GRC The Way Forward James Finn MODULO [email protected]

Upload: rochester-security-summit

Post on 20-May-2015


DESCRIPTION

Are you managing GRC in the most effective manner? Is it contributing to business governance or becoming a burden? We will discuss the current state of GRC and recognized business drivers, as well as supportive risk management infrastructures. Strategies for aligning business interests with enterprise GRC programs, to establish a complete, auditable, less time-consuming program that benefits from management visibility and compliance readiness, will additionally be presented. Utilize GRC to manage your business, not to burden it.

James P. Finn, Modulo

James has twenty-five years of experience in security and disaster recovery consulting, managing and delivering enterprise solutions to more than 200 worldwide commercial and government clients. He has held various management and consulting positions in the information security field, including as a worldwide IBM Corporate Auditor for Information Security reporting to the Corporation's Board of Directors, as the founding Principal of both the IBM and Unisys Security Consulting Practices, and as Vice President of Risk Management for Modulo. He has consulted in more than 38 countries (U.S., Asia, Europe, South America) on business, technical security and recovery solutions to assist clients to achieve and maintain effective governance across the full spectrum of security and business recovery disciplines. James is a Microsoft MSRA trained assessor, a KPMG trained SOX auditor and also holds Business Continuity certifications. He is frequently requested as a speaker at international industry conferences, live webcasts and TV and radio news shows, and is the author of over 50 media articles on computer security.

TRANSCRIPT

Page 1: GRC– The Way Forward

GRC The Way Forward

James Finn, MODULO

[email protected]

Page 2: GRC– The Way Forward

Agenda

• GRC Current State
• Business Risk
• Risk Management Evolution
• GRC Maturity Goals
• Your Risk Management
• Business Challenges
• GRC Automation Best Practices
• Questions?

Page 3: GRC– The Way Forward

GRC Current State

A reactive and siloed approach to GRC is a recipe for disaster and leads to:

• Lack of visibility. A reactive approach to risk and compliance leads to siloed initiatives that never see the big picture.

• Wasted and/or inefficient use of resources. Silos of risk and compliance lead to wasted resources.

• Unnecessary complexity. Varying risk and compliance approaches introduce greater complexity to the business environment.

• Lack of flexibility. Complexity drives inflexibility: the organization is not agile in the dynamic business environment it operates in.

• Vulnerability and exposure. A reactive approach leads to greater exposure and vulnerability.

Page 4: GRC– The Way Forward

Risk Management Challenges

• Multiple standards to choose from
• Technology focused, not business centric
• Control identification required for each standard
• Lack of skilled auditors across all platforms
• No documented, thorough, consistent methodology
• Proper, effective, repeatable analysis not in place
• Detailed recommendations not complete
• No definable return on investment
• No knowledge base for additional assessments
• Management visibility not facilitated
• This can all be automated using GRC software

Page 5: GRC– The Way Forward

Risks

• Your Brand
• Stakeholders (e.g., board, management, employees)
• Contractual Relationships (e.g., supply-chain, vendors, contractors)
• Informal Relationships (e.g., NGOs, media)
• Your business information security and privacy

Are you trying to manage a problem or leverage business information?

Page 6: GRC– The Way Forward

Risk Management Evolution

Current State
• Fragmented silos
• Mostly reactionary
• Individual projects
• Separate from mainstream processes and decision-making
• Spreadsheets, spreadsheets, spreadsheets
• Limited and fragmented use of technology

Future State
• Integrated management & performance
• Proactive planning & execution
• Integrated capability
• Embedded within mainstream processes and decision-making
• Coordinated transactions & shared data
• Architected solutions

Page 7: GRC– The Way Forward

GRC Maturity Goals

• Achieve business objectives
• Enhance organizational culture
• Increase stakeholder confidence
• Prepare & protect the organization
• Prevent, detect & reduce adversity
• Motivate/inspire desired conduct
• Improve responsiveness & efficiency
• Optimize economic & social value

Page 8: GRC– The Way Forward

Customer Challenges

• Automate the manual siloed approach to GRC management
  – Solution Required: Distributed database driven platform with common policy, asset, reporting and incident repository

• Comply with multiple regulations
  – Solution Required: Effectively manage the policy lifecycle and map multiple policies to common controls

• Lower IT and enterprise risk
  – Solution Required: Consistently measure and communicate risk posture across the enterprise

• Reduce cost of people resources and IT infrastructure overhead
  – Solution Required: Automate common tasks and leverage technology in place without adding the complexity of agents

Page 9: GRC– The Way Forward

Business Risk

• Where risk is understood and evaluated as part of corporate strategy and performance, it is set in a business context and mapped to corresponding KPIs.
• Risk management aligned to business strategy results in:
  – Risk aligned in the context of the business
    • Risk does not operate as an island unto itself, but is defined and managed in the context of where the business is heading: its goals and objectives
    • Executives and management should clearly be able to see how risk supports or hinders execution of business strategy
  – Risk managed within the context of business cycles
  – Findings influence strategic planning and investments
• Risk management supports and enables the business to execute a strategic plan and maximize return on investments

Page 10: GRC– The Way Forward

Effective GRC Solution

Comprehensive GRC Solution
• Enterprise and IT Risk Management
• Compliance Management
• Policy Management
• Vendor Risk Management
• Remediation/Incident/Exception Management
• Security Reporting & Remediation
• Business Continuity Management
• Audit Management

Integrated GRC Platform
• Multi-language web based platform
• Integrated database driven distributed architecture
• Extensive knowledge base of frameworks, regulations and best practices
• Intelligent dashboard & reporting
• Ready to implement with the flexibility to configure
• Integration services API
• Role based access control
• Encrypted

Page 11: GRC– The Way Forward

Today's Fragmented Approach

[Figure: separate silos for Inventory, Evaluation, Analysis, Remediation and Policies.]

This requires an automated GRC Management approach that brings together silos of risk and compliance into a comprehensive management platform.

Page 12: GRC– The Way Forward

Risk Management Process

• Sound risk-based decision making is critical to the success of any risk management program
• …enterprises must move toward the formalization of risk management processes with appropriate accountability, transparency and measurability
• Risk management must be undertaken as a new approach to addressing business threats

Gartner, April 2009

• Business risk is more than operational and financial
• Total enterprise risk management includes enterprise IT risk

Page 13: GRC– The Way Forward

GRC Automation Best Practices

Page 14: GRC– The Way Forward

GRC Tool Manager modules

[Figure: module layout grouped into Basic Modules, Service Modules and GRC Portal, comprising Knowledge Management, Organization, Policy Management, Governance, Compliance Management, Continuity, Workflow, Home, Administration, Dashboard, Risk Management and ERM.]

Page 15: GRC– The Way Forward

Risk Management Cycle

Inventory
• Inventory
• People, Process, Technology, Environment
• Relevance Levels

Analyze
• Knowledge Base
• Automated Collectors
• Web Interviews
• In-person Interviews

Evaluate
• Reports
• Indexes
• Charts
• Tables

Treat
• Recommendation follow-up
• Workflow Manager

Page 16: GRC– The Way Forward

Top-Down "Governance" Approach

[Figure: layers labelled Business Processes, Systems and Assets.]

Page 17: GRC– The Way Forward
Page 18: GRC– The Way Forward

Eliminate Compliance Silos

[Figure: Laws & Regulations (SOX, FISMA, Basel II, NIST) and Frameworks (17799, COBIT) mapped onto common Controls (PEOPLE, POLICY, SERVER), each backed by Evidence (DOC, BKP, PASSWORD).]

Page 19: GRC– The Way Forward

GRC tools provide comprehensive support for the most commonly faced regulations, standards & frameworks, and more.

Sample Frameworks

• A130
• Basel II
• BS25999
• COBIT
• DIACAP
• DOD 8500.2
• FFIEC
• FIPS 199
• FISAP
• FISMA
• GLBA
• HIPAA
• ISO27001
• ISO27002
• ITIL
• NERC-CIP
• NIST 800-53a
• OSHA
• PCI DSS
• SOX

Page 20: GRC– The Way Forward

Comprehensive Knowledge Base, including…

Technologies: Cisco Router w/IOS 12; Oracle 8 and 9i; Microsoft SQL Server 7.0, 2000, 2005; Unix Solaris 8 and 9; Microsoft Exchange 5.5, 2000, 2003; Microsoft IIS 4.0, 5.0, 6.0; SAP AG R/3 4.0B, 4.6D; Apache 1.3.27; Windows XP, 2000, 2003, Vista; Linux; Access Point - WLAN; Application System in Production; Check Point VPN 1/Firewall 1 NG; IBM Lotus Notes R5; Microsoft ISA Server 2000, 2004; PDA; Firewalls

People: IT Technician; Senior Manager; Security Officers; Area or Process Manager; End User

Processes: Developed Application System (15408); Change Management; Data and System Backup; Systems Continuity Management; Contracts with Vendors; Business Process Information Flow; IT Security Organization; ISO 27001; ISO 17799:2005; CobiT 4.0 - IT Process Maturity; FISMA; PCI Data Security Standard; HIPAA – NIST 800-66; BITs - FISAP – AUP and SIG

Physical Controls: Datacenter; Office

Live Update: 350 Knowledge Bases, 20,000 Controls, 5000 Data Collectors

Page 21: GRC– The Way Forward

The MetaFramework

[Figure: evidence for technologies and control areas (Web Server, Windows, Router, Oracle, Unix, Access Control, Change Management, Physical Controls) is gathered by Automatic Collectors, Web Interview or Off-line Collector; Regulations, Standards & Frameworks (SOX, GLBA, HIPAA, PCI, Basel II, Cobit, ISO 27001, FISAP, PCI-DSS) are mapped into the GRC Metaframework.]

GRC METAFRAMEWORK

• 350 Checklists with 20,000+ Controls
• 5000 Automatic Evidence Collectors
• 1200 “Atomic” Control Objective Packets mapped

Page 22: GRC– The Way Forward

Contains Knowledge about Controls

• Why is the control important?
• How to implement?
• If NOT implemented, to which threats am I susceptible?
• Where to learn more?

Page 23: GRC– The Way Forward


Knowledge Base

Page 24: GRC– The Way Forward

Using Automatic Collectors

Page 25: GRC– The Way Forward

Risk Acceptance and Treatment

[Figure: assets grouped by People, Technology, Process and Facility (e.g., ERP, Order Entry, Financial, IT Department, Sales), each evaluated for risk.]

• Accept risk and communicate
• Unacceptable risk: send to treatment
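Added example, not code from the slides or from Modulo's product: a miniature metaframework in the sense of page 21, where each atomic control objective maps to requirements in several regulations so that one collected piece of evidence counts for all of them, from which the non-implemented-control risk report (page 29) and the accept-or-treat decision on this page are derived. Regulation names are from the slides; the control ids, requirement references, risk levels and collector results are constructed.

```python
from dataclasses import dataclass

@dataclass
class Control:
    cid: str            # atomic control objective id (constructed)
    title: str
    mapped_to: dict     # regulation or framework -> requirement reference (illustrative)
    risk_level: int     # risk if NOT implemented, 1 (low) .. 5 (critical) (constructed)
    implemented: bool = False

# Four atomic controls. Regulation names come from the slides; everything else is constructed.
METAFRAMEWORK = [
    Control("AC-01", "Password policy enforced on servers",
            {"ISO 27001": "A.9.4.3", "PCI-DSS": "8.2", "SOX": "ITGC-AC-2", "HIPAA": "164.312(d)"}, 4),
    Control("BK-01", "Backups performed and restore-tested",
            {"ISO 27001": "A.12.3.1", "HIPAA": "164.308(a)(7)", "SOX": "ITGC-OPS-1"}, 3),
    Control("CM-01", "Change management approvals recorded",
            {"ISO 27001": "A.12.1.2", "SOX": "ITGC-CM-1", "COBIT": "BAI06"}, 2),
    Control("PH-01", "Datacenter physical entry control",
            {"ISO 27001": "A.11.1.2", "PCI-DSS": "9.1"}, 3),
]

def apply_collector_results(controls, results):
    """Mark controls from collector output ({control id: implemented?}); one evidence item serves every mapped regulation."""
    for c in controls:
        if c.cid in results:
            c.implemented = results[c.cid]
    return controls

def coverage(controls, regulation):
    """(implemented, total) atomic controls mapped to one regulation, with no per-regulation silo."""
    relevant = [c for c in controls if regulation in c.mapped_to]
    return sum(c.implemented for c in relevant), len(relevant)

def risk_report(controls):
    """Operational risk report: each non-implemented control with its risk level, highest first."""
    gaps = sorted((c for c in controls if not c.implemented), key=lambda c: -c.risk_level)
    return [(c.cid, c.risk_level, sorted(c.mapped_to)) for c in gaps]

def treatment_plan(controls, risk_appetite):
    """Gaps at or below the risk appetite are accepted (and communicated); the rest go to treatment."""
    plan = {"accept": [], "treat": []}
    for cid, level, _ in risk_report(controls):
        plan["accept" if level <= risk_appetite else "treat"].append(cid)
    return plan

if __name__ == "__main__":
    # Constructed collector run: password and change controls failed, backup and physical passed.
    ctrls = apply_collector_results(METAFRAMEWORK, {"AC-01": False, "BK-01": True, "CM-01": False, "PH-01": True})
    print([(r, coverage(ctrls, r)) for r in ("ISO 27001", "PCI-DSS", "SOX", "HIPAA", "COBIT")])
    print(risk_report(ctrls), treatment_plan(ctrls, risk_appetite=2))
```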

Page 26: GRC– The Way Forward

Final Results - Samples

• Workflow Manager allows monitoring risk treatment actions through the Internet

• Real-time Scorecard (allows viewing events in real time)

Page 27: GRC– The Way Forward

Dashboard

Page 28: GRC– The Way Forward

Detailed Risk Report

Page 29: GRC– The Way Forward

Benefits in using GRC Automation

• Saves up to 25% project time due to automatic collectors, evidence storage and automatic report generation

• Evidence repository stores artifacts such as access permissions, cryptography and audit logs

• Management based on progress indicators

• Operational Risk Report that details each non-implemented control’s associated risk level

• Role based access control

• Ease of common implementation across all GRC responsibilities

• Facilitates on-going compliance management

• Auditable repository

• Perpetual, Leased, Appliance or SaaS licenses

Page 30: GRC– The Way Forward

GRC Benefits

• Better results through low investment costs and high value
• Integration between IT and business views
• IT Risk Assessment metrics and indexes
• Productivity improvements through analysis automation
• Compliance evaluation with COBIT, ISO/IEC 27002, PCI-DSS and more
• Quicker results
• Recommendations and workflow for treating identified risks
• Supports decisions

Page 31: GRC– The Way Forward

GRC SHOULD SERVE YOU

YOU SHOULD NOT SERVE GRC

Page 32: GRC– The Way Forward

QUESTIONS ?

Page 33: GRC– The Way Forward

GRC The Way Forward

James Finn, MODULO

[email protected]

703 336 3058