Here’s How to Reinvent Your Approach to Internal Controls

Do you ever feel overwhelmed by controls? Maybe you have to test controls, again and again, to comply with various regulatory initiatives. Maybe you have controls that are applicable to some platforms and not others. Some are automated, some are manual; some need to be tested monthly, others annually. How many spreadsheets will it take to satisfy everyone who wants to know that your systems are secure? Managing controls can be a complicated undertaking without a system to simplify their deployment.

How Do You Explain the Concept of Risk?

My son once asked me what I do for a living, and I had to pause before attempting an answer. I tried to describe controls and how we implement them to mitigate risk. It was difficult to explain. A few years later, I worked for a great CISO who explained risk and controls in a way that was much more illustrative than what I told my son that day.

He asked me to imagine someone wanting to steal money from a bank. How might you prevent the theft? You could put locks on your doors as a physical security control to prevent anyone from entering your bank without a key. What if the bank robbers have guns? You could put bulletproof glass in front of the tellers – another physical security measure.

As the risks become more complicated, more and more controls are necessary to keep up. Creative robbers will never stop evolving in order to get to the money they know is nearby.

The Growing Challenge of Regulatory Compliance

The bank analogy is a simplified example of a risk-based approach. Organizations today must manage risk and controls across dozens of changing variables. As the number of regulatory initiatives grows, complying with all of them becomes increasingly challenging. As organizations grow more complex, with more processes and business units in scope, it becomes all the more difficult to manage risk and ensure that controls are operating effectively. It also becomes a progressively more cumbersome task to dig through multiple standards and control frameworks to find best practices. Managing the ever-evolving complexity and growing risks can quickly become a tangled mess.

How many regulatory initiatives and/or control frameworks is your organization required to consider? How many key applications or platforms are in play? How do all the IT and security controls interrelate? Is there a lowest common denominator across all your compliance requirements? It often takes a vast number of spreadsheets and uncountable hours across multiple departments to stay compliant. We believe there is a better way, and we are currently going through the process of simplifying this herculean task for our customers.

Simplifying the Deployment of Controls

It’s extremely challenging for companies today to figure out how to implement controls in these complex environments. Using point solutions from multiple products to manage all the controls from all regulatory initiatives is not cost effective or efficient. Senior management needs to understand risk exposure in a heartbeat in order to make well-informed decisions. A system that integrates all the controls for the handfuls of regulatory initiatives and platforms is long overdue.

Saviynt’s Controls Exchange provides cross-mapping between regulatory initiatives, control frameworks, platforms, control types and how these are managed in Saviynt’s Security Manager. If a customer requires controls that pertain to PCI-DSS, those are available; as are those that pertain to NIST and ISO, as well as AWS, Azure, SAP, Oracle EBS, and Workday.

The Controls Exchange provides insight into effective identity governance, least privilege, and cloud and/or IT general controls that can be implemented across the multiple platforms currently supported by Saviynt. Instead of spending time trying to keep track of several disparate systems, you can download automated controls and easily implement them into your enterprise.

Controls don’t have to be difficult. Once you have a solution that can connect your many platforms to many regulatory initiatives to many control types, it is bound to reduce complexity, making it easier to provide auditors with the information they need and helping your organization form a clear blueprint of its controls. Saviynt’s Controls Exchange is the first step in a collaborative effort to provide our customers with an open source exchange of necessary and easily implementable controls, no matter what regulatory initiatives, platforms or control types you require.


To read all of our blogs, visit here: https://saviynt.com/blog/.

Jeff Purrington

About author

Jeff Purrington, Director of Product Management at Saviynt, has over 20 years of experience in technology, audit, risk, and controls. His expertise is primarily focused around ERP controls and information security programs aimed at achieving compliance with regulatory initiatives such as SOX, HIPAA and PCI-DSS.
