1. It’s Time to Rethink Everything:
A Governance, Risk, and Compliance (GRC) Primer
James Tarala, Enclave Security
2. Problem Statement
• News agencies are reporting new data breaches
almost on a daily basis
• Resources to protect information are limited
• Senior executives have not engaged to protect data
• What we’re doing to secure enterprises isn’t working
• It’s time to rethink how we protect our data
A Governance, Risk, & Compliance (GRC) Primer © Enclave Security 2011
3. Proposed Solution - IT GRC
• One proposed solution therefore would be a proactive
program for GRC
• When it comes to IT GRC, there are three primary
components:
– Governance
– Risk
– Compliance
4. What is GRC (OCEG definition)?
• A system of people, processes, and technology that
enables an organization to:
– Understand and prioritize stakeholder expectations
– Set business objectives that are congruent with values and risks
– Achieve objectives while optimizing risk profile and protecting
value
– Operate within legal, contractual, internal, social, and ethical
boundaries
– Provide relevant, reliable, and timely information to appropriate
stakeholders
– Enable the measurement of the performance and effectiveness of
the system
5. IT Governance – Defined
• The Institute of Internal Auditors defines IT Governance as the
following:
“Information Technology Governance consists of
leadership, organizational structures, and processes
that ensure the enterprise’s information technology
sustains and supports the organization’s strategies and
objectives.”
6. Business, Strategy, & Risk
• These three concepts definitively walk hand in hand
• Businesses are run via strategies
• Strategies define & inspire business operations
• Risk appetite & culture help to influence strategies
• The three are a team, and to understand which controls are
appropriate for an organization, the interaction between
these concepts must be understood
7. A General Framework
• Business goals lead to…
• Strategy, which leads to…
• Policies, which are defined by…
• Procedures, which are clarified by…
• Standards & Guidelines, which necessitate…
• Risk Management, which causes the evaluation of business
goals
• And so the process repeats
8. Business Goals
• An organization needs to understand why it exists
• Once a business understands its purpose, it can
determine which tools can assist it in reaching its goals
• Technology may be one of those tools
• Technology is simply an enabler for business goals
• Technology should never be implemented simply for the sake
of new technology – there must be a business goal
9. Business Strategy – Defined
• BNET.com defines business strategy as:
“a long-term approach to implementing a firm's business
plans to achieve its business objectives”
• Also often known as business:
– Objectives / Goals
– Vision / Mission
– Etc, etc…
10. Defining / Documenting Strategy
• Somehow businesses have to document what their strategy is
• These are documented for clarity, consistency, and to help
educate workforce members
• Different business gurus recommend different methods of
documentation, some options include:
– Mission statements
– Vision statements
– 3 / 5 / 10 year plans
– Strategic roadmaps
– Etc
11. Influences to Strategy
• There are a number of forces which influence an
organization’s strategy
• These forces define the business & shape its plans
• Some forces include:
– Corporate culture
– The competitive marketplace
– Government / industry regulations
– Individual executive personalities / goals
12. Policies – Defined
• ISACA defines a policy as:
“A document that records a high-level principle or course of
action which has been decided upon. A policy’s intended
purpose is to influence and guide both present and future
decision making to be in line with the philosophy, objectives
and strategic plans established by the enterprise’s
management teams.”
13. Policy & Senior Executives
• Policy is the result of documented business strategy
• Senior executives are the ones to set strategy
• Therefore senior executives should be the ones to charter
policy-based initiatives
• Senior executives do not have to write the policies, but they
do need to approve of the policies
• Typically the IS Steering Committee is the group with the
responsibility to write & recommend policy documents
14. Policy Creation
• Someone has to actually write the policies though
• The draft author should be someone who understands the
issue being addressed & relevant business goals
• Do not be afraid to start with policy templates & build off of
other people’s work
• Generally the drafting process is done by a team, delegated by
the IS Steering Committee
• Auditors certainly can engage in the drafting process – it does
not violate the spirit of auditor independence
15. Necessary Policies in a Library
• One of the first steps in creating or auditing policies is to
generate a list of policies that should be included in the policy
library
• What policies should be documented in the library?
• References to consider are:
– The SANS Policy Project
– Information Security Policies Made Easy (Wood)
– T2P Policy Wiki
16. Sample Information Security Policies
• Some sample security policies to consider are:
– Acceptable system use policy
– Acceptable encryption policy
– Remote network access policy
– Data access authorization policy
– User authentication policy
– Network monitoring policy
– Incident handling policy
– Business continuity / disaster recovery policy
– Physical security policy
17. Consensus Audit Guidelines (CAG)
• Known as Consensus Audit Guidelines (CAG) and as the
Twenty Critical Security Controls for Effective Cyber Defense
• Released in 2009 by CSIS and the SANS Institute
• Collaborative effort by over 100 US agencies & private sector
researcher groups
• Purpose is to “establish a prioritized baseline of information
security measures and controls that can be continuously
monitored through automated mechanisms”
18. IT Governance Frameworks
• There are two major frameworks that are used by auditors to
assess IT governance:
– ISACA’s Control Objectives for Information & Related
Technologies (COBIT)
– IIA’s GTAG 15: Information Security Governance
19. Using the Frameworks
• These frameworks are meant to be a help for your
organization as you make GRC decisions
• Organizations should not attempt to write their own
• When it comes to governance, pick a framework and use it as
the foundation for your GRC program
• Senior executives and all business owners should be on board
with the decision
• Next, as you go through the following sections, use the framework
you chose as the basis for answering the questions that are
raised
20. Formal Risk Management Models
• Formal risk management models are meant to be the next
step after an organization follows the steps from the previous
section
• If an organization follows those steps, but wants more from
risk management, then a formal model makes sense
• Organizations need to know why they are doing risk
management & what they hope to achieve from it
• What are the business objectives you hope to achieve?
21. Formal vs. Ad hoc Models
• Ad hoc models – how organizations will describe nonexistent,
informal, or half-hearted risk programs
• Formal models – defined, thoughtful methods of performing
risk management
• Formal models enable businesses to create a plan for
managing risk in light of business strategies
• If an organization is not using a formal model, it likely is
not doing risk management
22. Choosing the Right Risk Model
• One of the more important risk management decisions an
organization will make is which model to follow
• The model an organization chooses:
– Has to fit the culture of the organization
– Has to be supported by executive management
– Has to be consistent across all business units
– Has to be used comprehensively
– Has to be useable and produce valuable outputs
23. Open Source / Free Risk Mgmt Tools
• SOMAP ORICO
• Practical Threat Analysis (PTA) Professional
• OSSIM Open Source SIEM
24. SOMAP ORICO
• Tool created by the Security Officers Management and
Analysis Project (SOMAP)
• The ORICO tool, self-described by SOMAP:
“is the reference implementation of our OGRCM3
methodology and follows the risk assessment and analysis
workflow as described in our Guide.”
• There are two versions, a Windows desktop version and a Java /
web-based version
• The web version is the more fully functional version with
custom views for different business roles in an enterprise
26. PTA Professional
• Practical Threat Analysis (PTA) for Information Security
Professionals
• Self-described, its role is to:
“Identify system vulnerabilities, map system assets, assess the
risk of the threats and define an effective risk mitigation plan
for a specific system architecture, functionality and
configuration.”
• It is distributed as a Windows-based client application for
managing this information
28. OSSIM Open Source SIEM
• Open Source Security Information Management (OSSIM)
• Created & maintained by AlienVault
• OSSIM’s goal, self-described, is to:
“provide a comprehensive compilation of tools which, when
working together, grant network/security administrators with a
detailed view over each and every aspect of his or her networks,
hosts, physical access devices, server, etc.”
• Can be installed as a VMware appliance or by using an installer
script to set up & configure each of the components
30. Problem Statement
• News agencies are reporting new data breaches
almost on a daily basis
• Resources to protect information are limited
• Senior executives have not engaged to protect data
• What we’re doing to secure enterprises isn’t working
• It’s time to rethink how we protect our data
31. Further Questions
• James Tarala
– E-mail: james.tarala@enclavesecurity.com
– Twitter: @isaudit, @jamestarala
– Blog: http://www.enclavesecurity.com/blogs/
• Resources for further study:
– SANS Audit Program – Audit 407 Beta in Orlando (July)
– 20 Critical Controls Project
– The Balanced Scorecard (by Kaplan & Norton)
– Security Metrics (by Andrew Jaquith)
Editor’s notes: Governance, Risk, & Compliance (GRC) is more than a catchy acronym – it is an approach to business culture. GRC is a three-legged stool that is necessary to effectively manage and steer the organization. This presentation will provide an introduction to GRC and discuss the collaboration and sharing of information, assessments, metrics, risks, policies, training, and losses across business roles and processes. GRC helps identify interrelationships in today’s complex and distributed business environment.