3. Laws, regulations and management
(Diagram) Laws & Regulations mandate compliance; Frameworks and Standards provide guidance. Both influence the Business and its Management, and through them the Policies, Process and Controls that management defines.
4. Avoid risk management theatre
• One process to rule them all
• Success is following the process
• Stops people from getting their work done
• Pass the audit
• Lack of responsibility
8. The way we work should determine controls
Photo credits: Taliesen http://mrg.bz.ziSMzq, Rollingroscoe http://mrg.bz.vOsu5e, Kconnors http://bz/PY1Jni
9. Map the value stream
• End to end value delivery
• Identify times
• Encourages collaboration
• Measure improvement
10. Consider GRC from the beginning
• Type of Information
• Take a risk based approach
• Control access
• Mastery and craftsmanship
• GRC specialists are part of the team
12. Risk based security compliance
Controls mapped to each stage of delivery (reconstructed from the slide's table; security stories and acceptance criteria (AC) run alongside the stages):
• Inception: high level – obligations, adversaries, assets, disaster scenarios
• Analysis: threat model and risk matrix
• In dev: coding guidelines, pairing, code reviews
• CI: automated code analysis, security proxy, model verification
• Test: manual security testing
• UAT: pen test
• Prod: logs, firewall, IDS, WAF, IPS
13. Seek controls that maintain flow
• Right level of granularity
• Decisions by responsible people
• Boundaries defined
• Risk based controls
• Contain the blast radius
• Use compensating controls
14. Create visibility and transparency
• Demand participation
• Leave a trail of evidence
• Visible means visible
• Be disciplined, be consistent
17. Gov.uk alpha design principles
• Don’t slow down delivery
• Decisions when they are needed, and at the right level
• Do it with the right people
• Go see for yourself
• Only do it if it adds value
• Trust and verify
https://digitaltransformation.blog.gov.uk/2014/06/24/governance-principles/
19. Most significant challenges
• Organizational structure not designed for the fast pace of digital demands
• Business processes too inflexible to take advantage of new opportunities
• Inability to adopt the experimental mind-set that is key for best practices
http://www.mckinsey.com/insights/business_technology/The_digital_tippingbusiness_point_McKinsey_Global_Survey_results
20. Conclusion
Manage risks, not compliance
Seek controls that match the way we work
Create a shared understanding and cross-team collaboration
Visualize and create flow
Laws and Regulations: SOX, HIPAA, privacy laws, security breach laws, air transport, government and government agencies
Frameworks, Standards (guidance): ISO 27001, ITIL, COBIT, COSO, TOGAF
Laws and Regulations: SOX, privacy laws, security breach legislation
Frameworks and Standards: COBIT, ISO 27000 series, ITIL, COSO, PCI DSS
Policies and Processes: Information Security, Access, Change Management, Solution Delivery Life Cycle
Controls: approvals, reviews, limited access, boundaries
Reduce risk with smaller decisions and more frequent review
Signs of theatre: the goal becomes passing the audit, not reducing the risks
Approvals and reviews by busy people, or by people who don't have a clue about the work
Throwing work over the wall
Those doing the work are not responsible for it
One process to rule them all
Success measured by following the process
If we leave this to auditors and risk and compliance people to worry about, we get what we deserve.
It is our responsibility to understand the obligations and work collaboratively to figure out the best way to meet them, given our own knowledge and experience.
Dirty little secret: most IT auditors and GRC people have never actually worked in IT.
They don't understand the process, the tools or the capabilities, or how to leverage them. It is up to those of us doing the work to educate them. To do that intelligently, we need to understand their language and the intent of the control, not the specific way they think we should meet the control.
Make decisions around assumptions and how the information is presented
Based on your 'experience', what is the decision?
What is the value represented by the colour? How much would you bet on it?
Microsoft story: of the ideas tested, roughly a third turn out wrong, a third have no impact, a third add value
Story: Suncorp
Australian insurance and banking company
Coming out of a growth strategy that involved acquisitions, leaving multiple insurance brands and the legacy back-end systems to support them. Realised growth had to come from somewhere else.
Goal: move all brands onto one platform (mainframe).
Go from agile to continuous delivery, and leverage fewer, stronger, more trusting partnerships with software development partners
Story of the controls required for ODCs
End-to-end value to the customers
Identify times, handovers, waiting times and queues
Encourage collaboration between functional silos
Build empathy, trust, partnerships and shared understanding
In the example above, planning and setup takes 3–4 weeks of elapsed time; the actual time to do the work is 3–4 days
Identify where to start experimenting
Be scientific: measure a baseline, then improve against it
"In solving problems you get the best outcome by imagining the ideal solution and then working backward to where you are today" –Ackoff
Stories: Segregation of Duties
Privacy by Design: consider the type of information
Access Control: authentication, authorization, accountability
Mastery: encryption, vulnerability prevention, design for detection and recovery
Security, internal Risk and Compliance are part of the team
Applicable compliance issues
Threat modeling
Automated security and compliance testing
Sony, MoM, UK Gov
Move decisions to lowest level of responsibility, based on relative risk and defined boundaries
Story of PCI and segregation of duties at Etsy
Create visibility and transparency into who has done what and when. Leave a trail of evidence
Auditor code: ‘If it isn't written, it doesn’t exist’
Demand participation: standups, showcases, pairing exercises, inceptions and iteration planning.
Leave a trail of evidence
Create visibility
Monitors and screens
Kanban boards,
Lightweight documentation
Be disciplined, be consistent
Add notes regarding the situation
Transparency
- into process and progress
- and what is happening
Gov UK Digital transformation dashboard
https://www.gov.uk/transformation
Survey population: companies with over a billion dollars in annual revenue
What are the things that need to be considered beyond technology (automation, software craftsmanship)?
Set people up for success, e.g. a vision statement for your team: define what you believe your purpose to be and engage leadership to get their feedback
Consider the end-to-end flow of value, e.g. create a value stream map with the stakeholders involved, to start building understanding and collaboration
Get comfortable with uncertainty, e.g. create safe-to-fail experiments