
RSA Archer Suite

59 Posts authored by: Marshall Toburen Employee

What is Third Party Governance?

RSA Archer Third Party Governance provides organizations the capability to monitor and manage the performance of the third parties with whom they do business.

Why is the proper management of Third Party performance so important?

Organizations are increasingly using third parties to support their operations and to deliver products and services to their clients. Every organization entering into a third party relationship has expectations regarding how the third party’s products and services should perform. It is particularly critical that third parties perform satisfactorily wherever they support customer-facing activities or contribute to the organization achieving its key objectives. Often performance expectations are formalized by contract through agreed-upon service level metrics unique to the product or service being delivered by the third party. While contractually establishing service level metrics is a best practice, it is only the first step. Organizations need to monitor performance metrics throughout the life of each third party relationship and manage deteriorating third party relationships at the earliest possible time. While an organization may have established some contractual recourse should a third party fail to perform, litigation and financial compensation do not solve the problems posed by underperforming third parties. The best outcome is third parties that meet or exceed performance expectations.

RSA Archer Third Party Governance

RSA Archer Third Party Governance provides the capability to track the performance of individual third party engagements and to measure the performance of third parties across all of the engagements they are delivering to your organization. Third Party Governance provides the ability to document and track service level agreement metrics, and utilize a metrics library to promote consistency in assigning service level metrics to similar engagements.  Once performance metrics are established, actual performance data can be collected from named individuals or automatically via systems of record.  Stakeholders can be automatically notified if a third party’s performance begins to fall outside acceptable boundaries so that third party performance can be coached back to acceptable levels or remediation and contingency plans created and executed should the third party’s performance become irreparable.

Key features include:

  • Define and document performance metrics for third parties
  • Track all contractual service level agreement (SLA) metrics
  • Uncover deteriorating third party performance
  • Capture and monitor remediation plans until performance problems are resolved
  • Create performance metrics and associate them with individual product and service engagements
  • Capture performance metric data on an ongoing basis and score performance based on data collected
  • Report on performance of individual product and service engagements
  • Roll up engagement level performance to obtain overall third party performance profile

RSA Archer Third Party Governance enables organizations to:

  • Create and capture performance metrics and associate them with individual product and service engagements on an ongoing basis
  • Report on performance of individual product and service engagements and roll up engagement level performance to obtain an overall third party performance profile
  • Uncover deteriorating vendor performance and quickly resolve third party performance problems
  • More frequently exercise contract remedies due to poor performance
  • Avoid third party-related surprises and losses, and spend less time and money on third party performance remediation
  • Demonstrate the effectiveness of third party performance management programs to executive management and regulators

Today, organizations are faced with complex and fast moving challenges exacerbated by the very nature of rapidly expanding third party relationships. RSA Archer Third Party Governance is one element of an effective Integrated Risk Management program. Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

As your organization drives business growth through an extended ecosystem strategy, your third party risk and performance management program must evolve and manage risk more holistically, with more agility and integration than before. Managing third party risk and performance is one ingredient to showing real progress and improvement and decreasing business risk.  RSA Archer can help your organization better understand and manage its third party relationships on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

For more information, visit RSA.com or read the Datasheet.

What is Third Party Engagement?

A third party is any entity with which your organization has an actual or implied contractual relationship for the receipt of goods and services.  Besides being called a third party, these relationships may also be known as vendors or suppliers.  An Engagement refers to the actual product or service being received by way of a contract with a third party. 

RSA Archer Third Party Engagement provides organizations the capability to inventory all of the product and service engagements they are receiving from third parties. Engagements can be mapped to the third parties supplying the product or service, and to the organization’s business units and business processes they support. Third party contacts can be documented, and accountability for third party engagements can be established by named individual and by the business units that own the relationship. If you are utilizing the RSA Archer Third Party Engagement, Risk Management, and Governance use cases, the risk and performance of individual engagements can be established, and risk and performance information can be rolled up across all products and services delivered by a third party and depicted in aggregate at the appropriate third party organizational level.

Why is the proper management of Third Party Engagements so important?

Third parties may relate, to some degree, to every aspect of an organization. They may impact your organization’s objectives, and they support, in one way or another, the products and services your organization delivers. They support business processes, introduce risk, and affect and supplement the extended internal control environment of your organization. They may provide assets and inputs to the organization such as hardware, software, physical space, and product inputs. Acting as an agent of your extended organization, they are subject to your regulatory obligations and policies, and they may directly supplement your human resources through consultants and temporary labor, or extend your human resources by the nature of the services they are providing. You may have third parties that touch on every one of these elements of your business.

There are numerous reasons organizations choose to engage third parties. These include competing better; benefiting from a vendor’s expertise that you don’t have in-house; optimizing resources; acquiring resources (often more cheaply); transferring risk, such as through insurance; and expanding market share by capitalizing on the third party’s presence in a market where you don’t currently have a presence, or by offering a more attractive product or service because of the third party’s expertise and capabilities.

Third parties are an extension of your business and, in the end, third parties introduce the same risk to your organization as if you internalized the activities.  In most cases, it is impossible to eliminate the risk altogether.  The best you can do is understand the risk and manage it within acceptable levels.

RSA Archer Third Party Engagement

RSA Archer offers the Third Party Engagement use case to consolidate the list of third party products and services your organization uses.

Key features include:

  • Catalog third parties, their business hierarchy, and the product and services engagements they deliver to your organization
  • Map third party products and services to the business processes they support
  • Roll up engagement risk assessments to obtain an overall third party risk profile
  • Catalog contracts and master services agreements associated with engagements
  • Execute contract risk assessments utilizing standardized questionnaires focused on minimum required contract language to mitigate and transfer risk
  • Capture the third party’s proof of insurance and evaluate the adequacy of the insurance relative to all of the engagements being delivered
  • Integrate the results of your business process impact analysis into your assessment of the inherent resiliency risk of each third party
  • Establish accountability for each third party engagement
  • Document and monitor remediation plans to bring risk within acceptable tolerance
  • Track exceptions related to third party engagements

With RSA Archer Third Party Engagement, you can:

  • Establish efficient management of your third party relationships
  • Know where, how, and why third parties are being used throughout your organization, and who is responsible
  • Identify inherently high risk third party products, services, and relationships
  • Better understand the adequacy of each third party’s proof of insurance
  • Have fewer third party-related audit and regulatory findings
  • Establish the basis for an effective third party risk management program and allocation of scarce resources based on the most significant priorities
  • Provide transparency into third party relationships using robust notifications and reporting
  • Provide positive assurance to senior management, the Board, and regulators regarding the adequacy of the organization’s third party governance program

Today, organizations are faced with complex and fast moving challenges exacerbated by the very nature of rapidly expanding third party relationships.  The RSA Archer Third Party Engagement is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leadership with the most holistic understanding of risk facing the organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce the most effective return to the organization.

As your company drives business growth through an extended business ecosystem strategy, your risk management program must evolve and manage risk with more agility and integration than before. Managing third party risk and performance is one ingredient to showing real progress and improvement and decreasing business risk.  RSA Archer can help your organization better understand and manage its third party relationships on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

For more information, visit RSA.com or read the Datasheet.

What is Third Party Risk Management?

A third party is any entity with which your organization has an actual or implied contractual relationship for the receipt of goods and services.  Besides being called a third party, these relationships may also be known as vendors or suppliers.  An Engagement refers to the actual product or service being received by way of a contract with a third party. 

RSA Archer Third Party Risk Management provides organizations the capability to assess and manage the risks associated with their third party engagements.

Why is the proper management of Third Party Risk so important?

Organizations are increasingly using third parties to support their operations and deliver products and services to their clients. While it is possible to outsource many business activities to third parties, organizations retain the risks associated with their third party relationships. Many of these risks can be significant including regulatory compliance violations, customer and shareholder litigation, information security breaches, financial losses from errors, fraud and business interruption, reputation damage, and impediment to strategic objectives. Organizations need to understand the risks third party relationships pose to their organization and the adequacy of controls that their third party providers have in place to manage risk within acceptable boundaries.

RSA Archer Third Party Risk Management

RSA Archer Third Party Risk Management employs a series of risk assessment questionnaires to be completed by a third party to assess the third party’s internal control environment and collect relevant supporting documentation for further analysis. The results of these questionnaires are factored into a determination of the residual risk of each third party engagement across several risk categories (compliance/litigation, financial, information security, reputation, resiliency, strategic, sustainability, and fourth party risk).  Risk results are depicted for each engagement and are rolled up to the third party to depict their overall risk across all of the engagements they deliver to the organization. Risk assessment findings can be automatically captured and managed as exceptions and remediation plans can be established, assigned to accountable individuals, and monitored to resolution.

Key features include:

  • Consistent risk assessment and evaluation of third party controls
  • Capture and store supplemental documents such as SSAE-16s, financial statements, and PCI assessments, and monitor when refreshed documents are due
  • Capture declared critical fourth party relationships and understand the quality of governance your third party applies to their own third party relationships
  • Depiction of risk of overall third party relationship, across all engagements being delivered to your organization
  • Consolidated view into known issues
  • Organized, managed process to escalate issues
  • Visibility into known risks and efforts to close/address risks
  • Efficient program management and understanding of program status

RSA Archer Third Party Risk Management provides:

  • Methodical and standardized approach to risk assessment
  • Management and mitigation of identified issues and reduced time to resolution
  • Stronger, quicker response to emerging risks
  • Fewer third party related incidents and losses
  • Reduced program administration costs
  • Reduction of overall third party risk
  • Reduced repeat audit and regulatory findings
  • Better understanding of how third parties are used throughout the organization and the risks they pose

Today, organizations are faced with complex and fast moving challenges exacerbated by the very nature of rapidly expanding third party relationships.  RSA Archer Third Party Risk Management is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leadership with the most holistic understanding of risk facing the organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization.

As your company drives business growth through an extended business ecosystem strategy, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Managing third party risk and performance is one ingredient to showing real progress and improvement and decreasing business risk.  RSA Archer can help your organization better understand and manage its third party relationships on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

For more information, visit RSA.com or read the Datasheet.

In their ongoing effort to clarify the concepts of integrated risk management (IRM) and digital risk management (DRM), Gartner has begun to discuss the interconnection of IRM and DRM with enterprise risk management (ERM).

Source: https://blogs.gartner.com/john-wheeler/irm-is-essential-for-digital-transformation-success/

I certainly agree with Gartner’s statement in their recent blog: “To keep pace with the increasing risk associated with digital transformation, organizations require an integrated approach to risk management. Not only is it essential to invest in integrated risk management (IRM) technology to enable this approach, it is also imperative to focus on the convergence of technology and operational risk. This convergence represents a key IRM use case called ‘digital risk management.’ Digital risk management (DRM) technology integrates the management of risks of digital business components — such as cloud, mobile, social and big data — and third-party technologies, such as artificial intelligence and machine learning, operational technology (OT), and the Internet of Things (IoT). DRM helps bridge the gap between the Chief Risk Officer (CRO), the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO).”

ENTERPRISE RISK MANAGEMENT IS THE FOCUS

While Gartner introduced the IRM and DRM concepts some time ago as part of operational risk management, what appears new in Gartner’s most recent IRM discussion is the explicit connection to ERM. The ascendency of ERM as a business focus is not new. In 2014, I reported on RIMS’ declaration that the practice of ERM had reached critical mass. This is borne out by our customers in the financial services industry, of whom 81% stated in a survey conducted last year that they were already using the RSA Archer Suite to support their ERM program! That’s right, 81% of financial services customers surveyed are already integrating cyber risks with other kinds of operational risks, with their organization’s financial risks, and with risks to their strategies and objectives. As RIMS stated in 2013 of ERM, “value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return, goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.”

THE FUTURE OF ERM?

I think it’s safe to assume, as with most things risk management-related, organizations vary in their approach to ERM.  We know that approaches to risk identification, risk assessment, risk evaluation and treatment, and monitoring all vary, as does the scope and granularity around the use of performance, risk, and control indicators.  And that’s fine. Everyone executes to their own unique risk management roadmap given the objectives of their management team, board of directors, and available human and capital resources.

Yet, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission (remember this is the group that drove the Sarbanes-Oxley Act?) has laid out their goal and roadmap for ERM, as well.  In their 2016 update to the COSO ERM framework, they represented the complex interrelationship between risk profile, performance, and risk appetite in this one graphic:

Source: Figure 4.2, COSO ERM Public Exposure Draft, June 2016

I’ll leave a discussion of the relationship of each of these variables and how an organization might go about generating this kind of understanding for themselves in one graphical representation for another time. For now, I think it is enough to consider some of the questions that must be answered to achieve the goal laid out by COSO ERM 2016:

  • How do I come up with a risk appetite statement that consistently encompasses all types of risk?
  • If risk capacity is that level of risk that would put my organization out of business, which risks are those and how do I assess them in a way to compare them to my risk capacity?
  • How do I aggregate all of my risks to generate a risk profile?
  • How do I measure target performance?
  • How do I correlate risk profile to performance, let alone visually depict the relationship?

Please add a comment.  I would love to hear from you and how you think these questions can be answered.

What is a Third Party Catalog?

The RSA Archer Third Party Catalog provides organizations the capability to inventory all of the third parties with whom they do business and to document their third parties in accordance with their organizational structure (parent company, subsidiary, sub-subsidiary). Third party contacts can be documented and accountability for third party relationships can be established by named individual and by the business units that own the relationship. If you are utilizing the RSA Archer Third Party Engagement, Risk Management, and Governance solutions then risk and performance information can be rolled-up across all products and services delivered by the third party and depicted in aggregate at the appropriate third party organizational level.

Why is the proper management of Third Parties so important?

A third party is any entity with which your organization has an actual or implied contractual relationship for the receipt of goods and services.  Besides being called a third party, these relationships are also known as vendor or supplier relationships. 

Third parties may relate, to some degree, to every aspect of an organization. They may impact your organization’s objectives, and they support, in one way or another, the products and services an organization delivers. They support business processes, introduce risk, and affect and supplement the extended internal control environment of your organization. They may provide assets and inputs to the organization such as hardware, software, physical space, and product inputs. Acting as an agent of the extended organization, they are subject to your regulatory obligations and policies, and they may directly supplement your human resources through consultants and temporary labor, or extend your human resources by the nature of the services they are providing. You may have third parties that touch on every one of these elements.

There are numerous reasons organizations choose to engage third parties. These include competing better; benefiting from a vendor’s expertise that you don’t have in-house; optimizing resources; acquiring resources (often more cheaply); transferring risk, such as through insurance; and expanding market share by capitalizing on the third party’s presence in a market where you don’t currently have a presence, or by offering a more attractive product or service because of the third party’s contributions.

Third parties are an extension of your business and, in the end, third parties introduce the same risk to your organization as if you internalized the activities.  In most cases, it is impossible to eliminate the risk altogether.  The best you can do is understand it and manage it down to an acceptable level.

RSA Archer Third Party Catalog

RSA Archer offers the Third Party Catalog use case as the starting point to consolidate your third party dependencies.

Key features include:

  • Catalog suppliers, partners, service providers and other third parties
  • Capture important details related to third parties, including contracts
  • Map internal business units to third parties
  • Manage contacts with third parties
  • Efficiently manage your third party relationships
  • Establish accountability for each third party relationship
  • Track exceptions related to third party relationships

With RSA Archer Third Party Catalog, you can:

  • Obtain an awareness of all third party relationships throughout the organization
  • Reduce time identifying third party relationships and contracts
  • Establish accountability for individual supplier relationships and quickly identify relationship owners
  • Track contract terms, including notification of key contract events such as contract obligations, and renewal and expiration dates 

Today, organizations are faced with complex and fast moving challenges exacerbated by the very nature of rapidly expanding third party relationships.  The RSA Archer Third Party Catalog is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leadership with the most holistic understanding of risk facing the organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce the most effective return to the organization.

As your company drives business growth through an extended business ecosystem strategy, your risk management program must evolve and manage risk with more agility and integration than before. Managing third party risk and performance is one ingredient to showing real progress and improvement and decreasing business risk.  RSA Archer can help your organization better understand and manage its third party relationships on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

For more information, visit RSA.com or read the Datasheet.

Privacy Discussion Begins

I had the distinct pleasure Tuesday to sit in on a livestream of NIST Privacy Framework: Workshop #1. Hosted by the National Institute of Standards and Technology (NIST), Workshop #1 was the kickoff of an initiative NIST is leading to develop a voluntary privacy framework. Although the NIST Cybersecurity Framework has been hugely popular across industries, NIST feels that it does not adequately address privacy. NIST’s objective is to establish “a voluntary Enterprise Risk Management tool that organizations can pick up and use to manage privacy risk.” They have lofty goals that include producing a tool that can be used long into the future, encompasses emerging and unknown future technologies and uses of information, is as useful as the NIST CSF, and is broad enough to be consistent with existing privacy and risk management standards, where practical!

NIST recorded the three hour workshop and is going to make the recording available to anyone who wants to watch it. I encourage you to do so, as a lot of REALLY interesting concepts were discussed by some seriously qualified thought leaders in this space. I’m super “geeked out” about this material and excited to share with you what I found most interesting. None of this is final in any way, but it represents some of the conversations I found most compelling.

  • Privacy is defined by the harm, if any, inflicted upon an individual by the way their information is handled.
  • Harm is defined by each individual and may change over time.
  • One individual’s harm may be different than another individual’s harm and is almost certainly different from the harm to the business that was the source of the privacy-related harm to the individual.

I personally think it is brilliant to be defining privacy in terms of the harm that it presents to an individual.  However, it has significant risk management ramifications that will need to be worked out in the privacy framework.

Risk Management Ramifications of the NIST Privacy Framework 

Identification of Privacy Risk

Organizations will need to know everywhere they have information about individuals. The use of scanning tools will increase in order to find information across the enterprise. But the information you are looking for may not be the obvious: name, address, account number, account balance, health information, etc. The question may be: what information do we have about an individual that could be used in a way that brings about harm to that individual? You also have to ask: if we give any individual’s information to a third party, what could the third party intentionally or unintentionally do with the information that could harm the individual? Will third party assessments begin to include questions to find out what other information third parties might have that, combined with the information you are sharing with them, could cause harm to an individual?

Inherent Risk Assessments

Defining privacy in terms of harm to an individual will make inherent risk assessments more challenging and scenario-based.  You will most certainly need to think outside the box to consider all the different ways information you collect and handle could harm an individual. How will you determine whether your information collection, information handling and sharing with third parties, potential breaches and incident response will harm any individual and by how much?  Will you need to start asking individuals how they would feel if their information was breached or used in an unintended manner?  Will your organization need to periodically refresh its understanding of individual harm, particularly as new technologies and uses of information emerge?

You will need to stay abreast of every new and changed way information is collected, managed, shared with a third party, destroyed, etc. In each of these cases you will no doubt need to document what and why information is being collected, the information lifecycle from collection to destruction, the intended use of the information, and the numerous possible uses of the information that could cause harm to an individual, including through your extended third party ecosystem. 

If you do conclude that information you handle could cause harm to individuals, how will you rate the risk? What is the measure of harm: anything from financial loss, embarrassment, harassment, loss of time from unwanted marketing, blackmail, and psycho-social manipulation to physical harm and even death? Many of these kinds of harm do not readily translate into financial terms.

 

Residual Risk Assessments

With cyber security risk you apply appropriate organizational and technical measures to reduce the likelihood and / or impact of unauthorized access, alteration, or destruction of the information.  If privacy risk is defined as harm to individuals, you are no longer solely concerned with unauthorized access, alteration, and destruction: your intended and unintended uses of the information could also cause harm.  At a minimum, organizational controls will take on relatively greater importance to ensure you are effectively capturing and controlling residual risk.

 

Risk Evaluation

Let’s say that you do find a way to rate residual risk in terms of harm to individual(s).  Mature organizations that manage risk against risk appetites and tolerances will have to go back and look at those values and somehow incorporate harm to individuals.  How much harm and what type(s) of harm to individuals will organizations be comfortable with?

Summary

NIST is just beginning the process of developing a Privacy Framework and nothing is set in stone yet.  The privacy conversation is just beginning, but it benefits each of us and our organizations to try to shape the conversation so that any privacy framework published by NIST provides meaningful value without undue complexity and implementation heartburn.

2018 Gartner Integrated Risk Management

 

Gartner has named Dell / RSA Archer a Leader in its inaugural Integrated Risk Management Magic Quadrant published on July 16, 2018. This is just the latest in RSA Archer’s long history of a Leaders quadrant designation in Gartner Magic Quadrant reports, most recently including:

 

Shifting to Integrated Risk Management

In recent years, particularly among more mature GRC implementations, we believe Gartner saw that organizations were increasingly implementing multiple use cases to establish enterprise-wide risk management programs.  In 2017, we observed that Gartner began reframing its assessment of the GRC market, and of risk and compliance management-related solutions, in the context of Integrated Risk Management.

 

Gartner believes that “integrated risk management enables simplification, automation and integration of strategic, operational and IT risk management processes and data.” We feel Gartner’s depiction of integrated risk management brings together Digital Risk Management (DRM), Vendor Risk Management (VRM), Business Continuity Management (BCM), Audit Management (AM), Corporate Compliance Oversight (CCO), Enterprise Legal Management (ELM), IT Risk Management, and Strategic Risk Management, all around the hub of Operational Risk Management.

 Leaders Quadrant for RSA Archer

One of the greatest strengths of the RSA Archer Suite is enabling a customer to bring together and effectively integrate multiple use cases.  So to us it is no surprise that, among 16 vendors evaluated, Dell Technologies (RSA) was placed in the Leaders quadrant by Gartner.  RSA is pleased to be positioned, yet again, as a Leader in yet another Gartner Magic Quadrant.  We believe this Integrated Risk Management MQ report shows a very positive evaluation of the RSA Archer Suite.

Thank You to Our Customers!

We know that this Leader position could not have been achieved without the help and support of our customers, acting as critical references in Gartner's evaluation of the RSA Archer Suite.  Our sincerest thanks to all of you who have acted as a reference on our behalf!

 

The Future of GRC

The term “governance, risk, and compliance” has been fading in relevance over the past several years as organizations have matured their risk management programs.  Many of our customers have already implemented integrated risk management or enterprise risk management programs.  RSA, too, has embraced integrated risk management as a representation of how organizations should mature their risk management programs.  We have long acknowledged that information security professionals cannot be truly effective in their roles without embracing business risk management, and integrated risk management is a further evolution of this idea.  In the end, GRC is not dying; rather, it is evolving into IRM, a more meaningful approach that brings the whole organization together to consistently and effectively identify, assess, evaluate, treat, and monitor risk.

 

Magic Quadrant for Integrated Risk Management; Published: 16 July 2018; Analyst(s): John Wheeler, Jie Zhang, Earl Perkins

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from 2018 Gartner Magic Quadrant for Integrated Risk Management Solutions

 

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Remember the hullabaloo around GDPR?  Well, it went into effect a little over a month ago and already there is litigation pending with Supervisory Authorities in 4 EU countries!  The first complaints filed over privacy concerns covered by the EU regulation are aimed at several major companies, all of which are U.S. based.

 

The First GDPR Complaints

Complaints have been filed against several U.S. based companies.  The suits range in size from a single litigant to class actions representing 9,000 to 10,000 EU data subjects.  As these stories unfold, no one knows how the lawsuits will progress or whether any of these companies will be fined by an EU Supervisory Authority.  However, GDPR continues to be an initiative affecting many companies.

 

What we do know from these early lawsuits is three things:

  • U.S. companies are not going to be immune to GDPR litigation.
  • Even if no fines are levied, each of these companies must devote expensive legal resources to defending against these suits.
  • If you are a U.S. based company handling information about EU data subjects, you need to make sure you are ready for GDPR, including being able to demonstrate your compliance should an EU Supervisory Authority make an inquiry.

 

GDPR Preparation Basics

Every company has to consider the impact of the GDPR on its own business requirements and operations.  There are some basics that stand out as good fundamentals for GDPR efforts and privacy programs, in general.

 

Security Risk Assessment: Article 32 of the GDPR outlines appropriate elements of a security risk assessment process to ensure controls and risk are appropriately designed and implemented. An effective risk assessment process accelerates the identification of the linkage between risks and internal controls, reducing GDPR compliance gaps and improving risk mitigation strategies.

Breach Response: Article 33 of the GDPR outlines specific requirements for notification of a personal data breach to the supervisory authority.  Obviously, the goal of any security team is to prevent these kinds of breaches, but breaches can still occur.  Meeting the notification requirement will require a combination of processes and technical capabilities, including security incident management, security operations and breach management, as well as tools for deep monitoring and analysis of system-related security data such as system events, coupled with strong forensics capabilities.

Data Governance: The GDPR highlights that data governance is a crucial element of effective data management practices.  Organizations must protect personal data in a number of different ways, and must be able to demonstrate due diligence in keeping accurate records of processing activities.  A basic element of data governance is controlling who has access to personal data within the organization.  These requirements are in keeping with Identity and Access Management (IAM) and Data Governance best practices.

Compliance Program Management:  At the end of the day, GDPR is a regulatory issue.  A compliance program should provide the framework for establishing a scalable and flexible environment to document, manage and test your organization’s policies and procedures to comply with the GDPR.

Organizations with these basics in place can have a stronger foundation to address emerging issues, creating a more proactive and resilient environment while reducing the cost of GDPR compliance.

For more information, check out RSA's resources on GDPR - specifically this paper on GDPR Compliance.  For RSA Archer Community members, we have several Practitioner Tours highlighting the RSA Archer privacy use cases - Data Governance and Privacy Program Management.

The California Consumer Privacy Act is the latest addition to the privacy regulatory world, and it is stirring the conversation about protecting personal data even more.  I've been a huge fan of Saturday Night Live since the first time I saw it on TV.  One of its iconic recurring skits was “The Californians”, whose primary theme was explaining how to get from one place to another by using different California roads and highways.  As of last week, real Californians have a new topic to discuss that's a lot more serious: Information Privacy!  And the route by which organizations may need to proceed could have as many twists and turns as those classic SNL Californian skits.

 

What is the California Consumer Privacy Act?

On June 28, “The California Consumer Privacy Act of 2018” was signed into law, extending Californians' right to privacy.  This law strengthens rights of California residents already in place.  In 1972, California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people.  According to the California Consumer Privacy Act, “fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.”

 

Beginning January 1, 2020, the law provides for:

  • The right of Californians to know what personal information is being collected about them.
  • The right of Californians to know whether their personal information is sold or disclosed and to whom.
  • The right of Californians to say no to the sale of personal information.
  • The right of Californians to access their personal information.
  • The right of Californians to equal service and price, even if they exercise their privacy rights.
  • Businesses that collect consumer personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used and shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice.
  • A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer and the business shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.
  • Businesses that suffer a breach of security shall be deemed to have violated the Act and may be held liable if the business has failed to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal information from unauthorized disclosure.

What does the new California Privacy Law mean to businesses?

The first step, as with all new regulatory changes, is to engage with legal counsel to see how the law may affect your business.  According to the law, businesses that do not comply are subject to litigation and sanctions.  Any consumer whose nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of the business failing to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

  • To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
  • Injunctive or declaratory relief.
  • Any other relief the court deems proper.

In assessing damages, the court shall consider any one or more of the relevant circumstances, including, but not limited to, the nature and seriousness of the misconduct; the number of violations; the persistence of the misconduct; the length of time over which the misconduct occurred; the willfulness of the defendant's misconduct; and the defendant's assets, liabilities, and net worth.

 

In addition, any person, business, or service provider that intentionally violates the Act may be liable for a civil penalty of up to seven thousand five hundred dollars ($7,500) for each violation.

 

While the amounts involved may appear relatively immaterial, they will certainly be impactful in aggregate as the size of a breach grows.  Further, the ill will and reputation risk associated with breaches will be magnified due to press coverage around violating this Act.

 

Consumer Privacy

The concept that consumers own their information and have the right to control it is the front-and-center tenet of the California Consumer Privacy Act.  Businesses subject to this regulation have much work to do to ready themselves to accommodate consumer rights to receive notice, to inquire about the information, to refuse sharing, and to delete information.  At the same time, businesses handling consumer information must establish a program designed to ensure that reasonable security procedures and practices, appropriate to the nature of the information, are implemented and maintained to protect it from unauthorized disclosure.  As with most privacy-related regulations, the California Consumer Privacy Act will prompt businesses to adopt an ongoing, risk-based information security program across their extended enterprise.

 

No, this Act isn’t funny like SNL’s “The Californians” but it is already being touted as groundbreaking, and the most sweeping privacy legislation passed in the U.S. to date.

 

Check out RSA Archer's use cases that are designed to help organizations with privacy challenges: Data Governance and Privacy Program Management in the RSA Archer Regulatory and Corporate Compliance solution.

The Labor Shortage

If you haven't noticed yet, the U.S. economy is booming!  The U.S. unemployment rate reported for May stood at 3.8%.  Not too many years ago, 5% unemployment was considered by most economists to be full employment.  For information security teams, this translates into a huge labor shortage.  The Wall Street Journal recently reported that the “…demand for cybersecurity workers is outpacing supply by so much that by 2022, North America will have 265,000 more data-security jobs than skilled workers”.  And it's not just in North America.  The Australian press has reported that there is a serious talent war over the shallow pool of risk managers in Australia, while in the EU and U.K. the rise of the data protection officer is the hottest tech ticket in town as a result of the EU General Data Protection Regulation.

 

Going up: Data Breaches and Vulnerabilities

All of this demand for information security professionals coincides with a massive information security workload.

 

(1) The Breach Level Index indicates that breaches are continuing to grow nearly 100% per year.
(2) According to the NIST National Vulnerability Database statistics, vulnerabilities continue to increase dramatically in number and severity.

 

Accelerated Change

Executive leadership is rabid to go digital fast, and information security teams have to figure out how to keep up in order to protect the organization.  According to the KPMG 2018 Global CEO Outlook Survey:

  • Only 37% of companies, across all industries, have on average converted to digital.  That means there's still 63% to go.
  • 91% of U.S. CEOs are personally ready to lead a radical operating model transformation.
  • 59% believe agility is the new currency of business.

 

Information Security Governance Changing

The information technology talent shortage, coupled with increasing breaches, increasing vulnerabilities and accelerated change, has largely undermined the confidence CEOs have in their organization's information security programs.
These forces have led to greater scrutiny of information security by Executives and Boards of Directors, who are now mostly requiring that IT Security budgets be approved by them directly, while CTOs, CIOs, and CISOs appear to no longer have much autonomy over their budgets.

 

Not only is budget approval for information security programs being escalated higher in the organization, but leaders and boards want to know that the money they are allocating is having a positive impact.  A recent Deloitte poll of more than 1,130 C-suite and other executives indicated that 62.7% believe their Board of Directors will expect better reporting on the effectiveness of their cyber security program.

 

Where are all of the Security Professionals?

All of these factors are congealing into what I would call a mega trend for information security professionals.  The technical and human resource challenges of information security must be countered with smarter and more efficient risk management.  Risk management teams must adopt business context-based information security risk management to prioritize initiatives and communicate with the C-Suite and Board (RSA calls this Business-Driven Security), and they must implement tools across all aspects of information security risk management and governance that efficiently recapture precious time from each team member so that it can be reallocated to more important problems.  It is only in this way that information security leaders stand a chance of surviving this mega trend.

In my previous blog about cyber risk quantification and privacy, I suggested that there is a role for assessing risk using cyber risk quantification and assessing risk from a privacy orientation.  Let me explain further.  Cyber risk quantification is hugely important to an organization!  Cyber risk quantification is used to answer these kinds of questions:

  • What would be the monetary impact on the organization, if it experienced a cyber breach?
  • How much, in monetary terms, is risk reduced if a particular control is implemented?
  • What’s the monetary value of implementing this control over that control?
  • How much cyber insurance should be purchased to cover the organization’s cyber risk (what should be the dollar limit of the insurance policy on a single and aggregate loss basis)?

These are extremely important questions that every organization needs to answer.  When these questions can be answered in monetary terms, it is much easier for executives and the board to prioritize the allocation of scarce human and capital resources in the management and transfer of risk.

Privacy laws change the orientation of risk assessment from the impact of a cyber incident on the organization to an assessment of how the cyber incident would impact an individual.  Originally, privacy laws were very prescriptive about the obligations to individuals, as can be seen in these two regulatory obligations:

  • The Australian Privacy Principles state that an “entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorized access, modification or disclosure.”
  • Section 501 of the U.S. Gramm-Leach-Bliley Act states that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.

Contrast these rather prescriptive requirements with the EU General Data Protection Regulation, effective this May.

  • The EU-GDPR was designed to “protect [the] fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”

The EU General Data Protection Regulation broke from the older, more prescriptive, requirements of the Australian Privacy Principles and the U.S. GLBA, and expanded the scope to include “fundamental rights” of EU citizens.  In the United States, this would be analogous to equating GLBA with the Declaration of Independence, where you might end up with a privacy statement like “institutions have an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information so as to not infringe upon the individual’s unalienable right to life, liberty, and the pursuit of happiness.”

As I said, the EU-GDPR was designed to “protect [the] fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”  There happen to be fifty fundamental rights identified in the Charter of Fundamental Rights of the European Union.  Not all 50 of these fundamental rights could be infringed by poor information security, but a thorough risk assessment requires the assessor to evaluate the likelihood and impact that an information security incident could have on the individual's fundamental rights.

The change in orientation from assessing the impact of a breach on the organization to assessing the impact on the individual ultimately influences an organization's cyber risk appetite too.  An organization may have an appetite for $10 million in cyber breach-related costs but zero tolerance for an information security breach that could compromise the life and safety of employees.  Both risk appetite statements are perfectly logical.  However, assessing the risk requires two different but complementary approaches: Cyber Risk Quantification and Privacy Risk Assessment.

I have been obsessing over the question of whether cyber risk quantification, as we understand it today, can serve as a reasonable proxy in assessing risk associated with privacy regulations such as the EU General Data Protection Regulation.  The EU-GDPR says the obligation of companies is to “protect [the] fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”  Article 6 of the Charter of Fundamental Rights of the European Union states that one fundamental right is “the right to liberty”, which encompasses the concept of self-determination.

 

I am not at all confident that traditional cyber risk quantification is a suitable proxy for an individual’s privacy risk related to this fundamental right.  For example, a company might perform a quantified risk assessment of non-compliance with the EU-GDPR that concludes there is an 80% probability of a fine of 4% of global revenue + 10 million Euros of customer litigation.  This is a great approach if you need to understand the potential monetary impact to the organization for non-compliance but, if your intent is to truly comply with the law, it seems to me that you may have to take an individual-focused approach to risk assessment. 

 

In short, what is the risk to an individual's fundamental rights if they are subject to psychographic profiling by a company like Cambridge Analytica, for the purpose of manipulating public opinion that undermines the individual's right to self-determination?

 

After pondering this with a number of people, I think the answer is that different risk assessment approaches must be employed.  In those circumstances where you want to understand the monetary impact to the organization, you would use cyber risk quantification.  In those circumstances where you want to understand the impact to an individual, you must do the assessment from the individual's perspective.  This bifurcated approach will no doubt leave many organizations faced with circumstances where they have determined that the risk to the individual is great but to the organization, comparatively small.  

 

What do you think?

 

Here we are again, looking forward to another GREAT RSA Archer Summit, this time in Nashville, Tennessee, August 15-17, 2018.  Registration is already open and we would love to have you sign up to attend, but what we would love even more is for you to make a presentation at the conference so other customers can learn from you and your experiences using Archer to improve risk and compliance management.  You see, this is what really makes the RSA Archer Summit successful every year: customers like you who are willing to share proven best practices and techniques using Archer.  Download the form now to make a presentation!

 

Don’t forget, this is taking place in Nashville, TN!  I had the pleasure of attending a family reunion in Nashville a couple of years ago.  It was a blast.  Besides me vouching for Nashville, here are a few tidbits to further pique your interest:

 

In downtown Nashville in 1971, workers excavating the foundation of the First American Bank came across a cave system from the prehistoric era.  This cave system held the remains of a foreleg from Smilodon fatalis along with a nine-inch fang.  This is why the Nashville Predators ice hockey team's mascot is a saber-toothed tiger!

 

The Nashville Visitor website quoted Condé Nast Traveler as saying "There's enough going on [in Nashville] food-wise to warrant a trip solely for eating".  For example, the Pancake Pantry restaurant has a menu listing more than 20 melt-in-your-mouth pancake selections.

 

Lastly, the Nashville Chamber of Commerce states on their website: “With live music of every genre being performed any night of the week, more than 180 recording studios, and some 5,000 working musicians, Nashville is known the world over as Music City.” 

 

I’m here to tell you, between August 15-17, Nashville is going to be known the world over for something more than Music City.  It’s going to be known as the biggest and best Risk Management & GRC Summit in the world!

 

Be a part of the best Risk Management & GRC Summit by answering this call for speakers.  By presenting, you receive a complimentary pass to attend the Summit.  Sign up today; for more info see the RSA Archer Summit 2018 - Call for Speakers is Now Open blog.

 

I've been grappling the past couple of weeks with the definition of a third party.  Typically, we would say that a third party is an organization with whom you have entered into a contract to provide your organization a product or service.  In this sense the credit bureau Equifax is a third party to Financial Institutions (FIs) because the credit bureau is providing consumer credit scores to the FIs so they can make decisions on whether to extend credit to consumers.  And while almost every FI regularly reports to credit bureaus on the status of their customers' loan repayments (on time, past due, amount of credit extended, opening a new account, etc.), I would venture to guess that not many FIs seriously contemplated the broader threat they posed.  Similarly, all publicly traded companies were supplying confidential financial information to the SEC but probably didn't seriously consider the threats that extended beyond the simple delivery of financial information.

 

The significant risk emerging from these two scenarios is not that the FI's customer information supplied to Equifax was breached or that the publicly traded company's financial information was breached.  Rather, it is that once a credit bureau was breached, the probability and impact of future loan charge-offs from fraudulent loans, and of depositor reimbursements from unauthorized account takeover, increased.  And, in the case of the SEC, the real risk was not the unauthorized access to financial information but the effect of front-running on stock prices.

 

Are these examples of a new third party risk management paradigm, black swans, or just a call for more comprehensive third party risk assessment?  Both examples present information security risk, but in the case of the credit bureau it presents greater future credit and fraud risk, and in the case of the SEC it presents greater stock price risk.  If risk managers are to anticipate these kinds of risk, they need to apply broad-brush scenario analysis to understand the breadth and magnitude of risk.  Perhaps a simple questionnaire is no longer good enough to scope the range of risks to be considered when evaluating a third party.  As these examples illustrate, information security risk can be much more than unauthorized access to customer and company information.  It is the related business risk that emerges from the unauthorized access.  Let me know what you think.

Since 1930, the official State motto of Texas has been “Friendship”.  This is an apt description of the largest GRC user group in the world, RSA Charge, being held in Dallas, Texas, October 17 – 19. In a previous blog, Steve Schlarman shared an overview and highlights of this year’s event.

 

One of the event tracks this year is “Inspiring Everyone to Own Risk”.  This track brings together risk management practitioners across various industries and geographies to discuss the challenges and successes they have experienced managing risk using the RSA Archer Suite of solutions.  This track includes a representative sampling of subjects from each of the Enterprise and Operational Risk Management challenges, including: issues management, establishing and maintaining a risk taxonomy and risk register, self-assessments, engaging the lines of defense, third-party risk and performance management, and business continuity management.

 

We had a great pool of speaker submissions this year.  In some cases, like issues management and third-party risk management, we had so many submissions that we turned them into panel discussions so that you can benefit from the collective knowledge of multiple experts in these fields.

 

Combined with tracks at RSA Charge focused on regulatory and corporate compliance and information security management, practitioners have an opportunity to learn about each of the most important topics facing Operational Risk Managers today, including how to transform technology risk into Business-Driven Security.  In addition, you will have the opportunity to share ideas and learn from your peers, thought leaders, and specialists in these areas as well as see demonstrations of the RSA Archer Suite.  

 

For those of you that haven’t looked at the complete Agenda, you will find it full of great sessions. We have over 200 submissions from customers and partners, representing over 70 companies from a wide range of industries and geographies, along with a great representation of government agencies.

 

Yes, hosting RSA Charge in the State of Friendship is very apropos.  You will create and renew friendships with attendees with similar challenges and governance perspectives; learn new and innovative risk management methods; and affirm your best practice approaches.

 

We are looking forward to seeing you in Dallas!  If you haven’t registered, do so today.

 

RSA Charge 2017, the premier event on RSA® Business-Driven Security™ solutions, unites an elite community of customers, partners and industry experts dedicated to tackling the most pressing issues across cybersecurity and business risk management. Through a powerful combination of keynote speeches, break-out sessions and hands-on demos, you’ll discover how to implement a Business-Driven Security strategy to help your organization thrive in an increasingly uncertain, high-risk world. Join us October 17 – 19 at the Hilton Anatole in Dallas, Texas.
