GRC 20/20 Research awarded LockPath its 2013 GRC Value award in the IT & Information Risk, Security, and Compliance category. A leading manufacturer of medical devices recently extended its use of LockPath's Keylight platform, including several applications. During the first year, the implementation has meant an 80 percent reduction in IT audit preparation time with five weeks of work reduced to one week, improved clarity and efficiency related to security functions, and improved insight companywide through dashboards and reports.
The manufacturer of medical devices recently extended their use of LockPath's Keylight platform, including the Risk Manager (Rm) and Compliance Manager (Cm) applications, as well as its Audit Manager (Am), Security Manager (Sm) applications, for streamlining internal and external audit processes, as well as operational control environment. They now have linkages to all of this data (vulnerabilities, audits) to assets, which is expected to unlock further valuable insight.
A disparate system with poor visibility
Prior to the LockPath implementation the organization's audits were managed on a SharePoint site, using spreadsheets, emails and individual or manual item tracking. No direct numbers were available, other than through spreadsheet manipulation. Vulnerabilities, penetration tests and Web application assessments were all maintained as separate efforts and tracked separately, without historical linkage or other insight. The company rarely had a solid view of GRC, and results were rarely reported or even visible to leadership.
Internal security teams managed tracking of audit requests to internal controls, and all communication between the organizations personnel and external auditors. The last midterm audit consumed the corporate team of two for six weeks or more, in addition to other teams at each location.
Adding safety and accountability, application-by-application
The medical device manufacturer first purchased Rm and Cm to manage control activities of one division, to map policies to requirements and to manage risk tracking and exceptions. Next, they added the Sm application, and more recently nearly automated management of its vulnerability management process, cataloged its assets and tagged them with responsible owners, and provided a near-real time dashboard for its risk posture. The organization has also included its Web apps and penetration tests from this year and the past two years into the system to track back findings and systems to historical information. The workflow transitions phases of vulnerability, alerts owners of any need to remediate, automatically reminds them if a task overdue, and automatically verifies a completed patch.
In late August of 2013, while preparing for a sizable (1,300-item) roll-forward audit, the organization quickly added Am to handle external audit requests. In only days, they entered these requests via an upload file, and set up their external audit team with specialized Keylight accounts that allowed it to review responses. Using built-in workflow, employees are alerted to items that require a response; and auditors receive notifications when requests were submitted for review. This eliminates inefficient back-and-forth dialog that typically accompanies an audit. A single dashboard allowed many views of audit progress and breakdowns providing real-time tracking and brand new insight.
The new LockPath system has enabled this medical device manufacturer to:
- Save at least 10 weeks of corporate-internal personnel time managing the audit (two people at five weeks consumed time).
- Save billing time from the external auditors on nonvalue transactions and coordination.
- Shorten audit duration and speed results since they are directly available, and automatically turn into a remediation project with tasks.
- Avoid costs associated with exploited vulnerabilities.
Qualitatively, staff feels the system has meant:
- Reduction in risks that result in fines, litigation and reputation loss.
- A shift to highly productive and effective tasks such as detailed analysis and discovery of opportunities, business efficiencies and true risk-analysis.
- Audits can be managed by a central group of administrators for all locations.
- Efficiency across all audit participants, improved morale and better cooperation.
- Multiple views of real-time information and can be presented as desired via dashboards.
- Better leadership confidence of management and direct insight via dashboards and tracking.
Expected benefits, five years on
This organization expects to add additional audit tasks due to increased efficiency, expanding analysis and consulting provided by its internal audit team, and also expects reduction in negative findings and remediation required from external audits, and increased opportunities recommended by internal audit team, resulting in fraud reduction, risk reduction and additional cost savings.
Enhanced security features are expected to provide improved efficiency and operations of the control environment. Security analyst work is just a fraction of what the work used to be, since it is a matter of running the tools and adding the output to the GRC system for any of several operational tasks. This means more can be done done as a team and a view can be continually maintained into organizational effectiveness through the reporting inherent in the tool.
To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients