Archer : GRC

Big Steps Toward Managing Security and Compliance for Virtual Infrastructure

Sarah Nord — Wed, 01 Sep 2010 13:43:00 GMT

by Steve Schlarman – September 1, 2010

This week, the industry celebrates one of the most influential and explosive technologies influencing the world of information systems: Virtualization. At VMworld 2010, the focus on virtualization across the enterprise and cloud computing highlights some of the most interesting and impactful technologies that our industry is utilizing. We have had several previous blog posts regarding the cloud computing trend in terms of Governance, Risk and Compliance. The combination of traditional physical data center structures, virtual data centers and cloud services is something that we, as GRC professionals, need to continue to expand our knowledge on. The VMworld conference is one of those opportunities where we get glimpses into the future of information systems and are challenged with maturing our GRC processes and approaches to help our organizations leverage this exciting technology while keeping those risks inherent in all new business opportunities in check.

One of the major challenges of virtualization is in the definition of controls that are cognizant of the nuances and dimensions of the new virtual world. In conjunction with our RSA, EMC and VMware colleagues, we have just completed the documentation of technical control procedures for VMware as part of the RSA Archer eGRC Content Library. Technical control procedures for the VMware platform were developed based on the vSphere 4.0 Security Hardening Guide April 2010 and other generally accepted industry best practices.

The approximately 130 controls and associated Question Library content provide a comprehensive, end-to-end framework for providing a baseline secure configuration of a virtualized infrastructure and, where possible, automating and reporting upon the measurement of that configuration. This configuration baseline status monitoring may be complemented with relevant security events should the RSA enVision SIEM product be deployed also. The controls were developed by a team of platform experts from EMC, RSA and VMware. In addition to these control procedures, the team is extending the controls into automated testing scripts and other tools to drive the controls all the way through testing and verification.

The definition of technical controls—documented configuration settings and baselines—is a key part of the IT-GRC process. These controls define not only the expected configurations within the environment but also should directly guide audit, compliance and security assessments. Getting the technologists across the enterprise on the same page when it comes to technical controls is a big step toward a consistent, efficient, controlled infrastructure.

The VMware technical control procedures will be made available in the coming weeks as part of RSA’s continually growing eGRC Content Library. For more information, watch for the Content Library updates this quarter.

Live from the IIA GRC Conference

Sarah Nord — Wed, 25 Aug 2010 13:28:00 GMT

by Jason Rohlf – August 25, 2010

Greetings faithful readers! I’m writing to you from the beautiful Breakers Hotel in West Palm Beach, Florida, site of the Institute of Internal Auditors’ 2010 GRC Conference. As is often the case with my blogs, here’s a little history lesson: The hotel was originally built in 1896 by Standard Oil Company magnate Henry Flagler. After the hotel burned down in 1903, it was rebuilt and reopened in 1904, when rooms were going for $4 per night, including three meals. Um, let’s just say the times (and prices) have changed a bit, but much of the hotel’s rich heritage has been lovingly maintained and is prominently featured throughout the resort.

I consider myself fortunate on two fronts: being able to have such fine accommodations and having the opportunity to attend a conference with a fine professional organization like the IIA. I’ve been an IIA member for some time now and have faithfully read their publications, attended and taught at seminars and leveraged the knowledge they provide with their members in the spirit of their motto “Progress through Sharing”. Today my boss, the legendary David Walter, left me a voicemail asking me if I was on the beach, having a massage or enjoying a leisurely breakfast. I know what you’re thinking – how dare I ignore my boss’s call! Well I was too wrapped up in the excellent presentation being given by James D. Ratley, President of the Association of Certified Fraud Examiners, to take David’s call. When we finally connected, I joked that I had actually been receiving a massage on the beach while eating breakfast and therefore couldn’t take his call. All joking aside, he wanted to see how things were going and, more importantly, just how “geeked out” I was by the conference.

I understand that the term/acronym “GRC” is viewed by many as a buzzword or a marketing tool, but based on the sessions I’ve participated in and the conversations I’ve had, GRC is nothing of the sort. It’s a collection of closely interrelated processes, initiatives, challenges and opportunities that are prominent in the minds of the internal audit community. I am very pleased to see the IIA assemble such a strong curriculum focused on governance, risk and compliance, with tracks assembled to address:

• Internal Audit’s role in risk management
• Fraud
• Regulatory, legislative and compliance concepts, and
• Governance insights

I don’t know about you, but this tells me that GRC is not just a concept, but something that’s been woven into the fabric of what the internal audit profession strives to represent. I have attended many of these sessions and each one has been packed with excellent information from very knowledgeable presenters and with equally poignant questions and insights from the attendees. I’ve also been very pleased to see that internal auditors are not only keenly aware of their need to expand their risk focus beyond traditional financial compliance controls, but they also understand that leveraging technology to support continuous auditing and monitoring activities is widely viewed as a critical future competency of an effective audit practice. If nothing else, the conference has helped validate the research we’ve been performing and the conclusions we’ve reached about the challenges the profession faces and the opportunities it has to elevate its stature within the organizations it serves.

So to answer David’s question – I am extremely geeked out by this conference, and I’m even more geeked out by the way the internal audit profession is embracing the challenge of being a trusted business advisor and essential enablers of effective GRC programs.

IIA GRC Conference: Visit the RSA Archer Team

Sarah Nord — Fri, 20 Aug 2010 13:58:00 GMT

August 20, 2010

Will you be attending the Institute of Internal Auditors Governance, Risk and Compliance Conference next week? If so, we invite you to stop by booth #19 to visit with Jason Rohlf and Josh Reid from the RSA Archer eGRC team.

IIA GRC Conference
August 23–25, 2010
The Breakers in Palm Beach, FL
RSA Booth #19

A primary focus of the 2010 IIA GRC Conference will be Audit’s role in Risk Management. Jason and Josh look forward to speaking with you about how our customers are implementing RSA Archer Audit Management to enable risk-based, business-aligned internal audit. Whether you’d like to see a solution demo or just have a conversation, the RSA Archer team looks forward to seeing you there!

Making Sense of GRC: The Case for Business Context

Sarah Nord — Thu, 19 Aug 2010 17:18:00 GMT

by David Walter – August 19, 2010

Throughout our lives, we all have to make decisions without all the relevant facts. Sometimes our instincts guide us in the right direction, and sometimes we just get lucky. But there are also those decisions that blow up in our faces. For an example, look no further than the thousands of homeowners who purchased their dream homes at the height of the housing boom, only to find themselves in a nightmare scenario months later when the market tanked and they went upside-down in their mortgages.

While we’ll never have a crystal ball that helps us see clearly into the future, we’d all like to have the facts—and just the relevant facts—when we’re faced with an important decision. But in this age of information explosion, it’s a major challenge to sift through the constant influx of data, most of which is completely immaterial. Consider this statistic presented by Eric Schmidt, CEO of Google: “Every two days now, we create as much information as we did from the dawn of civilization up until 2003.” While we may not be able to avoid the barrage of information that floods our minds and our inboxes on a daily basis, we can strive to filter out the excess and make sense of what’s left.

But to do this, we need context.

From a governance, risk and compliance (GRC) perspective, it starts with understanding what’s important to the business:

• What are the business processes that directly support our corporate objectives?
• What people, information and applications support those critical processes?
• And what are the risks to our people, information, applications and processes that may prevent us from achieving our corporate objectives?

Our customers rely on RSA Archer eGRC Solutions to answer these very questions. To put it simply, RSA Archer is a repository of what’s important to people. It helps our customers put risks, threats, incidents and compliance deficiencies into business context so they can prioritize their response and focus on what’s most significant to the organization.

Here’s just one example: Every business has intellectual property that it needs to protect, and this data may be stored and used across the global enterprise. How do you know who should be looking at this information? What movement of the information is safe and appropriate? What do you do if the information is compromised? To answer these questions, you must have business context:

• Who manages the information and who needs to access it?
• What business processes does the data support and what regulations impact the data?
• When is the information accessed?
• Where is the data accessed and where is it moved?
• Why is it necessary to store the information?

Using RSA Archer, organizations can manage a repository of information assets and perform online assessments to determine classification ratings and required retention periods. They can also link information assets to the business processes they support, the applications where they are managed, the facilities where they are housed, and the owners and custodians of the information. Based on these relationships, RSA Archer automatically generates a criticality rating for each information asset.

When a log management or data loss prevention system identifies a potential compromise of sensitive information and those events are passed into RSA Archer, both IT and business users have the context they need to respond appropriately. Events that impact critical information assets will receive prioritized attention, and appropriate users are notified of their responsibilities for issue analysis and remediation.

As a division of EMC, RSA is ideally positioned to deliver value to our customers by providing business context for governance, risk and compliance activities. EMC is renowned for its expertise in collecting data, giving it context, and presenting it to users in a way that’s easy to digest and manage. As we continue to enhance the RSA Archer eGRC Platform capabilities, we’ll maintain our focus on helping customers make sense of complex information, prioritize risks and issues, and allocate resources effectively to protect what is most important to their business.

Take the OCEG GRC Maturity Survey

Sarah Nord — Wed, 04 Aug 2010 19:35:00 GMT

by David Walter – August 4, 2010

As a member of the Open Compliance and Ethics Group (OCEG), RSA is happy to keep you posted on OCEG activities of general interest to the Archer eGRC Community. With this in mind, I’d like to invite you to participate in OCEG’s 2010 GRC Maturity Survey about the state of GRC in your organization.

According to OCEG, “This benchmarking study offers an opportunity to learn how your organization compares to others that are addressing the need for integration of governance, risk management and compliance efforts. With only 15 minutes of your time, you will address questions about the state of GRC in your organization today, GRC organization and oversight structure, benefits from integration (and negative effects of siloed operations) and use of technology to support GRC.”

OCEG will present the results of the 2010 GRC Maturity Survey at the upcoming GRC360° Executive Forum in the Netherlands, October 4–5. A summary of survey findings will also be available on the OCEG web site.

The OCEG GRC Maturity Survey is open through September 10, 2010. We hope you’ll participate and forward the survey to your colleagues as well.

The GRC Learning Model

Sarah Nord — Wed, 28 Jul 2010 20:24:00 GMT

by Steve Schlarman – July 28, 2010

The older one gets, the more one forgets what one knows.

We have all seen the enlightened “master” in movies tell the young learner “Your cup must be emptied before it can be filled” or “Clear your mind and the truth will be revealed.” The premise that one must unlearn to learn is such a common theme in so many movies that it has become a cliché. But there is a truth in that to truly master something, you have to somehow transition that knowledge from an act of concentration to an act of just doing.

We recently held an internal training session for our managers to help facilitate some organizational transitions within our groups. Part of the session was a review of an adult learning model. The point of the model was to articulate the difference between how adults learn and how children learn. Adults generally learn differently than children and, as such, any effort to teach adults a new skill, implement a new organizational approach or introduce a major change needs to take this into consideration.

The model depicted four simple stages:

1. Unconsciously unskilled
2. Consciously unskilled
3. Consciously skilled
4. Unconsciously skilled

These stages are perfectly sensible—essentially outlining the path from “not knowing what you don’t know” to “doing what you do without thinking.” I had a colleague that used the folksy phrase “a pig looking at a watch” to describe the unconsciously unskilled. His point was that although the pig could see a watch, it didn’t know what it meant. Anyone watching Michael Jordan sink a fall-away jumper with a defender hanging all over him has seen the unconsciously skilled in action. What I find interesting is that the stages have two pieces—the technical elements of skilled vs. unskilled and the mental elements of the subconscious and conscious.

Another component of the model focuses on how the transition between the stages is prompted. Moving from Stage 1 to Stage 2 involves an epiphany of sorts fueled by increasing awareness and relevant examples. Moving from Stage 2 to Stage 3 requires a shift in motivation and incentive. Finally, moving up to the “enlightened” Stage 4 demands repetition and practice, practice, practice.

Now it doesn’t take much enlightenment to draw parallels to our world of governance, risk and compliance (GRC). If we apply this model to the objectives within our organization, we can see that GRC is not just the mechanics of audit, security and the controls in business processes but also the cultural and psychological growth of the organization. It seems to me that these stages outline the fundamental transition that all organizations are looking to achieve for GRC. If we want our organization to really implement governance, understand risk and manage compliance, then we need to help the organization “learn” the way adults do.

As GRC leaders in our organizations, we can take a step back and analyze just where our organization is in this continuum:

• Is the organization still in the “don’t know what we don’t know” stage?
• Has it reached the consciously unskilled stage where it really understands what skills it needs but lacks the motivation to progress?
• Does the organization need an epiphany or merely more time to practice?

Thinking in these terms brings to light some of the needs of the GRC efforts outside the mere technicalities of policy, controls and audit. True organizational change is the only thing that will push a GRC program toward enlightenment. This is where the cultural and psychological components of the program have to be pushed as hard as the mechanics. We all would like to see our organization begin to unconsciously incorporate well designed controls into business processes. The trick is to get the organization to move up this scale one step at a time.

Many times, risk and compliance professionals can get caught in the trap of teaching their organizations the way children need to be taught. Telling people over and over the “right way” to do things, making people learn by rote and other methods targeting a green-field mind do not work when you are trying to teach an organization of mature professionals. These simple tenets of adult learning, when applied to the grand scale of an organization, might help identify some of the reasons why GRC is not taking hold as well as one would hope in the organization.

Take a moment to evaluate how the risk and compliance activities are being presented to the organization. You may find that while the skilled is winning over the unskilled, the long-term strategic win comes when the unconscious wins over the conscious. Think of the pride you would have if your organization would sink a game-winning shot over the outstretched hand of a defender in a pure, fluid motion of unconscious skill.

Governance: The Big Problem

Sarah Nord — Wed, 07 Jul 2010 20:22:00 GMT

by Sam Curry – July 6, 2010

That government is best which governs least
–Thomas Jefferson or Thomas Paine, uncertain attribution

If people behaved like governments, you'd call the cops.
– Kelvin Throop

Unbiddable, ungovernable – like a riot in the heart, and nothing to be done, come ruin or rapture
– Viola de Lesseps in Shakespeare in Love

I alluded to this a few weeks ago in Xanadu, but I got to thinking about the subject and realized it deserves a little more exploration and discussion. I mentioned an almost mythical "hunter-gatherer" society and the potential to build a more modern civilization (for good or ill) when social constructs emerged to let us live in groups of more than 100 to 200 people. This bears some more thinking and some comment because it highlights for me what is so hard about modern Governance: making a large number of people work together is hard and it's not an extension of what a small number of people do!

As I mentioned earlier, we as people tend to organize ourselves even today in groups of between 100 and 200 people. This was first highlighted for me by Malcolm Gladwell in the Tipping Point when he wrote about the Gore corporation and how they self-organize. In a weird coincidence, it was driven home to me by presentations I saw from Guy Kawasaki and Gary Hamel in the same week. We organize ourselves in groups that have a social dynamic and ability to understand one another at somewhere around 150 people: this is true for optimizing a business unit, for military companies and even for some religious congregrations. There's something special about the way our brains work and that size of community.

As I've moved around and changed jobs over the years, I've seen my personal network of active colleagues and associates stay constant at around this number, although the passive number is much, much larger. This magic number rang true for me – it’s been very hard to keep deep contacts with a large number of people, and the “inner circle” of friends we all have changes if we move or change careers, locations or just mature over time. Basically, the number made it personal for me.

Then I read the God Delusion by Richard Dawkins, and regardless of your personal feelings with respect to Dr. Dawkins or his work, bear with me a moment. He postulated that it's entirely possible that we evolved a brain capable of subjecting itself to larger social structures and to what is basically religion, and that this might mean that we evolved a capacity for religion so that we can exist in larger groups than 100 to 200 people. Many scientists, incidentally, loathe the notion of social evolution (and for good reason incidentally), many are leery of the chasm that yawns between science and religion as a no-person's land and many on the religious side despise the reversal this implies; but there are some great points I'd like to summarize from Gladwell and from Dawkin's points:

1. We as Human beings seem to self-organize and work well in groups of about 150 people ― this is our "sweet spot"
2. What is potentially one of the most significant advances in our species was overcoming the ability to work in groups greater than 150 outside the "sweet spot"

And now…we need to combine this with "Governance." Governance is really the ability to direct, manage and determine how a large group of people (and their technology, applications, services and so on) behave. We do this to manage risk and pursue reward, but the magnitude of the task becomes evident very quickly: the heart of the problem around Governance is not a tech problem…it's a Human problem. Solving this one is solving the big one in many ways.

What we want to do is take the personal management techniques that we have evolved for within the "sweet spot" and create a structure for managing companies and countries to the same degree that are measured in the thousands and millions of people. That's hard!

The good news is that we don't have to do it all. We don't have to boil the ocean, we just have to do it well enough to have an impact on risk and on reward. That's good enough and that should be our goal.

In to the Heart of the Matter (and in Will the Real GRC Please Stand Up), I spoke to RSA buying Archer and came to the following conclusions that we need to…

1. Create policy and have IT carry it out
2. Know what is happening, especially with respect to the policies we've created

Perhaps the most significant thing that we can do is minimize the difficulty of managing large groups of people and technology and creating cultures that form in organizations the size of a "sweet spot" to follow corporate principles. If we can't manage a company of 50,000 people as we would one of 50 people, then work on making the tools easier to use, easier to find, faster to respond and empowering to the natural, smaller groupings to follow the policy determined at the top. This is about empowering business to better self-govern and become more powerful.

Fundamentally, GRC and Governance are Human problems and while not completely solvable, they are imminently addressable!

PS ― Next week is the 6 month anniversary of RSA (the Security Division of EMC) acquiring Archer, and I am incredibly proud of how we have and are integrating the two companies to be greater than the sum of the parts!

PPS ― I will be presenting a “Compliance in the Clouds” webinar next week for any who are interested; details are here.

Are You a GRC Saboteur?

Sarah Nord — Wed, 30 Jun 2010 15:34:00 GMT

by Steve Schlarman – June 30, 2010

We all have our own little secret hobbies that we use to escape from the craziness of our everyday life. Spend any time with someone, and most likely you will learn about their pets, their thimble collection, their penchant for photographing railroads or their clandestine weekend job as a rodeo clown. Frankly, I haven’t met any rodeo clowns yet, but I am still holding on to some hope that somewhere, I will meet someone whose passion outside of work is to jump in a barrel a split second before a furious bull comes charging near.

Now, I have a few covert interests as well—I play bass guitar (check out iTunes, and I have one song as part of a compilation CD), I enjoy video games (who doesn’t enjoy blasting away at bad guys to burn stress off) and I enjoy working out (I will hit the big FOUR-O this year and have to do something to stay young.) However, one my favorite underground loves is military history, specifically World War II. A visit to my home office would reveal collages of D-Day maps and pictures on the wall, some metal soldiers in a display case and a bookcase full of tomes written on the conflict. I know: geek city…

So when I saw a “World War II Sabotage Field Manual” post on Bruce Schneier’s blog, I literally fell out of my seat—which in our row is not an out-of-the-ordinary event. In fact, Jason Rohlf (my product management compadre and “cubemate”) didn’t even blink. But he did ask me what I had found. I proudly displayed my monitor and showed him the declassified Operations of Strategic Services’ Simple Sabotage Field Manual. For those of you who aren’t familiar with the history, the OSS was the intelligence agency within the United States established during World War II that led many of the covert operations. The organization was the precursor to the Central Intelligence Agency and was based on Britain’s Special Operations Executive. The tattered document on my screen—now 56 years old—was published to help locals behind enemy lines disrupt operations and cause damage in many simple ways.

Part 5 “Specific Suggestions for Simple Sabotage,” section (11) outlines some rather amusing suggestions to cause general interference with organizations and production facilities:

• “Insist on doing everything through ‘channels.’ Never permit short-cuts to be taken in order to expedite decisions.”
• “Bring up irrelevant issues as frequently as possible.”
• “Haggle over precise wordings of communications, minutes, resolutions.”
• “Be worried about the propriety of any decision.”

The document goes on and on with numerous suggestions on how to essentially cause general mayhem in any organizational situation. While it is laughable now, I have no doubt that these are very effective strategies given that we see many of these things every day in our corporate world.

This brings me to my point—and how this relates to our beloved GRC world. Many times, as risk and compliance professionals, we pride ourselves on the intricacies and technical details of our world. I mean, who doesn’t love throwing the difference between a threat and a vulnerability into the discussion? However, we always must be grounded in the fact that most of the people we interface with—and those who are truly the ones we must impact the most—are business people who couldn’t care less about the difference between a buffer overflow and an overflowing buffoon. They want to conduct business and keep our companies moving forward. Our job is to help them do that while maintaining some level of control.

Therefore, think about how you explain risk and compliance needs within your organization. Use straightforward, relevant examples and make the needs real for your business counterparts. Establish some common understanding of risk language within your organization. Speak in terms that mean something to the business and don’t get wrapped up in the technical nuances of governance, risk and compliance. While the cloak-and-dagger world of spies may seem glamorous, the last thing you want to have happen at a meeting is to be introduced as the “saboteur” sent from the risk group.

Archer Community Passes the 4,000 Member Milestone

Sarah Nord — Mon, 28 Jun 2010 19:09:00 GMT

by Jeff Glasco – June 28, 2010

We stopped and took notice last week as the membership count on the Archer Community crossed the 4,000 member threshold. While slightly shy of Facebook’s leading 400,000,000 user base, we’re very excited at the 81% growth rate in Community membership over the past year. How excited, you ask? We danced. We sang. We rang bells typically reserved for big sales announcements. We even got some kid named Andy and his dad to stack up exactly 4,000 dominoes and knock them down in a glorious display as captured on this YouTube video. OK, maybe that’s a small lie, but would we have enlisted them if we’d been struck with the creative epiphany to do so? You bet.

We interpret this growth as an ongoing testimonial to the importance our clients place on the Community and the need for more collaboration in the governance, risk and compliance (GRC) landscape. Let’s face it, business problems in the GRC arena aren’t getting any easier to tackle. Dealing with the complex issues our Community of practitioners face on a daily basis takes creativity, rigor and guidance in the form of thought leadership. And sometimes, we suspect, it simply helps to know and interact with peers who are facing the same challenges, understand your perspective and can offer a little empathy when needed.

It’s important to mark the occasions when milestones are crossed, but we must continue to think of the future. Now more than ever, our focus is set on connecting our Community of practitioners while keeping relevant GRC topics and discussions flowing into their connected work life. We are currently looking at opportunities to expand the Community platform to enhance the member experience. Our objective is simple: We want to evolve the way the Community collaborates to advance thought leadership and help solve common problems. In truth, we aim to build the most connected and relevant GRC Community in the industry along the way.

So thanks from the RSA Archer eGRC team! We look forward to welcoming the next 4,000 Community members. Facebook here we come (which, by the way, you can follow us on).

Visit RSA’s Archer Team at the Gartner Security and Risk Management Summit

Sarah Nord — Mon, 21 Jun 2010 13:00:00 GMT

June 21, 2010

RSA is exhibiting this week at the Gartner Security and Risk Management Summit 2010. We invite you to stop by Booth #5 to visit with RSA’s Archer team, take a tour of our eGRC solutions, and gain a broader understanding of the RSA solution portfolio.

June 21-23, 2010
Gaylord National Convention Center
National Harbor, MD (Washington, D.C. area)

Also join the RSA team for the following sessions:

The Journey to the Cloud
Monday, June 21 at 10:15 a.m.
Led by David Walter, RSA’s Director of eGRC Solutions, and Steve Preston, RSA’s Senior Director of Product Marketing

Integrated GRC in the Security Operations Center
Monday, June 21 at 3:45 p.m.
Led by Chris Young, RSA’s Sr. Vice President of Products, Technologies and Markets, and Chris Leach, CISO for Affiliated Computer Services

Managing Risks in Today’s Landscape
Tuesday, June 22 at 1 p.m.
Led by David Walter, Director of eGRC Solutions for RSA

For more information on this event, visit the Gartner Security and Risk Management Summit web site. We hope to see you there!

Congratulations to Visa for the 2010 OCEG GRC Achievement Award

Sarah Nord — Thu, 27 May 2010 14:56:00 GMT

May 27, 2010

The RSA | Archer team would like to congratulate Visa on winning the Peer Choice Award in the 2010 Open Compliance and Ethics Group (OCEG) GRC Achievement Awards program. Announced yesterday at the Compliance Week Conference in Washington, D.C., the Peer Choice Award is determined by conference attendees, which include corporate financial, legal, risk, audit and compliance officers.

The OCEG GRC Achievement Awards recognize the great strides many organizations have made in improving and integrating their approach to governance, risk management and compliance. Visa was selected for the Peer Choice Award based on their Global Enterprise Risk Management program and their strategic GRC roadmap.

Please join us in congratulating Visa on this important achievement. We’re honored to have the Visa team as active participants in the Archer eGRC Community, and we thank them for their involvement in driving GRC program innovation.

Live from Compliance Week 2010

Sarah Nord — Wed, 26 May 2010 16:35:00 GMT

by Jason Rohlf – May 26, 2010

Greetings from Compliance Week’s 5th Annual Conference in our Nation’s Capital! It’s my pleasure to report to you from the banks of the beautiful Potomac River (actually, I’m inside the historic Mayflower Hotel, but no need to split hairs). These days, there seems to be an inordinate amount of rumbling and grumbling about how nothing of importance ever gets done in Washington. Based on what I’ve seen at Compliance Week, I’d say that the last two days have certainly been the exception to that common perception.

Throughout the conference, I’ve had the chance to interact with many interesting people. As is common with these events, every attendee wears a badge with their name, company and business title, and I’ve found my eyes instinctively trained on this information. Oh, the titles I’ve seen! Chief Audit Executive, Director of Enterprise Risk Management, IT Governance Director, Chief Risk and Ethics Officer…the list goes on and on.

Despite the varying functional lexicons employed by the companies represented here, the same common thread runs through all of the attendees. Regardless of title, these individuals came here to share ideas around how to continuously improve their governance, risk and compliance programs. And not only have we been able to share our ideas among one another, we’ve also been given the rare and exciting opportunity to hear from some very well-respected dignitaries in the GRC space:

• U.S. SEC Commissioner Luis Aguilar
• Former SEC Chairman Harvey Pitt
• U.S. House Representative Barney Frank
• Shelley Parratt from the SEC’s Corporation Finance Division
• Acting U.S. Deputy Attorney General Gary Grindler

It’s the 1927 Yankees of GRC! We would have been fortunate to hear from any one of these individuals, but to have them all on the same agenda afforded us a unique opportunity to gain valuable perspectives on where we are in terms of GRC policy and, more importantly, where we are collectively headed.

In addition to these great keynotes, the breakout sessions gave us all a chance to further the knowledge sharing process. I had the pleasure of presenting on RSA Archer eGRC solutions during my session on “Governance, Risk and Compliance: The Power of a Platform Approach.” And RSA’s Director of eGRC Solutions David Walter led a highly interactive session outlining the GRC Strategy Roadmap process. I think I speak for David when I say we are both very appreciative for the thoughts and insights offered by those who attended these sessions.

While onsite here at the conference, I received another bit of exciting news—the announcement that RSA has joined the Open Ethics and Compliance Group (OCEG), a not-for-profit organization with a mission to help companies align their GRC management activities to drive business performance and promote integrity. I had some thought-provoking conversations with some of OCEG’s leadership team, and I can honestly say that I am very excited about our membership with them.

Overall we’ve had a great experience at Compliance Week 2010. This was RSA’s first time here, but something tells me it won’t be our last.

RSA Joins the Open Compliance and Ethics Group

Sarah Nord — Tue, 25 May 2010 19:33:00 GMT

May 25, 2010

Today, we’re pleased to announce that we have joined the Open Compliance and Ethics Group (OCEG), a nonprofit organization with a mission to help companies align their governance, risk and compliance (GRC) management activities to drive business performance and promote integrity.

Since Archer joined RSA in January 2010, RSA has demonstrated its strong commitment to strategic, efficient and sustainable enterprise GRC solutions that span IT, finance, operations and legal business domains. As an OCEG Charter Member, RSA will participate in the Leadership and Technology Councils and help guide the GRC Capability Model, bringing to bear the collective vision of the Archer eGRC Community, whose membership includes more than 3,800 GRC professionals.

"GRC leadership is about involvement and participation in the broad GRC community,” said Michael Rasmussen, OCEG fellow and president of Corporate Integrity LLC. “As an eGRC leader, Archer Technologies had a proven track record of excellence in client relationship and interaction; RSA continues on that path, participating in Compliance Week’s industry recognized GRC conference and contributing to the thought leadership of OCEG, which has the only publicly vetted and collaborated GRC process framework in the Red Book GRC Capability Model—what I refer to as the GRC Rosetta Stone."

According to David Walter, our director of eGRC solutions, “OCEG is a recognized leader in providing GRC standards, guidelines and assessment procedures, and we look forward to offering those resources to our clients. We’re also excited to bring the voice of the Archer Community to the OCEG Technology Council. Our active membership of GRC clients, partners and product experts is helping to shape the vision for enterprise GRC technology innovation. We believe the influence of this Community will provide great value to OCEG.”

To learn more about OCEG, visit http://www.oceg.org/.

Webcast - IT-GRC for Healthcare

Demian Tallman — Mon, 24 May 2010 21:31:00 GMT

Need a common plan of attack for compliance?
Struggling to evaluate, prioritize and respond to risks?

Join this live webcast, and learn how you acn solve these challenges with a unified, automated and
sustainable IT governance, risk and compliance (IT-GRC) program. Discover how to:

Take advantage of pre-mapped policies, control standards, procedures, assessment questions
and regulations that affect the healthcare industry, including HIPAA, HITECH, PCI and others.
Implement a "one-stop shop" for risk analysis, control definition, continual assessments
and ongoing remediation.
Flush out redundancies, and bring together disparate compliance processes with a common approach.
Visualize and communicate risk at all levels of your business.
Report on your IT-GRC program in real time through enterprise dashboard capabilities.

Tuesday, May 25
1-2 p.m. Central
2-3 p.m. Eastern

Don't miss this event! Register today.

Visit the Archer GRC Team at Compliance Week 2010

Sarah Nord — Wed, 12 May 2010 15:25:00 GMT

May 12, 2010

The Archer team is gearing up for Compliance Week 2010, the 5th annual conference for corporate financial, legal, risk and compliance officers. We’re excited to be sponsoring this event, and we hope to see you there!

May 24–26, 2010
Booth #5
Mayflower Hotel
Washington, D.C.

Please join our eGRC experts for the following educational sessions:

GRC: The Power of a Platform Approach
Monday, May 24 at 11:15 a.m.
Led by Jason Rohlf, eGRC Solutions Manager
Location: Virginia

GRC Strategy Roadmap
Tuesday, May 25 at 3:45 p.m.
Led by David Walter, Director of eGRC Solutions
Location: Chinese

For Archer customers who have not yet registered for Compliance Week 2010, please take advantage of our discounted rate, and register today.

Be sure to stop by booth #5 to visit with the Archer team, and take advantage of the full agenda of educational sessions available to you. If you have any questions about the Archer GRC presence at Compliance Week 2010, email us at events@archer.com.