On the heels of Forrester’s GRC Market Overview last month, this week we published my Governance, Risk, And Compliance Predictions: 2011 And Beyond report. Based on our research with GRC vendors, buyers, and users, this paper highlights the aggressive regulatory environment and greater attention to risk management as drivers for change.
Together they form what I’d call the “privacy GRC” market, where GRC stands for “governance, risk and compliance.” GRC makes up most of what privacy people do.
It’s not a big market. To put things into perspective, Gartner is only in its third year of analyzing the nascent IT GRC market. The privacy GRC market is at the moment no more than just a subset of that.
via Privacy software: Who are the early leaders? – Security & Email – PC World Business.
# The organization must understand which frameworks or framework elements are needed to address, at a minimum, the critical security concerns. When addressing control requirements, more is not necessarily better, and each additional control entity represents an investment in time, money, and effort.
# Choose a base framework to use. An organization should identify a base framework to contain the additional controls. This framework should be as broad as is viable, allowing for only minimal, more specific needs to be addressed.
# Break the identified framework elements down according to functional areas and combine controls into like families or tiers. Different frameworks often contain equivalent controls under different headings or focus areas. By understanding where the controls map to one another, existing controls can often simply be enhanced rather than having to add completely different compliance needs.
# Identify critical controls that address the most restrictive requirements. In many situations, there will be control objectives that must be accomplished, intermingled with additional categories that are simply “good-to-have”. The action items that are required for compliance needs should be categorized as more critical.
# Define control “numbering system” and nomenclature. For ease of evaluation and tracking, the combined framework elements should be indexed in a way that allows them to be viewed as parts of a whole. In addition, a formalized control language should be used to address concepts across the new framework, avoiding confusion as compliance efforts begin.
# Identify affected data. Just as it was necessary in the first step to identify which controls and frameworks were needed, it now becomes necessary to reverse the process, ensuring that every data element subject to the collected controls has been identified. The majority of this information was known at the start of the exercise, but a second look after consolidating the requirements often turns up additional data sources, repositories, and systems.
# Understand data flows. As critical as it is to understand the affected data elements, it is just as important to understand where those data elements reside and why. How the information is collected, processed, stored, and transmitted is essential to determining in-scope systems, applications, and processes that must adhere to the new framework.
# Formally define scope of data controlled by the frameworks. After identifying the data flow patterns and practices, a consolidated list of servers, systems, applications, processes, and governance items must be created and then reviewed against expected values.
# Reduce data scope aggressively. Each data control element is an investment in time, money, and effort. The same can be said for each element of the in-scope data that is addressed by the combined framework. Existing business processes and needs should be used to determine if data is being used or retained in inappropriate or unneeded areas. Where possible, data should be consolidated and purged, reducing the overall scope of control coverage, especially critical control requirements such as those brought on by legal or regulatory provisions. (Editor’s note: see Ben Rothke and David Mundhenk’s guidance on reducing PCI scope.)
# Classify affected data according to impact. Some controls will be identified as more critical, and the data elements associated with these will likewise be viewed as more sensitive. These classes of information assets should be classified and labeled to ensure that adequate attention is applied.
# Define data lifecycle elements based upon classification levels and requirements identified by various standards and practices. Once the combined framework controls are in place; the data is identified, scoped, and minimized; and classification levels have been established, a comprehensive data lifecycle program should be implemented. Through this process, end users can manage data elements, complying with the chosen control framework requirements without having to conduct extensive research into sometimes arcane control sets.
# Review existing infrastructure, policy, and procedure against the consolidated framework and data lifecycle requirements. Governance and operational resources must be reviewed against the newly developed framework and associated lifecycle elements. Where needed, changes should be made to support the new controls system.
# Implement consistent solutions across all data elements located within the tier. The supporting processes that enable the controls’ effectiveness should be viewed from the perspective of consistent, modular growth. Networks, systems, and management tools should be designed to scale or be replaced easily. Consolidated security programs (such as incident response, vulnerability management, and change management) and scheduled requirements (audits, penetration testing, vulnerability assessments, risk assessments, and reports) should be updated to address all required controls across the entire framework, resulting in a consistent, singular approach to compliance and readiness.
eGestalt has announced the availability of SecureGRC, a solution that provides an end-to-end integration of security monitoring with IT-Governance, Risk Management and Compliance (IT-GRC) management solutions using a cloud-based delivery model.
In my ongoing work with clients, I try as often as possible to stress the importance of flexibility in GRC programs. Internal processes and technology implementations must be able to accommodate the perpetually fluctuating aspects of business, compliance requirements, and risk factors. If GRC investments are made without consideration for likely requirements 1 to 2 years down the road, decision makers aren’t doing their job. And if vendors don’t offer that flexibility, they shouldn’t be on the shortlist.
In particular, the new rules require disclosures in proxy and information statements about:
* The relationship of a company’s compensation policies and practices to risk management.
The Department of the Interior has once again failed to comply with the Federal Information Security Management Act (FISMA) in fiscal 2009, the department’s inspector general said last week. A new IG report blamed a decentralized organizational structure, fragmented IT governance processes, lack of oversight, bureau resistance to departmental guidance, and the use of under-qualified personnel to perform significant IT security duties.
The role of the IT security professional has expanded from securing an enterprise’s information to also managing the associated risk. ISACA has responded by offering the new Information Security and Risk Management Conference, which combines the most timely material from two of ISACA’s well-regarded security-related conferences.
ISACA, a nonprofit association serving 86,000 IT governance professionals, will host the Information Security and Risk Management Conference in Las Vegas, Nevada, USA, on 28-30 September 2009. The all-encompassing event is designed for all levels of IT security professionals.
Top contenders in the IT governance, risk, and compliance market merged on Tuesday as Archer Technologies announced it is acquiring Brabeion Software. Forrester projected consolidation as a key GRC market trend for 2009, and we explored the issue further for IT GRC vendors in our report, “Consolidation Looms for the IT GRC Market.”
This was a strong move for Archer, as other, larger vendors are closely eyeing the IT GRC space for acquisition potential. Along with the acquisition of Paisley by Thomson Reuters last month in the Enterprise GRC space, this is just the beginning of what’s to come over the next 12-18 months. The GRC market as a whole is extremely broad and ripe for growth, but it is also crowded with niche vendors. Market leaders and enormous outsiders will be eager to scoop up as much of the pie as possible, which means more deals are on the way.
Mumbai, December 5, 2008 (AllPayNews.com): PayMate, a pioneer in introducing innovations in the m-commerce sector, has been upgraded from the PCI DSS 1.1 certification awarded last year to PCI DSS 1.2 certification by leading PCI DSS QSA ControlCase. PayMate achieved the latest certification after a rigorous audit process, reflecting its focus on offering m-commerce customers a safe ecosystem for mobile transactions.
Data security is typically a concern for customers making payments over the mobile platform. The PayMate service, however, enables consumers to shop with their mobile phones securely, whether across the counter, online, or remotely. Each PayMate transaction over automated IVR is protected by two-factor authentication: the customer’s mobile number and the m-PIN. Upgrading to PCI DSS 1.2 certification demonstrates PayMate’s continued commitment to protecting customer account data throughout the transaction process as well as in storage.
Ajay Adiseshann, MD and Founder, PayMate, said “Being in the payments industry, it is imperative that we maintain the highest data and security standards at all times. More importantly, it is crucial that we update ourselves periodically to remain compliant with the changing policies and guidelines of the payments industry. With the PCI-DSS 1.2 certification, we can continue aggressively with our national and global expansion plans by providing our customers and partners with a highly secure and robust payments platform.”
Commenting on the achievement by PayMate, Mr. Erik Winkler, Senior VP – ControlCase, said that “our involvement with PayMate as QSA (Qualified Security Assessor) for PCI DSS for the last two years has been extremely satisfying, as PayMate has demonstrated its commitment at all levels in not only maintaining PCI DSS but also taking action to ensure that it is continuously compliant with new changes and any updates to the standard.”
“Becoming compliant with PCI DSS 1.2 is a testament that PayMate has an advanced methodology for corporate governance,” said Suresh Dadlani, COO of ControlCase.
The PayMate service enables consumers to shop with their mobile phones in a convenient and safe manner, whether across the counter, online, remotely, or over automated IVR.
PayMate India is a Mumbai-based wireless transactions platform provider, the first-of-its-kind mobile payment service in India. PayMate is an innovative, easy, secure and convenient mode of making payments through the mobile phone.
PayMate has created a viable ecosystem that enables wireless transactions connecting banks, switches, merchants and customers using a simple, secure and seamless technology. It is an IVR-based solution that transforms your phone into a wallet. It works on any handset without the need to upgrade the SIM or GPRS connectivity.
PayMate is accepted at over 13,000 merchants in India, including online portals, voice portals, travel services, utilities, retail outlets, and restaurants. PayMate has not only created one of the world’s largest m-payment ecosystems but has also won several globally coveted awards for its innovative initiatives. PayMate has been acknowledged as one of the top 100 most innovative companies by Red Herring Asia for two consecutive years. Moreover, PayMate’s list of security certifications includes the most stringent of compliance standards, such as PCI DSS 1.2, certifying its systems and infrastructure as among the best in the world.
PayMate has tied up with a number of business entities like Standard Chartered Bank, ABN AMRO Bank, Bank of Ceylon, Citibank, Euronet, Corporation Bank and US based leading service provider – Infonox. It is steadily broadening its portfolio with several other MNC and PSU banks and retail merchants. PayMate has already tied up with over 12 banks to offer its services in India, USA, Sri Lanka, Nepal and Dubai.
PayMate has reversed the outsourcing trend by offering its unique patented wireless application suite to empower one of the largest electronic transaction processing companies in the US.
For more information log on to www.paymate.co.in
For further information please contact:
Aakash Shah @ Perfect Relations, Tel: 9819182755