
An IT Asset Management (ITAM) system plays a crucial role in helping organizations achieve regulatory compliance and meet Governance, Risk, and Compliance (GRC) requirements. Watch this webinar to learn more.

Webinar now available on-demand!

Our webinar, Regulatory Compliance & GRC: Aligning your ITAM Management System to a Risk Control Framework, is now available on-demand.

Principal Consultant of Anglepoint’s ITAM Program Transformation business, Chris Hayes, presents and answers questions from the audience.

Chris dives into the key aspects of how to use an ITAM management system to achieve regulatory compliance, and gives an overview of how to put all those aspects together to ensure that your organization can proactively manage GRC.

Here are some of the points covered in the webinar:

  • Introduction to Risk Control Frameworks
  • Why having a robust ITAM Management System is now more than just “best practice”
  • Aligning your program objectives to organizational priorities & defining the control scope of your management system
  • Our recommended best practices
  • And more

For any specific questions, feel free to reach out to us at [email protected].


Webinar Transcript


All right. Welcome, everyone. Thanks for joining today. We’re really excited for this webinar. We really appreciate you attending. I’m super pleased to announce, or introduce, I should say, Chris, who is our speaker and who is our presenter on today’s webinar. Chris Hayes is a principal consultant on Anglepoint’s ITAM program transformation team, and he has over 18 years of ITAM experience and has an incredible ability to distill complex ITAM concepts into easily understandable terms to affect meaningful organizational change.

In addition to everything that Chris does to help Anglepoint’s clients design, transform, and implement mature ITAM programs, Chris is also an accredited IAITAM trainer. He is our instructor for all of the certification courses offered by the Anglepoint Academy. So that’s Chris.

We’re really excited and grateful to have him here. Without any further ado, I’m going to go ahead and pass it on to him.

Chris Hayes:

Thanks, Braden. So, let’s say good morning. Good afternoon. Probably not good evening but depending on your time zone. Welcome. We’re going to be talking about how to add value outside of, the typical silo that ITAM sometimes sits in an organization, really how to work with other potential stakeholders, and expand the sphere of influence and hopefully really supercharge some of the capability in your organization.

So really, what we want to focus on today is aligning the ITAM management system. What’s happening in terms of people, process, technology? How you’re managing your assets. And then we’re going to look at aligning that with risk and control frameworks. So, this is going to be the topic that we cover off today.

So, the agenda, what we want to cover off we will have a couple poll questions just to see from all the respondents what your experience has been in this area. So, we’ll get to those in a couple minutes here. We’re going to go through a quick overview of some common risk control frameworks, what they’re about, what areas that you would be contending with these in, what industries, etc.

We’re going to talk about the Deming cycle, the W. Edwards Deming cycle of continuous improvement, how that fits in, why that’s important, and what the impact is here when you’re designing your management system. Your organizational priorities. As they relate to that management system. So that kind of goes into that next topic of also defining that control scope.

What we’re going to set up is to ensure that when you’re designing and planning, everything is lining up and accommodating some of these additional concepts. Last but not least, we’re going to pull this all together. So, I’ll give a quick example down into a little bit more level of detail and question and answer.

So, I am monitoring the chat and the question and answer. As Braden mentioned, we do want this to be participatory and interactive. So, if you’ve got questions during the session, feel free to put those in. If we can squeeze them in in the agenda, I will. Otherwise, we’ll try and address these at the very end.

So again, excited to have everyone here and let’s get into the content. So, we want to know out of all the respondents. All the organizations on here. Is your organization currently in a regulated industry? Okay, so for this 1st question, what I’m being indicated, and I don’t know if you can see this on the screen or not, but I’ll just share with you the output.

It looks like 64 percent of respondents. Right around 2/3rds are in a regulated industry. So, what this means is that’s a good thing, right? That means that already. That should be in your kind of thought process as an organization when you’re conducting your day-to-day activities when you’re planning and doing your IT asset management, there should be some other concepts or requirements floating around, right?

For those of you that are not considering this already, or you’re not sure that’s not the end of the world. But this is the focus of today to say, okay, if you’re not already considering IT security, or your governance risk compliance teams as a key champion and ally of your management system when you’re going through and managing your assets.

This is something that we strongly encourage. So, 2/3rds of the respondents here are already considering that. Others we’re going to talk about through the rest of this. So that’s an interesting one. Okay. So, for those of you who are regulated, this is then the kind of that logical follow on question.

When was your last regulatory audit? Okay. So, looks like we have an even split. Some of the respondents weren’t sure. That’s also indicating to me that maybe you are involved in an organization that has regulatory requirements. But you may have a little bit of segmentation, or your IT asset management program might not be tapping into and working with these stakeholders quite yet.

Some of you might be fortunate enough to not have any of these external auditors or requirements, or even the internal auditors come and audit what’s going on to manage IT assets. And then some of the other respondents, so a little bit less than half, were visited or had a review in the previous year in 2023.

This could be abstracted to other topics as well. If you’re talking just classical asset management. The percentages would probably be a lot higher, so we’ll get into the topic and, think about, okay, another thing on the plate. What do we have to do with management?

This is why we’re talking about the topic today. Some of these risk control frameworks, lot of different logos here. Both of these situations apply. The respondents that said, yes, we sit in a regulated industry. You might be an energy supplier. You might be in a financial sector. You might have some tax reporting requirements.

You may have some financial implications. There might be all different types and reasons or industries where you have official requirements. You might be processing payment card information. So, you’re PCI Regulated. You might be in the state of New York and a financial institution. So, you have to abide by NYDFS, the FFIEC, or FBA is another financial regulation.

You may be in Europe and the BIS. So, a branch of the U.K. government is coming up with some new regulations similar to Sarbanes Oxley. So, kind of corporate control and tax reporting schema that’s going to be published and officially effective sometime in 2024, all of these things are happening, right?

And that’s not to minimize any of this environmental sustainability and governance area such as, GRI sustainability accounting standards board, SASB. All of these control frameworks have similar structures, right? You’ve got control points and you’ve got to demonstrate the conformance with those controls.

If the Center for Internet Security comes in and says this is a formal audit or your internal audit says, how are we managing this? This is going to be a joint venture, and this is the heart of what we’d like to really impart to all of you today and how we want to discuss this. This should not just be info security off playing in their silo and responding to these things.

It should not just be service management off saying, oh, we’ve had another ITIL audit, or we need to demonstrate COBIT conformance, et cetera, et cetera. It needs to be a joint activity, thereby. Increasing the engagement and the stakeholder involvement with IT asset management and you drive that value, right?

So that’s what we’re talking about when we say some of these risk control frameworks, they are in several different areas. And this is just a small slice they’re in, right? So, these are just some of the common ones that we typically see when we work with clients. The second question. I love this one.

Any of you who are familiar with or are actively running an IT asset management program. Yeah. You have one three letter short answer, right? Absolutely. Yes. Do we have to? Yes. But beyond this, just being best practice. Now, this is a double-edged sword. This means that IT asset management is getting more and more central and critical.

But this is now hitting, at least for US regulated and mandated corporations. This is now hitting the bottom line. So Standard and Poor’s, which is a credit rating agency, it started to incorporate other metrics and measures when they assess credit worthiness for organizations. So being able to borrow money and being able to expand and have more cash on hand, the credit worthiness, that part of the assessment is considering cybersecurity.

One of the aspects, so going down to that next layer, one of the aspects of a proactive and demonstrated management of cyber security is IT asset management. In other words, backing that all up, you’re not going to have a great credit rating. If you’re not doing this stuff well, right? You have to be able to demonstrate this.

And like I said, double edged sword. What this also does is it takes that ITAM function out of the silo and puts it very centrally in this discussion. It is less of a yeah, it’s best practice or well, we’ll do this when we need to. You have to. This is going to be critical. So, what I’d like to impart to everyone is leverage this, right? Supercharge your IT asset management program and say, great, we are going to take this opportunity. We are going to work with these cross functional teams, and that’s that ITAM perspective. Information security, also governance risk compliance, they should be your program’s best friend.

You should have a regular cadence. You should be sharing information. You should be aligned with strategy and resourcing and process. What you’re doing, you have to align the basis. On the priorities of the program, when you’re planning for your IT asset management, your management system, that should be aligned from various functions.

Next is the Deming cycle. So, in as much as IT asset management and software asset management is governed by a standards body, so ISO 19770 is the software asset management standard. These are all aligned, these international standards, to a cycle of continuous improvement, the Deming cycle. Plan, do, check, act.

The plan, do, check, act is that iterative loop of we’re executing what we’ve planned. And is this working? Are we measuring things that are demonstrating progress and then taking corrective action to make sure you’re still on track if you’re measuring that you’re off track? So that’s how this works.

But we really are focusing in on the plan. So, when we say things like what are you measuring? And your IT asset management program, your management system that is addressing what’s important to your organization. What are those metrics? How do we ensure that those now can also address? We’ll talk about this in a couple subsequent slides.

Some of these regulatory or governance compliance risk control frameworks. How do we make sure that’s aligned? So, what that does is that expands that group of stakeholders or people that are interested or will potentially support the IT asset management program from a risk assessment and risk treatment point of view for governance, risk and compliance.

We want to make sure that this is aligned to very top levels within the organization that governs risk and compliance team. Are aware and looped in where there is a potential risk. And also, this is keeping with this theme that expands the influence and power potentially of the IT asset management function to say, oh, not only do we have a compliance topic here with Salesforce, right? It might be a license risk or a financial risk. We have a regulatory and compliance risk when that happens, that really helps kick into gear that do check act right. The continuous improvement.

If there is a gap where you say, look, we just failed and missed compliance audit or FBA came in and they gave us an ECRA level one finding where we are not hitting our financial and regulatory reporting requirements. That needs to live at a very high level within the organization that has to be aligned in lockstep with governance, risk and compliance.

It has to be reported. So, we are taking on more, but we are also adding a lot of value. Let me be very clear as well. What I’m not advocating for here necessarily is IT asset management, gobbles up security, right? We are not talking about doing N10 security, but what we are talking about is ensuring that this plan, planning the management system and aligning what’s important to the organization.

That view expands that we talked to multiple stakeholders. We talked to governance. We talked to info security, et cetera. So that’s where this Deming cycle kind of fits into this conversation, planning the management system and then addressing that as we note nonconformance or we’re doing some continuous improvement.

So, the first part and what I’m talking about is, aligned to what’s important for your organization. Any of you who are familiar with some of these frameworks, especially the standards framework ISO, you’ll understand, and you’ll appreciate that this is not just paint by numbers.

It is not you want to be successful. You do these exact six things and you’re going to knock it out of the park. At, 15 different organizations, the management system might have 15 different flavors because 15 different organizations are going to be different. You have to understand your priorities.

So, if you look here, this is a little bit smaller. Just for example, this organization in this example says what do we want this management system to do? We want to be protected from risk. We want to drive innovation and agility using cloud adoption, and we want to be a sustainable organization.

So, they’re going to have different metrics and measures and processes than a different organization that might say we really are zoomed in and laser focused on cost control and maybe application rationalization, et cetera when you consider what your priorities are.

That’s that second question. What other objectives and priorities should you consider for those respondents? The beginning who said yeah, I’m in a regulated industry, but I don’t know if we’ve been audited or, I’m not even sure. Now is the time to take this 1st step and say, Hey. Info security. Do we follow NIST? Do we follow CIS?

Do we have an IT service management, ITSM control framework that we have? What did the internal audit folks say? Governance risk compliance are you looking at some of our processes? When have you reviewed this last, et cetera? And to be sure, this can happen because of act from an organization where you say, Great it’s my first week on the job. I’m an IT asset manager. I’m thinking about software. I’m just planning this. I’m just designing this. Excellent time to incorporate that. Or because we’re talking about continuous improvement, doing, and checking and acting on where we are with this management system and consistently improving, then an organization who is already mature or saying we have very sophisticated in tool dashboarding, and we already look at our risk and you can make that adjustment.

You can go talk to InfoSecurity. You can go talk to Governance Risk Compliance, Internal Audit et cetera. So, either way, if you’re just starting out or you’re a very advanced and mature organization, this is applicable. Talk to InfoSecurity. Talk to Governance Risk Compliance. Understand so what we’re asking you to do is widen your view. And say, okay, understand these additional kind of regulatory drivers. There may be other priorities as well, right? Hey, we want to be sustainable. Yes, there’s a risk control framework, but there are other aspects here, right?

Consider widening your view that will enable your program and supercharge your program with more stakeholders where you can. Drive that value. Okay, so next level down of defining a control scope. So, if you say, for example, this example we’re giving is CIS has a number of different controls and safeguards.

So, if you zoom in there, that’s what we’re talking about. What we want to make sure is that when we’re planning and defining that control scope, so we’re designing the management system. In other words, all of the roles and people, all of the processes and policies and measurements and all of the tooling and technology that’s going to be involved.

That’s what we mean when we say management system that this is going to incorporate 2 things, a test of design and a test of effectiveness. So, against each of these safeguards, this is what we’re zooming in here on this 1st best practice. All of the supporting processes and measurements should be very clear.

De facto, you’re going to work with other functions. We’re going to talk to operations. We might talk to security. You might talk to architecture, development, et cetera, to be able to have that capability to measure. But what you’re going to want to do is align that measurement and understand exactly what you were measuring with that same goal in mind.

For example, one of the controls for CIS is making sure you have supported and authorized software. And if it’s not supported or authorized, that you want to remove that from the environment. Understanding this, you want to align and say, okay, we’re going to look at what we’re measuring and make sure what we’re measuring is governed and where we have a gap or where we have a potential nonconformance with what we’re doing, we need to be able to address that within whatever aligned time scale.

So, I’m talking kind of generalities here, but you’re going to work with other functions distinctions and have that common goal, right? That way they’re going to support they’re going to facilitate. Maybe, I would be amazed if info security does not have some kind of scanning and discovery capability, right?

So that’s a good opportunity to say, okay, we want to measure the environment. How are we going to do that? What’s our process? And that leads to that next best practice. Making sure that once you align and said, okay, we want to do the following things to say, number one, the test of design, that’s usually a black and white kind of pass fail from the regulatory and risk control framework point of view.

Is there a process? Did we write something down? Yes, or no? So, you can say, yes, we have something written down. We’ve aligned with security. Here’s exactly what we’re doing. We want to have that documentation. So, if you have an external audit from a body who is auditing against CIS, for example, for this example, they can.

What are you doing to scan your environment? How are you measuring? How are you demonstrating against the control point that says you will not have unauthorized software or software that hasn’t reached end of life? And you say, Oh, that’s a great question. Here are the 3 or 4 things and the policy and the processes and it’s aligned with multiple functions.

Exactly what we do. And that’s what this says. When you have your measurements, you might have some sample reports, your test of effectiveness. That documentation can start as the basis to demonstrate conformance. If you are audited externally, and they say what are you doing about this? And you say we have a CMDB and.

We look at it sometimes and no, but if you’re organized, this is the proactive approach and what you can endeavor to do is working with governance and working with security, et cetera, et cetera, widen your scope. You plan this by design. When you are designing your management system, you are proactive and then you can demonstrate conformance with these various risk and control frameworks you align that up front.

So, thinking about the puzzle pieces and then pulling this together. How this looks in practice. So, like I said, the example we were giving was from CIS, Center for Internet Security. And one of their controls is to address unauthorized software. So unauthorized, in this instance, we’re going to say we have aligned a control and test of effectiveness that we do not want any unsupported software in our environment. Maybe we’re focused in on cost control. We might be focused in on some aspects of risk, but we want to formalize this. So, we’re going to work with info security. So, all of those stakeholder requirements from the Deming cycle from the plan part and plan, do, check, act would be pre aligned.

We would say Mr. and Mrs. CISO and executives in the security organization and the operations team were all aligned that we want to measure and control for this aspect of the environment. So, what we would say is we do not want as a data point to have unsupported or end of life software in the environment.

What does that mean in practice? We’re going to have a test of design that says we’re doing something right that passes that aspect of CIS. The next aspect would be the test of effectiveness to say what is the actual process, and what are we measuring? How do we actually demonstrate this as aligned with these other functions?

So here, the test of effectiveness that we propose and are just giving this kind of example of a data reporting a weekly report review. Showing two things: what we want to show is that we have control and visibility over a good portion of the environment. So, we’re going with a 97 percent coverage as a thumb in the air key metric that we’re going to be measuring for the asset management program anyway.

But what we also want to discover in here is that we are not showing any installed instances or consumed instances of unsupported software. So obviously we need to understand which of those pieces of software are and are not supported, right? We have to have some normalization. We have to have some discovery.

There are other data points and other sub processes behind here. But what we want from this dashboard point of view is. What’s our coverage? And in that coverage, are we seeing any software instances of software where that is unsupported? And we’re discovering this. So just an example. And then best practice here is to continuously report this.

Remember, we’re thinking plan, do, check, act. This is the do, check, act. We’re executing what we planned. We’re measuring. And then we’re checking to see are we in conformance? And then the act bit is, ah, if we’re not, just this example. We only have 53 percent completeness and some of these areas are red, or we need to zoom in here.

That is part of the management system, so that needs to be aligned. If you have a low visibility percentage, or if you’re discovering software, that’s end of life. That is the act portion of continuous improvement. What that also does is that loops back in to IT asset management governance. But what we’re saying is and the message from the overarching message here is you’re also expanding that set of governance vis a vis your stakeholders.

If you are not just reporting to IT asset management, senior executives, but you’re now reporting to governance, risk and compliance and info security. There will be action. You’d better believe, right? You think about those two things? We have a potential compliance risk here. We need to install software.

This is no, we are nonconformant with our control framework, or we have unauthorized software that’s happening here again. This isn’t necessarily IT asset management owning the whole function, but it is working together on, with these other functions, to drive a lot more value outside of just compliance and outside of just the program, we can say you are not in alignment and you have a gap against this risk and control framework.

So go and do, make sure this is visible. Make sure this is aligned. Make sure that action happens. So that’s pulling it together here. And again, the best practice is to use this is just a Power BI-type dashboard to use some kind of continuous measurement and visibility to demonstrate. Are we on track? Are we not on track? If you’re not on track, then that precludes those actions.

Some recommended best practices here. And then it looks like we have a couple minutes for a question and answer as well. What we want to do is expand your management system to incorporate a control scope. So, what we’ve talked about today, and just this example was a little bit more in the info security area, but, put your hat on and put your kind of expanding the influence type hat on you could for instance, work with sourcing procurement vendor management and say, hey, what additional supplier data points do you need for sustainability for ESG?

What framework do we use there? What are our common, we mentioned this, security frameworks. Are we in a regulated industry where we need to be measuring some things like FBA or NYDFS? Are we overseas in the UK and this BIS new regulatory framework similar to Sarbanes Oxley.

When that comes out, what do we need to do? So, defining that control scope and not completely going back to the drawing board, but revisiting. Your management system for IT assets. So, for ITAM management that it also incorporates those control components. So, understanding what that happens, what happens there, what the implication is rather than together cross functionally.

This is the key. That you’re working with other functions. You continue to do that. You expand that sphere of influence, but also driving that value. You want to define the required data points and get down to those procedures and tests of effectiveness for each control item. In the example, again, we said we do not want to have unauthorized software.

That means we need to have a good coverage and visibility, but also not discover any unauthorized software. Software in the environment, and that gets that next square. They’re talking about a data led gap analysis. You need to see the reports where you are in the Deming cycle executing that do check act loop of continuous improvement.

Are we on track or do we have to do something? Is this a green report or is it a bright red report? Or where does this information need to go? And like I mentioned in that previous slide, the risk mitigation and by necessity gets elevated. It crosses these functional boundaries, not just for IT asset management, but to drive a lot more impact and value in the organization with let’s be honest about the same data. It’s a minor tweak. It’s measuring a couple other data points aligned to a risk control framework. This is the stuff that’s happening day to day. Anyway, it’s not hey, we’re not doing any discovery, or we’re not looking at cost and risk, or we’re not doing this stuff. We are anyway, as managers in IT asset management, the management system is really close.

So, what we’re advocating for here is just tweaking it slightly to incorporate and expand that framework. So really, like I mentioned, what we want to do, then, is because we’re crossing these functional boundaries internally breaking down these silos, we want this risk to be managed collectively and governed collectively.

So, it’s not just a well, we have a compliance risk here or potential cost issue here. It is we are in violation and we’re nonconformant with a regulatory or risk control framework. And necessarily those security risks, the regulatory risks, et cetera, they should be on a corporate risk register that should be managed and supported and governed by GRC type processes.

That really hooks in and says, ah, if there is something on this corporate risk register, that means we have to take action. It is not optional. So that’s the core message. Making sure we’re adjusting, making sure we’re adding more value, and it’s double edged, right? Yes, we take on one or two more things, but really, what we want to do is destroy those silos, ensure that we have additional stakeholders, we have additional budget, we have additional support for IT asset management.

But why? Because we’re aligning to the larger priorities of the organization. We’re not just looking at cost control and not just looking at license compliance. We are really driving that further value. And this is one of the key areas where we can do it against these risk and reporting frameworks. One of the things we did want to highlight as well.

The obligatory, we are happy to have any of these conversations and happy to have, them offline connect with him with me. I’m on LinkedIn visit the Anglepoint. So one of the things we did want to highlight as well. Just as we close out. We wanted to offer a complimentary access to the Critical Capabilities report for SAM Managed Services.

Gartner puts out annually. And these are some of the things where, if you’re considering working with a third-party organization to help you in your asset management journey and design some of the processes and policies and the elements of people, process, technology, for your management system, some of the capabilities that you want to consider and think about those are all contained in that report.

So, you have complimentary access as part of the slides. And with that, Braden, I will send it back to you to close out. Thanks everyone for the time today.


Awesome. Yeah, thank you, Chris. Thanks to everyone who joined and participated today. Yeah, I just want to remind you again. We are sharing the recording.

That’s going to go out in an email tomorrow morning. Yeah. If you have any questions, you can reach out to Chris directly. You can reach out to us at [email protected]. And then one more reminder as you close out of the webinar in your browser, there will be a link to take a survey.

We ask that you take that so that we can get your feedback so that we can improve these webinars. And continue to provide what we hope is really helpful and valuable content. But thank you all so much again, we really appreciate having you here and hope that you have a great rest of your day.