Great introduction, and in some cases a deep dive into all aspects of implementing MDM in an organization.

Risk Management & Compliance Program

Measuring and managing risk, and complying with a variety of global rules, regulations and laws about financial transactions and privacy has become a critical component of successful operations in the worldwide environment. This program focuses on the technologies and strategies to improve governance, manage risk, and abide by the letter and spirit of the law.

Sessions

Future Scenarios for Privacy, Advertising, and Online Social Identity

Many of the regulatory prescriptions for improving online privacy address data collection practices based on cookies, particularly certain types of cookies favored by marketers. However, restraining the use of cookies will not reduce the demand for consumer data to target digital advertising, and social media is poised to exploit any new scarcity of consumer data supply. Social media profiles and login mechanisms provide consumers with much more granular control over the use of their personal data than browsers, but this leads to a question of whether these controls and explanations are – or can be made – sufficient to consider consumers informed enough to protect their interests – especially in the case of our youngest social media enthusiasts. Evidence on both sides of this question is considered, and some future scenarios are presented to illuminate some potential side-effects of current approaches under consideration.

The End of the Beginning and What's Next in Compliance

In the wake of the near collapse of the U.S. financial services sector and the worldwide economic recession, new laws attempt to avert such a crisis in the future. In sheer page count, the new Dodd-Frank Act is six times more voluminous than Sarbanes-Oxley (SOX) passed in 2002. While Dodd-Frank targets banks and the financial services industry, much of it also applies to all publicly held companies. Those focused on the ingredients of compliance and risk management success need to keep in mind the letter and the spirit of the new laws that call for improving visibility into governance processes, access to information, and the ability to respond to changing market conditions in a timely fashion.

Risk Assessment 101

Risk used to be a lot like the weather—everyone talked about it, but few people actually did anything about it. While the weather still remains unpredictable, today’s business world demands a more predictable approach to the exploration, assessment, and expression of IT-related risks. This session will help the CISO understand what level of risk assessment is practical today, and what level of assessment formality is appropriate for their specific circumstances.

The KRI Catalog

Mapping key risk indicators (KRI) into business-centric key performance indicators (KPI) is an excellent way to link risk and security to corporate performance. However, developing KRIs that are directly related to KPIs is challenging. Gartner has developed a foundation Catalog of both KPIs and KRIs to help risk officers develop their own set.

The Future of Privacy

A high-impact panel with senior privacy officers from Google, Amazon, Visa, a large government agency and a large bank.

Report Risk to the Board…And Keep Your Job

Aligning risk and security activities to business strategy is necessary when reporting and communicating to business executives. Engaging business managers can facilitate necessary cultural change and provide business managers with the risk information they need in the proper context to make better business decisions. This session presents three case studies and two practical methods for communicating with executives.

Analytics’ Role in Managing Risk

For some, risk management is a qualitative assessment of potential exposures. For others, it’s a quantitative calculation set that identifies likelihood, potential impact, and predicts a range of possible outcomes. In any case, analytics—from simple to sophisticated—plays a role in determining the level of risk you face, what your tolerance for risk is, and whether you accept it or mitigate it.

Selecting IT Risk Assessment Methods and Tools: A Use-Case Approach

Leading organizations understand that effective IT risk assessment depends on the ability to manage a toolbox of assessment techniques, and to apply the most appropriate technique on a case by case basis. This presentation provides practical advice on selecting RA methods and tools, and on optimizing the utilization of these tools/methods. Issues addressed

Driving Performance, and Improving Risk Management With BPM

It’s surprising how many organizations don’t have control over their processes and, worse, may not even know what processes they have and what they do. It’s hard to make cogent decisions about risk in this environment. This session explains how BPM can help uncover hidden processes and how to continuously improve them to mitigate risk.

Understanding the Foundations and Components of Compliance

To avoid the common pitfalls of compliance efforts, organizations must clearly define their compliance objectives, establish a coherent governance structure and address all three forms of compliance. Even the strictest business rules, tightest financial controls, and latest technologies will leave most organizations vulnerable to fraud and noncompliance if "people" issues — that is, workplace beliefs, values, customs, and behaviors — are not addressed. Changing people's behaviors means changing organizations' corporate cultures in a way that ensures compliance and legal behaviors. Without cultural change, people tend to slip into old patterns of conduct, with predictable results.

Best Practices for IT Auditors

IT auditors are dealing with both traditional issues like SOX compliance and emerging issues like compliance in the cloud. Join other participants and share hot-button issues as well as best practices for IT auditors.

Ensuring Cloud Assurance

2011 is the year of the great cloud computing experiment. Recognizing that externally provisioned cloud computing services have new risk characteristics, the global computing community spent two years developing new frameworks and assessment models for it. This year, enterprises have begun to apply these new assessment methods through their own evaluation processes, through vendor self-assessment, and increasingly, through third parties. Do we have useful new best practices, or are we just fooling ourselves?

Intelligent Information Governance 2011

Information governance provides a structure for making better, faster decisions about information. But governance is technically complex, organizationally challenging and politically sensitive.

Net IT Out: Privacy Policy — Structure and Content

Is your privacy policy a tedious legal necessity or an exciting business enabler? Gartner compiled the best from over a dozen different privacy policies. Learn how to structure and develop your policy to be most effective. Take away some best practice examples on sections like accountability, logging, cookies, advertisements, data retention, and communications monitoring. Leverage your policy to gain and maintain trust from clients and employees with an enforceable policy that takes using and sharing of personal information seriously.

Net IT Out: Operational Technology Governance, Risk Management, and Compliance

Operational technology presents unique governance, risk management, and compliance challenges. Often OT GRC is managed by staff with engineering skills and experience focused on reliability, but less so on broader security management or IT operational risk concerns. Governance can be a challenge, especially at the IT/OT interface.

Net IT Out: Choosing Enterprise GRC Vendors

This presentation provides an overview of the Enterprise GRC Platforms and CCM magic quadrants, as well as the Enterprise GRC Consulting Marketscope. Going beyond these Gartner market evaluations, learn the architectural elements of GRC, how to prioritize the investments for GRC technology solutions, and the organization needed for operational support of risk management and compliance.

Net IT Out: Managing Relationships with Internal and External Auditors

Whether with your current firm or a new one, managing the audit relationship continues to be essential to receiving the appropriate attention and the proper scope of services at the appropriate cost. With ever expanding regulatory requirements, it is critical to understand the audit impact on your organization and its internal capability to fulfill these mandates. The interaction with internal and external auditors: what is needed, the time required, who is involved and cost must be carefully managed and controlled. This session will discuss proven best practices for managing effective relationships with internal and external auditors that result in maintaining effective compliance while minimizing evidence collection wear-and-tear on your IT staff.

Net IT Out: Understanding the E-Discovery Market

The e-discovery vendor landscape is crowded and confusing. E-discovery is a business process that requires legal and IT to work together to make cost optimization and risk reduction decisions. Vendors offer a plethora of software and services, with a multiplicity of delivery models. We'll help you make the right decisions about what to buy and when to use it to best effect.

Net IT Out: Choosing IT GRC Management Vendors

With costs of risk management and compliance coming under scrutiny and regulations still increasing, IT GRC Management continues to gain momentum. Additionally, IT GRC can improve confidence in the reliability of controls, which in turn can improve the ability of IT security and operations organizations to demonstrate their value contribution to the rest of the business. Learn about IT GRC management, its uses and the vendors.

Power Breakfast: The CFO’s Impact on Technology Investment Decisions – Executive Findings from the 2011 Gartner / Financial Executives International (FEI) CFO survey

Understanding the finance organization's perspective of technology is critical for CIOs and other IT leaders. However, the relationship between the finance and IT departments continues to be challenging, because of the perception that value is not being achieved from IT investments. Working in partnership with Financial Executives International (FEI), we have been surveying CFOs for the past three years to get their views on enterprise technology. This session will present an executive summary of the 2011 findings, which were just released in April 2011.

Enterprise Risk Management Roundtable

ERM has emerged as a critical issue for many corporations, and the technology to support it varies from GRC solutions to complex risk analytics. Join other participants in a roundtable discussion of how ERM is evolving.

Enterprise and Operational Risk Management: What the Board Wants

Closing the gap between board expectations for risk management, IT organization views, and what is within the art of the possible for GRC technologies is a challenge for most enterprises. This is a high impact panel with board members, CIOs and other senior executives and advisors from major corporations.

Enterprise Fraud Management Roundtable

Participants discuss their requirements and use cases for fraud management in finance, benefits, and homeland security.

Supply Chain Risks in a Changing World

With the economy on the rebound, supply chains must cope with commodity shortages, increased demand from developing countries, increasing regulatory pressures, and renewed pressures for environmental and social sustainability.

Which Regulations Apply to Me

One of the biggest regulatory challenges that CIOs and IT compliance managers face is determining exactly which regulations apply to the IT organization. Answering that question is a prerequisite to reducing compliance complexity and costs of regulatory compliance.

Critical Strategies to Manage Risk and Maximize Business Value of Open Source Within The Enterprise

Today, the presence of open source is inevitable within mainstream mission-critical IT portfolios. Moreover, the presence of open source has both positive and negative impacts on IT business value, in the form of both technical and legal challenges. Above all other considerations, the primary factor in balancing risk versus reward from OSS assets hinges on the successful execution of an enterprise open source governance program. In this presentation we address detailed risk/reward scenarios related to open source and discuss ways to manage these dynamics to maximize business value.

Negotiating and Managing Cloud Legal and Liability Issues

Cloud computing, for better or worse, has had at least two years of peak hype experience. Executives are asking IT organizations to seriously look at cloud computing to lower costs and create a more agile IT environment. But cloud computing still has many risks regarding data security, vendor viability, disaster recovery, high availability, and liability.

What to Do When a Lawyer Is Not Around

Information security professionals often find themselves on the front lines of civil and criminal legal matters or eyeball-to-eyeball with government regulators. And as luck would have it, there is never a corporate lawyer around just when you need one. That is why a CISO needs to have a basic understanding of such legal concepts as electronic discovery, preservation obligations and cross border jurisdictional requirements. While this session WILL NOT provide you with legal advice, it will raise your awareness of potential pitfalls and opportunities as well as point you to appropriate sources of information. While some believe a little bit of knowledge can be dangerous – ignorance of the law is no excuse in today’s very uncertain and litigious world.

Sustainability, GRC and Business Reality

During the recession, sustainability has often been sidelined by pressing business issues. Yet it has not gone away, both as a GRC issue, with new environmental regulations, and with businesses considering “green technology” to reduce costs while at the same time meeting stakeholder expectations for sustainability. Join participants to discuss the challenges and successes of sustainability.

Case Study: Best Practices in E-Discovery

Electronic discovery can be expensive, time-consuming and risky. This Case Study of a major insurance company describes practices you can put in place to improve your management of e-discovery.

Managing Vendors and Their Risks to Your Business

Vendor risk management helps prevent negative impacts on business performance from risks associated with IT service providers. Through oversight and prevention of problems, VRM can also help improve vendor performance and the vendor's value contribution to the business.

Workshop: Assessing your organization's privacy posture -- Privacy IT Score Workshop

Privacy is getting ever more complex. How do organizations know they are doing enough? How do they know they are not doing too much? Measuring privacy is an emerging discipline. In this workshop, we will introduce Gartner's ITScore assessment for privacy. Bring your laptop to run your own assessment.

Key Technologies for Boards of Directors: Compliance, Investigations and Defense

Directors Roundtable is a civic group which organizes the preeminent worldwide programming for Corporate Directors and their advisers. In cooperation with Gartner, this Directors Roundtable session brings together directors, chief risk officers, chief financial officers, chief legal officers, and IT executives for an expert seminar on the critical technology issues that must be addressed in order to support directors in their duties for oversight of corporate governance, risk management, and compliance, as well as to ensure that their enterprises are not subject to unanticipated liabilities.

Workshop: Vendor Risk Management

While companies can outsource sensitive data processes and services, they can never outsource responsibility for the associated risk. To manage risk and respond to evolving regulatory requirements, companies must carefully evaluate the security of the controls their service provider partners have in place. This session will explain Shared Assessments (www.sharedassessments.org), a member-driven, industry-standard body that injects speed, efficiency and cost savings into the service provider control assessment process. Shared Assessments Program members work together to eliminate redundancies and create efficiencies, giving all parties a standardized, consistent, faster, more rigorous, more efficient and less costly means of conducting security, privacy and business continuity assessments.

Workshop: Creating Key Risk Indicators for Your Company

This workshop follows the concepts from the session “Build a KRI Catalog to Link Risk and Security to Corporate Performance” to help you develop your own set of organization-specific KPIs and KRIs.
