Governance, Risk and Compliance News
  • Big Steps Toward Managing Security and Compliance for Virtual Infrastructure

    by Steve Schlarman – September 1, 2010

    This week, the industry celebrates one of the most influential and explosive technologies in the world of information systems: virtualization. At VMworld 2010, the focus on virtualization across the enterprise and cloud computing highlights some of the most interesting and impactful technologies our industry is using. We have had several previous blog posts on the cloud computing trend in terms of Governance, Risk and Compliance. The combination of traditional physical data center structures, virtual data centers and cloud services is something that we, as GRC professionals, need to keep deepening our knowledge of. The VMworld conference is one of those opportunities where we get glimpses into the future of information systems and are challenged to mature our GRC processes and approaches so that our organizations can leverage this exciting technology while keeping the risks inherent in all new business opportunities in check.

    One of the major challenges of virtualization is in the definition of controls that are cognizant of the nuances and dimensions of the new virtual world. In conjunction with our RSA, EMC and VMware colleagues, we have just completed the documentation of technical control procedures for VMware as part of the RSA Archer eGRC Content Library. Technical control procedures for the VMware platform were developed based on the vSphere 4.0 Security Hardening Guide April 2010 and other generally accepted industry best practices.

    The approximately 130 controls and associated Question Library content provide a comprehensive, end-to-end framework for establishing a baseline secure configuration of a virtualized infrastructure and, where possible, automating and reporting on the measurement of that configuration. This configuration baseline status monitoring can be complemented with relevant security events if the RSA enVision SIEM product is also deployed. The controls were developed by a team of platform experts from EMC, RSA and VMware. In addition to these control procedures, the team is extending the controls into automated testing scripts and other tools to drive the controls all the way through testing and verification.

    The definition of technical controls—documented configuration settings and baselines—is a key part of the IT-GRC process. These controls define not only the expected configurations within the environment but also should directly guide audit, compliance and security assessments. Getting the technologists across the enterprise on the same page when it comes to technical controls is a big step toward a consistent, efficient, controlled infrastructure.

    The VMware technical control procedures will be made available in the coming weeks as part of RSA’s continually growing eGRC Content Library. For more information, watch for the Content Library updates this quarter.

  • Roadshow Radio: Tune in Today!

    August 30, 2010

    As we accelerate toward the 2010 RSA Archer eGRC Roadshow this fall, we invite you to tune into Roadshow Radio. In our first episode, listen as Annie Rector, senior events manager for RSA, provides an overview of what you can expect from these free, value-packed user group meetings.

    Tune in by visiting the RSA Archer eGRC Roadshow landing page and clicking the Roadshow Radio play button in the right column. We hope you enjoy the show!  

    And don’t forget to register for the RSA Archer eGRC Roadshow stop near you. Registration is currently open for the following cities:

    • Kansas City – September 16
    • Chicago – September 17
    • Denver – September 22
    • Louisville – November 1
    • Atlanta – November 2
    • Charlotte – November 12
    • Toronto – November 17
    • Boston – November 18
    • Seattle – December 7
    • San Diego – December 14
    • Los Angeles – December 16

    If you have any questions about the Roadshow, email us at events@archer-tech.com.

  • RSA Solution for Cloud Security and Compliance

    August 30, 2010

    Today at VMworld 2010 in San Francisco, EMC unveiled the RSA Solution for Cloud Security and Compliance for comprehensively managing security, risk and regulatory compliance of cloud infrastructures, helping increase customer confidence to virtualize business-critical applications.

    “Security is a top concern organizations have about moving critical business applications to the cloud,” said Jon Oltsik, Principal Analyst at the Enterprise Strategy Group. “Even with all the benefits cloud computing provides, CIOs will continue to be wary until there is a way to manage security and compliance with the same level of assurance that is available today with physical data center environments. With today’s announcement, EMC has made an important first step in addressing this fundamental concern with security in today’s growing virtualized and cloud infrastructures.”

    Featuring an easy-to-use dashboard based on the RSA® Archer™ eGRC platform, the solution is designed to give organizations a complete assessment of their security and compliance posture across their VMware virtual infrastructure. This allows customers to centrally manage security across both virtual and physical infrastructures using RSA Archer.

    The dashboard integrates with a library of more than 100 VMware-specific controls, such as administrative authentication, that map to the most current global regulations such as PCI DSS and HIPAA to ensure best practices for deployment. The solution also integrates with the RSA® enVision security information and event management platform to provide a more comprehensive assessment of security events from across the enterprise.

    If you’d like to learn more about the RSA Solution for Cloud Security and Compliance, visit the following resources:

    • Video Demo on YouTube
    • Solution Brief on Cloud Security and Compliance
    • Video Interview with RSA Leadership on YouTube

    Also stay tuned here on the RSA Archer Blog for more commentary on managing security and compliance across your physical and virtual infrastructure.

    Posted Aug 30 2010, 12:37 PM by Sarah Nord with no comments
  • RSA Archer Incident Management Webcast

    Prioritize, investigate and resolve incidents across your enterprise.

    Register today to learn how RSA Archer Incident Management streamlines the complete case management lifecycle for cyber and physical incidents and ethics violations that impact your business.

     Discover how RSA Archer Incident Management enables you to:

    •  Centralize incident data and control access
    •  Track incidents and ethics violations in real time
    •  Manage the investigation process, implement response procedures and track incident resolution
    •  Monitor incident status and impact
    •  Report on incident management activities
    •  Ensure regulatory compliance

    Prioritize. Investigate. Resolve. Register today to learn how!

    Thursday, September 2  |  1-2 p.m. US Central  |  2-3 p.m. US Eastern

    Posted Aug 27 2010, 02:30 PM by Demian Tallman with no comments
  • Live from the IIA GRC Conference

    by Jason Rohlf – August 25, 2010

    Greetings faithful readers! I’m writing to you from the beautiful Breakers Hotel in West Palm Beach, Florida, site of the Institute of Internal Auditors’ 2010 GRC Conference. As is often the case with my blogs, here’s a little history lesson: The hotel was originally built in 1896 by Standard Oil Company magnate Henry Flagler. After the hotel burned down in 1903, it was rebuilt and reopened in 1904, when rooms were going for $4 per night, including three meals. Um, let’s just say the times (and prices) have changed a bit, but much of the hotel’s rich heritage has been lovingly maintained and is prominently featured throughout the resort.

    I consider myself fortunate on two fronts: being able to have such fine accommodations and having the opportunity to attend a conference with a fine professional organization like the IIA. I’ve been an IIA member for some time now and have faithfully read their publications, attended and taught at seminars and leveraged the knowledge they provide to their members in the spirit of their motto “Progress through Sharing”. Today my boss, the legendary David Walter, left me a voicemail asking me if I was on the beach, having a massage or enjoying a leisurely breakfast. I know what you’re thinking – how dare I ignore my boss’s call! Well, I was too wrapped up in the excellent presentation being given by James D. Ratley, President of the Association of Certified Fraud Examiners, to take David’s call. When we finally connected, I joked that I had actually been receiving a massage on the beach while eating breakfast and therefore couldn’t take his call. All joking aside, he wanted to see how things were going and, more importantly, just how “geeked out” I was by the conference.

    I understand that the term/acronym “GRC” is viewed by many as a buzzword or a marketing tool, but based on the sessions I’ve participated in and the conversations I’ve had, GRC is nothing of the sort. It’s a collection of closely interrelated processes, initiatives, challenges and opportunities that are prominent in the minds of the internal audit community. I am very pleased to see the IIA assemble such a strong curriculum focused on governance, risk and compliance, with tracks assembled to address:

    • Internal Audit’s role in risk management
    • Fraud
    • Regulatory, legislative and compliance concepts, and
    • Governance insights

    I don’t know about you, but this tells me that GRC is not just a concept, but something that’s been woven into the fabric of what the internal audit profession strives to represent. I have attended many of these sessions and each one has been packed with excellent information from very knowledgeable presenters and with equally poignant questions and insights from the attendees. I’ve also been very pleased to see that internal auditors are not only keenly aware of their need to expand their risk focus beyond traditional financial compliance controls, but they also understand that leveraging technology to support continuous auditing and monitoring activities is widely viewed as a critical future competency of an effective audit practice. If nothing else, the conference has helped validate the research we’ve been performing and the conclusions we’ve reached about the challenges the profession faces and the opportunities it has to elevate its stature within the organizations it serves.

    So to answer David’s question – I am extremely geeked out by this conference, and I’m even more geeked out by the way the internal audit profession is embracing the challenge of being a trusted business advisor and an essential enabler of effective GRC programs.

    Posted Aug 25 2010, 08:28 AM by Sarah Nord with no comments
  • RSA Archer Business Continuity Management Webcast

    Ensure your ongoing operations with a 3-in-1 business continuity management solution. 

    Register today to learn how to centralize and automate your approach to business continuity, disaster recovery and crisis management with the RSA Archer Business Continuity Management solution. See how this 3-in-1 solution enables you to:

    • Consolidate business continuity and disaster recovery plans, business processes, impact analyses and recovery procedures.
    • Evaluate the criticality of business processes and supporting technologies through online assessments.
    • Ensure rapid access to business continuity and disaster recovery plans in the event of a crisis or business disruption.
    • Centralize reporting and management of crisis events that affect employees, customers, stakeholders and mission-critical operations.
    • Tie business continuity activities into your enterprise governance, risk and compliance program.

    Prepare. Respond. Protect. Register today to learn how.

    Thursday, August 26 | 1-2 p.m. US Central | 2-3 p.m. US Eastern

    Posted Aug 20 2010, 03:32 PM by Demian Tallman with 3 comment(s)
  • IIA GRC Conference: Visit the RSA Archer Team

    August 20, 2010

    Will you be attending the Institute of Internal Auditors Governance, Risk and Compliance Conference next week? If so, we invite you to stop by booth #19 to visit with Jason Rohlf and Josh Reid from the RSA Archer eGRC team.

    IIA GRC Conference
    August 23–25, 2010
    The Breakers in Palm Beach, FL
    RSA Booth #19

    A primary focus of the 2010 IIA GRC Conference will be Audit’s role in Risk Management. Jason and Josh look forward to speaking with you about how our customers are implementing RSA Archer Audit Management to enable risk-based, business-aligned internal audit. Whether you’d like to see a solution demo or just have a conversation, the RSA Archer team looks forward to seeing you there!

  • Making Sense of GRC: The Case for Business Context

    by David Walter – August 19, 2010

    Throughout our lives, we all have to make decisions without all the relevant facts. Sometimes our instincts guide us in the right direction, and sometimes we just get lucky. But there are also those decisions that blow up in our faces. For an example, look no further than the thousands of homeowners who purchased their dream homes at the height of the housing boom, only to find themselves in a nightmare scenario months later when the market tanked and they went upside-down in their mortgages.

    While we’ll never have a crystal ball that helps us see clearly into the future, we’d all like to have the facts—and just the relevant facts—when we’re faced with an important decision. But in this age of information explosion, it’s a major challenge to sift through the constant influx of data, most of which is completely immaterial. Consider this statistic presented by Eric Schmidt, CEO of Google: “Every two days now, we create as much information as we did from the dawn of civilization up until 2003.” While we may not be able to avoid the barrage of information that floods our minds and our inboxes on a daily basis, we can strive to filter out the excess and make sense of what’s left.   

    But to do this, we need context.

    From a governance, risk and compliance (GRC) perspective, it starts with understanding what’s important to the business:

    • What are the business processes that directly support our corporate objectives?
    • What people, information and applications support those critical processes?
    • And what are the risks to our people, information, applications and processes that may prevent us from achieving our corporate objectives?

    Our customers rely on RSA Archer eGRC Solutions to answer these very questions. To put it simply, RSA Archer is a repository of what’s important to people. It helps our customers put risks, threats, incidents and compliance deficiencies into business context so they can prioritize their response and focus on what’s most significant to the organization.

    Here’s just one example: Every business has intellectual property that it needs to protect, and this data may be stored and used across the global enterprise. How do you know who should be looking at this information? What movement of the information is safe and appropriate? What do you do if the information is compromised? To answer these questions, you must have business context:

    • Who manages the information and who needs to access it?
    • What business processes does the data support and what regulations impact the data?
    • When is the information accessed?
    • Where is the data accessed and where is it moved?
    • Why is it necessary to store the information?

    Using RSA Archer, organizations can manage a repository of information assets and perform online assessments to determine classification ratings and required retention periods. They can also link information assets to the business processes they support, the applications where they are managed, the facilities where they are housed, and the owners and custodians of the information. Based on these relationships, RSA Archer automatically generates a criticality rating for each information asset.

    When a log management or data loss prevention system identifies a potential compromise of sensitive information and those events are passed into RSA Archer, both IT and business users have the context they need to respond appropriately. Events that impact critical information assets will receive prioritized attention, and appropriate users are notified of their responsibilities for issue analysis and remediation.

    As a division of EMC, RSA is ideally positioned to deliver value to our customers by providing business context for governance, risk and compliance activities. EMC is renowned for its expertise in collecting data, giving it context, and presenting it to users in a way that’s easy to digest and manage. As we continue to enhance the RSA Archer eGRC Platform capabilities, we’ll maintain our focus on helping customers make sense of complex information, prioritize risks and issues, and allocate resources effectively to protect what is most important to their business.

    Posted Aug 19 2010, 12:18 PM by Sarah Nord with 1 comment(s)
  • RSA Archer Policy Management Webcast

    Build your governance, risk and compliance program on a firm foundation.

    Register today to learn how the RSA Archer Policy Management solution can help you centrally manage policies, map them to objectives, and promote awareness to support a culture of corporate governance.

    Thursday, August 19, 2010 | 1-2 p.m. US Central | 2-3 p.m. US Eastern

    Register now!

    Posted Aug 13 2010, 09:03 AM by Demian Tallman with 1 comment(s)
  • RSA Archer eGRC Roadshow: Register Today!

    August 11, 2010

    Registration is open for the 2010 RSA Archer eGRC Roadshow! We’ll be traveling the country and crossing the globe to bring the governance, risk and compliance discussion to you.

    Join us in your city of choice to:

    • Engage with fellow risk and compliance experts and connect with the RSA Archer eGRC team
    • Learn about updates to RSA Archer solutions, content, integrations and platform capabilities
    • See how your peers are solving business challenges and moving up the eGRC maturity curve
    • Extend your network in the Archer eGRC Community

    The agenda for the RSA Archer eGRC Roadshow is packed with client case studies, product tours and much more. Registration is currently open for the following cities:

    • Kansas City – September 16
    • Chicago – September 17
    • Denver – September 22
    • Atlanta – November 2
    • Charlotte – November 12
    • Toronto – November 17
    • Boston – November 18
    • Seattle – December 7
    • San Diego – December 14
    • Los Angeles – December 16

    We’ll announce several additional Roadshow stops around the globe, so stay tuned to the Archer eGRC Blog for more information. If you have questions about any of our Roadshow stops, email events@archer.com.

    We look forward to connecting with you on the road!

    Posted Aug 11 2010, 03:12 PM by Sarah Nord with 1 comment(s)