GRC: Aligning Policy, Risk and Compliance

Presentation transcript:

GRC: Aligning Policy, Risk and Compliance

- Raquel Miller – RSA Archer Specialist
- Matt Crawley – RSA Archer Engineer
- Jesse Read & Steve Armendariz – RSA Account Manager

RSA Archer eGRC Ecosystem

RSA works closely with Fortune 1000 organizations across multiple industries to understand how they approach GRC. Through our experiences with our clients, RSA has discovered a few common traits:

- Each company approaches GRC differently, although the basic elements of their processes are largely the same
- Businesses need to consolidate, classify and analyze data from multiple sources and use that information to plan, prioritize and execute activities
- Companies need a consistent framework for integrating GRC initiatives
- Every business needs to report on the results of their GRC efforts across their enterprise to help break down the silos that exist today

With these in mind, RSA has developed an eGRC Ecosystem that enables our clients to implement a best-in-class GRC program that can address their needs across all four major domains – IT, Finance, Operations, and Legal. The Ecosystem includes solutions, a common platform, an active user community, and an online exchange.

Gartner’s eGRC Magic Quadrant - 2013

RSA Archer eGRC Suite
Solutions for Enterprise Governance, Risk and Compliance

Global organizations rely on RSA Archer eGRC Solutions to:

- Manage the lifecycle of corporate policies and their exceptions
- Comply with regulations in the most efficient way possible
- Visualize and communicate risk at all levels of the business
- Investigate and resolve cyber and physical incidents
- Centralize business continuity and disaster recovery planning
- Enable risk-based, business-aligned internal audit

RSA Archer provides a software platform that can serve as the foundation for your company’s Governance, Risk and Compliance (GRC) program. By automating processes, our solutions can help you manage policies, identify and analyze risks, and demonstrate compliance. RSA Archer has helped companies like [list companies in similar industry] automate, measure, validate, and report at every step of their GRC initiatives, ultimately reducing costs and increasing transparency enterprise-wide.

Archer was originally founded over 10 years ago and was acquired by EMC in January 2010. We now operate as part of RSA, the Security Division of EMC. EMC is a $17 billion company that employs over 40,000 people in more than 60 countries worldwide. In 2010, EMC invested more than $3 billion in Research & Development.

(OPTIONAL) By the way, do you currently work with EMC, RSA, or VMWare today? If so, what solutions?

RSA Archer eGRC Solutions

- Audit Management – Centrally manage the planning, prioritization, staffing, procedures and reporting of audits to increase collaboration and efficiency.
- Policy Management – Centrally manage policies, map them to objectives and guidelines, and promote awareness to support a culture of corporate governance.
- Business Continuity Management – Automate your approach to business continuity and disaster recovery planning, and enable rapid, effective crisis management in one solution.
- Risk Management – Identify risks to your business, evaluate them through online assessments and metrics, and respond with remediation or acceptance.
- Threat Management & VRM – Track threats through a centralized early warning system to help prevent attacks before they affect your enterprise.
- Compliance Management – Document your control framework, assess design and operational effectiveness, and respond to policy and regulatory compliance issues.
- Vendor Management – Centralize vendor data, manage relationships, assess vendor risk, and ensure compliance with your policies and controls.
- Enterprise Management – Manage relationships and dependencies within your enterprise hierarchy and infrastructure to support GRC initiatives.
- Incident Management & SecOps – Report incidents and ethics violations, manage their escalation, track investigations and analyze resolutions.

RSA delivers nine core enterprise GRC solutions, all built on a common platform. Whether you’re addressing one specific challenge or looking to build a comprehensive program, we typically see clients start with 2 to 3 core solutions and add additional solutions as their program matures.

The solutions we’re going to focus on today include:

- Policy – a comprehensive and consistent process for managing the lifecycle of corporate policies and their exceptions
- Risk – a central management system for identifying risks, evaluating their likelihood and impact, relating them to mitigating controls and tracking their resolution
- Compliance – a centralized, access-controlled environment for automating enterprise compliance processes, assessing deficiencies and managing remediation efforts
- Enterprise – a central repository of information on your business hierarchy and operational infrastructure
- Incident – centralizes and streamlines the complete case management lifecycle for cyber and physical incidents and ethics violations
- Vendor – enables you to automate and streamline the ongoing oversight of vendor relationships
- Threat – a consolidated repository of threat data, clear reporting of activities related to threat remediation, and a consistent and repeatable threat management process
- Business Continuity – a centralized, automated approach to business continuity and disaster recovery planning, allowing you to respond swiftly in crisis situations to protect your ongoing operations
- Audit – puts you in control of the complete audit lifecycle, enabling improved governance of ongoing audit-related activities, data and processes

Looking at this solution “wheel”, are there any other solutions you’d like to learn more about or see if we have time to cover during our demonstration today?

RSA Archer eGRC Platform

- User Experience – Brand the interface with your corporate colors, graphics, icons and text to facilitate end-user adoption.
- Application Builder – Build and tailor on-demand applications and package them into solutions to solve business problems.
- Integration – Seamlessly integrate cross-departmental and enterprise data systems with the Archer SmartSuite Framework.
- Reports and Dashboards – Gain a real-time view of your enterprise through actionable reports and graphical dashboards.
- Notifications – Automatically notify users via email when content changes, tasks enter their queue or deadlines approach.
- Access Control – Enforce access controls at the system, application, record and field level to ensure a streamlined user experience.
- Business Workflow – Define and automate business processes to streamline the management of content, tasks, statuses and approvals.

As I mentioned, all 9 of these solutions are built on the same eGRC Platform. This flexible platform approach provides you with the following capabilities:

- Application Builder – a drag-and-drop, point-and-click, wizard-based interface that allows an Administrator to make changes without any coding required
- Reports and Dashboards – each report you will see in the demonstration will reflect a real-time view, with the ability to create dashboards based on a user’s group or role
- Access Control – ability to control information access at the system, application, record and field level
- Business Workflow – the ability to automatically assign tasks based on user-defined data conditions and route content to defined reviewers and approvers
- Notifications – allows you to automatically notify users via email based on defined rules or trigger events
- Integration – a vendor-neutral, content-independent platform to consolidate the integration of data from other sources without the need for additional software or coding
- User Experience – ability to brand the application with your corporate look and feel to help with end-user adoption

As I give control over to our Sales Engineer [list name], I have shared the following information with [list name] to ensure our demonstration is most relevant to you: [List Minimum Required Capabilities]. Is there anything else we need to add?

Enterprise Management

Overview
- Model your organizational hierarchy for governance, risk and compliance reporting purposes.
- Create an aggregate view of infrastructure technologies.
- Relate business processes to your products and services.
- Identify applications that support your critical business processes.
- Manage the devices and facilities that support your applications.
- Classify enterprise assets, define their criticality and assign ownership.
- Quickly generate real-time reports and graphical dashboards.

Benefits
- Understand what you own, its value and its interdependencies to protect your most valuable assets.
- Assign accountability at all levels of your enterprise hierarchy and infrastructure, allowing simple distribution of risk and compliance assessments and tasks.

Manage relationships and dependencies within your enterprise hierarchy and infrastructure to support GRC initiatives.

Document Your Business Hierarchy
Model out your organizational hierarchy to enable governance, risk and compliance reporting at every level of your business. Capture information on organizational responsibilities and management, current year financials, and related business processes and technologies.

Centralize Your Infrastructure Database
Gain an aggregate view of infrastructure technologies and their relationships to your organizational hierarchy and business offerings. You can enter information through RSA’s web-based interface or automatically import data from third-party discovery and inventory solutions using the Data Feed Manager.

Track Information Assets
Manage a repository of information assets, and perform online assessments to determine classification ratings and required retention periods. Also link information assets to the business processes they support, the applications where they are managed and the facilities where they are housed.

Classify, Prioritize and Establish Ownership
Classify your business offerings and technologies by type or grouping, understand relationships and dependencies, and assign ownership to establish a clear line of authority for maintenance, control and security. Because the solution is built on the flexible RSA Archer eGRC Platform, you can tailor the solution structure to collect an unlimited number of data points that are important to your organization.

Quickly Generate Real-Time Reports
Utilize RSA’s powerful reporting capabilities to monitor GRC initiatives at the company, division and business-unit levels and to track supporting technologies and information assets by type, owner and other attributes. Also deliver information through graphical dashboards, providing users with a complete understanding of the technologies, information and processes that support your business offerings.

Support Governance, Risk and Compliance Initiatives
Implement RSA Archer Enterprise Management as the hub of your enterprise governance, risk and compliance program. The solution integrates seamlessly with all other RSA Archer solutions, allowing you to link policies, control standards and configuration procedures directly to technologies, to identify assets as the “target” of online risk and compliance assessments, to track threats and security incidents that affect specific technologies, and more.

RSA Archer Enterprise Management Dashboard

Business Continuity Management

Overview
- Centralize business continuity and disaster recovery plans, business impact analyses and recovery tasks.
- Prioritize business processes based on the impact to your business in the event of process disruption or failure.
- Test plans to identify process gaps and determine the time it will take to restore processes and infrastructure.
- Track crisis events in real time.
- Implement rapid response plans, contacting emergency responders through phased notification plans.
- Report on plan testing, gap analyses and remediation efforts using real-time reports and graphical dashboards.

Benefits
- Automate and streamline your plan creation, review, testing and activation.
- Reduce effort and expense through a “create once, use many times” approach.

Automate your approach to business continuity and disaster recovery planning, and enable rapid, effective crisis management in one solution.

Centrally Manage Your Business Continuity Program
Consolidate business continuity and disaster recovery plans, business processes, impact analyses and recovery procedures to allow efficient governance of your business continuity program. Also ensure the consistency of plan documentation across your organization using fully configurable web-based forms, and improve your plans over time through periodic reviews triggered by date-driven notifications.

Perform Business Impact and Environmental Risk Analyses
Measure the value of business processes, and prioritize them based on impacts to your revenue, brand image, stakeholder confidence and customer loyalty in the event of process disruption or failure. Also assess the probability of environmental threats against your IT infrastructure. Because a single business impact or environmental risk assessment may apply to multiple plans, RSA allows you to complete an analysis once and link it to any number of plans to reduce duplication of effort.

Test Your Plans and Facilitate Periodic Reviews
Test your business continuity and disaster recovery plans to identify process gaps, determine the time it will take to restore your business processes and infrastructure, and ensure that all dependencies have been captured. With RSA, you can estimate completion time at the recovery task or procedure level and roll those estimates up to the overall plan to determine the duration for testing and plan execution. RSA’s solutions also allow you to track testing gaps and remediation efforts through integrated task management capabilities.

Track Crisis Events in Real Time
Report crisis situations that occur anywhere you do business, including natural disasters, workplace violence, product tampering, terrorist attacks, etc. RSA’s web-based solution allows you to quickly capture the details of a crisis, including the time of occurrence, event location, type and severity. To automate the collection of crisis data, you can also integrate the solution with a call center or notification service using the Data Feed Manager.

Rapidly Implement Response Plans
In the event that a crisis occurs, enable rapid contact with emergency responders through phased notification plans designed for specific business units, departments or facilities. RSA’s on-demand platform allows efficient access to business continuity and disaster recovery plans no matter where you or your stakeholders reside.

Report on Your Business Continuity Program
Gain an enterprise view of your business continuity program through RSA’s flexible reporting capabilities. Report in real time on plan testing, gap analyses and remediation efforts, and gain a real-time view of current and historical crises, supporting event analysis and program enhancement. For senior managers who require a rollup view of your program, you can also deliver graphical dashboards, enabling them to drill down for more details.

RSA Archer Business Continuity Management Dashboard

Business Outcomes

Business Impacts and Solution Outcomes

Efficiency
  Business impact: Compliance initiatives are tackled as individual projects
  Solution outcome: Ask once, Answer Many – reduction or elimination of redundant assessments

Automation
  Business impact: Compliance reporting is stored in spreadsheets and represents one point in time
  Solution outcome: Isolated data is transformed into sustainable processes

Accountability
  Business impact: Policy exceptions go untracked and pose risk to the business
  Solution outcome: Transparency and accountability – knowing the status of exceptions and unresolved issues

Collaboration
  Business impact: Compliance data scattered across multiple silos
  Solution outcome: Partnerships and consistency across business silos

Visibility
  Business impact: Managers struggle to prioritize threats by their potential impact to the business
  Solution outcome: Threats are identified and remediation actions are easily prioritized and tracked

By implementing RSA Archer eGRC Solutions, our customers have told us that they experience:

Efficiency: [Initial quote] Organizations are tackling a specific compliance initiative, such as PCI or Privacy Mandates, as one-off projects… [Click] …rather than asking the question once of your business and IT teams and reusing that information across several compliance initiatives. By asking once and answering to many regulations, you can reduce the time it takes to show compliance and reduce the number of assessments sent to the business and IT teams.

Automation: [Click] Compliance data is often stored in several spreadsheets that only represent this data at one specific point in time. The data is instantly out of date. [Click] Using automated tools like RSA Archer, you can pull this isolated data into one system of record, transforming one-off processes into a sustainable, consistent process that is used by all within the organization.

Accountability: [Click] Many organizations lose track of exceptions to policies that they have granted to specific areas of the organization. Untracked, these exceptions often result in risks to the business. [Click] Managing the exception process, including status and expirations, improves the overall transparency and accountability of the process within the organization.

Partnerships: [Click] Multiple business units track compliance data across the organization. [Click] Collaboration across these silos enables you to consolidate this critical data to provide better insight into threats and risk across the entire organization.

Visibility: [Click] One of the most difficult challenges managers face is prioritizing the growing number of threats they must address based on their impact to the business. [Click] With an eGRC solution, organizations can assess the impact a particular threat has on your operational infrastructure and business hierarchy and easily track the resolution.

Transition: Our customers have come to rely on RSA Archer eGRC Solutions to answer questions through an extensive repository of what’s important to them. It helps put risks, threats, incidents and compliance deficiencies into business context so they can prioritize their response and focus on what’s most significant to the organization.

See More. Act Faster. Spend Less.