The Tao of GRC
Danny Lieberman, CTO, Software Associates, Israel

"I have heard of military operations that were clumsy but swift, but I have never seen one that was skillful and lasted a long time." Master Sun (Chapter 2, Doing Battle, The Art of War)

The Tao of GRC: practical. Any business can cook. Protect customers and comply with regulation more effectively.
Agenda
The flavors of GRC
Why GRC 1.0 is broken
The Tao of GRC
Why it works

3 flavors of GRC: government, industry, vendor-neutral standards

Government: SOX, GLBA, HIPAA, EU Privacy, FDA. Protects the consumer. Top-down risk analysis.
Industry: PCI DSS 1.2. Protects the card associations. No risk analysis.
Vendor-neutral standards: ISO 2700x. Protects information assets. Audit focus.
GRC 1.0 is big enterprise software that promises to "automate the workflow and documentation management associated with costly and complex GRC processes" (Sword, Oracle, CA; Gartner, Forrester).

Why GRC 1.0 is broken: fixed control structures, focusing on yesterday's threats.

4 mistakes CIOs make
Focus on process while ignoring that hackers attack software
Label vendors as partners
Confuse business alignment with risk reduction
Both attackers and defenders have imperfect knowledge in making their decisions.

Mobile clinical assistants: mobile medical devices used by hospital radiologists had unplanned Internet access. Over 300 devices were infected by Conficker and taken out of service. Regulatory requirements meant the affected hospitals had to wait 90 days before the systems could be modified to remove the infections and the vulnerabilities.

An attacker may exploit vulnerabilities to cause damage to assets.
Security countermeasures mitigate vulnerabilities and reduce risk.
Example threat scenario
Threat T3: malicious code may be used to exploit OS vulnerabilities and obtain patient information from mobile medical devices
Vulnerability V3: unnecessary devices may be enabled
Countermeasure C4: hardware toggle, USB on
Countermeasure C5: network isolation
Countermeasure C6: software security assessment

Methods
SetThreatProbability: estimated annual rate of occurrence of the threat
SetThreatDamageToAsset: estimated damage to the asset value, as a percentage
SetCountermeasureEffectiveness: estimated effectiveness, as a percentage
SetAssetValue, GetValueAtRisk: in dollars, euro or rupees

Step 3: go green. Measure risk reduction in money. Pay attention to root causes. Recycle controls and policies.
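The method list above (SetThreatProbability, SetThreatDamageToAsset, SetCountermeasureEffectiveness, SetAssetValue, GetValueAtRisk) and the "measure risk reduction in money" step are easiest to see in running code. The following is an added example written for this page; it is not code from the deck or from PTA Technologies. It implements those methods as a small model, loads the slide's T3 / V3 / C4-C6 scenario, and computes value at risk before and after countermeasures. The asset value, annual rate, damage percentage, effectiveness percentages and countermeasure costs are invented figures, and the rule that independent countermeasures' residual shares multiply is an assumption of this example, not something the slides state.

```python
"""Quantitative threat model with the setters and getter the slide lists.

Risk is measured in money.  For one threat,
    value at risk = asset value * damage share * annual rate * residual
where residual is the share of damage the applied countermeasures do not
stop.  Countermeasures are treated as independent, so their residual shares
multiply; that rule and every figure below are assumptions of this example.
"""
from dataclasses import dataclass, field


@dataclass
class Countermeasure:
    ident: str
    description: str
    effectiveness: float = 0.0  # share of the threat's damage it stops, 0..1
    annual_cost: float = 0.0    # assumed yearly running cost, same currency as assets


@dataclass
class Threat:
    ident: str
    description: str
    asset: str                  # name of the asset the threat damages
    probability: float = 0.0    # estimated annual rate of occurrence (ARO)
    damage: float = 0.0         # share of the asset value lost per occurrence
    countermeasures: list = field(default_factory=list)  # ids applied to this threat


def _fraction(percent):
    """Validate a percentage from the UI and turn it into a 0..1 share."""
    if not 0 <= percent <= 100:
        raise ValueError("expected a percentage between 0 and 100")
    return percent / 100.0


class ThreatModel:
    def __init__(self):
        self.asset_values = {}     # asset name -> value in money
        self.threats = {}          # threat id -> Threat
        self.countermeasures = {}  # countermeasure id -> Countermeasure

    # Setters named after the slide's method list.
    def set_asset_value(self, asset, value):
        self.asset_values[asset] = float(value)

    def set_threat_probability(self, threat_id, annual_rate):
        if annual_rate < 0:
            raise ValueError("annual rate of occurrence cannot be negative")
        self.threats[threat_id].probability = float(annual_rate)

    def set_threat_damage_to_asset(self, threat_id, percent):
        self.threats[threat_id].damage = _fraction(percent)

    def set_countermeasure_effectiveness(self, cm_id, percent):
        self.countermeasures[cm_id].effectiveness = _fraction(percent)

    def residual_share(self, threat_id, applied=None):
        """Share of damage left with the given countermeasures in place
        (default: every countermeasure attached to the threat)."""
        ids = self.threats[threat_id].countermeasures if applied is None else applied
        residual = 1.0
        for cm_id in ids:
            residual *= 1.0 - self.countermeasures[cm_id].effectiveness
        return residual

    def get_value_at_risk(self, threat_id, applied=None):
        """Expected annual loss in money; applied=[] gives the unmitigated figure."""
        t = self.threats[threat_id]
        exposure = self.asset_values[t.asset] * t.damage * t.probability
        return exposure * self.residual_share(threat_id, applied)

    def risk_reduction(self, threat_id):
        """Money per year that the attached countermeasures take off the table."""
        return self.get_value_at_risk(threat_id, []) - self.get_value_at_risk(threat_id)

    def rank_countermeasures(self, threat_id):
        """Each attached countermeasure on its own as (id, net annual benefit),
        best first.  Net benefit is risk reduction minus the control's cost, so a
        control that costs more than the risk it removes goes negative."""
        base = self.get_value_at_risk(threat_id, [])
        rows = []
        for cm_id in self.threats[threat_id].countermeasures:
            reduction = base - self.get_value_at_risk(threat_id, [cm_id])
            rows.append((cm_id, reduction - self.countermeasures[cm_id].annual_cost))
        return sorted(rows, key=lambda row: row[1], reverse=True)


def build_example_model():
    """The slide's T3 / V3 / C4-C6 scenario loaded with assumed figures."""
    asset = "patient information on mobile medical devices"
    m = ThreatModel()
    m.set_asset_value(asset, 1_000_000)  # assumed asset value
    m.threats["T3"] = Threat("T3", "Malicious code exploits OS vulnerabilities to "
                             "obtain patient information", asset,
                             countermeasures=["C4", "C5", "C6"])
    m.countermeasures["C4"] = Countermeasure("C4", "Hardware toggle USB on", annual_cost=5_000)
    m.countermeasures["C5"] = Countermeasure("C5", "Network isolation", annual_cost=20_000)
    m.countermeasures["C6"] = Countermeasure("C6", "Software security assessment", annual_cost=15_000)
    m.set_threat_probability("T3", 0.5)             # assumed: one incident every two years
    m.set_threat_damage_to_asset("T3", 20)          # assumed: 20% of asset value per incident
    m.set_countermeasure_effectiveness("C4", 50)    # assumed effectiveness figures
    m.set_countermeasure_effectiveness("C5", 80)
    m.set_countermeasure_effectiveness("C6", 30)
    return m


if __name__ == "__main__":
    model = build_example_model()
    print("unmitigated value at risk:", model.get_value_at_risk("T3", []))
    print("mitigated value at risk:  ", model.get_value_at_risk("T3"))
    print("risk reduction per year:  ", model.risk_reduction("T3"))
    for cm_id, net in model.rank_countermeasures("T3"):
        print(f"{cm_id}: net annual benefit {net:,.0f}")
```

With the assumed figures the unmitigated value at risk is 100,000 per year, the three countermeasures together bring it to 7,000, and the ranking puts network isolation (C5) first because it removes the most money relative to what it costs. Because the output is money rather than a colour on a heat map, a board can compare it with a control's cost directly, which is what "measure risk reduction in money" asks for.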
Why the Tao of GRC works: threat models are transparent and recyclable. Transparency means more eyeballs can look at issues. Recycling and more eyeballs reduce cost. More eyeballs mean safer products. Safer products mean more revenue.

Acknowledgements
Michel Godet, for sharing his work on reducing silos and creating reusable risk building blocks.
Wlodek Grudzinski, for sharing his insights as a bank CEO and introducing me to Imperfect Knowledge Economics.
My clients, for giving me the opportunity to teach them the language of threats.
My colleagues at PTA Technologies, for doing a great job.