GRC SUMMIT 2013 | Apr 30 - May 1, 2013 | Mandarin Oriental, Las Vegas, NV
WELCOME
ENGAGE | INSPIRE | TRANSFORM
© MetricStream, Inc. | All Rights Reserved

MetricStream GRC Summit 2013: Product Showcase
Policy and Compliance Management
Aneesh Bhatnagar, Associate Director – Product

Agenda
1. Policy Management
2. Compliance Management

Policy Management

Topics
1. Policy Management
2. Product Overview: Key Features
3. Policy Development
4. Policy Maintenance
5. Policy Communication
6. Policy Implementation & Enforcement
7. Reports / Dashboards

Policy Management within GRC (diagram)
Policy Management helps set the principles and rules that guide decisions (it sets the governance objectives and procedures) so that compliance with those objectives can be achieved.

Policy Management cycle (diagram): Determine the Need; Develop & Maintain; Implement & Enforce; Communicate

Key features of Policy Management
1. Ability to create inline as well as document-based policies
2. Ability to link policies/sections to relevant GRCF objects
3. User-configurable workflows
4. Audit trails
5. Powerful policy search
6. Granular access controls
7. Support for the policy management lifecycle
8. Ability to control the number of copies that can be printed
9. Automatic conversion of the final policies into PDF along with the header, footer, e-signature & document information
10. Sophisticated dashboards to monitor policy management
11. MLS (Multi Lingual Support) enabled

Create Document-based policies
• Any user defined in the first stage (i.e. the author stage) of the lifecycle can initiate a policy creation process
• Select the lifecycle and the category / sub-categories
• Modify the stage-level users
• Upload the controlled policy document

Map it to other GRC Content
• The author / reviewers can relate a policy to GRCF Objects, setting the Policy / Procedures for one or many GRCF Objects

Review / Approve Document-based policy
• The Reviewers can access the Policy using the View, Download, Print and Upload privileges
• Reviewers can select the reviewers of the next stage based on the appropriate privileges
• There can be 'n' stages, depending on how the lifecycle is set up

Create Inline Policy
• Create a policy in sections. Each section can relate to a GRCF object
• All the sections are exported to Word, so the Policy Users get a complete view of the policy
• The author can choose to send each section to a reviewer / approver

Review & Approve Inline Policy
• Each approver / reviewer is shown the section that he needs to approve
• He can choose to approve or reject a section
• Once all the sections are approved / reviewed, the policy is published

Policy Maintenance
• Major Change - when an existing policy needs to be changed significantly
• Minor Change - when an existing policy needs to undergo a small modification
• Policy Obsoletion - when an existing policy goes out of date

Policy Maintenance : Upversion
• Option to change the lifecycle while upversioning the policy

Policy Maintenance : Change Request
• Select the Request Option (Change)
• The policy routes through all the stages of the lifecycle and, once published, is available to the end users

Policy Maintenance : Change Request (Obsoletion)
• Policies can be obsoleted by initiating the policy Obsoletion process
• Obsoleted policies are not available to the end users

Policy Communication
• After a policy is published, it can be sent out for Policy Communication
• All the policy users of that specific policy receive an email notification with a link to provide their feedback
• The policy users can access the Policy and either accept or reject it
• The acceptance or rejection of the policy is retained in the system and can be produced as evidence

Policy Attestation
• The Policy users can either accept a policy or request an exception, and provide their comments
• The attestation information provided by the policy users is available in the policy management reports

Policy Discovery
Policy discovery can be done in two ways:
• Browse – in a Windows Explorer-like tree view
• Search – using the search filters
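The staged review lifecycle, major/minor upversioning, obsoletion and attestation workflow described on the Policy Maintenance, Policy Communication and Policy Attestation slides above, modelled as an added Python example. This is illustration code written for this page, not MetricStream code: the Policy class, its stage/user structure, the audit-entry layout and the sample users and policy title are all assumptions made for the example. It shows the checks a reviewer of such a workflow cares about: only author-stage users can initiate, a rejection sends the policy back to the author stage, a new version discards earlier attestations and routes through the lifecycle again, and obsolete or in-process versions are not visible to (or attestable by) end users.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AuditEntry:
    """One audit-trail record (hypothetical layout for this example)."""
    actor: str
    action: str
    detail: str
    when: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


class Policy:
    """A policy moving through an ordered, user-configurable lifecycle."""

    def __init__(self, title, lifecycle, stage_users):
        # lifecycle: ordered stage names; stage_users: stage -> set of user ids
        if set(lifecycle) != set(stage_users):
            raise ValueError("every lifecycle stage needs a user set")
        self.title = title
        self.lifecycle = list(lifecycle)
        self.stage_users = {s: set(u) for s, u in stage_users.items()}
        self.version = (1, 0)      # (major, minor)
        self.stage = None          # index into lifecycle while in process
        self.status = "draft"      # draft -> in-process -> published -> obsolete
        self.attestations = {}     # user -> (decision, comment), kept as evidence
        self.audit = []

    def _log(self, actor, action, detail=""):
        self.audit.append(AuditEntry(actor, action, detail))

    def _require(self, user, stage_index):
        stage = self.lifecycle[stage_index]
        if user not in self.stage_users[stage]:
            raise PermissionError(f"{user} is not a user of stage '{stage}'")

    def initiate(self, user):
        """Only a user of the first (author) stage may start the process."""
        self._require(user, 0)
        self.stage, self.status = 0, "in-process"
        self.attestations = {}     # a new version needs fresh attestations
        self._log(user, "initiate", f"v{self.version[0]}.{self.version[1]}")

    def approve(self, user):
        """Current-stage user approves; after the last stage the policy is published."""
        if self.status != "in-process":
            raise ValueError("policy is not in process")
        self._require(user, self.stage)
        self._log(user, "approve", self.lifecycle[self.stage])
        if self.stage == len(self.lifecycle) - 1:
            self.stage, self.status = None, "published"
            self._log(user, "publish", f"v{self.version[0]}.{self.version[1]}")
        else:
            self.stage += 1

    def reject(self, user, reason):
        """A rejection at any stage sends the policy back to the author stage."""
        if self.status != "in-process":
            raise ValueError("policy is not in process")
        self._require(user, self.stage)
        self.stage = 0
        self._log(user, "reject", reason)

    def upversion(self, user, change, lifecycle=None, stage_users=None):
        """Major change bumps the major number, minor change the minor one.
        The lifecycle may be swapped at the same time; routing then restarts."""
        if self.status != "published":
            raise ValueError("only a published policy can be upversioned")
        if change not in ("major", "minor"):
            raise ValueError("change must be 'major' or 'minor'")
        major, minor = self.version
        self.version = (major + 1, 0) if change == "major" else (major, minor + 1)
        if lifecycle is not None:
            if set(lifecycle) != set(stage_users or {}):
                raise ValueError("new lifecycle needs matching stage users")
            self.lifecycle = list(lifecycle)
            self.stage_users = {s: set(u) for s, u in stage_users.items()}
        self._log(user, "upversion", f"{change} -> v{self.version[0]}.{self.version[1]}")
        self.initiate(user)

    def obsolete(self, user):
        """Obsoletion is initiated by an author-stage user; end users no longer see it."""
        self._require(user, 0)
        self.status = "obsolete"
        self._log(user, "obsolete")

    def visible_to_end_users(self):
        return self.status == "published"

    def attest(self, user, decision, comment=""):
        """A policy user accepts or requests an exception; retained as evidence."""
        if not self.visible_to_end_users():
            raise ValueError("policy is not published")
        if decision not in ("accept", "request_exception"):
            raise ValueError("decision must be 'accept' or 'request_exception'")
        self.attestations[user] = (decision, comment)
        self._log(user, "attest", f"{decision}: {comment}")

    def attestation_summary(self, policy_users):
        """Dashboard drill-down: who attested, who has not, who asked for an exception."""
        users = set(policy_users)
        attested = users & set(self.attestations)
        exceptions = {u for u in attested if self.attestations[u][0] == "request_exception"}
        return {"attested": sorted(attested), "not_attested": sorted(users - attested),
                "exceptions": sorted(exceptions)}


def demo():
    """Walk a constructed sample policy through a three-stage lifecycle to publication."""
    stages = ("author", "review", "approve")                         # constructed
    users = {"author": {"alice"}, "review": {"bob"}, "approve": {"carol"}}
    p = Policy("Acceptable Use Policy", stages, users)
    p.initiate("alice")
    p.approve("alice")                        # author stage complete
    p.reject("bob", "section 3 unclear")      # back to the author stage
    p.approve("alice")
    p.approve("bob")
    p.approve("carol")                        # last stage -> published v1.0
    p.attest("dave", "accept")
    p.attest("erin", "request_exception", "contractor laptop")
    return p
```

Every state change lands in `audit`, which is what an Audit History report would be built from; `attestation_summary` is the "who has not attested" drill-down the Dashboards slide describes, computed from the retained attestation evidence rather than from a separate counter.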
Reports
• In-process Policy Documents Report
• Approved Policy Documents Report
• Obsolete Policy Documents Report
• Audit History Report
• Policy Management Reports

Audit History (screenshot)

Dashboards
Dashboards for:
• Policies in the lifecycle
• Published Policies
• Policy Access
• Policy Attestations
Each dashboard provides a drill-down to list additional information, such as the number of people who have not attested and who have already attested, with an option to export these details.

Multi Lingual Support (screenshots)

Regulatory Changes (screenshot)

GRC Intelligence (screenshots)

Compliance Management

Compliance Management: Objectives, Processes, Policies, Standards, Controls, AOC, Regulations (diagram)

One flexible data model (diagram): Questions / Procedure, Objectives, Functions, Standards, Controls, Auditable Entity, Processes, Assertions, Evidences, Financial Account, Policies, AOC, Regulations, Exceptions, Assets

Flexible model that helps test NOT just Controls (screenshot)

Leverages harmonized content from the GRC Library (screenshot)

GRC Library linked to your Policies (screenshot)

Supports correlation between Controls and Questions (screenshot)

Integrated with Issue and Action Tracking System (screenshot)

Create ad hoc Tests (screenshot)

View prior Test Results while performing Tests (screenshot)

Calendar to view Task Schedule (screenshot)

Upload Test Plans (screenshot)

Summary
1. Flexible model that helps test not just Controls
2. Leverages harmonized content from the GRC Library
3. GRC Library linked to your Policies
4. Supports correlation between controls and questions
5. Integrated with Issue and Action Tracking System
6. Easily create ad hoc tests and assign them to individuals (without creating a full-blown plan)
7. Provides access to prior assessment data while doing the assessment
8. Calendar to view Tests, Surveys & Certifications
9. Upload Test Plans
10. Out-of-the-box Reports & Dashboards

The Year 2012: What we did

2012…
1. Advanced Testing Framework
   • Enhances planning and scheduling
   • Enables proactive detection of non-compliance
   • Sends Surveys and Certifications to Users, Roles, Control and Process Owners
2. Regulatory Compliance Dashboard
   • Allows the compliance manager to track control failures and sample failures for every Area of Compliance, Type of Area of Compliance and at an Organization level
3. New Reports
   • Failed Test Report
   • Not Tested Report
   • Line Items with key controls with no Test Plan
   • Compliance Status by Organization
4. Data Upload
5. Multi-lingual support

Regulatory Compliance Dashboard (screenshot)

SOX Dashboard (screenshot)

SOX Report (screenshot)

SOX Score Card
• Total # of Controls
• Controls Tested / Not Tested
• Controls Missing Test Plans
• Controls Failed / Passed
• Overdue Tests
• Issues – Open, Overdue, Closed

The Road Ahead 2013

The Road Ahead – 2013…
1. Create Requirements from Policy
2. Support for Testing Control Objectives and Standards
3. Test Controls and Processes related to Objectives, Standards, Regulations, AOC, Policy etc.
4. Integration with PDMS and Surveys Module
5. Link Evidences and Exceptions during Tests
6. Automated Sample Size Calculation
7. SOX Scoping
8. Simplified Self Assessment
9. Mass Reassignment
10. Automated Issue Creation for Failed Tests
11. Remediation Testing
12. Validation Testing
13. Enhanced Reporting and Dashboards

Test Standards & Objectives (screenshot)

Add Exceptions to Test (screenshot)

Attach or Link Evidences (screenshot)

View Exceptions and Evidences (screenshot)

Test Status Report (screenshot)

The Vision 2014 and Beyond

The Vision – 2014 and Beyond…
1. Roll over Tests
2. Test Compliance of Products, Projects etc.
3. Mind Map style visualization of Controls and their connections
4. Simplified Control Testing User Interface
5. Continuous Control Monitoring

Questions and Discussion
[Presenter Name]
[Presenter's Contact Email ID]