RSA Governance & Security Management

Many organizations are now acutely aware of the onslaught of publicly reported successful hacking attacks, as well as of significant breaches of information caused by internal process and people failures. To give companies the ability to make sound business judgments when these events occur, the events have to be expressed in the language of the business, and in real time. Whether it is a financially impacting event or a significant brand-risk incident, collecting the data and presenting it in a way that allows the Board to respond proactively and constructively is imperative. This session goes through the techniques for collecting the supporting information and providing business context immediately.

Published in: Technology, Business


  1. RSA Governance & Security Management. William O’Brien, IP Expo, 19 October 2011. © Copyright 2011 EMC Corporation. All rights reserved.
  2. Security Is Not Working
     • 91% of breaches led to data compromise within “days” or less
     • 79% of breaches took “weeks” or more to discover
     Source: Verizon 2011 Data Breach Investigations Report
  3. Your Approach Matters. “A lot of times people take a shotgun approach and they’re not focusing on exactly what they should. You have to have an eye on what the risk is and direct your program toward what you are protecting against.” Adam Rice, CISO, Tata Communications
  4. Poor Security Impacts Business
     Increased exposure to catastrophic loss:
     • Theft of trade secrets
     • Headline-making breaches
     • Fines and penalties
     Inhibited business objectives:
     • Virtualization
     • Product launches
     • New geographic markets
  5. The Language of GRC: the same concepts as each function names them (IT, Finance, Operations, Legal)
     Control: IT, strong passwords; Finance, segregation of duties; Operations, product testing; Legal, trademark
     Risk: IT, unauthorized access; Finance, fraud; Operations, unsatisfied customers; Legal, brand dilution
     Incident: IT, data breach; Finance, money missing from the cash drawer; Operations, high error rate; Legal, infringement
     Threat: IT, hacking; Finance, theft; Operations, ineffective tests; Legal, competitive
     Asset: IT, information; Finance, cash; Operations, quality; Legal, brand
  6. Decision-Making Needs a Process
     • Maturity Model: “Where are we going?”
     • Framework: “What do we need to consider?”
     • Strategic Plan: “How will we get there?”
     • Tactical Plan: “What are the milestones?”
  7. Security Management Maturity Model: where are we going? Each step is characterised by its approach, scope and technology.
     Step 1, Threat Defense: security is a “necessary evil”; reactive and decentralized; tactical point products.
     Step 2, Compliance and Defense-in-Depth: check-box mentality; data collected primarily for compliance; tactical threat defenses enhanced with layered security monitoring controls.
     Step 3, Risk-Based Security: proactive and assessment based; data collected to assess risk and detect advanced threats; security tools integrated with a common data and management platform.
     Step 4, Business-Oriented: security fully embedded in enterprise processes; data fully integrated with business context drives decision-making; security tools integrated with business tools.
  8. #1: Begin and End with Business Context. The Executive Committee, Audit Committee, Risk Committee, Legal, HR, etc. supply the business objectives, authoritative sources, policies and business criticality; these drive governance, which drives security management, which drives monitoring.
  9. #2: Follow an Integrated Framework Approach
     Business Governance: define business objectives; define business-level risk targets; define business-critical assets.
     Security Risk Management: understand the external and internal threat landscape; identify vulnerabilities in critical assets; prioritise and implement remediation projects.
     Operations Management: prioritise work by risk; add security controls where needed; maximise monitoring and visibility.
     Incident Management: identify security events; prioritise by business impact; report to business owners; reassess business risk and critical assets.
     Security management framework: ISO 27001. Risk management framework: ISO 31000.
  10. #3: Develop a Maturity Strategy. Where do you want to be in 3 years? Current (tactical) state → intermediate → desired (strategic) state:
     Business Governance: basic guidelines buried inside IT → security defined by business → security is part of every business process
     Security Risk Management: newspaper view of risk → follow industry practices → manage business-specific risks
     Operations Management: bare minimum tools → compliance-driven controls → risk-based controls and monitoring
     Incident Management: siloed monitoring → correlation and prioritization → advanced analytics
  11. Archer’s Approach to a GRC Framework
     • Archer Policy Management: centrally manage policies, map them to objectives and guidelines, and promote awareness to support a culture of corporate governance. Elements: corporate objectives, control standards, authoritative sources, policies, control procedures, exception requests, question library, metrics.
     • Archer Risk Management: identify risks to your business, evaluate them through online assessments and metrics, and respond with remediation or acceptance. Elements: risk register, loss events, quarterly assessments, risk review, findings, remediation plans.
     • Archer Compliance Management: document your control framework, assess design and operational effectiveness, and respond to policy and regulatory compliance issues. Elements: scoping, manual testing, automated test results.
     • Archer Enterprise Management: manage relationships and dependencies within your enterprise hierarchy and infrastructure to support GRC initiatives. Elements: devices, facilities, information, applications, business hierarchy, business processes, products/services.
  12. How We Do It: a system for managing security, risk and compliance. Business drivers sit at the top. Managing governance, risk and compliance means define policy, assess risk, and monitor / audit / report. Beneath that: collect and report, correlate, add context, map to controls. At the base, across identities, infrastructure and information: manage, monitor, detect, enforce.
  13. How We Do It: our suite for managing security, risk and compliance, driven by business context.
     • RSA Archer eGRC Suite: define policy, map to controls, assess compliance, report on risk.
     • RSA enVision (SIEM): monitor / audit / report, add context, correlate.
     • Identities / access: authentication (SecurID, Adaptive Authentication), provisioning (Access Manager, Federated Identity Manager), fraud prevention (FraudAction, Transaction Monitoring, eFraud Network, Identity Verification).
     • Infrastructure: Ionix configuration management, network security feeds, endpoint security feeds, infrastructure feeds, Cisco IronPort, Microsoft, partners.
     • Information: data loss prevention (DLP for datacenter, network and endpoint), encryption and tokenization (RKM, BSAFE, Tokenization, Microsoft RMS).
     Across all three layers: manage, monitor, detect, enforce.
  14. Proposed Solution: EMC Critical Incident Response Center, Bedford, MA
  15. Core Security Management Suite
     • RSA Archer eGRC, manage the enterprise: policy, risk, compliance, incidents, threats, reporting.
     • RSA NetWitness, network capture and analysis: real-time investigation, forensics, malware detection.
     • RSA DLP, protect sensitive data: datacenter, network, endpoint.
     • RSA enVision, event collection and analysis: collect all the data, alerting, forensic analysis, compliance reporting.
  16. Resources
     • RSA Security Management Solution Brief
     • Maturity Model Whitepaper (authored by ESG)
     • EMC Consulting Strategy Workshop
     • Archer/enVision/DLP/NetWitness product briefs
  17. Governance, Risk and Compliance
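The pipeline that slides 9 and 12 describe in prose (collect security events, add business context from the asset register, prioritise by business impact, report to business owners) is shown below as an added illustration written for this page. It is not code from the deck or from any RSA or EMC product. The asset register, the criticality scale, the alert line format, the category-to-control mapping, the impact threshold and the sample alerts are all constructed for the example; the point it makes is that a “critical” severity alert on a low-value build server ranks below a “medium” alert on the payments database once business criticality is applied, and that a host missing from the register is itself surfaced as a gap rather than silently dropped.

```python
"""Enrich SIEM-style alerts with business context and rank them by business impact.

Added example for this page, not RSA/EMC code. Every data item below is constructed.
"""
import re
from collections import defaultdict

# Constructed asset register standing in for an eGRC asset inventory
# (business criticality 1-5, owning business unit, supported process).
ASSET_REGISTER = {
    "db-pay-01":    {"process": "Card payments", "criticality": 5, "owner": "Finance"},
    "web-shop-02":  {"process": "Online store",  "criticality": 4, "owner": "Operations"},
    "dev-build-07": {"process": "Internal CI",   "criticality": 1, "owner": "IT"},
}

# Assumed criticality for hosts absent from the register: treated as medium,
# and the register gap is reported rather than hidden.
UNREGISTERED_CRITICALITY = 3

# Constructed mapping from alert category to the control family it exercises.
CONTROL_MAP = {
    "brute_force": "Access control / authentication",
    "malware":     "Malware protection",
    "data_exfil":  "Data loss prevention",
}

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed alert format: timestamp, key=value fields, quoted message.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) category=(?P<cat>\w+) '
    r'severity=(?P<sev>\w+) msg="(?P<msg>[^"]*)"$'
)


def parse_alert(line):
    """Return the alert fields, or None for a malformed line or an unknown severity."""
    m = ALERT_RE.match(line.strip())
    if not m or m.group("sev") not in SEVERITY:
        return None
    return m.groupdict()


def enrich(alert):
    """Attach owner, process and control, and score impact = severity x criticality."""
    asset = ASSET_REGISTER.get(alert["host"])
    if asset is None:
        asset = {"process": "unknown (not in asset register)",
                 "criticality": UNREGISTERED_CRITICALITY,
                 "owner": "Unassigned"}
    sev = SEVERITY[alert["sev"]]
    return {
        "ts": alert["ts"],
        "host": alert["host"],
        "process": asset["process"],
        "owner": asset["owner"],
        "control": CONTROL_MAP.get(alert["cat"], "Unmapped control"),
        "severity": sev,
        "criticality": asset["criticality"],
        "impact": sev * asset["criticality"],
        "msg": alert["msg"],
    }


def prioritize(lines):
    """Parse, enrich and rank alerts: highest business impact first, oldest first on ties."""
    enriched = [enrich(a) for a in map(parse_alert, lines) if a is not None]
    return sorted(enriched, key=lambda e: (-e["impact"], e["ts"]))


def report_by_owner(ranked, threshold):
    """Group events at or above the business-level impact threshold by the owner who must act."""
    report = defaultdict(list)
    for e in ranked:
        if e["impact"] >= threshold:
            report[e["owner"]].append(
                f'{e["host"]} ({e["process"]}): impact {e["impact"]}, '
                f'control: {e["control"]}, {e["msg"]}'
            )
    return dict(report)


# Constructed sample alerts, including one malformed line the parser must skip.
SAMPLE_ALERTS = [
    '2011-10-19T09:01:00Z host=dev-build-07 category=malware severity=critical msg="AV signature match on build agent"',
    '2011-10-19T09:02:30Z host=db-pay-01 category=brute_force severity=medium msg="120 failed logins in 5 minutes"',
    '2011-10-19T09:03:10Z host=web-shop-02 category=data_exfil severity=high msg="2 GB outbound transfer to new destination"',
    '2011-10-19T09:04:00Z host=lab-x-99 category=brute_force severity=low msg="3 failed logins"',
    'this line is not an alert',
]

if __name__ == "__main__":
    ranked = prioritize(SAMPLE_ALERTS)
    for e in ranked:
        print(e["impact"], e["host"], e["owner"], e["control"])
    print(report_by_owner(ranked, threshold=8))
```

The threshold passed to report_by_owner plays the role of the business-level risk target from slide 9: anything under it stays with operations, anything at or above it goes to the named business owner. Multiplying severity by criticality is the simplest scoring that makes the ordering depend on business context; a real deployment would take the criticality from the GRC asset inventory rather than a literal in the script.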