CONTROLS MAPPING IS HOT. IT’S ALSO DIFFICULT.
MODERATOR: MEGAN PHEE BROWN, HEAD OF STRATEGIC ALLIANCES, LOGICGATE
SPEAKERS: TOM CORNELIUS, SENIOR PARTNER, COMPLIANCE FORGE; GARY ELENS, DIRECTOR OF CUSTOMER SUCCESS, LOGICGATE
Housekeeping
• Download slides at https://go.oceg.org/controls-mapping-is-hot-it-s-also-difficult
• Answer all 3 polls
• Certificates of completion (only for OCEG All Access Pass holders)
• Evaluation survey at the close of the webinar
• Find the recording on the OCEG site at https://go.oceg.org/webinar-recordings
Learning Objectives
• Discuss an overview of controls and controls mapping
• Understand the drivers behind the recent interest
• Understand reasons why it’s harder than it sounds
• Discuss recommendations for how to adopt controls mapping
• Discuss cautionary tales and what to watch for
Poll 1
Do you have an OCEG All Access Pass (a paid membership) and would you like to receive CPE credit for this event?
a. Yes, I have an All Access Pass and I would like to receive a Certificate of Completion for this event
b. Yes, I have an All Access Pass but I do not need a Certificate of Completion
c. No, I do not have an All Access Pass but I would like to get one and receive CPE credit for this and future webcasts I attend
d. No, I do not have an All Access Pass and I don’t want to buy one at this time (so I won’t get CPE credit for this event)
WEBINAR:
Controls mapping is hot. It’s also difficult.
Today’s Panel of Speakers
Tom Cornelius, Senior Partner, Compliance Forge; Founder, Secure Controls Framework
Gary Elens, Director of Customer Success, LogicGate
Megan Phee Brown, Head of Strategic Alliances, LogicGate
LogicGate, Inc. | Confidential
Agenda
▪ Introductions
▪ Controls: An Overview
▪ Audience Poll #1
▪ Controls Mapping: In Demand
▪ Why it’s Hard
▪ Recommendations
▪ Audience poll #2
▪ Closing Thoughts
▪ Q&A
Controls: An Overview
Setting the foundation:
▪ What are controls?
▪ What are some common examples?
▪ How are they different across companies? Across industries?
Controls: An Overview
“Where the rubber meets the road”—where people, processes, and technology come together to operationalize a GRC program
May be statutory, regulatory, contractual, or self-imposed
Diagram labels: People, Process, Technology, Security
Controls: An Overview
Controls are central to managing risks, procedures, and metrics.
Risks, metrics, and procedures map into the controls, which then map to standards and policies.
Diagram labels: Policies, Standards, Controls, Risks, Procedures, Metrics
Controls: An Overview
What are the greater implications of having Controls in place?
▪ Two-sided coin analogy
▪ Consequences
Controls: An Overview
Well-designed documentation is hierarchical and builds on supporting components to enable a strong governance structure that utilizes an integrated approach to managing requirements.
Diagram labels: Policy, Control, Standard, Objective, Procedure, Guideline
Diagram scale: Tactical/Individual, Strategic/Enterprise
Diagram questions: Why? What are best practices? What is the requirement? What will it accomplish? What are the steps? Who needs information?
Poll 2
How are you currently managing your controls?
a. I don’t know
b. We don’t have controls in place
c. We have controls, but don’t always follow through
d. Controls are managed by relevant individuals on a one-off basis
e. With a coherent strategy, framework, and robust mappings
Controls Mapping: In Demand
What is controls mapping?
What’s driving the interest?
Controls Mapping: In Demand
Why do more regulations seem to be cropping up every year?
Are they simply avoiding fines, or are there more fundamental reasons?
Why It’s Hard
Time: evidence collection, assessments
Cost: labor, technology
Effort: requirements, breadth
OBJECTIVES: Strategic, Department, Process
RISKS: Strategic, Operational, Financial
CONTROLS: Preventive, Detective, Corrective
ISSUES: Complaint, Event, Investigation
ROLES: Owner, SME, Employee
POLICIES: Code of Conduct, Policies & Procedures, Training & Awareness
OBLIGATIONS: Regulatory, Contractual, Value
ORGANIZATION: Entity, Process, Asset
LogicGate, Inc. | Confidential | May 1, 2018
Frameworks
What are control frameworks?
▪ NIST 800-53, PCI, HIPAA, ISO 27002
▪ SCF
▪ Technology as enabler
Frameworks
Not All Are Created Equal
▪ Level of detail (depth)
▪ Scope of coverage (breadth)
▪ Taxonomy (overall arrangement of requirements & formatting)
▪ Industry-specific terminology
Poll 3
Is controls mapping on your company’s compliance road map?
a. Not at this time
b. Yes, just completed
c. Yes, currently in progress
d. Yes, we plan to adopt controls mapping within the next year
e. I don’t know
Thank You!
Tom Cornelius, Senior Partner, Compliance Forge; Founder, Secure Controls Framework
Gary Elens, Director of Customer Success, LogicGate
Megan Phee Brown, Head of Strategic Alliances, LogicGate
Q&A