A very practical approach on how to build your lean information security GRC (governance, risk and compliance) framework.

1. How to design your lean GRC
(governance, risk and
compliance) framework
Bangkok – March 15th
Maxime CARPENTIER - CIO
Governance, Risks & Compliance

2. Page n° 2 P
Overview
 What is the key of information security governance, risk &
compliance?
 How do you meet your governance, risk and compliance
requirements and prevent a data breach?
 Understanding the spirit of risk management.
 Create a customized information security management
system (ISMS) for your business.
 Designing and implementing a cost-effective ISMS to
minimize your risk of a breach.
 Meet your legislative obligations (Data Protection Act),
regulatory (Payment Card Industry), or industry standard
(ISO-27001) compliance requirements.

3. Standard compliance requirements
 Practical ISMS [information security management system ]
documentation structure.
 Scope, objectives & risk strategy examples.
 Risk treatment plan, asset register & classification guide
examples.
 Policy frameworks.
 Control objectives, evidence & policy examples.
 Audit & testing documentation examples.
ALKIA IT Services © 2016 - maxime@alkia.org - All rights reserved Page n° 3 P

4. The 4 GRC key components
ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved Page n° 4 P
Governance
Policy
Scope &
Objectives
Risk
Strategy
Management
Processes

5. Step 1 | Practical Questions
 What are we trying to protect ?
 Why are we trying to protect ?
 Who’s responsible for protecting it?
 What will we do to protect it ?
 What will we do to ensure it is protected ?
 What we will not do to ensure it is protected ?
 What will happen if we fail to protect it ?
 What are our escalation means should a breach
happen?
ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved Page n° 5 P

6. ISMS Practical format rules
 Keep it simple
 Concise writing, good visuals
 Clear goals
 Scalable
 Mentioning Assigned Owners
 Centrally located and easily accessible
 Signed by the CEO
ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved Page n° 6 P

7. Step 2 | Define your ISMS Structure
Scope &
Objectives
Governance
Management • Responsibilities
Risk
Strategy
• Identify
• Risk treatment
• Minimize
• Testing & Remediation
• Manage
• Policies & Procedures
ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved Page n° 7 P
ISMS

8. Scope & objectives
 Locations
 Staff
 Systems
 Suppliers
 Partners
 Clients
Page n° 8
Scope &
Objectives
ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved
List all applicable entities:

9. Scope example
Scope : The XXXX ISMS is comprising the following:
 Staff 1252
 Locations 4 (Bangkok,Hong Kong,Singapore,Jakarta)
 Systems 7
 Suppliers 23 (IBM, EMC … )
 Partners 5 (Alkia…)
 Clients 168
Page n° 9
Scope &
Objectives
ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved

10. Objectives
This step defines the WHY that support the HOW. It’s the
backbone of the ISMS, be clear, consistent and
comprehensive.
 Detect breach
 Stop a breach
 Comply to a PCI (Payment Card Industry)
 Comply to a DPA (Data Protection Act)
 Protect your IP (Intellectual property)
 Protect your brand
Page n° 10
Scope &
Objectives
ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved

11. Objectives example
Objective: The objectives of the XXXX are ordered as
follows:
 To ensure the appropriate protection of XXXX sensitives
information processed, stored or transmitted on
corporate ICT systems
 To ensure the appropriate protection of XXXX customer
information processed, stored or transmitted on
corporate ICT systems
 To prevent a breach or unauthorized access to XXXX
systems
 To protect the XXX brand reputation
Page n° 11
Scope &
Objectives
ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved

12. Governance
 List your requirements
 Internal (your policies, anti money-laundering, anti
slavery, fair trade)
 External:
 PCI
 DPA
 ISO
Page n° 12
Governance
ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved

13. Governance example
Information Security Management System Governance
framework are defined as follows:
 ISMS is implemented to meet the principles established
by Singapore’s DPA
 XXXX meets all parts of the PCI (Payment Card
Industry) Data Security Standards (DSS) V3
 XXXX meets the Sarbanes-Oxley Act 2002
requirements
Page n° 13
Governance
ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved

14. Management
Management gives the operational framework and the top
executive visibility of your operational security
 Business accountability
 Liability
 Big picture
 Leadership statements
 Visibility
 Audit landscape
Page n° 14
Board of directors
Executive
Management
Senior Information
Security management
Information Security
Practitioner
Management
ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved

15. Management example
The role and responsibilities for the ISMS management are as
follows:
Board of directors: shall be responsible for identifying the
key corporate information assets and verifying that the
protection levels and the priorities established in the ISMS are
appropriate.
Executive Management: Shall be responsible for setting the
tone for the information security management and ensure that
the necessary functions, resources and infrastructure are
available an properly utilized to meet the objectives.
Senior Information Security management: Shall be
responsible for developing the security and risk mitigation
strategies, implementing security and risk programs and
managing security incidents & remediation activities.
Information Security Practitioner: Shall be responsible for
designing, implementing and managing processes and
technical controls. Respond to events and incidents.
Page n° 15
Board of
directors
Executive
Management
Senior
Information
Security
management
Information
Security
Practitioner
Management
ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved

16. Risk Strategy
Page n° 16
 What is it?
 How will you address this?
 What sequence of action?
 State concise tactical statement
 Your company risk appetite
 Ensure Board support
Risk
Identify
MinimizeManage
Risk
Strategy
ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved

17. Risk Strategy example
Page n° 17
 In order to meet the stated objectives XXX shall
execute a strategy to identify, minimize and manage
the risks to their information assets through the
implementation of a Risk Treatment Plan.
 Testing and remediation activities are implemented
through the information security policies and procedure
book.
Risk
Strategy
ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved

18. Responsibilities
This is the “Who” component of the security system.
 Day to day accountability, assigned owners (position not
people)
 Detailed processes
 Detailed actions
 Designed to ensure ISMS is on-going
Page n° 18
Risk
Strategy
ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved

19. Responsibility example
Page n° 19ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved

20. Step 3 | Risk Treatment Plan
 The risk treatment plan is your method (the how).
 Represents the execution plan, directly derived from
your risk strategy.
 List on one board the risks, their occurrence probability,
their potential impacts and their criticity
 Risk calculation formula based on Information asset
value and risk tolerance & resilience.
 Keep in mind: Risk criticity = Threat x Probability x
Impact
 Check it always answer well:
 What are we protecting?
 Why are you protecting?
Page n° 20ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved

21. Additional outputs
 Information Classification Guide
Specific about what
you are protecting
 Information Asset Risk Register
Stating why you are protecting it. What are the impacts on the
company operation, sales or reputation.
Page n° 21ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved

22. Step 4 | Risk management
5 fundamental steps:
1. Identify your assets
2. Identify the potential vulnerabilities and threats to
these assets
3. For each threat, quantify the probability of
occurrence
4. Calculate the impact of the incident on your business
5. Implement cost-effective controls
Page n° 22ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved

23. Testing & remediation strategy
Describes how the control and the remediation are
effective. Check the coverage (are all assets covered
according to their level of criticity).
 Verification of controls
 Things in place are working
 What?
 When?
 Who?
 How?
 Remedial status
Page n° 23ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved

24. Policies & Procedures
 Never write a policy that you can’t or won’t enforce
Example if you write a policy that state “download is strictly
forbidden” and it happen that a key employee inadvertively
did download and cannot be fired, it is all the value of your
policies and therefor their efficiency that is diminished.
 Never write a policy that you can’t monitor or verify
for compliance
Never state something you cannot prove it has been
complied with.
Page n° 24ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved

25. Example of framework
Page n° 25ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved

26. Q & A
 How much security do I need?
An ISMS is exactly what you need, but do it well. By starting the
process you will define your needs by state you assets, what
protection they request and what budget they deserve. Without
starting this journey you will be lost, lacking strategy.
 What is the core objective of building a GRC?
We are going to minimize the risks for this company, in a clear and
consistent way.
 What is a good ISMS?
It’s a framework that effectively covers what the strategy plan
states.
ALKIA IT Services © 2016 - maxime@alkia.net - All rights reserved Page n° 26 P