Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
The Tao of GRC<br />Danny Lieberman<br />Software Associates<br />
GRC 1.0<br />2<br />
The Tao of GRC<br />3<br />
Agenda<br />The flavors<br />The Tao<br />Why it works<br />4<br />
GRC comes in 3 flavors<br />Government<br />Industry<br />Vendor-neutral standards<br />5<br />
Government<br />SOX, HIPAA, EU Privacy<br />Protect consumer<br />Top-down risk analysis<br />6<br />
Industry <br />PCI DSS<br />Protect card associations<br />No risk analysis<br />7<br />
Vendor-neutral standards<br />ISO2700x<br />Protect information assets<br />Audit focus<br />8<br />
4 mistakes CIOS make<br />9<br />Focus on process while ignoring that hackers attack software<br />Relabel vendors as part...
Both attackers and defenders have imperfect knowledge in making their decisions. <br />10<br />
Mobile clinical assistants<br />Regulatory:Hospitals had to wait 90 days before applying remedy.<br />Unplanned Internet a...
The Tao of GRC<br />12<br />
The Tao of GRC<br />Adopt common threat language<br />Learn to speak well<br />Go green<br />13<br />
1. Common threat language<br />14<br />
Players<br />15<br />
Threat scenario<br /><ul><li>Threats exploitvulnerabilities to damage assets.
Countermeasures mitigate vulnerabilitiesto reduce risk.</li></ul>Attacker<br />16<br />
Methods<br />17<br />
Countermeasure C41– Disable USB Countermeasure C53– Use Ubuntu<br />Countermeasure C67– Software security assessment<br /...
VaR<br />19<br />ValueAtRisk = Asset Value x Threat Probability x (1 – Countermeasure Effectiveness)<br />
2. Learn to speak well<br />Practice<br />What threats count<br />Prioritize<br />20<br />
Understand what threats count<br />21<br />
Prioritize countermeasures<br />
3. Go green<br />Security is abouteconomics<br />Attention to root causes<br />Recycle control policies<br />23<br />
Why the Tao works<br />Threat models are transparent and recyclable.<br />Transparency means more eyeballs can look at iss...
Upcoming SlideShare
Loading in …5
×
Upcoming SlideShare
Web application security in the cloud
Next
Download to read offline and view in fullscreen.
Technology, Business
Sep. 07, 2011
1,291 views

Share

The Tao of GRC

Download to read offline

Technology, Business
Sep. 07, 2011
1,291 views

Summary
The GRC (governance, risk and compliance) market is driven by three factors: government regulation such as Sarbanes-Oxley, industry compliance such as PCI DSS 1.2 and growing numbers of data security breaches and Internet acceptable usage violations in the workplace. $14BN a year is spent in the US alone on corporate-governance-related IT spending1.
Are large internally-focused GRC systems the solution for improving risk and compliance? Or should we go outside the organization to look for risks we’ve never thought about and discover new links and interdependencies2.
This article introduces a practical approach that will help the CISOs/CSOs in any sized business unit successfully improve compliance and reduce information value at risk. We call this approach “The Tao of GRC” and base it on 3 principles.
1. Adopt a standard language of threats
2. Learn to speak the language fluently
3. Go green – recycle your risk and compliance

Recommended

Related Books

Free with a 30 day trial from Scribd

See all
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(4/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(5/5)
Free
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4.5/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4/5)
Free
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(5/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(2/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(3/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4/5)
Free
Authentic: A Memoir by the Founder of Vans Louise Maclellan
(5/5)
Free
How I Built This: The Unexpected Paths to Success from the World's Most Inspiring Entrepreneurs Guy Raz
(4.5/5)
Free
The Ministry of Common Sense: How to Eliminate Bureaucratic Red Tape, Bad Excuses, and Corporate BS Martin Lindstrom
(4/5)
Free
How Innovation Works: And Why It Flourishes in Freedom Matt Ridley
(5/5)
Free

Related Audiobooks

Free with a 30 day trial from Scribd

See all
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
System Error: Where Big Tech Went Wrong and How We Can Reboot Rob Reich
(3.5/5)
Free
The Quiet Zone: Unraveling the Mystery of a Town Suspended in Silence Stephen Kurczy
(4.5/5)
Free
Einstein's Fridge: How the Difference Between Hot and Cold Explains the Universe Paul Sen
(5/5)
Free
Test Gods: Virgin Galactic and the Making of a Modern Astronaut Nicholas Schmidle
(5/5)
Free
Driven: The Race to Create the Autonomous Car Alex Davies
(4.5/5)
Free
Spooked: The Trump Dossier, Black Cube, and the Rise of Private Spies Barry Meier
(4/5)
Free
Second Nature: Scenes from a World Remade Nathaniel Rich
(5/5)
Free
A World Without Work: Technology, Automation, and How We Should Respond Daniel Susskind
(4.5/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
Digital Renaissance: What Data and Economics Tell Us about the Future of Popular Culture Joel Waldfogel
(3.5/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4/5)
Free
The Players Ball: A Genius, a Con Man, and the Secret History of the Internet's Rise David Kushner
(4.5/5)
Free
Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich
(4.5/5)
Free

The Tao of GRC

  1. 1. The Tao of GRC<br />Danny Lieberman<br />Software Associates<br />
  2. 2. GRC 1.0<br />2<br />
  3. 3. The Tao of GRC<br />3<br />
  4. 4. Agenda<br />The flavors<br />The Tao<br />Why it works<br />4<br />
  5. 5. GRC comes in 3 flavors<br />Government<br />Industry<br />Vendor-neutral standards<br />5<br />
  6. 6. Government<br />SOX, HIPAA, EU Privacy<br />Protect consumer<br />Top-down risk analysis<br />6<br />
  7. 7. Industry <br />PCI DSS<br />Protect card associations<br />No risk analysis<br />7<br />
  8. 8. Vendor-neutral standards<br />ISO2700x<br />Protect information assets<br />Audit focus<br />8<br />
  9. 9. 4 mistakes CIOS make<br />9<br />Focus on process while ignoring that hackers attack software<br />Relabel vendors as partners<br />Confuse business alignment with risk reduction<br />
  10. 10. Both attackers and defenders have imperfect knowledge in making their decisions. <br />10<br />
  11. 11. Mobile clinical assistants<br />Regulatory:Hospitals had to wait 90 days before applying remedy.<br />Unplanned Internet access, 300 devices infected by Conficker.<br />11<br />
  12. 12. The Tao of GRC<br />12<br />
  13. 13. The Tao of GRC<br />Adopt common threat language<br />Learn to speak well<br />Go green<br />13<br />
  14. 14. 1. Common threat language<br />14<br />
  15. 15. Players<br />15<br />
  16. 16. Threat scenario<br /><ul><li>Threats exploitvulnerabilities to damage assets.
  17. 17. Countermeasures mitigate vulnerabilitiesto reduce risk.</li></ul>Attacker<br />16<br />
  18. 18. Methods<br />17<br />
  19. 19. Countermeasure C41– Disable USB Countermeasure C53– Use Ubuntu<br />Countermeasure C67– Software security assessment<br />Sample threat scenario<br />18<br />Attackers<br />
  20. 20. VaR<br />19<br />ValueAtRisk = Asset Value x Threat Probability x (1 – Countermeasure Effectiveness)<br />
  21. 21. 2. Learn to speak well<br />Practice<br />What threats count<br />Prioritize<br />20<br />
  22. 22. Understand what threats count<br />21<br />
  23. 23. Prioritize countermeasures<br />
  24. 24. 3. Go green<br />Security is abouteconomics<br />Attention to root causes<br />Recycle control policies<br />23<br />
  25. 25. Why the Tao works<br />Threat models are transparent and recyclable.<br />Transparency means more eyeballs can look at issues.<br />Recyclingreduces cost <br />More eyeballs improves security.<br />Better security means safer products for customers<br />Safer products is good for business.<br />24<br />
  26. 26. Acknowledgements<br />25<br />Michel Godet, for sharing his work reducing silos and creating reusable risk building blocks<br />WlodekGrudzinski, for sharing his insights as a bank CEO and introducing me to Imperfect Knowledge Economics<br />My clients ,for giving me the opportunity to teach them the language of threats.<br />My colleagues at PTA Technologies for doing a great job.<br />

  • andraramana

    Apr. 14, 2015

Summary The GRC (governance, risk and compliance) market is driven by three factors: government regulation such as Sarbanes-Oxley, industry compliance such as PCI DSS 1.2 and growing numbers of data security breaches and Internet acceptable usage violations in the workplace. $14BN a year is spent in the US alone on corporate-governance-related IT spending1. Are large internally-focused GRC systems the solution for improving risk and compliance? Or should we go outside the organization to look for risks we’ve never thought about and discover new links and interdependencies2. This article introduces a practical approach that will help the CISOs/CSOs in any sized business unit successfully improve compliance and reduce information value at risk. We call this approach “The Tao of GRC” and base it on 3 principles. 1. Adopt a standard language of threats 2. Learn to speak the language fluently 3. Go green – recycle your risk and compliance

Views

Total views

1,291

On Slideshare

0

From embeds

0

Number of embeds

375

Actions

Downloads

18

Shares

0

Comments

0

Likes

1

×