Atlanta, GA (PRWEB) January 27, 2014
Modulo, a leading provider of technology governance, risk and compliance (GRC) solutions, announced today the best practices by which customer Airlines Reporting Corporation (ARC) has paved a path from IT GRC to effective Enterprise Risk Management (ERM) within its organization. ARC is a technology solutions company providing transaction settlement and data information services, processing more than $84 billion annually for over 190 airlines, 9,400 travel agencies and other travel suppliers, making it the financial backbone of travel distribution.
Like many organizations that handle large volumes of financial transactions, ARC is focused on meeting the annual compliance requirements of the Payment Card Industry Data Security Standard (PCI DSS) to increase controls around cardholder data and reduce credit card fraud. However, these activities shed little insight into real risk or compliance and were only once-a-year, point-in-time events. Further, it was a scramble to pull them together for auditors because they were handled manually with spreadsheets and SharePoint, and there was no overarching framework to guide a top-down approach.
To move the company to the next level, Rich Licato, Managing Director, Corporate Security for ARC, outlines the steps he took to build his IT risk view into an organizational risk view. By tackling his goal to automate the ISO 27001 certification process and ongoing risk assessments, he built a platform on which successful and effective ERM could be established.
The 5-Step Program included:
1. Pick a Framework: ARC decided upon using ISO 27001, an internationally adopted information security management system standard that provides a method for a holistic set of policies, processes and systems to manage risks to information assets, enabling an enterprise view of risk.
2. Drive Scope through Risk Assessment: ARC used its Disaster Recovery and Business Continuity work to define program scope, including prioritization and identification of critical business processes and risks.
3. Map Risks: First, all risks were identified (leveraging other methodologies provided by NIST, ISACA, etc.), evaluated in terms of likelihood and impact, and related to enterprise strategy; then the controls tied to those risks were evaluated; and finally the residual risks were determined and an action plan was developed to reduce them.
4. Treat, Measure and Monitor: ARC created a risk treatment plan, established a consolidated set of meaningful metrics using loss events, and now monitors on a regular basis. Using the Capability Maturity Model (CMM), ARC was able to set both an interim and a long-term target and scores progress for a process of continuous improvement.
5. Automate: Where possible, ARC uses tools, such as Modulo, to automate inefficient and ineffective manual processes.
ARC also provides the number one success tip for a program of this size: start small and expand, for example beginning with remediation, compliance or vulnerability management.
“By changing the conversation from a siloed, bottom-up, compliance only one to a top-down enterprise program view, we are now taking a true risk approach rather than a ‘check-the-box’ approach. We handle a lot of important information and I now have visibility into the overall security posture of the organization along with a common dialogue with constituents,” says Licato, who has a long history in both operational and information security risk.
He adds, “Modulo has a great visual tool with an organizational overview so I can tie everything together. So if something happens at a low level I can show how it ties back to the business – and I have everything in one spot, without stacks of papers, for presenting to the executive team and for auditors. Also I was able to set everything up in weeks to months versus years as with other tools.”
Modulo Risk Manager – which earned the top 5-star rating from SC Magazine for the past three consecutive years – offers a complete solution for technology risk and compliance management, enterprise risk management, vendor risk management, and business continuity management across the enterprise and the extended enterprise of third-party relationships, all in a flexible and affordable package specifically designed “out-of-the-box” for IT, security, and compliance professionals looking to align security to their risk and compliance needs.
To watch the entire webinar: https://www.brighttalk.com/webcast/8563/96417
Modulo is a leading global enterprise provider of technology governance, risk and compliance (GRC) management solutions. Hundreds of organizations around the world leverage the award-winning Modulo Risk Manager™ as a flexible and affordable approach to manage risk, compliance, and business continuity across the enterprise and extended enterprise of third-party relationships. Customers span the financial, health care, retail, manufacturing, higher-education, telecom, energy and government sectors and include BASF, BC Hydro, Commercial Bank of Dubai, Microsoft, New York University Medical Center, Synovus Financial, and Schlumberger. Modulo has earned industry recognition as both a 2012 and 2013 Innovator of the Year from SC Magazine, which also gave the company's products “5-Star” review ratings for three consecutive years.
Visit http://www.modulo.com and follow Modulo on Twitter @Modulo_Intl.