http://www.enterprisegrc.com
Does Audit Make us Secure?
Presented at ISACA SV Spring Conference
May 15th 2015
Robin Basham, M.Ed, M.IT, CISA, CRISC, CGEIT, HISP, CRP, VRP
Founder EnterpriseGRC Solutions
Companies that passed audit and had a major breach
• March 18, 2015: “Three weeks before hackers infiltrated Premera Blue Cross, federal auditors warned the company that its network-security procedures were inadequate.”
• The Heartland intrusion began in May 2008, even though the company had passed multiple audits, including one conducted on Apr. 30. At the time, the Princeton (N.J.) company was in compliance with industry standards for data security, Carr says. Still, shortly afterward, 13 pieces of malware that capitalize on weaknesses in Microsoft (MSFT) software infiltrated one or more network servers.
• "We get pinged 200,000 times per day by people trying to hack into our system," Carr says. "You do everything you can to make sure one of those pings doesn't get through, and we thought we had done everything we could do."
Does audit make us secure?
Why not?
“We get pinged more than 200,000 times per day”
So what?
Is it just me?
• We establish “scope” and imply permission for less secure practices on lower impact systems
• We audit what we understand and miss the most important areas of risk
• We expose a wide range of people to known areas of weakness
• We distract people from their core responsibilities
• We create a false sense of security by under-representing complex and broken processes
Did I Pick the Right form of Risk Assessment?
• If our goal is to determine if we are secure, pick the right risk assessment methods
• If our goal is to enable a more secure enterprise, engage business partners to provide meaningful metrics that inform choices and decisions about the architecture
• Integrated Audit (GRC) assists management to set compliance goals, track where process evidence is stored, and enable continuous improvement through internal control self assessment.
GRC Contributes by using a Cyber Security Model
• Identify – CMDB, People, Process, Technology, relationships, alignment to controls
• Protect – Architecture, Infrastructure, Monitoring
• Detect – Defined Sources, Collection, Interpretation, Reporting Methods
• Respond – RCA, Corrective Action, Management Meetings, Plans, Optimization Targets
• Recover – Configuration baselines, response plans, lessons learned, Wiki, documentation, BIA
Configuration Management using Cobit®5
GRC Team Tracks to Inform Control Design & Risk
• Intrusion Detection Systems (IDS) events
• Virus Alerts and corresponding HelpDesk cases to clean infected systems
• DLP events and confirmation on false positives, loss events and corrective actions
• Vulnerabilities Identified, risk ranking, effort and plan to remediate, status to remediate
• Patch requirements and mean time to remediate (MTTR)
• Daily Anti-Virus status (Red, Yellow, Green), # of events blocked, cleaned, definition updates
• Daily end point patching, # of systems in and out of compliance
• Daily system backups – systems not backed up
• Number of Volume copies made, saved, purged
• Security Project Plans, Milestones, Issues or Blockers
• Infrastructure remediation through tickets and change requests
• Post Implementation Effectiveness for corrected security problems (ROI)
• Template Configurations
• NON template configurations
• Systems Monitored
• Services per systems
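As an added example (not code from the deck), here is how the vulnerability MTTR, SLA ageing and daily Red/Yellow/Green patch figures in the list above can be computed from tracker data in Python; the record layout, the risk-ranking names, the SLA days and the RAG thresholds are assumptions, and the findings are constructed.

```python
"""Vulnerability and patch tracking metrics of the kind the GRC team reports:
mean time to remediate (MTTR) by risk ranking, overdue open findings, closed
findings that breached their SLA, and a daily Red/Yellow/Green patch status.
Added example, not from the original deck; record layout, rank names, SLA
days and RAG thresholds are assumptions made for illustration."""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed findings: a scanner export merged with the remediation tracker.
# remediated=None means the finding is still open.
FINDINGS = [
    {"id": "V-1", "host": "SRV-DB01", "rank": "High",
     "identified": date(2015, 3, 2), "remediated": date(2015, 3, 9)},
    {"id": "V-2", "host": "SRV-WEB02", "rank": "High",
     "identified": date(2015, 3, 4), "remediated": date(2015, 3, 25)},
    {"id": "V-3", "host": "WS-FIN07", "rank": "Medium",
     "identified": date(2015, 3, 10), "remediated": date(2015, 4, 19)},
    {"id": "V-4", "host": "SRV-WEB02", "rank": "High",
     "identified": date(2015, 4, 1), "remediated": None},
    {"id": "V-5", "host": "WS-FIN07", "rank": "Low",
     "identified": date(2015, 4, 20), "remediated": None},
]

# Assumed remediation targets (days) per risk ranking, i.e. policy values.
SLA_DAYS = {"High": 14, "Medium": 30, "Low": 90}
REPORT_DATE = date(2015, 5, 15)


def mttr_by_rank(findings):
    """Mean days from identification to remediation per ranking, closed only."""
    days = defaultdict(list)
    for f in findings:
        if f["remediated"] is not None:
            days[f["rank"]].append((f["remediated"] - f["identified"]).days)
    return {rank: mean(v) for rank, v in days.items()}


def overdue_open(findings, report_date):
    """Open findings whose age already exceeds the SLA for their ranking."""
    out = []
    for f in findings:
        if f["remediated"] is None:
            age = (report_date - f["identified"]).days
            if age > SLA_DAYS[f["rank"]]:
                out.append((f["id"], f["host"], f["rank"], age))
    return out


def sla_breaches(findings):
    """Closed findings that took longer than their SLA (candidates for RCA)."""
    return [f["id"] for f in findings
            if f["remediated"] is not None
            and (f["remediated"] - f["identified"]).days > SLA_DAYS[f["rank"]]]


def patch_rag(in_compliance, total, green_at=0.95, yellow_at=0.85):
    """Daily endpoint patch status from the share of systems in compliance.
    No systems reporting at all is treated as Red: silence is not compliance."""
    if total == 0:
        return "Red"
    ratio = in_compliance / total
    if ratio >= green_at:
        return "Green"
    if ratio >= yellow_at:
        return "Yellow"
    return "Red"


if __name__ == "__main__":
    print("MTTR by rank:", mttr_by_rank(FINDINGS))
    print("overdue open:", overdue_open(FINDINGS, REPORT_DATE))
    print("SLA breaches:", sla_breaches(FINDINGS))
    print("patch status today:", patch_rag(88, 100))
```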
Confirm Incident Definitions, Review, Response
• Scheduled outputs to central mailbox (restrict delete)
• Track incident notifications
• Establish and RUN Rules for follow up
• Set Flags to communicate closed corrective action
People and Access – Focus on Integrated Reporting
Access Governance
• Use PowerShell to gather all local Admin accounts on all systems
• Use ADManager or other tools to pull all members in all groups
• Compare active users in HR Systems to Roles granted to all identities
• Track effectiveness of department security roles and access grants
• Publish exception policy and have management sign off at least quarterly
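An added example, not the deck's own code, of the HR-to-access comparison and the quarterly exception sign-off check described above, run in Python over constructed exports; the CSV layouts, the exception-register fields and the 91-day quarter are assumptions.

```python
"""Access-governance reconciliation: compare the HR active population with the
group roles and local Administrators grants actually present on systems.
Added example, not from the original deck; the CSV layouts and the
exception-register fields are assumptions made for illustration."""
import csv
import io
from datetime import date, timedelta

# Constructed sample exports standing in for the sources the deck names: an HR
# user export, an AD group-membership pull (ADManager or similar) and a local
# Administrators inventory gathered host by host (for example with PowerShell).
HR_EXPORT = """employee_id,username,department,status
1001,asmith,Finance,Active
1002,bjones,IT,Active
1003,cwu,SaaS Operations,Terminated
1004,dlee,IT,Active
"""
GROUP_MEMBERS = """group,username
Domain Admins,bjones
Domain Admins,cwu
Finance-Reporting,asmith
Finance-Reporting,dlee
SaaS-Ops-Oncall,cwu
"""
LOCAL_ADMINS = """host,account
SRV-DB01,bjones
SRV-DB01,svc_backup
SRV-WEB02,cwu
SRV-WEB02,svc_legacy
WS-FIN07,tmpadmin
"""
# Exception register (constructed): approved deviations and the date management
# last signed them off. The deck asks for sign-off at least quarterly, so an
# exception signed longer ago than a quarter no longer covers the grant.
EXCEPTIONS = [
    {"account": "svc_backup", "host": "SRV-DB01", "signed_off": date(2015, 3, 1)},
    {"account": "svc_legacy", "host": "SRV-WEB02", "signed_off": date(2014, 10, 15)},
]
QUARTER = timedelta(days=91)
REVIEW_DATE = date(2015, 5, 15)


def read_rows(text):
    """Parse a CSV export held in memory into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def active_users(hr_text):
    """Usernames HR lists as Active; nobody else should hold a role."""
    return {r["username"] for r in read_rows(hr_text) if r["status"] == "Active"}


def known_users(hr_text):
    """Every username HR knows, active or not (tells people from service accounts)."""
    return {r["username"] for r in read_rows(hr_text)}


def current_exception(account, host, exceptions, review_date):
    """True if a signed exception covers this grant and is under a quarter old."""
    return any(e["account"] == account and e["host"] == host
               and review_date - e["signed_off"] <= QUARTER for e in exceptions)


def expired_exceptions(exceptions, review_date):
    """Exceptions whose quarterly management sign-off has lapsed."""
    return [e for e in exceptions if review_date - e["signed_off"] > QUARTER]


def reconcile(hr_text, group_text, admin_text, exceptions, review_date):
    """Return findings by type; each entry names the identity and where the grant
    lives, which is what a corrective-action ticket needs."""
    active, known = active_users(hr_text), known_users(hr_text)
    findings = {"orphaned_role": [], "orphaned_local_admin": [],
                "unapproved_local_admin": []}
    # Group roles held by identities HR does not list as active: leavers,
    # contractors whose record ended, or accounts HR never knew about.
    for r in read_rows(group_text):
        if r["username"] not in active:
            findings["orphaned_role"].append((r["username"], r["group"]))
    # Local Administrators: an active person is fine; a known but inactive person
    # is an orphan; anything else (service or ad-hoc accounts) needs a current,
    # signed exception.
    for r in read_rows(admin_text):
        account, host = r["account"], r["host"]
        if account in active:
            continue
        if account in known:
            findings["orphaned_local_admin"].append((account, host))
        elif not current_exception(account, host, exceptions, review_date):
            findings["unapproved_local_admin"].append((account, host))
    return findings


if __name__ == "__main__":
    result = reconcile(HR_EXPORT, GROUP_MEMBERS, LOCAL_ADMINS, EXCEPTIONS, REVIEW_DATE)
    for kind, items in result.items():
        print(kind, items)
    print("exceptions due for re-sign-off:",
          [e["account"] for e in expired_exceptions(EXCEPTIONS, REVIEW_DATE)])
```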
How can audit drive security? Manage Corrective Actions!
Data System Relationships to Audit, Classification, Risk
• Assets include Applications, Products, Services, File Shares, Devices, OS, Infrastructure
• Assets are owned, administered, developed, supported, classified, documented
• Data and transactions source audit information
Get The Data – Trend and Report – Examples of Data Sources
Inversion of Control v. Faith – Managing Complexity through Framework
• Each control is a data point with related Information Security Governance Processes – Policies - SOP, Corporate Strategic Objectives, Department Strategic and Tactical Objectives, Business Risks, Control RACI, Control Programs, Initiatives, People, Tools, Access Profiles and Asset Profiles.
• The GRC must collectively represent reliable information to inform our management, shareholders and customers that we manage our risks.
• GRC has to help management make us more secure
Document and Follow a Data Collection Practice
Implement a meaningful output process
• Data collection strategy
• Source coverage – the architecture stack
• Test mapping
• Validation process
• Imports, Reference Tables, Audit Queries
• Output to Corrective Actions tracking
Give Management Knowledge – Fact based observations
Answer Their Questions
Continuous Feedback – GAP in ISMS
Risk Reporting – Tie Controls to Corporate Risks (The 10K)
• Use the data collection strategy to inform corporate risk
• Make all reports “personal” by assigning programs, departments and key initiatives
• Incorporate notification strategies
• Maintain and gain consensus
The risks identified have actual probability – get the lessons learned
REMEMBER: It’s always about money – (Materiality)
• Financial statement audits measure materiality in monetary terms
• Integrated Audit provides IT assurance on non-financial items, requiring alternative measures (maturity models and process assurance methodology).
• We meet objectives so we can make money or retain money.
Focus on Effectiveness GAP v. Audit Bar
Columns: Control ID | Control Objective | Control Effectiveness | Test ID | Heat | In place | GAP | Accountable

DS5 | Ensure Systems Security | Needs Strengthening (Important) | DS5 5.1 Management of IT Security; DS5 5.2 IT Security Plan; DS5 5.3 Identity Management; DS5 5.4 User Account Asset Provisioning and De-Provisioning; DS5 5.5 Security Testing, | 36 | 3/31/2015 | -2 | IT: Sr. VP, IT & CIO; IT: Chief Security Officer; SaaS Operations: VP, SAAS

DS2 | Manage Third-party Services | Needs Strengthening (Minor) | DS2 2.1 Identification Supplier Relationships; DS2 2.3 Supplier Risk Management | 34 | 3/31/2015 | -2 | IT; IT: Director, Information Risk Mgt

AI1 | Identify Automated Solutions | Needs Strengthening (Important) | AI1 1.1 Definition Maintenance Business Functional Technical Requirement; AI1 1.4 Requirements and Feasibility Decision and Approval; ISMS_6.1.5 Information security in project management | 27 | 3/31/2015 | -2 | IT: Sr. VP, IT & CIO; Product Development: EVP, CTO

DS10 | Manage Problems | Needs Strengthening (Minor) | DS10 10.1 Identification and Classification of Problems; DS10 10.2 Problem Tracking and Resolution; DS10 10.3 Problem Closure; DS10 10.4 Integration of Change, Configuration and Problem | 26 | 3/31/2015 | -2 | SaaS Operations: VP, SAAS Operations

DS4 | Ensure Continuous Service | Needs Strengthening (Minor) | DS4 4.1 IT Continuity Framework; DS4 4.2 Continuity Plans for Accounting and MIS Transaction Services; DS4 4.3 Critical IT Resources; DS4 4.4 Maintenance of the IT Continuity Plan; DS4 4.5 Testing of | 26 | 3/31/2015 | -2 | IT: Sr. VP, IT & CIO

DS9 | Manage the Configuration | Needs Strengthening (Minor) | DS9 9.1 Configuration Repository and Baseline Servers and Standard desktop; DS9 9.2 Identification and Maintenance of Configuration Items; DS9 9.3 Configuration Integrity | 14 | 3/31/2015 | -2 | SaaS Operations: VP, SAAS Operations

AI5 | Procure IT Resources | Needs Strengthening (Minor) | AI5 5.4 Software Acquisition; AI5 5.3 Supplier Selection; AI5 5.2 Supplier Contract Management; AI5 5.1 Procurement Control | 12 | 3/31/2015 | -2 | IT: Director, Information Risk Mgt

DS13 | Manage IT Operations | Needs Strengthening (Minor) | DS13 13.5 Preventive Maintenance for Hardware; DS13 13.4 Sensitive Documents and Output Devices; DS13 13.3 Infrastructure Monitoring; DS13 13.2 Event Monitoring data Transaction | 12 | 3/31/2015 | -1 | SaaS Operations: VP, SAAS Operations

AI7 | Install and Accredit Solutions and Changes | Needs Strengthening (Minor) | AI7 7.1 Release Planning and Training; AI7 7.2 Release Test Plan; AI7 7.3 Implementation Plan; AI7 7.4 Test Environment; AI7 7.5 System and Data Conversion; AI7 7.6 Testing of Product | 10 | 3/31/2015 | -2 | Technical Support: VP, Technical Support

DS1 | Define and Manage Service Levels | Needs Strengthening (Minor) | DS1 1.1 Service Level Management Framework - Encompass; DS1 1.2 Definition of Services - PSA and Encompass; DS1 1.3 Service Level Agreements - SBP - PSA and | 9 | 3/31/2015 | -1 | SaaS Operations: Sr. IT Services Manager
• Use control effectiveness to predict and prepare for external audit
• Have a detailed corrective action plan
• Measure heat, impact, likelihood, controllability, plus GAP to strategic maturity
• If a control isn’t owned, find out how important it is to the board
Risk Reports distributed to VP and executives
Management uses Executive Strategy to determine Risk Response
Avoid - Action
• PROHIBIT unacceptable high risk activities, transactions, financial losses, and asset exposures through appropriate limit structures and corporate standards.
• STOP specific activities by redefining objectives, refocusing strategies or redirecting resources.
• ELIMINATE at the source by designing and implementing internal preventive processes.
Accept and Control
• ACCEPT risk at its present level taking no further action.
• PLAN for well-defined contingencies by documenting a responsive plan and empowering people to make decisions and periodically test and, if necessary, execute the plan.
• CONTROL risk through internal processes that reduce the likelihood of events occurring to an acceptable level.
Share - Directions
• SHARE risk/rewards of investing in new markets and products by entering into alliances or joint ventures.
• CREATE new value-adding products, services and channels.
• RENEGOTIATE existing contractual agreements to reshape risk profile, i.e. transfer or reduce.
Thank You for your time
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
FODUU
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
Techgropse Pvt.Ltd.
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 

Recently uploaded (20)

20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 

Does audit make us more secure

  • 1. Does Audit Make us Secure? (http://www.enterprisegrc.com)
       Presented at ISACA SV Spring Conference, May 15th 2015
       Robin Basham, M.Ed, M.IT, CISA, CRISC, CGEIT, HISP, CRP, VRP, Founder EnterpriseGRC Solutions
  • 2. Companies that passed audit and had a major breach
       - March 18, 2015: “Three weeks before hackers infiltrated Premera Blue Cross, federal auditors warned the company that its network-security procedures were inadequate.”
       - The Heartland intrusion began in May 2008, even though the company had passed multiple audits, including one conducted on Apr. 30. At the time, the Princeton (N.J.) company was in compliance with industry standards for data security, Carr says. Still, shortly afterward, 13 pieces of malware that capitalize on weaknesses in Microsoft (MSFT) software infiltrated one or more network servers.
       - "We get pinged 200,000 times per day by people trying to hack into our system," Carr says. "You do everything you can to make sure one of those pings doesn't get through, and we thought we had done everything we could do."
  • 3. Does audit make us secure? Why not?
  • 4. “We get pinged more than 200,000 times per day” So what?
  • 5. Is it just me?
       - We establish “scope” and imply permission for less secure practices on lower impact systems
       - We audit what we understand and miss the most important areas of risk
       - We expose a wide range of people to known areas of weakness
       - We distract people from their core responsibilities
       - We create a false sense of security by under-representing complex and broken processes
  • 6. Did I Pick the Right form of Risk Assessment?
       - If our goal is to determine if we are secure, pick the right risk assessment methods
       - If our goal is to enable a more secure enterprise, engage business partners to provide meaningful metrics that inform choices and decisions about the architecture
       - Integrated Audit (GRC) assists management to set compliance goals, track where process evidence is stored, and enable continuous improvement through internal control self assessment.
  • 7. GRC Contributes by using a Cyber Security Model
       - Identify – CMDB, People, Process, Technology, relationships, alignment to controls
       - Protect – Architecture, Infrastructure, Monitoring
       - Detect – Defined Sources, Collection, Interpretation, Reporting Methods
       - Respond – RCA, Corrective Action, Management Meetings, Plans, Optimization Targets
       - Recover – Configuration baselines, response plans, lessons learned, Wiki, documentation, BIA
  • 9. GRC Team Tracks to Inform Control Design & Risk
       - Intrusion Detection Systems (IDS) events
       - Virus Alerts and corresponding HelpDesk cases to clean infected systems
       - DLP events and confirmation on false positives, loss events and corrective actions
       - Vulnerabilities Identified, risk ranking, effort and plan to remediate, status to remediate
       - Patch requirements and mean time to remediate (MTTR)
       - Daily Anti-Virus status (Red, Yellow, Green), # of events blocked, cleaned, definition updates
       - Daily end point patching, # of systems in and out of compliance
       - Daily system backups – systems not backed up
       - Number of Volume copies made, saved, purged
       - Security Project Plans, Milestones, Issues or Blockers
       - Infrastructure remediation through tickets and change requests
       - Post Implementation Effectiveness for corrected security problems (ROI)
       - Template Configurations
       - NON template configurations
       - Systems Monitored
       - Services per system
  • 10. Confirm Incident Definitions, Review, Response
       - Scheduled outputs to central mailbox (restrict delete)
       - Track incident notifications
       - Establish and RUN Rules for follow up
       - Set Flags to communicate closed corrective action
  • 11. People and Access – Focus on Integrated Reporting Access Governance
       - Use PowerShell to gather all local Admin accounts on all systems
       - Use ADManager or other tools to pull all members in all groups
       - Compare active users in HR Systems to Roles granted to all identities
       - Track effectiveness of department security roles and access grants
       - Publish exception policy and have management sign off at least quarterly
  • 12. How can audit drive security? Manage Corrective Actions!
  • 13. Data System Relationships to Audit, Classification, Risk
       - Assets include Applications, Products, Services, File Shares, Devices, OS, Infrastructure
       - Assets are owned, administered, developed, supported, classified, documented
       - Data and transactions source audit information
  • 14. Get The Data – Trend and Report – Examples of Data Sources
  • 15. Inversion of Control v. Faith – Managing Complexity through Framework
       - Each control is a data point with related Information Security Governance Processes – Policies - SOP, Corporate Strategic Objectives, Department Strategic and Tactical Objectives, Business Risks, Control RACI, Control Programs, Initiatives, People, Tools, Access Profiles and Asset Profiles.
       - The GRC must collectively represent reliable information to inform our management, shareholders and customers that we manage our risks.
       - GRC has to help Management to make us more secure
  • 16. Document and Follow a Data Collection Practice – Implement a meaningful output process
       - Data collection strategy
       - Source coverage – the architecture stack
       - Test mapping
       - Validation process
       - Imports, Reference Tables, Audit Queries
       - Output to Corrective Actions tracking
  • 17. Give Management Knowledge – Fact based observations – Answer Their Questions
  • 18. Continuous Feedback – GAP in ISMS
  • 19. Risk Reporting – Tie Controls to Corporate Risks (The 10K)
       - Use the data collection strategy to inform corporate risk
       - Make all reports “personal” by assigning programs, departments and key initiatives
       - Incorporate notification strategies
       - Maintain and gain consensus
  • 20. The risks identified have actual probability – get the lessons learned
  • 21. REMEMBER: It’s always about money – (Materiality)
       - Financial statement audits measure materiality in monetary terms
       - Integrated Audit provides IT assurance on non-financial items, which requires alternative measures (maturity models and process assurance methodology).
       - We meet objectives so we can make money or retain money.
  • 22. Focus on Effectiveness GAP v. Audit Bar
       Control ID | Control Objective | Control Effectiveness | Test ID | Heat | In place | GAP | Accountable
       DS5 | Ensure Systems Security | Needs Strengthening (Important) | DS5 5.1 Management of IT Security; DS5 5.2 IT Security Plan; DS5 5.3 Identity Management; DS5 5.4 User Account Asset Provisioning and De-Provisioning; DS5 5.5 Security Testing, | 36 | 3/31/2015 | -2 | 170000 IT: Sr. VP, IT & CIO; 170000 IT: Chief Security Officer; 740000 Saas Operations: VP, SAAS
       DS2 | Manage Third-party Services | Needs Strengthening (Minor) | DS2 2.1 Identification Supplier Relationships; DS2 2.3 Supplier Risk Management | 34 | 3/31/2015 | -2 | 170000 IT; 170000 IT: Director, Information Risk Mgt
       AI1 | Identify Automated Solutions | Needs Strengthening (Important) | AI1 1.1 Definition Maintenance Business Functional Technical Requirement; AI1 1.4 Requirements and Feasibility Decision and Approval; ISMS_6.1.5 Information security in project management | 27 | 3/31/2015 | -2 | 170000 IT: Sr. VP, IT & CIO; 310000 Product Development: EVP, CTO
       DS10 | Manage Problems | Needs Strengthening (Minor) | DS10 10.1 Identification and Classification of Problems; DS10 10.2 Problem Tracking and Resolution; DS10 10.3 Problem Closure; DS10 10.4 Integration of Change, Configuration and Problem | 26 | 3/31/2015 | -2 | 740000 Saas Operations: VP, SAAS Operations
       DS4 | Ensure Continuous Service | Needs Strengthening (Minor) | DS4 4.1 IT Continuity Framework; DS4 4.2 Continuity Plans for Accounting and MIS Transaction Services; DS4 4.3 Critical IT Resources; DS4 4.4 Maintenance of the IT Continuity Plan; DS4 4.5 Testing of | 26 | 3/31/2015 | -2 | 170000 IT: Sr. VP, IT & CIO
       DS9 | Manage the Configuration | Needs Strengthening (Minor) | DS9 9.1 Configuration Repository and Baseline Servers and Standard desktop; DS9 9.2 Identification and Maintenance of Configuration Items; DS9 9.3 Configuration Integrity | 14 | 3/31/2015 | -2 | 740000 Saas Operations: VP, SAAS Operations
       AI5 | Procure IT Resources | Needs Strengthening (Minor) | AI5 5.4 Software Acquisition; AI5 5.3 Supplier Selection; AI5 5.2 Supplier Contract Management; AI5 5.1 Procurement Control | 12 | 3/31/2015 | -2 | 170000 IT: Director, Information Risk Mgt
       DS13 | Manage IT Operations | Needs Strengthening (Minor) | DS13 13.5 Preventive Maintenance for Hardware; DS13 13.4 Sensitive Documents and Output Devices; DS13 13.3 Infrastructure Monitoring; DS13 13.2 Event Monitoring data Transaction | 12 | 3/31/2015 | -1 | 740000 Saas Operations: VP, SAAS Operations
       AI7 | Install and Accredit Solutions and Changes | Needs Strengthening (Minor) | AI7 7.1 Release Planning and Training; AI7 7.2 Release Test Plan; AI7 7.3 Implementation Plan; AI7 7.4 Test Environment; AI7 7.5 System and Data Conversion; AI7 7.6 Testing of Product | 10 | 3/31/2015 | -2 | 720000 Technical Support: VP, Technical Support
       DS1 | Define and Manage Service Levels | Needs Strengthening (Minor) | DS1 1.1 Service Level Management Framework - Encompass; DS1 1.2 Definition of Services - PSA and Encompass; DS1 1.3 Service Level Agreements - SBP - PSA and | 9 | 3/31/2015 | -1 | 740000 Saas Operations: Sr. IT Services Manager
       - Use control effectiveness to predict and prepare for external audit
       - Have detailed corrective actions plan
       - Measure heat, impact, likelihood, controllability, plus GAP to strategic maturity
       - If a control isn’t owned, find out how important it is to the board
  • 23. Risk Reports distributed to VP and executives
  • 24. Management uses Executive Strategy to determine Risk Response
       Avoid - Action
       • PROHIBIT unacceptable high risk activities, transactions, financial losses, and asset exposures through appropriate limit structures and corporate standards.
       • STOP specific activities by redefining objectives, refocusing strategies or redirecting resources.
       • ELIMINATE at the source by designing and implementing internal preventive processes.
       Accept and Control
       • ACCEPT risk at its present level taking no further action.
       • PLAN for well-defined contingencies by documenting a responsive plan and empowering people to make decisions and periodically test and, if necessary, execute the plan.
       • CONTROL risk through internal processes that reduce the likelihood of events occurring to an acceptable level.
       Share - Directions
       • SHARE risk/rewards of investing in new markets and products by entering into alliances or joint ventures.
       • CREATE new value-adding products, services and channels.
       • RENEGOTIATE existing contractual agreements to reshape risk profile, i.e. transfer or reduce.
  • 25. Thank You for your time
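As an added example that is not part of the slides above, one way to carry out the first and third bullets of slide 11 in PowerShell: gather local Administrators membership from a list of Windows hosts and reconcile each account against the HR active-user list and the published exception list, flagging local accounts, nested groups and identities HR no longer considers active. The host names, account names, HR list and exception list are constructed; Invoke-Command and Get-LocalGroupMember are real cmdlets (Windows PowerShell 5.1 or later, WinRM enabled, admin rights on each host).

```powershell
# Collect local Administrators membership from each host. Assumes WinRM is
# enabled and the caller is an administrator on the target systems.
function Get-LocalAdminMembership {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Account     = $_.Name             # e.g. CORP\jdoe or HOST\LocalAdmin
                ObjectClass = $_.ObjectClass      # User or Group
                Source      = $_.PrincipalSource  # Local, ActiveDirectory, ...
            }
        }
    } | Select-Object Computer, Account, ObjectClass, Source
}

# Reconcile collected members against HR's active users and the exception policy.
# $HrActiveUsers and $ApprovedExceptions hold sAMAccountName values.
function Compare-AdminsToHr {
    param(
        [Parameter(Mandatory)] $AdminMembers,
        [Parameter(Mandatory)] [string[]] $HrActiveUsers,
        [string[]] $ApprovedExceptions = @()
    )
    foreach ($m in $AdminMembers) {
        $sam = ($m.Account -split '\\')[-1]   # strip the DOMAIN\ or HOST\ prefix
        $finding =
            if ($m.ObjectClass -eq 'Group')           { 'Group grant - review group membership separately' }
            elseif ($m.Source -eq 'Local')            { 'Local account - not tied to an HR identity' }
            elseif ($HrActiveUsers -contains $sam)    { 'OK' }
            elseif ($ApprovedExceptions -contains $sam) { 'Approved exception - confirm quarterly sign-off' }
            else                                      { 'Not an active HR user - orphaned or terminated' }
        [pscustomobject]@{ Computer = $m.Computer; Account = $m.Account; Finding = $finding }
    }
}

# Constructed sample data so the reconciliation runs without any remote host.
$sampleMembers = @(
    [pscustomobject]@{ Computer = 'SRV01'; Account = 'CORP\jdoe';          ObjectClass = 'User';  Source = 'ActiveDirectory' }
    [pscustomobject]@{ Computer = 'SRV01'; Account = 'CORP\svc_backup';    ObjectClass = 'User';  Source = 'ActiveDirectory' }
    [pscustomobject]@{ Computer = 'SRV01'; Account = 'SRV01\LocalAdmin';   ObjectClass = 'User';  Source = 'Local' }
    [pscustomobject]@{ Computer = 'SRV02'; Account = 'CORP\bsmith';        ObjectClass = 'User';  Source = 'ActiveDirectory' }
    [pscustomobject]@{ Computer = 'SRV02'; Account = 'CORP\Domain Admins'; ObjectClass = 'Group'; Source = 'ActiveDirectory' }
)
$hrActive   = @('jdoe', 'asingh')   # constructed: bsmith has left the company
$exceptions = @('svc_backup')       # constructed: service account on the signed exception list

# Report everything that is not a clean match; these rows feed corrective-action tracking.
Compare-AdminsToHr -AdminMembers $sampleMembers -HrActiveUsers $hrActive -ApprovedExceptions $exceptions |
    Where-Object Finding -ne 'OK' | Format-Table -AutoSize

# Against real hosts, replace $sampleMembers with:
#   Get-LocalAdminMembership -ComputerName (Get-Content .\servers.txt)
```

Exporting the non-OK rows with Export-Csv each run gives the quarterly sign-off on slide 11 a dated evidence trail per system.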

Editor's Notes

  1. Significance of 200,000 times a day. What is the answer to “everything we could”
  2. My approach is heavily based on Configuration Management using CobiT
  3. How can governance, risk and compliance programs help management to make us more secure?
  4. In 2002, I had to study this concept to pass an exam for Java Enterprise – JBOSS concept
  5. This is from the DevOps training AND the benchmark slides on Resilience delivered by Jason Chan of Netflix.