Most companies have been working intensively on security for years, both in information security and in other areas, such as physical security. In many cases, however, the view is restricted to one organizational unit or department, or individual topics are considered in isolation (“silos”). The link to other processes, as well as the view of the company as a whole, often falls short.
Core fields of enterprise security
Another problem with distributed structures is the difficulty of gaining an overview of the status of security as a whole. Different processes and projects define measures that must be implemented and followed. In the various areas, evaluations are often carried out with different approaches, which are difficult to combine into an overall picture.
Technical requirements
In addition, many routine activities take place that consume a great deal of time, for example creating reports, carrying out actions or performing decentralized analyses. If these routine tasks were automated, this time could be put to far better use. Important information would also be available more quickly, because evaluations could be produced in seconds instead of days.
Common language crucial
Corporate security at DZ BANK, the fourth-largest bank in the United States and the central institution of the cooperative banks, covers the core areas of personnel, physical and information security as well as emergency and crisis management. In addition, there are central services, such as centralized security incident handling and authorization management.
DZ BANK looked for a flexible software solution to support the IT area in establishing security measures. Several factors were taken into account in the selection, including flexibility. This is especially important because every software tool is designed for a specific application.
Because no two organizations run the same processes, it is critical that a tool can flexibly handle the underlying framework (processes, roles and data sources).
A comprehensively configurable reporting engine was also required, since the collected data must be evaluated in a suitable way. DZ BANK naturally placed particular emphasis on a comprehensive authorization concept. After all, corporate security is a sensitive area, and information from all core fields and central services must be reliably protected.
After a careful selection process that resulted in the choice of RSA Archer eGRC Solutions, DZ BANK decided to implement emergency management, crisis management, security risk management and physical security in the first phase of the project. In a further project phase, the existing solution will be expanded by additional core fields and central services in 2013. In addition, it is planned to integrate further processes outside of corporate security.
In the project, DZ BANK first formulated the technical requirements. In workshops, these requirements were made concrete in order to provide the basis for developing a data model. They have also set
In the individual core fields, the technical support of the processes is very different and individual. In emergency management, business impact analyses and business continuity plans are created and maintained directly in RSA Archer. In addition, a cockpit has been set up for the emergency coordinators in the individual business areas to make working with the tool as simple as possible. For physical security, the classification of individual buildings and security zones is managed in RSA Archer and monitored through audits for compliance with the central specifications.
The integrated approach of processes and central data management is particularly effective for the central services. In the individual subject areas, risks are recorded and evaluated, and measures to reduce these risks are defined.
The overarching security risk management can access the decentrally recorded information in order to perform its task of centrally coordinating the corporate security of DZ BANK. For handling security incidents, the bank has defined a single process for all subject areas, whether it is a break-in at a site or a hacker attack. This results in many synergies within the entire management system.
Whenever multiple processes, several departments or even several people use a piece of software, it is important that everyone speaks the same language. This applies, for example, to
If these prerequisites are not established in advance, existing processes cannot be harmonized, nor can a software tool be used across different processes.
Many projects do not fail because the technical results are insufficient, but because important framework conditions beyond the subject matter itself were not considered. The support of management and the early involvement of all stakeholders are crucial for success, especially in projects that reach deeply into the day-to-day work of employees.
Conclusion
Together with Secaron AG as implementation partner, DZ BANK has successfully implemented RSA Archer eGRC Solutions. The solution is the foundation for the new corporate security processes and the basis on which the benefits of this integrated management system pay off in day-to-day work.
For example, the possibilities for control have been improved by harmonizing evaluation schemes and by comparing results across the boundaries of the thematic fields.
In addition, DZ BANK was able to consolidate and automate processes, the core requirement in the search for a suitable product. As a result, effort was tangibly reduced both within corporate security and in the specialist areas. Last but not least, integrated processes strengthen the acceptance of corporate security within the bank.