system compliant are also significant
• The final decisions to remediate, remove, or retire applications needed to be escalated to the PCI Program Executive Steering Committee for review and approval.

Compliance Scope Assessment
Step 2 – Options: 2a. Retirement; 2b. Removal from PCI scope; 2c. Remediation
• Has the least expensive decision been selected? Yes → Proceed to Step 3 with selected option.
• No → Is the decision retirement, and has the decision to retire an application already been made for other reasons? Yes → Proceed to Step 3 with selected option.
• No → Prepare technical or business justification for your option selection. Is the option selected within range of the least costly decision? (Yes / No) → Proceed with justification to Step 3.

Step 3 – Application Owner Recommends Remediation
Cost Level / Required Approval:
• LEVEL 1, Low Cost Remediation: initial remediation < $xxx USD – IT and Business Owner can authorize remediation
• LEVEL 2, Mid Cost Remediation: initial remediation ≥ $xxx but < $yyy USD – Regional President authorization required
• LEVEL 3, High Cost Remediation: initial remediation ≥ $yyy USD – ESC authorization required
Was business or IT justification required in Step 2?
• Yes → Level 2 or Level 3 approval is required. Level 1 is not allowed.
• No → Go to the appropriate required approval based on cost level.
Approved?
• Yes → Move forward with approved path.
• No → Return to Step 2.

Governance Process
Example #3: Access on Need to Know Basis
Data Gathering in Technical Terms: SA_ACCTRECCLK; SAS_CML_GROUP_6; CARSVIEW
Application-Centric Translation:
• SAP Accounts Receivable Clerk Access
• Compliance Audit Review & Reporting System (CARS) – View Access
Enterprise-Centric Translation: Accounts Receivable Clerk

Access Attestation – Business Engagement in IAM
• The role of Accounts Receivable Clerk has the following access:
 – SAP: Accounts Receivable Clerk Access
 – CARS: View Access
• The following individuals are in the Accounts Receivable Clerk role:
 – John Doe
 – Jane Doe
 – Pete Peters

Thank You!
Steven G. Jensen
VP/Chief Information Security Officer
Carlson Wagonlit Travel
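The PADU arithmetic of Example #1 (Impact + Likelihood – Mitigation), as an added example that is not part of the presentation: it regenerates the four slide matrices from the formula and checks them against the printed numbers; the "sample finding" is constructed, and the slides give no score-to-band thresholds, so only raw scores are produced.

```python
# Added example (not from the presentation): the PADU arithmetic of Example #1,
# Impact + Likelihood - Mitigation, used to regenerate the four slide matrices
# and to check them against the numbers shown on the slides.

IMPACT = {"Catastrophic": 5, "Severe": 4, "Noticeable": 3, "Minor": 2}
LIKELIHOOD = {"Very High": 5, "High": 4, "Medium": 3, "Low": 2}  # slide column order
MITIGATION = {"Not Mitigated": 0, "Partially Mitigated": 1,
              "Mostly Mitigated": 3, "Fully Mitigated": 4}

# Scores as printed on the slides, rows Catastrophic..Minor, columns Very High..Low
SLIDE_MATRICES = {
    "Not Mitigated":       [[10, 9, 8, 7], [9, 8, 7, 6], [8, 7, 6, 5], [7, 6, 5, 4]],
    "Partially Mitigated": [[9, 8, 7, 6], [8, 7, 6, 5], [7, 6, 5, 4], [6, 5, 4, 3]],
    "Mostly Mitigated":    [[7, 6, 5, 4], [6, 5, 4, 3], [5, 4, 3, 2], [4, 3, 2, 1]],
    "Fully Mitigated":     [[6, 5, 4, 3], [5, 4, 3, 2], [4, 3, 2, 1], [3, 2, 1, 0]],
}


def risk_score(impact: str, likelihood: str, mitigation: str) -> int:
    """The slide's formula: Impact + Likelihood - Mitigation."""
    return IMPACT[impact] + LIKELIHOOD[likelihood] - MITIGATION[mitigation]


def padu_matrix(mitigation: str) -> dict:
    """One slide matrix as {impact: [score per likelihood column]}."""
    return {imp: [risk_score(imp, lik, mitigation) for lik in LIKELIHOOD]
            for imp in IMPACT}


def matches_slides() -> bool:
    """True when the formula reproduces every number printed on the slides."""
    return all(list(padu_matrix(m).values()) == rows
               for m, rows in SLIDE_MATRICES.items())


def render(mitigation: str) -> str:
    """Plain-text grid shaped like the slide (score-to-PADU band thresholds
    are not stated on the slides, so only the raw scores are shown)."""
    lines = [f"{mitigation} = {MITIGATION[mitigation]}",
             f"{'Impact':<15}" + "".join(f"{lik:>10}" for lik in LIKELIHOOD)]
    for imp, scores in padu_matrix(mitigation).items():
        lines.append(f"{IMPACT[imp]} {imp:<13}" + "".join(f"{s:>10}" for s in scores))
    return "\n".join(lines)


if __name__ == "__main__":
    for m in MITIGATION:
        print(render(m), end="\n\n")
    # Constructed sample finding: severe impact, high likelihood, partially mitigated
    print("sample score:", risk_score("Severe", "High", "Partially Mitigated"))  # 7
```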
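The Step 2 / Step 3 decision flow of Example #2, as an added example that is not part of the presentation: it decides whether a justification is needed in Step 2, maps remediation cost to the approval level of Step 3, and applies the rule that Level 1 is not allowed when a justification was required. The slides leave the $xxx and $yyy thresholds as placeholders, so they are parameters here, and the option costs and threshold values used are constructed.

```python
# Added example (not from the presentation): the Step 2 / Step 3 decision
# flow of Example #2. The slide's "$xxx" and "$yyy" cost thresholds are
# placeholders, so they are parameters here; all values used are constructed.

APPROVER = {1: "IT and Business Owner", 2: "Regional President", 3: "ESC"}


def step2_justification_required(selected: str, option_costs: dict,
                                 retirement_already_decided: bool = False) -> bool:
    """Step 2: no justification if the least expensive option was chosen, or if
    the choice is retirement that was already decided for other reasons.
    Otherwise a technical or business justification must accompany the option."""
    least_costly = min(option_costs, key=option_costs.get)
    if selected == least_costly:
        return False
    if selected == "2a. Retirement" and retirement_already_decided:
        return False
    return True


def cost_level(initial_remediation_usd: float, xxx: float, yyy: float) -> int:
    """Step 3 cost levels: 1 if < $xxx, 2 if >= $xxx but < $yyy, 3 if >= $yyy."""
    if initial_remediation_usd < xxx:
        return 1
    return 2 if initial_remediation_usd < yyy else 3


def required_approval(initial_remediation_usd: float, justification_required: bool,
                      xxx: float, yyy: float) -> tuple:
    """Step 3 routing. When Step 2 needed a justification, Level 1 is not
    allowed, so a low-cost request is escalated to Level 2 approval."""
    level = cost_level(initial_remediation_usd, xxx, yyy)
    if justification_required and level == 1:
        level = 2
    return level, APPROVER[level]


def decision_outcome(approved: bool) -> str:
    """Final branch of Step 3 as drawn on the slide."""
    return "Move forward with approved path" if approved else "Return to step 2"


if __name__ == "__main__":
    # Constructed sample: remediation chosen although removal from scope is cheaper
    costs = {"2a. Retirement": 120_000, "2b. Removal from PCI scope": 30_000,
             "2c. Remediation": 40_000}
    needs_justification = step2_justification_required("2c. Remediation", costs)
    print(required_approval(costs["2c. Remediation"], needs_justification,
                            xxx=50_000, yyy=250_000))  # (2, 'Regional President')
```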