It’s Time to Rethink Everything: A Governance, Risk, and Compliance (GRC) Primer

Governance, Risk, & Compliance (GRC) is more than a catchy acronym – it is an approach to business culture. GRC is a three-legged stool that is necessary to effectively manage and steer the organization. This presentation will provide an introduction to GRC and discuss the collaboration and sharing of information, assessments, metrics, risks, policies, training, and losses across business roles and processes. GRC helps identify interrelationships in today’s complex and distributed business environment.

Transcript

    1. It’s Time to Rethink Everything: A Governance, Risk, and Compliance (GRC) Primer
       James Tarala, Enclave Security
    2. Problem Statement
       • News agencies are reporting new data breaches almost on a daily basis
       • Resources to protect information are limited
       • Senior executives have not engaged to protect data
       • What we’re doing to secure enterprises isn’t working
       • It’s time to rethink how we protect our data
       A Governance, Risk, & Compliance (GRC) Primer © Enclave Security 2011
    3. Proposed Solution: IT GRC
       • One proposed solution is a proactive program for GRC
       • When it comes to IT GRC, there are three primary components:
         – Governance
         – Risk
         – Compliance
    4. What is GRC (OCEG definition)?
       • A system of people, processes, and technology that enables an organization to:
         – Understand and prioritize stakeholder expectations
         – Set business objectives that are congruent with values and risks
         – Achieve objectives while optimizing its risk profile and protecting value
         – Operate within legal, contractual, internal, social, and ethical boundaries
         – Provide relevant, reliable, and timely information to appropriate stakeholders
         – Enable the measurement of the performance and effectiveness of the system
    5. IT Governance Defined
       • The Institute of Internal Auditors defines IT governance as follows:
         “Information Technology Governance consists of leadership, organizational structures, and processes that ensure the enterprise’s information technology sustains and supports the organization’s strategies and objectives.”
    6. Business, Strategy, & Risk
       • These three concepts walk hand in hand
       • Businesses are run via strategies
       • Strategies define and inspire business operations
       • Risk appetite and culture help to shape strategies
       • The three are a team; to understand which controls are appropriate for an organization, the interaction between these concepts must be understood
    7. A General Framework
       • Business goals lead to…
       • Strategy, which leads to…
       • Policies, which are implemented through…
       • Procedures, which are clarified by…
       • Standards & Guidelines, which necessitate…
       • Risk Management, which drives the re-evaluation of business goals
       • And so the cycle repeats
    8. Business Goals
       • An organization needs to understand why it exists
       • Once a business understands its purpose, it can determine which tools can help it reach its goals
       • Technology may be one of those tools
       • Technology is simply an enabler for business goals
       • Technology should never be implemented simply for the sake of new technology; there must be a business goal behind it
    9. Business Strategy Defined
       • BNET.com defines business strategy as:
         “a long-term approach to implementing a firm’s business plans to achieve its business objectives”
       • Also often referred to as the business’s:
         – Objectives / Goals
         – Vision / Mission
         – Etc.
    10. Defining / Documenting Strategy
       • Businesses have to document what their strategy is
       • Strategy is documented for clarity, for consistency, and to help educate workforce members
       • Different business gurus recommend different methods of documentation; some options include:
         – Mission statements
         – Vision statements
         – 3-, 5-, or 10-year plans
         – Strategic roadmaps
         – Etc.
    11. Influences on Strategy
       • A number of forces influence an organization’s strategy
       • These forces define the business and shape its plans
       • Some of these forces include:
         – Corporate culture
         – The competitive marketplace
         – Government / industry regulations
         – Individual executive personalities / goals
    12. Policies Defined
       • ISACA defines a policy as:
         “A document that records a high-level principle or course of action which has been decided upon. A policy’s intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise’s management teams.”
    13. Policy & Senior Executives
       • Policy is the result of documented business strategy
       • Senior executives are the ones who set strategy
       • Therefore senior executives should be the ones to charter policy-based initiatives
       • Senior executives do not have to write the policies, but they do need to approve them
       • Typically the IS Steering Committee is the group responsible for writing and recommending policy documents
    14. Policy Creation
       • Someone has to actually write the policies
       • The draft author should be someone who understands the issue being addressed and the relevant business goals
       • Do not be afraid to start with policy templates and build on other people’s work
       • Generally the drafting is done by a team delegated by the IS Steering Committee
       • Auditors can engage in the drafting process; doing so does not violate the spirit of auditor independence
    15. Necessary Policies in a Library
       • One of the first steps in creating or auditing policies is to generate a list of the policies that should be included in the policy library
       • Which policies should be documented in the library?
       • References to consider are:
         – The SANS Policy Project
         – Information Security Policies Made Easy (Wood)
         – T2P Policy Wiki
    16. Sample Information Security Policies
       • Some sample security policies to consider are:
         – Acceptable system use policy
         – Acceptable encryption policy
         – Remote network access policy
         – Data access authorization policy
         – User authentication policy
         – Network monitoring policy
         – Incident handling policy
         – Business continuity / disaster recovery policy
         – Physical security policy
    17. Consensus Audit Guidelines (CAG)
       • Known as the Consensus Audit Guidelines (CAG) and as the Twenty Critical Security Controls for Effective Cyber Defense
       • Released in 2009 by CSIS and the SANS Institute
       • A collaborative effort by over 100 US agencies and private-sector research groups
       • Its purpose is to “establish a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms”
    18. IT Governance Frameworks
       • There are two major frameworks used by auditors to assess IT governance:
         – ISACA’s Control Objectives for Information & Related Technologies (COBIT)
         – The IIA’s GTAG 15: Information Security Governance
    19. Using the Frameworks
       • These frameworks are meant to help your organization as it makes GRC decisions
       • Organizations should not attempt to write their own
       • When it comes to governance, pick a framework and use it as the foundation for your GRC program
       • Senior executives and all business owners should be on board with the decision
       • As you work through the following sections, use the framework you chose as the basis for answering the questions that are raised
    20. Formal Risk Management Models
       • Formal risk management models are the next step once an organization has followed the steps in the previous section
       • If an organization follows those steps but wants more from risk management, then a formal model makes sense
       • Organizations need to know why they are doing risk management and what they hope to achieve from it
       • What are the business objectives you hope to achieve?
    21. Formal vs. Ad Hoc Models
       • Ad hoc models: how organizations describe nonexistent, informal, or half-hearted risk programs
       • Formal models: defined, thoughtful methods of performing risk management
       • Formal models enable businesses to create a plan for managing risk in light of business strategies
       • If an organization is not using a formal model, it likely is not doing risk management
    22. Choosing the Right Risk Model
       • One of the more important risk management decisions an organization will make is which model to follow
       • The model an organization chooses:
         – Has to fit the culture of the organization
         – Has to be supported by executive management
         – Has to be consistent across all business units
         – Has to be used comprehensively
         – Has to be usable and produce valuable outputs
    23. Open Source / Free Risk Management Tools
       • SOMAP ORICO
       • Practical Threat Analysis (PTA) Professional
       • OSSIM Open Source SIEM
    24. SOMAP ORICO
       • Tool created by the Security Officers Management and Analysis Project (SOMAP)
       • The ORICO tool, as SOMAP describes it, “is the reference implementation of our OGRCM3 methodology and follows the risk assessment and analysis workflow as described in our Guide.”
       • There are two versions: a Windows desktop version and a Java/web-based version
       • The web version is the more fully functional of the two, with custom views for different business roles in an enterprise
    25. SOMAP ORICO Visualized (screenshot)
    26. PTA Professional
       • Practical Threat Analysis (PTA) for Information Security Professionals
       • In its own words, its role is to: “Identify system vulnerabilities, map system assets, assess the risk of the threats and define an effective risk mitigation plan for a specific system architecture, functionality and configuration.”
       • It is distributed as a Windows-based client application for managing this information
    27. PTA Professional Visualized (screenshot)
    28. OSSIM Open Source SIEM
       • Open Source Security Information Management (OSSIM)
       • Created and maintained by AlienVault
       • OSSIM’s self-described goal is to: “provide a comprehensive compilation of tools which, when working together, grant network/security administrators with a detailed view over each and every aspect of his or her networks, hosts, physical access devices, server, etc.”
       • Can be installed as a VMware appliance or by using an installer script to set up and configure each of the components
    29. OSSIM Visualized (screenshot)
    30. Problem Statement
       • News agencies are reporting new data breaches almost on a daily basis
       • Resources to protect information are limited
       • Senior executives have not engaged to protect data
       • What we’re doing to secure enterprises isn’t working
       • It’s time to rethink how we protect our data
    31. Further Questions
       • James Tarala
         – E-mail: james.tarala@enclavesecurity.com
         – Twitter: @isaudit, @jamestarala
         – Blog: http://www.enclavesecurity.com/blogs/
       • Resources for further study:
         – SANS Audit Program: Audit 407 Beta in Orlando (July)
         – 20 Critical Controls Project
         – The Balanced Scorecard (by Kaplan & Norton)
         – Security Metrics (by Andrew Jaquith)
