The Tao of GRC
Posted on 19-Dec-2014
The Tao of GRC
Danny Lieberman
Software Associates
GRC 1.0
The Tao of GRC
Agenda
• The flavors
• The Tao
• Why it works
GRC comes in 3 flavors
• Government
• Industry
• Vendor-neutral standards
Government
• SOX, HIPAA, EU Privacy
• Protect consumer
• Top-down risk analysis
Industry
• PCI DSS
• Protect card associations
• No risk analysis
Vendor-neutral standards
• ISO2700x
• Protect information assets
• Audit focus
4 mistakes CIOs make
• Focus on process while ignoring that hackers attack software
• Relabel vendors as partners
• Confuse business alignment with risk reduction
Both attackers and defenders have imperfect knowledge in making
their decisions.
Mobile clinical assistants
• Unplanned Internet access, 300 devices infected by Conficker.
• Regulatory: hospitals had to wait 90 days before applying remedy.
The Tao of GRC
1. Adopt common threat language
2. Learn to speak well
3. Go green
1. Common threat language
The threat analysis base class
Threats, People, Methods
Players
• Decision makers: encounter threats that damage their assets; risk is part of running a business
• Attackers: create threats & exploit vulnerabilities; fame, fortune, sales channel
• Consultants: assess risk, recommend countermeasures; billable hours
• Vendors: provide countermeasures; marketing rhetoric, pseudo science
Threat scenario
• Threats exploit vulnerabilities to damage assets.
• Countermeasures mitigate vulnerabilities to reduce risk.
(Diagram: Attacker, Vulnerability, Asset)
Methods
• Set asset value
• Set asset damage
• Set countermeasure effectiveness
• Set threat probability
Sample threat scenario
(Diagram: Attackers, vulnerabilities, and the ePHI asset)
• Asset: ePHI
• Attackers
• Vulnerabilities: weak or well-known passwords, software defects, OS vulnerabilities
• Countermeasures: C4 1 – Disable USB; C5 3 – Use Ubuntu; C6 7 – Software security assessment
VaR
ValueAtRisk = Asset Value × Threat Probability × (1 – Countermeasure Effectiveness)
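The "Methods" slide and this VaR formula are enough to compute and rank countermeasures in code. The following is an added example, not from the presentation or PTA Technologies; the threat and countermeasure names come from the sample scenario above, while every asset value, probability, cost and effectiveness figure is constructed, and the rule that independent countermeasures multiply their residual risk is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Threat:
    name: str
    asset_value: float   # "Set asset value": value at stake, used directly by the formula
    probability: float   # "Set threat probability": expected incidents per year

@dataclass
class Countermeasure:
    name: str
    cost: float          # annual cost in the same units as asset value (constructed)
    effectiveness: dict = field(default_factory=dict)  # threat name -> fraction 0..1

def combined_effectiveness(threat, applied):
    """Assumption: countermeasures act independently, so their residual risks multiply."""
    residual = 1.0
    for cm in applied:
        residual *= 1.0 - cm.effectiveness.get(threat.name, 0.0)
    return 1.0 - residual

def value_at_risk(threat, applied=()):
    """The deck's formula: Asset Value x Threat Probability x (1 - Countermeasure Effectiveness)."""
    return threat.asset_value * threat.probability * (1.0 - combined_effectiveness(threat, applied))

def total_var(threats, applied=()):
    return sum(value_at_risk(t, applied) for t in threats)

def prioritize(threats, candidates, applied=()):
    """Rank candidates by VaR reduction per unit cost; rows are (name, reduction, reduction/cost)."""
    base = total_var(threats, applied)
    cut = [(cm, base - total_var(threats, list(applied) + [cm])) for cm in candidates]
    return sorted(((cm.name, round(r, 2), round(r / cm.cost, 2)) for cm, r in cut),
                  key=lambda row: row[2], reverse=True)

# Constructed scenario: ePHI on mobile clinical assistants. Threat and countermeasure names
# follow the deck; every value, probability, cost and effectiveness is invented for illustration.
# Nothing below covers weak passwords, so that threat keeps its full VaR whatever is applied.
THREATS = [
    Threat("Weak or well-known passwords", asset_value=500_000, probability=0.30),
    Threat("Software defects", asset_value=500_000, probability=0.20),
    Threat("OS vulnerabilities", asset_value=500_000, probability=0.40),
]
CANDIDATES = [
    Countermeasure("C4 Disable USB", cost=5_000, effectiveness={"OS vulnerabilities": 0.50}),
    Countermeasure("C5 Use Ubuntu", cost=40_000, effectiveness={"OS vulnerabilities": 0.70}),
    Countermeasure("C6 Software security assessment", cost=30_000, effectiveness={"Software defects": 0.60}),
]
```

Calling `prioritize(THREATS, CANDIDATES)` ranks the cheap USB lockdown first on risk reduced per unit cost, while `value_at_risk(THREATS[0], CANDIDATES)` shows the password threat untouched at its full baseline.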
2. Learn to speak well
• Practice
• What threats count
• Prioritize
Understand what threats count
Prioritize countermeasures
3. Go green
• Security is about economics
• Attention to root causes
• Recycle control policies
Why the Tao works
• Threat models are transparent and recyclable.
• Transparency means more eyeballs can look at issues.
• Recycling reduces cost.
• More eyeballs improves security.
• Better security means safer products for customers.
• Safer products are good for business.
Acknowledgements
1. Michel Godet, for sharing his work reducing silos and creating reusable risk building blocks
2. Wlodek Grudzinski, for sharing his insights as a bank CEO and introducing me to Imperfect Knowledge Economics
3. My clients, for giving me the opportunity to teach them the language of threats.
4. My colleagues at PTA Technologies for doing a great job.