SlideShare a Scribd company logo

Grc tao.4

Download as PPTX, PDF
Flaskdata.io, profile picture
Flaskdata.io

The document discusses the shortcomings of traditional GRC (Governance, Risk management, and Compliance) approaches and proposes an alternative "Tao of GRC". It argues that traditional GRC 1.0 focuses too much on fixed processes and past threats. The Tao of GRC proposes adopting a standard threat analysis language to provide a common framework for understanding threats. It also advocates learning this language on the job to better understand regulatory and business priorities. Finally, it suggests taking a green approach by measuring risk reduction in monetary terms, focusing on root causes, and recycling controls and policies to reduce costs.

1 of 26
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
The Tao of GRC Danny Lieberman CTO – Software Associates, Israel
2 I have heard of military operations that were clumsy but swift, but I have never seen one that was skillful and lasted a long time. Master Sun (Chapter 2 – Doing Battle, the Art of War)
The Tao of GRC • Practical • Any business can cook • Protect customers and comply more effectively with regulation. 3
Agenda • The flavors of GRC • Why GRC 1.0 is broken • The Tao of GRC • Why it works 4
3 flavors of GRC • Government • Industry • Vendor-neutral standards 5
Government • SOX, GLBA, HIPAA, EU Privacy, FDA • Protect consumer • Top-down risk analysis 6
Industry • PCI DSS 1.2 • Protect card associations • No risk analysis 7
Vendor-neutral standards • ISO2700x • Protect information assets • Audit focus 8
GRC 1.0 • Big Enterprise Software • “automate the workflow and documentation management associated with costly and complex GRC processes” Sword, Oracle, CA, Gartner, Forrester 9
Why GRC 1.0 is broken 10 Fixed control structures Focusing on yesterday’s threats
4 mistakes CIOS make 11 1. Focus on process while ignoring that hackers attack software 2. Label vendors as partners 3. Confuse business alignment with risk reduction
Both attackers and defenders have imperfect knowledge in making their decisions. 12
Mobile clinical assistants • Mobile medical devices used by hospital radiologists had unplanned Internet access. • Over 300 devices infected by Conficker and taken out of service. • Regulatory requirements mandated that the impacted hospitals would have to wait 90 days before the systems could be modified to remove the infections and vulnerabilities. 13
The Tao of GRC 14
Step 1 - Adopt a standard language 15 The threat analysis base class People Threats Methods
People entities 16 Decision makers • Encounter threats that damage their assets • Risk is part of running a business Attackers • Create threats & exploit vulnerabilities • Fame, fortune, sales channel Consultants • Assess risk, recommend countermeasures • Billable hours Vendors • Provide countermeasures • Marketing rhetoric, pseudo science
Threat entities 17 • An attacker may exploit vulnerabilities to cause damage to assets. • Security countermeasures mitigate vulnerabilities and reduce risk. Asset Vulnerability Counter measures Attacker
Threat T3 – Malicious code may be used in order to exploit OS vulnerabilities and obtain patient information from mobile medical devices Vulnerability V3 – Unnecessary devices may be enabled Countermeasure C4 – Hardware toggle USB on Countermeasure C5 – Network isolation Countermeasure C6 – Software security assessment Example threat scenario 18 Attackers ePHI Weak or well- known passwords Software defects OS vulnerabilities
Methods • SetThreatProbability – estimated annual rate of occurrence of the threat • SetThreatDamageToAsset – estimated damage to asset value as a percentage • SetCountermeasureEffectiveness – estimated effectiveness as a percentage • SetAssetValue , GetValueAtRisk – in Dollars/Euro/Rupee 19
Step 2 - Learn to speak fluently 20
Learn on the job Vis-à-vis the regulator • Understand what audit requirements count Vis-à-vis your business • Understand what threats count • Prioritize • Increase profits 21
Understand what threats count 22
Prioritize countermeasures
Step 3 Go green • Measure risk reduction in money • Attention to root causes • Recycle controls & policies 24
Why the Tao of GRC works • Threat models are transparent and recyclable. • Transparency means more eyeballs can look at issues. • Recycling & more eyeballs reduces cost. • More eyeballs means safer products. • Safer products means more revenue. 25
Acknowledgements 26 1. Michel Godet, for sharing his work reducing silos and creating reusable risk building blocks 2. Wlodek Grudzinski, for sharing his insights as a bank CEO and introducing me to Imperfect Knowledge Economics 3. My clients ,for giving me the opportunity to teach them the language of threats. 4. My colleagues at PTA Technologies for doing a great job.

More Related Content

PDF
Evidence-Based Security: The New Top Five Controls
Priyanka Aash
 
PDF
Accelerating OT - A Case Study
Digital Bond
 
PDF
Hunting for cyber threats targeting weapon systems
Fidelis Cybersecurity
 
PDF
Threat intelligence Primary Tradecraft and Research
Fidelis Cybersecurity
 
PDF
The State of Threat Detection 2019
Fidelis Cybersecurity
 
PDF
Game Changing Cyber Defensive Strategies for 2019
Fidelis Cybersecurity
 
PDF
Current & Emerging Cyber Security Threats
NCC Group
 
PPTX
Building an application security program
Outpost24
 
Evidence-Based Security: The New Top Five Controls
Priyanka Aash
 
Accelerating OT - A Case Study
Digital Bond
 
Hunting for cyber threats targeting weapon systems
Fidelis Cybersecurity
 
Threat intelligence Primary Tradecraft and Research
Fidelis Cybersecurity
 
The State of Threat Detection 2019
Fidelis Cybersecurity
 
Game Changing Cyber Defensive Strategies for 2019
Fidelis Cybersecurity
 
Current & Emerging Cyber Security Threats
NCC Group
 
Building an application security program
Outpost24
 

What's hot (20)

PDF
TIC-TOC: Ransomware: Help your Customers be Prepared with Dominique Singer an...
SaraPia5
 
PDF
Why Zero Trust Yields Maximum Security
Priyanka Aash
 
PDF
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
North Texas Chapter of the ISSA
 
PDF
You can't detect what you can't see illuminating the entire kill chain
Fidelis Cybersecurity
 
PDF
Hardware Security on Vehicles
Priyanka Aash
 
PPTX
Security Monitoring using SIEM null bangalore meet april 2015
n|u - The Open Security Community
 
PDF
Jump Start Your Application Security Knowledge
Denim Group
 
PPTX
Malware evolution and Endpoint Detection and Response
Adrian Guthrie
 
PPTX
DC970 Presents: Defense in Depth
IceQUICK
 
PPTX
Outpost24 webinar: The state of ransomware in 2021 and how to limit your expo...
Outpost24
 
PDF
Vulnerability Management – Opportunities and Challenges!
Outpost24
 
PDF
GDPR: The Application Security Twist
Security Innovation
 
PDF
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...
Core Security
 
PPTX
Time Traveling: Adapting Techniques from the Future to Improve Reliability, J...
Digital Bond
 
PDF
Slide Deck - CISSP Mentor Program Class Session 1
FRSecure
 
PDF
Bridging the Gap Between Threat Intelligence and Risk Management
Priyanka Aash
 
PDF
Security Operations and Response
xband
 
PPTX
An introduction to Cyber Essentials
Jisc
 
PDF
Cyber security series advanced persistent threats
Jim Kaplan CIA CFE
 
PDF
Chapter 15 incident handling
newbie2019
 
TIC-TOC: Ransomware: Help your Customers be Prepared with Dominique Singer an...
SaraPia5
 
Why Zero Trust Yields Maximum Security
Priyanka Aash
 
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
North Texas Chapter of the ISSA
 
You can't detect what you can't see illuminating the entire kill chain
Fidelis Cybersecurity
 
Hardware Security on Vehicles
Priyanka Aash
 
Security Monitoring using SIEM null bangalore meet april 2015
n|u - The Open Security Community
 
Jump Start Your Application Security Knowledge
Denim Group
 
Malware evolution and Endpoint Detection and Response
Adrian Guthrie
 
DC970 Presents: Defense in Depth
IceQUICK
 
Outpost24 webinar: The state of ransomware in 2021 and how to limit your expo...
Outpost24
 
Vulnerability Management – Opportunities and Challenges!
Outpost24
 
GDPR: The Application Security Twist
Security Innovation
 
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...
Core Security
 
Time Traveling: Adapting Techniques from the Future to Improve Reliability, J...
Digital Bond
 
Slide Deck - CISSP Mentor Program Class Session 1
FRSecure
 
Bridging the Gap Between Threat Intelligence and Risk Management
Priyanka Aash
 
Security Operations and Response
xband
 
An introduction to Cyber Essentials
Jisc
 
Cyber security series advanced persistent threats
Jim Kaplan CIA CFE
 
Chapter 15 incident handling
newbie2019
 
Ad

Similar to Grc tao.4 (20)

PPTX
The Tao of GRC
Flaskdata.io
 
PPTX
CMLGroup - What is GRC?
CML Group
 
PPTX
GRC Dynamics in Securing Cloud
Noman Bari PMP,CISSP,CCSP,AWSx4,CISM,CISA
 
PPTX
GRC– The Way Forward
Rochester Security Summit
 
DOCX
task 1
BIBEKCHAUDHARYBScHon
 
PPTX
Concept of Governance - Management of Operational Risk for IT Officers/Execut...
Amity University | FMS - DU | IMT | Stratford University | KKMI International Institute | AIMA | DTU
 
PDF
GRC Strategies in a Business_ Trends and Challenges.pdf
basilmph
 
PDF
Advantages of an integrated governance, risk and compliance environment
IBM Analytics
 
PPTX
7 Grc Myths Webinar 20110127 Final (2)
GBBLUME
 
PPTX
Risk Technology Strategy, Selection and Implementation
Risk Management Institution of Australasia
 
PDF
Sem 001 sem-001
SelectedPresentations
 
PPTX
Exploring the Impact of Governance Risk and Compliance
INTERCERT
 
PPSX
Does audit make us more secure
EnterpriseGRC Solutions, Inc.
 
PDF
GRC: Identify and reduce business risks
write2kanika
 
PPT
CML Group GRCaaS Dashboard
Jim Robins
 
PPTX
FRAMEWORKS AND STANDARDS-GRC,GDPR,SOX,PCI DSS,SOX,ISO
alexangelmary99
 
PDF
Lets understand the GRC market well with Ponemon analysis- FixNix
FixNix Inc.,
 
PDF
Insights on grc grc technology au1488
Ashwin Kumar
 
PPT
SLVA - Developing an IT GRC Strategy
SLVA Information Security
 
PDF
How GRC software can help your business better manage governance, risk, and c...
ContinuSys
 
The Tao of GRC
Flaskdata.io
 
CMLGroup - What is GRC?
CML Group
 
GRC Dynamics in Securing Cloud
Noman Bari PMP,CISSP,CCSP,AWSx4,CISM,CISA
 
GRC– The Way Forward
Rochester Security Summit
 
task 1
BIBEKCHAUDHARYBScHon
 
Concept of Governance - Management of Operational Risk for IT Officers/Execut...
Amity University | FMS - DU | IMT | Stratford University | KKMI International Institute | AIMA | DTU
 
GRC Strategies in a Business_ Trends and Challenges.pdf
basilmph
 
Advantages of an integrated governance, risk and compliance environment
IBM Analytics
 
7 Grc Myths Webinar 20110127 Final (2)
GBBLUME
 
Risk Technology Strategy, Selection and Implementation
Risk Management Institution of Australasia
 
Sem 001 sem-001
SelectedPresentations
 
Exploring the Impact of Governance Risk and Compliance
INTERCERT
 
Does audit make us more secure
EnterpriseGRC Solutions, Inc.
 
GRC: Identify and reduce business risks
write2kanika
 
CML Group GRCaaS Dashboard
Jim Robins
 
FRAMEWORKS AND STANDARDS-GRC,GDPR,SOX,PCI DSS,SOX,ISO
alexangelmary99
 
Lets understand the GRC market well with Ponemon analysis- FixNix
FixNix Inc.,
 
Insights on grc grc technology au1488
Ashwin Kumar
 
SLVA - Developing an IT GRC Strategy
SLVA Information Security
 
How GRC software can help your business better manage governance, risk, and c...
ContinuSys
 
Ad

More from Flaskdata.io (18)

PDF
Flaskdata - Observability for clinical data
Flaskdata.io
 
PDF
The travel industry does real-time. Why doesn't clinical research?
Flaskdata.io
 
PDF
Flaskdata.io automated monitoring for clinical trials
Flaskdata.io
 
PPTX
How to write secure code
Flaskdata.io
 
PDF
The insights that will help your medtech clinical trial succeed
Flaskdata.io
 
PDF
2017 02-05 en-eu-data-security_v2
Flaskdata.io
 
PPTX
Quick user guide to the Clear Clinica Cloud EDC system
Flaskdata.io
 
PPTX
Killed by code 2015
Flaskdata.io
 
PPTX
Killed by code 2015
Flaskdata.io
 
PPTX
Pathcare: Patient-issue oriented healthcare
Flaskdata.io
 
PDF
Will Web 2.0 applications break the cloud?
Flaskdata.io
 
PPTX
Killed by code - mobile medical devices
Flaskdata.io
 
PPT
Data Security For Compliance 2
Flaskdata.io
 
PDF
Data Security For SMB - Fly first class on a budget
Flaskdata.io
 
PDF
Data Security Metricsa Value Based Approach
Flaskdata.io
 
PDF
Homeland Security - strengthening the weakest link
Flaskdata.io
 
PDF
Selling Data Security Technology
Flaskdata.io
 
PDF
Writing An Effective Security Procedure in 2 pages or less and make it stick
Flaskdata.io
 
Flaskdata - Observability for clinical data
Flaskdata.io
 
The travel industry does real-time. Why doesn't clinical research?
Flaskdata.io
 
Flaskdata.io automated monitoring for clinical trials
Flaskdata.io
 
How to write secure code
Flaskdata.io
 
The insights that will help your medtech clinical trial succeed
Flaskdata.io
 
2017 02-05 en-eu-data-security_v2
Flaskdata.io
 
Quick user guide to the Clear Clinica Cloud EDC system
Flaskdata.io
 
Killed by code 2015
Flaskdata.io
 
Killed by code 2015
Flaskdata.io
 
Pathcare: Patient-issue oriented healthcare
Flaskdata.io
 
Will Web 2.0 applications break the cloud?
Flaskdata.io
 
Killed by code - mobile medical devices
Flaskdata.io
 
Data Security For Compliance 2
Flaskdata.io
 
Data Security For SMB - Fly first class on a budget
Flaskdata.io
 
Data Security Metricsa Value Based Approach
Flaskdata.io
 
Homeland Security - strengthening the weakest link
Flaskdata.io
 
Selling Data Security Technology
Flaskdata.io
 
Writing An Effective Security Procedure in 2 pages or less and make it stick
Flaskdata.io
 

Grc tao.4

  • 1. The Tao of GRC Danny Lieberman CTO – Software Associates, Israel
  • 2. 2 I have heard of military operations that were clumsy but swift, but I have never seen one that was skillful and lasted a long time. Master Sun (Chapter 2 – Doing Battle, the Art of War)
  • 3. The Tao of GRC • Practical • Any business can cook • Protect customers and comply more effectively with regulation. 3
  • 4. Agenda • The flavors of GRC • Why GRC 1.0 is broken • The Tao of GRC • Why it works 4
  • 5. 3 flavors of GRC • Government • Industry • Vendor-neutral standards 5
  • 6. Government • SOX, GLBA, HIPAA, EU Privacy, FDA • Protect consumer • Top-down risk analysis 6
  • 7. Industry • PCI DSS 1.2 • Protect card associations • No risk analysis 7
  • 8. Vendor-neutral standards • ISO2700x • Protect information assets • Audit focus 8
  • 9. GRC 1.0 • Big Enterprise Software • “automate the workflow and documentation management associated with costly and complex GRC processes” Sword, Oracle, CA, Gartner, Forrester 9
  • 10. Why GRC 1.0 is broken 10 Fixed control structures Focusing on yesterday’s threats
  • 11. 4 mistakes CIOS make 11 1. Focus on process while ignoring that hackers attack software 2. Label vendors as partners 3. Confuse business alignment with risk reduction
  • 12. Both attackers and defenders have imperfect knowledge in making their decisions. 12
  • 13. Mobile clinical assistants • Mobile medical devices used by hospital radiologists had unplanned Internet access. • Over 300 devices infected by Conficker and taken out of service. • Regulatory requirements mandated that the impacted hospitals would have to wait 90 days before the systems could be modified to remove the infections and vulnerabilities. 13
  • 14. The Tao of GRC 14
  • 15. Step 1 - Adopt a standard language 15 The threat analysis base class People Threats Methods
  • 16. People entities 16 Decision makers • Encounter threats that damage their assets • Risk is part of running a business Attackers • Create threats & exploit vulnerabilities • Fame, fortune, sales channel Consultants • Assess risk, recommend countermeasures • Billable hours Vendors • Provide countermeasures • Marketing rhetoric, pseudo science
  • 17. Threat entities 17 • An attacker may exploit vulnerabilities to cause damage to assets. • Security countermeasures mitigate vulnerabilities and reduce risk. Asset Vulnerability Counter measures Attacker
  • 18. Threat T3 – Malicious code may be used in order to exploit OS vulnerabilities and obtain patient information from mobile medical devices Vulnerability V3 – Unnecessary devices may be enabled Countermeasure C4 – Hardware toggle USB on Countermeasure C5 – Network isolation Countermeasure C6 – Software security assessment Example threat scenario 18 Attackers ePHI Weak or well- known passwords Software defects OS vulnerabilities
  • 19. Methods • SetThreatProbability – estimated annual rate of occurrence of the threat • SetThreatDamageToAsset – estimated damage to asset value as a percentage • SetCountermeasureEffectiveness – estimated effectiveness as a percentage • SetAssetValue , GetValueAtRisk – in Dollars/Euro/Rupee 19
  • 20. Step 2 - Learn to speak fluently 20
  • 21. Learn on the job Vis-à-vis the regulator • Understand what audit requirements count Vis-à-vis your business • Understand what threats count • Prioritize • Increase profits 21
  • 24. Step 3 Go green • Measure risk reduction in money • Attention to root causes • Recycle controls & policies 24
  • 25. Why the Tao of GRC works • Threat models are transparent and recyclable. • Transparency means more eyeballs can look at issues. • Recycling & more eyeballs reduces cost. • More eyeballs means safer products. • Safer products means more revenue. 25
  • 26. Acknowledgements 26 1. Michel Godet, for sharing his work reducing silos and creating reusable risk building blocks 2. Wlodek Grudzinski, for sharing his insights as a bank CEO and introducing me to Imperfect Knowledge Economics 3. My clients ,for giving me the opportunity to teach them the language of threats. 4. My colleagues at PTA Technologies for doing a great job.