    Risk and Compliance Management Quick Start



    Quantify risk and protect your enterprise

    Understanding and managing risk is crucial to performance. Your operations and information are what make you tick. Risk these and your performance will suffer. Wherever you are with risk and compliance, the Risk and Compliance Management (R&CM) Quick Start can help. Our service will help you sharpen your focus and develop the right strategy.


    The fast track to improved risk management

    With pressure from governments, regulators and investors to demonstrate good practice in risk and compliance management (R&CM), the importance of getting it right is now recognised in every sector.

    Underpinning operational risk are threats and vulnerabilities to corporate and customer information. Protecting this information against deliberate or inadvertent compromise or loss is vital. You must also comply with key information security standards to maintain trust with customers, businesses and stakeholders.

    As operational and enterprise risk become interlinked, you must assess networked IT infrastructure risks in an enterprise business context. R&CM must achieve both corporate objectives and compliance requirements to become a value-creating part of the business rather than an overhead.

    Risk and Compliance Management Quick Start can help you:

    • Rapidly assess risk management procedures and develop improved practices.
    • Protect corporate and customer information against compromise and loss.
    • Comply with ISO27001 and Payment Cards Industry Data Security Standard (PCI DSS) obligations.
    • Improve accountability and corporate governance.
    • Reduce the cost and improve the accuracy of R&CM.
    • Better allocate your capital through understanding the trade-off between the cost of managing and treating risks.
    • Increase customer and stakeholder trust through visible diligence on information and data security.


    Minimise risk and improve efficiency – fast

    Risk and Compliance Management (R&CM) Quick Start enables you to:

    • Minimise loss by detecting risk exposures or controlling failures early, and ensuring that everyone is aware of their contribution to risk management and risk taking.
    • Protect your corporate and customer information from inadvertent or deliberate compromise or loss.
    • Increase trust with customers and stakeholders through diligent, visible and effective application of ISO27001 and PCI DSS information security standards.
    • Increase effectiveness and reduce the cost of compliance by automating processes and reducing manual audits.
    • Easily implement necessary alterations through the use of a single global control framework that can absorb change and adapt to new compliance directives.
    • Ensure your risk strategy remains sound by monitoring and managing your key risk areas on an ongoing basis.
    • Have confidence that you will mitigate risk, both now and in the future, with our full infrastructure support.

    The R&CM Quick Start brings together a suite of services that will help you understand, assess and prioritise activities in the key areas of:

    • Risk and Compliance Management: structured and pragmatic approach to establishing effective risk management and use of the BT Risk Cockpit™.
    • Information Assurance and Protection: practical steps to assess and reduce information leakage and risk.
    • ISO27001 compliance.
    • Payment Cards Industry Data Security Standard (PCI DSS) compliance.


    Stay ahead of the pack with BT

    The Risk and Compliance Management (R&CM) Quick Start has been designed to help you radically improve risk management and protect your customer and corporate information through relevant standards and specialised analysis of your information risk.

    Initially, we will complete a simple checklist on your current risk and compliance management status. This checklist enables you and your BT Account Manager to gauge where your strengths and weaknesses lie and choose the right mix of R&CM modules.

    The second step of the process includes one of two levels of engagement – depending on your current status and needs. In both levels, the aim is to identify the actions that will achieve the highest return and benefit for your organisation and offer you the means and support to make it happen.

    Level one: Workshop

    A workshop-based interactive discovery for customers looking to rapidly understand where they are and decide on the best strategy for their business:

    • Risk Management: BT will provide an overview of our approach to risk management and BT RiskPAL (Process and Activity Lifecycle). The workshop will identify key business processes and risk focus areas along with the key risk and compliance pain points and a vision for improved risk management.
    • Information Assurance and Protection: BT will provide an overview of information leakage/risk. You will gain a common understanding of your organisation’s information-centric risks and determine priorities for immediate action.
    • ISO27001 Compliance: BT will provide an overview of the ISO27001 standard and the impact for organisations. You will gain a common understanding of your organisation’s current security position and relevance of ISO27001 compliance.
    • Payment Cards Industry Data Security Standard (PCI DSS): BT will provide an overview of the PCI DSS standard and the impact for your organisation. You will gain an overview of your organisation’s current compliance position and scope of a full compliance assessment.

    The level one workshops each last one day with a report produced within one to two weeks.

    Level two: Assessment

    This is best suited to those organisations that require an independent assessment of their capability and compliance status across each selected strand of activity:

    • Risk Management: Will help you identify the most important risk areas in your business and where effective risk management will create the biggest benefits. It will help you significantly improve your ability to analyse, aggregate and exploit risk, control and compliance information with the BT Risk Cockpit™ or GRC suite (Governance, Risk and Compliance).
    • Information Assurance and Protection: Uses a range of focused tools, connected to the client’s network and/or servers, to gain an objective insight into the nature of any threats, quantify the risks and issues, and identify suitable treatments.
    • ISO27001 Compliance: BT’s qualified security consultants will conduct a risk assessment and compile the documentation set required for a Stage 1 ISO/IEC 27001 audit.
    • PCI DSS Compliance: Provides the foundation key stage to achieving PCI DSS compliance. A BT PCI QSA will examine your PCI environment (web applications, business processes and technology) using a combination of an ASV scan, interviews, documentation review and workshops to define the scope, objectives and engagement necessary to deliver full PCI DSS compliance and certification.

    Each level two assessment typically takes four to six weeks, involving around ten days on site, and can run in parallel with one another.

    End result

    You and your BT Account Manager will be able to establish the right mix of Risk and Compliance Management elements your organisation needs to introduce across all the strands of activity.

    Your organisation will be well placed to develop a full Risk and Compliance Management model to help you achieve the risk insight, compliance and operational excellence you require.


    Tailored applications for your organisation

    Following a thorough assessment of your current risk management processes, we will decide together on the deployment of one or more of the following services or applications. These are all offered as part of our innovative approach to risk management: the Risk Process and Activity Lifecycle. This was developed by BT and is based on the Deming cycle, which follows four stages: plan, do, check and act. The services and applications include:

    Risk Cockpit™: Provides the hub of the solution framework. It is a powerful web-based tool, connected to your enterprise and people, which enables you to view all areas of risk exposure and controls performance (through registers and dashboards, etc) at the touch of a button. This highly automated system can flag areas for immediate attention to ensure your organisation effectively deals with risk.

    Business Case: Provides a return on investment approach to the implementation of risk and compliance management phases and associated treatments.

    Information Discovery: A rapid and objective assessment of the disposition and quality of content on a selected number of file stores. This allows the organisation to assess the level of duplication, whether sensitive documents are being held inappropriately, and the overall quality and health of information in the enterprise.

    Information Leakage Detection: Focuses on email as the highest risk channel; provides monitoring facilities for outbound email traffic to spotlight policy violations and hidden threats. This can then be further developed to implement protective measures and extended to other risk channels.

    Database Activity Monitoring: Applications accessing core databases may be used to reveal and disseminate sensitive information – for example in an outsourced call centre. By characterising and monitoring the SQL queries into the database, inappropriate or suspicious transactions can be detected.

    Risk Policy Formulation: Helps create policies and the ability to maintain these policies in relation to regulatory changes.

    ISO27001 Compliance: Definition, execution and management of a full ISO27001 compliance and/or certification programme using BT’s highly efficient and proven Security Risk Assessment Methodology and toolset.

    PCI DSS Compliance: Definition, execution and management of a full PCI DSS compliance and certification programme using BT’s highly efficient and proven Structured PCI Methodology.

    Change Management: Provides management of risk environment, processes, resources and costs throughout the risk process and activity lifecycle.

    Regulatory Compliance Reporting: Supplies standard and de facto regulatory reporting templates in the BT Risk Cockpit™ to accelerate and ease the compliance process.

    Benchmarking: Offers the ability to track the effect of improvement plans over time and across different sectors. This leads on from the BT operational risk management Capability Maturity Model assessment.

    KRI/KPI Repository: Provides a central and local library management of key result indicator (KRI) and key performance indicator (KPI) definitions and rules in the BT Risk Cockpit™. This accelerates the risk and compliance management process.

    Loss History Warehouse: Supplies losses and near-misses used as supporting evidence to the assessment of risk and in calculating exposure in the BT Risk Cockpit™.

    At Risk Process Engineering: Enables the redesign and/or optimisation of existing processes and procedures that pose an operational risk.

    Horizon Scanning: Helps identify likely new risks and changes in risk profiles over the short, medium and long-term.

    Risk Treatments: These are BT products and services that mitigate risk, such as Managed Security, Business Continuity, and Information Management. This draws on the expertise and services from BT’s recent acquisitions such as BT Counterpane and BT INS.


    Manage the risks that matter

    The best performing businesses actively use risk and control information to maximise operational performance, minimise cost and drive competitive advantage through aligning operational and enterprise risk management into a common approach.

    Risk and Compliance Management is a top level priority for organisations everywhere. You may be entirely new to the area of risk management or simply looking to improve your existing processes.

    Choose Risk and Compliance Management Quick Start if you want to:

    • Introduce a realistic process to significantly enhance your risk management effectiveness.
    • Identify and understand your information risk.
    • Ensure alignment and/or compliance with key information and data security standards.
    • Boost cost-efficiencies within your organisation.
    • Ensure compliance and focus on the risks that matter through the construction of a tailored risk management infrastructure.
    • Receive an independent view of your organisation’s risk management capability, maturity, strengths and weaknesses.


    UK, Germany and France. Set to expand in 2009 to the US, Switzerland, Spain, Italy and the Asia Pacific region.


    Start right with BT

    Risk and Compliance Management is central to everything we do. BT has a long history of managing enterprise and operational risk and compliance across both customer and international IT infrastructure networks.

    Choose BT because:

    • The development of the BT Risk Cockpit™ and the associated risk and compliance capabilities framework marks a pioneering step by BT in the field of governance, risk and compliance.
    • We hold and maintain a significant number of ISO27001 certifications for our own operations and services, and are qualified PCI Standards Council Security Assessors (QSA) and Approved Scanning Vendors (ASV).
    • As well as securely managing our own 21 million customer records, we provide major strategic Information Management solutions for corporate and government customers.

    • We have a strong track record of implementing complex projects and programmes with major customers around the world. For example, we have designed and built the largest secure data warehouse in Europe for the NHS.
    • BT has won numerous industry awards, including the Best Compliance Company in the Telecoms Sector at the Compliance Register Awards in both 2005 and 2006.
    • BT’s extensive global reach provides a breadth and depth of coverage which few can rival. Our globally trusted network covers more than 170 countries across five continents.

