<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://www.archer.com/blog/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Archer : Archer Experts</title><link>http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Experts/default.aspx</link><description>Tags: Archer Experts</description><dc:language>en</dc:language><generator>CommunityServer 2007 SP2 (Build: 20611.960)</generator><item><title>Sharing is Caring</title><link>http://www.archer.com/blog/blogs/archer/archive/2010/09/09/sharing-is-caring.aspx</link><pubDate>Thu, 09 Sep 2010 19:05:00 GMT</pubDate><guid isPermaLink="false">370e7019-5312-4d7a-9692-5ea1ca6b874d:11925</guid><dc:creator>Sarah Nord</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.archer.com/blog/blogs/archer/rsscomments.aspx?PostID=11925</wfw:commentRss><comments>http://www.archer.com/blog/blogs/archer/archive/2010/09/09/sharing-is-caring.aspx#comments</comments><description>&lt;p&gt;&lt;em&gt;by Jason Rohlf, September 9, 2010&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/bbeec5a0-f2c9-4c42-853d-81618ef4088e.ashx" target="_blank"&gt;&lt;/a&gt;&lt;img style="WIDTH:115px;HEIGHT:168px;" align="left" src="https://community.archer-tech.com/blogs/attachment/bbeec5a0-f2c9-4c42-853d-81618ef4088e.ashx" width="115" height="168" alt="" /&gt;Parenting certainly has its ups and downs. One of the ups for me is having the chance to teach my kids something they’ve never known before. For instance, the other day I taught my 4½-year-old son that any game of tag worth playing doesn’t involve “goal.” And yesterday I taught my 2-year-old daughter how to crack an egg without making (much of) a mess. Sometimes teaching my kids the finer points in life can be somewhat of a struggle. A good example is the concept of sharing. My son, being a big, brave preschooler and part-time superhero, certainly understands the concept…that is until he is faced with the prospect of sharing something with his little sister. Likewise, my daughter is sweet as pie, yet she’s not always so keen on making nice with her big brother. In these situations, my wife and I always try to instill in them a simple yet important lesson—sharing is caring.&lt;/p&gt;
&lt;p&gt;And we try, and try, and try. She wants to color, so he decides to swipe the crayons. She is not happy and expresses this by leveraging every cubic millimeter of her lung capacity. “Sharing is caring” we say. He gets a handful of vanilla wafers and she wants to help herself to a few, but he’s not very excited to give up his tasty treat. “Sharing is caring” we plead. She comes home from daycare with the stomach flu and promptly spreads the joy among the entire family. “Sharing is caring” we groan.&lt;/p&gt;
&lt;p&gt;Sadly, the reluctance to share the things we think are good (like crayons and vanilla wafers) and, in some cases, our eagerness to share the things that are not (like stomach flu) don’t always stay back in the pre-Kindergarten years where they belong. I don’t know about you, but I’ve encountered more than my fair share of professionals suffering from adult-onset stinginess. I like to think of myself as above such things, but the fact of the matter is that I too have fallen victim to my overprotective nature.&lt;/p&gt;
&lt;p&gt;This is not to say that letting some knowledge you possess remain a mystery to others is inherently wrong. We all know that the Colonel has his secret blend of 11 herbs and spices, and we’re just fine with that. It is the right of every company and every individual to guard trade secrets, patents, copyrights, trademarks and the like from those who do not have proper rights to them. Protecting one’s intellectual property is not only understandable, it’s good business practice. The trouble comes when the information that could (and frankly should) be shared is critical or essential to the party that’s not privy to the information.&lt;/p&gt;
&lt;p&gt;As I am apt to do, I will relate this concept to my experience as an internal auditor. I have been (and continue to be) fortunate to work with many very intelligent, professional and generous people. However, I can also vividly recall situations where certain individuals or departments that I ran afoul of adopted the mentality that their knowledge was their power and theirs alone, and that sharing that knowledge would somehow diminish their own worth. Whether this knowledge represented a progress report on their portion of the project we were working on together, the whereabouts of a critical piece of audit evidence or details of a serious policy violation, the fact that this knowledge was not shared inevitably resulted in some negative consequence (some obviously more severe than others).&lt;/p&gt;
&lt;p&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/8ed09c0e-35dc-43cc-a8d6-1b8b32477b02.ashx" target="_blank"&gt;&lt;/a&gt;It is with these hard lessons in mind that I hosted the recent RSA Archer Audit Management Working Group session, where we discussed how internal audit functions communicate and share information with other risk and assurance functions. Honestly, I think I selected the topic after a particularly trying negotiation session with my kids that may or may not have involved a pair of salad tongs. I braced myself for the horror stories of greedy coworkers stockpiling knowledge in their bomb shelters of insecurity, as if preparing for some cataclysmic GRC Armageddon.&lt;/p&gt;
&lt;p&gt;Imagine my pleasant surprise when I found that all of the Working Group participants indicated that their internal audit departments found that their risk and assurance counterparts were not only willing to share information, they were downright proactive about it. The group agreed that it’s good for all parties responsible for managing risk to know what’s happening in the business and what threatens the company’s objectives, and to come to some common understanding about what the various risk and compliance ratings mean to the organization as a whole. If multiple assessors are evaluating risks and sharing the results, the company is also more likely to identify outliers in the process. Keep in mind that being an outlier doesn’t necessarily make one incorrect. It could actually represent a situation where someone who deems a risk to be more or less severe than the rest of the group may hold some specific knowledge that the rest of the group did not have. An organization that doesn’t collect and share multiple perspectives on its risk profile doesn’t give itself the opportunity to identify such situations.&lt;/p&gt;
&lt;p&gt;&lt;img style="WIDTH:401px;HEIGHT:315px;" align="right" src="https://community.archer-tech.com/blogs/attachment/8ed09c0e-35dc-43cc-a8d6-1b8b32477b02.ashx" width="401" height="315" alt="" /&gt;We also discussed that it’s not just the responsibility of other risk and assurance functions to share their knowledge with internal audit. By being forthright about their evaluation and rating processes, the IA department can gain credibility with these risk and assurance functions, as well as the process owners they are responsible for assessing. The more transparent internal audit can be about their methods, the more willing the rest of the business will be to offer them a seat at the table when it comes time to discuss the organization’s strategic direction. We did recognize as a group that internal audit must take great care when determining what to share…and what not to share. This concept of sharing the right information with the right groups at the right level represents an immense challenge for all companies and their GRC practitioners, so the more internal audit can use its position in the organization to facilitate the process, the better off it will be for the organization as a whole.&lt;/p&gt;
&lt;p&gt;Despite the ongoing sibling struggles in my household, it does warm my heart when I can catch my kids happily sharing their toys, stories and laughs with one another. It also gives me great satisfaction to see that GRC professionals realize the value of sharing risk information with others in their organization in the name of continuously improving their organization’s potential for success. In this case, sharing is indeed caring.&lt;/p&gt;
&lt;p&gt;If you’re interested in hearing more about this concept of coordinating information and objectives among audit, risk and compliance teams, I invite you to join me for a live webcast on September 16. This event will feature a discussion with &lt;a href="http://www.corp-integrity.com/analysts/bio_michael_rasmussen.html" target="_blank"&gt;Michael Rasmussen&lt;/a&gt;, a leading GRC authority, who will share his insights on the changing role of internal audit in an evolving risk and regulatory landscape. One of our clients, Andy Weeks, will also discuss his organization’s use of RSA Archer as the platform for their audit, risk and compliance program. &lt;/p&gt;
&lt;p&gt;Here are the event details:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;font size="3"&gt;&lt;a href="https://archer-tech.webex.com/archer-tech/onstage/g.php?t=a&amp;amp;d=557862314&amp;amp;SourceId=Blog"&gt;Audit Webcast&lt;/a&gt;&lt;br /&gt;&lt;/font&gt;&lt;/strong&gt;Thursday, September 16&lt;br /&gt;2-3 p.m. Eastern | 1-2 p.m. Central&lt;/p&gt;
&lt;p&gt;Lastly, I invite you to check out our new &lt;a href="http://www.archer.com/solutions/demoregistration.asp?downloadType=videodemo&amp;amp;video=Audit%20Management"&gt;Audit Management video&lt;/a&gt; in which David Walter, our Director of eGRC Solutions, describes how you can manage the complete audit lifecycle, enabling improved governance of ongoing audit-related activities, data and processes without the limitations of manual or stand-alone solutions. &lt;/p&gt;&lt;img src="http://www.archer.com/blog/aggbug.aspx?PostID=11925" width="1" height="1"&gt;</description><enclosure url="http://www.archer.com/blog/blogs/attachment/8ed09c0e-35dc-43cc-a8d6-1b8b32477b02.ashx" length="86665" type="image/x-png" /><enclosure url="http://www.archer.com/blog/blogs/attachment/bbeec5a0-f2c9-4c42-853d-81618ef4088e.ashx" length="24008" type="image/x-png" /><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Experts/default.aspx">Archer Experts</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+News/default.aspx">Archer News</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Audit+Management/default.aspx">Audit Management</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/GRC/default.aspx">GRC</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Jason+Rohlf/default.aspx">Jason Rohlf</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Webcast/default.aspx">Webcast</category></item><item><title>Risk-Based, Business-Aligned Internal Audit - Join Our Upcoming Webcast</title><link>http://www.archer.com/blog/blogs/archer/archive/2010/09/07/Audit-Management-Webcast.aspx</link><pubDate>Tue, 07 Sep 2010 19:42:00 GMT</pubDate><guid isPermaLink="false">370e7019-5312-4d7a-9692-5ea1ca6b874d:11912</guid><dc:creator>Sarah Nord</dc:creator><slash:comments>0</slash:comments><wfw:commentRss 
xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.archer.com/blog/blogs/archer/rsscomments.aspx?PostID=11912</wfw:commentRss><comments>http://www.archer.com/blog/blogs/archer/archive/2010/09/07/Audit-Management-Webcast.aspx#comments</comments><description>&lt;p&gt;&lt;strong&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/838459df-7640-4304-8316-ed2cf475b0e9.ashx" target="_blank"&gt;&lt;img border="0" src="https://community.archer-tech.com/blogs/attachment/838459df-7640-4304-8316-ed2cf475b0e9.ashx" alt="" /&gt;&lt;/a&gt;&amp;nbsp;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Expectations have never been higher for the internal audit profession. Do you have the tools to succeed?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Join us for a live, interactive webcast to learn how RSA Archer Audit Management can help you move toward a risk-based, business-aligned internal audit program—a true value-added service for your organization.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;font size="3"&gt;&lt;a href="http://www.archer.com/events/webcasts/audit/index.html"&gt;Audit Management Webcast&lt;br /&gt;&lt;/a&gt;&lt;/font&gt;&lt;/strong&gt;Thursday, September 16&lt;br /&gt;2–3 p.m. US Eastern&lt;br /&gt;1–2 p.m. US Central&lt;/p&gt;
&lt;p&gt;You&amp;#39;ll hear why a Fortune 100 healthcare company selected RSA Archer as the technology platform for its audit, risk and compliance program. &lt;a href="http://www.oceg.org/" target="_blank"&gt;OCEG&lt;/a&gt; Fellow &lt;a href="http://www.corp-integrity.com/analysts/bio_michael_rasmussen.html" target="_blank"&gt;Michael Rasmussen&lt;/a&gt; will also provide an industry perspective on the role of internal audit in an evolving risk and regulatory landscape.&lt;/p&gt;
&lt;p&gt;Then Jason Rohlf, eGRC solution manager, will take you on a&amp;nbsp;tour of &lt;a href="http://www.archer.com/solutions/audit_management.html"&gt;RSA Archer Audit Management&lt;/a&gt;. Jason will demonstrate how you can:&amp;nbsp;&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;•&amp;nbsp;Risk assess your audit universe&lt;br /&gt;•&amp;nbsp;Align audit projects with strategic business objectives&lt;br /&gt;•&amp;nbsp;Manage the complete audit lifecycle with process automation&lt;br /&gt;•&amp;nbsp;Deliver business-relevant reporting&lt;br /&gt;•&amp;nbsp;Coordinate with other risk and assurance functions&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Can’t join us? You’re in luck. The Audit Management webcast will be recorded, and you can access it by emailing us at &lt;a href="mailto:marketingcommunications@archer-tech.com"&gt;marketingcommunications@archer-tech.com&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Solution Sneak Peek&lt;/strong&gt;&lt;br /&gt;If you’d like to take a brief tour of the Audit Management solution prior to the webcast, we invite you to watch our &lt;a href="http://www.archer.com/events/webcasts/audit/index.html"&gt;new video demo&lt;/a&gt;. You’ll see how RSA Archer Audit Management puts you in control of the complete audit lifecycle, enabling improved governance of ongoing audit-related activities, data and processes without the limitations of manual or stand-alone solutions.&lt;/p&gt;
&lt;p&gt;&lt;/p&gt;&lt;img src="http://www.archer.com/blog/aggbug.aspx?PostID=11912" width="1" height="1"&gt;</description><enclosure url="http://www.archer.com/blog/blogs/attachment/838459df-7640-4304-8316-ed2cf475b0e9.ashx" length="64173" type="image/x-png" /><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Events/default.aspx">Archer Events</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Experts/default.aspx">Archer Experts</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+News/default.aspx">Archer News</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Audit+Management/default.aspx">Audit Management</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Jason+Rohlf/default.aspx">Jason Rohlf</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Webcast/default.aspx">Webcast</category></item><item><title>Big Steps Toward Managing Security and Compliance for Virtual Infrastructure</title><link>http://www.archer.com/blog/blogs/archer/archive/2010/09/01/big-steps-toward-managing-security-and-compliance-for-virtual-infrastructure.aspx</link><pubDate>Wed, 01 Sep 2010 13:43:00 GMT</pubDate><guid isPermaLink="false">370e7019-5312-4d7a-9692-5ea1ca6b874d:11886</guid><dc:creator>Sarah Nord</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.archer.com/blog/blogs/archer/rsscomments.aspx?PostID=11886</wfw:commentRss><comments>http://www.archer.com/blog/blogs/archer/archive/2010/09/01/big-steps-toward-managing-security-and-compliance-for-virtual-infrastructure.aspx#comments</comments><description>&lt;p&gt;&lt;em&gt;by Steve Schlarman – September 1, 2010&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/c16b7b88-68de-4a28-991c-8c5bf823cbaa.ashx" target="_blank"&gt;&lt;/a&gt;&lt;img style="WIDTH:114px;HEIGHT:165px;" align="left" src="https://community.archer-tech.com/blogs/attachment/c16b7b88-68de-4a28-991c-8c5bf823cbaa.ashx" width="114" height="165" alt="" /&gt;This week, the industry celebrates one of the most influential and explosive technologies influencing the world of information systems: Virtualization. At &lt;a href="http://www.vmworld.com/community/conferences/2010/" target="_blank"&gt;VMworld &lt;/a&gt;2010, the focus on virtualization across the enterprise and cloud computing highlights some of the most interesting and impactful technologies that our industry is utilizing. We have had several previous blog posts regarding the cloud computing trend in terms of Governance, Risk and Compliance. The combination of traditional physical data center structures, virtual data centers and cloud services is something that we, as GRC professionals, need to continue to expand our knowledge on. The VMworld conference is one of those opportunities where we get glimpses into the future of information systems and are challenged with maturing our GRC processes and approaches to help our organizations leverage this exciting technology while keeping those risks inherent in all new business opportunities in check.&lt;/p&gt;
&lt;p&gt;One of the major challenges of virtualization is in the definition of controls that are cognizant of the nuances and dimensions of the new virtual world. In conjunction with our &lt;a href="https://community.archer-tech.com/controlpanel/blogs/www.rsa.com" target="_blank"&gt;RSA&lt;/a&gt;, &lt;a href="https://community.archer-tech.com/controlpanel/blogs/www.emc.com" target="_blank"&gt;EMC&lt;/a&gt; and &lt;a href="https://community.archer-tech.com/controlpanel/blogs/www.vmware.com" target="_blank"&gt;VMware&lt;/a&gt; colleagues, we have just completed the documentation of technical control procedures for VMware as part of the &lt;a href="http://www.archer.com/solutions/content_library.html"&gt;RSA Archer eGRC Content Library&lt;/a&gt;. Technical control procedures for the VMware platform were developed based on the vSphere 4.0 Security Hardening Guide April 2010 and other generally accepted industry best practices. &lt;/p&gt;
&lt;p&gt;The approximately 130 controls and associated Question Library content provide a comprehensive, end-to-end framework for providing a baseline secure configuration of a virtualized infrastructure and, where possible, automating and reporting upon the measurement of that configuration. This configuration baseline status monitoring may be complemented with relevant security events should the &lt;a href="http://www.rsa.com/node.aspx?id=3170" target="_blank"&gt;RSA enVision&lt;/a&gt; SIEM product be deployed also. The controls were developed by a team of platform experts from EMC, RSA and VMware. In addition to these control procedures, the team is extending the controls into automated testing scripts and other tools to drive the controls all the way through testing and verification.&lt;/p&gt;
&lt;p&gt;The definition of technical controls—documented configuration settings and baselines—is a key part of the IT-GRC process. These controls define not only the expected configurations within the environment but also should directly guide audit, compliance and security assessments. Getting the technologists across the enterprise on the same page when it comes to technical controls is a big step toward a consistent, efficient, controlled infrastructure. &lt;/p&gt;
&lt;p&gt;The VMware technical control procedures will be made available in the coming weeks as part of RSA’s continually growing eGRC Content Library. For more information, watch for the Content Library updates this quarter.&lt;/p&gt;&lt;img src="http://www.archer.com/blog/aggbug.aspx?PostID=11886" width="1" height="1"&gt;</description><enclosure url="http://www.archer.com/blog/blogs/attachment/c16b7b88-68de-4a28-991c-8c5bf823cbaa.ashx" length="9513" type="image/gif" /><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Experts/default.aspx">Archer Experts</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+News/default.aspx">Archer News</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Compliance/default.aspx">Compliance</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/GRC/default.aspx">GRC</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Security/default.aspx">Security</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Steve+Schlarman/default.aspx">Steve Schlarman</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Virtualization+_2600_amp_3B00_+Cloud/default.aspx">Virtualization &amp;amp; Cloud</category></item><item><title>Take the OCEG GRC Maturity Survey</title><link>http://www.archer.com/blog/blogs/archer/archive/2010/08/04/take-the-oceg-grc-maturity-survey.aspx</link><pubDate>Wed, 04 Aug 2010 19:35:00 GMT</pubDate><guid isPermaLink="false">370e7019-5312-4d7a-9692-5ea1ca6b874d:11615</guid><dc:creator>Sarah Nord</dc:creator><slash:comments>2</slash:comments><wfw:commentRss 
xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.archer.com/blog/blogs/archer/rsscomments.aspx?PostID=11615</wfw:commentRss><comments>http://www.archer.com/blog/blogs/archer/archive/2010/08/04/take-the-oceg-grc-maturity-survey.aspx#comments</comments><description>&lt;p&gt;&lt;em&gt;&lt;font color="#336699"&gt;by David Walter – August 4, 2010&lt;/font&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/7784e4c4-fdf4-4156-ab84-d5412722f44b.ashx" target="_blank"&gt;&lt;/a&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/b3e12250-bd62-4d9b-956f-dfbfc6444184.ashx" target="_blank"&gt;&lt;/a&gt;&lt;img style="WIDTH:115px;HEIGHT:161px;" align="left" src="https://community.archer-tech.com/blogs/attachment/b3e12250-bd62-4d9b-956f-dfbfc6444184.ashx" width="115" height="161" alt="" /&gt;As a member of the &lt;a href="http://www.oceg.org/" target="_blank"&gt;Open Compliance and Ethics Group (OCEG)&lt;/a&gt;, RSA is happy to keep you posted on OCEG activities of general interest to the &lt;a href="https://community.archer-tech.com/" target="_blank"&gt;Archer eGRC Community&lt;/a&gt;. With this in mind, I’d like to invite you to participate in &lt;a href="http://oceg.grcmaturity.sgizmo.com/" target="_blank"&gt;&lt;strong&gt;OCEG’s 2010 GRC Maturity Survey&lt;/strong&gt;&lt;/a&gt; about the state of GRC in your organization. &lt;/p&gt;
&lt;p&gt;According to OCEG, “This benchmarking study offers an opportunity to learn how your organization compares to others that are addressing the need for integration of governance, risk management and compliance efforts. With only 15 minutes of your time, you will address questions about the state of GRC in your organization today, GRC organization and oversight structure, benefits from integration (and negative effects of siloed operations) and use of technology to support GRC.” &lt;/p&gt;
&lt;p&gt;OCEG will present the results of the 2010 GRC Maturity Survey at the upcoming &lt;a href="http://www.oceg.org/event/grc360-executive-forum" target="_blank"&gt;GRC360° Executive Forum&lt;/a&gt; in the Netherlands, October 4–5. A summary of survey findings will also be available on the OCEG web site.&lt;/p&gt;
&lt;p&gt;The &lt;a href="http://oceg.grcmaturity.sgizmo.com/" target="_blank"&gt;OCEG GRC Maturity Survey&lt;/a&gt; is open through &lt;strong&gt;September 10, 2010&lt;/strong&gt;. We hope you’ll participate and forward the survey to your colleagues as well.&lt;/p&gt;&lt;img src="http://www.archer.com/blog/aggbug.aspx?PostID=11615" width="1" height="1"&gt;</description><enclosure url="http://www.archer.com/blog/blogs/attachment/b3e12250-bd62-4d9b-956f-dfbfc6444184.ashx" length="23307" type="image/x-png" /><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Experts/default.aspx">Archer Experts</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+News/default.aspx">Archer News</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/David+Walter/default.aspx">David Walter</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/GRC/default.aspx">GRC</category></item><item><title>Taking the Mystery out of Internal Audit</title><link>http://www.archer.com/blog/blogs/archer/archive/2010/08/04/taking-the-mystery-out-of-internal-audit.aspx</link><pubDate>Wed, 04 Aug 2010 17:51:00 GMT</pubDate><guid isPermaLink="false">370e7019-5312-4d7a-9692-5ea1ca6b874d:11613</guid><dc:creator>Sarah Nord</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.archer.com/blog/blogs/archer/rsscomments.aspx?PostID=11613</wfw:commentRss><comments>http://www.archer.com/blog/blogs/archer/archive/2010/08/04/taking-the-mystery-out-of-internal-audit.aspx#comments</comments><description>&lt;p&gt;&lt;em&gt;&lt;font color="#336699"&gt;by Jason Rohlf – August 4, 2010&lt;/font&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/daa71fc1-4db9-4e76-beb9-d1897b1feade.ashx" target="_blank"&gt;&lt;/a&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/21ffa38a-51d2-402b-8763-4e033cfd18b3.ashx" target="_blank"&gt;&lt;/a&gt;&lt;img style="WIDTH:115px;HEIGHT:168px;" align="left" src="https://community.archer-tech.com/blogs/attachment/daa71fc1-4db9-4e76-beb9-d1897b1feade.ashx" width="115" height="168" alt="" /&gt;“If you continue building, you will live…”&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;When I was in 4th grade, my parents took us on a family trip to visit my uncle in California. This was pretty exciting for me considering it was my first time leaving Illinois to visit a state that wasn’t Wisconsin, Indiana or Michigan. Being 10 years old at the time, I had a very different perspective on life than I do now. However, three highlights of the trip for 10-Year-Old-Me still stand out as wonderful memories all these years later: experiencing the great city of San Francisco (which I still love to this day), meeting the great Clint Eastwood in Monterey (I was so excited that I could barely speak) and visiting one of my all-time favorite attractions, the &lt;a href="http://www.winchestermysteryhouse.com/index.cfm" target="_blank"&gt;Winchester Mystery House&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/daa71fc1-4db9-4e76-beb9-d1897b1feade.ashx" target="_blank"&gt;&lt;/a&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/21ffa38a-51d2-402b-8763-4e033cfd18b3.ashx" target="_blank"&gt;&lt;/a&gt;&lt;img style="WIDTH:284px;HEIGHT:231px;" align="right" src="https://community.archer-tech.com/blogs/attachment/21ffa38a-51d2-402b-8763-4e033cfd18b3.ashx" width="284" height="231" alt="" /&gt;I am a bit of a history geek (OK, I’m just a geek, but history is one of my geekier areas of geekdom), so it makes sense that I would love a place like the Winchester Mystery House. A little history—&lt;a href="http://en.wikipedia.org/wiki/Sarah_Winchester" target="_blank"&gt;Sarah Winchester&lt;/a&gt; was married to &lt;a href="http://en.wikipedia.org/wiki/William_Wirt_Winchester" target="_blank"&gt;William Wirt Winchester&lt;/a&gt;, inventor of the Winchester Rifle, commonly known as “The Gun that Won the West.” Upon her husband&amp;#39;s death, Mrs. Winchester inherited his vast fortune, earning the equivalent of $1,000 per day in the days before income tax, and she used a good deal of it to build herself a mansion outside of San Jose, California. Mrs. Winchester had a reputation as being quite eccentric (which we all know means “crazy with money”), and after her husband’s death in 1881, she visited with a Medium who convinced her that she was being stalked by the spirits of those that had died at the hand of her husband’s invention (legend has it that the quote leading off this blog was spoken by that Medium). In an attempt to ward off these spirits, Mrs. Winchester employed construction crews to work on her home 24 hours a day, 7 days a week. Not only that, but her instructions to the crew were to modify her home in such a way that these spirits would be so confused and confounded trying to navigate her home that they wouldn’t have the time or energy to haunt her. 
So the crews built a multitude of oddities into her home: stairways that went into the ceiling, doors that opened into brick walls, secret passageways, elevator shafts with no elevator, dead-end hallways and so on. Her attempts to baffle the spirit world carried on until her death in 1922.&lt;/p&gt;
&lt;p&gt;When I think back to being 10 years old, I distinctly remember how much fun I had on that tour, volunteering to test every stairwell, every door, every hallway because I was curious to know what must have been going through the minds of those tortured souls who sought their revenge on the woman who had profited from their demise. As with most museums, there were various placards containing information about the oddities we were observing, and as part of the tour we were provided with a map that told us about every attempt to fool the spirit world. More importantly, the placards and map gave us insight into how Mrs. Winchester was able to maneuver through the various peculiarities the crews had built into her home in the hopes of sparing herself the displeasure of a good old-fashioned haunting.&lt;/p&gt;
&lt;p&gt;I know what you’re thinking: “How is this guy going to segue from a mad woman’s scheme against the spirit world to internal audit?” Well, you’re probably only thinking this if you’ve never read my postings before. As I relate this seminal childhood experience to the challenges facing the internal audit profession, I can’t help but draw a number of parallels. &lt;/p&gt;
&lt;p&gt;Lurking within every company (the mansion) is a Rogue’s Gallery of risks (ghosts, spooks and spirits). Company Management (Sarah Winchester) directs their staff (the construction crews) to design and implement controls to address these risks (maps of the property, architectural oddities to confuse spirits). In order to properly assess the effectiveness of management’s system of controls, internal audit (the Medium) must develop a detailed understanding of the threats to the company’s objectives (living a haunt-free lifestyle). Simply testing controls that you’ve always tested, as has often been the case in recent compliance-heavy years, does not provide the company with an adequate level of assurance in the face of changing or emerging risks. For example, if you constantly validated that a stairway did indeed lead up to the ceiling without considering that 1) the existing ghosts may have gotten wise to your plan or 2) new, more clever ghosts may have inhabited the mansion, you would gain false assurance that this stairway could help ensure a haunt-free lifestyle. It is internal audit’s responsibility to constantly reevaluate the risk landscape and understand the threat that these risks pose to the company. &lt;/p&gt;
&lt;p&gt;So as the Medium in this scenario, internal audit would channel the spirit world to determine who the ghosts were, what their intention was and how likely they were to cause a great deal of consternation for their key stakeholder (Mrs. Winchester). Once the threat is better understood, internal audit would consult management, who could in turn instruct their staff to take the proper steps to improve their controls (maybe by building a twisting hallway that leads into a brick wall). In addition, recent studies by the IIA and Big Four consulting firms alike point out that internal audit must improve and expand its risk focus beyond the strict focus on financial controls that has gripped auditors during the Sarbanes-Oxley era. By focusing your attention on only one subset of risks, you cannot provide your organization with the level of assurance it needs and expects. Or to put it another way, while you may be able to tell Sarah Winchester that everything is just fine and dandy in the parlor, she may still get the scare of her life when she ventures up to the fourth floor ballroom.&lt;/p&gt;
&lt;p&gt;Did my visit to the Winchester Mystery House somehow plant a seed in my head and eventually lead me down the path of becoming an internal audit professional? Not likely. Actually, I think my career goal after that visit was to become a Medium. However given my little analogy, maybe I did become a Medium of sorts—channeling information about the strange and mysterious world of risk and helping organizations figure out the best approach to solve those mysteries. Given where I now sit in my career, I view &lt;a href="http://www.archer.com/solutions/index.html"&gt;RSA Archer eGRC Solutions&lt;/a&gt; as a potential crystal ball into that portal, an effective tool that allows organizations to decode the mystery of risk for themselves and focus time and attention in the right areas, leading to that haunt-free lifestyle many of us desire. &lt;/p&gt;&lt;img src="http://www.archer.com/blog/aggbug.aspx?PostID=11613" width="1" height="1"&gt;</description><enclosure url="http://www.archer.com/blog/blogs/attachment/21ffa38a-51d2-402b-8763-4e033cfd18b3.ashx" length="104502" type="image/x-png" /><enclosure url="http://www.archer.com/blog/blogs/attachment/daa71fc1-4db9-4e76-beb9-d1897b1feade.ashx" length="24008" type="image/x-png" /><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Experts/default.aspx">Archer Experts</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+News/default.aspx">Archer News</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Internal+Audit/default.aspx">Internal Audit</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Jason+Rohlf/default.aspx">Jason Rohlf</category></item><item><title>Catching Up with My Old Friend SOX</title><link>http://www.archer.com/blog/blogs/archer/archive/2010/07/21/catching-up-with-my-old-friend-sox.aspx</link><pubDate>Wed, 21 Jul 2010 14:45:00 GMT</pubDate><guid 
isPermaLink="false">370e7019-5312-4d7a-9692-5ea1ca6b874d:11494</guid><dc:creator>Sarah Nord</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.archer.com/blog/blogs/archer/rsscomments.aspx?PostID=11494</wfw:commentRss><comments>http://www.archer.com/blog/blogs/archer/archive/2010/07/21/catching-up-with-my-old-friend-sox.aspx#comments</comments><description>&lt;p&gt;&lt;em&gt;&lt;font color="#336699"&gt;by Jason Rohlf – July 21, 2010&lt;/font&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/ea2a173b-e777-4793-85f5-347590abe81b.ashx" target="_blank"&gt;&lt;/a&gt;&lt;img style="WIDTH:115px;HEIGHT:168px;" align="left" src="https://community.archer-tech.com/blogs/attachment/ea2a173b-e777-4793-85f5-347590abe81b.ashx" width="115" height="168" alt="" /&gt;I am a firm believer in maintaining strong and lasting friendships, and the maintenance method I choose largely depends on the nature of the friendship. For my closest friends, this typically includes periodic texts and emails and an annual trip to Las Vegas followed by the requisite 11 months of recovery time. When I take my kids to the park, I catch up with their friends’ parents. I play ice hockey once a week, and this affords me the opportunity to catch up with other lovers of the beautiful sport. And LinkedIn and Facebook allow me to reach into my past and catch up with oodles of my old workmates and grade school chums, or at least to play voyeur into their (sometimes) interesting lives.&lt;/p&gt;
&lt;p&gt;Certain events of the last few weeks have given me cause to catch up with another one of my dear old friends—the Sarbanes-Oxley Act of 2002 (or as I endearingly refer to him, “SOX”). OK, maybe that’s overstating things a bit; after all, SOX has only been around for 8 years and that’s really only old in dog-years. Nonetheless, SOX and I got together for a cup of coffee and a little bit of reminiscing, and I’d like to take this opportunity to bring you up to speed on what my good pal has been up to:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;•&amp;nbsp;Last December, the United States Supreme Court heard oral arguments in the case brought by the Free Enterprise Fund challenging the constitutionality of the Public Company Accounting Oversight Board (PCAOB) and ultimately SOX. On June 28, 2010, the Court issued a 5-4 decision that gave the Securities and Exchange Commission (SEC) more leeway to remove PCAOB Board Members; however, aside from this change, the Court chose not to open up the legislation to further scrutiny, so all indications are that my friend SOX won’t have to go changing any time soon…&lt;/p&gt;
&lt;p&gt;•&amp;nbsp;...or will he? On October 2, 2009, the SEC issued a release that put an end to the parade of SOX section 404(b) filing extensions afforded to small public companies (non-accelerated filers, defined as those with a public float below $75 million). The release stated that these non-accelerated filers would see the last extension expire beginning with the annual reports of companies with fiscal years ending on or after June 15, 2010. SEC Chairman Mary L. Schapiro commented that, “Since there will be no further Commission extensions, it is important for all public companies and their auditors to act with deliberate speed to move toward full Section 404 compliance.”&lt;/p&gt;
&lt;p&gt;•&amp;nbsp;Fast forward to last Thursday. The Senate gave final passage to the Restoring American Financial Stability Act of 2010 (the Dodd-Frank Act) by a 60-39 vote (read more in the &lt;a href="http://www.nytimes.com/2010/07/16/business/16regulate.html" target="_blank"&gt;New York Times&lt;/a&gt;). Among the sweeping reforms and regulations aimed primarily at the Financial Services industry, the bill includes a provision to permanently exempt the very same non-accelerated filers from the 404(b) auditor attestation requirement. President Obama is expected to sign this bill into law later this week. &lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;As I discussed back in December in my article &lt;a href="http://www.archer.com/blog/blogs/archer/archive/2009/12/22/sox-or-not-strong-internal-controls-hold-their-value.aspx"&gt;SOX or Not: Strong Internal Controls Hold Their Value&lt;/a&gt;, despite the heavy scrutiny that my buddy SOX has come under recently, I still believe that the benefits of maintaining a sound, comprehensive system of internal controls far outweigh the costs. Needless to say, I was pleased to read &lt;a href="http://www.protiviti.com/en-US/Insights/Surveys/Pages/2010-Sarbanes-Oxley-Compliance-Survey.aspx" target="_blank"&gt;Protiviti’s 2010 Sarbanes-Oxley Compliance Survey&lt;/a&gt;, in which 70% of respondents indicated that the benefits of Sarbanes-Oxley outweighed the costs (versus 39% of respondents when asked during Year One of SOX). &lt;/p&gt;
&lt;p&gt;Now let’s move beyond the various legislative goings-on for something a little more exciting (at least for me). Last Wednesday, I had the pleasure of facilitating the latest RSA Archer SOX Compliance Working Group session. I really enjoy these sessions because they are primarily driven by the users of our eGRC solutions, and they provide a forum for customers to share thoughts and ideas on any topics of interest or issues they may be facing as a collective. &lt;/p&gt;
&lt;p&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/d6fed9bf-8106-484f-b40b-656db56cac4c.ashx" target="_blank"&gt;&lt;/a&gt;&lt;img style="WIDTH:431px;HEIGHT:306px;" align="right" src="https://community.archer-tech.com/blogs/attachment/d6fed9bf-8106-484f-b40b-656db56cac4c.ashx" width="431" height="306" alt="" /&gt;Last week’s session was focused on the process of scoping controls for SOX purposes. We discussed the various elements that factor into the scoping process (see chart), the approach participants take when encountering “gray” areas (i.e., those elements of the business that fall at or just below financial thresholds), the frequency with which controls are re-scoped and what effect the economic downturn has had on each organization’s SOX processes. &lt;/p&gt;
&lt;p&gt;I typically learn a great deal from the practitioners who participate in our Working Groups, and last week’s meeting was no exception. I found that there are varying methods being employed to determine the financial significance of controls (clearly the most important driver of scope) and that all who offered their thoughts during the session are incorporating some level of qualitative analysis in their scoping decisions (the “gut” factor).&amp;nbsp; &lt;/p&gt;
&lt;p&gt;For me, the most interesting thing I picked up from the session was that serious consideration was being given to the effects of the economic downturn, from how to treat “borderline” entities that have fluctuated between in and out of scope (due to a “down” financial cycle) to the impact of staff reductions on the ability to maintain proper segregation of duties at various points of critical processes. All in all, it was a great discussion, using up each and every one of the allotted 60 minutes and hopefully setting the stage for (Shameless Promotion Alert!) another great &lt;a href="https://archer-tech.webex.com/archer-tech/onstage/g.php?t=a&amp;amp;d=559512272" target="_blank"&gt;SOX Working Group session&lt;/a&gt; on &lt;strong&gt;Wednesday October 6&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;It sure was good to catch up with my buddy SOX, and I’ll be sure to keep you posted on any further developments in his life. At the very least, I’ll let you know when someone posts unflattering pictures of him on Facebook…&lt;/p&gt;&lt;img src="http://www.archer.com/blog/aggbug.aspx?PostID=11494" width="1" height="1"&gt;</description><enclosure url="http://www.archer.com/blog/blogs/attachment/ea2a173b-e777-4793-85f5-347590abe81b.ashx" length="24008" type="image/x-png" /><enclosure url="http://www.archer.com/blog/blogs/attachment/d6fed9bf-8106-484f-b40b-656db56cac4c.ashx" length="103503" type="image/x-png" /><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Experts/default.aspx">Archer Experts</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+News/default.aspx">Archer News</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Compliance/default.aspx">Compliance</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Jason+Rohlf/default.aspx">Jason Rohlf</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/SOX+Compliance+Management/default.aspx">SOX Compliance Management</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Working+Groups/default.aspx">Working Groups</category></item><item><title>Physical to Virtual Disaster Recovery Planning: Considerations for the Cloud</title><link>http://www.archer.com/blog/blogs/archer/archive/2010/07/08/physical-to-virtual-disaster-recovery-planning-considerations-for-the-cloud.aspx</link><pubDate>Thu, 08 Jul 2010 14:33:00 GMT</pubDate><guid isPermaLink="false">370e7019-5312-4d7a-9692-5ea1ca6b874d:11428</guid><dc:creator>Sarah Nord</dc:creator><slash:comments>1</slash:comments><wfw:commentRss 
xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.archer.com/blog/blogs/archer/rsscomments.aspx?PostID=11428</wfw:commentRss><comments>http://www.archer.com/blog/blogs/archer/archive/2010/07/08/physical-to-virtual-disaster-recovery-planning-considerations-for-the-cloud.aspx#comments</comments><description>&lt;p&gt;&lt;em&gt;&lt;font color="#336699"&gt;by Steve Suther – July 8, 2010&lt;/font&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/ba8c1459-6803-4633-8fe8-5c407eb6c2ef.ashx" target="_blank"&gt;&lt;/a&gt;&lt;img style="WIDTH:113px;HEIGHT:159px;" align="left" src="https://community.archer-tech.com/blogs/attachment/ba8c1459-6803-4633-8fe8-5c407eb6c2ef.ashx" width="113" height="159" alt="" /&gt;How&amp;#39;s your disaster recovery planning these days?&lt;/p&gt;
&lt;p&gt;If you’re reading this, it’s pretty safe to assume that either you or someone in your organization is “tuned in” enough to have well documented DR plans that enable your company&amp;#39;s business operations to continue in the face of a significant loss of technologies, facilities or human life. And they’re testing these plans at some regular interval (once each quarter, once a year, etc.) based on internal business impact analyses, or external regulatory requirements. Right?&lt;/p&gt;
&lt;p&gt;Now, has your disaster recovery planning been adjusted to take into account the virtualization and cloud computing initiatives that are more than likely either currently being talked about, or actually implemented, by your IT architects, or the vendors that manage your IT environments? Probably not. &lt;/p&gt;
&lt;p&gt;How many of you did I lose with &amp;quot;How&amp;#39;s your disaster recovery planning these days?&amp;quot; Hopefully not many. But how many of you did I lose at the first mention of virtual, or cloud recovery planning? From what I’ve been seeing and hearing from our customers, I’d be willing to bet more than a few of you.&lt;/p&gt;
&lt;p&gt;A traditional physical-to-physical disaster recovery strategy is fraught with challenges: moving to another data center in a reasonable time frame, keeping contracts in place with that alternate data center, and relying on a single managed service provider that has geographic and organizational redundancy and won’t go out of business without warning…just to name a few. Good governance and risk management practices within your infrastructure, asset and vendor management processes are always a best-practice approach to help mitigate and control these risks to the business.&lt;/p&gt;
&lt;p&gt;Now imagine the physical-to-virtual challenges in the development of data backup routines that move data out of the primary data center (and out of the control of the entity running that data center) and into a virtual IT environment. Cloud computing can definitely help address these challenges by serving as an important foundation for rapid recovery with a low amount of data loss. Imagine, for example, regularly synchronizing your production environments with a virtual environment that packages the data regularly for DR deployment in the event of a disaster. Assuming you’ve set up machine images that mirror your production environments, you should be able to rapidly recover into the cloud without paying to run an entirely redundant data center 24x7. &lt;/p&gt;
&lt;p&gt;Security is quickly becoming a major concern when setting up these environments and their related DR processes, and RSA is an active participant in the &lt;a href="http://blog.cloudsecurityalliance.org/" target="_blank"&gt;Cloud Security Alliance&lt;/a&gt;, working to ensure that, through EMC, RSA and other products, safe cloud computing can address newly emerging threats to the cloud, as well as incident response within the cloud. Be sure to check out the &lt;a href="http://www.rsa.com/node.aspx?id=1212" target="_blank"&gt;RSA web site&lt;/a&gt; for more information.&lt;/p&gt;
&lt;p&gt;Security aside, here are a few more key components to ensure that you too can achieve effective DR in your cloud computing environment:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;•&amp;nbsp;Set up procedures for synchronizing data with tools that package the data regularly for DR deployment (and don’t forget about data encryption!)&lt;br /&gt;•&amp;nbsp;Create machine images that have the same operating system, tools, core applications, and libraries as your production systems&lt;br /&gt;•&amp;nbsp;Use the appropriate set of tools to configure your DR environment to automate your required DR processes&lt;br /&gt;•&amp;nbsp;Regularly test restoring your infrastructure based on the current data in your cloud environment and validate the success of the event&lt;/p&gt;&lt;/blockquote&gt;
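&lt;p&gt;As an added illustration (an editor’s example, not part of Steve’s post or of any RSA Archer product), the Python script below turns the last bullet into something you can actually check: it builds a SHA-256 manifest of a “production” tree, signs the manifest with an HMAC key so that a tampered manifest is caught before it is trusted, and then validates a restored copy file by file, reporting anything missing, altered or unexpected. The sample files, the restore directories and the key are all constructed inside the script; in a real DR pipeline the key would come from a secret store and the package itself would also be encrypted, which this script deliberately leaves out.&lt;/p&gt;

```python
"""Editor's example: build a signed integrity manifest for a DR data package
and validate a restore against it. Not part of the original post."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of one file, read in chunks so large data files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        path.relative_to(root).as_posix(): hash_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def sign_manifest(manifest, key):
    """HMAC-SHA256 over canonical JSON; an altered manifest will not verify."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_restore(restore_root, manifest, signature, key):
    """Check a restored tree against the signed manifest.

    Returns a dict with 'ok' plus the lists of missing, corrupt and extra files
    so the DR test log shows exactly what went wrong, not just pass/fail.
    """
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        return {"ok": False, "reason": "manifest signature mismatch",
                "missing": [], "corrupt": [], "extra": []}
    restored = build_manifest(restore_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupt = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    ok = not (missing or corrupt or extra)
    return {"ok": ok, "reason": None if ok else "restored data differs from manifest",
            "missing": missing, "corrupt": corrupt, "extra": extra}


def demo():
    """Constructed sample: a production tree, a faithful restore and a broken one."""
    key = b"constructed-demo-key"  # assumption: a real key comes from a secret store
    with tempfile.TemporaryDirectory() as tmp:
        prod, good, bad = (Path(tmp, name) for name in ("prod", "good", "bad"))
        for root in (prod, good, bad):
            (root / "db").mkdir(parents=True)
            (root / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'widget');\n")
            (root / "app.conf").write_text("listen=0.0.0.0:8443\n")
        # Break the second restore: one file altered, one file lost.
        (bad / "app.conf").write_text("listen=0.0.0.0:8080\n")
        (bad / "db" / "orders.sql").unlink()

        manifest = build_manifest(prod)
        signature = sign_manifest(manifest, key)
        good_result = verify_restore(good, manifest, signature, key)
        bad_result = verify_restore(bad, manifest, signature, key)
        tampered = verify_restore(good, manifest, signature, b"wrong-key")
    return good_result, bad_result, tampered


if __name__ == "__main__":
    for label, result in zip(("good", "bad", "tampered"), demo()):
        print(label, result)
```

&lt;p&gt;The point of the signed manifest is that a restore test should be checked against something the recovery site did not produce itself: the manifest is generated at the source, the key lives outside the DR package, and the verification result lists each discrepancy so it can be attached to the test record rather than summarized as “restore succeeded.”&lt;/p&gt;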
&lt;p&gt;The main benefit of this approach is that you simply know your DR system will work for you in the same manner that it did for you in your physical environment, while reducing computing and resource costs to your organization.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;Where is your organization these days with regards to ensuring DR capabilities within your cloud? Let me know, and I promise to keep everyone updated on the great work being done within the industry!&lt;/p&gt;&lt;img src="http://www.archer.com/blog/aggbug.aspx?PostID=11428" width="1" height="1"&gt;</description><enclosure url="http://www.archer.com/blog/blogs/attachment/ba8c1459-6803-4633-8fe8-5c407eb6c2ef.ashx" length="22991" type="image/x-png" /><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Experts/default.aspx">Archer Experts</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+News/default.aspx">Archer News</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/EMC/default.aspx">EMC</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/RSA/default.aspx">RSA</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Steve+Suther/default.aspx">Steve Suther</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Virtualization+_2600_amp_3B00_+Cloud/default.aspx">Virtualization &amp;amp; Cloud</category></item><item><title>Are You a GRC Saboteur?</title><link>http://www.archer.com/blog/blogs/archer/archive/2010/06/30/are-you-a-grc-saboteur.aspx</link><pubDate>Wed, 30 Jun 2010 15:34:00 GMT</pubDate><guid isPermaLink="false">370e7019-5312-4d7a-9692-5ea1ca6b874d:11359</guid><dc:creator>Sarah Nord</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.archer.com/blog/blogs/archer/rsscomments.aspx?PostID=11359</wfw:commentRss><comments>http://www.archer.com/blog/blogs/archer/archive/2010/06/30/are-you-a-grc-saboteur.aspx#comments</comments><description>&lt;p&gt;&lt;em&gt;&lt;font color="#336699"&gt;by Steve Schlarman – June 30, 2010&lt;/font&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/ec1f3876-8eda-4d57-9c22-4c4527534cf7.ashx" target="_blank"&gt;&lt;/a&gt;&lt;img style="WIDTH:114px;HEIGHT:165px;" align="left" src="https://community.archer-tech.com/blogs/attachment/ec1f3876-8eda-4d57-9c22-4c4527534cf7.ashx" width="114" height="165" alt="" /&gt;We all have our own little secret hobbies that we use to escape from the craziness of our everyday life. Spend any time with someone, and most likely you will learn about their pets, their thimble collection, their penchant for photographing railroads or their clandestine weekend job as a rodeo clown. Frankly, I haven’t met any rodeo clowns yet, but I am still holding on to some hope that somewhere, I will meet someone whose passion outside of work is to jump in a barrel a split second before a furious bull comes charging near. &lt;/p&gt;
&lt;p&gt;Now, I have a few covert interests as well—I play bass guitar (check out iTunes, and I have one song as part of a compilation CD), I enjoy video games (who doesn’t enjoy blasting away at bad guys to burn stress off) and I enjoy working out (I will hit the big FOUR-O this year and have to do something to stay young.) However, one of my favorite underground loves is military history, specifically World War II. A visit to my home office would reveal collages of D-Day maps and pictures on the wall, some metal soldiers in a display case and a bookcase full of tomes written on the conflict. I know: geek city…&lt;/p&gt;
&lt;p&gt;So when I saw a “World War II Sabotage Field Manual” post on &lt;a href="http://www.schneier.com/blog/archives/2010/06/world_war_ii_sa.html" target="_blank"&gt;Bruce Schneier’s blog&lt;/a&gt;, I literally fell out of my seat—which in our row is not an out-of-the-ordinary event. In fact, Jason Rohlf (my product management compadre and “cubemate”) didn’t even blink. But he did ask me what I had found. I proudly displayed my monitor and showed him the declassified &lt;a href="http://cgsc.cdmhost.com/cgi-bin/showfile.exe?CISOROOT=/p4013coll9&amp;amp;CISOPTR=307&amp;amp;filename=308.pdf" target="_blank"&gt;Office of Strategic Services’ Simple Sabotage Field Manual&lt;/a&gt;. For those of you who aren’t familiar with the history, the OSS was the United States intelligence agency established during World War II that led many of the country’s covert operations. The organization was the precursor to the Central Intelligence Agency and was modeled on Britain’s Special Operations Executive. The tattered document on my screen—published in 1944 and now 66 years old—was written to help locals behind enemy lines disrupt operations and cause damage in many simple ways.&lt;/p&gt;
&lt;p&gt;Part 5 “Specific Suggestions for Simple Sabotage,” section (11) outlines some rather amusing suggestions to cause general interference with organizations and production facilities:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;•&amp;nbsp;“Insist on doing everything through ‘channels.’ Never permit short-cuts to be taken in order to expedite decisions.”&lt;br /&gt;•&amp;nbsp;“Bring up irrelevant issues as frequently as possible.”&lt;br /&gt;•&amp;nbsp;“Haggle over precise wordings of communications, minutes, resolutions.”&lt;br /&gt;•&amp;nbsp;“Be worried about the propriety of any decision.”&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;The document goes on and on with numerous suggestions on how to essentially cause general mayhem in any organizational situation. While it is laughable now, I have no doubt that these are very effective strategies given that we see many of these things every day in our corporate world.&lt;/p&gt;
&lt;p&gt;This brings me to my point—and how this relates to our beloved GRC world. Many times, as risk and compliance professionals, we pride ourselves on the intricacies and technical details of our world. I mean, who doesn’t love throwing the difference between a threat and a vulnerability into the discussion? However, we always must be grounded in the fact that most of the people we interface with—and those who are truly the ones we must impact the most—are business people who couldn’t care less about the difference between a buffer overflow and an overflowing buffoon. They want to conduct business and keep our companies moving forward. Our job is to help them do that while maintaining some level of control.&lt;/p&gt;
&lt;p&gt;Therefore, think about how you explain risk and compliance needs within your organization. Use straightforward, relevant examples and make the needs real for your business counterparts. Establish some common understanding of risk language within your organization. Speak in terms that mean something to the business and don’t get wrapped up in the technical nuances of governance, risk and compliance. While the cloak-and-dagger world of spies may seem glamorous, the last thing you want to have happen at a meeting is to be introduced as the “saboteur” sent from the risk group.&lt;/p&gt;&lt;img src="http://www.archer.com/blog/aggbug.aspx?PostID=11359" width="1" height="1"&gt;</description><enclosure url="http://www.archer.com/blog/blogs/attachment/ec1f3876-8eda-4d57-9c22-4c4527534cf7.ashx" length="9513" type="image/gif" /><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Experts/default.aspx">Archer Experts</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+News/default.aspx">Archer News</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Best+Practices/default.aspx">Best Practices</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/GRC/default.aspx">GRC</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Steve+Schlarman/default.aspx">Steve Schlarman</category></item><item><title>Visit RSA’s Archer Team at the Gartner Security and Risk Management Summit</title><link>http://www.archer.com/blog/blogs/archer/archive/2010/06/21/visit-rsa-s-archer-team-at-the-gartner-security-and-risk-management-summit.aspx</link><pubDate>Mon, 21 Jun 2010 13:00:00 GMT</pubDate><guid isPermaLink="false">370e7019-5312-4d7a-9692-5ea1ca6b874d:11242</guid><dc:creator>Sarah Nord</dc:creator><slash:comments>0</slash:comments><wfw:commentRss 
xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.archer.com/blog/blogs/archer/rsscomments.aspx?PostID=11242</wfw:commentRss><comments>http://www.archer.com/blog/blogs/archer/archive/2010/06/21/visit-rsa-s-archer-team-at-the-gartner-security-and-risk-management-summit.aspx#comments</comments><description>&lt;p&gt;&lt;em&gt;&lt;font color="#336699"&gt;June 21, 2010&lt;/font&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/8a013656-3271-428b-ac7f-156023ae2991.ashx" target="_blank"&gt;&lt;/a&gt;&lt;img style="WIDTH:149px;HEIGHT:109px;" align="right" src="https://community.archer-tech.com/blogs/attachment/8a013656-3271-428b-ac7f-156023ae2991.ashx" width="149" height="109" alt="" /&gt;RSA is exhibiting this week at the &lt;a href="http://www.gartner.com/technology/summits/na/security/index.jsp" target="_blank"&gt;Gartner Security and Risk Management Summit 2010&lt;/a&gt;. We invite you to stop by &lt;strong&gt;Booth #5&lt;/strong&gt; to visit with RSA’s Archer team, take a tour of our eGRC solutions, and gain a broader understanding of the RSA solution portfolio.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;font size="3"&gt;&lt;strong&gt;June 21-23, 2010&lt;/strong&gt;&lt;/font&gt;&lt;br /&gt;Gaylord National Convention Center&lt;br /&gt;National Harbor, MD (Washington, D.C. area)&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Also join the RSA team for the following sessions:&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;The Journey to the Cloud&lt;br /&gt;&lt;/strong&gt;&lt;/em&gt;Monday, June 21 at 10:15 a.m.&lt;br /&gt;Led by David Walter, RSA’s Director of eGRC Solutions, and Steve Preston, RSA’s Senior Director of Product Marketing&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;Integrated GRC in the Security Operations Center&lt;br /&gt;&lt;/strong&gt;&lt;/em&gt;Monday, June 21 at 3:45 p.m.&lt;br /&gt;Led by Chris Young, RSA’s Sr. Vice President of Products, Technologies and Markets, and Chris Leach, CISO for Affiliated Computer Services&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Managing Risks in Today’s Landscape&lt;br /&gt;&lt;/em&gt;&lt;/strong&gt;Tuesday, June 22 at 1 p.m.&lt;br /&gt;Led by David Walter, Director of eGRC Solutions for RSA&lt;/p&gt;
&lt;p&gt;For more information on this event, visit the &lt;a href="http://www.gartner.com/technology/summits/na/security/index.jsp" target="_blank"&gt;Gartner Security and Risk Management Summit web site&lt;/a&gt;. We hope to see you there!&lt;/p&gt;&lt;img src="http://www.archer.com/blog/aggbug.aspx?PostID=11242" width="1" height="1"&gt;</description><enclosure url="http://www.archer.com/blog/blogs/attachment/8a013656-3271-428b-ac7f-156023ae2991.ashx" length="6172" type="image/x-png" /><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Events/default.aspx">Archer Events</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Experts/default.aspx">Archer Experts</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+News/default.aspx">Archer News</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/GRC/default.aspx">GRC</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/RSA/default.aspx">RSA</category></item><item><title>“Red Flags” Compliance Deadline Extended…Again!</title><link>http://www.archer.com/blog/blogs/archer/archive/2010/06/15/red-flags-compliance-deadline-extended-again.aspx</link><pubDate>Tue, 15 Jun 2010 17:25:00 GMT</pubDate><guid isPermaLink="false">370e7019-5312-4d7a-9692-5ea1ca6b874d:11189</guid><dc:creator>Sarah Nord</dc:creator><slash:comments>2</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.archer.com/blog/blogs/archer/rsscomments.aspx?PostID=11189</wfw:commentRss><comments>http://www.archer.com/blog/blogs/archer/archive/2010/06/15/red-flags-compliance-deadline-extended-again.aspx#comments</comments><description>&lt;p&gt;&lt;em&gt;&lt;font color="#336699"&gt;by Steve Suther – June 15, 2010&lt;/font&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/f341c0ce-6f8f-41e0-b9ec-e6707c8465d7.ashx" target="_blank"&gt;&lt;/a&gt;&lt;img style="WIDTH:113px;HEIGHT:159px;" align="left" src="https://community.archer-tech.com/blogs/attachment/f341c0ce-6f8f-41e0-b9ec-e6707c8465d7.ashx" width="113" height="159" alt="" /&gt;On May 28, 2010, the &lt;a href="http://www.ftc.gov/opa/2010/05/redflags.shtm" target="_blank"&gt;FTC announced&lt;/a&gt; that it would again delay enforcement of the Identity Theft Red Flags Rule that was enacted as part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). With an original compliance deadline of November 30, 2008, this is the fifth time the commission has announced an extension of the enforcement deadline, after most recently extending it to June 1, 2010. What’s the reason for all the delays?&lt;/p&gt;
&lt;p&gt;It stems from the fact that these regulations are written to apply to all financial institutions and creditors that have &amp;quot;covered” accounts. A covered account is a consumer account that allows multiple payments or transactions (credit cards, monthly billed accounts like utility or cell phone bills, medical and health insurance accounts) or any other account for which there is a reasonably foreseeable risk of identity theft. Because such accounts are tied to identifiers like Social Security or Tax ID numbers and driver’s license numbers, this significantly expands the definition to include all companies, regardless of their size, that access, store or utilize consumer information for business purposes. Because of the broad definitions in these regulations, small and medium-sized businesses won’t be able to escape having to demonstrate compliance with the requirements.&lt;/p&gt;
&lt;p&gt;The Red Flags Rule requires these businesses to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities—known as “red flags”—that could potentially indicate an identity theft. So the enforcement date is now December 31, 2010, for creditors and financial institutions subject to FTC jurisdiction. The FTC reported that the delay had been requested by members of Congress who are currently considering a bill that would limit the rule’s scope to address the challenges of smaller organizations. If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the FTC will begin enforcement as of that effective date. That could certainly mean a tight deadline for those who haven’t yet begun to build their compliance capabilities for this regulation.&lt;/p&gt;
&lt;p&gt;Is your organization prepared to demonstrate compliance with the rules using RSA Archer &lt;a href="http://www.archer.com/events/webcasts/global-privacy-management.html"&gt;Privacy&lt;/a&gt; and &lt;a href="http://www.archer.com/solutions/policy_management.html"&gt;Policy Management&lt;/a&gt; offerings? If not, contact us for a demo of how we enable this out of the box, and I promise to keep you posted as to any more changes to the Act’s effective date.&lt;/p&gt;</description><enclosure url="http://www.archer.com/blog/blogs/attachment/f341c0ce-6f8f-41e0-b9ec-e6707c8465d7.ashx" length="22991" type="image/x-png" /><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Experts/default.aspx">Archer Experts</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+News/default.aspx">Archer News</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Industry+News/default.aspx">Industry News</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Policy+Management/default.aspx">Policy Management</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Privacy/default.aspx">Privacy</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Steve+Suther/default.aspx">Steve Suther</category></item><item><title>Ridding Your Diet of SALT and JELLY</title><link>http://www.archer.com/blog/blogs/archer/archive/2010/06/11/ridding-your-diet-of-salt-and-jelly.aspx</link><pubDate>Fri, 11 Jun 2010 15:14:00 GMT</pubDate><guid isPermaLink="false">370e7019-5312-4d7a-9692-5ea1ca6b874d:11164</guid><dc:creator>Sarah Nord</dc:creator><slash:comments>4</slash:comments>
<wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.archer.com/blog/blogs/archer/rsscomments.aspx?PostID=11164</wfw:commentRss><comments>http://www.archer.com/blog/blogs/archer/archive/2010/06/11/ridding-your-diet-of-salt-and-jelly.aspx#comments</comments><description>&lt;p&gt;&lt;em&gt;&lt;font color="#336699"&gt;by Jason Rohlf – June 11, 2010&lt;/font&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;*********************&lt;br /&gt;&lt;em&gt;Come gather ’round people wherever you roam&lt;br /&gt;And admit that the waters around you have grown&lt;br /&gt;And accept it that soon you’ll be drenched to the bone&lt;br /&gt;If your time to you is worth savin’&lt;br /&gt;Then you better start swimmin’ or you’ll sink like a stone&lt;br /&gt;For the times they are a-changin’&lt;/em&gt;&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;– from “The Times They Are A-Changin’” by Bob Dylan&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;*********************&lt;br /&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/6e33deca-56e1-4cc6-abe3-ceae006f6471.ashx" target="_blank"&gt;&lt;img style="WIDTH:115px;HEIGHT:168px;" align="left" src="https://community.archer-tech.com/blogs/attachment/6e33deca-56e1-4cc6-abe3-ceae006f6471.ashx" width="115" height="168" alt="" /&gt;&lt;/a&gt;While there are many reasons I’m glad to have tramped down the path that has taken me through the first 13 or so years of my career, there is one that jumps out as the crown jewel. As I have mentioned before on the Archer GRC Blog, I love to learn new things. Put away the Oil of Olay, spurn the Botox needle and thumb your nose at Ponce de Leon – the true path to eternal youth is through continuous learning.&lt;/p&gt;
&lt;p&gt;And wouldn’t you know it, I was lucky enough to select internal audit as a career, one that places a high premium on the continuous pursuit of knowledge. Huzzah to my good fortune!&amp;nbsp;I can remember life as a green staff auditor like it was yesterday. (It was just yesterday, right?) When my supervisor approached me about promoting me to senior, I was quite pleased. And imagine my delight when he said that because I was on the cusp of such glory, I was being sent to a week-long Senior Auditor training course in sunny Orlando, Florida!&amp;nbsp; &lt;/p&gt;
&lt;p&gt;“Let me get this straight,” I countered, “you’re thinking of promoting me AND you’re paying for me to go learn a whole new skill set?? Can you pinch me so I can be certain that I am not dreaming some wonderful dream?”&lt;/p&gt;
&lt;p&gt;After he informed me that pinching violated our company’s Code of Conduct, I was sent down to Senior School. In all seriousness, it really was a very exciting opportunity for me. And one particular lesson I learned really resonated with me and sticks with me to this day – namely, the importance of ridding one’s diet of &lt;strong&gt;SALT&lt;/strong&gt; and &lt;strong&gt;JELLY&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;No, I am not talking about some strange sweet-yet-salty culinary oddity. (Sidenote: If you want the most delicious sweet-yet-salty experience, I highly recommend bacon-wrapped dates at any reputable tapas restaurant.) Our instructor explained to us that as new seniors, we were expected to be the hub of all audit projects, and that meant making sense of the information gathered by our staff and communicating it up to our managers and directors so that, as a team, we could come up with an objective and reasonable conclusion for the audit.&lt;/p&gt;
&lt;p&gt;“One thing you need to be highly aware of as seniors is when the auditee is rationalizing their behavior by feeding you SALT and JELLY.”&lt;/p&gt;
&lt;p&gt;Clearly this fine gentleman saw the blank stares on all of our faces so he mercifully enlightened us. When we ask our auditees why their process seems inefficient, disorganized or convoluted, they may rationalize it by saying they do it…&lt;/p&gt;
&lt;p&gt;&lt;font size="3"&gt;&lt;strong&gt;S&lt;/strong&gt;ame &lt;strong&gt;A&lt;/strong&gt;s &lt;strong&gt;L&lt;/strong&gt;ast &lt;strong&gt;T&lt;/strong&gt;ime or &lt;strong&gt;J&lt;/strong&gt;ust &lt;strong&gt;E&lt;/strong&gt;xactly &lt;strong&gt;L&lt;/strong&gt;ike &lt;strong&gt;L&lt;/strong&gt;ast &lt;strong&gt;Y&lt;/strong&gt;ear&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;AH!&amp;nbsp;I get it – SALT and JELLY! When I first heard this, I thought “great acronyms, but there’s &lt;em&gt;no way&lt;/em&gt; anyone would fall back on these excuses as their rationale for carrying on with a bad process.” It just wasn’t possible. And then as I went back out into the working world, I started to pay closer attention…and my instructor was 100% correct. I was blown away at how many people fell back on the old “this is the way we’ve always done it” explanation. And this was not a phenomenon limited to those I audited. As I continued down my windy, tree-lined career path, I was shocked to find that there were many internal audit departments, assurance groups, risk management functions and the like that fell back on that very same “logic” when justifying their way of tackling their responsibilities.&lt;/p&gt;
&lt;p&gt;On one level, this line of thinking is bemusing. Yet on another level it’s quite troubling. I don’t think anyone reading this piece is shocked when I say that the environment we now operate in as business professionals is vastly different than the one we had to maneuver 5 years ago. New and unheard of risks have reared their ugly heads. The gap between the skill sets and sophisticated business information we need to identify and address these new threats and those that we actually possess has grown too wide for anyone’s comfort. The challenges that we face in our respective professions demand our attention and require us to be open to new ways of doing things.&lt;/p&gt;
&lt;p&gt;I’ve had the pleasure of speaking with numerous professionals who are trying with the best of intentions to address these challenges head on. Working with &lt;a href="http://www.archer.com/solutions/index.html"&gt;RSA’s Archer eGRC solutions&lt;/a&gt; affords me the opportunity to help these folks identify new and unique ways of doing things. As many of our customers have come to realize, our solutions offer a different approach to tackling these issues, one that is flexible and forward looking, one that seeks to transform business data into valuable business information, and one that rejects the bland concoction of SALT and JELLY.&lt;/p&gt;
&lt;p&gt;Let’s face it – the times they are a-changin’. I truly hope we all start swimmin’, lest we sink like a stone.&lt;/p&gt;</description><enclosure url="http://www.archer.com/blog/blogs/attachment/6e33deca-56e1-4cc6-abe3-ceae006f6471.ashx" length="24008" type="image/x-png" /><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Experts/default.aspx">Archer Experts</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+News/default.aspx">Archer News</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Internal+Audit/default.aspx">Internal Audit</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Jason+Rohlf/default.aspx">Jason Rohlf</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/News/default.aspx">News</category></item><item><title>Live from Compliance Week 2010</title><link>http://www.archer.com/blog/blogs/archer/archive/2010/05/26/live-from-compliance-week-2010.aspx</link><pubDate>Wed, 26 May 2010 16:35:00 GMT</pubDate><guid isPermaLink="false">370e7019-5312-4d7a-9692-5ea1ca6b874d:10969</guid><dc:creator>Sarah Nord</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.archer.com/blog/blogs/archer/rsscomments.aspx?PostID=10969</wfw:commentRss><comments>http://www.archer.com/blog/blogs/archer/archive/2010/05/26/live-from-compliance-week-2010.aspx#comments</comments><description>&lt;p&gt;&lt;em&gt;&lt;font color="#336699"&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/af48d113-89b9-4763-9098-718701b4ac0b.ashx" target="_blank"&gt;&lt;img border="0" src="https://community.archer-tech.com/blogs/attachment/af48d113-89b9-4763-9098-718701b4ac0b.ashx" alt="" /&gt;&lt;/a&gt;&amp;nbsp;&lt;/font&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;font color="#336699"&gt;by Jason Rohlf – May 26, 2010&lt;/font&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/c3ab8ec3-f763-4510-a7be-55ad73564c9c.ashx" target="_blank"&gt;&lt;img style="WIDTH:115px;HEIGHT:168px;" align="left" src="https://community.archer-tech.com/blogs/attachment/c3ab8ec3-f763-4510-a7be-55ad73564c9c.ashx" width="115" height="168" alt="" /&gt;&lt;/a&gt;Greetings from &lt;a href="http://www.complianceweek.com/page/525" target="_blank"&gt;Compliance Week’s 5th Annual Conference&lt;/a&gt; in our Nation’s Capital! It’s my pleasure to report to you from the banks of the beautiful Potomac River (actually, I’m inside the historic Mayflower Hotel, but no need to split hairs). These days, there seems to be an inordinate amount of rumbling and grumbling about how nothing of importance ever gets done in Washington. Based on what I’ve seen at Compliance Week, I’d say that the last two days have certainly been the exception to that common perception.&lt;/p&gt;
&lt;p&gt;Throughout the conference, I’ve had the chance to interact with many interesting people. As is common with these events, every attendee wears a badge with their name, company and business title, and I’ve found my eyes instinctively trained on this information. Oh, the titles I’ve seen! Chief Audit Executive, Director of Enterprise Risk Management, IT Governance Director, Chief Risk and Ethics Officer…the list goes on and on. &lt;/p&gt;
&lt;p&gt;Despite the varying functional lexicons employed by the companies represented here, the same common thread runs through all of the attendees. Regardless of title, these individuals came here to share ideas around how to continuously improve their governance, risk and compliance programs. And not only have we been able to share our ideas among one another, we’ve also been given the rare and exciting opportunity to hear from some very well-respected dignitaries in the GRC space:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;•&amp;nbsp;U.S. SEC Commissioner Luis Aguilar&lt;br /&gt;•&amp;nbsp;Former SEC Chairman Harvey Pitt&lt;br /&gt;•&amp;nbsp;U.S. House Representative Barney Frank&lt;br /&gt;•&amp;nbsp;Shelley Parratt from the SEC’s Corporation Finance Division&lt;br /&gt;•&amp;nbsp;Acting U.S. Deputy Attorney General Gary Grindler&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;It’s the 1927 Yankees of GRC! We would have been fortunate to hear from any one of these individuals, but to have them all on the same agenda afforded us a unique opportunity to gain valuable perspectives on where we are in terms of GRC policy and, more importantly, where we are collectively headed.&lt;/p&gt;
&lt;p&gt;In addition to these great keynotes, the breakout sessions gave us all a chance to further the knowledge sharing process. I had the pleasure of presenting on &lt;a href="http://www.archer.com/solutions/index.html"&gt;RSA Archer eGRC solutions&lt;/a&gt; during my session on “Governance, Risk and Compliance: The Power of a Platform Approach.” And RSA’s Director of eGRC Solutions David Walter led a highly interactive session outlining the GRC Strategy Roadmap process. I think I speak for David when I say we are both very appreciative for the thoughts and insights offered by those who attended these sessions.&lt;/p&gt;
&lt;p&gt;While onsite here at the conference, I received another bit of exciting news—the announcement that &lt;a href="http://www.archer.com/company/pressreleases/2010/rsa-joins-open-compliance-ethics-group.html"&gt;RSA has joined the Open Compliance and Ethics Group (OCEG)&lt;/a&gt;, a not-for-profit organization with a mission to help companies align their GRC management activities to drive business performance and promote integrity. I had some thought-provoking conversations with some of OCEG’s leadership team, and I can honestly say that I am very excited about our membership with them.&lt;/p&gt;
&lt;p&gt;Overall we’ve had a great experience at Compliance Week 2010. This was RSA’s first time here, but something tells me it won’t be our last.&lt;/p&gt;</description><enclosure url="http://www.archer.com/blog/blogs/attachment/c3ab8ec3-f763-4510-a7be-55ad73564c9c.ashx" length="24008" type="image/x-png" /><enclosure url="http://www.archer.com/blog/blogs/attachment/af48d113-89b9-4763-9098-718701b4ac0b.ashx" length="14499" type="image/jpeg" /><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Events/default.aspx">Archer Events</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Experts/default.aspx">Archer Experts</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+News/default.aspx">Archer News</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/GRC/default.aspx">GRC</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Jason+Rohlf/default.aspx">Jason Rohlf</category></item><item><title>RSA Joins the Open Compliance and Ethics Group</title><link>http://www.archer.com/blog/blogs/archer/archive/2010/05/25/rsa-joins-the-open-compliance-and-ethics-group.aspx</link><pubDate>Tue, 25 May 2010 19:33:00 GMT</pubDate><guid isPermaLink="false">370e7019-5312-4d7a-9692-5ea1ca6b874d:10932</guid><dc:creator>Sarah Nord</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.archer.com/blog/blogs/archer/rsscomments.aspx?PostID=10932</wfw:commentRss><comments>http://www.archer.com/blog/blogs/archer/archive/2010/05/25/rsa-joins-the-open-compliance-and-ethics-group.aspx#comments</comments><description>&lt;p&gt;&lt;em&gt;&lt;font color="#336699"&gt;May 25, 2010&lt;/font&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/b90c4be5-0efd-4cbf-b87a-9cc4945662b4.ashx" target="_blank"&gt;&lt;img style="WIDTH:399px;HEIGHT:127px;" align="right" src="https://community.archer-tech.com/blogs/attachment/b90c4be5-0efd-4cbf-b87a-9cc4945662b4.ashx" width="399" height="127" alt="" /&gt;&lt;/a&gt;Today, we’re pleased to announce that we have joined the &lt;a href="http://www.oceg.org/" target="_blank"&gt;Open Compliance and Ethics Group (OCEG)&lt;/a&gt;, a nonprofit organization with a mission to help companies align their governance, risk and compliance (GRC) management activities to drive business performance and promote integrity.&lt;/p&gt;
&lt;p&gt;Since Archer joined RSA in January 2010, RSA has demonstrated its strong commitment to strategic, efficient and sustainable enterprise GRC solutions that span IT, finance, operations and legal business domains. As an OCEG Charter Member, RSA will participate in the Leadership and Technology Councils and help guide the GRC Capability Model, bringing to bear the collective vision of the &lt;a href="https://community.archer-tech.com/" target="_blank"&gt;Archer eGRC Community&lt;/a&gt;, whose membership includes more than 3,800 GRC professionals.&lt;/p&gt;
&lt;p&gt;“GRC leadership is about involvement and participation in the broad GRC community,” said &lt;a href="http://www.corp-integrity.com/" target="_blank"&gt;Michael Rasmussen&lt;/a&gt;, OCEG fellow and president of Corporate Integrity LLC. “As an eGRC leader, Archer Technologies had a proven track record of excellence in client relationship and interaction; RSA continues on that path, participating in Compliance Week’s industry recognized GRC conference and contributing to the thought leadership of OCEG, which has the only publicly vetted and collaborated GRC process framework in the Red Book GRC Capability Model—what I refer to as the GRC Rosetta Stone.”&lt;/p&gt;
&lt;p&gt;According to David Walter, our director of eGRC solutions, “OCEG is a recognized leader in providing GRC standards, guidelines and assessment procedures, and we look forward to offering those resources to our clients. We’re also excited to bring the voice of the Archer Community to the OCEG Technology Council. Our active membership of GRC clients, partners and product experts is helping to shape the vision for enterprise GRC technology innovation. We believe the influence of this Community will provide great value to OCEG.”&lt;/p&gt;
&lt;p&gt;To learn more about OCEG, visit &lt;a href="http://www.oceg.org/" target="_blank"&gt;http://www.oceg.org/&lt;/a&gt;.&lt;/p&gt;</description><enclosure url="http://www.archer.com/blog/blogs/attachment/b90c4be5-0efd-4cbf-b87a-9cc4945662b4.ashx" length="23713" type="image/x-png" /><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Experts/default.aspx">Archer Experts</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+News/default.aspx">Archer News</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/GRC/default.aspx">GRC</category></item><item><title>EMC’s CIRT: Smart People Solving Complex Problems with RSA/Archer Integration</title><link>http://www.archer.com/blog/blogs/archer/archive/2010/05/12/emc-s-cirt-smart-people-solving-complex-problems-with-rsa-archer-integration.aspx</link><pubDate>Wed, 12 May 2010 19:48:00 GMT</pubDate><guid isPermaLink="false">370e7019-5312-4d7a-9692-5ea1ca6b874d:10335</guid><dc:creator>Sarah Nord</dc:creator><slash:comments>2</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.archer.com/blog/blogs/archer/rsscomments.aspx?PostID=10335</wfw:commentRss><comments>http://www.archer.com/blog/blogs/archer/archive/2010/05/12/emc-s-cirt-smart-people-solving-complex-problems-with-rsa-archer-integration.aspx#comments</comments><description>&lt;p&gt;&lt;em&gt;&lt;font color="#336699"&gt;by Jeff Glasco – May 12, 2010&lt;/font&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/f0afe4e6-4039-4c74-83fd-8077def06501.ashx" target="_blank"&gt;&lt;img style="WIDTH:111px;HEIGHT:161px;" align="left" src="https://community.archer-tech.com/blogs/attachment/f0afe4e6-4039-4c74-83fd-8077def06501.ashx" width="111" height="161" alt="" /&gt;&lt;/a&gt;Complex problems are everywhere, as witnessed in the headlines of the past week. How do you plug a hole gushing 200,000 barrels of oil a day when it’s a mile deep in the ocean? How do you implement controls to prevent mysterious 1,000-point drops in the Dow? How do you bail out an entire country’s economy amidst rioting?&lt;/p&gt;
&lt;p&gt;For many of us, the answer is straightforward: We look to our smart people to come up with a solution. Our smart people are being forced to become even smarter as they stare down modern problems. I hear it’s even causing some of our not-so-smart people to smarten up and contribute to the cause. (I got a letter in the mail last week asking me to step up my game.)&lt;/p&gt;
&lt;p&gt;I had the opportunity to work with some of these smart people at &lt;a href="http://www.emc.com/" target="_blank"&gt;EMC&lt;/a&gt;, prior to its acquisition of Archer (yes, EMC was a customer first). EMC’s Critical Incident Response Team (a.k.a. “The CIRT”) looked for new ways to identify and respond to security events in the organization. They had a vision for streamlining their incident investigation processes by integrating RSA’s industry leading SIEM product, &lt;a href="http://www.rsa.com/node.aspx?id=3170" target="_blank"&gt;enVision&lt;/a&gt;, with Archer GRC business process management capabilities. &lt;/p&gt;
&lt;p&gt;EMC’s CIRT elevated their incident-triage capability by minimizing manual data aggregation processes and providing business context to technical alerts from enVision. They sought to enrich alert data in order to move beyond a vulnerability-driven context model and toward an exposure-driven model of security management. The result is a triage process that allows EMC to prioritize resources based on business impact and data exposure. They’re now able to view the business operational impact of incidents through the single lens of an Archer dashboard and operate incident management processes in a cross-functional GRC domain.&lt;/p&gt;
&lt;p&gt;EMC’s CIRT continues to evolve their enVision and Archer integration architecture, providing the RSA enVision and Archer GRC product teams with a unique opportunity to build on a proven solution—one that was crafted by smart people to tackle complex problems facing global organizations. You could say we’ve been inspired, and now we have new teams of smart people creating solutions that leverage RSA enVision and Archer to help organizations tackle an ever-expanding pool of GRC-related issues.&lt;/p&gt;
&lt;p&gt;A few of our resident smart people will present new solutions for tackling risk and compliance challenges through the integration of RSA enVision and Archer in an upcoming webcast. Please join our own Steve Schlarman along with Sam Curry and Paul Stamp of RSA as they expand on the opportunities for your organization.&lt;/p&gt;
&lt;p&gt;Here are the details of this event:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;When:&lt;/strong&gt; Tuesday, May 18 at 2 p.m. US Eastern&lt;br /&gt;&lt;strong&gt;Registration:&lt;/strong&gt; &lt;a href="http://info.rsasecurity.com/2010Am/webcast/100518_Archer_Compliance/online.html" target="_blank"&gt;http://info.rsasecurity.com/2010Am/webcast/100518_Archer_Compliance/online.html&lt;/a&gt;&lt;/p&gt;</description><enclosure url="http://www.archer.com/blog/blogs/attachment/f0afe4e6-4039-4c74-83fd-8077def06501.ashx" length="23560" type="image/x-png" /><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Experts/default.aspx">Archer Experts</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+News/default.aspx">Archer News</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/EMC/default.aspx">EMC</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Incident+Management/default.aspx">Incident Management</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Jeff+Glasco/default.aspx">Jeff Glasco</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/RSA/default.aspx">RSA</category></item><item><title>Visit the Archer GRC Team at Compliance Week 2010</title><link>http://www.archer.com/blog/blogs/archer/archive/2010/05/12/visit-the-archer-grc-team-at-compliance-week-2010.aspx</link><pubDate>Wed, 12 May 2010 15:25:00 GMT</pubDate><guid isPermaLink="false">370e7019-5312-4d7a-9692-5ea1ca6b874d:10331</guid><dc:creator>Sarah Nord</dc:creator><slash:comments>1</slash:comments>
<wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.archer.com/blog/blogs/archer/rsscomments.aspx?PostID=10331</wfw:commentRss><comments>http://www.archer.com/blog/blogs/archer/archive/2010/05/12/visit-the-archer-grc-team-at-compliance-week-2010.aspx#comments</comments><description>&lt;p&gt;&lt;em&gt;&lt;font color="#336699"&gt;May 12, 2010&lt;/font&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://community.archer-tech.com/blogs/attachment/77df5212-007e-4b18-b406-d5cd5d3ade34.ashx" target="_blank"&gt;&lt;img style="WIDTH:382px;HEIGHT:367px;" align="right" src="https://community.archer-tech.com/blogs/attachment/77df5212-007e-4b18-b406-d5cd5d3ade34.ashx" width="382" height="367" alt="" /&gt;&lt;/a&gt;The Archer team is gearing up for &lt;a href="http://www.complianceweek.com/page/525/2010-annual-conference" target="_blank"&gt;Compliance Week 2010&lt;/a&gt;, the 5th annual conference for corporate financial, legal, risk and compliance officers. We’re excited to be &lt;a href="http://www.complianceweek.com/page/759/2010-conference-sponsors" target="_blank"&gt;sponsoring&lt;/a&gt; this event, and we hope to see you there!&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;font size="3"&gt;May 24–26, 2010&lt;/font&gt;&lt;br /&gt;Booth #5&lt;br /&gt;Mayflower Hotel&lt;br /&gt;Washington, D.C.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Please join our eGRC experts for the following educational sessions:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;GRC: The Power of a Platform Approach&lt;/strong&gt;&lt;br /&gt;Monday, May 24 at 11:15 a.m.&lt;br /&gt;Led by Jason Rohlf, eGRC Solutions Manager&lt;br /&gt;Location: Virginia&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;GRC Strategy Roadmap&lt;/strong&gt;&lt;br /&gt;Tuesday, May 25 at 3:45 p.m.&lt;br /&gt;Led by David Walter, Director of eGRC Solutions&lt;br /&gt;Location: Chinese&lt;/p&gt;
&lt;p&gt;For Archer customers who have not yet registered for Compliance Week 2010, please take advantage of our &lt;a href="https://www.complianceweek.com/index.cfm?fuseaction=product.listProduct&amp;amp;productCategoryID=143" target="_blank"&gt;discounted rate&lt;/a&gt;, and register today. &lt;/p&gt;
&lt;p&gt;Be sure to stop by booth #5 to visit with the Archer team, and take advantage of the &lt;a href="http://www.complianceweek.com/page/756/2010-conference-agenda" target="_blank"&gt;full agenda&lt;/a&gt; of educational sessions available to you. If you have any questions about the Archer GRC presence at Compliance Week 2010, email us at &lt;a href="mailto:events@archer.com"&gt;events@archer.com&lt;/a&gt;.&lt;/p&gt;</description><enclosure url="http://www.archer.com/blog/blogs/attachment/77df5212-007e-4b18-b406-d5cd5d3ade34.ashx" length="178622" type="image/x-png" /><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Events/default.aspx">Archer Events</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+Experts/default.aspx">Archer Experts</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Archer+News/default.aspx">Archer News</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/David+Walter/default.aspx">David Walter</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/GRC/default.aspx">GRC</category><category domain="http://www.archer.com/blog/blogs/archer/archive/tags/Jason+Rohlf/default.aspx">Jason Rohlf</category></item></channel></rss>