The Tao of GRC
Danny Lieberman
CTO – Software Associates, Israel
Transcript of "Grc tao.4"

"I have heard of military operations that were clumsy but swift, but I have never seen one that was skillful and lasted a long time."
Master Sun (Chapter 2 – Doing Battle, The Art of War)

The Tao of GRC
• Practical
• Any business can cook
• Protect customers and comply more effectively with regulation.

Agenda
• The flavors of GRC
• Why GRC 1.0 is broken
• The Tao of GRC
• Why it works

3 flavors of GRC
• Government
• Industry
• Vendor-neutral standards

Government
• SOX, GLBA, HIPAA, EU Privacy, FDA
• Protect the consumer
• Top-down risk analysis

Industry
• PCI DSS 1.2
• Protect card associations
• No risk analysis

Vendor-neutral standards
• ISO 2700x
• Protect information assets
• Audit focus

GRC 1.0
• Big Enterprise Software
• "automate the workflow and documentation management associated with costly and complex GRC processes" (Sword, Oracle, CA, Gartner, Forrester)

Why GRC 1.0 is broken
• Fixed control structures
• Focusing on yesterday's threats

4 mistakes CIOs make
1. Focus on process while ignoring that hackers attack software
2. Label vendors as partners
3. Confuse business alignment with risk reduction

Both attackers and defenders have imperfect knowledge in making their decisions.

Mobile clinical assistants
• Mobile medical devices used by hospital radiologists had unplanned Internet access.
• Over 300 devices infected by Conficker and taken out of service.
• Regulatory requirements mandated that the impacted hospitals would have to wait 90 days before the systems could be modified to remove the infections and vulnerabilities.

The Tao of GRC

Step 1 - Adopt a standard language
The threat analysis base class: People, Threats, Methods

People entities
Decision makers
• Encounter threats that damage their assets
• Risk is part of running a business
Attackers
• Create threats & exploit vulnerabilities
• Fame, fortune, sales channel
Consultants
• Assess risk, recommend countermeasures
• Billable hours
Vendors
• Provide countermeasures
• Marketing rhetoric, pseudo science

Threat entities
• An attacker may exploit vulnerabilities to cause damage to assets.
• Security countermeasures mitigate vulnerabilities and reduce risk.
(Diagram entities: Attacker, Vulnerability, Countermeasures, Asset)

Example threat scenario
• Threat T3 – Malicious code may be used in order to exploit OS vulnerabilities and obtain patient information from mobile medical devices
• Vulnerability V3 – Unnecessary devices may be enabled
• Countermeasure C4 – Hardware toggle USB on
• Countermeasure C5 – Network isolation
• Countermeasure C6 – Software security assessment
(Diagram labels: Attackers; vulnerabilities: weak or well-known passwords, software defects, OS vulnerabilities; asset: ePHI)

Methods
• SetThreatProbability – estimated annual rate of occurrence of the threat
• SetThreatDamageToAsset – estimated damage to asset value as a percentage
• SetCountermeasureEffectiveness – estimated effectiveness as a percentage
• SetAssetValue, GetValueAtRisk – in Dollars/Euro/Rupee

Step 2 - Learn to speak fluently

Learn on the job
Vis-à-vis the regulator
• Understand what audit requirements count
Vis-à-vis your business
• Understand what threats count
• Prioritize
• Increase profits

Understand what threats count

Prioritize countermeasures

Step 3 - Go green
• Measure risk reduction in money
• Attention to root causes
• Recycle controls & policies
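
The threat-model entities and methods of step 1 (the Threat entities, Example threat scenario and Methods slides) and the money-based ranking of step 3 (Prioritize countermeasures, Measure risk reduction in money), as an added worked example. This is not code from the deck, from Software Associates or from PTA Technologies. The slides name the setters and GetValueAtRisk but not their arithmetic, so the following is assumed here: value at risk is asset value x damage fraction x annual rate of occurrence; countermeasures act independently, so each multiplies the residual risk by (1 - effectiveness); and each countermeasure carries an annual cost (a field the slides do not mention) so that reduction can be ranked per unit of money. The asset value, all figures, and the second threat T-pw are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    value: float  # SetAssetValue: in money (dollars, euro, rupee ...)


@dataclass
class Countermeasure:
    cid: str
    name: str
    effectiveness: float  # SetCountermeasureEffectiveness: fraction 0.0 .. 1.0
    cost: float           # assumed field: annual cost, same money unit as the asset


@dataclass
class Threat:
    tid: str
    description: str
    asset: Asset
    probability: float    # SetThreatProbability: estimated annual rate of occurrence
    damage: float         # SetThreatDamageToAsset: fraction of asset value lost per occurrence
    mitigated_by: List[str] = field(default_factory=list)  # ids of applicable countermeasures

    def value_at_risk(self) -> float:
        """GetValueAtRisk. Assumed formula: annualised expected loss, in money."""
        return self.asset.value * self.damage * self.probability

    def residual_risk(self, deployed: Dict[str, Countermeasure]) -> float:
        """Risk left once the deployed countermeasures that apply to this threat are in place.
        Assumption: countermeasures act independently, so their residual factors multiply."""
        factor = 1.0
        for cid in self.mitigated_by:
            if cid in deployed:
                factor *= 1.0 - deployed[cid].effectiveness
        return self.value_at_risk() * factor


def total_risk(threats: List[Threat], deployed: Dict[str, Countermeasure]) -> float:
    """Money at risk per year across the whole model for a given set of deployed countermeasures."""
    return sum(t.residual_risk(deployed) for t in threats)


def risk_reduction(threats: List[Threat], deployed: Dict[str, Countermeasure],
                   candidate: Countermeasure) -> float:
    """Money saved per year by adding `candidate` to what is already deployed."""
    trial = dict(deployed)
    trial[candidate.cid] = candidate
    return total_risk(threats, deployed) - total_risk(threats, trial)


def prioritize(threats: List[Threat],
               catalogue: Dict[str, Countermeasure]) -> List[Tuple[str, float, float]]:
    """Greedy plan: repeatedly pick the countermeasure with the best risk reduction per unit
    of cost, and stop as soon as the best remaining one would cost more than it saves.
    Returns (cid, yearly reduction in money, cost) in deployment order."""
    deployed: Dict[str, Countermeasure] = {}
    remaining = dict(catalogue)
    plan: List[Tuple[str, float, float]] = []
    while remaining:
        best = max(remaining.values(),
                   key=lambda c: risk_reduction(threats, deployed, c) / c.cost)
        gain = risk_reduction(threats, deployed, best)
        if gain <= best.cost:  # the slide's "measure risk reduction in money" as a stop rule
            break
        plan.append((best.cid, round(gain, 2), best.cost))
        deployed[best.cid] = best
        del remaining[best.cid]
    return plan


# Constructed sample model: the figures are made up for this example, not taken from the deck.
EPHI = Asset("ePHI on mobile clinical assistants", 2_000_000)

CATALOGUE = {
    "C4": Countermeasure("C4", "Hardware toggle USB", 0.60, 5_000),
    "C5": Countermeasure("C5", "Network isolation", 0.80, 50_000),
    "C6": Countermeasure("C6", "Software security assessment", 0.50, 80_000),
}

THREATS = [
    Threat("T3", "Malicious code exploits OS vulnerabilities to obtain patient information",
           EPHI, probability=0.5, damage=0.10, mitigated_by=["C4", "C5", "C6"]),
    # Hypothetical second threat, built from the "weak or well-known passwords" diagram label.
    Threat("T-pw", "Weak or well-known passwords let an attacker log in to a device",
           EPHI, probability=1.0, damage=0.05, mitigated_by=["C5"]),
]

if __name__ == "__main__":
    print(f"Value at risk, no countermeasures: {total_risk(THREATS, {}):,.0f}")
    for cid, saving, cost in prioritize(THREATS, CATALOGUE):
        print(f"deploy {cid}: saves {saving:,.0f}/year for {cost:,.0f}")
```

With these figures the plan deploys C4 first (the cheap USB toggle saves the most per unit of cost), then C5; C6 is left out because once C4 and C5 are in place the risk it would still remove (about 4,000 a year) is below its 80,000 cost. Changing the probability, damage or effectiveness estimates and re-running is the "recycle the threat model" loop from step 3 made concrete.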

Why the Tao of GRC works
• Threat models are transparent and recyclable.
• Transparency means more eyeballs can look at issues.
• Recycling & more eyeballs reduces cost.
• More eyeballs means safer products.
• Safer products means more revenue.

Acknowledgements
1. Michel Godet, for sharing his work reducing silos and creating reusable risk building blocks
2. Wlodek Grudzinski, for sharing his insights as a bank CEO and introducing me to Imperfect Knowledge Economics
3. My clients, for giving me the opportunity to teach them the language of threats.
4. My colleagues at PTA Technologies for doing a great job.