The Tao of GRC

•Download as PPTX, PDF•

1 like•776 views

Summary The GRC (governance, risk and compliance) market is driven by three factors: government regulation such as Sarbanes-Oxley, industry compliance such as PCI DSS 1.2 and growing numbers of data security breaches and Internet acceptable usage violations in the workplace. $14BN a year is spent in the US alone on corporate-governance-related IT spending1. Are large internally-focused GRC systems the solution for improving risk and compliance? Or should we go outside the organization to look for risks we’ve never thought about and discover new links and interdependencies2. This article introduces a practical approach that will help the CISOs/CSOs in any sized business unit successfully improve compliance and reduce information value at risk. We call this approach “The Tao of GRC” and base it on 3 principles. 1. Adopt a standard language of threats 2. Learn to speak the language fluently 3. Go green – recycle your risk and compliance

Technology Business

The Tao of GRC Danny Lieberman Software Associates

Agenda The flavors The Tao Why it works 4

GRC comes in 3 flavors Government Industry Vendor-neutral standards 5

Government SOX, HIPAA, EU Privacy Protect consumer Top-down risk analysis 6

Industry PCI DSS Protect card associations No risk analysis 7

Vendor-neutral standards ISO2700x Protect information assets Audit focus 8

4 mistakes CIOS make 9 Focus on process while ignoring that hackers attack software Relabel vendors as partners Confuse business alignment with risk reduction

Both attackers and defenders have imperfect knowledge in making their decisions. 10

Mobile clinical assistants Regulatory:Hospitals had to wait 90 days before applying remedy. Unplanned Internet access, 300 devices infected by Conficker. 11

The Tao of GRC Adopt common threat language Learn to speak well Go green 13

Countermeasures mitigate vulnerabilitiesto reduce risk.Attacker 16

Countermeasure C41– Disable USB Countermeasure C53– Use Ubuntu Countermeasure C67– Software security assessment Sample threat scenario 18 Attackers

VaR 19 ValueAtRisk = Asset Value x Threat Probability x (1 – Countermeasure Effectiveness)

2. Learn to speak well Practice What threats count Prioritize 20

3. Go green Security is abouteconomics Attention to root causes Recycle control policies 23

Why the Tao works Threat models are transparent and recyclable. Transparency means more eyeballs can look at issues. Recyclingreduces cost More eyeballs improves security. Better security means safer products for customers Safer products is good for business. 24

Do you know how to identify and respond to cyberattacks? As the size, severity and frequency of hacks continues to grow, A-LIGN President Gene Geiger looks to assist organizations in managing and minimizing the risk of cyberattacks. This presentation will evaluate different security trends and risks, review a client environment and account compromise through social engineering, and provide practical advice on how to avert your organization from becoming compromised. As hackers become increasingly savvy at accessing accounts and sensitive information, this session will help your organization build a security foundation to avoid becoming another target. This presentation reviews the current data breach landscape, reviewing examples of real-world breaches; security trends and risks, including the consequences of a data breach; a case study of a social engineering attack; Actionable prevention tips and IT audits to secure your organization

FireEye Cyber Defense Summit 2016 Now What - Before & After The Breach

FireEye, Inc.

Tech Demo: Take the Ransom Out of Ransomware

marketingunitrends

Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...

Shawn Tuma

Shawn Tuma, a professional "breach guide" (aka, breach quarterback, coach, privacy counsel, etc), is an attorney who has practiced in cyber law since 1999. His day job as Co-Chair of Spencer Fane LLP's Data Privacy and Cybersecurity Practice is leading companies through the cyber incident response and recovery process. In this presentation, he provides a virtual tabletop exercise explaining the lifecycle of responding to a typical ransomware attack through a detailed timeline. The audio for this presentation, in podcast form, is here: https://www.secureworldexpo.com/resources/podcast-ransomware-attack-lifecycle

This presentation, Ransomware Rising, details the results of a survey of security professionals taken at RSA 2017, the world’s largest security conference, exploring their experiences with ransomware. Conducted Feb. 13-17, at RSA 2017, the in-person survey is based on responses from 170 attendees including IT professionals, managers and executives from the U.S. (77 percent), EMEA (13 percent) and other regions (11 percent). To learn more about preventing ransomware visit, http://bit.ly/2nwKICL

Vendor Landscape: Email Security Gateway

Info-Tech Research Group

The emails that you want are only the tip of the iceberg that you get. Your Challenge Within the email security gateway (ESG) marketplace, there are numerous vendors with varying options who all claim to be the perfect fit for your organization. It becomes challenging to sift through all the offerings and find the right one. An ESG must serve a multitude of functions for the organization, as well as meet an array of requirements, all of which can be hard to accurately assess and include confidently. IT security always struggles with costs. An email gateway can become expensive, but it is vital and thus needs to have a strong case made for implementation, improvement, or replacement scenarios. Our Advice Critical Insight Cloud adoption among business functions is already high. Moving email to the cloud is just another step. Take this into consideration when selecting an ESG. Advanced Persistent Threats (APTs) and Zero-Day attacks are changing the way organizations deal with threats. Recognize the need for greater visibility and tools that stay current with these developments. Impact and Result Understand developments within the ESG market to properly evaluate all capabilities and functions of an ESG. Evaluate ESG vendors and products based on your enterprise requirements. Determine which products are most appropriate for particular use cases and scenarios.

Outpost24 webinar - Improve your organizations security with red teaming

Outpost24

Achieving and Measuring Success with the Security Awareness Maturity Model

Priyanka Aash

Eliminating the Confusion Surrounding Cyber Insurance

Internetwork Engineering (IE)

Building an Android Scale Incident Response Process

Priyanka Aash

The Android ecosystem has over one billion active devices from hundreds of OEMs and carrier networks. The Android Security Team will explain how the ecosystem is able to respond quickly and effectively to security incidents. This will be part historical analysis of actual incidents, such as the Stagefright vulnerabilities, and part data-focused analysis of technology and processes we developed. (Source: RSA USA 2016-San Francisco)

Cyber Risk Management in the New Digitalisation Age - eSentinel™

Netpluz Asia Pte Ltd

The Board and Cyber Security

FireEye, Inc.

10 Steps to Better Security Incident Detection

Tripwire

* Why many organizations don’t successfully detect security breaches * How to best use existing security information and event management and log management tools * Other sources, including external ones, that can provide early indicators of a security breach * How to maximize the security resources you already have Watch the webcast here: http://www.tripwire.com/register/10-steps-to-better-security-incident-detection/

Aon Ransomware Response and Mitigation Strategies

CSNP

Grc tao.4Flaskdata.io

What's hot

Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...

EC-Council

What makes the IT industry tick?

Richard Stiennon

What endpoint protection solutions are available on the market today?

David Strom

10 Critical Corporate Cyber Security Risks

Heimdal Security

Netpluz | Protecting your Business with eSentinel | 360° Cyber Security Simpl...

Netpluz Asia Pte Ltd

2 factor authentication beyond password : enforce advanced security with au...

NetwayClub

2019 Cybersecurity Threats & Trends: The Chart Toppers & One-hit Wonders

Internetwork Engineering (IE)

2019 Cyber Security Trends

Internetwork Engineering (IE)

Cisco Connect 2018 Malaysia - Cisco incident response services-strengthen you...

NetworkCollaborators

CRI Cyber Board Briefing

OCTF Industry Engagement

Survey: Insider Threats and Cyber Security

Imperva

Rise of Ransomware

Imperva

Vendor Landscape: Email Security Gateway

Info-Tech Research Group

Outpost24 webinar - Improve your organizations security with red teaming

Outpost24

Achieving and Measuring Success with the Security Awareness Maturity Model

Priyanka Aash

Eliminating the Confusion Surrounding Cyber Insurance

Internetwork Engineering (IE)

Building an Android Scale Incident Response Process

Priyanka Aash

Cyber Risk Management in the New Digitalisation Age - eSentinel™

Netpluz Asia Pte Ltd

The Board and Cyber Security

FireEye, Inc.

10 Steps to Better Security Incident Detection

Tripwire

What's hot (20)

Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...

What makes the IT industry tick?

What endpoint protection solutions are available on the market today?

10 Critical Corporate Cyber Security Risks

Netpluz | Protecting your Business with eSentinel | 360° Cyber Security Simpl...

2 factor authentication beyond password : enforce advanced security with au...

2019 Cybersecurity Threats & Trends: The Chart Toppers & One-hit Wonders

2019 Cyber Security Trends

Cisco Connect 2018 Malaysia - Cisco incident response services-strengthen you...

CRI Cyber Board Briefing

Survey: Insider Threats and Cyber Security

Rise of Ransomware

Vendor Landscape: Email Security Gateway

Outpost24 webinar - Improve your organizations security with red teaming

Achieving and Measuring Success with the Security Awareness Maturity Model

Eliminating the Confusion Surrounding Cyber Insurance

Building an Android Scale Incident Response Process

Cyber Risk Management in the New Digitalisation Age - eSentinel™

The Board and Cyber Security

10 Steps to Better Security Incident Detection

Similar to The Tao of GRC

Aon Ransomware Response and Mitigation Strategies

CSNP

Grc tao.4Flaskdata.io

Security Intelligence: Finding and Stopping Attackers with Big Data Analytics

IBM Security

Attackers are using increasingly sophisticated methods to access your most sensitive data, and at the same time cloud, mobile and other innovations expand the perimeter you need to protect. This keynote discusses how to build a more secure enterprise with real-time analytics and behavior-based activity monitoring. Advanced Security Intelligence tools store, correlate and analyze millions of events and flows daily to identify critical incidents your security team needs to investigate. The volume, variety and velocity involved clearly defines Security as a “Big Data challenge.” Learn how advanced predictive analytics and incident forensics help defend against advanced attacks and respond to and remediate incidents quickly and effectively.

OSB50: Operational Security: State of the Union

Ivanti

Today's Breach Reality, The IR Imperative, And What You Can Do About It

Resilient Systems

Despite changing threats and the near certainty of compromise, most IT security programs are much the same as they were a decade ago. How have attacker motivations and tactics changed, and why? What does this mean for IT security departments, and how must they adapt? This webinar will detail the security challenges organizations face today, the implications of changes in attacker tactics and motivations, and what firms can do to better align their security program with today's reality. Our featured speakers for this webinar will be: - Ted Julian, Chief Marketing Officer, Co3 Systems - Colby Clark, Director of Incident Management, Fishnet Security

The 1% Who Can Take Down your Organization

CloudLock

Key Findings from the 2015 IBM Cyber Security Intelligence Index

IBM Security

View on-demand presentation: http://securityintelligence.com/events/ibm-2015-cyber-security-intelligence-index/ The cyber threat landscape is increasing in complexity and frequency. Organizations that have historically not been the target of cyber attacks now make headline news with large data losses and compromised transactions. Organizations need a clear point of view on how to respond to these threats, and one that incorporates not only the relevant technology but also the organizational changes needed. Nick Bradley, Practice Leader of the IBM Threat Research Group and the X-Force Threat Analysis Team, and Nick Coleman, Global Head Cyber Security Intelligence Services outline what organizations need to do now and in the future to stay ahead of the growing cyber security threat.

Cybersecurity - Sam Maccherola

TechBiz Forense Digital

Shariyaz abdeen data leakage prevention presentation

Shariyaz Abdeen

Data leakage prevention is one of the key topics which we have been talking in present. Due to the organizations moving towards big data, financial systems.. which resides in cyber space, there is an increasing number of frauds associated with the technology revolution in the cyberspace.This post highlights the threats and the counter measures, so we can protect the sensitive personal data. I prefer the approach of “ Trust but verify model ”.

IBM Security QRadar

Virginia Fernandez

The CISO Problems Risk Compliance Management in a Software Development 030420...

lior mazor

Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence

IBM Security

Although the majority of organizations subscribe to threat intelligence feeds to enhance their security decision making, it's difficult to take full advantage of true insights due to the overwhelming amounts of information available. Even with an integrated security operations portfolio to identify and respond to threats, many companies don't take full advantage of the benefits of external context that threat intelligence brings to identify true indicators of compromise. By taking advantage of both machine- and human-generated indicators within a collaborative threat intelligence platform, security analysts can streamline investigations and speed the time to action. Join this webinar to hear from the IBM Security Chief Technology Officer for Threat Intelligence to learn: How the IBM Security Operations and Response architecture can help you identify and response to threats faster Why threat intelligence is a fundamental component of security investigations How to seamlessly integrate threat intelligence into existing security solutions for immediate action

Cyber Security 4.0 conference 30 November 2016

InfinIT - Innovationsnetværket for it

ciso-platform-annual-summit-2013-Hp enterprise security overview

Priyanka Aash

final (2)Vishavjit Singh

Evidence-Based Security: The New Top Five Controls

Priyanka Aash

Most cybersecurity professionals know the CIS Top Five Critical Security Controls. Yet, the evidence that they are effective is slim. Using data on cyber-incidents, researchers looked at the attack paths used by adversaries and determined what controls could have disrupted these attack paths. The result is a new set of critical controls that organizations should implement on a priority basis. Learning Objectives: 1: Understand evidence-based approach to selecting controls. 2: Understand why the “new top five” controls were selected. 3: Chart a pathway to implementing the new top five controls. (Source: RSA Conference USA 2018)

Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with T...

IBM Security

In the wake of massive numbers of security breaches in 2014, enterprises are struggling to improve how they consume threat intelligence to better protect their networks. Over 65% of companies use external threat intelligence as part of their security analytics, but are dissatisfied with the time and resources needed to understand and analyze the data available. With a barrage of information coming in to your organization on vulnerabilities, malware, and potentially malicious sites on the Internet, how can you truly make sense of the data and take action when it’s required? During this presentation, you will learn how your enterprise can quickly research threats, integrate actionable intelligence and collaborate with peers using global threat intelligence.

Insider Threat Solution from GTRI

Zivaro Inc

Insider threats come in a variety of forms and may be malicious or simply the result of negligence. Insider attacks can cause more damage than outsider threats, so it is important that organizations understand how to protect against and remedy insider threats. Learn more about insider threats and GTRI's Insider Threat Security Solution in this presentation. (Source: GTRI) This presentation includes information about Cisco Stealthwatch, which goes beyond conventional threat detection and harnesses the power of NetFlow. With it, you get advanced network visibility, analytics, and protection. You see everything happening across your network and data center. And you can uncover attacks that bypass the perimeter and infiltrate your internal environment. (Source: Cisco)

201512 - Vulnerability Management -PCI Best Practices - stepbystepAllan Crowe PCIP

Failed Ransom: How IBM XGS Defeated Ransomware

IBM Security

View on-demand webinar: http://event.on24.com/wcc/r/1238398/409AE8848D4FF1210B56EC81538788EB Ransomware is a growing threat impacting organizations across all industries. But not all is lost. There are preventative measures that can be taken to help protect against ransomware attacks, including deploying a next-generation intrusion prevention system (IPS), such as the IBM XGS. Join our webinar to: Understand the current threats associated with ransomware Learn how leading-edge research from IBM X-Force powers the XGS to stop ransomware Hear how IBM XGS proactively blocked ransomware at a large healthcare insurance organization

Similar to The Tao of GRC (20)

Aon Ransomware Response and Mitigation Strategies

Grc tao.4

Security Intelligence: Finding and Stopping Attackers with Big Data Analytics

OSB50: Operational Security: State of the Union

Today's Breach Reality, The IR Imperative, And What You Can Do About It

The 1% Who Can Take Down your Organization

Key Findings from the 2015 IBM Cyber Security Intelligence Index

Cybersecurity - Sam Maccherola

Shariyaz abdeen data leakage prevention presentation

IBM Security QRadar

The CISO Problems Risk Compliance Management in a Software Development 030420...

Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence

Cyber Security 4.0 conference 30 November 2016

ciso-platform-annual-summit-2013-Hp enterprise security overview

final (2)

Evidence-Based Security: The New Top Five Controls

Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with T...

Insider Threat Solution from GTRI

201512 - Vulnerability Management -PCI Best Practices - stepbystep

Failed Ransom: How IBM XGS Defeated Ransomware

More from Flaskdata.io

Flaskdata - Observability for clinical data

The Tao of GRC

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to The Tao of GRC

Similar to The Tao of GRC (20)

More from Flaskdata.io

More from Flaskdata.io (18)

Recently uploaded

Recently uploaded (20)

The Tao of GRC