Operational security | How to design your information security GRC (governance, risk and compliance) framework

How to design your lean GRC
(governance, risk and
compliance) framework
Bangkok – March 15th
Maxime CARPENTIER - CIO
Governance, Risks & Compliance

Page n° 2 P
Overview
 What is the key of information security governance, risk &
compliance?
 How do you meet your governance, risk and compliance
requirements and prevent a data breach?
 Understanding the spirit of risk management.
 Create a customized information security management
system (ISMS) for your business.
 Designing and implementing a cost-effective ISMS to
minimize your risk of a breach.
 Meet your legislative obligations (Data Protection Act),
regulatory (Payment Card Industry), or industry standard
(ISO-27001) compliance requirements.

Standard compliance requirements
 Practical ISMS [information security management system ]
documentation structure.
 Scope, objectives & risk strategy examples.
 Risk treatment plan, asset register & classification guide
examples.
 Policy frameworks.
 Control objectives, evidence & policy examples.
 Audit & testing documentation examples.
ALKIA IT Services © 2016 - maxime@alkia.org - All rights reserved Page n° 3 P

The 4 GRC key components
ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved Page n° 4 P
Governance
Policy
Scope &
Objectives
Risk
Strategy
Management
Processes

Step 1 | Practical Questions
 What are we trying to protect ?
 Why are we trying to protect ?
 Who’s responsible for protecting it?
 What will we do to protect it ?
 What will we do to ensure it is protected ?
 What we will not do to ensure it is protected ?
 What will happen if we fail to protect it ?
 What are our escalation means should a breach
happen?

ISMS Practical format rules
 Keep it simple
 Concise writing, good visuals
 Clear goals
 Scalable
 Mentioning Assigned Owners
 Centrally located and easily accessible
 Signed by the CEO

Step 2 | Define your ISMS Structure
Scope &
Objectives
Governance
Management • Responsibilities
Risk
Strategy
• Identify
• Risk treatment
• Minimize
• Testing & Remediation
• Manage
• Policies & Procedures
ISMS

Scope & objectives
 Locations
 Staff
 Systems
 Suppliers
 Partners
 Clients
Page n° 8
Scope &
Objectives
ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved
List all applicable entities:

Scope example
Scope : The XXXX ISMS is comprising the following:
 Staff 1252
 Locations 4 (Bangkok,Hong Kong,Singapore,Jakarta)
 Systems 7
 Suppliers 23 (IBM, EMC … )
 Partners 5 (Alkia…)
 Clients 168
Page n° 9
Scope &
Objectives

Objectives
This step defines the WHY that support the HOW. It’s the
backbone of the ISMS, be clear, consistent and
comprehensive.
 Detect breach
 Stop a breach
 Comply to a PCI (Payment Card Industry)
 Comply to a DPA (Data Protection Act)
 Protect your IP (Intellectual property)
 Protect your brand
Page n° 10
Scope &
Objectives

Objectives example
Objective: The objectives of the XXXX are ordered as
follows:
 To ensure the appropriate protection of XXXX sensitives
information processed, stored or transmitted on
corporate ICT systems
 To ensure the appropriate protection of XXXX customer
information processed, stored or transmitted on
corporate ICT systems
 To prevent a breach or unauthorized access to XXXX
systems
 To protect the XXX brand reputation
Page n° 11
Scope &
Objectives

Governance
 List your requirements
 Internal (your policies, anti money-laundering, anti
slavery, fair trade)
 External:
 PCI
 DPA
 ISO
Page n° 12
Governance

Governance example
Information Security Management System Governance
framework are defined as follows:
 ISMS is implemented to meet the principles established
by Singapore’s DPA
 XXXX meets all parts of the PCI (Payment Card
Industry) Data Security Standards (DSS) V3
 XXXX meets the Sarbanes-Oxley Act 2002
requirements
Page n° 13
Governance

Management
Management gives the operational framework and the top
executive visibility of your operational security
 Business accountability
 Liability
 Big picture
 Leadership statements
 Visibility
 Audit landscape
Page n° 14
Board of directors
Executive
Management
Senior Information
Security management
Information Security
Practitioner
Management

Management example
The role and responsibilities for the ISMS management are as
follows:
Board of directors: shall be responsible for identifying the
key corporate information assets and verifying that the
protection levels and the priorities established in the ISMS are
appropriate.
Executive Management: Shall be responsible for setting the
tone for the information security management and ensure that
the necessary functions, resources and infrastructure are
available an properly utilized to meet the objectives.
Senior Information Security management: Shall be
responsible for developing the security and risk mitigation
strategies, implementing security and risk programs and
managing security incidents & remediation activities.
Information Security Practitioner: Shall be responsible for
designing, implementing and managing processes and
technical controls. Respond to events and incidents.
Page n° 15
Board of
directors
Executive
Management
Senior
Information
Security
management
Information
Security
Practitioner
Management

Risk Strategy
Page n° 16
 What is it?
 How will you address this?
 What sequence of action?
 State concise tactical statement
 Your company risk appetite
 Ensure Board support
Risk
Identify
MinimizeManage
Risk
Strategy

Risk Strategy example
Page n° 17
 In order to meet the stated objectives XXX shall
execute a strategy to identify, minimize and manage
the risks to their information assets through the
implementation of a Risk Treatment Plan.
 Testing and remediation activities are implemented
through the information security policies and procedure
book.
Risk
Strategy

Responsibilities
This is the “Who” component of the security system.
 Day to day accountability, assigned owners (position not
people)
 Detailed processes
 Detailed actions
 Designed to ensure ISMS is on-going
Page n° 18
Risk
Strategy

Step 3 | Risk Treatment Plan
 The risk treatment plan is your method (the how).
 Represents the execution plan, directly derived from
your risk strategy.
 List on one board the risks, their occurrence probability,
their potential impacts and their criticity
 Risk calculation formula based on Information asset
value and risk tolerance & resilience.
 Keep in mind: Risk criticity = Threat x Probability x
Impact
 Check it always answer well:
 What are we protecting?
 Why are you protecting?

Additional outputs
 Information Classification Guide
Specific about what
you are protecting
 Information Asset Risk Register
Stating why you are protecting it. What are the impacts on the
company operation, sales or reputation.

Step 4 | Risk management
5 fundamental steps:
1. Identify your assets
2. Identify the potential vulnerabilities and threats to
these assets
3. For each threat, quantify the probability of
occurrence
4. Calculate the impact of the incident on your business
5. Implement cost-effective controls

Testing & remediation strategy
Describes how the control and the remediation are
effective. Check the coverage (are all assets covered
according to their level of criticity).
 Verification of controls
 Things in place are working
 What?
 When?
 Who?
 How?
 Remedial status

Policies & Procedures
 Never write a policy that you can’t or won’t enforce
Example if you write a policy that state “download is strictly
forbidden” and it happen that a key employee inadvertively
did download and cannot be fired, it is all the value of your
policies and therefor their efficiency that is diminished.
 Never write a policy that you can’t monitor or verify
for compliance
Never state something you cannot prove it has been
complied with.

Example of framework

Q & A
 How much security do I need?
An ISMS is exactly what you need, but do it well. By starting the
process you will define your needs by state you assets, what
protection they request and what budget they deserve. Without
starting this journey you will be lost, lacking strategy.
 What is the core objective of building a GRC?
We are going to minimize the risks for this company, in a clear and
consistent way.
 What is a good ISMS?
It’s a framework that effectively covers what the strategy plan
states.

Operational security | How to design your information security GRC (governance, risk and compliance) framework

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (19)

Similar to Operational security | How to design your information security GRC (governance, risk and compliance) framework

Similar to Operational security | How to design your information security GRC (governance, risk and compliance) framework (20)

Recently uploaded

Recently uploaded (20)

Operational security | How to design your information security GRC (governance, risk and compliance) framework