The Tao of GRC
Summary
The GRC (governance, risk and compliance) market is driven by three factors: government regulation such as Sarbanes-Oxley, industry compliance such as PCI DSS 1.2, and growing numbers of data security breaches and Internet acceptable-usage violations in the workplace. $14BN a year is spent in the US alone on corporate-governance-related IT.
Are large, internally focused GRC systems the solution for improving risk and compliance? Or should we go outside the organization to look for risks we have never thought about and discover new links and interdependencies?
This article introduces a practical approach that will help the CISOs/CSOs of a business unit of any size successfully improve compliance and reduce information value at risk. We call this approach "The Tao of GRC" and base it on three principles:
1. Adopt a standard language of threats
2. Learn to speak the language fluently
3. Go green – recycle your risk and compliance

Published in: Technology, Business

The Tao of GRC

1. The Tao of GRC
   Danny Lieberman, Software Associates
2. GRC 1.0
3. The Tao of GRC
4. Agenda
   - The flavors
   - The Tao
   - Why it works
5. GRC comes in 3 flavors
   - Government
   - Industry
   - Vendor-neutral standards
6. Government
   - SOX, HIPAA, EU Privacy
   - Protect consumer
   - Top-down risk analysis
7. Industry
   - PCI DSS
   - Protect card associations
   - No risk analysis
8. Vendor-neutral standards
   - ISO 2700x
   - Protect information assets
   - Audit focus
9. 4 mistakes CIOs make
   - Focus on process while ignoring that hackers attack software
   - Relabel vendors as partners
   - Confuse business alignment with risk reduction
10. Both attackers and defenders have imperfect knowledge in making their decisions.
11. Mobile clinical assistants
   - Regulatory: hospitals had to wait 90 days before applying remedy.
   - Unplanned Internet access, 300 devices infected by Conficker.
12. The Tao of GRC
13. The Tao of GRC
   - Adopt common threat language
   - Learn to speak well
   - Go green
14. 1. Common threat language
15. Players
16. Threat scenario
   - Threats exploit vulnerabilities to damage assets.
   - Countermeasures mitigate vulnerabilities to reduce risk.
   - Attacker
17. Methods
18. Sample threat scenario
   - Attackers
   - Countermeasure C41 – Disable USB
   - Countermeasure C53 – Use Ubuntu
   - Countermeasure C67 – Software security assessment
19. VaR
   ValueAtRisk = Asset Value x Threat Probability x (1 – Countermeasure Effectiveness)
20. 2. Learn to speak well
   - Practice
   - What threats count
   - Prioritize
21. Understand what threats count
22. Prioritize countermeasures
23. 3. Go green
   - Security is about economics
   - Attention to root causes
   - Recycle control policies
24. Why the Tao works
   - Threat models are transparent and recyclable.
   - Transparency means more eyeballs can look at issues.
   - Recycling reduces cost.
   - More eyeballs improve security.
   - Better security means safer products for customers.
   - Safer products are good for business.
25. Acknowledgements
   - Michel Godet, for sharing his work reducing silos and creating reusable risk building blocks
   - Wlodek Grudzinski, for sharing his insights as a bank CEO and introducing me to Imperfect Knowledge Economics
   - My clients, for giving me the opportunity to teach them the language of threats.
   - My colleagues at PTA Technologies for doing a great job.
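The VaR slide gives the formula and the "Prioritize countermeasures" and "Security is about economics" slides ask for an economic ranking of countermeasures; the following added example (not from the deck, not PTA Technologies' tool) does both over a constructed threat scenario and generalizes the formula to several independent countermeasures on one threat. Countermeasure ids C41, C53 and C67 are taken from the sample-scenario slide; the asset value, probabilities, effectiveness figures and costs are assumed.

```python
# Added example, not from the deck: a small threat model in the deck's own
# vocabulary that applies ValueAtRisk = Asset Value x Threat Probability x
# (1 - Countermeasure Effectiveness) and ranks countermeasures by risk reduced
# per unit of cost. Ids C41/C53/C67 come from the deck's sample slide; every
# number is constructed and the countermeasures are assumed to act independently.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Countermeasure:
    cid: str
    name: str
    effectiveness: float  # fraction of the threat it stops, 0..1 (constructed)
    cost: float           # cost to implement, same units as asset value (constructed)

@dataclass
class Threat:
    name: str
    asset_value: float    # value of the asset this threat damages (constructed)
    probability: float    # probability the threat is realised (constructed)
    mitigations: list = field(default_factory=list)  # applicable countermeasures

def combined_effectiveness(cms):
    """Independent countermeasures: residual exposure multiplies."""
    residual = 1.0
    for cm in cms:
        residual *= 1.0 - cm.effectiveness
    return 1.0 - residual

def value_at_risk(threat, applied=()):
    """The deck's VaR formula for one threat scenario."""
    return threat.asset_value * threat.probability * (1.0 - combined_effectiveness(applied))

def prioritize(threats, cms):
    """Rank countermeasures by total VaR reduction per unit cost, highest first."""
    scores = []
    for cm in cms:
        reduced = sum(value_at_risk(t) - value_at_risk(t, [cm])
                      for t in threats if cm in t.mitigations)
        scores.append((cm.cid, reduced / cm.cost))
    return sorted(scores, key=lambda s: s[1], reverse=True)

C41 = Countermeasure("C41", "Disable USB", 0.8, 10_000)
C53 = Countermeasure("C53", "Use Ubuntu", 0.5, 40_000)
C67 = Countermeasure("C67", "Software security assessment", 0.6, 25_000)
# Constructed scenario loosely modelled on the deck's clinical-assistant slide.
THREATS = [
    Threat("Malware introduced over USB", 300_000, 0.5, [C41, C53]),
    Threat("Exploit of a vulnerable application", 300_000, 0.2, [C67, C53]),
]
RANKING = prioritize(THREATS, [C41, C53, C67])  # C41 ~12.0, then C53 ~2.625, C67 ~1.44
```

The cheap, highly effective control (C41) ranks first even though C53 reduces more total VaR, which is the economic point the "Go green" slide makes.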