It's Time to Rethink Everything: A Governance, Risk, and Compliance (GRC) Primer

Governance, Risk, & Compliance (GRC) is more than a catchy acronym – it is an approach to business culture. GRC is a three-legged stool that is necessary to effectively manage and steer the organization. This presentation will provide an introduction to GRC and discuss the collaboration and sharing of information, assessments, metrics, risks, policies, training, and losses across business roles and processes. GRC helps identify interrelationships in today’s complex and distributed business environment.


1. It's Time to Rethink Everything: A Governance, Risk, and Compliance (GRC) Primer
   James Tarala, Enclave Security

2. Problem Statement
   • News agencies are reporting new data breaches almost on a daily basis
   • Resources to protect information are limited
   • Senior executives have not engaged to protect data
   • What we're doing to secure enterprises isn't working
   • It's time to rethink how we protect our data
   A Governance, Risk, & Compliance (GRC) Primer © Enclave Security 2011

3. Proposed Solution - IT GRC
   • One proposed solution, therefore, is a proactive program for GRC
   • When it comes to IT GRC, there are three primary components:
     – Governance
     – Risk
     – Compliance

4. What is GRC (OCEG definition)?
   • A system of people, processes, and technology that enables an organization to:
     – Understand and prioritize stakeholder expectations
     – Set business objectives that are congruent with values and risks
     – Achieve objectives while optimizing risk profile and protecting value
     – Operate within legal, contractual, internal, social, and ethical boundaries
     – Provide relevant, reliable, and timely information to appropriate stakeholders
     – Enable the measurement of the performance and effectiveness of the system

5. IT Governance – Defined
   • The Institute of Internal Auditors defines IT Governance as follows:
     "Information Technology Governance consists of leadership, organizational structures, and processes that ensure the enterprise's information technology sustains and supports the organization's strategies and objectives."

6. Business, Strategy, & Risk
   • These three concepts walk hand in hand
   • Businesses are run via strategies
   • Strategies define and inspire business operations
   • Risk appetite and culture help to shape strategies
   • The three are a team; to understand which controls are appropriate for an organization, the interaction between these concepts must be understood

7. A General Framework
   • Business goals lead to…
   • Strategy, which leads to…
   • Policies, which are defined by…
   • Procedures, which are clarified by…
   • Standards & Guidelines, which necessitate…
   • Risk Management, which drives re-evaluation of the business goals
   • And so the process repeats

8. Business Goals
   • An organization needs to understand why it exists
   • Once a business understands its purpose, it can determine which tools can assist it in reaching its goals
   • Technology may be one of those tools
   • Technology is simply an enabler for business goals
   • Technology should never be implemented simply for the sake of new technology – there must be a business goal

9. Business Strategy – Defined
   • BNET.com defines business strategy as: "a long-term approach to implementing a firm's business plans to achieve its business objectives"
   • Also often known as business:
     – Objectives / Goals
     – Vision / Mission
     – Etc.

10. Defining / Documenting Strategy
   • Somehow businesses have to document what their strategy is
   • Strategies are documented for clarity, consistency, and to help educate workforce members
   • Different business gurus recommend different methods of documentation; some options include:
     – Mission statements
     – Vision statements
     – 3 / 5 / 10 year plans
     – Strategic roadmaps
     – Etc.

11. Influences on Strategy
   • A number of forces influence an organization's strategy
   • These forces define the business and shape its plans
   • Some forces include:
     – Corporate culture
     – The competitive marketplace
     – Government / industry regulations
     – Individual executive personalities / goals

12. Policies – Defined
   • ISACA defines a policy as: "A document that records a high-level principle or course of action which has been decided upon. A policy's intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise's management teams."

13. Policy & Senior Executives
   • Policy is the result of documented business strategy
   • Senior executives are the ones who set strategy
   • Therefore senior executives should be the ones to charter policy-based initiatives
   • Senior executives do not have to write the policies, but they do need to approve them
   • Typically the IS Steering Committee is the group with the responsibility to write and recommend policy documents

14. Policy Creation
   • Someone has to actually write the policies, though
   • The draft author should be someone who understands the issue being addressed and the relevant business goals
   • Do not be afraid to start with policy templates and build off of other people's work
   • Generally the drafting process is done by a team, delegated by the IS Steering Committee
   • Auditors certainly can engage in the drafting process – it does not violate the spirit of auditor independence

15. Necessary Policies in a Library
   • One of the first steps in creating or auditing policies is to generate a list of the policies that should be included in the policy library
   • What policies should be documented in the library?
   • References to consider are:
     – The SANS Policy Project
     – Information Security Policies Made Easy (Wood)
     – T2P Policy Wiki

16. Sample Information Security Policies
   • Some sample security policies to consider are:
     – Acceptable system use policy
     – Acceptable encryption policy
     – Remote network access policy
     – Data access authorization policy
     – User authentication policy
     – Network monitoring policy
     – Incident handling policy
     – Business continuity / disaster recovery policy
     – Physical security policy

17. Consensus Audit Guidelines (CAG)
   • Known as the Consensus Audit Guidelines (CAG) and as the Twenty Critical Security Controls for Effective Cyber Defense
   • Released in 2009 by CSIS and the SANS Institute
   • Collaborative effort by over 100 US agencies and private-sector research groups
   • Purpose is to "establish a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms"

18. IT Governance Frameworks
   • Two major frameworks are used by auditors to assess IT governance:
     – ISACA's Control Objectives for Information & Related Technologies (COBIT)
     – IIA's GTAG 15: Information Security Governance

19. Using the Frameworks
   • These frameworks are meant to help your organization as you make GRC decisions
   • Organizations should not attempt to write their own
   • When it comes to governance, pick a framework and use it as the foundation for your GRC program
   • Senior executives and all business owners should be on board with the decision
   • As you go through the next sections, use the framework you chose as the basis for answering the questions that are raised

20. Formal Risk Management Models
   • Formal risk management models are meant to be the next step after an organization follows the steps from the previous section
   • If an organization follows those steps but wants more from risk management, then a formal model makes sense
   • Organizations need to know why they are doing risk management and what they hope to achieve from it
   • What are the business objectives you hope to achieve?

21. Formal vs. Ad hoc Models
   • Ad hoc models – how organizations describe nonexistent, informal, or half-hearted risk programs
   • Formal models – defined, thoughtful methods of performing risk management
   • Formal models enable businesses to create a plan for managing risk in light of business strategies
   • If an organization is not using a formal model, it likely is not doing risk management

22. Choosing the Right Risk Model
   • One of the more important risk management decisions an organization will make is which model to follow
   • The model an organization chooses:
     – Has to fit the culture of the organization
     – Has to be supported by executive management
     – Has to be consistent across all business units
     – Has to be used comprehensively
     – Has to be usable and produce valuable outputs

23. Open Source / Free Risk Mgmt Tools
   • SOMAP ORICO
   • Practical Threat Analysis (PTA) Professional
   • OSSIM Open Source SIEM

24. SOMAP ORICO
   • Tool created by the Security Officers Management and Analysis Project (SOMAP)
   • The ORICO tool, as self-described by SOMAP, "is the reference implementation of our OGRCM3 methodology and follows the risk assessment and analysis workflow as described in our Guide."
   • There are two versions, a Windows desktop version and a Java / web-based version
   • The web version is the more fully functional version, with custom views for different business roles in an enterprise

25. SOMAP ORICO Visualized

26. PTA Professional
   • Practical Threat Analysis (PTA) for Information Security Professionals
   • Self-described, its role is to: "Identify system vulnerabilities, map system assets, assess the risk of the threats and define an effective risk mitigation plan for a specific system architecture, functionality and configuration."
   • It is distributed as a Windows-based client application for managing this information

27. PTA Professional Visualized
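The PTA workflow on slide 26 (identify vulnerabilities, map assets, assess the risk of the threats, define a mitigation plan) and the formal-versus-ad-hoc discussion on slides 21 and 22 describe a risk assessment without showing what its arithmetic looks like. The script below is an added example written for this page; it is not code from the presentation and not the method used by PTA or ORICO. It scores each threat as an annualized loss expectancy (asset value × exposure fraction × annual rate of occurrence), applies countermeasures as residual-likelihood factors, and chooses a mitigation plan under a budget. The assets, threats, countermeasures, budget and numbers are constructed for the illustration; the "vulnerabilities form an attack chain" rule and the "a control must remove more annual loss than it costs" rule are assumptions of this example.

```python
"""Added illustration of a formal, quantitative risk model: annualized loss
expectancy (ALE) per threat and a budget-constrained mitigation plan.
All data below is constructed for the example; the scoring rules are an
assumption for illustration, not PTA's or ORICO's actual method."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    value: float                 # impact value of the asset, currency units


@dataclass
class Threat:
    name: str
    asset: str                   # Asset.name this threat acts on
    aro: float                   # annual rate of occurrence (events / year)
    exposure: float              # fraction of asset value lost per event, 0..1
    vulns: Tuple[str, ...]       # attack chain: every listed weakness is needed


@dataclass
class Countermeasure:
    name: str
    cost: float                  # annualized cost of running the control
    mitigates: Dict[str, float]  # vuln -> residual likelihood factor, 0..1


def residual_factor(threat: Threat, applied: List[Countermeasure]) -> float:
    """Residual likelihood multiplier for a threat given the applied controls.
    Assumption: the vulns form a chain, so the best-closed link dominates
    (minimum over vulns of the best factor any applied control gives it;
    a vuln no applied control covers keeps factor 1.0)."""
    best = 1.0
    for v in threat.vulns:
        covering = [c.mitigates[v] for c in applied if v in c.mitigates]
        best = min(best, min(covering) if covering else 1.0)
    return best


def ale(threat: Threat, assets: Dict[str, Asset], applied: List[Countermeasure]) -> float:
    sle = assets[threat.asset].value * threat.exposure   # single loss expectancy
    return sle * threat.aro * residual_factor(threat, applied)


def total_ale(threats, assets, applied) -> float:
    return sum(ale(t, assets, applied) for t in threats)


def plan_mitigations(assets, threats, candidates, budget):
    """Greedy plan: repeatedly add the affordable control with the best ALE
    reduction per unit of cost, but only while the reduction exceeds the
    cost; a control that costs more than the loss it removes is not bought.
    Returns (chosen controls, residual ALE)."""
    applied: List[Countermeasure] = []
    pool, remaining = list(candidates), budget
    while True:
        base = total_ale(threats, assets, applied)
        best, best_ratio = None, 0.0
        for c in pool:
            if c.cost > remaining:
                continue
            reduction = base - total_ale(threats, assets, applied + [c])
            if reduction <= c.cost:
                continue
            if reduction / c.cost > best_ratio:
                best, best_ratio = c, reduction / c.cost
        if best is None:
            return applied, base
        applied.append(best)
        pool.remove(best)
        remaining -= best.cost


def sample_register():
    """Constructed register: two assets, three threats, four candidate controls."""
    assets = {a.name: a for a in (Asset("customer-db", 500_000), Asset("web-portal", 200_000))}
    threats = [
        Threat("sqli-data-theft", "customer-db", 0.5, 0.4, ("unvalidated-input",)),
        Threat("ransomware", "web-portal", 0.3, 0.5, ("unpatched-os", "no-backups")),
        Threat("insider-misuse", "customer-db", 0.1, 0.2, ("shared-admin-accounts",)),
    ]
    controls = [
        Countermeasure("waf-and-code-review", 20_000, {"unvalidated-input": 0.2}),
        Countermeasure("patch-management", 15_000, {"unpatched-os": 0.3}),
        Countermeasure("offline-backups", 8_000, {"no-backups": 0.5}),
        Countermeasure("privileged-access-mgmt", 25_000, {"shared-admin-accounts": 0.25}),
    ]
    return assets, threats, controls


if __name__ == "__main__":
    assets, threats, controls = sample_register()
    print("ALE before controls:", total_ale(threats, assets, []))
    chosen, residual = plan_mitigations(assets, threats, controls, budget=45_000)
    print("plan:", [c.name for c in chosen], "residual ALE:", residual)
```

With the constructed numbers the untreated ALE is 140,000, and the plan buys the WAF/code-review control and offline backups for 28,000 a year, leaving a residual ALE of 45,000. Patch management is not bought even though budget remains: once backups already cut the ransomware chain in half, adding it removes only 6,000 of annual loss against a 15,000 cost. That diminishing return on a second control for the same attack chain is the kind of trade-off a formal model makes visible and an ad hoc program never computes.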
28. OSSIM Open Source SIEM
   • Open Source Security Information Management (OSSIM)
   • Created and maintained by AlienVault
   • OSSIM's goal, self-described, is to: "provide a comprehensive compilation of tools which, when working together, grant network/security administrators with a detailed view over each and every aspect of his or her networks, hosts, physical access devices, server, etc."
   • Can be installed as a VMware appliance or by using an installer script to set up and configure each of the components

29. OSSIM Visualized

30. Problem Statement (slide 2 repeated)
   • News agencies are reporting new data breaches almost on a daily basis
   • Resources to protect information are limited
   • Senior executives have not engaged to protect data
   • What we're doing to secure enterprises isn't working
   • It's time to rethink how we protect our data

31. Further Questions
   • James Tarala
     – E-mail: james.tarala@enclavesecurity.com
     – Twitter: @isaudit, @jamestarala
     – Blog: http://www.enclavesecurity.com/blogs/
   • Resources for further study:
     – SANS Audit Program – Audit 407 Beta in Orlando (July)
     – 20 Critical Controls Project
     – The Balanced Scorecard (by Kaplan & Norton)
     – Security Metrics (by Andrew Jaquith)
