It’s Time to Rethink Everything:
A Governance, Risk, and Compliance (GRC) Primer

James Tarala, Enclave Security
Problem Statement
• News agencies are reporting new data breaches
  almost on a daily basis
• Resources to protect information are limited
• Senior executives have not engaged to protect data

• What we’re doing to secure enterprises isn’t working
• It’s time to rethink how we protect our data

         A Governance, Risk, & Compliance (GRC) Primer © Enclave Security 2011
Proposed Solution - IT GRC
• One proposed solution therefore would be a proactive
  program for GRC
• When it comes to IT GRC, there are three primary
  components:
   – Governance
   – Risk
   – Compliance

What is GRC (OCEG definition)?
• A system of people, processes, and technology that
  enables an organization to:
   – Understand and prioritize stakeholder expectations
   – Set business objectives that are congruent with values and risks
   – Achieve objectives while optimizing risk profile and protecting
     value
   – Operate within legal, contractual, internal, social, and ethical
     boundaries
   – Provide relevant, reliable, and timely information to appropriate
     stakeholders
   – Enable the measurement of the performance and effectiveness of
     the system

IT Governance – Defined
• The Institute of Internal Auditors defines IT Governance as the
  following:
       “Information Technology Governance consists of
       leadership, organizational structures, and processes
       that ensure the enterprise’s information technology
       sustains and supports the organization’s strategies and
       objectives.”

Business, Strategy, & Risk
•   These three concepts walk hand in hand
•   Businesses are run via strategies
•   Strategies define & inspire business operations
•   Risk appetite & culture help to influence strategies

• The three are a team, and to understand which controls are
  appropriate for an organization, the interaction between
  these concepts must be understood

A General Framework
• Business goals lead to…
• Strategy, which leads to…
• Policies, which are defined by…
• Procedures, which are clarified by…
• Standards & Guidelines, which necessitate…
• Risk Management, which causes the evaluation of business
  goals
• And so the process repeats

Business Goals
• An organization needs to understand why it exists
• Once a business understands its purpose, it can
  determine which tools can assist it in reaching its goals
• Technology may be one of those tools

• Technology is simply an enabler for business goals
• Technology should never be implemented simply for the sake
  of new technology – there must be a business goal

Business Strategy – Defined
• BNET.com defines business strategy as:

   “a long-term approach to implementing a firm's business
   plans to achieve its business objectives”

• Also often known as business:
   – Objectives / Goals
   – Vision / Mission
   – Etc, etc…

Defining / Documenting Strategy
• Somehow businesses have to document what their strategy is
• These are documented for clarity, consistency, and to help
  educate workforce members
• Different business gurus recommend different methods of
  documentation; some options include:
   – Mission statements
   – Vision statements
   – 3 / 5 / 10 year plans
   – Strategic roadmaps
   – Etc

Influences to Strategy
• There are a number of forces which influence an
  organization’s strategy
• These forces define the business & shape its plans

• Some forces include:
   – Corporate culture
   – The competitive marketplace
   – Government / industry regulations
   – Individual executive personalities / goals

Policies – Defined
• ISACA defines a policy as:

   “A document that records a high-level principle or course of
   action which has been decided upon. A policy’s intended
   purpose is to influence and guide both present and future
   decision making to be in line with the philosophy, objectives
   and strategic plans established by the enterprise’s
   management teams.”

Policy & Senior Executives
• Policy is the result of documented business strategy
• Senior executives are the ones to set strategy
• Therefore senior executives should be the ones to charter
  policy-based initiatives

• Senior executives do not have to write the policies, but they
  do need to approve the policies
• Typically the IS Steering Committee is the group with the
  responsibility to write & recommend policy documents

Policy Creation
• Someone has to actually write the policies though
• The draft author should be someone who understands the
  issue being addressed & relevant business goals
• Do not be afraid to start with policy templates & build off of
  other people’s work
• Generally the drafting process is done by a team, delegated by
  the IS Steering Committee

• Auditors certainly can engage in the drafting process – it does
  not violate the spirit of auditor independence

Necessary Policies in a Library
• One of the first steps in creating or auditing policies is to
  generate a list of policies that should be included in the policy
  library
• What policies should be documented in the library?

• References to consider are:
   – The SANS Policy Project
   – Information Security Policies Made Easy (Wood)
   – T2P Policy Wiki

Sample Information Security Policies
 • Some sample security policies to consider are:
    – Acceptable system use policy
    – Acceptable encryption policy
    – Remote network access policy
    – Data access authorization policy
    – User authentication policy
    – Network monitoring policy
    – Incident handling policy
    – Business continuity / disaster recovery policy
    – Physical security policy

Consensus Audit Guidelines (CAG)
• Known as Consensus Audit Guidelines (CAG) and as the
  Twenty Critical Security Controls for Effective Cyber Defense
• Released in 2009 by CSIS and the SANS Institute
• Collaborative effort by over 100 US agencies & private-sector
  research groups
• Purpose is to “establish a prioritized baseline of information
  security measures and controls that can be continuously
  monitored through automated mechanisms”

IT Governance Frameworks
• There are two major frameworks that are used by auditors to
  assess IT governance:

   – ISACA’s Control Objectives for Information & Related
     Technologies (COBIT)
   – IIA’s GTAG 15: Information Security Governance

Using the Frameworks
• These frameworks are meant to be a help for your
  organization as you make GRC decisions
• Organizations should not attempt to write their own
• When it comes to governance, pick a framework and use it as
  the foundation for your GRC program
• Senior executives and all business owners should be on board
  with the decision
• As you go through the following sections, use the framework
  you chose as the basis for answering the questions that are
  raised

Formal Risk Management Models
• Formal risk management models are meant to be the next
  step after an organization follows the steps from the previous
  section
• If an organization follows those steps, but wants more from
  risk management, then a formal model makes sense
• Organizations need to know why they are doing risk
  management & what they hope to achieve from it

• What are the business objectives you hope to achieve?

Formal vs. Ad hoc Models
• Ad hoc models – how organizations will describe nonexistent,
  informal, or half-hearted risk programs
• Formal models – defined, thoughtful methods of performing
  risk management

• Formal models enable businesses to create a plan for
  managing risk in light of business strategies

• If an organization is not using a formal model, it is likely
  not doing risk management

Choosing the Right Risk Model
• One of the more important risk management decisions an
  organization will make is which model to follow

• The model an organization chooses:
   – Has to fit the culture of the organization
   – Has to be supported by executive management
   – Has to be consistent across all business units
   – Has to be used comprehensively
   – Has to be usable and produce valuable outputs

Open Source / Free Risk Mgmt Tools
 • SOMAP ORICO
 • Practical Threat Analysis (PTA) Professional
 • OSSIM Open Source SIEM

SOMAP ORICO
• Tool created by the Security Officers Management and
  Analysis Project (SOMAP)
• The ORICO tool, self-described by SOMAP:
   “is the reference implementation of our OGRCM3
   methodology and follows the risk assessment and analysis
   workflow as described in our Guide.”

• There are two versions, a Windows desktop version and a
  Java/web-based version
• The web version is the more fully functional version with
  custom views for different business roles in an enterprise

SOMAP ORICO Visualized
[image slide; not captured in this text]

PTA Professional
• Practical Threat Analysis (PTA) for Information Security
  Professionals
• Self-described, its role is to:
   “Identify system vulnerabilities, map system assets, assess the
   risk of the threats and define an effective risk mitigation plan
   for a specific system architecture, functionality and
   configuration.”

• It is distributed as a Windows-based client application for
  managing this information

PTA Professional Visualized
[image slide; not captured in this text]

OSSIM Open Source SIEM
• Open Source Security Information Management (OSSIM)
• Created & maintained by AlienVault
• OSSIM’s goal, self described, is to:
   “provide a comprehensive compilation of tools which, when
   working together, grant network/security administrators with a
   detailed view over each and every aspect of his or her networks,
   hosts, physical access devices, server, etc.”

• Can be installed as a VMware appliance or by using an installer
  script to set up & configure each of the components

OSSIM Visualized
[image slide; not captured in this text]

Further Questions
• James Tarala
   – E-mail: james.tarala@enclavesecurity.com
   – Twitter: @isaudit, @jamestarala
   – Blog:    http://www.enclavesecurity.com/blogs/

• Resources for further study:
   – SANS Audit Program – Audit 407 Beta in Orlando (July)
   – 20 Critical Controls Project
   – The Balanced Scorecard (by Kaplan & Norton)
   – Security Metrics (by Andrew Jaquith)



          A Governance, Risk, & Compliance (GRC) Primer © Enclave Security 2011

Weitere ähnliche Inhalte

Was ist angesagt?

security_assessment_slides
security_assessment_slidessecurity_assessment_slides
security_assessment_slides
Steve Arnold
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security program
William Godwin
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
PECB
 

Was ist angesagt? (20)

Security metrics
Security metrics Security metrics
Security metrics
 
security_assessment_slides
security_assessment_slidessecurity_assessment_slides
security_assessment_slides
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
TrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability Management
 
Risk Management Approach to Cyber Security
Risk Management  Approach to Cyber Security Risk Management  Approach to Cyber Security
Risk Management Approach to Cyber Security
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSCybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHS
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security program
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public Sector
 
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for SecurityA Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
 
Nist.sp.800 37r2
Nist.sp.800 37r2Nist.sp.800 37r2
Nist.sp.800 37r2
 
TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)
 
Supplement To Student Guide Seminar 03 A 3 Nov09
Supplement To Student Guide   Seminar 03 A 3 Nov09Supplement To Student Guide   Seminar 03 A 3 Nov09
Supplement To Student Guide Seminar 03 A 3 Nov09
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting   itweb workshopSLVA - Security monitoring and reporting   itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework  isc2 quanticoNist cybersecurity framework  isc2 quantico
Nist cybersecurity framework isc2 quantico
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
It Audit Expectations High Detail
It Audit Expectations   High DetailIt Audit Expectations   High Detail
It Audit Expectations High Detail
 

Ähnlich wie Its time to rethink everything a governance risk compliance primer

Governance and management of IT.pptx
Governance and management of IT.pptxGovernance and management of IT.pptx
Governance and management of IT.pptx
Prashant Singh
 
GRC - Isaca Training 16.9.2014
GRC - Isaca Training 16.9.2014GRC - Isaca Training 16.9.2014
GRC - Isaca Training 16.9.2014
Paul Simidi
 
Cyber Security_Consultant_Nial Lande.pptx
Cyber Security_Consultant_Nial Lande.pptxCyber Security_Consultant_Nial Lande.pptx
Cyber Security_Consultant_Nial Lande.pptx
koushikDutta62
 
2 -governanca_de_tic_-_uma_visao_do_mercado_gartner_-_claudio_chauke
2  -governanca_de_tic_-_uma_visao_do_mercado_gartner_-_claudio_chauke2  -governanca_de_tic_-_uma_visao_do_mercado_gartner_-_claudio_chauke
2 -governanca_de_tic_-_uma_visao_do_mercado_gartner_-_claudio_chauke
Mayk Campelo
 

Ähnlich wie Its time to rethink everything a governance risk compliance primer (20)

ISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptxISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptx
 
standards1.pdf
standards1.pdfstandards1.pdf
standards1.pdf
 
CISM_WK_1.pptx
CISM_WK_1.pptxCISM_WK_1.pptx
CISM_WK_1.pptx
 
Gain business insight with Continuous Controls Monitoring
Gain business insight with Continuous Controls MonitoringGain business insight with Continuous Controls Monitoring
Gain business insight with Continuous Controls Monitoring
 
Chapter 1 Security Framework
Chapter 1   Security FrameworkChapter 1   Security Framework
Chapter 1 Security Framework
 
crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptx
 
Optimizing Compliance Programs in Organizations: A Top Down Approach
Optimizing Compliance Programs in Organizations: A Top Down ApproachOptimizing Compliance Programs in Organizations: A Top Down Approach
Optimizing Compliance Programs in Organizations: A Top Down Approach
 
Governance and management of IT.pptx
Governance and management of IT.pptxGovernance and management of IT.pptx
Governance and management of IT.pptx
 
Gaining and Maintaining IT & Business Alignment.pptx
Gaining and Maintaining IT & Business Alignment.pptxGaining and Maintaining IT & Business Alignment.pptx
Gaining and Maintaining IT & Business Alignment.pptx
 
GRC - Isaca Training 16.9.2014
GRC - Isaca Training 16.9.2014GRC - Isaca Training 16.9.2014
GRC - Isaca Training 16.9.2014
 
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practice
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practiceJohn Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practice
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practice
 
Cyber Security_Consultant_Nial Lande.pptx
Cyber Security_Consultant_Nial Lande.pptxCyber Security_Consultant_Nial Lande.pptx
Cyber Security_Consultant_Nial Lande.pptx
 
The Journey to Integrated Risk Management: Lessons from the Field
The Journey to Integrated Risk Management: Lessons from the Field The Journey to Integrated Risk Management: Lessons from the Field
The Journey to Integrated Risk Management: Lessons from the Field
 
DAH15 : Bray Goverance - Not Dirty Words
DAH15 : Bray  Goverance - Not Dirty WordsDAH15 : Bray  Goverance - Not Dirty Words
DAH15 : Bray Goverance - Not Dirty Words
 
Operation and strategy course 1.0
Operation and strategy  course 1.0Operation and strategy  course 1.0
Operation and strategy course 1.0
 
2 -governanca_de_tic_-_uma_visao_do_mercado_gartner_-_claudio_chauke
2  -governanca_de_tic_-_uma_visao_do_mercado_gartner_-_claudio_chauke2  -governanca_de_tic_-_uma_visao_do_mercado_gartner_-_claudio_chauke
2 -governanca_de_tic_-_uma_visao_do_mercado_gartner_-_claudio_chauke
 
CELOE MRKI Lecture Notes 02 v0.1_old.pptx
CELOE MRKI Lecture Notes 02 v0.1_old.pptxCELOE MRKI Lecture Notes 02 v0.1_old.pptx
CELOE MRKI Lecture Notes 02 v0.1_old.pptx
 
CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016
 
GRC in Australia slides
GRC in Australia slidesGRC in Australia slides
GRC in Australia slides
 
Internal financial control - how ready are you - Webinar
Internal financial control - how ready are you - WebinarInternal financial control - how ready are you - Webinar
Internal financial control - how ready are you - Webinar
 

Mehr von EnclaveSecurity

Practical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityPractical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device security
EnclaveSecurity
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security Assessments
EnclaveSecurity
 
Governance fail security fail
Governance fail security failGovernance fail security fail
Governance fail security fail
EnclaveSecurity
 
Prioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsPrioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controls
EnclaveSecurity
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controls
EnclaveSecurity
 
Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewalls
EnclaveSecurity
 

Mehr von EnclaveSecurity (17)

Using an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseUsing an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized Defense
 
The CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseThe CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for Defense
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShell
 
Enterprise PowerShell for Remote Security Assessments
Enterprise PowerShell for Remote Security AssessmentsEnterprise PowerShell for Remote Security Assessments
Enterprise PowerShell for Remote Security Assessments
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security Assessments
 
Practical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityPractical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device security
 
Utilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyUtilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare Technology
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security Assessments
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to Measurement
 
Governance fail security fail
Governance fail security failGovernance fail security fail
Governance fail security fail
 
The intersection of cool mobility and corporate protection
The intersection of cool mobility and corporate protectionThe intersection of cool mobility and corporate protection
The intersection of cool mobility and corporate protection
 
Recent changes to the 20 critical controls
Recent changes to the 20 critical controlsRecent changes to the 20 critical controls
Recent changes to the 20 critical controls
 
Prioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsPrioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controls
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controls
 
More practical insights on the 20 critical controls
More practical insights on the 20 critical controlsMore practical insights on the 20 critical controls
More practical insights on the 20 critical controls
 
Cyber war or business as usual
Cyber war or business as usualCyber war or business as usual
Cyber war or business as usual
 
Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewalls
 

Kürzlich hochgeladen

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Kürzlich hochgeladen (20)

[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

It’s Time to Rethink Everything: A Governance, Risk, Compliance Primer

1. It’s Time to Rethink Everything: A Governance, Risk, and Compliance (GRC) Primer
James Tarala, Enclave Security

2. Problem Statement
• News agencies are reporting new data breaches almost on a daily basis
• Resources to protect information are limited
• Senior executives have not engaged to protect data
• What we’re doing to secure enterprises isn’t working
• It’s time to rethink how we protect our data
A Governance, Risk, & Compliance (GRC) Primer © Enclave Security 2011

3. Proposed Solution - IT GRC
• One proposed solution therefore would be a proactive program for GRC
• When it comes to IT GRC, there are three primary components:
   – Governance
   – Risk
   – Compliance

4. What is GRC (OCEG definition)?
• A system of people, processes, and technology that enables an organization to:
   – Understand and prioritize stakeholder expectations
   – Set business objectives that are congruent with values and risks
   – Achieve objectives while optimizing risk profile and protecting value
   – Operate within legal, contractual, internal, social, and ethical boundaries
   – Provide relevant, reliable, and timely information to appropriate stakeholders
   – Enable the measurement of the performance and effectiveness of the system

5. IT Governance – Defined
• The Institute of Internal Auditors defines IT Governance as the following:
   “Information Technology Governance consists of leadership, organizational structures, and processes that ensure the enterprise’s information technology sustains and supports the organization’s strategies and objectives.”

6. Business, Strategy, & Risk
• These three concepts definitively walk hand in hand
• Businesses are run via strategies
• Strategies define & inspire business operations
• Risk appetite & culture help to influence strategies
• The three are a team, and to understand which controls are appropriate for an organization, the interaction between these concepts must be understood

7. A General Framework
• Business goals lead to…
• Strategy, which leads to…
• Policies, which are defined by…
• Procedures, which are clarified by…
• Standards & Guidelines, which necessitate…
• Risk Management, which causes the re-evaluation of business goals
• And so the process repeats

8. Business Goals
• An organization needs to understand why it exists
• Once a business understands its purpose, it can determine which tools can assist it in reaching its goals
• Technology may be one of those tools
• Technology is simply an enabler for business goals
• Technology should never be implemented simply for the sake of new technology – there must be a business goal

9. Business Strategy – Defined
• BNET.com defines business strategy as: “a long-term approach to implementing a firm's business plans to achieve its business objectives”
• Also often known as business:
   – Objectives / Goals
   – Vision / Mission
   – Etc, etc…

10. Defining / Documenting Strategy
• Somehow businesses have to document what their strategy is
• These are documented for clarity, consistency, and to help educate workforce members
• Different business gurus recommend different methods of documentation; some options include:
   – Mission statements
   – Vision statements
   – 3 / 5 / 10 year plans
   – Strategic roadmaps
   – Etc

11. Influences to Strategy
• There are a number of forces which influence an organization’s strategy
• These forces define the business & shape its plans
• Some forces include:
   – Corporate culture
   – The competitive marketplace
   – Government / industry regulations
   – Individual executive personalities / goals

12. Policies – Defined
• ISACA defines a policy as:
   “A document that records a high-level principle or course of action which has been decided upon. A policy’s intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise’s management teams.”

13. Policy & Senior Executives
• Policy is the result of documented business strategy
• Senior executives are the ones to set strategy
• Therefore senior executives should be the ones to charter policy-based initiatives
• Senior executives do not have to write the policies, but they do need to approve the policies
• Typically the IS Steering Committee is the group with the responsibility to write & recommend policy documents

14. Policy Creation
• Someone has to actually write the policies though
• The draft author should be someone who understands the issue being addressed & the relevant business goals
• Do not be afraid to start with policy templates & build off of other people’s work
• Generally the drafting process is done by a team, delegated by the IS Steering Committee
• Auditors certainly can engage in the drafting process – it does not violate the spirit of auditor independence

15. Necessary Policies in a Library
• One of the first steps in creating or auditing policies is to generate a list of policies that should be included in the policy library
• What policies should be documented in the library?
• References to consider are:
   – The SANS Policy Project
   – Information Security Policies Made Easy (Wood)
   – T2P Policy Wiki

16. Sample Information Security Policies
• Some sample security policies to consider are:
   – Acceptable system use policy
   – Acceptable encryption policy
   – Remote network access policy
   – Data access authorization policy
   – User authentication policy
   – Network monitoring policy
   – Incident handling policy
   – Business continuity / disaster recovery policy
   – Physical security policy

17. Consensus Audit Guidelines (CAG)
• Known as the Consensus Audit Guidelines (CAG) and as the Twenty Critical Security Controls for Effective Cyber Defense
• Released in 2009 by CSIS and the SANS Institute
• Collaborative effort by over 100 US agencies & private sector research groups
• Purpose is to “establish a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms”

18. IT Governance Frameworks
• There are two major frameworks that are used by auditors to assess IT governance:
   – ISACA’s Control Objectives for Information & Related Technologies (COBIT)
   – IIA’s GTAG 15: Information Security Governance

19. Using the Frameworks
• These frameworks are meant to be a help for your organization as you make GRC decisions
• Organizations should not attempt to write their own
• When it comes to governance, pick a framework and use it as the foundation for your GRC program
• Senior executives and all business owners should be on board with the decision
• Next, as you go through the following sections, use the framework you chose as the basis for answering the questions that are raised

20. Formal Risk Management Models
• Formal risk management models are meant to be the next step after an organization follows the steps from the previous section
• If an organization follows those steps, but wants more from risk management, then a formal model makes sense
• Organizations need to know why they are doing risk management & what they hope to achieve from it
• What are the business objectives you hope to achieve?

21. Formal vs. Ad hoc Models
• Ad hoc models – how organizations will describe nonexistent, informal, or half-hearted risk programs
• Formal models – defined, thoughtful methods of performing risk management
• Formal models enable businesses to create a plan for managing risk in light of business strategies
• If an organization is not using a formal model, it likely is not doing risk management

22. Choosing the Right Risk Model
• One of the more important risk management decisions an organization will make is which model to follow
• The model an organization chooses:
   – Has to fit the culture of the organization
   – Has to be supported by executive management
   – Has to be consistent across all business units
   – Has to be used comprehensively
   – Has to be usable and produce valuable outputs

23. Open Source / Free Risk Mgmt Tools
• SOMAP ORICO
• Practical Threat Analysis (PTA) Professional
• OSSIM Open Source SIEM

24. SOMAP ORICO
• Tool created by the Security Officers Management and Analysis Project (SOMAP)
• The ORICO tool, self-described by SOMAP: “is the reference implementation of our OGRCM3 methodology and follows the risk assessment and analysis workflow as described in our Guide.”
• There are two versions, a Windows desktop version and a Java / web-based version
• The web version is the more fully functional version, with custom views for different business roles in an enterprise

25. SOMAP ORICO Visualized

26. PTA Professional
• Practical Threat Analysis (PTA) for Information Security Professionals
• Self-described, its role is to: “Identify system vulnerabilities, map system assets, assess the risk of the threats and define an effective risk mitigation plan for a specific system architecture, functionality and configuration.”
• It is distributed as a Windows-based client application for managing this information

27. PTA Professional Visualized

28. OSSIM Open Source SIEM
• Open Source Security Information Management (OSSIM)
• Created & maintained by AlienVault
• OSSIM’s goal, self-described, is to: “provide a comprehensive compilation of tools which, when working together, grant network/security administrators with a detailed view over each and every aspect of his or her networks, hosts, physical access devices, server, etc.”
• Can be installed as a VMware appliance or by using an installer script to set up & configure each of the components

29. OSSIM Visualized

30. Problem Statement
• News agencies are reporting new data breaches almost on a daily basis
• Resources to protect information are limited
• Senior executives have not engaged to protect data
• What we’re doing to secure enterprises isn’t working
• It’s time to rethink how we protect our data

31. Further Questions
• James Tarala
   – E-mail: james.tarala@enclavesecurity.com
   – Twitter: @isaudit, @jamestarala
   – Blog: http://www.enclavesecurity.com/blogs/
• Resources for further study:
   – SANS Audit Program – Audit 407 Beta in Orlando (July)
   – 20 Critical Controls Project
   – The Balanced Scorecard (by Kaplan & Norton)
   – Security Metrics (by Andrew Jaquith)

Editor’s Notes

  1. Governance, Risk, & Compliance (GRC) is more than a catchy acronym – it is an approach to business culture. GRC is a three-legged stool that is necessary to effectively manage and steer the organization. This presentation will provide an introduction to GRC and discuss the collaboration and sharing of information, assessments, metrics, risks, policies, training, and losses across business roles and processes. GRC helps identify interrelationships in today’s complex and distributed business environment.