Security Governance by Risknavigator 2010
- 1. © Risknavigator™ Lennart Bredberg 2010
Security Governance
September 2010
Risknavigator Solutions: Security Governance
Risknavigator's model for Security Governance is built on a
true understanding of three important prerequisites for
building an integrated security governance solution in which security
and risk management are treated and managed like any other
basic business process within the organization.
Management systems and process orientation
Security Convergence
GRC (Governance, Risk and Compliance)
Cost
How can I leverage my existing security infrastructure?
How can I reduce manual processes that can be labor intensive,
repetitive and may have many potential errors?
How do I optimize resources, technologies and security
operations?
Governance and Compliance
How can I keep up with government, organizational and industry
regulations?
How can I easily monitor infractions and proactively enforce my
security policies and rules?
How do I ensure that security governance and compliance
are constantly on the Board agenda?
Risk
How can I implement best practices and standardize the security
organization?
How can I lower liability and maximize asset protection?
How do I future-proof any security investment?
Security as a business process
Security should naturally be seen as a business process that
manages a security function, a process that is very closely
connected with the principles of quality assurance and
quality control.
Management of the risk inherent in an organization used to be
seen as a function embedded within individual roles at the
C-level. Traditionally the approach was to treat risks separately
and assign responsibility to individuals or small teams. Managing
a single type of risk became a distinct job, and to be
successful in the job you had to focus on only one particular
area. The big problem with this “stove-piped” approach was that
it ignored the interdependence of many risks and that it
sub-optimized the financing of total risk for an organization.
Breaking stovepipes and seeing risk management and security
programs more as processes means that we need to bring the
different stakeholders in the problem together and set them to
solve the problem – together.
Security convergence
(Figure: security convergence model, © AESRM 2008)
A major trend in the security arena today is security
convergence.
ASIS International defines security convergence as:
“The identification of security risks and interdependencies between
business functions and processes within the enterprise and the
development of managed business process solutions to address those
risks and interdependencies.”
Imperatives driving convergence are:
Rapid expansion of the Enterprise Ecosystem
Value migration from physical to information-based
and intangible assets
New protective technologies blurring functional
boundaries
New compliance and regulatory regimes
Continuing pressure to reduce cost
The convergence of IT and physical security is now a fact, and as
IT has become a very important part of most organizations, new
international standards for physical security now also include IT
considerations for electronic documents.
Security convergence forces organizations to see beyond
security as a function and instead see it as something consisting of
people, processes and strategies that is part of the overall
business life-cycle as a system.
Furthermore, organizations are now starting to appreciate the cost and
competitive advantages that can be leveraged when viewing
security not as a cost center but as a value-add, lowering
costs and providing cost efficiencies.
Risknavigator has identified the top convergence goals that
an organization should reach in order to converge with the
greatest positive effect:
Aligning security with corporate business goals
Recruiting and retaining security staff
Measuring security organization efficiency
Using security for competitive breakthroughs
Reducing security costs
Demonstrating business value of security
Developing a long term security architecture
Improving security delivery
Security convergence must work in conjunction
with the business drivers of the organization. These business
drivers may differ between organizations, but some drivers are
shared and form common ground for both
logical security (IT) and physical security management. These
are:
Compliance
Cost control and productivity
Shareholder value
Asset and staff protection
Business continuity
Each business driver has tightly connected activities at
different levels (strategic, tactical and operational) that
are critical and fundamental to the success of the security
operations and the process of convergence.
Let us look at the business driver Compliance and some
examples of the activities at different levels that are connected
to it.
Strategic activities
Governance – e.g. a process to develop, implement and monitor
the security plan covering awareness, policies and standards.
The way to measure it is by direct response to critical breaches,
operational delays and unauthorized access.
Tactical activities
Audits – e.g. a process to audit logical and physical access
controls to IT and data to ensure only authorized people have
access. It can be measured by the number of access change
requests, time before acting on incidents and number of security
awareness training days.
Operational activities
Authentication and authorization – e.g. a process to safeguard
against unauthorized use, disclosure, modification or loss of
assets. This can be measured by the number of employees in the
company, the number of active access cards and the number of lost
badges that are still active.
GRC (Governance, Risk and Compliance)
GRC, an acronym for Governance, Risk Management, and
Compliance, covers an organization's approach across these
three areas. Being closely related, governance, risk and
compliance activities are increasingly being integrated and
aligned to some extent in order to avoid conflicts, overlaps and
gaps. While interpreted differently in some organizations, GRC
typically involves activities such as corporate governance,
enterprise risk management (ERM) and corporate compliance
with applicable laws and regulations.
Governance is the overall management approach through
which the C-level directs and controls an organization, using a mix
of information and hierarchical management controls.
Governance activities ensure that strategies, directions and
instructions from management are carried out systematically
and effectively.
Risk management is a process to determine what controls
are necessary to protect sensitive or critical assets both
adequately and cost-effectively.
Two very important elements in a risk assessment process are
cost effectiveness and Return on Investment (ROI). Without
both these elements present any risk assessment falls short.
The response to risks typically depends on their perceived
gravity, and involves controlling, avoiding, accepting or
transferring them to a third party.
Compliance means conforming to relevant laws,
regulations, standards, strategies and policies.
Widespread interest in GRC was sparked by the US Sarbanes-Oxley
Act and the need for US-listed companies to design and
implement suitable governance controls for SOX compliance,
but the focus of GRC has now shifted towards adding business
value through improved operational decision making and
strategic planning.
Prerequisites for building a Security Governance model
Implement quality and environmental management
systems, preferably based on ISO standards, and
thereby work with business process orientation.
Identify the operating levers that affect the Security
Convergence Roadmap in terms of people, processes
and strategy.
Implement an integrated framework to manage (G)
Processes and Policies, (R) true and perceived Risk
and (C) Compliance with relevant policies, standards
and laws.
Risknavigator and RiskWatch®
Risknavigator is a partner and VAR of RiskWatch, the leading
risk assessment tool for regulatory compliance. For
regulatory compliance, RiskWatch is the most accurate and
comprehensive way to conduct governance, compliance and risk
assessments based on international standards including HIPAA,
ISO 17799, ISO 27001, COBIT 4.0 and Sarbanes-Oxley (SOX).
The RiskWatch software includes an installed Windows
application and a simple web-based questionnaire application.
This can also be used on an internal server, or hosted, to
facilitate the gathering of responses from management and IT
system users. Respondents simply answer the questions, and
their answers are imported for analysis.
RiskWatch™ is the world's top-rated provider of innovative
security risk assessment and compliance software that
automates the risk management process. RiskWatch clients
include over 2000 hospitals, health plans, investment banks,
business banks, credit unions, state agencies and federal
agencies, including the U.S. Federal Reserve Bank, the Nuclear
Regulatory Commission and the Department of Defense.
The Risk assessment process