The Tao of GRC
Summary
The GRC (governance, risk and compliance) market is driven by three factors: government regulation such as Sarbanes-Oxley, industry compliance such as PCI DSS 1.2, and growing numbers of data security breaches and Internet acceptable-usage violations in the workplace. $14BN a year is spent in the US alone on corporate-governance-related IT spending [1].
Are large, internally focused GRC systems the solution for improving risk and compliance? Or should we go outside the organization to look for risks we've never thought about and discover new links and interdependencies [2]?
This article introduces a practical approach that will help the CISOs/CSOs in any sized business unit successfully improve compliance and reduce information value at risk. We call this approach "The Tao of GRC" and base it on 3 principles:
1. Adopt a standard language of threats
2. Learn to speak the language fluently
3. Go green – recycle your risk and compliance

Published in Technology, Business
Transcript

  • 1. The Tao of GRC
    Danny Lieberman
    Software Associates
  • 2. GRC 1.0
  • 3. The Tao of GRC
  • 4. Agenda
    The flavors
    The Tao
    Why it works
  • 5. GRC comes in 3 flavors
    Government
    Industry
    Vendor-neutral standards
  • 6. Government
    SOX, HIPAA, EU Privacy
    Protect consumer
    Top-down risk analysis
  • 7. Industry
    PCI DSS
    Protect card associations
    No risk analysis
  • 8. Vendor-neutral standards
    ISO2700x
    Protect information assets
    Audit focus
  • 9. 4 mistakes CIOs make
    Focus on process while ignoring that hackers attack software
    Relabel vendors as partners
    Confuse business alignment with risk reduction
  • 10. Both attackers and defenders have imperfect knowledge in making their decisions.
  • 11. Mobile clinical assistants
    Regulatory: Hospitals had to wait 90 days before applying remedy.
    Unplanned Internet access, 300 devices infected by Conficker.
  • 12. The Tao of GRC
  • 13. The Tao of GRC
    Adopt common threat language
    Learn to speak well
    Go green
  • 14. 1. Common threat language
  • 15. Players
  • 16. Threat scenario
    Threats exploit vulnerabilities to damage assets.
  • 17. Countermeasures mitigate vulnerabilities to reduce risk.
    Attacker
  • 18. Methods
  • 19. Sample threat scenario
    Attackers
    Countermeasure C41 – Disable USB
    Countermeasure C53 – Use Ubuntu
    Countermeasure C67 – Software security assessment
  • 20. VaR
    ValueAtRisk = Asset Value x Threat Probability x (1 – Countermeasure Effectiveness)
  • 21. 2. Learn to speak well
    Practice
    What threats count
    Prioritize
  • 22. Understand what threats count
  • 23. Prioritize countermeasures
  • 24. 3. Go green
    Security is about economics
    Attention to root causes
    Recycle control policies
  • 25. Why the Tao works
    Threat models are transparent and recyclable.
    Transparency means more eyeballs can look at issues.
    Recycling reduces cost.
    More eyeballs improves security.
    Better security means safer products for customers.
    Safer products are good for business.
  • 26. Acknowledgements
    Michel Godet, for sharing his work reducing silos and creating reusable risk building blocks
    Wlodek Grudzinski, for sharing his insights as a bank CEO and introducing me to Imperfect Knowledge Economics
    My clients, for giving me the opportunity to teach them the language of threats.
    My colleagues at PTA Technologies for doing a great job.
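The value-at-risk formula on slide 20 and the countermeasure prioritization on slide 23, carried through as an added worked example (this is editor-added code, not from the deck, from Software Associates or from PTA Technologies). The scenario is loosely modelled on the slide 11 clinical-assistant case and the countermeasure IDs come from slide 19; the asset value, threat probability, effectiveness and cost figures are constructed, and combining several countermeasures as independent (multiplying their residuals) is an assumption the slides do not state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ThreatScenario:
    threat: str
    asset: str
    asset_value: float         # currency units at stake if the threat succeeds
    threat_probability: float  # probability the threat materialises (0..1)

@dataclass(frozen=True)
class Countermeasure:
    name: str
    effectiveness: float       # fraction of the threat it mitigates (0..1)
    cost: float                # deployment cost, same units as asset_value

def value_at_risk(scenario, countermeasures=()):
    """Slide 20: VaR = AssetValue x ThreatProbability x (1 - Effectiveness).
    Assumption (not on the slide): countermeasures act independently, so the
    residual exposure is the product of each one's (1 - effectiveness)."""
    residual = 1.0
    for c in countermeasures:
        residual *= 1.0 - c.effectiveness
    return scenario.asset_value * scenario.threat_probability * residual

def prioritize(scenario, candidates):
    """Slide 23: rank countermeasures by VaR reduction per unit of cost."""
    baseline = value_at_risk(scenario)
    ranked = []
    for c in candidates:
        reduction = baseline - value_at_risk(scenario, [c])
        ranked.append((c.name, reduction, reduction / c.cost))
    return sorted(ranked, key=lambda r: r[2], reverse=True)

# Constructed sample: slide 11's mobile clinical assistants with made-up numbers.
SCENARIO = ThreatScenario(
    threat="Worm infection via unplanned Internet access",
    asset="300 mobile clinical assistants",
    asset_value=1_500_000.0,
    threat_probability=0.4,
)
# Countermeasure IDs are from slide 19; effectiveness and cost are constructed.
CANDIDATES = [
    Countermeasure("C41 Disable USB", effectiveness=0.5, cost=10_000.0),
    Countermeasure("C53 Use Ubuntu", effectiveness=0.7, cost=60_000.0),
    Countermeasure("C67 Software security assessment", effectiveness=0.3, cost=25_000.0),
]

if __name__ == "__main__":
    for name, reduction, per_cost in prioritize(SCENARIO, CANDIDATES):
        print(f"{name:36s} cuts VaR by {reduction:>9,.0f} ({per_cost:.1f} per unit cost)")
```

The ranking shows why a cheap control such as disabling USB can outrank a more effective but costlier one: the deck's "security is about economics" point on slide 24 expressed as VaR reduction per unit of cost.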