grc tao.4
I have heard of military operations that were clumsy but swift, but I have never seen one that was skillful and lasted a long time.
Master Sun (Chapter 2 – Doing Battle, the Art of War)
The Tao of GRC
• Practical
• Any business can cook
• Protect customers and comply more effectively with regulation.
Agenda
• The flavors of GRC
• Why GRC 1.0 is broken
• The Tao of GRC
• Why it works
3 flavors of GRC
• Government
• Industry
• Vendor-neutral standards
Government
• SOX, GLBA, HIPAA, EU Privacy, FDA
• Protect consumer
• Top-down risk analysis
Industry
• PCI DSS 1.2
• Protect card associations
• No risk analysis
Vendor-neutral standards
• ISO2700x
• Protect information assets
• Audit focus
GRC 1.0
• Big Enterprise Software
• “automate the workflow and documentation management associated with costly and complex GRC processes”
Sword, Oracle, CA, Gartner, Forrester
Why GRC 1.0 is broken
Fixed control structures
Focusing on yesterday’s threats
4 mistakes CIOs make
1. Focus on process while ignoring that hackers attack software
2. Label vendors as partners
3. Confuse business alignment with risk reduction
Both attackers and defenders have imperfect knowledge in making their decisions.
Mobile clinical assistants
• Mobile medical devices used by hospital radiologists had unplanned Internet access.
• Over 300 devices infected by Conficker and taken out of service.
• Regulatory requirements mandated that the impacted hospitals would have to wait 90 days before the systems could be modified to remove the infections and vulnerabilities.
The Tao of GRC
Step 1 - Adopt a standard language
The threat analysis base class
Threats People Methods
People entities
Decision makers
• Encounter threats that damage their assets
• Risk is part of running a business
Attackers
• Create threats & exploit vulnerabilities
• Fame, fortune, sales channel
Consultants
• Assess risk, recommend countermeasures
• Billable hours
Vendors
• Provide countermeasures
• Marketing rhetoric, pseudo science
Threat entities
• An attacker may exploit vulnerabilities to cause damage to assets.
• Security countermeasures mitigate vulnerabilities and reduce risk.
Diagram entities: Attacker, Vulnerability, Asset
Example threat scenario
Threat T3 – Malicious code may be used in order to exploit OS vulnerabilities and obtain patient information from mobile medical devices
Vulnerability V3 – Unnecessary devices may be enabled
Countermeasure C4 – Hardware toggle USB on
Countermeasure C5 – Network isolation
Countermeasure C6 – Software security assessment
Diagram labels: Attackers; ePHI; Weak or well-known passwords; Software defects; OS vulnerabilities
Methods
• SetThreatProbability – estimated annual rate of occurrence of the threat
• SetThreatDamageToAsset – estimated damage to asset value as a percentage
• SetCountermeasureEffectiveness – estimated effectiveness as a percentage
• SetAssetValue, GetValueAtRisk – in Dollars/Euro/Rupee
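The Methods slide names the setters and the value-at-risk getter but gives no formula. The Python below is an added illustration, not code from the deck or from PTA Technologies: it implements a small threat-analysis base class with those four methods and loads the T3/V3/C4-C6 scenario from the example slide as data. The annualized formula (asset value × damage fraction × annual rate of occurrence × residual risk, where applied countermeasures are treated as independent so their (1 − effectiveness) factors multiply), the ranking helper prioritize_countermeasures (which reflects Step 3, "measure risk reduction in money"), and every figure are assumptions made for the example.

```python
# Added example (not from the slide deck): a threat-analysis base class whose
# methods follow the "Methods" slide. The value-at-risk formula, the ranking
# helper and all numbers are constructed assumptions.
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: float = 0.0              # SetAssetValue: Dollars/Euro/Rupee


@dataclass
class Countermeasure:
    cid: str
    name: str
    effectiveness: float = 0.0      # SetCountermeasureEffectiveness: fraction 0..1


@dataclass
class Vulnerability:
    vid: str
    name: str
    countermeasures: list = field(default_factory=list)


@dataclass
class Threat:
    tid: str
    name: str
    asset: Asset
    vulnerability: Vulnerability
    probability: float = 0.0        # SetThreatProbability: annual rate of occurrence
    damage: float = 0.0             # SetThreatDamageToAsset: fraction of asset value


class ThreatModel:
    """Holds the threat entities and exposes the four methods from the slide."""

    def __init__(self) -> None:
        self.threats: dict = {}

    def add_threat(self, threat: Threat) -> None:
        self.threats[threat.tid] = threat

    @staticmethod
    def _fraction(pct: float) -> float:
        # Percentages are stored as fractions; out-of-range input is rejected.
        if not 0 <= pct <= 100:
            raise ValueError(f"percentage out of range: {pct}")
        return pct / 100.0

    def set_threat_probability(self, tid: str, aro: float) -> None:
        self.threats[tid].probability = aro

    def set_threat_damage_to_asset(self, tid: str, pct: float) -> None:
        self.threats[tid].damage = self._fraction(pct)

    def set_asset_value(self, tid: str, value: float) -> None:
        self.threats[tid].asset.value = value

    def set_countermeasure_effectiveness(self, tid: str, cid: str, pct: float) -> None:
        for cm in self.threats[tid].vulnerability.countermeasures:
            if cm.cid == cid:
                cm.effectiveness = self._fraction(pct)
                return
        raise KeyError(cid)

    def get_value_at_risk(self, tid: str, applied: tuple = ()) -> float:
        """Assumed formula: value * damage * probability * residual, where residual
        is the product of (1 - effectiveness) over the applied countermeasures."""
        t = self.threats[tid]
        residual = 1.0
        for cm in t.vulnerability.countermeasures:
            if cm.cid in applied:
                residual *= 1.0 - cm.effectiveness
        return t.asset.value * t.damage * t.probability * residual

    def prioritize_countermeasures(self, tid: str) -> list:
        """Rank countermeasures by the annual loss each removes on its own (money)."""
        baseline = self.get_value_at_risk(tid)
        ranked = [(cm.cid, baseline - self.get_value_at_risk(tid, (cm.cid,)))
                  for cm in self.threats[tid].vulnerability.countermeasures]
        return sorted(ranked, key=lambda r: r[1], reverse=True)


def build_example_model() -> ThreatModel:
    """T3/V3/C4-C6 scenario from the slides; all figures are constructed."""
    v3 = Vulnerability("V3", "Unnecessary devices may be enabled", [
        Countermeasure("C4", "Hardware toggle USB on"),
        Countermeasure("C5", "Network isolation"),
        Countermeasure("C6", "Software security assessment"),
    ])
    t3 = Threat("T3", "Malicious code exploits OS vulnerabilities to obtain ePHI",
                Asset("ePHI"), v3)
    model = ThreatModel()
    model.add_threat(t3)
    model.set_asset_value("T3", 1_000_000)        # assumed asset value
    model.set_threat_probability("T3", 0.5)       # assumed: once every two years
    model.set_threat_damage_to_asset("T3", 20)    # assumed: 20% of asset value lost
    model.set_countermeasure_effectiveness("T3", "C4", 60)
    model.set_countermeasure_effectiveness("T3", "C5", 80)
    model.set_countermeasure_effectiveness("T3", "C6", 50)
    return model
```

With these assumed figures the baseline value at risk is 100,000 per year; network isolation (C5) removes the most (80,000), then the USB toggle (C4, 60,000), then the software assessment (C6, 50,000), and applying all three leaves 4,000. Swapping in a business's own asset values and rates is the point of the exercise: the ranking is expressed in money, which is what Step 3 asks for.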
Step 2 - Learn to speak fluently
Learn on the job
Vis-à-vis the regulator
• Understand what audit requirements count
Vis-à-vis your business
• Understand what threats count
• Prioritize
• Increase profits
Understand what threats count
Prioritize countermeasures
Step 3 - Go green
• Measure risk reduction in money
• Attention to root causes
• Recycle controls & policies
Why the Tao of GRC works
• Threat models are transparent and recyclable.
• Transparency means more eyeballs can look at issues.
• Recycling & more eyeballs reduces cost.
• More eyeballs means safer products.
• Safer products means more revenue.
Acknowledgements
1. Michel Godet, for sharing his work reducing silos and creating reusable risk building blocks
2. Wlodek Grudzinski, for sharing his insights as a bank CEO and introducing me to Imperfect Knowledge Economics
3. My clients, for giving me the opportunity to teach them the language of threats.
4. My colleagues at PTA Technologies for doing a great job.