Cutting the Cost of Compliance without Compromising Security
Profile: Lumension is the leading provider of operational endpoint management and security solutions that help protect your vital information and manage your critical risk across network and endpoint assets.
Five Ways to Reduce Your Audit Tax: Taxes are certainly not fun, but there is something worse: an audit. Combine the two in a risk and compliance scenario and you have the onerous "audit tax," a figurative term used to describe the expenses a company incurs when deploying resources and manpower to satisfy the burgeoning set of internal and external compliance and audit mandates. The good news is that there are ways to reduce the audit tax burden. This whitepaper outlines five methods organizations should consider to streamline their compliance efforts and thereby reduce their audit tax.
IT GRC: Managing Risk, Improving Visibility, and Reducing Operating Costs: For all organizations with current or planned initiatives in the area of IT governance, risk management, and compliance (IT GRC), this report describes the policy, planning, process, and organizational elements of successful implementations. Companies with top results position themselves to make better-informed business decisions, in the context of the organization's requirements for compliance and also their appetite for risk.
Reducing the Cost of Achieving PCI Compliance with Lumension® Compliance and IT Risk Management: This whitepaper examines PCI DSS and explains how Lumension® Compliance and IT Risk Management can help organizations reduce the cost of addressing compliance by streamlining and automating the IT audit process, unifying control and compliance frameworks, automating assessment and remediation processes, and enabling continuous monitoring of their compliance and IT risk management posture.
Reduce the Cost of Achieving HIPAA Compliance with Lumension Solutions: Healthcare organizations face a host of HIPAA Security Rule compliance challenges with the move to put patient medical records online. Lumension helps organizations address these compliance challenges by providing the proactive risk management and the required audit readiness to meet many aspects of the HIPAA Security Rule.
Achieving NERC Cyber Security Standards Compliance with Lumension: The North American Electric Reliability Corporation (NERC) is a non-profit corporation chartered to ensure that the bulk electric system in North America is reliable, adequate and secure. Lumension addresses NERC compliance challenges and ensures audit-readiness by delivering end-to-end vulnerability management, endpoint protection and data protection solutions.
Massachusetts Data Protection Law: By January 1, 2010, all organizations with operations and/or customers in the state of Massachusetts will be required to follow comprehensive information security requirements regarding both paper and electronic records containing personal information. These requirements include enforcing password security, encrypting all personal information stored on laptops and removable devices, and ensuring up-to-date firewall protection, operating system patches and the latest versions of security agent software. Read this whitepaper to learn how your organization can meet the necessary requirements and improve its security practices.
Denise Vu Broady: Denise is SAP's VP of Strategic Applications. She runs the SAP CFO Center of Excellence, a cross-solution team responsible for enabling customers to use SAP technology and products to transform the Office of the CFO. She has business development responsibility for the entire CFO portfolio of solutions, including Governance, Risk & Compliance (GRC); Enterprise Performance Management (EPM); and Spend Optimization. Denise has over 11 years of SAP-related experience. At SAP she has specialized in bringing new products to market; Denise played a central role in the launch of xApps, NetWeaver, Payroll Change Management, GRC and EPM. She came to SAP via the acquisition of TopTier where she was Product Manager. Earlier in her career, Denise gained hands-on SAP experience as a consultant on multiple R/2 and R/3 technical and functional projects. Denise has a BS in Management Science and Marketing from Virginia Tech and resides in New York City.
Holly A. Roland: Holly is the vice president of marketing for SAP's Governance, Risk and Compliance (GRC) business unit. In this role, she is responsible for product strategy and marketing for SAP's GRC products. Holly created the industry-leading executive advisory board for GRC, composed of customers, partners, and SAP executives, which facilitates collaboration among business executives and industry leaders to identify common GRC challenges, develop GRC best practices, and conceive of supporting technology solutions. Holly was instrumental in the integration of Virsa Systems and the successful design and execution of SAP's GRC product launch in 2006. She publishes articles and serves as an expert speaker for international events and forums on GRC topics. Holly has more than 15 years of experience in financial accounting and reporting, regulatory compliance, business analytics, and enterprise software marketing and development. Prior to joining SAP, she led product strategy, marketing, and product management operations at Virsa Systems, Oracle Corporation, Hyperion Solutions, and Movaris. Holly also served as a public accountant for PricewaterhouseCoopers, where she audited large public companies and provided business consulting. Holly graduated cum laude from Santa Clara University with a BS in Commerce. She is based in SAP Labs in Palo Alto, California.
Introduction
About This Book
Foolish Assumptions
How This Book Is Organized
Part I: Governance, Risk, and Compliance Demystified
Part II: Diving into GRC
Part III: Going Green
Part IV: Managing the Flow of Information
Part V: The Part of Tens
Glossary
Icons Used in This Book
Where to Go from Here
Part I: Governance, Risk, and Compliance Demystified
Chapter 1: The ABCs of GRC
Getting to Know GRC
Getting in the Business Drivers' Seat
Getting Motivated to Make the Most of GRC
Complying with financial regulations
Failing an audit
Experiencing a rude awakening
Going from private to public
Managing growth
Taking out an insurance policy
Managing risk
Reducing costs
Struggling with the high volume of compliance
Introducing the GRC Stakeholders
GRC stakeholders inside a company
GRC stakeholders outside a company
Understanding GRC by the Letters
Governance
Risk
Compliance
C Is for Compliance: Playing by the Rules
Controls: Mechanisms of compliance
Domains of compliance
R Is for Risk: Creating Opportunity
G Is for Governance: Keeping Focused and Current
Hitting the Audit Trail
Designing Your Approach to GRC
After the rush to clean up
Stages of GRC adoption
What GRC Solutions Provide
Chapter 2: Risky Business: Turning Risks into Opportunities
Discovering Enterprise Risk Management
Defining Risk
Ignoring Risk (At Your Peril)
Sorting Through the Approaches to Risk Management
The ad hoc approach
The fragmented approach
The risk manager's job approach
The systematic, enterprise-wide approach
A cultural approach
Identifying the Critical Components of a Successful Risk Management Framework
A culture that takes risk seriously, from the C-suite down
A risk management organization: Distributing responsibility throughout the culture
A systematic framework in place
Technology that creates a risk picture
Taking the Four Steps to Enterprise Risk Management
Risk planning
Risk identification and analysis
Risk response
Risk monitoring
Analyzing What Went Wrong: When Risk Becomes Reality
Automating the Risk Management Cycle
Taking the SAP Approach: SAP GRC Risk Management
SAP GRC risk management and key risk indicators
Monitoring risks and key risk indicators with SAP GRC Risk Management
Using SAP GRC Risk Management: A Fictional Case Study
Where should we produce?
Using SAP Risk Management: An SAP Case Study
Gleaning the Benefits of SAP GRC Risk Management
Chapter 3: Governance: GRC in Action
Getting to Know Governance
Gleaning the Benefits of Good Governance
Drafting Governance Blueprints
Creating a Framework for Great Governance
Evaluating Your Governance Framework
From a strategic and operational perspective
From a legal and regulatory compliance perspective
Hurdles to Instituting and Maintaining a Good Framework
Avoiding GRC silos
Making GRC strategic
Justifying the cost of GRC
Applying GRC too narrowly
Setting up checks and balances
Making the Argument for Automation
The SAP Approach: Integrated Holistic IT for GRC
Coming to Grips with Governance
Part II: Diving into GRC
Chapter 4: How Sarbanes and Oxley Changed Our Lives
Figuring Out Whether SOX Applies to You
Discovering Why SOX Became Necessary
Who Are Sarbanes and Oxley, Anyway?
Breaking Down SOX to the Basics
Sections 302 and 906: Threatening management with a big stick
Section 404: Ensuring a healthy immune system
What does Section 404 mean for business?
Information Technology: SOX in a Box
IT frameworks: Your template for compliance
COSO's control framework
The SOX ripple effect
Paying Up: What's SOX Going to Cost You?
SOX Costs Then
SOX Costs Now
Setting the Record Straight
Other Laws You Need to Know About
We're All In This Together: Convergence
Japan's J-SOX
Australia's CLERP-9
Canada's C-11
Basel II
Sorting Out the Benefits of SOX
Chapter 5: Fraud, Negligence, and Entropy: What Can Go Wrong and How to Prevent It
Defining Fraud
Motivations for fraud
Sowing the seeds of fraud
Some common examples of fraud
The Barings Bank scandal: Operations risk extraordinaire
Negligence: More Likely Than Fraud
Entropy: Errors, Omissions, and Inefficiencies
Cleaning Up: The Mop-Up Operation
Thinking like an auditor
Making the computer your auditor
Chapter 6: Access Control and the Role of Roles
Understanding Access Control and Roles
Getting a Handle on Access Control
Users and permissions
The roles revolution
How Access Control Got Messy
Every user is different
Virtual things are hard to track
IT and business don't speak the same language
Exceptional circumstances dictate exceptional access
Large scale increases complexity
Getting Clean
Figuring out where you stand
Staying Clean
Managing Exceptional Access
The SAP Approach: SAP GRC Access Control
Where Do You Go from Here?
Chapter 7: Taking Steps toward Better Internal Controls
Understanding Internal Controls
Exploring the Benefits of Better Controls
Benefit one: Business process improvement
Benefit two: Management by exception
Benefit three: Real-time monitoring
Benefit four: Mindset changes
Seeing How Automating Controls Makes Things Easier
Taking Five Steps to Better Internal Controls
Documentation: The mapping exercise
Testing: Real-time and historical
Remediation: Fixing the problem
Analysis: Reports for management
Optimization: Barring risk
Getting to Know the SAP Approach: SAP GRC Process Control
Single system of record
Continuous monitoring
Out-of-the-box monitoring
End-to-end internal controls
Chapter 8: It's a Small World: Effectively Managing Global Trade
Understanding Four Reasons Why Global Trade Is So Complex
Long supply chains
New regulations and security initiatives
Modernization of government IT systems
Increasing complexity of regulations
Figuring Out the Complexities of Importing
Classifying an item: What is it?
Making way for the goods: Pre-clearance
Making it through: Clearing Customs
Reconciling value: The step most often missed
Getting the lead out: Brand protection
Making Sure You're Complying with All 19,391 Exporting Restrictions
Knowing who you're dealing with
Obtaining the right export licenses
Knowing how the product will be used
Taking Advantage of the System: Trade Preference Management
Discovering the Different Ways to Manage Global Trade
Using the SAP Approach: SAP GRC Global Trade Services
Part III: Going Green
Chapter 9: Making Your Company Environmentally Friendly
Discovering the Three Ps of Going Green: People, Processes, and Products
Going Green: It's Not Just for Tree-Huggers Anymore
Understanding Why Your Company Should Go Green
Going Green Is Good Business
Enhance your image
Build trust with regulatory authorities
Influence future events
Implementing Green Practices
Trees matter
Let there be (green) light!
Water: To bottle or not to bottle?
Reduce your risk
Going Green Is also the Law
Compliance
Risks of noncompliance: Fines and public relations nightmares
A Final Word About Going Green
Chapter 10: Keeping Employees Healthy and Safe
Keeping Your Employees Safe and Healthy: The Big Picture
Enabling and maintaining good health
Avoiding accidents
Healthy benefits equal employee recruitment retention
Moving Down the Road to Zero Accidents
Organizing and managing a comprehensive health and safety program
Assessing risks
Standardizing your procedures
Managing accidents
Inspecting your sites and creating new safety measures
Educating your employees
Making the Case for Automation and Integration
Taking the SAP Approach to Employee Health and Safety
The Occupational Health module
The Industrial Hygiene and Safety module
Chapter 11: Making Your Business Processes Environmentally Friendly
Discovering Ways in which All Companies Can Go Green
Reducing Your Energy Use and Costs
Building, Renovating, and Cleaning with Sustainable Resources and Materials
Begin at the beginning with green design
Pick the right spot
Crunch your numbers
Make friends with your site plan
Reduce unnecessary strains on your HVAC
Exploit the advantages of technology
Command the water
Use green and recycled building materials
Build smart, build green
Renovate green
Clean green
Recycle
Reducing travel
Getting LEED Certified
Assessing Your Environmental Risks
Greening Manufacturing
Green legislation
EPA Clean Air Act
EPA Clean Water Act
Waste Electrical and Electronic Equipment (WEEE)
Adopting Green Practices for Manufacturing
Establish an energy management program
Reduce emissions
Reduce waste
Deal with hazardous substances
Optimize occupational health
Promote industrial hygiene and safety
Ensure product safety
Taking the SAP Approach to Making Your Processes Environmentally Friendly
SAP Environmental Compliance
SAP Waste Management: A core component of SAP Environment, Health, and Safety
Chapter 12: Making Your Products Environmentally Friendly
Discovering What It Takes to Make Products Environmentally Friendly
Figuring Out What Your Materials Are and What They Do
Defining hazardous materials
Defining dangerous goods
Realizing the Benefits of Compliance
The benefits of complying
The risks of failing to comply
Using Hazardous Materials Responsibly
Customer compliance management
Supplier compliance management
Compliance reporting
Comprehensive task management
Working with Hazardous Materials
Packing
Materials communications
Transporting materials
Keeping Up with Materials Legislation
Toxic Substances Control Act (TSCA)
Registration, Evaluation, Authorization of Chemicals (REACH)
Reduction of Hazardous Substances (RoHS)
Exploring the SAP Approach to Product Compliance
Compliance for Products by TechniData (CfP)
SAP EH&S
Part IV: Managing the Flow of Information
Chapter 13: Sustainability and Corporate Social Responsibility
Discovering the Great Power and Responsibility of Big Companies
Getting the Lowdown on Sustainability
Discovering Why Sustainability Is Good Business
Managers recognize sustainability as a top priority
Stakeholders exert pressure
Sustainable businesses have better access to capital
Government regulations increasingly require it
Sustainability helps you manage risk
CSR protects your brand image
It helps you attract and keep the best employees
CSR is ethical
It helps business planning and innovation
CSR increases profits
Discovering the Possible Downside of CSR
Managing Sustainability Performance
The current reporting process is a mess
New tactics are required
Discovering Why an Automated Solution Is Needed
Sustainability reporting is a recurring problem
Huge amounts of data are involved
Integration is a plus
Automation creates supply chain transparency
Automation means auditability
Automation yields analytics and benchmarks
An IT solution speeds distribution of data
Chapter 14: IT GRC
Getting a Handle on What IT GRC Is
Understanding IT Governance in Terms of Risk and Compliance
In terms of risk
In terms of compliance
Keeping up with the pace of change
Securing Your Software Applications
Taking basic application security measures
Consolidating security solutions
Making friends with the IT department
Keeping the Kimono Closed: Data Privacy
Protecting Key Corporate Assets: Intellectual Property
Cinching Up the Kimono
Leveraging the network
Other ways data can walk away
Protecting IT assets
Communication
Chapter 15: Turning On the Lights with GRC and CPM
Turning On the Lights with CPM
Making the Case for CPM and GRC Integration
Understanding obstacles to integration
Instrumenting the enterprise
Collecting the payoff from CPM and GRC integration
Supplier concentration
Loan processing
Seeing CPM and GRC Integration in Practice
The intersection of actuals
Strategy, risk, and planning
Governance and strategy
Discovering the Reusable Technology of GRC
Repository
Document management
Case management
Workflow
Process modeling
Policy engine
Rule engine
Controls
Reporting
Standardized interfaces to components
Composite apps on the platform
Part V: The Part of Tens
Chapter 16: Top Ten GRC Strategies
Evaluate Which of the Most Prevalent GRC Issues Apply to You
Adopt Best Practices
Implement Key GRC Strategies
Set Yourself Up for Success
Watch Out for Danger Signs
Define GRC Roles and Responsibilities
Shake Down the People Who Know
Move to Strategic Adoption of Automated Controls
Adopt Strategies for Cleaning Up Access Control
Getting Your GRC Project Going and Keeping It Going
Chapter 17: Ten Best Practices in Global Trade
Automate or Else
Don't Go to Pieces
Make Sure You Can Trust Your Partners
Avoid Importing Delays
Get On Board with the Government's High-Tech Documenting Processes
Know Who is Allowed at the Party
Know Who You're Shipping to
Get the Right Licenses
Take the Free Money
Leave a Paper Trail
Chapter 18: Ten Groups of GRC Thought Leadership Resources
GRC Resources
Web sites
Blogs
Online journals
Risk Resources
Web sites
Blogs
Books
SOX Resources
Web sites and forums
Books
Financial Compliance Resources
J-SOX
Basel II
Foreign Corrupt Practices Act
Access Control and Process Control Resources
Web sites
Articles
Wikis
IT GRC Resources
Blogs
Global Trade Resources
Web sites
Blogs
Employee Health and Safety Resources
Web sites and online journals
Blogs
Articles
Going Green Resources
Web sites
Wikis
Articles
Blogs
Books
Sustainability Resources
Web sites
Articles
Blogs and books
Glossary
Index