the tao of grc
DESCRIPTION
SummaryThe GRC (governance, risk and compliance) market is driven by three factors: government regulation such as Sarbanes-Oxley, industry compliance such as PCI DSS 1.2 and growing numbers of data security breaches and Internet acceptable usage violations in the workplace. $14BN a year is spent in the US alone on corporate-governance-related IT spending1. Are large internally-focused GRC systems the solution for improving risk and compliance? Or should we go outside the organization to look for risks we’ve never thought about and discover new links and interdependencies2.This article introduces a practical approach that will help the CISOs/CSOs in any sized business unit successfully improve compliance and reduce information value at risk. We call this approach “The Tao of GRC” and base it on 3 principles.1. Adopt a standard language of threats2. Learn to speak the language fluently3. Go green – recycle your risk and complianceTRANSCRIPT
The Tao of GRCDanny Lieberman
Software Associates
2
GRC 1.0
3
The Tao of GRC
4
Agenda
• The flavors• The Tao• Why it works
5
GRC comes in 3 flavors
• Government• Industry• Vendor-neutral standards
6
Government
• SOX, HIPAA, EU Privacy• Protect consumer • Top-down risk analysis
7
Industry
• PCI DSS• Protect card associations • No risk analysis
8
Vendor-neutral standards
• ISO2700x• Protect information assets • Audit focus
9
4 mistakes CIOS make
• Focus on process while ignoring that hackers attack software
• Relabel vendors as partners• Confuse business alignment with risk
reduction
10
Both attackers and defenders have imperfect knowledge in making
their decisions.
11
Mobile clinical assistants
• Unplanned Internet access, 300 devices infected by Conficker.
• Regulatory:
Hospitals had to wait 90 days before applying remedy.
12
The Tao of GRC
13
The Tao of GRC
1. Adopt common threat language2. Learn to speak well3. Go green
14
1. Common threat language
The threat analysis base class
Threats People Methods
15
Players
Decision makers• Encounter threats that
damage their assets• Risk is part of running a
business
Attackers• Create threats & exploit
vulnerabilities• Fame, fortune, sales
channel
Consultants• Assess risk, recommend
countermeasures• Billable hours
Vendors• Provide countermeasures• Marketing rhetoric,
pseudo science
Threat scenario
16
• Threats exploit vulnerabilities to damage assets.
• Countermeasures mitigate vulnerabilities to reduce risk.
AssetVulnerability
Attacker
17
Methods
Set asset value
Set asset damage
Set countermeasure
effectiveness
Set threat probability
18
Countermeasure C4 1– Disable USB Countermeasure C5 3– Use UbuntuCountermeasure C6 7– Software security assessment
Sample threat scenario
Attackers
ePHI
Weak or
well-know
n password
s
Software
defects
OS vulnerabilit
ies
19
VaR
ValueAtRisk = Asset Value x Threat Probability x (1 – Countermeasure Effectiveness)
20
2. Learn to speak well
• Practice• What threats count• Prioritize
21
Understand what threats count
Prioritize countermeasures
23
3. Go green
• Security is about economics• Attention to root causes• Recycle control policies
24
Why the Tao works
• Threat models are transparent and recyclable.
• Transparency means more eyeballs can look at issues.
• Recycling reduces cost
• More eyeballs improves security.
• Better security means safer products for customers
• Safer products is good for business.
25
Acknowledgements
1. Michel Godet, for sharing his work reducing silos and creating reusable risk building blocks
2. Wlodek Grudzinski, for sharing his insights as a bank CEO and introducing me to Imperfect Knowledge Economics
3. My clients ,for giving me the opportunity to teach them the language of threats.
4. My colleagues at PTA Technologies for doing a great job.