IT governance aims to balance risk versus
return on IT and its related processes. It is
a well-demarcated structure of relationships and
processes that direct and control the enterprise’s
goals.
At EXL Risk Advisory, we recognize the significance
of securing business-critical information in order
to achieve an overall enterprise governance strategy.
We provide guidance for using information security
as a critical component of IT and business governance.
Our IT governance and security review services
help organizations benchmark and align their IT
processes, systems and controls with globally
accepted governance frameworks and security standards,
such as COBIT and ISO 17799. We also provide security
reviews for compliance with regulatory requirements
such as GLBA, HIPAA and EU Data Privacy.
Our IT governance review services include assessment
of compliance with global best-practices frameworks
and standards such as COBIT, BS7799 and ISO 17799.
EXLBRPS' team of experienced consultants conducts
detailed process and controls reviews to identify
gaps and improvement opportunities with reference
to COBIT and ISO 17799. Our distinctive risk-based
approach drives the identification of select controls
that mitigate key risks.
We work closely with our clients to advise and
assist in developing the leadership and organizational
structures, processes and relational mechanisms
to achieve compliance with the governance framework
adopted by the client's organization. Some of
the key activities include definition of IT processes
and design of controls, policies and procedures
in tune with the organization’s business
and IT environment.
In today’s corporate world, IT and financial
reporting environments are becoming increasingly
complex, with applications operating on a large number
of platforms and across complex networks. Consequently,
it is critical to ensure that the computing platforms,
data networks and the overall IT infrastructure
meet the security and availability requirements
of the business.
In addition, several regulations such as GLBA,
HIPAA and EU Data Privacy laws require corporations
to adopt and implement strong data privacy and
security controls.
EXL Risk Advisory provides targeted services focusing
on a detailed security and controls assessment
of IT platforms, networks and data centers.
Platform security review: We provide security reviews of different computing platforms, including Windows and UNIX/Linux variants, AS/400 and mainframe systems. We cover authentication mechanisms, user management, data confidentiality and integrity, configuration/change control, system administration, secure operations and auditing.

Network security review: Our network security reviews cover perimeter security assessments including Internet security, network device security assessments (routers, firewalls, intrusion detection systems) and remote access security reviews.

Data center review: Our data center assessment focuses on reviewing the physical, environmental and administrative/procedural safeguards that have been implemented within the data centers.
Our approach:

We adopt a comprehensive risk-based approach that maps key information assets to business processes and underlying IT infrastructure. We advise and assist in identifying threats, vulnerabilities and risks to these information assets through a detailed threat and risk assessment exercise.

We work closely with our clients on the development of detailed risk treatment plans that identify technical, administrative, legal and procedural controls to mitigate the risk of information security exposures, while setting the foundation for the organization’s information security framework.

We also provide assistance in integrating the information security framework with the enterprise’s risk management framework, legal and compliance framework, business environment and organizational structure.

We employ a wide range of in-house as well as third-party tools in our review and testing procedures.
Corporate governance regulations like the Sarbanes-Oxley
Act 2002, MI 52-111 (Canada), 8th Directive (EU),
Recommendation 7.2 (Australia) and Clause 49 (India)
impose significant challenges on organizations
to maintain adequate internal controls to ensure
the integrity of financial reporting and mitigate
fraud risks. Organizations need to put in place
a sound risk management framework, of which effective
IT risk management is a key element.
IT General Controls are the controls operating
around the IT systems of an organization. These
controls consequently have a pervasive impact
on the process level controls. IT General Controls
cover both functional and operational areas: management
& organization of IT activities, new systems
development/implementation, change management,
access to systems and data (including physical
and logical security), backup and recovery, and
computer operations.
We adopt a structured approach spanning across
four phases to evaluate the effectiveness of IT
General Controls:
Organizations today are subjected to
a large number of regulations that require businesses
to implement appropriate governance and control
mechanisms over the use and management of data
and information systems. These regulations range
from laws governing data privacy, security and
availability of information systems, accuracy
of financial information systems to specific requirements
for electronic data, copyrights, e-commerce and
e-signatures.
While some of the current regulations are industry-specific
(HIPAA and GLBA), others are country-specific
(Sarbanes-Oxley and the EU’s 8th Directive).
Regulatory compliance impacts business functions
and underlying applications, IT processes and
infrastructure both within the organization as
well as external service providers.
We help our clients in gearing up for the current
as well as future regulations by providing proactive
guidance and focused compliance support. We analyze
the scope and applicability of various regulations
on the client's organization and identify the
consequent impact on client's information systems.
Our understanding of the requirements of the regulations
and their impact on our clients’ environment
helps in effectively leveraging existing controls,
processes and procedures, with a view to reducing
the Total Cost of Compliance.
Our services include:

Training: We provide customized training workshops for senior management and internal project staff on regulatory requirements, scope considerations, project roles and responsibilities.

Project plan development: We work closely with our clients to determine and define the scope of engagement, roles and responsibilities, effort estimates, activities and timelines.

Project management assistance: Our experienced team members work side by side with our clients in establishing a project management office, helping to define project review and control deficiency reporting mechanisms, and also evaluate project management and compliance tracking/reporting tools.

Controls evaluation: We provide services for documentation and evaluation of the design and operating effectiveness of controls. Our comprehensive risk assessment methodology covers risk assessment at the IT organization level (entity level), IT general controls, and IT security and application controls.

Remediation assistance: Our remediation assistance services leverage our in-depth exposure to industry best practices and experience in assessing, designing and implementing IT controls, security and IT processes. We provide project management and technical consulting assistance to help our clients remediate control deficiencies.
Organizations are increasingly relying on third-party
service providers as a viable and cost-effective
alternative to internal technology and data processing
functions. Information and systems that are open
to third-party service providers are subject to
controls outside the purview of the organization.
While it is important to recognize and manage
the underlying risks to information security (confidentiality,
integrity, availability and privacy) and regulatory
compliance, obtaining objective assurance on the
effectiveness of these controls is a major challenge
for the organization.
We assess the adequacy of IT controls in place
at vendor locations and help our clients review
and test the effectiveness of the controls relating
to data safeguards, fraud prevention, compliance
with applicable laws/regulations and also adherence
to specific controls mandated by contractual obligations.
We help our clients in developing IT policies
and procedures based upon the compliance requirements
of different regulations, global best practices
and frameworks. We also provide training to users
on complying with the policies and procedures relating
to their areas of responsibility.