The Tao of GRC

Post on 19-Dec-2014


DESCRIPTION

Summary

The GRC (governance, risk and compliance) market is driven by three factors: government regulation such as Sarbanes-Oxley, industry compliance such as PCI DSS 1.2, and growing numbers of data security breaches and Internet acceptable-usage violations in the workplace. $14BN a year is spent in the US alone on corporate-governance-related IT spending [1]. Are large, internally-focused GRC systems the solution for improving risk and compliance? Or should we go outside the organization to look for risks we've never thought about and discover new links and interdependencies [2]?

This article introduces a practical approach that will help the CISOs/CSOs in any sized business unit successfully improve compliance and reduce information value at risk. We call this approach "The Tao of GRC" and base it on 3 principles:

1. Adopt a standard language of threats
2. Learn to speak the language fluently
3. Go green – recycle your risk and compliance

TRANSCRIPT

The Tao of GRC

Danny Lieberman

Software Associates

GRC 1.0

The Tao of GRC

Agenda

• The flavors
• The Tao
• Why it works

GRC comes in 3 flavors

• Government
• Industry
• Vendor-neutral standards

Government

• SOX, HIPAA, EU Privacy
• Protect consumer
• Top-down risk analysis

Industry

• PCI DSS
• Protect card associations
• No risk analysis

Vendor-neutral standards

• ISO2700x
• Protect information assets
• Audit focus

4 mistakes CIOs make

• Focus on process while ignoring that hackers attack software
• Relabel vendors as partners
• Confuse business alignment with risk reduction

Both attackers and defenders have imperfect knowledge in making their decisions.

Mobile clinical assistants

• Unplanned Internet access: 300 devices infected by Conficker.
• Regulatory: hospitals had to wait 90 days before applying the remedy.

The Tao of GRC

1. Adopt common threat language
2. Learn to speak well
3. Go green

1. Common threat language

The threat analysis base class: Threats, People, Methods

Players

Decision makers
• Encounter threats that damage their assets
• Risk is part of running a business

Attackers
• Create threats & exploit vulnerabilities
• Fame, fortune, sales channel

Consultants
• Assess risk, recommend countermeasures
• Billable hours

Vendors
• Provide countermeasures
• Marketing rhetoric, pseudo science

Threat scenario

• Threats exploit vulnerabilities to damage assets.
• Countermeasures mitigate vulnerabilities to reduce risk.

[Diagram: Attacker → Vulnerability → Asset]

Methods

• Set asset value
• Set asset damage
• Set countermeasure effectiveness
• Set threat probability

Sample threat scenario

[Diagram: Attackers → vulnerabilities → asset ePHI]

• Asset: ePHI
• Vulnerabilities: weak or well-known passwords; software defects; OS vulnerabilities
• Countermeasure C4 1 – Disable USB
• Countermeasure C5 3 – Use Ubuntu
• Countermeasure C6 7 – Software security assessment

VaR

ValueAtRisk = Asset Value × Threat Probability × (1 – Countermeasure Effectiveness)

2. Learn to speak well

• Practice
• What threats count
• Prioritize

Understand what threats count

Prioritize countermeasures
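The following is an added worked example (not the slide author's code nor a PTA Technologies tool) that puts the "Methods", "Sample threat scenario" and "VaR" slides together: it models threats, vulnerabilities, assets and countermeasures, computes ValueAtRisk = Asset Value × Threat Probability × (1 – Countermeasure Effectiveness) per scenario, and then prioritizes countermeasures greedily by how much VaR each one removes. The ePHI asset value, threat probabilities, countermeasure effectiveness figures and the rule for combining several countermeasures (independent controls, so residual exposure multiplies) are all constructed assumptions; the countermeasure labels C4/C5/C6 and the vulnerability names follow the sample scenario slide.

```python
"""Worked example of the slide deck's threat-scenario model and VaR formula.

Added example: not the slide author's or PTA Technologies' code. Asset value,
threat probabilities, countermeasure effectiveness and the way countermeasures
combine are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Threat:
    """A threat exploits one vulnerability to damage one asset (threat scenario slide)."""
    name: str
    asset: str
    asset_value: float   # "Set asset value"
    probability: float   # "Set threat probability" (assumed per year)
    vulnerability: str   # the vulnerability the threat exploits


@dataclass(frozen=True)
class Countermeasure:
    """A countermeasure mitigates vulnerabilities to reduce risk."""
    cid: str
    name: str
    effectiveness: float        # "Set countermeasure effectiveness", 0..1
    mitigates: Tuple[str, ...]  # vulnerabilities this countermeasure addresses


def combined_effectiveness(effs: Sequence[float]) -> float:
    """Assumption: independent countermeasures, so residual exposure multiplies.
    Two 50% controls leave 25% exposure, i.e. 75% combined effectiveness."""
    residual = 1.0
    for e in effs:
        residual *= 1.0 - e
    return 1.0 - residual


def value_at_risk(threat: Threat, deployed: Sequence[Countermeasure]) -> float:
    """ValueAtRisk = Asset Value x Threat Probability x (1 - Countermeasure Effectiveness)."""
    effs = [c.effectiveness for c in deployed if threat.vulnerability in c.mitigates]
    return round(threat.asset_value * threat.probability * (1.0 - combined_effectiveness(effs)), 2)


def total_var(threats: Sequence[Threat], deployed: Sequence[Countermeasure]) -> float:
    return round(sum(value_at_risk(t, deployed) for t in threats), 2)


def prioritize(threats: Sequence[Threat], candidates: Sequence[Countermeasure]) -> List[Tuple[str, float]]:
    """Greedy ordering: at each step deploy the countermeasure that removes the most VaR
    given what is already deployed. Returns (countermeasure id, VaR reduction) pairs."""
    deployed: List[Countermeasure] = []
    remaining = list(candidates)
    plan: List[Tuple[str, float]] = []
    while remaining:
        current = total_var(threats, deployed)
        best = max(remaining, key=lambda c: current - total_var(threats, deployed + [c]))
        reduction = round(current - total_var(threats, deployed + [best]), 2)
        if reduction <= 0:
            break  # nothing left that actually reduces risk
        deployed.append(best)
        remaining.remove(best)
        plan.append((best.cid, reduction))
    return plan


def uncovered_threats(threats: Sequence[Threat], candidates: Sequence[Countermeasure]) -> List[str]:
    """'What threats count': a threat no candidate countermeasure addresses keeps its full VaR."""
    covered = {v for c in candidates for v in c.mitigates}
    return [t.name for t in threats if t.vulnerability not in covered]


# Constructed sample following the "Sample threat scenario" slide: attackers reach ePHI
# through weak passwords, software defects and OS vulnerabilities. All numbers are assumed.
EPHI_VALUE = 1_000_000.0
THREATS = [
    Threat("Credential theft via weak or well-known passwords", "ePHI", EPHI_VALUE, 0.30, "weak passwords"),
    Threat("Data theft via software defects", "ePHI", EPHI_VALUE, 0.20, "software defects"),
    Threat("Worm infection via OS vulnerabilities", "ePHI", EPHI_VALUE, 0.10, "OS vulnerabilities"),
]
COUNTERMEASURES = [
    Countermeasure("C4", "Disable USB", 0.40, ("OS vulnerabilities",)),
    Countermeasure("C5", "Use Ubuntu", 0.60, ("OS vulnerabilities",)),
    Countermeasure("C6", "Software security assessment", 0.70, ("software defects",)),
]


def run_sample():
    """Returns (baseline VaR, deployment plan, residual VaR, threats left uncovered)."""
    baseline = total_var(THREATS, [])
    plan = prioritize(THREATS, COUNTERMEASURES)
    chosen = {cid for cid, _ in plan}
    deployed = [c for c in COUNTERMEASURES if c.cid in chosen]
    return baseline, plan, total_var(THREATS, deployed), uncovered_threats(THREATS, COUNTERMEASURES)


if __name__ == "__main__":
    base, plan, residual, uncovered = run_sample()
    print(f"baseline VaR: {base:,.0f}")
    for cid, cut in plan:
        print(f"  deploy {cid}: removes {cut:,.0f}")
    print(f"residual VaR: {residual:,.0f}; uncovered threats: {uncovered}")
```

With the constructed numbers the greedy plan deploys C6 first (it removes the most VaR), then C5, then C4, whose marginal benefit shrinks because C5 already covers the same vulnerability. The residual VaR stays high because no countermeasure in the sample addresses weak or well-known passwords, which is the kind of gap the "what threats count" step is meant to surface before budget is spent.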


3. Go green

• Security is about economics
• Attention to root causes
• Recycle control policies

Why the Tao works

• Threat models are transparent and recyclable.
• Transparency means more eyeballs can look at issues.
• Recycling reduces cost.
• More eyeballs improve security.
• Better security means safer products for customers.
• Safer products are good for business.

Acknowledgements

1. Michel Godet, for sharing his work reducing silos and creating reusable risk building blocks

2. Wlodek Grudzinski, for sharing his insights as a bank CEO and introducing me to Imperfect Knowledge Economics

3. My clients, for giving me the opportunity to teach them the language of threats.

4. My colleagues at PTA Technologies for doing a great job.
