Brinqa Announces Strategic Integrations
Continuing the Focus on the Cloud and Analytics
Brinqa, a worldwide leader in governance, risk management, and compliance solutions, has announced that its upcoming GRC Suite 4.0 will be integrated with IBM’s zEnterprise 196 next gen core mainframe platform.
The zEnterprise mainframe was developed by IBM not only to speed processing and allow cloud support, but also to easily integrate various software packages such as Brinqa’s GRC Suite.
Brinqa offers its GRC package as a fully integrated system at the time of installation, ensuring smooth operations and ease of use. Brinqa’s integration brings Risk Manager’s advanced analytics and metrics reporting together with System z’s high availability and fast output.
We are addressing the changing economics of IT: more devices, more workloads and more data, while IT budgets face continued pressure. Brinqa took the opportunity to integrate early after seeing increased demand for workload optimization, with big data and analytics a high priority for our customers.
Additionally, Brinqa has added an integration point with iSIGHT Partners, a worldwide leader in risk mitigation. iSIGHT’s strength is in helping customers manage human, electronic and physical threats, so its integration with Brinqa’s next generation GRC Platform creates a powerhouse for insight into measurable threat intelligence.
Finally, Brinqa has added an integration with WhiteHat Sentinel. WhiteHat offers continuous vulnerability assessment and management services for websites. Together with Brinqa’s Risk Manager, this brings timely, comprehensive and verified vulnerabilities together for a unified view of threats and a stronger continuous risk management solution.
Automated, streamlined, scalable, and easy to understand, Brinqa’s GRC suite of services is a perfect fit for our joint customers who struggle to make sense of the hoards of data they consume daily. “Our customers consistently tell us they have problems measuring their threats as well as how complex it is to make those findings actionable,” said Amad Fida, Brinqa’s CEO.
The goal of any of our joint solutions is to help our customers understand their security risk while affording them the opportunity to leverage their complex multi-vendor environments. As a result, we have a comprehensive security data management platform that scales to the big data requirements of large enterprises. Brinqa combines powerful data analysis to derive security intelligence and meets the need for versatility and the assurance of accuracy.
For more information on Brinqa, contact us directly at sales@brinqa.com or visit us at www.brinqa.com
Building A Solid Foundation for Measurable Security Risk
A Case Study in Aggregation, Measurement and Remediation
Customer Profile
This customer is a Fortune 500 technology company and leader in its market, focused on selling products and services to consumers, small and mid-sized businesses, education, enterprises and government agencies.
Business Drivers
The Company needs full lifecycle application security as well as supplier security. Some of the building blocks have been put in place over the years and can be leveraged in the overall solution. However, the focus will be to design and build an end-to-end solution that ensures the functions exist for easily identifying, measuring, monitoring and controlling risks as they relate to applications and suppliers.
The comprehensive Brinqa GRC solution will establish:
- Aggregation of information from various sources
- Application risk assessments and risk reporting
- Full lifecycle of issues and remediation
- Vendor assessments and risk reporting
The Solution
The Brinqa GRC Platform, together with Brinqa’s Risk Manager and Vendor Risk Manager, provides the complete solution and establishes the foundation for going from this initial corporate initiative to taking small steps toward enterprise-wide risk and compliance. The first order of business is to get a process established for identifying and managing application and vendor security. To accomplish this, we start with the basics of data aggregation. The Brinqa GRC Connector Framework is used to directly connect to the company’s critical applications, including vulnerability management and event management applications. Automated collection reduces human effort as well as human error. Next we look at two primary requirements in solving this company’s problem: Risk and Assessment Models.
Risk Modeling and Prioritization — The risk model is at the core of Brinqa’s Risk Manager. The risk model provides advanced quantitative risk scoring, statistical risk models and scenario testing. Quantitative risk score calculations factor in all relevant parameters such as weights, tolerances, thresholds, aggregations and data normalizations in establishing an accurate representation of risk across applications.
Assessment Model — The Brinqa Assessment Model provides the ability to categorize vendors by, for example, building a risk profile. A standard assessment would be established using the assessment model, defining a specific set of questions that ultimately would establish a risk score associated with that vendor thereby identifying the level of risk that vendor presents to the company.
In addition, all issues arising from a completed assessment or an identified risk would be tracked and remediated, either manually or automatically where applicable.
The following diagram describes an example of the full life cycle of an issue.

Benefits
The ability to put the GRC Platform in place established the foundation for building the customer’s security processes and provided the building blocks to manage critical business processes. Once applications and vendors are set on a risk management life cycle, reporting and managing issues become a daily exercise of informed decision making.
Key benefits of the customer’s solution include:
GRC Platform based architecture — A robust platform that ensures common management services and guarantees that GRC initiatives reduce the redundancy associated with various silos and are consistent across the enterprise.
Automated Risk & Control Assessments — Automated risk and controls assessment using the customizable Connector Framework.
GRC Warehouse — A robust and comprehensive warehouse with the ability to maintain history, trend data and forecasts.
Key Metrics Monitoring — Brinqa provides the ability to continuously monitor key metrics and delivers robust dashboards and reports with actionable information for executive management.
About Brinqa
Brinqa provides enterprises and government agencies with governance, risk management, and compliance solutions that enable the continuous improvement of operational and regulatory efficiencies. Brinqa’s offering is the most comprehensive available on the market today, based on our forward-thinking vision of a centralized, fully automated, and re-usable governance, risk and compliance (GRC) platform combined with targeted applications to meet program specific GRC needs. Brinqa streamlines compliance through automation, monitoring of controls, measurement of key metrics and visibility through executive dashboards and reporting.
For more information please contact us via email at sales@brinqa.com or visit us at www.brinqa.com.
Simplifying Security and Risk
Brinqa: Security and Risk Simplified
Growing fast and deploying even faster is what Brinqa was all about this year!
Simplifying security and risk was the biggest challenge for large organizations and we stepped up to deliver.
Brinqa continues to gain the attention of many who are seeking an easy way to solve a difficult problem. More and more customers are demanding the ease of use of their mobile applications combined with the complexity of their diverse enterprise environments. We have been relentless in our pursuit of making it simple and easy to manage and aggregate data to bring your information to you wherever you are.
Our partnerships with vendors such as Rapid7, Qualys and McAfee have allowed for the integration of our GRC Platform, enabling customers to aggregate their data into a single, intuitive, user-friendly dashboard view of risk. The combination of vulnerability manager asset discovery data with Brinqa’s asset life-cycle management and asset classification provides the comprehensive GRC solution so many enterprises are looking for. This is a combined effort that aggregates data for simplified viewing and reporting.
Tolerance for complex enterprise applications has gone by the wayside and we made room for “simple and easy” in the world of “complex and difficult”. Our focus for 2012 continues to be improved ease of use, expanding our reach with cloud solutions, compatibility with mobile devices, all with a focus on risk analytics and intelligence and we will continue to bring value to our customers by finding ways to work together to solve big problems.
Simplifying Security and Risk in 2012.
Amad Fida
Chief Executive Officer, Brinqa
Proactive Vendor Risk Management
In today’s tough economic conditions, organizations are forced to reduce costs and improve operational efficiencies while delivering better products and services to stay ahead of their competition. Technology outsourcing (TSO), business process outsourcing (BPO), and cloud-based offerings are some of the strategies that companies are adopting. This means organizations are becoming more and more reliant on third-party service providers and services. While they meet business requirements, third-party service providers increase the organization’s exposure to various risks. These risks range from the financial impact of a disruption in a service provided by a vendor to the brand impact of dealing with a vendor with a bad reputation, among many others. Because of this greater risk exposure, determining a vendor’s risk posture needs to be an integral part of an organization’s risk management strategy.
Building a comprehensive and proactive vendor risk management program became a top priority for one of Brinqa’s financial services clients. The existing vendor management program was fragmented and manual, leading to inefficiencies and rising costs as new vendors and services were added. A single automated vendor on-boarding process was also required. Finally, tracking, auditing, and reporting of vendor risk posture were non-existent, and there was no normalized process for reporting risk back to the various stakeholders. This financial institution managed 1800 top-tier vendors whose risk posture was reported only at the vendor level. This made root cause analysis difficult and did not provide a complete picture to the stakeholders. A more granular view of risk at the vendor service / contract level was required. All assessment work was done using spreadsheets that were distributed and tracked by email.
The Solution
Brinqa provides a robust vendor risk management application that gives an organization the capability to automate and streamline the vendor risk management process. At the financial institution, Brinqa’s Vendor Risk Manager was implemented to address the challenges mentioned above. The diagram shown below highlights the implementation of the Vendor Risk Manager solution.

Brinqa Vendor Risk Management
- Automated solution to capture vendor assessments – Brinqa provides a centralized repository and a vendor on-boarding workflow, capturing the vendor profile, the services provided by vendors, assessments and evidence. Out-of-the-box integration with various contract management systems helps capture and centralize this information quickly and efficiently. Next, configurable baseline assessments were used to categorize vendors (Level 1, Level 2 etc.), and a risk assessment based on standards and best practices was configured and implemented. Brinqa also provides centralized management of risk assessments, including scheduling and tracking, with the capability to create configurable workflows for each assessment cycle. Centralized issue tracking and action plan management allow for the detection and management of the various issues resulting from the assessments and the resulting action and remediation plans.
- Multiple dimensions used to capture the vendor profile – The traditional process has been to use the various assessments to capture a vendor’s overall risk profile. This process is laborious, subjective and does not allow third-party validation of vendor information.
Brinqa’s data integration layer and connectors can be used to integrate with third-party reference agencies such as Dun & Bradstreet and LexisNexis. Integration with change detection systems such as Google Alerts is available to capture breaches and alert management in near real time.
- Centralized solution – Brinqa provides a central cloud offering of the vendor risk management application that is accessible to both the organization and its vendors. Role-based security within the application ensures that vendors get a restricted view of only their own assessments and progress, while executives and risk managers are provided with more detail around assessment cycles and dashboards to view repeat offenders, high risks impacting the organization, trending to view the history of performance, and forecasting to analyze program improvements.
In addition, Brinqa supports a complete vendor on-boarding process with configurable workflows that can be used to communicate organization policies and on-boarding documents to the vendors.
- Report on vendor risk posture – Brinqa provides a risk engine that uses quantitative risk scoring and statistical risk modeling to present the vendor risk posture in a normalized scheme back to the business and the various executives. Brinqa also analyzes risk at the service/contract level, which helps executives pinpoint the exact problem area. In addition to these reports, Brinqa provides a maturity model influenced by BITS and by data captured from various industry benchmarks. The maturity model helps organizations measure their process against those industry benchmarks.
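The assessment model described in the bullets above (baseline questionnaire to tier a vendor, weighted risk assessment producing a normalized score per service/contract, issues raised for failed controls, and a role-based view that shows a vendor only its own results) as a worked example. This is added illustration code, not Brinqa’s Vendor Risk Manager or its questionnaire content; the questions, weights, tier threshold, vendor names and answers are all constructed assumptions.

```python
"""Vendor assessment model, constructed for illustration: a baseline
questionnaire places each vendor service in a tier, a weighted risk
assessment yields a normalized 0-100 score per service/contract, failed
controls become tracked issues, and a role-based view restricts what a
vendor user can see. Not Brinqa's content; all values are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Question:
    id: str
    text: str
    weight: float   # contribution to the score when the control is not met
    expected: str   # the answer that satisfies the control


# Assumed baseline (profiling) questions: "yes" answers raise exposure.
BASELINE = [
    Question("B1", "Does the service process customer personal data?", 3.0, "no"),
    Question("B2", "Does the vendor have network access to our environment?", 2.0, "no"),
    Question("B3", "Is the service business-critical?", 2.0, "no"),
]

# Assumed risk assessment questions in the style of common control standards.
RISK_ASSESSMENT = [
    Question("R1", "Is multi-factor authentication enforced for administrative access?", 3.0, "yes"),
    Question("R2", "Is customer data encrypted at rest?", 2.0, "yes"),
    Question("R3", "Was an independent penetration test performed in the last 12 months?", 2.0, "yes"),
    Question("R4", "Is there a tested incident response plan?", 1.0, "yes"),
]


@dataclass
class Issue:
    vendor: str
    service: str
    question_id: str
    description: str


def tier(baseline_answers: Dict[str, str]) -> str:
    """Level 1 (full assessment cycle) when exposure weight reaches 3, else Level 2."""
    exposure = sum(q.weight for q in BASELINE if baseline_answers.get(q.id) != q.expected)
    return "Level 1" if exposure >= 3.0 else "Level 2"


def service_score(answers: Dict[str, str]) -> float:
    """Normalized score: 0 when every control is met, 100 when every weighted control fails."""
    total = sum(q.weight for q in RISK_ASSESSMENT)
    failed = sum(q.weight for q in RISK_ASSESSMENT if answers.get(q.id) != q.expected)
    return round(100.0 * failed / total, 1)


def assess(vendor: str, services: Dict[str, Dict[str, Dict[str, str]]]) -> dict:
    """services maps service/contract name -> {"baseline": answers, "risk": answers}."""
    report = {"vendor": vendor, "services": {}, "issues": []}
    for name, answers in services.items():
        report["services"][name] = {
            "tier": tier(answers["baseline"]),
            "score": service_score(answers["risk"]),
        }
        for q in RISK_ASSESSMENT:
            if answers["risk"].get(q.id) != q.expected:
                report["issues"].append(Issue(vendor, name, q.id, q.text))
    # Vendor-level posture is the worst service, so one bad contract is not averaged away.
    scores = [s["score"] for s in report["services"].values()]
    report["vendor_score"] = max(scores) if scores else 0.0
    return report


def visible_to(reports: List[dict], role: str, vendor: Optional[str] = None) -> List[dict]:
    """Role-based view: vendor users see only their own report; risk managers see all."""
    if role == "risk_manager":
        return reports
    if role == "vendor":
        return [r for r in reports if r["vendor"] == vendor]
    return []


# Constructed sample answers for two fictitious vendors.
SAMPLE_VENDORS = {
    "Acme Payroll": {
        "payroll-processing": {
            "baseline": {"B1": "yes", "B2": "yes", "B3": "yes"},
            "risk": {"R1": "yes", "R2": "yes", "R3": "no", "R4": "no"},
        },
        "office-supplies-portal": {
            "baseline": {"B1": "no", "B2": "no", "B3": "no"},
            "risk": {"R1": "yes", "R2": "no", "R3": "yes", "R4": "yes"},
        },
    },
    "Beta Hosting": {
        "web-hosting": {
            "baseline": {"B1": "no", "B2": "yes", "B3": "yes"},
            "risk": {"R1": "yes", "R2": "yes", "R3": "yes", "R4": "yes"},
        },
    },
}


def run_sample() -> List[dict]:
    return [assess(v, s) for v, s in SAMPLE_VENDORS.items()]


if __name__ == "__main__":
    for r in run_sample():
        print(r["vendor"], r["vendor_score"], r["services"], len(r["issues"]), "issues")
```

Scoring per service rather than per vendor is what lets the report point at the specific contract that carries the risk; rolling up by taking the worst service (rather than an average) keeps one weak contract from being masked by several clean ones.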
Benefits
By implementing the Brinqa Vendor Risk Manager application, an organization can see increased efficiency and transparency in its vendor risk programs. A centrally hosted vendor risk solution lowers the overall operating cost for the organization and provides an easier mechanism for data exchange.
For more information on Brinqa Vendor Risk Manager please visit our website, or request a demo.
Promoting Wellness at the Sacred Heart Community Clinic

Sacred Heart Clinic
It’s Saturday morning in Round Rock, Texas, just outside of Austin, and the caring has begun for yet another day because the Sacred Heart Community Clinic has opened its doors.
The brainchild of Liz Burton-Garcia, the clinic opened its doors in May and already has a patient list of more than 350 local residents. Burton-Garcia, a veteran of the Medical Mission of the Austin Diocese of the Roman Catholic Church, decided to open the clinic last year. After making a number of annual week-long medical outreach trips to Central and South America, she felt she was called to help “the people in our own backyard.” (By the way, she still heads off with the Mission and will be in Peru in September.)
The community support was instant and almost overwhelming, with Will Droste playing a key role in the success of the clinic. Will is a good friend of both Brinqa and the clinic and provided Brinqa with an opportunity to help the Clinic and donate toward their cause.
“I am pleased that with Will’s help we have been able to develop our relationship with the clinic and I look forward to their continued success,” said Brinqa President Hilda Perez. “We’re committed to the clinic and its amazing efforts.”
Through the generosity of Brinqa’s support and other benefactors, Burton-Garcia raised more than $300,000 in just a few months to buy the clinic building (on the Saint William’s Church campus) and has secured on-going funding sources to cover clinic expenses.
Since they have no debt and no paid staff, all of the money donated to the clinic goes directly into patient services, Burton-Garcia said.
“The community support has been extraordinary,” Burton-Garcia said. “People and companies and organizations donate money, doctors and nurses and staffers donate their time, and God puts all the rest of it together.”
The clinic opened in May of this year and has seen nearly 1,000 people so far. Burton-Garcia hopes to expand her provider volunteer base to take some of the stress off the volunteer doctors and nurses and possibly expand the clinic’s hours of operation.
The clinic is a registered 501(c)(3) non-profit and is dedicated to helping the residents of Williamson County who live in and around the Round Rock area. For more information on the clinic and to donate, please go to www.sacredheartclinic.org.
Brinqa Adds McAfee to Stable of Partners
Internal risk. External risk. Regulatory risk – when it comes to ensuring secure and compliant enterprise systems and processes, there are risks around every corner.
That is why Brinqa has teamed up with McAfee, the world’s largest dedicated technology security firm, and joined the Security Innovation Alliance (SIA).
“Becoming a member of the SIA signifies Brinqa’s commitment to providing our customers a seamless risk management environment that leverages existing investments in McAfee solutions,” said Amad Fida, Brinqa’s CEO. “Consolidating data-sources within a central risk management platform will deliver a thorough, global, and accurate view of application risk, enabling fully-informed decision making processes across the enterprise.”
Brinqa’s centralized, fully automated, and re-usable GRC Platform combined with Brinqa Risk Manager provides the most comprehensive risk management solution available on the market today and can be customer tailored to fit the needs of any enterprise. The system allows management teams to assess the maturity of their current programs, define and improve internal processes, measure ROI and risk reduction and review metrics and trends in real-time.
The addition of McAfee security information and vulnerability management data into the platform will expand the already quite comprehensive “risk view” available to IT professionals and management teams.
“Our partnership with McAfee will mean our current and future customers will extend our already top-rated risk management capabilities,” Fida said. “We’re really pleased to be offering these new capabilities.”
The McAfee SIA is the foundation of a technology ecosystem designed to assemble leading security innovators. Program requirements were driven by customers’ need to have greater interoperability between security solutions and the innovative solutions that address emergent threats such as application risk.
“We’re pleased to add Brinqa to the McAfee SIA,” said Ed Barry, McAfee’s senior SIA director. “Our customers face growing challenges to secure their network and maintain compliance and are looking to integrate Brinqa with their McAfee solutions.”
For more information on the McAfee SIA and McAfee Vulnerability Manager please visit: http://www.mcafee.com/sia.
Listening to our customers to build a better Brinqa
Talking and listening – people and businesses need to do both – and do them well – every day.

Huzefa Olia, Director & Kevin Gallagher, VP
In the past few months, Brinqa has been hard at work on both. Besides constantly improving its own products and processes and forging new alliances with new business partners, the Brinqa team has been hitting the road to listen to what customers need and to tell them about what the firm has to offer.
At the Spring ISACA conference in Los Angeles, Brinqa CEO Amad Fida chatted about “Cutting the Cost of Compliance with Controls Automation and Monitoring,” a topic that hit home with the hundreds of attendees.
“One of the most consistent topics of discussion was the need for companies to have the ability to aggregate and report on risk data,” said Kevin Gallagher, Brinqa’s VP of Sales. “This is obviously a very strong need in the marketplace right now and plays exactly to one of Brinqa’s greatest strengths.”
The team then headed to Miami for the FS-ISAC & BITS Annual Summit, where financial services industry issues came to the fore. Brinqa, already a leader in GRC services in this segment, was able to explain how its platform and systems can simplify and automate the mostly manual GRC processes still in place at many banks and institutions.
An interesting aspect of the Miami event was how the definition of exactly what GRC is varies greatly from person to person and industry to industry. “You can ask 50 people what GRC is and you can get nearly 50 answers,” Kevin Gallagher said. “The great thing is that while people had different definitions, they all had a need and desire for GRC programs. This was great news for us, as our platform and five targeted applications help jump-start these programs, and are customizable to fit practically any definition of GRC anyone may have.”
Finally, just a couple of weeks ago, the Brinqa Advisory Board held its annual meeting. The Board brings together Brinqa executives with expert customers, folks that Brinqa can depend upon for intelligent honest feedback about the industry and the company. A number of different industries were represented, from banking to retail to insurance. The agenda included discussions centering on compliance, controls automation, risk metrics, and general vulnerabilities.
“It was a truly positive meeting and we received some really useful feedback while being able to tell some of our most valued partners about new and upcoming developments in the industry and at Brinqa,” said Brinqa president Hilda Perez.

Paul de Graaff, Sr. Vice President and Global Information Security Officer, AIG; John O'Donnel, GTO/COO IT Governance & Control, Deutsche Bank; Kevin Gallagher, VP Sales, Brinqa; Bob Gleason, Director of Sales, Brinqa; Amad Fida, CEO, Brinqa; Gary Eppinger, CISO and Vice President, Retail Market Development, Legal and Pharmacy Systems, SuperValu; Hilda Perez, President, Brinqa; Louis Rosenthal, Principal, Rosenthal Advisors, LLC
Now that’s a picture of talking and listening, the Brinqa way.
Governance, Risk, and Compliance in the Public Sphere
How to Help Prevent Government Corruption
Insider loans. Phantom contracts. Millions in tax dollars gone.
The small city of Bell, California has been at the center of one of the most notorious local government corruption cases in years, corruption that may have been impossible to hide or even carry out if the City had a proper GRC system.
According to media reports and courtroom testimony, in the course of seven years, former Bell City Manager Robert Rizzo increased his salary tenfold and loaned hundreds of thousands of dollars of City money to council members, friends and co-workers, all the while keeping few if any notes, let alone proper documentation. In his time there Rizzo got a $70 million parks improvement bond passed and proceeded to siphon off more than $23 million to cover other expenses. All of this was done in a city of less than 40,000 people and less than half the acreage of nearby Los Angeles International Airport.
For nearly a decade, the pay and benefits of the top 10 employees of the city gobbled up half of the entire city budget, illegal fines were levied on residents, contracts were simply made up, the public was denied access to information, but all the while the city continued to receive clean bills of health from its auditing firm.
Obviously, controlling illegal behavior is difficult; no matter what system is in place clever crooks will try to find a way around it to their own benefit. But by having no controls in place at all (the city didn’t even have a policies and procedures manual and the city council didn’t care because they were in on the deal), Bell became ripe for the picking. Rizzo and his cohorts even bragged about the situation amongst themselves, declaring that they would all “get fat” working in Bell.
So how could this situation have been prevented? First and foremost, if the city had proper GRC systems in place it would have simply been impossible for Rizzo and his cronies to do what they did. A system such as Brinqa’s would have automatically thrown up so many red flags, notices, and alerts that the information about the corruption simply could not have stayed hidden for long. As the various criminal cases wind their way through the courts, employee after employee has testified to the effect that they thought everything was legal because their boss said it was okay. GRC software would have made that statement impossible to make.
Using the Brinqa GRC Platform to document city policies would have ensured the effective communication of those policies to all relevant levels within Bell, eliminating the opportunity for employees to deny culpability. Connecting the processes and controls (e.g. approval processes for raises and segregation of duties) that affect adherence to the city’s policies through the Brinqa GRC Platform would have prevented, or at least red-flagged and documented, violations. Lastly, the centralized auditing and tracking of issues, reporting, and dashboards provided by the Brinqa GRC Platform would have forced accountability through regular internal certifications and provided a clear picture to Bell’s auditing firm of where city employees were illegally circumventing policy.
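What an automated control over approval processes and segregation of duties looks like in practice, as an added example (not Brinqa’s platform code and not data from the Bell case): each compensation or loan change is tested against a policy table, and any violation becomes a documented flag for the auditor. The roles, limits, names and records are constructed assumptions.

```python
"""Segregation-of-duties and approval-control check, constructed for
illustration: every change request is tested against an assumed policy
table and violations are recorded for audit. Not a real municipality's
data or Brinqa's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed approval policy: which role may approve each action, and the amount
# above which a second, independent approval from the same role is required.
APPROVER_ROLES: Dict[str, Set[str]] = {
    "council": {"alice", "bob"},
    "finance": {"carol", "grace"},
}
POLICY = {
    "salary_change": {"approvers": "council", "second_approval_above": 10_000.0},
    "loan": {"approvers": "finance", "second_approval_above": 5_000.0},
}


@dataclass
class ChangeRequest:
    id: str
    action: str                # key into POLICY
    requester: str             # who raised the request
    beneficiary: str           # who receives the money
    approver: str              # who signed it off
    amount: float
    evidence_ref: str = ""     # document id; empty when nothing was filed
    second_approver: str = ""  # empty when no second signature exists


def check(req: ChangeRequest) -> List[str]:
    """Return the control violations for one request (empty list = clean)."""
    flags: List[str] = []
    rule = POLICY[req.action]
    allowed = APPROVER_ROLES[rule["approvers"]]
    if req.approver == req.beneficiary:
        flags.append("self-approval")
    if req.approver == req.requester:
        flags.append("requester approved own request")
    if req.approver not in allowed:
        flags.append(f"approver not authorised for {req.action}")
    if not req.evidence_ref:
        flags.append("no supporting documentation")
    if req.amount > rule["second_approval_above"]:
        # The second signature must exist, come from an authorised approver,
        # and belong to someone not already a party to the request.
        parties = {req.approver, req.beneficiary, req.requester}
        if (not req.second_approver
                or req.second_approver in parties
                or req.second_approver not in allowed):
            flags.append("second approval missing or not independent")
    return flags


def audit(requests: List[ChangeRequest]) -> Dict[str, List[str]]:
    """Map request id -> violations, keeping only requests that raised a flag."""
    result: Dict[str, List[str]] = {}
    for req in requests:
        flags = check(req)
        if flags:
            result[req.id] = flags
    return result


# Constructed sample records: one clean, one blatant, one subtle.
SAMPLE_REQUESTS = [
    ChangeRequest("CR-1", "salary_change", "dave", "erin", "alice", 4_000.0, "DOC-17"),
    ChangeRequest("CR-2", "salary_change", "frank", "frank", "frank", 50_000.0),
    ChangeRequest("CR-3", "loan", "carol", "bob", "carol", 8_000.0, "DOC-22",
                  second_approver="bob"),
]

if __name__ == "__main__":
    for rid, flags in audit(SAMPLE_REQUESTS).items():
        print(rid, "->", "; ".join(flags))
```

CR-3 is the case worth noticing: the approver is authorised and documentation exists, yet the request is still flagged because the approver raised it herself and the "second" signature belongs to the beneficiary. Checks of this kind only work when the request, beneficiary and approver identities are captured as data rather than left to a signature on paper.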
One often thinks of GRC solutions in the context of private industry, of having to comply, in part, with government regulations and edicts. But as the sad situation in Bell points out, even government agencies can benefit from better governance procedures.
2011 Brinqa Advisory Board Off-site
The Brinqa Advisory Board held its annual meeting on May 19, 2011. The agenda included in-depth discussions on relevant pain points centered around compliance, controls automation, risk metrics, reporting and general vulnerabilities in financial services. The primary goal of the Board is to share their collective experiences and validate current challenges in the industry they each represent. In attendance were John O’Donnell, GTO/COO IT Governance & Control, Deutsche Bank; Gary Eppinger, CISO and Vice President, Retail Market Development, Legal and Pharmacy Systems, SuperValu; Paul De Graaff, Global Information Security Officer, SVP AIG IT Security & Risk, AIG; Louis Rosenthal, Principal, Rosenthal Advisors, LLC; and the Brinqa Executive Team including Amad Fida, CEO; Hilda Perez, President; Kevin Gallagher, VP of Sales & Business Development and Bob Gleason, Director of Sales, Eastern Region & Federal. The meeting was held in the Jardins Board Room of the Cosmopolitan Hotel in Las Vegas.

Brinqa manages risk for one of the world’s largest banks
No matter what industry you are in, corporate governance pressures require the managing of the risks associated with critical business applications every day. For the financial services industry in particular, the regulations require the most stringent risk awareness and risk controls. The establishment of a holistic view of risk management and the reduction of the costs associated with the currently disjointed and manual risk management projects are the main objectives of the Brinqa Risk Management for Financial Services solution.
Homegrown risk management solutions can result in isolated internal governance “silos” that lead to duplicated effort, higher implementation costs, and an incomplete picture of risk. For example, one of Brinqa’s newest financial services clients had over 1200 business-critical applications whose risk they were actively managing. Application owners gathered application and infrastructure data manually and generated risk reports for their applications, but those reports were not collated or communicated at an organizational level. The result? A lack of prioritization of the organization’s overall risks and inefficiencies in allocating resources and funding to the most critical risk remediation action plans. Brinqa Risk Manager and the GRC Platform centralized and standardized the underlying services that were common across individual application and infrastructure risk management projects. Through this consolidation, the comprehensive Brinqa solution (see below) established an enterprise view of risk for executive management to make informed decisions related to resource management and funding allocations, reducing time, cost, and worry.
Brinqa Risk Management Solution for Financial Services

- Automated Risk & Controls Self Assessment (RCSA)
Brinqa Risk Manager provides the common interface and process management to streamline RCSAs. Out-of-the-box surveys and assessment processes were customized to support the customer’s specific business processes, applications, and infrastructure. Finally, Brinqa manages the RCSA process through robust workflows which ensure full auditing and storage within the GRC Warehouse.
Leveraging the Brinqa solution greatly reduced the amount of effort involved in conducting RCSAs. Survey questions are answered once and mapped into all relevant surveys through our built-in “many-to-many” mapping model. Additionally, assessment updates are scheduled and are initiated automatically, thereby continuously increasing the accuracy of assessment data.
- Controls Automation & Continuous Monitoring
Brinqa GRC Connector Framework is used within the solution to directly connect to the company’s more than 1200 applications and IT components, including vulnerability management, server configuration controls, and access controls. The collection of data no longer requires human intervention for the more than fifty thousand IT components, reducing the effort and errors in data associated with human fallibility. Automated data collection is done in near real-time ensuring issues are detected quickly, and built-in issue management is leveraged to trigger the practically instantaneous initiation of action plan execution.
- Risk Scoring, Modeling, and Prioritization
Brinqa Risk Manager’s risk engine is the core of our financial services solution. The risk engine is configured to implement advanced quantitative risk scoring, statistical risk modeling and “what if?” analysis. Quantitative risk score calculations factor in all relevant parameters such as weights, tolerances, thresholds, aggregations, and data normalizations in establishing an accurate representation of risk across applications and infrastructure. Risk modeling and prioritization is simplified through this comprehensive approach to calculating risk combined with the Risk Manager’s centralized and automated controls monitoring and assessments capabilities.
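The quantitative scoring that this section and the application case study above both describe in the same terms (weights, tolerances, thresholds, aggregation and data normalization), as an added worked example. This is illustration code, not Brinqa’s risk engine: the severity mapping, source weights, exploitability uplift, aggregation rule, tolerance bands and the sample findings are all constructed assumptions, and it generalizes the text by accepting both numeric (CVSS-style) and label-based severities from different feeds.

```python
"""Quantitative application risk scoring, constructed for illustration:
findings from several sources are normalized onto a common scale,
weighted by source, aggregated per application, scaled by asset
criticality and compared with tolerance thresholds. Not Brinqa's model;
every table and value here is an assumption."""
from dataclasses import dataclass
from math import prod
from typing import Dict, List, Tuple, Union

# Assumed normalization table: severity labels from feeds that do not emit a
# numeric score are mapped onto the same 0-10 scale as CVSS base scores.
SEVERITY_TO_SCORE = {"low": 3.0, "medium": 5.5, "high": 8.0, "critical": 9.5}

# Assumed per-source weights: how much confidence each feed's rating carries.
SOURCE_WEIGHT = {"vuln_scanner": 1.0, "siem": 0.8, "web_dast": 0.9}

# Assumed tolerance thresholds on the final 0-100 application score.
TOLERANCE: List[Tuple[float, str]] = [
    (35.0, "within tolerance"),
    (65.0, "review"),
    (100.0, "above tolerance"),
]


@dataclass
class Finding:
    app: str
    source: str
    raw: Union[float, str]   # CVSS-style number or a severity label
    exploitable: bool = False


def normalize(raw: Union[float, str]) -> float:
    """Map a source-specific severity onto 0..1."""
    if isinstance(raw, (int, float)):
        return max(0.0, min(10.0, float(raw))) / 10.0
    return SEVERITY_TO_SCORE[str(raw).lower()] / 10.0


def finding_score(f: Finding) -> float:
    """Normalized severity weighted by source; a known-exploitable finding
    is uplifted by 25% but capped at 1.0."""
    score = normalize(f.raw) * SOURCE_WEIGHT[f.source]
    if f.exploitable:
        score *= 1.25
    return min(1.0, score)


def application_score(findings: List[Finding], criticality: float) -> float:
    """Aggregate with a probabilistic OR, 1 - prod(1 - s_i), so one severe
    finding dominates while many trivial ones do not add up to a false
    emergency; then scale by asset criticality onto 0..100."""
    if not findings:
        return 0.0
    combined = 1.0 - prod(1.0 - finding_score(f) for f in findings)
    return round(combined * criticality * 100.0, 2)


def rate(score: float) -> str:
    """Label a score against the tolerance thresholds."""
    for limit, label in TOLERANCE:
        if score <= limit:
            return label
    return TOLERANCE[-1][1]


def prioritize(findings: List[Finding],
               criticality: Dict[str, float]) -> List[Tuple[str, float, str]]:
    """Return (app, score, rating) rows, highest risk first."""
    by_app: Dict[str, List[Finding]] = {}
    for f in findings:
        by_app.setdefault(f.app, []).append(f)
    rows = []
    for app, fs in by_app.items():
        score = application_score(fs, criticality.get(app, 0.5))
        rows.append((app, score, rate(score)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample input: three applications fed by three sources.
SAMPLE_FINDINGS = [
    Finding("payments", "vuln_scanner", 7.5, exploitable=True),
    Finding("payments", "siem", "high"),
    Finding("payments", "web_dast", "medium"),
    Finding("intranet-wiki", "vuln_scanner", 5.0),
    Finding("intranet-wiki", "vuln_scanner", 4.3),
    Finding("intranet-wiki", "web_dast", "low"),
    Finding("hr-portal", "siem", "critical"),
]
# Constructed business criticality per application (0..1).
SAMPLE_CRITICALITY = {"payments": 1.0, "hr-portal": 0.8, "intranet-wiki": 0.4}

if __name__ == "__main__":
    for app, score, rating in prioritize(SAMPLE_FINDINGS, SAMPLE_CRITICALITY):
        print(f"{app:<14} {score:6.2f}  {rating}")
```

The two choices that matter most in a model like this are the aggregation rule and the criticality scaling: a plain sum would let a wiki with dozens of low findings outrank a payments system with one exploitable hole, and without criticality the same vulnerability would score identically on an internal test box and on a customer-facing service. Both parameters, along with the thresholds, are exactly the kind of tunable the text lists.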
For more information on Brinqa Risk Manager please visit our website, or request a demo.
TURNING IT UP TO 11
Brinqa: building on our 2010 success for an amazing 2011
More products. More customers. More partners. Improved products. New innovations – 2010 was a great year for Brinqa and its clients and now we plan to build on our recent successes and “turn it up to 11” this year.
In the past year, Brinqa has increased its customer base by 300 percent, attracting major new clients in the education, insurance, and financial services sectors.
Being entrusted by one of the largest banks in the world to provide risk management and GRC services is a great testament to the quality of Brinqa’s product line, as well as being a great responsibility that we know our team is more than capable of meeting. In 2011, Brinqa will be focusing on expanding its outreach to large enterprises and government agencies across many verticals, emphasizing its experience and flexibility.
2010 also saw Brinqa release version 3.0 of its flagship product and add six new partners, including CSC, Ernst & Young, and American Systems. Improving our products and improving our industry partnerships will continue to be a top priority in 2011.
In the coming year, Brinqa plans to explode across the GRC industry, with constant expansion and improvement being the watchwords.
We are expanding our global presence in Germany and the United Kingdom to better serve our clients around the world.
Version 4.0 of our main product will be released with numerous improvements, including expanded connector sets. We also plan to continue to invest in new cost-effective alternative product delivery options, including enhancing our products to extend our “cloud enabled solutions.” This will allow our clients even more flexibility and accessibility.
Brinqa’s planned expansion also includes new tailored solutions for both the health care industry and government services market. Considering the current uncertainty in both sectors, we know that our GRC and risk management services will be embraced by government agencies desperate to save money and ensure that tax dollars are properly handled and by hospitals and insurers responding to the new strictures of health care reform.
Finally, we are going to make sure our clients – current and prospective – and our partners have all the information they need to maximize their Brinqa experience. We’ve planned an expanded webinar series and we will be increasing our public outreach programs. Finally, our website will become the true information hub of the GRC industry.
Yup – We’re turning it up to 11 this year and we hope you’ll join us!
Amad Fida
Chief Executive Officer, Brinqa
Celebrating 2010's successes with customers & partners

The London NYC
As a very successful year for Brinqa wound down, the Brinqa team hosted a holiday dinner for our top clients and prospects at the London Hotel in NYC. The London Hotel features a Gordon Ramsay kitchen, and the food did not disappoint. We enjoyed a private room with a cocktail hour followed by a round-table dinner with lively discussion. The group was absorbed in conversation throughout the night, ranging from business topics to the telling of jokes. It was a great gathering of people from different organizations and a fun night of collaboration, and truly a great way to end the year and kick off the new one!
Brinqa Has Successful Exhibition at ISACA Conference
Brinqa had a successful exhibition September 13-15 at the ISACA Information Security and Risk Management Conference in Las Vegas.
This all-encompassing security event merged network security, information security management and risk management.
At the event, Brinqa demonstrated its governance, risk and compliance (GRC) solutions that enable enterprise customers to minimize risk, meet stringent regulatory mandates, and increase the operational efficiency of their IT infrastructures.
Once the exhibit hall opened there was a flood of visitors seeking information on risk, and we had many intelligent conversations about how technology can help solve the risk problem. Risk has become a very broad term that touches many facets of an organization: operational risk, application risk and infrastructure risk, as well as the way privacy, business continuity management (BCM) and vendors affect how a company measures, accounts for and reduces risk.
The ISACA Conference was the perfect forum for Brinqa to outline our solution and demonstrate the power of technology in addressing the many areas of risk. One of the most frequent conversations was about how our platform integrates seamlessly with an organization's IT environment to enable true Continuous Control Management (CCM). This gives customers a foundation for managing risk proactively, as well as a single view into the many aspects of risk a company is accountable for.
Brinqa was very pleased to be part of such a great conference and we look forward to attending future ISACA events.
The Clock is ticking – Massachusetts Data Protection Act and VRM Program
With the Massachusetts Data Security Law (SPPIRC) having gone into effect in March 2010, the clock has started ticking on your legacy vendor agreements. You have less than two years (until March 1, 2012) to bring those vendor agreements into compliance with the statute. Although two years sounds like a long time, consider the following:
Identify relevant service providers and perform Vendor Threshold Assessment (VTA)
Although one hopes this step is relatively easy, most companies I work with have difficulty even identifying all the business partners and agreements they have in place, especially when contracts are managed within the business units instead of centrally. Once you have identified the vendors, you will need to review the service each one provides and perform a level one assessment to determine whether the relationship gives the vendor access to your customers' information (electronic or paper).
Perform Vendor Impact Assessment (VIA)
Once level two providers are identified, it is time to take a deeper dive to ensure they comply with the law. In essence, they need to have a security program in place. This program should include:
- One or more persons assigned security program responsibilities
- Implementation of an annual program risk assessment and oversight process
- Awareness Training (employee and contractor)
- Access and Encryption Controls
- Program monitoring for control failures
- Policies and Disciplinary actions for non-compliance
Negotiating / renegotiating terms
Following the vendor impact assessments, there will likely be one or more identified risks for which action plans are needed. These actions may drive up the service provider's costs, so be cognizant that as your expectations increase, the price of the services provided may increase as well.
Find a new vendor
If you cannot come to terms with your existing vendor(s), you may have to find a new vendor. Make sure you take the Massachusetts requirements into account when negotiating all new contracts.
Vendor Risk Management – The Basics
In these lean economic times, companies are leaning more and more on outsourced services that are not aligned with their core business. This often includes IT services, and it can lead to outside vendors having access to, or outright holding, the crown jewels of your organization.
So what are you supposed to do, you may ask? There are several steps you and your organization can take to ensure that your customer and employee information, and ultimately your organization, are protected.
Insert risk management controls into your contracting process.
This may sound easier than it actually is. I can't count the number of times I have been told about a contract after an uninformed business partner signs a long-term "secret" deal. The best way I have found to get involved up front is to partner with the purchasing or contracting area. Have senior management (the higher the better) agree that any contract or vendor agreement that specifies IT services or information services must be contingent on performing a risk assessment. This risk assessment should be short and to the point, and it should be something your purchasing, contracting or business partner can perform. Secondly, be sure the business has identified a contract exit strategy. This exit strategy should cover the transition of source code and data, and proof that any data left with the vendor has been appropriately destroyed.
Identify your data flows and perform risk assessments on your existing suppliers.
Given the short supply of resources these days, you will need to tread lightly here. Take a risk-based approach. Understand how your organization's information flows to and from your vendors, and what information is actually being transmitted. Plan on visiting your higher-risk providers (those that have access to or maintain the crown jewels) more frequently, and lower-risk providers less frequently or not at all. The best approach is to inventory your providers, understand what they have access to, and then rank them in three categories: low, medium and high. Concentrate on your high-risk providers first. Distribute a self-assessment questionnaire, and then take a deeper dive into those that fall short of your expectations. Ask for simple things, including:
- Results from their last attack and penetration assessment
- Policies
- Results from their last internal control tests (BCP, internal audit, etc.)
Any vendor that is worthy of your business should be willing to provide these items upon demand.
Perform onsite risk assessments.
Once you have identified your high-risk providers, plan to visit the highest-risk or most strategic partners. These risk assessments should include the standard data center tour, discussion between senior management of both firms, and general observation of daily operations, physical security, and employee behavior. The last thing you want is a vendor telling you they encrypt their laptops, only to find out they send unencrypted backup tapes offsite for BCP.
Take action on identified risks.
Once you have performed these risk assessments you are bound to have a list of items that need to be addressed. Review these items with the business area responsible for the relationship with the vendor. It is up to them either to accept the risk for these items or to have the vendor resolve them. In any event, it is important to document what you have found, present the facts to the decision makers, and explain what the findings mean to the business so that they can make informed decisions.
If you have difficulty selling these concepts internally, remind the business how difficult it will be to hit that sales number when your organization is in the news for losing customer information. There are countless stories of organizations whose shipped tapes, or contractors' unprotected devices holding downloaded data, have gone missing.
About the Author
Craig Cooper is the Director of Product Management for Brinqa and focuses on the Vendor Risk Management Application.
GRC Platform: Building the Foundation for Continuous GRC
Governance, Risk, and Compliance (GRC) initiatives are a key focus in all large organizations today. Many of these organizations have addressed GRC from an administrative standpoint by mapping controls and policies to the applicable regulations and industry mandates. This approach makes sense because it provides clarity on specific regulations as they relate to the business, a crucial point given the extreme consequences of non-compliance. However, administrative GRC lacks an automated way to test controls. To stop here would mean limiting controls management to a content repository of controls that are validated manually and infrequently (usually annually). The result is a limited ability to manage risk and no comprehensive, up-to-date view of how well the business adheres to its policies.
The natural next step beyond the administrative aspects of GRC is to build out a robust GRC platform. An effectively implemented GRC platform not only automates compliance-related activities and risk management, but also provides a strategic governance foundation for all enterprise initiatives and programs.
One of the key elements and most reusable components of a comprehensive GRC platform is the controls sub-system. The controls sub-system consists of four components: the connectivity layer, the asset repository, continuous controls monitoring, and controls life cycle management.
The connectivity layer should leverage standard methods for collecting data in real time from applications, servers, databases and infrastructure reports. The result is improved data integrity and faster remediation of gaps.
The asset repository holds the asset model, which defines and classifies the relative importance and characteristics of assets such as employees, vendors, contracts, business processes, departments, applications, servers, databases and infrastructure reports (SIEM, IAM, VA, etc.). The model also captures the relationships between assets and the impact assets have on each other.
Continuous controls monitoring tracks the effectiveness of each control by automatically testing it against assets, using the data collected through the connectivity layer or gathered through control assessments (surveys).
Controls life cycle management covers the creation, update, approval and review of a control throughout its existence. It should also include a complete audit history, version control and workflows to manage the life cycle process.
Implementing the controls framework (GRC sub-system) across an enterprise streamlines compliance-related activities in the short term, while laying the necessary foundation for rapid ROI on future risk management and GRC initiatives.
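To make the four components concrete, here is an added example (not Brinqa's implementation) of a minimal controls sub-system in Python: an asset model with dependency relationships, connector snapshots standing in for the connectivity layer, continuous monitoring that runs every approved control against the assets it applies to, and a registry that versions each control and keeps an audit history. The inventory, the snapshots and the control definitions are constructed for illustration.

```python
"""Controls sub-system in miniature: asset model, connector evidence,
continuous control tests and a versioned control life cycle. Added example,
not Brinqa's implementation; all inventory, snapshots and controls are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Asset:
    asset_id: str
    kind: str                     # "application", "server", ...
    depends_on: list[str] = field(default_factory=list)   # asset relationships

@dataclass
class Control:
    control_id: str
    title: str
    applies_to: str               # asset kind the test runs against
    test: Callable[[dict], bool]  # evaluates one asset's connector snapshot
    version: int = 1
    status: str = "draft"         # draft -> approved; only approved controls run
    history: list[str] = field(default_factory=list)      # audit trail

class ControlRegistry:
    """Life cycle management: every change is versioned and logged to history."""
    def __init__(self) -> None:
        self.controls: dict[str, Control] = {}

    def create(self, control: Control, actor: str) -> None:
        control.history.append(f"v{control.version} created by {actor}")
        self.controls[control.control_id] = control

    def approve(self, control_id: str, actor: str) -> None:
        c = self.controls[control_id]
        c.status = "approved"
        c.history.append(f"v{c.version} approved by {actor}")

    def update(self, control_id: str, actor: str, **changes) -> None:
        # Editing a control bumps its version and sends it back for approval.
        c = self.controls[control_id]
        for name, value in changes.items():
            if name not in ("title", "applies_to", "test"):
                raise ValueError(f"field {name!r} is not editable")
            setattr(c, name, value)
        c.version += 1
        c.status = "draft"
        c.history.append(f"v{c.version} updated by {actor}: {', '.join(changes)}")

    def approved(self) -> list[Control]:
        return [c for c in self.controls.values() if c.status == "approved"]

def monitor(assets, evidence, registry) -> dict[tuple[str, str], str]:
    """Run each approved control against every asset of its kind using the
    latest connector snapshot. A missing snapshot is reported, not skipped."""
    results = {}
    for c in registry.approved():
        for a in assets.values():
            if a.kind != c.applies_to:
                continue
            snap = evidence.get(a.asset_id)
            if snap is None:
                results[(c.control_id, a.asset_id)] = "no_evidence"
            else:
                results[(c.control_id, a.asset_id)] = "pass" if c.test(snap) else "fail"
    return results

def exposed_applications(assets, results) -> dict[str, list[str]]:
    """Use asset relationships to show which applications inherit a failure."""
    failing = {asset for (_, asset), r in results.items() if r != "pass"}
    exposed = {}
    for a in assets.values():
        bad = sorted(d for d in a.depends_on if d in failing)
        if a.kind == "application" and bad:
            exposed[a.asset_id] = bad
    return exposed

# Constructed inventory and connector snapshots (config, VA and IAM feeds).
ASSETS = {
    "app-payments": Asset("app-payments", "application", ["web01", "db01"]),
    "app-hr": Asset("app-hr", "application", ["web01", "legacy01"]),
    "web01": Asset("web01", "server"),
    "db01": Asset("db01", "server"),
    "legacy01": Asset("legacy01", "server"),   # no connector coverage
}
EVIDENCE = {
    "web01": {"ssh_permit_root_login": "no", "open_critical_vulns": 0, "admins": ["ops-a"]},
    "db01": {"ssh_permit_root_login": "yes", "open_critical_vulns": 2,
             "admins": ["ops-a", "ops-b", "svc-batch", "dev-x"]},
}

def build_registry() -> ControlRegistry:
    reg = ControlRegistry()
    for cid, title, test in [
        ("CFG-01", "Root SSH login disabled", lambda ev: ev["ssh_permit_root_login"] == "no"),
        ("VA-01", "No open critical vulnerabilities", lambda ev: ev["open_critical_vulns"] == 0),
        ("IAM-01", "At most three local admins", lambda ev: len(ev["admins"]) <= 3),
    ]:
        reg.create(Control(cid, title, "server", test), actor="alice")
        reg.approve(cid, actor="bob")
    return reg
```

Two behaviours a practitioner would check are built in: a server with no connector snapshot (legacy01 here) is reported as no_evidence and still counts against the applications that depend on it, rather than passing silently; and editing a control drops it back to draft, so monitoring runs only the previously approved definitions until someone re-approves the new version, with both steps recorded in the control's history.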