Governance: a mandate for the data-driven enterprise
Organizations are increasingly recognizing the value of corporate data as a resource and consequently are focusing more on governance of that data. Governance includes keeping track of who owns which data, deciding what needs to be retained and for how long, and ensuring that it is protected. In that context, governance is a component of risk management; in addition, knowing certain things about management of the data is essential to compliance. Governance can also cover processes to ensure they meet the needs of the organization, do not create risks and comply with internal guidelines and external regulations.
The highly competitive online social games market is estimated at nearly $2 billion in 2015 and is predicted to exceed $2.4 billion by 2020. Social gaming is an international business, with Asia being the largest market, already having exceeded $2 billion and with about half a billion active monthly users. Governance of the financial, legal and customer data in those businesses is a major undertaking.
One major provider of social video games has 20 million daily users and 240 million monthly active users. The games work in standalone mode on mobile phone platforms and on the Internet through the company’s website and social media networks such as Facebook. The customer base is global, and the environment is both competitive and dynamic.
Like any business, the company needs to govern its organization to be in compliance with financial and legal regulations and to ensure that business risks are appropriately managed. Initially, the company was using spreadsheets and Google Docs to manage compliance and risk operations, but those products did not provide sufficient tracking ability, nor did they consolidate information centrally, which raised the possibility of losing information or omitting some of it from the required analyses.
The company began looking into governance, risk and compliance (GRC) solutions and found that some were too complex or required expensive customization. The senior security and risk analyst of the gaming company sought a product that fit the company’s unique requirements and could be easily tailored to fit its specific processes. In the course of doing research, the analyst discovered Keylight, a GRC platform from LockPath. Interactions with LockPath were positive, and the demo indicated that Keylight provided the functionality that the company needed.
After providing a short training program, LockPath brought its QuickStart program into the company and developed four pilot programs. The first was for control documentation, including the policies that direct activities and standards, and workflow approval. One was for third-party vendor risk assessment, another for incident management and a final one for security management processes. The applications were then tested by employees, who provided feedback about features they liked or disliked. The company was impressed by the speed of implementation: as a cloud application, Keylight was easy to test and quick to launch.
Those applications were then phased into a production environment, and the policies, procedures and playbooks were brought into the Keylight solution. The transition provided workflow processes to which the company had never had access before, according to the senior security risk analyst who was directing the implementation. For example, documents could be placed in review within a defined period of time, with automatic notifications sent to the document owners. Some of the policies, such as acceptable use, were enterprise-wide, while others were specific to a particular department.
In the past, vendor assessment had not been done in a consistent manner, but with Keylight, the assessments were standardized. A scale of risks was developed and evaluated for each vendor. Now the vendor risk is assessed in a more systematic way, with the scores tabulated automatically.
In addition, Keylight consolidates input from several security products, including Check Point and Nessus, and presents it in a dashboard. Those products detect potential vulnerabilities and attacks such as distributed denial of service (DDoS), a significant threat to video games that rely on connectivity. Keylight automatically categorizes the incidents, and the appropriate notifications and alerts are sent out.
Having all the information related to governance, risk and compliance documented and readily available helps not only from an operational viewpoint but also with audits, according to the company’s risk analyst. The historical information about when the document was last reviewed, along with any ensuing changes, is provided within the document. In the future, the company plans to use Keylight to support its business continuity plan and to put in place analytics for two-level management.