Business Continuity: How to Apply Enterprise Risk Management to Your BCM Planning Efforts…and Vice Versa!

by Patrick Potter, RSA Archer GRC Solutions Business Continuity Management (BCM) programs typically do a good job of evaluating business criticality through performing Business Impact Analyses (BIAs) to determine recovery priorities.  However, how many BCM and IT Disaster Recovery (DR) programs adequately assess risks starting at the overall program level down to the process or…

The Threat of the Threat Itself

Some colleagues and I were discussing DDoS attacks earlier this week: who is waging DDoS attacks, what techniques they’re using and how to deal with attacks when they occur. While discussing the value of advance warning of such attacks, one person said offhandedly, “the problem with advance warning is that the threat may be just the threat of the attack, not the attack itself.” It was an interesting and valuable insight, one that deserves some exploration.

Starting with the End in Mind: the Need for Security Governance

Under the leadership of CyLab Adjunct Distinguished Fellow, Jody Westby, the CyLab team gathered information from CEOs, CFOs, CROs and board members of the Forbes Global 2000 regarding security governance practices in their companies. The results showed significant gaps in security governance in more than half the respondents. Even for someone like me who tends to see the glass as half-full, this is a major concern in a world of increasing threats to information security.

The Marriage of Legal and IT

In Dr. Larry Ponemon’s recent eGRC and Data Privacy study, the Ponemon Institute, LLC independently surveyed 190 Archer eGRC Community members to examine the challenges they face in meeting eGRC and data protection objectives. One of the challenges that Dr. Ponemon notes is the need for collaboration between the Legal and IT teams to handle incidents as well as validate compliance to ever-changing regulations.

Putting Together the Pieces in Europe

I recently returned from Berlin after attending the EMEA RSA Channel Partner Council with the purpose of discussing RSA’s Security Management and GRC strategies within Europe. For many of the RSA channel partners, this was their first exposure to these concepts. Channel partners have a unique perspective because they are on the front lines selling products and providing implementation services Their success is directly influenced by RSA’s ability to provide the right training, messaging and tools to make them effective.

Top-to-Bottom, Side-to-side

I’ll start with the bottom line: for eGRC to work it has to be true at all Human and system levels of abstraction in an organization and it must have common elements across all function in a company. With the release of the most recent study by the Ponemon Institute (with EMC) , there are some clear pointers to the need for more strategic and, frankly, systemic mechanisms for managing enterprise governance, risk and compliance. Let’s cover a few ideas before coming back to those.

The Art of Tracing Footsteps (through the infrastructure)

The question of “why” EMC has acquired NetWitness will no doubt come up (beyond the fact that they are the obvious market leader with awesome technology) and how do they fit? Over the next few months that will become increasingly clear and in fact obvious if it isn’t already, but I thought I’d start with a simple analogy that I will connect first with RSA enVision (i.e. with Security Information and Event Management or “SIEM”) and then with RSA Archer (i.e. with Governance Risk and Compliance or “GRC”).

GRC and Trust in the Cloud: The Right Tools for the Right Jobs

It’s been a year now, or a little more, since To The Heart of the Matter, and this year we’re stepping up the governance, risk and compliance (GRC) stakes in a big way with a new EMC/RSA initiative around enterprise GRC. At the same time, the race to the cloud continues; so it’s time to look at enterprise GRC in the context of Trust and in context of the Cloud anew for 2011. Before we dive into that subject, let’s start with a little more on tools and tasks though by looking at innovation in historical Japan.

The 12 Days of GRC – Happy Holidays!

On the first day of 2010 my big boss gave to me: a project called G-R-C.
On the second day of 2010 my big boss gave to me: two BCPs and a project called G-R-C.
On the third day of 2010 my big boss gave to me: Three new laws, Two BCPs and a project called G-R-C.
On the fourth day of 2010 my big boss gave to me: Four calling auditors, Three new laws, Two BCPs and a project called G-R-C.
On the fifth day of 2010 my big boss gave to me: FIVE LOSS EVENTS…Four calling auditors, Three new laws, Two BCPs and a project called G-R-C.