It’s Time to Rethink Everything:
A Governance, Risk, and Compliance (GRC) Primer

James Tarala, Enclave Security
Problem Statement
• News agencies are reporting new data breaches
  almost on a daily basis
• Resources to protect information are limited
• Senior executives have not engaged to protect data

• What we’re doing to secure enterprises isn’t working
• It’s time to rethink how we protect our data

         A Governance, Risk, & Compliance (GRC) Primer © Enclave Security 2011
Proposed Solution - IT GRC
• One proposed solution therefore would be a proactive
  program for GRC
• When it comes to IT GRC, there are three primary
  components:
   – Governance
   – Risk
   – Compliance

What is GRC (OCEG definition)?
• A system of people, processes, and technology that
  enables an organization to:
   – Understand and prioritize stakeholder expectations
   – Set business objectives that are congruent with values and risks
   – Achieve objectives while optimizing risk profile and protecting
     value
   – Operate within legal, contractual, internal, social, and ethical
     boundaries
   – Provide relevant, reliable, and timely information to appropriate
     stakeholders
   – Enable the measurement of the performance and effectiveness of
     the system

IT Governance – Defined
• The Institute of Internal Auditors defines IT Governance as the
  following:
       “Information Technology Governance consists of
       leadership, organizational structures, and processes
       that ensure the enterprise’s information technology
       sustains and supports the organization’s strategies and
       objectives.”

Business, Strategy, & Risk
• These three concepts definitively walk hand in hand
• Businesses are run via strategies
• Strategies define & inspire business operations
• Risk appetite & culture help to influence strategies

• The three are a team, and to understand which controls are
  appropriate for an organization, the interaction between
  these concepts must be understood

A General Framework
• Business goals lead to…
• Strategy, which leads to…
• Policies, which are defined by…
• Procedures, which are clarified by…
• Standards & Guidelines, which necessitate…
• Risk Management, which causes the re-evaluation of business
  goals
• And so the process repeats

Business Goals
• An organization needs to understand why they exist
• Once a business understands their purpose, they can
  determine which tools can assist them to reach their goals
• Technology may be one of those tools

• Technology is simply an enabler for business goals
• Technology should never be implemented simply for the sake
  of new technology – there must be a business goal

Business Strategy – Defined
• BNET.com defines business strategy as:

   “a long-term approach to implementing a firm's business
   plans to achieve its business objectives”

• Also often known as business:
   – Objectives / Goals
   – Vision / Mission
   – Etc, etc…

Defining / Documenting Strategy
• Somehow businesses have to document what their strategy is
• These are documented for clarity, consistency, and to help
  educate workforce members
• Different business gurus recommend different methods of
  documentation; some options include:
   – Mission statements
   – Vision statements
   – 3 / 5 / 10 year plans
   – Strategic roadmaps
   – Etc

Influences to Strategy
• There are a number of forces which influence an
  organization’s strategy
• These forces define the business & shape their plans

• Some forces include:
   – Corporate culture
   – The competitive marketplace
   – Government / industry regulations
   – Individual executive personalities / goals

Policies – Defined
• ISACA defines a policy as:

   “A document that records a high-level principle or course of
   action which has been decided upon. A policy’s intended
   purpose is to influence and guide both present and future
   decision making to be in line with the philosophy, objectives
   and strategic plans established by the enterprise’s
   management teams.”

Policy & Senior Executives
• Policy is the result of documented business strategy
• Senior executives are the ones to set strategy
• Therefore senior executives should be the ones to charter
  policy-based initiatives

• Senior executives do not have to write the policies, but they
  do need to approve of the policies
• Typically the IS Steering Committee is the group with the
  responsibility to write & recommend policy documents

Policy Creation
• Someone has to actually write the policies though
• The draft author should be someone who understands the
  issue being addressed & relevant business goals
• Do not be afraid to start with policy templates & build off of
  other people’s work
• Generally the drafting process is done by a team, delegated by
  the IS Steering Committee

• Auditors certainly can engage in the drafting process – it does
  not violate the spirit of auditor independence

Necessary Policies in a Library
• One of the first steps in creating or auditing policies is to
  generate a list of policies that should be included in the policy
  library
• What policies should be documented in the library?

• References to consider are:
   – The SANS Policy Project
   – Information Security Policies Made Easy (Wood)
   – T2P Policy Wiki

Sample Information Security Policies
• Some sample security policies to consider are:
   – Acceptable system use policy
   – Acceptable encryption policy
   – Remote network access policy
   – Data access authorization policy
   – User authentication policy
   – Network monitoring policy
   – Incident handling policy
   – Business continuity / disaster recovery policy
   – Physical security policy

Consensus Audit Guidelines (CAG)
• Known as Consensus Audit Guidelines (CAG) and as the
  Twenty Critical Security Controls for Effective Cyber Defense
• Released in 2009 by CSIS and the SANS Institute
• Collaborative effort by over 100 US agencies & private sector
  research groups
• Purpose is to “establish a prioritized baseline of information
  security measures and controls that can be continuously
  monitored through automated mechanisms”

IT Governance Frameworks
• There are two major frameworks that are used by auditors to
  assess IT governance:

   – ISACA’s Control Objectives for Information & Related
     Technologies (COBIT)
   – IIA’s GTAG 15: Information Security Governance

Using the Frameworks
• These frameworks are meant to be a help for your
  organization as you make GRC decisions
• Organizations should not attempt to write their own
• When it comes to governance, pick a framework and use it as
  the foundation for your GRC program
• Senior executives and all business owners should be on board
  with the decision
• Then, as you go through the following sections, use the
  framework you chose as the basis for answering the questions
  that are raised

Formal Risk Management Models
• Formal risk management models are meant to be the next
  step after an organization follows the steps from the previous
  section
• If an organization follows those steps, but wants more from
  risk management, then a formal model makes sense
• Organizations need to know why they are doing risk
  management & what they hope to achieve from it

• What are the business objectives you hope to achieve?

Formal vs. Ad hoc Models
• Ad hoc models – how organizations will describe nonexistent,
  informal, or half-hearted risk programs
• Formal models – defined, thoughtful methods of performing
  risk management

• Formal models enable businesses to create a plan for
  managing risk in light of business strategies

• If an organization is not using a formal model, they likely are
  not doing risk management

Choosing the Right Risk Model
• One of the more important risk management decisions an
  organization will make is which model to follow

• The model an organization chooses:
   – Has to fit the culture of the organization
   – Has to be supported by executive management
   – Has to be consistent across all business units
   – Has to be used comprehensively
   – Has to be useable and produce valuable outputs

Open Source / Free Risk Mgmt Tools
• SOMAP ORICO
• Practical Threat Analysis (PTA) Professional
• OSSIM Open Source SIEM

SOMAP ORICO
• Tool created by the Security Officers Management and
  Analysis Project (SOMAP)
• The ORICO tool, self-described by SOMAP:
   “is the reference implementation of our OGRCM3
   methodology and follows the risk assessment and analysis
   workflow as described in our Guide.”

• There are two versions, a Windows desktop version and a Java
  / web based version
• The web version is the more fully functional version with
  custom views for different business roles in an enterprise

SOMAP ORICO Visualized

PTA Professional
• Practical Threat Analysis (PTA) for Information Security
  Professions
• Self-described, its role is to:
   “Identify system vulnerabilities, map system assets, assess the
   risk of the threats and define an effective risk mitigation plan
   for a specific system architecture, functionality and
   configuration.”

• It is distributed as a Windows-based client application for
  managing this information

PTA Professional Visualized

OSSIM Open Source SIEM
• Open Source Security Information Management (OSSIM)
• Created & maintained by Alienvault
• OSSIM’s goal, self-described, is to:
   “provide a comprehensive compilation of tools which, when
   working together, grant network/security administrators with a
   detailed view over each and every aspect of his or her networks,
   hosts, physical access devices, server, etc.”

• Can be installed as a VMware appliance or by using an installer
  script to set up & configure each of the components

OSSIM Visualized

Problem Statement
• News agencies are reporting new data breaches
  almost on a daily basis
• Resources to protect information are limited
• Senior executives have not engaged to protect data

• What we’re doing to secure enterprises isn’t working
• It’s time to rethink how we protect our data

Further Questions
• James Tarala
   – E-mail: james.tarala@enclavesecurity.com
   – Twitter: @isaudit, @jamestarala
   – Blog:    http://www.enclavesecurity.com/blogs/

• Resources for further study:
   – SANS Audit Program – Audit 407 Beta in Orlando (July)
   – 20 Critical Controls Project
   – The Balanced Scorecard (by Kaplan & Norton)
   – Security Metrics (by Andrew Jaquith)


08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

Recently uploaded (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

It’s Time to Rethink Everything: A Governance, Risk, and Compliance (GRC) Primer (slide transcript)

1. It’s Time to Rethink Everything: A Governance, Risk, and Compliance (GRC) Primer
James Tarala, Enclave Security

2. Problem Statement
• News agencies are reporting new data breaches almost on a daily basis
• Resources to protect information are limited
• Senior executives have not engaged to protect data
• What we’re doing to secure enterprises isn’t working
• It’s time to rethink how we protect our data
A Governance, Risk, & Compliance (GRC) Primer © Enclave Security 2011

3. Proposed Solution - IT GRC
• One proposed solution therefore would be a proactive program for GRC
• When it comes to IT GRC, there are three primary components:
  – Governance
  – Risk
  – Compliance

4. What is GRC (OCEG definition)?
• A system of people, processes, and technology that enables an organization to:
  – Understand and prioritize stakeholder expectations
  – Set business objectives that are congruent with values and risks
  – Achieve objectives while optimizing risk profile and protecting value
  – Operate within legal, contractual, internal, social, and ethical boundaries
  – Provide relevant, reliable, and timely information to appropriate stakeholders
  – Enable the measurement of the performance and effectiveness of the system

5. IT Governance – Defined
• The Institute of Internal Auditors defines IT Governance as the following:
  “Information Technology Governance consists of leadership, organizational structures, and processes that ensure the enterprise’s information technology sustains and supports the organization’s strategies and objectives.”

6. Business, Strategy, & Risk
• These three concepts definitively walk hand in hand
• Businesses are run via strategies
• Strategies define & inspire business operations
• Risk appetite & culture help to influence strategies
• The three are a team, and to understand which controls are appropriate for an organization, the interaction between these concepts must be understood

7. A General Framework
• Business goals lead to…
• Strategy, which leads to…
• Policies, which are defined by…
• Procedures, which are clarified by…
• Standards & Guidelines, which necessitate…
• Risk Management, which causes the evaluation of business goals
• And so the process repeats

8. Business Goals
• An organization needs to understand why it exists
• Once a business understands its purpose, it can determine which tools can assist it in reaching its goals
• Technology may be one of those tools
• Technology is simply an enabler for business goals
• Technology should never be implemented simply for the sake of new technology – there must be a business goal

9. Business Strategy – Defined
• BNET.com defines business strategy as: “a long-term approach to implementing a firm's business plans to achieve its business objectives”
• Also often known as business:
  – Objectives / Goals
  – Vision / Mission
  – Etc, etc…

10. Defining / Documenting Strategy
• Somehow businesses have to document what their strategy is
• These are documented for clarity, consistency, and to help educate workforce members
• Different business gurus recommend different methods of documentation; some options include:
  – Mission statements
  – Vision statements
  – 3 / 5 / 10 year plans
  – Strategic roadmaps
  – Etc

11. Influences to Strategy
• There are a number of forces which influence an organization’s strategy
• These forces define the business & shape their plans
• Some forces include:
  – Corporate culture
  – The competitive marketplace
  – Government / industry regulations
  – Individual executive personalities / goals

12. Policies – Defined
• ISACA defines a policy as: “A document that records a high-level principle or course of action which has been decided upon. A policy’s intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise’s management teams.”

13. Policy & Senior Executives
• Policy is the result of documented business strategy
• Senior executives are the ones to set strategy
• Therefore senior executives should be the ones to charter policy based initiatives
• Senior executives do not have to write the policies, but they do need to approve of the policies
• Typically the IS Steering Committee is the group with the responsibility to write & recommend policy documents

14. Policy Creation
• Someone has to actually write the policies though
• The draft author should be someone who understands the issue being addressed & relevant business goals
• Do not be afraid to start with policy templates & build off of other people’s work
• Generally the drafting process is done by a team, delegated by the IS Steering Committee
• Auditors certainly can engage in the drafting process – it does not violate the spirit of auditor independence

15. Necessary Policies in a Library
• One of the first steps in creating or auditing policies is to generate a list of policies that should be included in the policy library
• What policies should be documented in the library?
• References to consider are:
  – The SANS Policy Project
  – Information Security Policies Made Easy (Wood)
  – T2P Policy Wiki

16. Sample Information Security Policies
• Some sample security policies to consider are:
  – Acceptable system use policy
  – Acceptable encryption policy
  – Remote network access policy
  – Data access authorization policy
  – User authentication policy
  – Network monitoring policy
  – Incident handling policy
  – Business continuity / disaster recovery policy
  – Physical security policy

17. Consensus Audit Guidelines (CAG)
• Known as Consensus Audit Guidelines (CAG) and as the Twenty Critical Security Controls for Effective Cyber Defense
• Released in 2009 by CSIS and the SANS Institute
• Collaborative effort by over 100 US agencies & private sector researcher groups
• Purpose is to “establish a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms”

18. IT Governance Frameworks
• There are two major frameworks that are used by auditors to assess IT governance:
  – ISACA’s Control Objectives for Information & Related Technologies (COBIT)
  – IIA’s GTAG 15: Information Security Governance

19. Using the Frameworks
• These frameworks are meant to be a help for your organization as you make GRC decisions
• Organizations should not attempt to write their own
• When it comes to governance, pick a framework and use it as the foundation for your GRC program
• Senior executives and all business owners should be on board with the decision
• As you work through the following sections, use the framework you chose as the basis for answering the questions that are raised

20. Formal Risk Management Models
• Formal risk management models are meant to be the next step after an organization follows the steps from the previous section
• If an organization follows those steps, but wants more from risk management, then a formal model makes sense
• Organizations need to know why they are doing risk management & what they hope to achieve from it
• What are the business objectives you hope to achieve?

21. Formal vs. Ad hoc Models
• Ad hoc models – how organizations will describe nonexistent, informal, or half-hearted risk programs
• Formal models – defined, thoughtful methods of performing risk management
• Formal models enable businesses to create a plan for managing risk in light of business strategies
• If an organization is not using a formal model, it likely is not doing risk management

22. Choosing the Right Risk Model
• One of the more important risk management decisions an organization will make is which model to follow
• The model an organization chooses:
  – Has to fit the culture of the organization
  – Has to be supported by executive management
  – Has to be consistent across all business units
  – Has to be used comprehensively
  – Has to be usable and produce valuable outputs

23. Open Source / Free Risk Mgmt Tools
• SOMAP ORICO
• Practical Threat Analysis (PTA) Professional
• OSSIM Open Source SIEM

24. SOMAP ORICO
• Tool created by the Security Officers Management and Analysis Project (SOMAP)
• The ORICO tool, self-described by SOMAP: “is the reference implementation of our OGRCM3 methodology and follows the risk assessment and analysis workflow as described in our Guide.”
• There are two versions, a Windows desktop version and a Java / web based version
• The web version is the more fully functional version with custom views for different business roles in an enterprise

25. SOMAP ORICO Visualized (screenshot slide)

26. PTA Professional
• Practical Threat Analysis (PTA) for Information Security Professionals
• Self-described, its role is to: “Identify system vulnerabilities, map system assets, assess the risk of the threats and define an effective risk mitigation plan for a specific system architecture, functionality and configuration.”
• It is distributed as a Windows based client application for managing this information

27. PTA Professional Visualized (screenshot slide)

28. OSSIM Open Source SIEM
• Open Source Security Information Management (OSSIM)
• Created & maintained by AlienVault
• OSSIM’s goal, self-described, is to: “provide a comprehensive compilation of tools which, when working together, grant network/security administrators with a detailed view over each and every aspect of his or her networks, hosts, physical access devices, server, etc.”
• Can be installed as a VMware appliance or by using an installer script to set up & configure each of the components

29. OSSIM Visualized (screenshot slide)

30. Problem Statement
• News agencies are reporting new data breaches almost on a daily basis
• Resources to protect information are limited
• Senior executives have not engaged to protect data
• What we’re doing to secure enterprises isn’t working
• It’s time to rethink how we protect our data

31. Further Questions
• James Tarala
  – E-mail: james.tarala@enclavesecurity.com
  – Twitter: @isaudit, @jamestarala
  – Blog: http://www.enclavesecurity.com/blogs/
• Resources for further study:
  – SANS Audit Program – Audit 407 Beta in Orlando (July)
  – 20 Critical Controls Project
  – The Balanced Scorecard (by Kaplan & Norton)
  – Security Metrics (by Andrew Jaquith)


Editor's Notes

1. Governance, Risk, & Compliance (GRC) is more than a catchy acronym – it is an approach to business culture. GRC is a three-legged stool that is necessary to effectively manage and steer the organization. This presentation will provide an introduction to GRC and discuss the collaboration and sharing of information, assessments, metrics, risks, policies, training, and losses across business roles and processes. GRC helps identify interrelationships in today’s complex and distributed business environment.