A Case Study in Aggregation, Measurement and Remediation
This customer is a Fortune 500 technology company and a leader in its market, focused on selling products and services to consumers, small and mid-sized businesses, education, enterprise and government agencies.
The Company needs full lifecycle application security as well as supplier security. Some of the building blocks have been put in place over the years and can be leveraged in the overall solution. However, the focus will be to design and build an end-to-end solution that ensures the functions exist for easily identifying, measuring, monitoring and controlling risk as it relates to applications and suppliers.
The comprehensive Brinqa GRC solution will establish:
- Aggregation of information from various sources
- Application risk assessments and risk reporting
- Full lifecycle of issues and remediation
- Vendor assessments and risk reporting
The Brinqa GRC Platform, together with Brinqa’s Risk Manager and Vendor Risk Manager, provides the complete solution and establishes the foundation for moving from this initial corporate initiative, in small steps, toward enterprise-wide risk and compliance. The first order of business is to establish a process for identifying and managing application and vendor security. To accomplish this, we start with the basics of data aggregation. The Brinqa GRC Connector Framework is used to connect directly to the company’s critical applications, including its vulnerability management and event management applications. Automated collection reduces both human effort and human error. Next we look at the two primary requirements in solving this company’s problem: the Risk and Assessment Models.
Risk Modeling and Prioritization — The risk model is at the core of Brinqa’s Risk Manager. The risk model provides advanced quantitative risk scoring, statistical risk models and scenario testing. Quantitative risk score calculations factor in all relevant parameters such as weights, tolerances, thresholds, aggregations and data normalizations to establish an accurate representation of risk across applications.
Assessment Model — The Brinqa Assessment Model provides the ability to categorize vendors by, for example, building a risk profile. A standard assessment would be established using the assessment model, defining a specific set of questions that ultimately would establish a risk score associated with that vendor thereby identifying the level of risk that vendor presents to the company.
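A sketch, in Python, of the kind of normalization, weighting and thresholding the Risk Model and Assessment Model paragraphs above describe: findings from two connectors on different scales are normalized to a common range, aggregated per application with per-source weights, and mapped to a rating by threshold bands; a vendor questionnaire is turned into a weighted risk score in the same way. This is an added example, not Brinqa's code or model; the source scales, source weights, threshold bands, the "worst finding plus volume" aggregation rule, the questionnaire and the answer weightings are all constructed assumptions.

```python
"""Illustrative risk scoring for applications and vendors.

Constructed example: scales, weights, thresholds and questions are
assumptions chosen for illustration, not a vendor's actual model.
"""
from dataclasses import dataclass

# Constructed source scales: each connector reports on its own scale, so
# findings must be normalized to [0, 1] before they can be aggregated.
SOURCE_SCALES = {
    "vuln_scanner": (0.0, 10.0),  # CVSS-style 0-10 score
    "event_mgmt": (1.0, 5.0),     # 1-5 alert priority
}
# Constructed relative weight of each source in the application score.
SOURCE_WEIGHTS = {"vuln_scanner": 0.7, "event_mgmt": 0.3}
# Constructed tolerance thresholds: a 0-100 score maps to the first band it reaches.
THRESHOLDS = [(75, "critical"), (50, "high"), (25, "medium"), (0, "low")]


@dataclass
class Finding:
    app: str
    source: str
    raw_score: float


def normalize(source, raw):
    """Map a source-specific raw score onto [0, 1], clamping out-of-range values."""
    lo, hi = SOURCE_SCALES[source]
    return min(max((raw - lo) / (hi - lo), 0.0), 1.0)


def aggregate_source(values):
    """Combine normalized findings from one source into a single [0, 1] value.

    Assumed rule: the worst finding dominates, and a saturating volume term
    lets many findings raise the score without ever exceeding 1.0.
    """
    if not values:
        return 0.0
    worst = max(values)
    volume = 1 - 1 / (1 + sum(values))  # in [0, 1), grows with total mass
    return min(1.0, 0.8 * worst + 0.2 * volume)


def application_scores(findings):
    """Return {app: 0-100 risk score} from aggregated, normalized findings."""
    per_app = {}
    for f in findings:
        buckets = per_app.setdefault(f.app, {})
        buckets.setdefault(f.source, []).append(normalize(f.source, f.raw_score))
    scores = {}
    for app, by_source in per_app.items():
        weighted = sum(SOURCE_WEIGHTS[s] * aggregate_source(by_source.get(s, []))
                       for s in SOURCE_WEIGHTS)
        scores[app] = round(100 * weighted, 1)
    return scores


def rating(score):
    """Map a 0-100 score to its threshold band label."""
    for threshold, label in THRESHOLDS:
        if score >= threshold:
            return label
    return "low"


@dataclass
class Question:
    qid: str
    weight: float
    answer_risk: dict  # answer -> risk contribution in [0, 1]; 0 = fully mitigating


# Constructed vendor questionnaire; weights reflect assumed importance.
VENDOR_QUESTIONS = [
    Question("data_classification", 3.0, {"restricted": 1.0, "confidential": 0.6, "public": 0.0}),
    Question("independent_audit", 2.0, {"yes": 0.0, "planned": 0.5, "no": 1.0}),
    Question("encryption_at_rest", 2.0, {"yes": 0.0, "no": 1.0}),
    Question("incident_notification", 1.0, {"<24h": 0.0, "<72h": 0.4, "none": 1.0}),
]


def vendor_score(answers):
    """Return a 0-100 vendor risk score; an unanswered question counts as worst case."""
    total_weight = sum(q.weight for q in VENDOR_QUESTIONS)
    risk = sum(q.weight * q.answer_risk.get(answers.get(q.qid), 1.0) for q in VENDOR_QUESTIONS)
    return round(100 * risk / total_weight, 1)


if __name__ == "__main__":
    # Constructed sample findings from two connectors.
    sample = [
        Finding("web-portal", "vuln_scanner", 9.8),
        Finding("web-portal", "vuln_scanner", 5.3),
        Finding("web-portal", "event_mgmt", 4),
        Finding("hr-intranet", "vuln_scanner", 4.0),
        Finding("hr-intranet", "event_mgmt", 1),
    ]
    for app, score in application_scores(sample).items():
        print(f"{app}: {score} ({rating(score)})")
    answers = {"data_classification": "confidential", "independent_audit": "yes",
               "encryption_at_rest": "yes", "incident_notification": "<72h"}
    v = vendor_score(answers)
    print(f"vendor: {v} ({rating(v)})")
```

Two design points worth noting: clamping in `normalize` means a connector that reports outside its declared scale cannot push a score above the band ceiling, and treating an unanswered questionnaire item as worst case means an incomplete vendor assessment can only overstate risk, never hide it.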
In addition, all issues resulting from the completion of an assessment or a risk evaluation would be tracked and remediated, either manually or automatically where applicable.
The following diagram describes an example of the full life cycle of an issue.
The ability to put the GRC Platform in place established the foundation for building the customer’s security processes and provided the building blocks to manage critical business processes. Once applications and vendors are set on a risk management life cycle, reporting and managing issues become a daily exercise of informed decision making.
Key benefits of the customer’s solution include:
GRC Platform based architecture — A robust platform that ensures common management services and guarantees that GRC initiatives reduce the redundancy associated with various silos and are consistent across the enterprise.
Automated Risk & Control Assessments — Automated risk and control assessments using the customizable Connector Framework.
GRC Warehouse — A robust and comprehensive warehouse with the ability to maintain history, trend data and forecasts.
Key Metrics Monitoring — Brinqa provides the ability to continuously monitor key metrics and delivers robust dashboards and reports with actionable information for executive management.
Brinqa provides enterprises and government agencies with governance, risk management, and compliance solutions that enable the continuous improvement of operational and regulatory efficiencies. Brinqa’s offering is the most comprehensive available on the market today, based on our forward-thinking vision of a centralized, fully automated, and re-usable governance, risk and compliance (GRC) platform combined with targeted applications to meet program specific GRC needs. Brinqa streamlines compliance through automation, monitoring of controls, measurement of key metrics and visibility through executive dashboards and reporting.