Less Pain, More Gain: InfoSec risk management and ISO 27001

By Jason Eubanks

Lead Auditor, LockPath


Jason Eubanks, LockPath

How have the recent privacy and security violations reported in the news every day changed your company’s behavior? There’s a silver lining to all the doomsday headlines — they should compel stakeholders in your company to pay more attention and provide more buy-in for proactive safeguarding activities against these risks.

How are you going to leverage this opportunity? You need a fresh approach, management support, a solid plan, and comprehensive technology to support all the moving parts involved in setting up an integrated security and risk management program.

As an experienced governance, risk management, and compliance (GRC) consultant and former auditor, I’ve assessed and supported many companies through the challenges inherent to building a mature, enterprise-wide information security risk management program that aligns with global standards and boosts competitive advantage.

One way many organizations are approaching this is through ISO 27001, an international standard for establishing, operating, maintaining and continually improving an Information Security Management System (ISMS).

This standard pushes organizations to move past checking boxes for adherence to controls by promoting a top-down, risk-based approach to developing processes, policies, and controls that specifically address the organization’s information security risks.

Organizations are certified based on adherence to a set of process-level clauses (requirements) and the controls used to support those processes; auditors certify against these requirements.


Why try to certify?

I’ve seen a growing number of companies working toward ISO 27001 certification (or towards compliance without undergoing the certification process). Implementing this standard is a highly effective way to build an integrated risk management program by establishing an ISMS.

An ISMS is comprised of the people, processes and IT systems used to apply a risk management program for managing an organization’s most sensitive and valuable data.

Approaching ISMS development in alignment with ISO standards will help your organization protect its critical data and IT assets, build resilience against threats and incidents, and be prepared for challenges and opportunities as they arise.

Even though it is voluntary, ISO 27001 certification is a valuable undertaking for many reasons. ISO 27001 is highly recognized and respected worldwide, encourages continual improvement and serves as a solid foundation for other IT risk and compliance standards and frameworks.

If you can meet the ISO 27001 standard, you are well positioned to comply with most other information security regulations, as well as client information security requirements.

At this point, organizations doing business globally are increasingly encouraged to achieve certification to stay competitive and win new business. As US companies expand operations internationally, they are often forced to comply with additional privacy and security regulations and provide additional assurances to partners and customers.

In addition to being an important indicator of information security maturity, a certified ISMS operates as a marketing tool and as a seal of approval, providing an edge over competitors. For evidence of this trend, do a quick search on ISO 27001 certification; note that the results are packed with company press releases announcing certification and re-certification.


A high bar to clear

Many companies struggle to achieve certification. The ISO 27001 standard sets a high bar — it is not a one-and-done, checkbox list of requirements.

It’s a continual living and breathing program that includes understanding interested party requirements, management commitment, cataloging risks, assessing the severity of risks, planning how to remediate risks, and producing documentation to substantiate the risk management activities.

The standard also requires that organizations apply a mindset of continual improvement, where management pushes past program mediocrity and strives to improve the overall health of the ISMS.


Manual approach not working

Traditionally, ISO 27001-related tasks have been performed manually: documents are stored in network file folders or on process owners’ local drives, and tasks are managed through spreadsheets, documents and email.

It is nearly impossible for global, digital businesses to keep up using a manual approach, given the complexity of information security programs, the expanding reliance on supply chains and outsourcing, and the criticality of data and IT systems.


The pain points become acute when it is time for auditors to assess a company’s operations. Scrambling to pull together the proper documentation is a time-consuming hunt that distracts staff from core functions and operational improvement work.

An inability to efficiently prove compliance, of course, increases the likelihood of failing an audit.

This dynamic is disastrous enough for mandatory regulations like HIPAA and SOX. When it comes to voluntary standards like ISO 27001, failed audits, runarounds, and tedious tasks kill stakeholder enthusiasm and make it impossible to gain traction.


How can you bring focus and efficiency to your ISMS efforts, so you can build momentum towards certification? The key is to streamline, centralize, and automate.

As a first step, consider your current processes to document and manage ISMS processes. If they are performed through manual ad hoc processes, then departmental segmentation, duplicated efforts, lack of visibility and accountability, and wasted resources are sure to follow.


Integrated systems deliver lasting benefits

This is why a governance, risk management and compliance (GRC) technology platform is so critical to successful ISMS initiatives and efficient compliance programs. These enterprise software suites are comprised of interoperable tools that all types of organizations deploy to help manage risk, demonstrate regulatory compliance, automate business processes, and prepare for audits.


Streamlined documentation and automated tracking are key features of these tools. When a task (e.g., inventory, assessment, remediation workflow, exceptions approval, policy review, etc.) is performed within the tool, the tool automatically retains the required evidence, allowing GRC teams to gain significant efficiencies.

In contrast, if you’re performing or documenting that task in Excel, it’s nearly impossible to show when or by whom that task was completed.


GRC platforms do far more than establish evidence repositories. They support the work of integrating processes, policies, and controls across departments and business units, which is essential to extending comprehensive risk management throughout the value chain.

Digitally linking processes to risks you identify, to policies you create, and to control procedures you administer weaves a tighter web of protection and oversight. I see the “shall” requirement statements — the standards set by ISO 27001 and other security and risk management frameworks — as objectives.

The processes, procedures, and controls you put in place and maintain with the help of a GRC platform determine if you will achieve those objectives, and how expedient you’ll be getting there.

GRC as instrumental

GRC platforms, when combined with sufficient staff and expertise and supported from the top down, are instrumental in many ways. Whether your organization is building an ISMS from the ground up, seeking a better method for managing and integrating security and risk activities, or trying to streamline the audit process after certification, manual processes will no longer suffice.

Your team can leverage a GRC platform’s capabilities to manage regulatory requirements, policies and procedures, risk assessments, third parties, incidents, asset repositories, vulnerabilities, audits, and business continuity. When deployed across the organization, GRC technology systems facilitate collaboration, and increase visibility and accountability. A team attuned to the importance of working together to develop a world-class ISMS can reach compliance and certification more expediently with these capabilities at its disposal.

These benefits are valuable to every organization. Indeed, there are a lot of companies that will follow the ISO 27001 standards without attempting certification, but achieving the certification is the only way to provide assurance that your information security and risk management processes are compliant with the standard.

The public, legislators, and industry organizations are increasingly aware of and reactive to negative news about corporate data breaches, and individual data privacy issues.

Organizations that have built a mature ISMS that matches the standard of excellence set by the ISO will be well-positioned to sustain competitive advantage and protect their assets and reputation in the face of a myriad of challenges.

Jason Eubanks is a CRISC, ISO 27001 Lead Auditor, and Principal Consultant at LockPath, a provider of integrated risk management solutions.

ERP Migrations: Creating New GRC Exposure and Upgrade Hazards

Scott Goolik, Symmetry

By Scott Goolik, Symmetry

Vice President of Compliance and Security Services

As anyone with an iPhone or Windows PC understands, when Apple or Microsoft issue a new software update, apps and functions that worked fine before suddenly experience degraded performance or simply do not work at all.

There is a parallel for enterprises today as they move to upgrade and migrate to the latest enterprise resource planning (ERP) software from companies like SAP and Oracle. These comprehensive software platforms act like the ‘heart and lungs’ for these companies, managing everything from the supply chain and logistics through to HR and financials.

A key part of ERP software is governance, risk and compliance (GRC) controls, in particular Segregation of Duties (SoD), which are designed to safeguard businesses, investors and customers alike.

At their primary layer, SoD and other access control measures provide checks and balances to prevent careless processes from exposing a business to risks. Taking it a step deeper, these access control measures are carefully designed, systematic rules implemented to keep people from defrauding an organization.

Businesses today count on GRC solutions for their ERP software as an operational necessity — much like encryption or security monitoring. Like these controls, GRC can blend seamlessly into an enterprise and with automation doesn’t have to restrict or slow down daily operations. In fact, without creating additional work for administrators, a system can effectively and automatically check every task employees do in their ERP software.

However, this streamlined process can be disrupted when new functionality is introduced into a system, just like an iPhone or Windows PC update. A good example of this upgrade hazard comes from SAP, one of the main ERP providers with more than 365,000 customers in 180 countries.

SAP Fiori is a new role-based, simplified and personalized user experience interface for SAP. Because SAP’s GRC software is designed around its legacy user interface, the introduction of SAP Fiori can create false negatives around an enterprise’s SoD conflicts.

So how can a business ensure its SAP Fiori solution for access control isn’t missing or mislabeling SoD issues? In the traditional SAP interface, users perform tasks through transactions by selecting them from the menu or entering the transaction code as a shortcut.

SAP’s GRC software then checks these transactions against a list of SoD conflicts to catch combinations of actions that could lead to fraudulent actions. For example, if a user can both create and pay vendors, they could abuse their access power by creating a fictitious vendor to begin funneling money out of the company.

A less extreme example involves flagging authorization risks that circumvent business processes — for example, ensuring managers can’t sign off on their own work. SoD checks are critical in catching these discrepancies for organizations. SAP Fiori, however, functions through service authorizations instead of transaction authorizations. If a user is performing similar tasks like creating or paying a vendor, a transaction start authorization isn’t necessary.

This ultimately means that most SAP GRC solutions can’t monitor for SoD conflicts within Fiori apps, which increases an enterprise’s exposure to fraud. To accurately analyze SoD conflicts and maintain compliance in this SAP example, a GRC solution must check both transaction start authorizations as well as service authorizations.

Within this analysis, a company’s service authorizations will output hash value character codes that correspond to services. To properly interpret these outputs, a company’s GRC team needs to add these codes to its rulebook, essentially creating an ad-hoc SAP Fiori solution for access control.

This can prove challenging because hash values can be system-specific and difficult to connect to the underlying services. Also, manually recreating a complex set of SAP GUI checks in Fiori introduces the opportunity for dangerous errors or inconsistencies — ultimately making maintaining GRC more difficult in the long run.

To close the emerging gap in access controls in this example, businesses need a GRC solution with an included ruleset designed to work across both Fiori and SAP GUI.
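The false-negative scenario described above, worked through as an added example (not code from Symmetry or SAP): a rulebook that understands only transaction start authorizations is blind to a user whose create-vendor and pay-vendor access arrives through Fiori service authorizations, while a rulebook that also resolves the service hash codes catches the same conflict. All transaction codes, service hashes, user names and the `UserAuth` structure are constructed placeholders, not real SAP identifiers.

```python
"""SoD conflict check across SAP GUI transaction codes and Fiori service hashes.

Constructed example: every code, hash and user below is an illustrative
placeholder, not a real SAP value.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Business functions that the SoD rules reason about.
CREATE_VENDOR = "create_vendor"
PAY_VENDOR = "pay_vendor"

# Legacy rulebook: GUI transaction codes (constructed) mapped to functions.
TCODE_TO_FUNCTION = {
    "ZVND_CREATE": CREATE_VENDOR,
    "ZVND_PAY": PAY_VENDOR,
}

# Fiori surfaces service authorizations as hash codes (constructed here).
# They are system-specific, so this table must be built per system and
# added to the rulebook; without it the check is blind to Fiori access.
SERVICE_HASH_TO_FUNCTION = {
    "A1B2C3D4E5F60718": CREATE_VENDOR,
    "9F8E7D6C5B4A3210": PAY_VENDOR,
}

# A conflict is a set of functions that one user must not hold together.
CONFLICTS = {frozenset({CREATE_VENDOR, PAY_VENDOR})}


@dataclass
class UserAuth:
    """What a user may do, split by the two authorization mechanisms."""
    user: str
    tcodes: set[str] = field(default_factory=set)          # GUI transaction start
    service_hashes: set[str] = field(default_factory=set)  # Fiori service auths


def functions_for(auth: UserAuth, include_services: bool) -> set[str]:
    """Resolve a user's authorizations to business functions."""
    funcs = {TCODE_TO_FUNCTION[t] for t in auth.tcodes if t in TCODE_TO_FUNCTION}
    if include_services:
        funcs |= {SERVICE_HASH_TO_FUNCTION[h]
                  for h in auth.service_hashes if h in SERVICE_HASH_TO_FUNCTION}
    return funcs


def sod_conflicts(auth: UserAuth, include_services: bool = True) -> list[tuple[str, ...]]:
    """Return every SoD conflict the user's resolved functions satisfy."""
    funcs = functions_for(auth, include_services)
    return sorted(tuple(sorted(c)) for c in CONFLICTS if c <= funcs)


def unmapped_service_hashes(auth: UserAuth) -> set[str]:
    """Hashes the rulebook cannot interpret: a blind spot to investigate."""
    return {h for h in auth.service_hashes if h not in SERVICE_HASH_TO_FUNCTION}


def false_negatives(users: list[UserAuth]) -> list[str]:
    """Users the legacy (transaction-only) check clears but the full check flags."""
    return [u.user for u in users
            if not sod_conflicts(u, include_services=False) and sod_conflicts(u)]


# Constructed sample users.
GUI_USER = UserAuth("gui_user", tcodes={"ZVND_CREATE", "ZVND_PAY"})
FIORI_USER = UserAuth("fiori_user",
                      service_hashes={"A1B2C3D4E5F60718", "9F8E7D6C5B4A3210"})
MIXED_USER = UserAuth("mixed_user", tcodes={"ZVND_CREATE"},
                      service_hashes={"9F8E7D6C5B4A3210"})
UNKNOWN_USER = UserAuth("unknown_user", service_hashes={"0000DEADBEEF0000"})
ALL_USERS = [GUI_USER, FIORI_USER, MIXED_USER, UNKNOWN_USER]

if __name__ == "__main__":
    for u in ALL_USERS:
        print(u.user, "legacy:", sod_conflicts(u, include_services=False),
              "full:", sod_conflicts(u), "unmapped:", unmapped_service_hashes(u))
    print("missed by transaction-only check:", false_negatives(ALL_USERS))
```

The unmapped-hash report matters as much as the conflict list: a hash with no rulebook entry means the check is silently incomplete for that system.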

This way you can eliminate false negatives, inconsistent security rules, and complex maintenance requirements while protecting the business and ensuring compliance.

As IT departments continue to upgrade software platforms and migrate them to hybrid infrastructures, it is critical for corporate GRC teams to ensure that any upgrades or migrations of ERP or other important software do not create new holes in their SoD processes and expose the company to increased fraud.

Scott Goolik is vice president of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events.

IntelligenceBank eyes new customers in North America

By John L. Guerra

Editor, GRC & Fraud Software Journal

Dominic Gluchowski, IntelligenceBank

As North America suffered under an Arctic freeze last month, IntelligenceBank employees depended on air conditioning to keep the brutal Australian summer at bay.

“We are in the middle of summer, it’s about 97 degrees outside,” says Dominic Gluchowski, IntelligenceBank’s Marketing Director. “But we’re just as comfortable working in the winter in North America, too.”

The company, founded in Melbourne in 2009 with U.S. headquarters in San Diego, is a business process management platform that delivers niche SaaS applications that help teams reduce costs and risk.

IntelligenceBank has a host of GRC contracts in Australia and customers in more than 50 other countries.

Through a partnership with Deloitte, IntelligenceBank provides risk and compliance software for retail and franchise industries in the United States.

The company is in the midst of negotiations to provide GRC and other solutions to other American-based Fortune 500 companies, Gluchowski said.

“In the United States, we’ve secured several great enterprise customers, and it’s full steam ahead with the growing demand of compliance services across organizations in North America.

Conflict of Interest (COI) platforms are some of the company’s best-selling solutions. IntelligenceBank’s Conflict of Interest software is purpose-designed to enable staff, distributors and the board to easily report potential conflicts and seamlessly create a culture of integrity and corporate responsibility,” Gluchowski says.

“It automates the review and approval of critical gift, financial interests, and relational conflicts. With a real-time audit trail, compliance officers can instantly run custom reports and track actions taken.”

The solution is designed for any organization, but works well for highly regulated industries such as financial services, government, and healthcare, where a system for managing disclosures is required.

It helps companies avoid large penalties for non-compliance, Gluchowski says. It’s less expensive than larger platforms that cost millions and 18 months to install and launch.

The IntelligenceBank solution is usually up and running in three or four weeks, he said. “It’s easier to customize, provides granular permissions for specific groups, and automatically escalates to management if someone doesn’t respond.”


Top 3 predictions for 2018 – a year of change

By French Caldwell

MetricStream Chief Evangelist

French Caldwell, MetricStream

Prediction 1: Data controllers and others face surge in complaints

In 2018, large data controllers, data processors, and privacy authorities will be found to be unprepared for a surge in requests and complaints by data subjects. The new EU GDPR expands the rights of EU citizens with several new rules, including the right to rectification, right to erasure, the right to object, and the right to restrict processing.

Privacy advocate groups will launch campaigns that drive large numbers of EU citizens to test these new rights. Many companies and government organizations will find they are vastly under-prepared to manage the large volume of requests and complaints.

Furthermore, many privacy authorities will not be prepared to manage the large number of complaints they receive. To prepare, data controllers should have robust case management processes in place, and they should assure their third party data processors do as well.

Likewise, privacy authorities should evaluate their complaint management processes and ensure they are ready for a large surge.

Prediction 2: The first €1 million or more penalty under GDPR

In the event of a data breach, the new EU GDPR regulation provides for large penalties, up to 4 percent of revenues or €20 million, whichever is larger. With the number of large data breaches growing, it’s just a matter of time before a large breach occurs.

While typically with a new regulation, there is a period of adjustment where regulators work through enforcement priorities, in the case of GDPR European privacy authorities are under a very public spotlight.

The first few companies or government agencies with a large data breach will set the standard for enforcement – especially if they delay reporting it.

While Europe has had many fewer reported data breaches than the U.S., that could change with the mandatory requirement in GDPR to report breaches within 72 hours of becoming aware of them.

The best defense for data controllers and processors will be strong data protection and cybersecurity programs that are well tested, documented, and ready for an audit by privacy authorities.

Prediction 3: Regulatory technology primary driver for GRC

In 2018 and 2019, regulatory tech – which utilizes information technology to enhance regulatory processes – will emerge as the primary driver of technological innovation for the GRC market.

Just as biotech is driving innovation in the life sciences industry, and fintech is doing the same in finance, regulatory tech is starting to impact the research and development investments of major GRC providers.

Artificial intelligence and machine learning applied to both unstructured and structured data to discover new risk and threat insights are the obvious technical leaders of innovation, but not the only ones.

Alexa-like advanced chatbots will enable users to quickly navigate applications, create reports, and discover relationships between risks, controls, processes, performance, assets and other data objects.

Hybrid machine-human scoring of third party cybersecurity, financial, and sustainability risks will supplement onboarding and continuous monitoring programs.

Facial recognition will provide a new means of assurance for data access and separation of duties. To gain competitive advantage, GRC vendors will increase funding for regulatory tech initiatives both organically and through acquisitions.


Most organizations unaware when employees violate policy and rules

From MetricStream press release

French Caldwell, MetricStream

More than half of organizations (55 percent) can’t tell when their own employees violate company workplace rules and policies across the enterprise, according to a revealing survey by MetricStream.

The company, a developer of governance, risk, and compliance (GRC) apps and solutions, said the survey, “What Makes an Effective Policy Management Program?” paints a picture of how organizations create, manage, and communicate policies.

Other results from the survey:

While only about 1 in 4 organizations use policy management software, the benefits they enjoy are significant. Of these organizations:

  • 21 percent take less than a month to develop and publish a policy from scratch
  • 70 percent do not consider it challenging to author and distribute policies, or provide training
  • 60 percent encountered fewer than 50 policy violations in the last year

Policy management software eases policymaking

  • 80 percent of organizations using policy management software on a GRC platform take less than three months to author and publish policies, compared to only 55 percent of organizations using pure-play policy management software
  • 42 percent of organizations that require employees to attest to certain policies encountered fewer than 50 policy violations.
  • 59 percent of organizations that have mapped their policies to risks and compliance requirements do not consider it challenging to update policies as regulations evolve.
  • The majority of organizations that use standardized policy templates (62 percent) take less than a quarter to develop and roll out a new policy.

French Caldwell, Chief Evangelist at MetricStream, said the survey shows automation and consistency work.

“Our survey findings indicate that an integrated and consistent approach to policy management can yield significant benefits,” Caldwell said.

Many organizations have written policies, but much more is required to ensure that those policies are adhered to across the enterprise. To build a pervasive culture of ethics and risk-intelligent behavior, organizations must ensure that their policies are communicated effectively and updated regularly in line with regulatory and business changes. Moreover, policy compliance and violations must be tracked and addressed proactively.

“Those surveyed who have mapped policies to risk and compliance requirements, have integrated training into policy management programs,” Caldwell said, “or are using policy management software on a GRC platform are able to create and communicate policies faster, update them effectively, and minimize compliance violations.”


FICO regtech solutions protect GVNG nonprofit platform from fincrime

From press releases

Silicon Valley analytic software firm FICO announced that GVNG, a technology platform for nonprofits, will use the FICO TONBELLER Siron suite of anti-money laundering and know your customer solutions.

Based in Los Angeles, GVNG will use the FICO “regtech” solutions to carry out risk-based checks on people setting up charities, making donations, receiving payments and volunteering services, and to provide immediate alerts when any suspicious transactions take place.

“When it comes to preventing money laundering and knowing our customers, we wanted to go beyond the letter of the law to truly ensure that we weed out organizations or individuals that could have criminal intent,” said Dominic Kalms, president and CEO of GVNG.

“For example, we wanted to put safeguards in place to prevent sexual predators from registering as volunteers, and make sure money launderers or terrorist financers are not using our clients’ services or receiving funds,” Kalms said. “With our ambitious goal to sign up 2,000 programs in the next year, we needed a scalable solution we could use in the cloud, without increasing our team’s workload.”

“Organizations like GVNG have limited internal resources to manage compliance, so a cloud implementation ensures that they will stay up to date and compliant,” said Torsten Mayer, vice president of risk and compliance solutions for FICO.


MetricStream releases new M7 Platform with ‘robust’ GRC apps

From MetricStream

MetricStream CEO Shellye Archambeau

MetricStream – the governance, risk, and compliance (GRC) apps and solutions provider – says its new M7 platform includes applications for risk, compliance, audit, IT security, third party management, and other functions upon which GRC professionals rely.

With M7, MetricStream says it is providing fourth-generation GRC technology the industry has so far lacked. The M7 platform and apps are designed to help companies preserve their corporate integrity, protect their brand, and drive exceptional business performance through GRC that is simple, pervasive, and delivered in the cloud, the company said.

M7 focuses on enabling high performers through an “engaging user experience, high degree of configurability, enhanced mobility and layering, sophisticated reporting and analytics, and a future-ready architecture,” MetricStream said in announcing the release.

“M7 enables high performing organizations by making GRC simple, intuitive, and more deeply embedded across the enterprise and extended ecosystem,” said MetricStream CEO Shellye Archambeau. “M7 gives our customers real-time intelligence that they need to anticipate risk, and balance opportunities effectively.”

Here are the M7 highlights:

For risk management professionals

The MetricStream Enterprise Risk Management app enables organizations to manage a wide range of risks and related activities in a systematic and integrated manner. Through the app, users can identify, assess, monitor, and mitigate enterprise risks effectively.

Powerful analytics and reporting capabilities, paired with detailed graphical dashboards and charts, offer comprehensive and real-time visibility into risks, enabling stakeholders to make informed decisions. This app is often deployed with the Operational Risk Management, Business Continuity Management, and Internal Audit Management apps.

For regulatory and corporate compliance pros

The MetricStream Regulatory Engagement Management app streamlines and automates the process of managing various regulatory engagements, including examinations, meetings, and requests for information from regulators.

In tandem with the Compliance Management app, the Regulatory Engagement Management app simplifies engagement creation and task management, and captures all regulatory engagement data in a central repository.

Powerful dashboards and reports provide real-time insights, enabling stakeholders to make informed decisions that strengthen the organization’s relationships with regulators.

For audit management professionals

The MetricStream Internal Audit Management app helps organizations plan, manage, and track internal audits with ease and efficiency.

The app streamlines audit planning and scheduling, audit execution, review and analysis of audit findings, creation of the final audit report, and follow-up activities.

Through an intelligent, risk-based approach to internal auditing, the app helps prioritize audit tasks and resources based on the areas of highest risk.

For an enterprise audit management solution, the Internal Audit Management App is often deployed with the Compliance Management and Operational Audit Management apps.

For IT security professionals

The MetricStream IT Risk Management app empowers organizations to adopt a focused and business-driven approach when managing and mitigating their IT risks.

The app streamlines IT risk identification, IT risk assessments, and risk treatment. It also provides sophisticated analytics and reports that transform raw risk data into actionable IT risk intelligence, providing clear visibility into the top risks, and improving decision-making.

This app is often deployed with the IT Compliance Management and Threat and Vulnerability Management apps for an integrated IT GRC solution.

The MetricStream Threat and Vulnerability Management app strengthens IT security by proactively aggregating and correlating threats and vulnerabilities across information assets. The app integrates with multiple end-point IT security and infrastructure management tools and security intelligence feeds to identify and prioritize the risk exposure for IT assets, and streamline the remediation process.

Third party management

The MetricStream Issue Management app facilitates a systematic and integrated approach towards managing governance, risk, and compliance issues.

The app provides a single system for enterprise-wide issue management initiatives, thereby strengthening compliance and risk management, while reducing the associated costs.

Through an integrated approach, the app facilitates cross-functional coordination and collaboration on issue management, and helps align these processes centrally with corporate governance and reporting objectives. Issue Management is a critical component of any GRC solution.

Survey Management app

The MetricStream Survey Management app enables a structured and automated process to manage surveys for systems compliance, process compliance, risk assessments, HR policy awareness, legal attestations, etc.

The app fosters accountability by streamlining the flow of information and records, and documenting attestations and representations at appropriate stages.

Moreover, the reporting engine built on the MetricStream GRC Platform aggregates survey data, and enables exploration and evaluation of survey findings at the enterprise level.

Survey Management is a critical component of any GRC solution requiring the collection of intelligence across the enterprise and business partners, and can be integrated with other apps including Compliance Management, Risk Management, and Third Party Management.


Giant denial of service attack a wake up call

Mirek Pijanowski, StandardFusion GRC

The Dyn DNS DDoS attack should be a wake-up call for all organizations and service providers reliant on the internet. A simple risk assessment of your services would have identified the dependency on Dyn, or their clients, for production systems. Simple mitigating controls, such as properly configured multiple DNS providers in the case of Dyn clients, would have minimized, or even eliminated, the impact.

As far as National Security Agency hack goes, how is it that one of the largest security agencies in the world, with a budget of tens of billions per year, can’t figure out information security?

One would think with everything they know, they could at least secure their classified data from theft.

Do they follow the principle of least privilege? If so, then why do all these contractors have access to this sensitive data?  How are they getting this data out, and why is it taking years to find out?

The government must ask private-sector IT security firms and infowar experts for help. This is a national security issue that will take all of us to fix – both private and public sectors.

Mirek Pijanowski, CEO of StandardFusion GRC

MetricStream launches M7 GRC platform

From MetricStream press release

MetricStream, a developer of governance, risk, and compliance (GRC) apps and solutions, has launched its new M7 GRC platform.

According to Vasant Balasubramanian, MetricStream’s senior vice president of product management, M7 is designed as a simple, pervasive and cloud-based approach to drive exceptional business performance through GRC.

  • User Experience that is intuitive, engaging, and personalized for the end user, helping to simplify and strengthen GRC adoption across the organization through technology
  • Configurability that delivers GRC how you need it, allowing the organization to tailor GRC to its unique reporting, workflow, and content requirements; scale up to support new users; and extend the platform to add more apps and solutions as GRC requirements evolve
  • Mobility and Layering that lets organizations embed GRC into their day-to-day activities, decisions, business critical apps, and devices such as phones, tablets, laptops, and TVs.
  • Reporting and Analytics for better insights and better decision-making through a range of powerful visualizations, analytics, and reporting capabilities
  • Architecture that is faster, leaner, and “ready for the future”, with the flexibility to manage GRC on-premise or in the private and secure GRC cloud.

MetricStream’s GRC platform is used by more than 350 organizations worldwide, including large global banks, mid-sized banks, investment banks, insurance firms, asset management companies, federal financial agencies, and clearing corporations, the company says.


LockPath enhances Keylight 4.4 platform

From LockPath press release

OVERLAND PARK, Kan. — LockPath has added significant enhancements to its Keylight® Platform. In version 4.4 of Keylight, LockPath extends the functionality of its patented Dynamic Content Framework across the entire platform.

As the scalable and flexible foundation of the platform, the Dynamic Content Framework is designed to give users the ability to create custom tables and fields and to import and modify large sets of records, with no coding required.

The most visible result of this expansion is increased integration, flexibility and efficiency of LockPath’s compliance management solution, the company said. In addition, users will find richer integration features throughout Keylight, such as expanded record comparison functionality, augmented search results and the ability to email records externally.

By increasing context and efficiency, Keylight 4.4 is designed to provide the flexibility that organizations require when struggling to deal with compliance requirements and new risks.

GRC has become more visible, more challenging and more complex for organizations in the last decade. As compliance demands from regulatory and governing bodies increase, and risks related to IT, third parties and operations multiply, organizations need GRC tools that can adapt to the changing landscape, the company said.

Keylight 4.4 includes the following enhancements to the Dynamic Content Framework:

  • Extended data sharing capabilities across the platform to efficiently provide data to those who need it.
  • More specific search options, allowing users to more quickly access the information they need.
  • Expanded comparison capabilities across the platform, which allow users to easily review and report on data revision history.
