Transcript

  • 1. The Tao of GRC
    Danny Lieberman
    CTO – Software Associates, Israel
  • 2. 2
    I have heard of military operations that were clumsy but swift, but I have never seen one that was skillful and lasted a long time.
    Master Sun
    (Chapter 2 – Doing Battle, the Art of War)
  • 3. The Tao of GRC
    Practical
    Any business can cook
    Protect customers and comply more effectively with regulation.
    3
  • 4. Agenda
    The flavors of GRC
    Why GRC 1.0 is broken
    The Tao of GRC
    Why it works
    4
  • 5. 3 flavors of GRC
    Government
    Industry
    Vendor-neutral standards
    5
  • 6. Government
    SOX, GLBA, HIPAA, EU Privacy, FDA
    Protect consumer
    Top-down risk analysis
    6
  • 7. Industry
    PCI DSS 1.2
    Protect card associations
    No risk analysis
    7
  • 8. Vendor-neutral standards
    ISO2700x
    Protect information assets
    Audit focus
    8
  • 9. GRC 1.0
    Big Enterprise Software
    “automate the workflow and documentation management associated with costly and complex GRC processes” (Sword, Oracle, CA, Gartner, Forrester)
    9
  • 10. Why GRC 1.0 is broken
    10
    Fixed control structures
    Focusing on yesterday’s threats
  • 11. 4 mistakes CIOs make
    11
    Focus on process while ignoring that hackers attack software
    Label vendors as partners
    Confuse business alignment with risk reduction
  • 12. Both attackers and defenders have imperfect knowledge in making their decisions.
    12
  • 13. Mobile clinical assistants
    Mobile medical devices used by hospital radiologists had unplanned Internet access.
    Over 300 devices infected by Conficker and taken out of service.
    Regulatory requirements mandated that the impacted hospitals would have to wait 90 days before the systems could be modified to remove the infections and vulnerabilities.
    13
  • 14. The Tao of GRC
    14
  • 15. Step 1 - Adopt a standard language
    15
  • 16. People entities
    16
  • 17. Threat entities
    17
    An attacker may exploit vulnerabilities to cause damage to assets.
  • 18. Security countermeasures mitigate vulnerabilities and reduce risk.
    Attacker
  • 19. Threat T3 – Malicious code may be used in order to exploit OS vulnerabilities and obtain patient information from mobile medical devices
    Vulnerability V3 – Unnecessary devices may be enabled
    Countermeasure C4 – Hardware toggle USB on
    Countermeasure C5 – Network isolation
    Countermeasure C6 – Software security assessment
    Example threat scenario
    18
    Attackers
  • 20. Methods
    SetThreatProbability
    estimated annual rate of occurrence of the threat
    SetThreatDamageToAsset
    estimated damage to asset value as a percentage
    SetCountermeasureEffectiveness
    estimated effectiveness as a percentage
    SetAssetValue , GetValueAtRisk
    in Dollars/Euro/Rupee
    19
  • 21. Step 2 - Learn to speak fluently
    20
  • 22. Learn on the job
    Vis-à-vis the regulator
    Understand what audit requirements count
    Vis-à-vis your business
    Understand what threats count
    Prioritize
    Increase profits
    21
  • 23. Understand what threats count
    22
  • 24. Prioritize countermeasures
  • 25. Step 3 Go green
    Measure risk reduction in money
    Attention to root causes
    Recycle controls & policies
    24
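The method vocabulary of slide 20 (SetThreatProbability, SetThreatDamageToAsset, SetCountermeasureEffectiveness, SetAssetValue, GetValueAtRisk) applied to the slide-19 scenario and to the prioritisation of slides 24 and 25, as an added Python example that is not part of the deck or of PTA Technologies' software. The risk formula (annual rate of occurrence × damage fraction × asset value, with each countermeasure reducing the residual independently) and every figure below are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: float = 0.0           # SetAssetValue: in dollars/euro/rupee


@dataclass
class Countermeasure:
    name: str
    effectiveness: float = 0.0   # SetCountermeasureEffectiveness: 0.0..1.0


@dataclass
class Threat:
    name: str
    asset: Asset
    probability: float = 0.0     # SetThreatProbability: annual rate of occurrence
    damage: float = 0.0          # SetThreatDamageToAsset: fraction of asset value
    countermeasures: list = field(default_factory=list)

    def value_at_risk(self, implemented=None) -> float:
        """GetValueAtRisk: ARO * damage fraction * asset value, each implemented
        countermeasure assumed to cut the residual independently (assumed model)."""
        chosen = self.countermeasures if implemented is None else implemented
        residual = 1.0
        for c in chosen:
            residual *= 1.0 - c.effectiveness
        return self.probability * self.damage * self.asset.value * residual


def risk_reduction_in_money(threat: Threat):
    """Rank each countermeasure by the money it alone removes from the bare risk
    (slides 24-25: prioritise countermeasures, measure risk reduction in money)."""
    bare = threat.value_at_risk(implemented=[])
    ranked = [(c.name, bare - threat.value_at_risk(implemented=[c]))
              for c in threat.countermeasures]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed sample figures for T3 against patient information on mobile
# medical devices; none of these numbers come from the deck.
PATIENT_INFO = Asset("Patient information on mobile devices", value=1_000_000)
T3 = Threat("T3 malicious code exploits OS vulnerabilities", PATIENT_INFO,
            probability=0.5, damage=0.3,
            countermeasures=[Countermeasure("C4 hardware USB toggle", 0.6),
                             Countermeasure("C5 network isolation", 0.8),
                             Countermeasure("C6 software security assessment", 0.5)])

if __name__ == "__main__":
    for name, saved in risk_reduction_in_money(T3):
        print(f"{name}: reduces annual value at risk by {saved:,.0f}")
```

Run as a script it lists the three countermeasures in order of money saved; the same objects can be reused across threat models, which is the recycling slide 25 refers to.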
  • 26. Why the Tao of GRC works
    Threat models are transparent and recyclable.
    Transparency means more eyeballs can look at issues.
    Recycling & more eyeballs reduces cost.
    More eyeballs means safer products.
    Safer products means more revenue.
    25
  • 27. Acknowledgements
    26
    Michel Godet, for sharing his work reducing silos and creating reusable risk building blocks
    Wlodek Grudzinski, for sharing his insights as a bank CEO and introducing me to Imperfect Knowledge Economics
    My clients, for giving me the opportunity to teach them the language of threats.
    My colleagues at PTA Technologies for doing a great job.