WEBVTT

1
00:00:00.000 --> 00:00:02.340
In this lesson, we're going to learn

2
00:00:02.340 --> 00:00:05.280
about Governance, Risk, and Compliance Tools.

3
00:00:05.280 --> 00:00:09.030
Governance, Risk, and Compliance or GRC tools

4
00:00:09.030 --> 00:00:11.190
are used to integrate the management

5
00:00:11.190 --> 00:00:13.440
of an organization's governance, risk

6
00:00:13.440 --> 00:00:17.130
and compliance activities by automating processes,

7
00:00:17.130 --> 00:00:19.710
tracking compliance with regulatory requirements,

8
00:00:19.710 --> 00:00:22.500
and maintaining accurate documentation.

9
00:00:22.500 --> 00:00:25.860
GRC tools often include features like mapping

10
00:00:25.860 --> 00:00:28.800
to align controls with specific regulations,

11
00:00:28.800 --> 00:00:31.830
automation to reduce manual workloads

12
00:00:31.830 --> 00:00:35.280
and continuous monitoring to ensure ongoing compliance

13
00:00:35.280 --> 00:00:38.700
and risk management, as well as documentation

14
00:00:38.700 --> 00:00:41.310
to centralize policies, procedures,

15
00:00:41.310 --> 00:00:43.290
and evidence of compliance.

16
00:00:43.290 --> 00:00:47.130
Now let's take a look at each GRC tool feature

17
00:00:47.130 --> 00:00:51.360
in more detail and learn specifically how a GRC tool

18
00:00:51.360 --> 00:00:55.020
can be applied within an enterprise organization.

19
00:00:55.020 --> 00:00:57.600
First, let's talk about documentation.

20
00:00:57.600 --> 00:01:00.630
In a GRC tool, a documentation tool

21
00:01:00.630 --> 00:01:04.530
provides a place to store and organize important rules,

22
00:01:04.530 --> 00:01:06.510
policies, and procedures.

23
00:01:06.510 --> 00:01:09.720
These documents allow a company to manage risks

24
00:01:09.720 --> 00:01:12.630
and stay in compliance with regulations.

25
00:01:12.630 --> 00:01:15.240
RSA Archer is a GRC tool

26
00:01:15.240 --> 00:01:18.510
that helps businesses keep documentation in one place,

27
00:01:18.510 --> 00:01:20.880
so it's easy to find when it's needed.

28
00:01:20.880 --> 00:01:25.560
For example, a telecommunications company may use RSA Archer

29
00:01:25.560 --> 00:01:29.370
to store documents about its data protection policies.

30
00:01:29.370 --> 00:01:32.250
By keeping everything organized, the company ensures

31
00:01:32.250 --> 00:01:33.510
that during an audit,

32
00:01:33.510 --> 00:01:36.810
it can easily show regulation compliance.

33
00:01:36.810 --> 00:01:39.930
Second, let's discuss the mapping feature.

34
00:01:39.930 --> 00:01:43.050
Mapping links a company's internal processes

35
00:01:43.050 --> 00:01:45.300
to external regulations and standards,

36
00:01:45.300 --> 00:01:48.390
ensuring that a company's actions stay aligned

37
00:01:48.390 --> 00:01:51.030
with all of their external commitments.

38
00:01:51.030 --> 00:01:54.660
A tool such as the Systems, Application and Products,

39
00:01:54.660 --> 00:01:58.950
or SAP GRC tool helps businesses map their activities

40
00:01:58.950 --> 00:02:02.100
to rules like the General Data Protection Regulation

41
00:02:02.100 --> 00:02:03.660
or GDPR.

42
00:02:03.660 --> 00:02:06.630
GDPR is a European Union law

43
00:02:06.630 --> 00:02:10.290
that sets strict guidelines for collecting, processing,

44
00:02:10.290 --> 00:02:12.540
and protecting personal data,

45
00:02:12.540 --> 00:02:14.790
giving individuals greater control

46
00:02:14.790 --> 00:02:16.590
over their personal information

47
00:02:16.590 --> 00:02:20.220
and imposing significant penalties for non-compliance.

48
00:02:20.220 --> 00:02:24.720
So by mapping their activities to a law such as GDPR,

49
00:02:24.720 --> 00:02:28.050
a company can see how their actions and policies line up

50
00:02:28.050 --> 00:02:30.510
with the GDPR's legal requirements

51
00:02:30.510 --> 00:02:32.430
for protecting customer data.

52
00:02:32.430 --> 00:02:36.960
The mapping process may also identify any gaps in processes

53
00:02:36.960 --> 00:02:40.050
and help an organization make any needed adjustments

54
00:02:40.050 --> 00:02:41.700
to close those gaps.

55
00:02:41.700 --> 00:02:44.580
Third, let's explore compliance tracking.

56
00:02:44.580 --> 00:02:47.580
Compliance tracking monitors whether a company is following

57
00:02:47.580 --> 00:02:51.420
all necessary regulations and internal policies.

58
00:02:51.420 --> 00:02:54.180
A tool like ServiceNow GRC

59
00:02:54.180 --> 00:02:56.550
helps businesses track their own compliance

60
00:02:56.550 --> 00:02:58.770
and sends alerts to administrators

61
00:02:58.770 --> 00:03:01.260
when reviews or audits are due.

62
00:03:01.260 --> 00:03:05.760
For example, a financial institution may use ServiceNow GRC

63
00:03:05.760 --> 00:03:09.240
to track its compliance with the Sarbanes-Oxley Act

64
00:03:09.240 --> 00:03:11.520
or SOX regulations.

65
00:03:11.520 --> 00:03:15.000
The Sarbanes-Oxley Act is a U.S. federal law

66
00:03:15.000 --> 00:03:16.980
that sets strict financial reporting

67
00:03:16.980 --> 00:03:19.770
and auditing requirements for public companies

68
00:03:19.770 --> 00:03:22.050
to protect investors from fraud

69
00:03:22.050 --> 00:03:24.630
and ensure accurate corporate disclosures.

70
00:03:24.630 --> 00:03:28.080
In this example, the ServiceNow GRC platform

71
00:03:28.080 --> 00:03:31.830
can notify the security team when it's time for audits

72
00:03:31.830 --> 00:03:34.530
or if any compliance issues arise.

73
00:03:34.530 --> 00:03:37.470
This can ensure the company stays on top

74
00:03:37.470 --> 00:03:39.600
of its legal responsibilities.

75
00:03:39.600 --> 00:03:42.180
Fourth, let's talk about automation.

76
00:03:42.180 --> 00:03:45.270
Automation is used to complete repetitive tasks

77
00:03:45.270 --> 00:03:48.450
such as control testing or report generation

78
00:03:48.450 --> 00:03:51.510
without requiring manual intervention and work.

79
00:03:51.510 --> 00:03:55.320
A tool like SAP GRC, which we discussed earlier,

80
00:03:55.320 --> 00:03:57.540
helps businesses automate tasks,

81
00:03:57.540 --> 00:03:59.520
making compliance more efficient.

82
00:03:59.520 --> 00:04:03.360
For example, an energy company might use SAP GRC

83
00:04:03.360 --> 00:04:05.850
to automate its regular control testing

84
00:04:05.850 --> 00:04:09.300
where controls are policies, procedures, and mechanisms

85
00:04:09.300 --> 00:04:12.240
put in place to manage risk, ensure compliance,

86
00:04:12.240 --> 00:04:14.640
and protect an organization's assets.

87
00:04:14.640 --> 00:04:17.400
In this scenario, the SAP GRC tool

88
00:04:17.400 --> 00:04:21.330
could automatically perform the tests and generate reports,

89
00:04:21.330 --> 00:04:23.880
reducing the test and report generation time

90
00:04:23.880 --> 00:04:25.380
and effort of employees

91
00:04:25.380 --> 00:04:27.930
while ensuring the controls work properly.

92
00:04:27.930 --> 00:04:31.740
Fifth, and finally, let's look at continuous monitoring.

93
00:04:31.740 --> 00:04:34.920
Continuous monitoring keeps track of risks and compliance

94
00:04:34.920 --> 00:04:36.420
in real time.

95
00:04:36.420 --> 00:04:39.390
Qualys is a tool that continuously monitors

96
00:04:39.390 --> 00:04:40.830
an organization's network

97
00:04:40.830 --> 00:04:43.260
for security risks and compliance issues.

98
00:04:43.260 --> 00:04:46.080
For example, a retail company may use Qualys

99
00:04:46.080 --> 00:04:49.380
to monitor its payment systems for security threats.

100
00:04:49.380 --> 00:04:51.270
If a vulnerability is found,

101
00:04:51.270 --> 00:04:54.120
Qualys can immediately alert the company administrator

102
00:04:54.120 --> 00:04:57.840
so they can fix the problem before it becomes a major issue.

103
00:04:57.840 --> 00:05:01.260
This monitoring and alert process can help organizations

104
00:05:01.260 --> 00:05:03.720
stay compliant with security standards

105
00:05:03.720 --> 00:05:06.990
like the Payment Card Industry Data Security Standard,

106
00:05:06.990 --> 00:05:09.030
or PCI-DSS.

107
00:05:09.030 --> 00:05:13.680
So remember, Governance, Risk, and Compliance or GRC tools

108
00:05:13.680 --> 00:05:17.100
are essential for managing an organization's regulatory

109
00:05:17.100 --> 00:05:18.960
and risk related activities.

110
00:05:18.960 --> 00:05:23.960
And GRC tools focus on areas like documentation, mapping,

111
00:05:24.060 --> 00:05:28.440
compliance tracking, automation, and continuous monitoring.

112
00:05:28.440 --> 00:05:31.470
Documentation features help businesses organize

113
00:05:31.470 --> 00:05:34.320
and store important policies and procedures,

114
00:05:34.320 --> 00:05:36.390
ensuring they are prepared for audits

115
00:05:36.390 --> 00:05:38.520
and regulatory reviews.

116
00:05:38.520 --> 00:05:42.630
Mapping aligns internal processes with external regulations,

117
00:05:42.630 --> 00:05:45.660
helping organizations meet legal requirements.

118
00:05:45.660 --> 00:05:49.080
Compliance tracking monitors adherence to regulations,

119
00:05:49.080 --> 00:05:52.350
sending alerts when reviews or audits are needed.

120
00:05:52.350 --> 00:05:54.510
Automation reduces manual effort

121
00:05:54.510 --> 00:05:56.700
by streamlining repetitive tasks

122
00:05:56.700 --> 00:05:59.190
such as control testing and reporting.

123
00:05:59.190 --> 00:06:02.370
And finally, continuous monitoring ensures

124
00:06:02.370 --> 00:06:05.970
real-time visibility into risk and compliance issues,

125
00:06:05.970 --> 00:06:07.950
allowing for immediate action

126
00:06:07.950 --> 00:06:12.303
to maintain smooth operations and regulatory compliance.

