www.icebergnetworks.com
Delivering Risk Intelligence
CASE STUDY
Getting a grip on application risk
Centralizing & automating application risk assessments at a North American bank
How many applications are deployed within your organization?
Which of those applications are linked to critical business
processes? When was the last time you ran a risk assessment on
each of them? How should you prioritize the applications that
need attention today? Are you sure your risk mitigation dollars
are being spent effectively?
Most organizations struggle to come up with confident answers to these questions.
That’s a big concern, considering that companies rely on applications to deliver the
vast majority of products and services. Risk assessments that do exist are often out
of date or are spread out in various spreadsheets and archives.
Why is application risk management so important? With IT and information as the
backbone to any business, the applications that are deployed become the pathway
to data. Everyone who relies on that infrastructure — employees, customers,
suppliers — wants to have confidence in the confidentiality, integrity, and
availability of the data and the applications that access it.
Without an effective application risk management program, organizations could
face IT failures and reduced performance; they are at risk of privacy and security
breaches; they may not meet the requirements of auditors and regulators; and
ultimately they may lose the ability to deliver products and services.
Most importantly, since companies have limited resources for risk mitigation, they
need to ensure they are using these funds as effectively as possible. Having a clear
understanding of their application risk posture gives managers confidence that
they’re spending money in the right places.
CASE STUDY: From spreadsheets to centralization
Iceberg recently helped a large North American bank with an Application Risk
Management project using the RSA Archer platform. In the case of this financial
institution, they had over 2,000 applications, and our engagement was over the last
two years of a five-year journey.
Their overall goal was to be able to confidently answer questions like the ones
above. They wanted to make risk-based decisions in order to make better use of
their resources. They knew they needed to centralize their disparate spreadsheets,
although at the onset it was not entirely clear how they would accomplish that.
The scale of this project was very large. Although thousands of applications and
multi-year timeframes are typical for a large bank, the approach they took is
relevant to organizations of any size. What’s important here is that the process
sequence and the lessons learned are very applicable to both large and small
organizations, and whether you’re dealing with a few dozen or a few thousand
deployed applications.
by Kirk Hogan, COO, Iceberg
STEP ONE: Inventory & categorization
For this particular bank, their journey goes back five years. At the time, each line of
business (LOB) had their own lists of applications kept on spreadsheets. They knew
(or at least they were reasonably certain!) that they had over 2,000 applications in
their inventory, but that list was spread out over each LOB and there was no formal
categorization. Which applications supported business operations? Which ones
were technology applications? In other words, they had a huge unordered list of
apps, without any meaningful data to make risk decisions on.
At this point in their maturity determining which applications were the most
important to the business would have been largely a guesswork exercise. For
example, they knew that SAP was a really important application, but they didn’t
have any solid data to prove how many business processes were dependent on it.
So step one for them was categorization. Their basic criteria were: Which
applications does our business need to run? Which ones do we rely on to deliver
our core processes? Based on the inventory and information that they had, they
identified 1,800 applications that they believed were business-critical and that they
wanted to target for risk assessments.
They had a team of about 30 business technology risk managers spread out
between six LOBs, tasked with doing an initial assessment of those 1,800
applications. For the most part those managers all worked within their own units
and created their own spreadsheet questionnaires and collected the data. There
was no agreed-on framework for measuring and reporting on risk.
STEP TWO: Harmonization
Here was their first “AHA!” moment: They started to realize that they were all
asking similar questions. Now that probably sounds obvious in hindsight, but if you
know how the internal org structure and politics of a large bank work, it won’t be
too surprising! So their next step was a decision to build a common framework to
properly consolidate and co-ordinate their assessment process.
Working with an outside consultant, and with strong support from leadership,
before long they narrowed a few dozen risk assessment spreadsheets down to a set
of four or five spreadsheets, each representing a co-ordinated question set. With a
common question set, and a consistent risk framework, they could now generate
better, more reliable data.
This wasn’t an easy task and involved some give-and-take. It was important to not
take away the autonomy of each LOB to assess risk, because ultimately the LOBs
are the ones that own the risk. They started to achieve alignment when the various
stakeholders realized that with a good set of questions, leading to a harmonized set
of assessments, they could have a much more effective risk management program.
Eventually they worked their way to a state where everyone tasked with assessing
risk, regardless of the LOB, was using the same template, based on one spreadsheet.
STEP THREE: Automation
So now we’re a few years into the program. Up until this point, all the application
risk information was being maintained on spreadsheets. The thing about
spreadsheets is they’re good by themselves, but when you try to co-ordinate
hundreds or thousands of spreadsheets (each with hundreds of rows), you have to
do an awful lot of linking.
508: Average # of applications per enterprise [1]
22%: Percentage of cloud applications believed to remain invisible to IT. [1]
>2,000: Average number of unsafe mobile apps installed on employee devices. [2]
85%: Percentage of data uploaded to apps that allow file sharing. [1]
85%: Of those unsafe apps, percentage that exposed sensitive data such as device location, call history, contacts, SMS logs, SIM information. [2]
Sources: [1] Netskope survey, 2014. [2] Veracode survey, 2015.
Believe it or not, the bank actually had professionals linking spreadsheets together.
Think about the cost implication of having professional “linkers”, spending their
hours making cross-references within the various spreadsheets across the LOBs.
This is the point where they started looking at platform solutions to centralize
everything and move away from spreadsheets. They ended up picking RSA
Archer to be that initial risk platform, which would link together the inventory of
applications, and the inventory of the controls that mitigated the risk.
They took the single Excel spreadsheet assessment template, and converted it into
an online assessment form on Archer. The collection of information could now be
automated, with users logging in to fill out their answers and upload documents
on the platform. Where previously the assessors had to interview the application
owner, interview the people who owned the controls, and then go and get evidence
that the controls were in place — now that could all be done online. Instead of
being kept on different laptops and sharepoint drives, the information collection
was now done in real time, attached to records within the platform.
Remember those professional “linkers” who were collating Excel sheets? Now
they could go back to their regular jobs: assessing risk! When people talk about
automation, often it’s linked to the idea of reducing human resources. In our
experience usually we are not eliminating positions — just re-assigning people to
more useful work.
STEP FOUR: Risk-based prioritization
With all these assessments running through Archer, the bank started to build up a
very accurate, thorough and clean inventory of information: applications, controls
and assessments.
Now they could finally start prioritizing risk management activities. Risk is a
combination of likelihood and impact. The assessments help determine the
likelihood — basically the fewer controls that are met, the more likely an event.
The impact is based more on business continuity considerations: what’s the impact
on my ability to deliver products and services if this application isn’t available?
To determine risk, we combined those two factors together. Every application gets a
basic risk rating on a scale of 1 to 5 (low to high), along with a weighted risk score.
You might have 1,500 applications come out as “high risk”, but within that there will
be a range of scores to help you prioritize which ones need attention first.
The weighting was accomplished by assigning specific control profiles to mitigate
risks based on the application type. The state of the controls assigned to each
application, as well as the risk rating assigned by the risk assessors, helped to
create the needed separation between the many risk scores calculated for all the
applications in the LOB.
So now each LOB could begin prioritizing where money and resources were
targeted to address the most critical risks and applications. They could base those
decisions on standardized data — something they could not have accomplished at
this scale using spreadsheets.
Another interesting benefit that they realized: Now that they were using a common
risk framework and consistent risk scores, they could look across the organization
and see where there were discrepancies in assessments between the LOBs. They
had a centralized governance group looking across the organization, and saw that
the same application was rated as a 5 by one LOB and as a 4 by a different LOB.
They could then start to ask questions to understand why those ratings differed.
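The scoring described in Step Four, worked through as an added example (this is a constructed model, not the bank's or RSA Archer's actual logic): control profiles keyed by application type drive likelihood, impact comes from the business-continuity question, the two combine into a 1 to 5 rating plus a weighted score that separates applications sharing a rating, and a final pass flags the cross-LOB rating discrepancies a governance group would review. The profiles, weights, rounding and sample assessments are all assumptions made up for the demonstration.

```python
"""Illustrative model of the Step Four risk-based prioritization.

Added example, not the bank's or RSA Archer's actual scoring logic: the control
profiles, weights, rounding and sample assessments below are all constructed.
"""
import math
from collections import defaultdict
from dataclasses import dataclass

# Constructed control profiles keyed by application type: each control the
# profile expects, with its weight in the likelihood calculation.
CONTROL_PROFILES = {
    "customer_facing_web": {"anti_malware": 3, "waf": 3, "mfa": 2, "backup": 2, "patching": 3},
    "internal_reporting": {"anti_malware": 2, "backup": 3, "patching": 2, "access_review": 1},
}


@dataclass(frozen=True)
class Assessment:
    app: str
    lob: str                  # line of business that performed the assessment
    app_type: str             # selects the control profile
    controls_met: frozenset   # controls the assessor found evidence for
    impact: int               # business-continuity impact, 1 (low) .. 5 (high)
    assessor_rating: int      # the assessor's own 1 .. 5 judgement


def likelihood(a: Assessment) -> float:
    """Fraction of the profile's control weight that is NOT evidenced (0..1).
    Fewer controls met -> higher likelihood, as the case study describes."""
    profile = CONTROL_PROFILES[a.app_type]
    unmet = sum(w for ctl, w in profile.items() if ctl not in a.controls_met)
    return unmet / sum(profile.values())


def risk_rating(a: Assessment) -> int:
    """Basic 1..5 rating: likelihood x impact, rounded up and clamped to the scale."""
    return max(1, min(5, math.ceil(likelihood(a) * a.impact)))


def weighted_score(a: Assessment) -> float:
    """0..100 score that separates applications sharing the same rating.
    Constructed weighting: 70% control-profile likelihood x impact, 30% assessor rating."""
    control_part = likelihood(a) * (a.impact / 5)
    assessor_part = a.assessor_rating / 5
    return round(100 * (0.7 * control_part + 0.3 * assessor_part), 1)


def prioritize(assessments, top_n):
    """Rank assessments by weighted score, highest first: the 'top N' list a manager wants."""
    ranked = sorted(assessments, key=weighted_score, reverse=True)
    return [(a.app, a.lob, risk_rating(a), weighted_score(a)) for a in ranked[:top_n]]


def lob_discrepancies(assessments):
    """Applications whose computed rating differs between the LOBs that assessed them.
    Returns {app: {lob: rating}} for those apps only: the governance group's review list."""
    by_app = defaultdict(dict)
    for a in assessments:
        by_app[a.app][a.lob] = risk_rating(a)
    return {app: lobs for app, lobs in by_app.items() if len(set(lobs.values())) > 1}


# Constructed sample: five assessments across four LOBs, one app assessed twice.
SAMPLE = [
    Assessment("TreasurySAP", "Treasury", "internal_reporting",
               frozenset({"anti_malware", "backup", "patching", "access_review"}), 5, 2),
    Assessment("CustomerPortal", "Retail", "customer_facing_web",
               frozenset({"anti_malware", "backup"}), 5, 5),
    Assessment("CustomerPortal", "Wealth", "customer_facing_web",
               frozenset({"anti_malware", "backup", "patching"}), 5, 4),
    Assessment("BranchScheduler", "Retail", "internal_reporting",
               frozenset({"backup"}), 2, 3),
    Assessment("LoanOrigination", "Commercial", "customer_facing_web",
               frozenset({"waf", "mfa"}), 4, 5),
]

if __name__ == "__main__":
    for app, lob, rating, score in prioritize(SAMPLE, 3):
        print(f"{app:16} {lob:10} rating={rating} score={score}")
    for app, lobs in lob_discrepancies(SAMPLE).items():
        print(f"review: {app} rated differently by LOBs: {lobs}")
```

Note that an application with every profiled control evidenced (TreasurySAP above) still carries a non-zero weighted score from the assessor's own judgement, which is what keeps fully controlled but critical systems visible in the ranking.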
The importance of leadership
This project benefited from strong executive leaders in the organization. Essentially it was a single point of governance — one executive — who said “thou shalt” and gave a clear direction. That was very important to achieve this evolution. Without it, it would have been very hard to navigate the politics and co-ordinate work between the various groups in the organization.
They also benefitted from having a leader who’d been through a similar process before. One of his key insights was that before they put their assessments on a platform, an important first step was to make sure their data was as tight, clean and consistent as possible. It may have taken five years to get from A to B, but the extra time they took to get through each stage kept everyone on board, built up momentum and buy-in, and ultimately resulted in an effective solution.
Keys to Better Reporting
I like to think of effective reporting as being like the cockpit of an airplane. You
don’t want to inundate a pilot with everything that’s going on. If the oil pressure is
good, you don’t have to tell her about it. If the pilot starts to see a low fuel warning
light, she knows right away it’s a critical warning. You need to give the pilot the
information she needs to see at the time she needs to see it. Every dashboard or
report designed and configured has to have a defined purpose.
In this organization, most managers were making decisions on a weekly basis,
asking “how am I going to change my program this week to make sure that we’re
focused on the right things”. There still might be 400 applications with “high” or
“very high” risk ratings, but typically the managers want to see a filtered list of
only the “top 10” or “top 100” risks. That’s what they need to see in a dashboard or
report.
This bank uses the concept of “actionable metrics”. They’re looking for more
than just reports and statistics. Within Archer an executive can drill down and see
what the action plan should be to remediate the risk, and what the status is of that
plan.
So for example, a risk manager might have identified a gap, and has recommended
that a system needs anti-malware protection. The action is that the owner has
to prove that anti-virus or anti-malware is protecting this application. When the
action is complete, the platform can show a change record where this application
is now filtering all traffic through that centrally available system. The executive who
owns that application can see the remediation action plan and evidence that the
control is in place, and therefore that the control gap has been addressed.
That kind of drill-down transparency in the process is not possible with
spreadsheets, but it’s integrated throughout the Archer platform.
STEP FIVE: Measure & improve
Our approach on this project was, don’t strive for 100% perfection. We worked
towards getting 80% correct, and then making small improvements from there.
The process of moving from Excel spreadsheets to automated questionnaires
is a good example. We didn’t try to over-engineer the solution in the beginning.
We resisted the urge to categorize everything into rigid values lists. To start, we
categorized four or five attributes in the questionnaire, but for the rest we allowed
free-form values.
After a few months of using that questionnaire, we analyzed the answers and
responses, then worked with the bank to refine the questionnaire for version
2.0. That made the system smarter and more responsive to how users wanted to
respond. It was a great evolutionary step, and it resulted in even better reporting.
On the program strategy side, initially, their approach was to over-compensate.
If there were 400 high-priority applications, they wanted to make sure they had
an action plan to remediate all the risks. Now that they’ve accomplished that first
wave over the last couple years, they have more data to help understand how they
can better prioritize their risk remediation. In other words, now they can start to
say: we can live with that risk.
Another area they’ll tackle soon is around performance metrics. So far they’ve been
focused on effectiveness first, and then efficiency, which is the right order. Throughout
the process they have been gathering information to give them a baseline to
understand how the platform can improve efficiency.
Achieving value
Today there are about 100 active users on the platform, but the platform impacts
tens of thousands of employees who rely on business applications to do their jobs.
Five years ago, this bank was making application risk management decisions
largely on gut or guesswork, and for the most part within the silos of each LOB.
They had no effective way to cross-link assessments and had inconsistent data.
With the RSA Archer platform in place, they are further along the journey to
achieve “Risk Intelligence”: they have trusted, transparent and aggregated risk
data, and the ability to make informed, confident and effective decisions. Ultimately
they’re in a much better position to react quickly to change, and move more quickly
to take advantage of opportunities that will allow them to grow their business.
Kirk Hogan is the Chief Operating Officer at Iceberg, managing the delivery
of Iceberg’s GRC Centre of Excellence program. For more information or to
request a demo, contact Kirk at khogan@icebergnetworks.com
Iceberg Networks
USA: 67 Bedford St. • Suite 400 West • Burlington, MA • 01803
CANADA: 600-515 Legget Drive • Ottawa, Ontario • K2K 3G4
Toll Free: 855-595-0808 • info@icebergnetworks.com
Twitter: @icebergnetworks • Blog: icebergnetworks.com/blog
About Iceberg
Iceberg is a Value-Added Partner (VAP) for RSA Archer, delivering software and services to help our clients successfully deploy Governance, Risk & Compliance (GRC) technology. Headquartered in Ottawa, Canada and serving all of North America, our team of over 20 certified and practicing RSA Archer experts offers a full lifecycle of consulting and services through our Centre of Excellence.
Our mission is to help our clients achieve trusted, aggregated and transparent risk intelligence that enables their business to make more informed business decisions.
Accretive solutions northstarinitiativeassessment-datasheet
 
Accretive Solutions Northstar Initiative Assessment Software Overview
Accretive Solutions Northstar Initiative Assessment Software OverviewAccretive Solutions Northstar Initiative Assessment Software Overview
Accretive Solutions Northstar Initiative Assessment Software Overview
 
Intro to insight as-a-service
Intro to insight as-a-serviceIntro to insight as-a-service
Intro to insight as-a-service
 
Accenture 2017 Global Risk Study: Capital Markets Summary
Accenture 2017 Global Risk Study: Capital Markets SummaryAccenture 2017 Global Risk Study: Capital Markets Summary
Accenture 2017 Global Risk Study: Capital Markets Summary
 
Why Do Enterprise Companies Build Apps So Slowly?
Why Do Enterprise Companies Build Apps So Slowly?Why Do Enterprise Companies Build Apps So Slowly?
Why Do Enterprise Companies Build Apps So Slowly?
 
Risk Management Software Implementation Guide eBook
Risk Management Software Implementation Guide eBookRisk Management Software Implementation Guide eBook
Risk Management Software Implementation Guide eBook
 
Vanson Bourne Case Study: Progress Software
Vanson Bourne Case Study: Progress SoftwareVanson Bourne Case Study: Progress Software
Vanson Bourne Case Study: Progress Software
 

More from Iceberg Networks Corporation

Yes, there is a better way to do vendor risk assessments!
Yes, there is a better way to do vendor risk assessments!Yes, there is a better way to do vendor risk assessments!
Yes, there is a better way to do vendor risk assessments!Iceberg Networks Corporation
 
How Archer users are leveraging Iceberg APS for a stronger GRC program
How Archer users are leveraging Iceberg APS for a stronger GRC programHow Archer users are leveraging Iceberg APS for a stronger GRC program
How Archer users are leveraging Iceberg APS for a stronger GRC programIceberg Networks Corporation
 
Transforming compliance and audit management with ServiceNow
Transforming compliance and audit management with ServiceNowTransforming compliance and audit management with ServiceNow
Transforming compliance and audit management with ServiceNowIceberg Networks Corporation
 
WEBINAR: Enhance your perspective of vendor risk with ServiceNow
WEBINAR: Enhance your perspective of vendor risk with ServiceNowWEBINAR: Enhance your perspective of vendor risk with ServiceNow
WEBINAR: Enhance your perspective of vendor risk with ServiceNowIceberg Networks Corporation
 
Iceberg Webinar: Adding relevant financial context to your BCM program
Iceberg Webinar: Adding relevant financial context to your BCM programIceberg Webinar: Adding relevant financial context to your BCM program
Iceberg Webinar: Adding relevant financial context to your BCM program Iceberg Networks Corporation
 
Webinar: Vulnerability Management IT can fix it, but the business needs to ow...
Webinar: Vulnerability Management IT can fix it, but the business needs to ow...Webinar: Vulnerability Management IT can fix it, but the business needs to ow...
Webinar: Vulnerability Management IT can fix it, but the business needs to ow...Iceberg Networks Corporation
 
Solution Brief: Helping prepare for risk & compliance challenges for GDPR
Solution Brief: Helping prepare for risk & compliance challenges for GDPRSolution Brief: Helping prepare for risk & compliance challenges for GDPR
Solution Brief: Helping prepare for risk & compliance challenges for GDPRIceberg Networks Corporation
 
RSA-Iceberg Seminar: Building an effective supplier risk management program
RSA-Iceberg Seminar: Building an effective supplier risk management programRSA-Iceberg Seminar: Building an effective supplier risk management program
RSA-Iceberg Seminar: Building an effective supplier risk management programIceberg Networks Corporation
 
Solving data publication challenges for even better rsa archer reporting
Solving data publication challenges for even better rsa archer reportingSolving data publication challenges for even better rsa archer reporting
Solving data publication challenges for even better rsa archer reportingIceberg Networks Corporation
 

More from Iceberg Networks Corporation (10)

Yes, there is a better way to do vendor risk assessments!
Yes, there is a better way to do vendor risk assessments!Yes, there is a better way to do vendor risk assessments!
Yes, there is a better way to do vendor risk assessments!
 
How Archer users are leveraging Iceberg APS for a stronger GRC program
How Archer users are leveraging Iceberg APS for a stronger GRC programHow Archer users are leveraging Iceberg APS for a stronger GRC program
How Archer users are leveraging Iceberg APS for a stronger GRC program
 
Transforming compliance and audit management with ServiceNow
Transforming compliance and audit management with ServiceNowTransforming compliance and audit management with ServiceNow
Transforming compliance and audit management with ServiceNow
 
WEBINAR: Enhance your perspective of vendor risk with ServiceNow
WEBINAR: Enhance your perspective of vendor risk with ServiceNowWEBINAR: Enhance your perspective of vendor risk with ServiceNow
WEBINAR: Enhance your perspective of vendor risk with ServiceNow
 
Iceberg Webinar: Adding relevant financial context to your BCM program
Iceberg Webinar: Adding relevant financial context to your BCM programIceberg Webinar: Adding relevant financial context to your BCM program
Iceberg Webinar: Adding relevant financial context to your BCM program
 
Webinar: Evolve Beyond the Third Line
Webinar: Evolve Beyond the Third LineWebinar: Evolve Beyond the Third Line
Webinar: Evolve Beyond the Third Line
 
Webinar: Vulnerability Management IT can fix it, but the business needs to ow...
Webinar: Vulnerability Management IT can fix it, but the business needs to ow...Webinar: Vulnerability Management IT can fix it, but the business needs to ow...
Webinar: Vulnerability Management IT can fix it, but the business needs to ow...
 
Solution Brief: Helping prepare for risk & compliance challenges for GDPR
Solution Brief: Helping prepare for risk & compliance challenges for GDPRSolution Brief: Helping prepare for risk & compliance challenges for GDPR
Solution Brief: Helping prepare for risk & compliance challenges for GDPR
 
RSA-Iceberg Seminar: Building an effective supplier risk management program
RSA-Iceberg Seminar: Building an effective supplier risk management programRSA-Iceberg Seminar: Building an effective supplier risk management program
RSA-Iceberg Seminar: Building an effective supplier risk management program
 
Solving data publication challenges for even better rsa archer reporting
Solving data publication challenges for even better rsa archer reportingSolving data publication challenges for even better rsa archer reporting
Solving data publication challenges for even better rsa archer reporting
 

Recently uploaded

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 

Recently uploaded (20)

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

Management project using the RSA Archer platform.
In the case of this financial institution, they had over 2,000 applications, and our engagement covered the last two years of a five-year journey. Their overall goal was to be able to confidently answer questions like the ones above. They wanted to make risk-based decisions in order to make better use of their resources. They knew they needed to centralize their disparate spreadsheets, although at the onset it was not entirely clear how they would accomplish that.

The scale of this project was very large. Although thousands of applications and multi-year timeframes are typical for a large bank, the process sequence and the lessons learned apply just as well to small organizations, whether you're dealing with a few dozen or a few thousand deployed applications.

by Kirk Hogan, COO, Iceberg
STEP ONE: Inventory & categorization

For this particular bank, the journey goes back five years. At the time, each line of business (LOB) kept its own lists of applications on spreadsheets. They knew (or at least were reasonably certain!) that they had over 2,000 applications in their inventory, but that list was spread across the LOBs and there was no formal categorization. Which applications supported business operations? Which ones were technology applications? In other words, they had a huge unordered list of apps, without any meaningful data on which to base risk decisions. At this point in their maturity, determining which applications were the most important to the business would have been largely a guesswork exercise. For example, they knew that SAP was a really important application, but they had no solid data showing how many business processes depended on it.

So step one for them was categorization. Their basic criterion was: Which applications does our business need to run? Which ones do we rely on to deliver our core processes? Based on the inventory and information they had, they identified 1,800 applications that they believed were business-critical and wanted to target for risk assessments. They had a team of about 30 business technology risk managers spread across six LOBs, tasked with an initial assessment of those 1,800 applications. For the most part those managers worked within their own units, created their own spreadsheet questionnaires and collected the data. There was no agreed-on framework for measuring and reporting on risk.

STEP TWO: Harmonization

Here was their first "AHA!" moment: they started to realize that they were all asking similar questions. That probably sounds obvious in hindsight, but if you know how the internal org structure and politics of a large bank work, it won't be too surprising!
So their next step was a decision to build a common framework to consolidate and co-ordinate their assessment process. Working with an outside consultant, and with strong support from leadership, before long they narrowed a few dozen risk assessment spreadsheets down to a set of four or five, each representing a co-ordinated question set. With a common question set and a consistent risk framework, they could now generate better, more reliable data.

This wasn't an easy task and involved some give-and-take. It was important not to take away the autonomy of each LOB to assess risk, because ultimately the LOBs are the ones that own the risk. They started to achieve alignment when the various stakeholders realized that a good set of questions, leading to a harmonized set of assessments, would give them a much more effective risk management program. Eventually they reached a state where everyone tasked with assessing risk, regardless of LOB, was using the same template, based on one spreadsheet.

STEP THREE: Automation

So now we're a few years into the program. Up until this point, all the application risk information was maintained on spreadsheets. Spreadsheets are fine by themselves, but when you try to co-ordinate hundreds or thousands of them (each with hundreds of rows), you have to do an awful lot of linking.

508: Average number of applications per enterprise [1]
22%: Percentage of cloud applications believed to remain invisible to IT [1]
>2,000: Average number of unsafe mobile apps installed on employee devices [2]
85%: Percentage of data uploaded to apps that allow file sharing [1]
85%: Of those unsafe apps, the percentage that exposed sensitive data such as device location, call history, contacts, SMS logs and SIM information [2]
[1] Netskope survey, 2014
[2] Veracode survey, 2015
Believe it or not, the bank actually had professionals linking spreadsheets together. Think about the cost implication of having professional "linkers" spending their hours making cross-references within the various spreadsheets across the LOBs.

This is the point where they started looking at platform solutions to centralize everything and move away from spreadsheets. They ended up picking RSA Archer as that initial risk platform, which would link together the inventory of applications and the inventory of the controls that mitigated the risk. They took the single Excel spreadsheet assessment template and converted it into an online assessment form on Archer. The collection of information could now be automated, with users logging in to fill out their answers and upload documents on the platform. Where previously the assessors had to interview the application owner, interview the people who owned the controls, and then go and get evidence that the controls were in place, now that could all be done online. Instead of being kept on different laptops and SharePoint drives, the information was now collected in real time, attached to records within the platform.

Remember those professional "linkers" who were collating Excel sheets? Now they could go back to their regular jobs: assessing risk! When people talk about automation, it is often linked to the idea of reducing headcount. In our experience we are usually not eliminating positions, just re-assigning people to more useful work.

STEP FOUR: Risk-based prioritization

With all these assessments running through Archer, the bank started to build up a very accurate, thorough and clean inventory of information: applications, controls and assessments. Now they could finally start prioritizing risk management activities. Risk is a combination of likelihood and impact.
The assessments help determine the likelihood: basically, the fewer controls that are met, the more likely an event. The impact is based more on business continuity considerations: what's the impact on my ability to deliver products and services if this application isn't available? To determine risk, we combined those two factors. Every application gets a basic risk rating on a scale of 1 to 5 (low to high), along with a weighted risk score. You might have 1,500 applications come out as "high risk", but within that there will be a range of scores to help you prioritize which ones need attention first.

The weighting was accomplished by assigning specific control profiles, based on the application type, to mitigate risks. The state of the controls assigned to each application, together with the risk rating assigned by the risk assessors, created the needed separation between the many risk scores calculated for all the applications in the LOB. So now each LOB could begin prioritizing where money and resources were targeted to address the most critical risks and applications. They could base those decisions on standardized data, something they could not have accomplished at this scale using spreadsheets.

Another interesting benefit they realized: now that they were using a common risk framework and consistent risk scores, they could look across the organization and see where there were discrepancies in assessments between the LOBs. A centralized governance group looking across the organization saw that some applications were rated by one LOB as a 5 and by a different LOB as a 4. They could start asking questions to understand why there were differences.

The importance of leadership

This project benefited from strong executive leaders in the organization. Essentially there was a single point of governance, one executive, who said "thou shalt" and gave clear direction. That was very important in achieving this evolution. Without it, it would have been very hard to navigate the politics and co-ordinate work between the various groups in the organization. They also benefited from having a leader who'd been through a similar process before. One of his key insights was that before they put their assessments on a platform, an important first step was to make sure their data was as tight, clean and consistent as possible. It may have taken five years to get from A to B, but the extra time they took to get through each stage kept everyone on board, built up momentum and buy-in, and ultimately resulted in an effective solution.
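The scoring model described under step four (likelihood from the share of the control profile that is met, impact from business continuity, a 1-to-5 rating plus a weighted score to separate applications within a band, and a cross-LOB discrepancy check) can be made concrete in a few dozen lines. The following is an added example written for this page, not code from the bank, from Iceberg or from the RSA Archer platform. The control profile names and weights, the banding thresholds, the score formula and the sample assessments are all constructed assumptions; the case study states that profiles were assigned by application type but does not publish them.

```python
from collections import defaultdict
from dataclasses import dataclass

# Control profiles per application type. Names and weights are constructed for
# illustration; the case study does not publish the bank's actual profiles.
CONTROL_PROFILES = {
    "customer-facing web": {"authn": 3, "anti_malware": 2, "patching": 3, "logging": 2, "backup": 2},
    "internal batch":      {"authn": 2, "patching": 2, "logging": 1, "backup": 3},
    "desktop tool":        {"authn": 1, "patching": 1, "anti_malware": 1},
}


@dataclass(frozen=True)
class Assessment:
    app: str
    lob: str
    app_type: str
    controls_met: frozenset  # controls with evidence attached in the assessment
    impact: int              # 1..5, business-continuity impact if the app is unavailable


@dataclass(frozen=True)
class RiskResult:
    app: str
    lob: str
    likelihood: int
    impact: int
    rating: int
    score: int


def unmet_weight(app_type, controls_met):
    """Weight of profile controls without evidence, and the profile's total weight."""
    profile = CONTROL_PROFILES[app_type]
    total = sum(profile.values())
    missing = sum(w for c, w in profile.items() if c not in controls_met)
    return missing, total


def likelihood(app_type, controls_met):
    """1..5: the smaller the share of the control profile that is met, the likelier an event."""
    missing, total = unmet_weight(app_type, controls_met)
    if missing == 0:
        return 1
    # Ceiling division so that any unmet control moves the rating off 1.
    return 1 + (4 * missing + total - 1) // total


def risk_rating(lik, imp):
    """Band the 5x5 likelihood x impact product into a 1..5 rating (constructed thresholds)."""
    product = lik * imp
    for floor, rating in ((20, 5), (12, 4), (6, 3), (3, 2)):
        if product >= floor:
            return rating
    return 1


def assess(a):
    missing, total = unmet_weight(a.app_type, a.controls_met)
    lik = likelihood(a.app_type, a.controls_met)
    # 0..100 weighted score: unmet control weight scaled by impact, so that two
    # applications with the same coarse rating can still be ordered.
    score = round(100 * missing * a.impact / (total * 5))
    return RiskResult(a.app, a.lob, lik, a.impact, risk_rating(lik, a.impact), score)


def prioritize(assessments, top_n):
    """The filtered 'top N' list a manager would want on a dashboard."""
    results = [assess(a) for a in assessments]
    results.sort(key=lambda r: (-r.rating, -r.score, r.app, r.lob))
    return results[:top_n]


def find_discrepancies(assessments):
    """Applications that different LOBs rated differently, for the governance group to query."""
    ratings = defaultdict(dict)
    for r in map(assess, assessments):
        ratings[r.app][r.lob] = r.rating
    return {app: by_lob for app, by_lob in ratings.items() if len(set(by_lob.values())) > 1}


# Constructed sample assessments (not data from the bank in the case study).
SAMPLE_ASSESSMENTS = [
    Assessment("Online Banking",   "Retail",  "customer-facing web", frozenset({"authn", "patching", "logging", "backup"}), 5),
    Assessment("Payments Gateway", "Retail",  "customer-facing web", frozenset({"authn"}), 5),
    Assessment("Payments Gateway", "Wealth",  "customer-facing web", frozenset({"authn", "patching"}), 4),
    Assessment("Nightly GL Batch", "Finance", "internal batch",      frozenset({"authn", "backup"}), 4),
    Assessment("Expense Macro",    "Finance", "desktop tool",        frozenset(), 1),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_ASSESSMENTS, 3):
        print(f"{r.app:18} {r.lob:8} rating={r.rating} score={r.score}")
    for app, by_lob in find_discrepancies(SAMPLE_ASSESSMENTS).items():
        print(f"discrepancy: {app} rated {by_lob}")
```

Two points the sample data is built to show: the "Expense Macro" entry has none of its controls in place (likelihood 5) but a business impact of 1, so it lands at rating 2 and stays off the top-N list, which is exactly the separation step four is after; and "Payments Gateway" is assessed by two LOBs with different evidence and impact, so it surfaces in the discrepancy report as a 5 versus a 4, the situation the governance group in the text had to ask about.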
Keys to Better Reporting

I like to think of effective reporting as being like the cockpit of an airplane. You don't want to inundate a pilot with everything that's going on. If the oil pressure is good, you don't have to tell her about it. If the pilot sees a low fuel warning light, she knows right away it's a critical warning. You need to give the pilot the information she needs to see at the time she needs to see it. Every dashboard or report designed and configured has to have a defined purpose.

In this organization, most managers were making decisions on a weekly basis, asking "how am I going to change my program this week to make sure that we're focused on the right things?" There might still be 400 applications with "high" or "very high" risk ratings, but typically the managers want to see a filtered list of only the "top 10" or "top 100" risks. That's what they need to see in a dashboard or report.

This bank uses the concept of "actionable metrics". They're looking for more than just reports and statistics. Within Archer an executive can drill down and see what the action plan should be to remediate the risk, and what the status of that plan is. So for example, a risk manager might have identified a gap and recommended that a system needs anti-malware protection. The action is that the owner has to prove that anti-virus or anti-malware is protecting this application. When the action is complete, the platform can show a change record where this application is now filtering all traffic through that centrally available system. The executive who owns that application can see the remediation action plan and evidence that the control is in place, and therefore that the control gap has been addressed. That kind of drill-down transparency in the process is not possible with spreadsheets, but it's integrated throughout the Archer platform.
STEP FIVE: Measure & improve

Our approach on this project was not to strive for 100% perfection. We worked towards getting 80% correct, and then made small improvements from there. The move from Excel spreadsheets to automated questionnaires is a good example. We didn't try to over-engineer the solution in the beginning, and we resisted the urge to categorize everything into rigid values lists. To start, we categorized four or five attributes in the questionnaire, but for the rest we allowed free-form values. After a few months of using that questionnaire, we analyzed the answers and responses, then worked with the bank to refine the questionnaire for version 2.0. That made the system smarter and more responsive to how users wanted to respond. It was a great evolutionary step, and it resulted in even better reporting.

On the program strategy side, their initial approach was to over-compensate. If there were 400 high-priority applications, they wanted to make sure they had an action plan to remediate all the risks. Now that they've accomplished that first wave over the last couple of years, they have more data to help them understand how to better prioritize their risk remediation. In other words, now they can start to say: we can live with that risk.

Another area they'll tackle soon is performance metrics. So far they've focused on effectiveness first and then efficiency, which is the right order. Throughout the process they have been gathering information to give them a baseline for understanding how the platform can improve efficiency.

Achieving value

Today there are about 100 active users on the platform, but the platform affects tens of thousands of employees who rely on business applications to do their jobs. Five years ago, this bank was making application risk management decisions largely on gut or guesswork, and for the most part within the silos of each LOB.
They had no effective way to cross-link assessments and had inconsistent data. With the RSA Archer platform in place, they are further along the journey to "Risk Intelligence": they have trusted, transparent and aggregated risk data, and the ability to make informed, confident and effective decisions. Ultimately they're in a much better position to react quickly to change, and to move more quickly to take advantage of opportunities that will allow them to grow their business.

Kirk Hogan is the Chief Operating Officer at Iceberg, managing the delivery of Iceberg's GRC Centre of Excellence program. For more information or to request a demo, contact Kirk at khogan@icebergnetworks.com

PREMIUM PARTNER

Iceberg Networks
USA: 67 Bedford St. • Suite 400 West • Burlington, MA • 01803
CANADA: 600-515 Legget Drive • Ottawa, Ontario • K2K 3G4
Toll Free: 855-595-0808 • info@icebergnetworks.com
Twitter: @icebergnetworks • Blog: icebergnetworks.com/blog

About Iceberg
Iceberg is a Value-Added Partner (VAP) for RSA Archer, delivering software and services to help our clients successfully deploy Governance, Risk & Compliance (GRC) technology. Headquartered in Ottawa, Canada and serving all of North America, our team of over 20 certified and practicing RSA Archer experts offers a full lifecycle of consulting and services through our Centre of Excellence. Our mission is to help our clients achieve trusted, aggregated and transparent risk intelligence that enables their business to make more informed business decisions.