The Tao of GRC (slide deck transcript)
2
I have heard of military operations that were clumsy but swift, but I have never seen one that was skillful and lasted a long time.
Master Sun, The Art of War, Chapter 2 (Doing Battle)
3
The Tao of GRC
• Practical
• Any business can cook
• Protect customers and comply more effectively with regulation
4
Agenda
• The flavors of GRC
• Why GRC 1.0 is broken
• The Tao of GRC
• Why it works
5
3 flavors of GRC
• Government
• Industry
• Vendor-neutral standards
6
Government
• SOX, GLBA, HIPAA, EU Privacy, FDA
• Protect the consumer
• Top-down risk analysis
7
Industry
• PCI DSS 1.2
• Protect card associations
• No risk analysis
8
Vendor-neutral standards
• ISO 2700x
• Protect information assets
• Audit focus
9
GRC 1.0
• Big Enterprise Software
• “automate the workflow and documentation management associated with costly and complex GRC processes” (Sword, Oracle, CA, Gartner, Forrester)
10
Why GRC 1.0 is broken
• Fixed control structures
• Focusing on yesterday’s threats
11
4 mistakes CIOs make
1. Focus on process while ignoring that hackers attack software
2. Label vendors as partners
3. Confuse business alignment with risk reduction
12
Both attackers and defenders have imperfect knowledge in making their decisions.
13
Mobile clinical assistants
• Mobile medical devices used by hospital radiologists had unplanned Internet access.
• Over 300 devices infected by Conficker and taken out of service.
• Regulatory requirements meant the affected hospitals had to wait 90 days before the systems could be modified to remove the infections and vulnerabilities.
14
The Tao of GRC
15
Step 1 - Adopt a standard language
The threat analysis base class: Threats, People, Methods
16
People entities
• Decision makers – encounter threats that damage their assets; risk is part of running a business
• Attackers – create threats and exploit vulnerabilities; fame, fortune, sales channel
• Consultants – assess risk, recommend countermeasures; billable hours
• Vendors – provide countermeasures; marketing rhetoric, pseudo-science
17
Threat entities
• An attacker may exploit vulnerabilities to cause damage to assets.
• Security countermeasures mitigate vulnerabilities and reduce risk.
(Diagram: Attacker → Vulnerability → Asset)
18
Example threat scenario
• Threat T3 – Malicious code may be used in order to exploit OS vulnerabilities and obtain patient information from mobile medical devices
• Vulnerability V3 – Unnecessary devices may be enabled
• Countermeasure C4 – Hardware toggle USB on
• Countermeasure C5 – Network isolation
• Countermeasure C6 – Software security assessment
(Diagram: Attackers → weak or well-known passwords, software defects, OS vulnerabilities → ePHI)
19
Methods
• SetThreatProbability – estimated annual rate of occurrence of the threat
• SetThreatDamageToAsset – estimated damage to asset value, as a percentage
• SetCountermeasureEffectiveness – estimated effectiveness, as a percentage
• SetAssetValue, GetValueAtRisk – in dollars/euro/rupee
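The four methods above, worked through as an added example that is not the deck's or PTA Technologies' code: a small Python model of the threat-analysis base class, applied to the T3 scenario from the previous slide. The asset value, annual rate of occurrence, damage percentage, countermeasure costs and effectiveness figures are constructed assumptions, as is the second threat ("T-pw") built from the diagram's "weak or well-known passwords" label; the rule that independent countermeasures compound multiplicatively is also an assumption. Because value at risk is in money, the model can rank countermeasures by money saved per unit spent and stop when the next control costs more than it saves.

```python
"""Added example: the slide's threat-analysis base class as a Python model.
All entities, values and effectiveness figures are constructed for
illustration; this is not PTA's code and not a real assessment."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: float          # SetAssetValue: in dollars/euro/rupee


@dataclass
class Countermeasure:
    name: str
    cost: float           # annual cost of the control, same currency as assets
    # SetCountermeasureEffectiveness: fraction of each threat it mitigates,
    # keyed by threat name. One control may cover several threats (a recycled control).
    effectiveness: dict[str, float] = field(default_factory=dict)


@dataclass
class Threat:
    name: str
    asset: Asset
    probability: float    # SetThreatProbability: estimated annual rate of occurrence
    damage: float         # SetThreatDamageToAsset: fraction of asset value lost per occurrence


class ThreatModel:
    """Threats and countermeasures over a set of assets, with money-valued risk."""

    def __init__(self, threats, countermeasures):
        self.threats = {t.name: t for t in threats}
        self.countermeasures = {c.name: c for c in countermeasures}

    def value_at_risk(self, threat_name, applied=()):
        """GetValueAtRisk for one threat: expected annual loss in money once the
        named countermeasures are applied. Assumption: independent controls
        compound, so residual exposure is the product of (1 - effectiveness)."""
        t = self.threats[threat_name]
        residual = 1.0
        for name in applied:
            residual *= 1.0 - self.countermeasures[name].effectiveness.get(threat_name, 0.0)
        return t.asset.value * t.damage * t.probability * residual

    def total_value_at_risk(self, applied=()):
        return sum(self.value_at_risk(n, applied) for n in self.threats)

    def prioritize(self):
        """Greedy plan: repeatedly pick the unapplied countermeasure with the best
        marginal risk reduction per unit cost; stop when no remaining control
        saves more money than it costs. Returns [(name, risk_reduction, cost), ...]."""
        applied, plan = [], []
        while True:
            current = self.total_value_at_risk(applied)
            best = None
            for name, cm in self.countermeasures.items():
                if name in applied:
                    continue
                reduction = current - self.total_value_at_risk(applied + [name])
                if reduction > cm.cost and (best is None or reduction / cm.cost > best[1] / best[2]):
                    best = (name, reduction, cm.cost)
            if best is None:
                return plan
            applied.append(best[0])
            plan.append(best)


def build_example_model():
    """Slide 18's scenario with constructed numbers (assumptions, not measured data)."""
    ephi = Asset("ePHI on mobile clinical assistants", value=2_000_000)
    threats = [
        # T3 from the slide: malicious code exploiting OS vulnerabilities reaches patient data.
        Threat("T3", ephi, probability=0.5, damage=0.25),
        # Constructed second threat from the diagram's "weak or well-known passwords".
        Threat("T-pw", ephi, probability=0.2, damage=0.10),
    ]
    countermeasures = [
        Countermeasure("C4", cost=20_000, effectiveness={"T3": 0.6}),              # hardware USB toggle
        Countermeasure("C5", cost=50_000, effectiveness={"T3": 0.8, "T-pw": 0.5}),  # network isolation
        Countermeasure("C6", cost=120_000, effectiveness={"T3": 0.5}),             # software security assessment
    ]
    return ThreatModel(threats, countermeasures)


if __name__ == "__main__":
    model = build_example_model()
    print(f"baseline value at risk: {model.total_value_at_risk():,.0f}")
    chosen = []
    for name, reduction, cost in model.prioritize():
        chosen.append(name)
        print(f"{name}: saves {reduction:,.0f} per year for {cost:,.0f}")
    print(f"residual value at risk: {model.total_value_at_risk(chosen):,.0f}")
```

With these figures the plan picks C4 first (the cheap USB toggle has the best saving per unit cost), then C5, and rejects C6 because the 10,000 it would still save no longer justifies its 120,000 cost; the point is that the ranking comes out of the money, not out of a fixed control list.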
20
Step 2 - Learn to speak fluently
21
Learn on the job
Vis-à-vis the regulator
• Understand what audit requirements count
Vis-à-vis your business
• Understand what threats count
• Prioritize
• Increase profits
22
Understand what threats count
Prioritize countermeasures
24
Step 3 - Go green
• Measure risk reduction in money
• Attention to root causes
• Recycle controls & policies
25
Why the Tao of GRC works
• Threat models are transparent and recyclable.
• Transparency means more eyeballs can look at issues.
• Recycling & more eyeballs reduces cost.
• More eyeballs means safer products.
• Safer products means more revenue.
26
Acknowledgements
1. Michel Godet, for sharing his work reducing silos and creating reusable risk building blocks
2. Wlodek Grudzinski, for sharing his insights as a bank CEO and introducing me to Imperfect Knowledge Economics
3. My clients, for giving me the opportunity to teach them the language of threats.
4. My colleagues at PTA Technologies for doing a great job.