The RSCA Methodology


Risk, Security & Compliance Assessments (RSCA Methodology)
The RSCA approach is used to evaluate the current state of security and compliance activities for SOX remediation. It is a three-step methodology that has been implemented at many large corporations, such as Freddie Mac, Fannie Mae, Nextel and Verizon.
 
Planning and Data Collection:
Initial SOX assessments and management engagement. Identify and collect the data for mission-critical systems, including operating systems, applications, patch data, and other user and critical data. The team then compares the collected data against sets of established compliance templates. The results are analyzed and an RSCA report is developed to address the objectives of the remediation process.
 
Risk and Security Analysis:
Remediation items are broken down into action plans that can be scheduled, tracked and reported on. Each action plan is classified as critical or non-critical, major or minor effort, and short-range fix or long-range resolution. Each action plan also rates the risk to the security of corporate financials as high, medium or low; the risk may be to technical security or to business security.
 
Reporting:
This information is consolidated into an executive summary report that is reviewed with management on a monthly basis. Discussions are held to summarize findings, background issues, methods of improvement, and immediate and long-term remediation methods, including highlights of compliance with IT best practices and government regulations (not just SOX, where applicable). The action plan includes a roadmap illustrating a systematic approach to securing and remediating risk exposures across the enterprise.
 
These reports can then be summarized at a higher level for presentation to senior management and the corporation's board of directors.
 
Resource Data:
There are many tools on the market that assist with the identification, tracking and reporting of RSCA items:
  • Paisley's Risk Navigator (Recommended)
  • Configuresoft's RSCA(TM) - Rapid Security Configuration Assessment