The Tao of GRC

DESCRIPTION

Summary

The GRC (governance, risk and compliance) market is driven by three factors: government regulation such as Sarbanes-Oxley, industry compliance such as PCI DSS 1.2, and growing numbers of data security breaches and Internet acceptable-usage violations in the workplace. $14BN a year is spent in the US alone on corporate-governance-related IT spending [1]. Are large, internally-focused GRC systems the solution for improving risk and compliance? Or should we go outside the organization to look for risks we've never thought about and discover new links and interdependencies [2]?

This article introduces a practical approach that will help the CISOs/CSOs in any-sized business unit successfully improve compliance and reduce information value at risk. We call this approach "The Tao of GRC" and base it on 3 principles:

1. Adopt a standard language of threats
2. Learn to speak the language fluently
3. Go green – recycle your risk and compliance

TRANSCRIPT
The Tao of GRC
Danny Lieberman
Software Associates
GRC 1.0
The Tao of GRC
Agenda
• The flavors
• The Tao
• Why it works
GRC comes in 3 flavors
• Government
• Industry
• Vendor-neutral standards
Government
• SOX, HIPAA, EU Privacy
• Protect consumer
• Top-down risk analysis
Industry
• PCI DSS
• Protect card associations
• No risk analysis
Vendor-neutral standards
• ISO 2700x
• Protect information assets
• Audit focus
4 mistakes CIOs make
• Focus on process while ignoring that hackers attack software
• Relabel vendors as partners
• Confuse business alignment with risk reduction
Both attackers and defenders have imperfect knowledge in making their decisions.
Mobile clinical assistants
• Unplanned Internet access: 300 devices infected by Conficker.
• Regulatory: hospitals had to wait 90 days before applying the remedy.
The Tao of GRC
The Tao of GRC
1. Adopt common threat language
2. Learn to speak well
3. Go green
1. Common threat language
The threat analysis base class has three parts: Threats, People and Methods.
Players
• Decision makers: encounter threats that damage their assets; risk is part of running a business.
• Attackers: create threats and exploit vulnerabilities; motivated by fame, fortune, or a sales channel.
• Consultants: assess risk and recommend countermeasures; motivated by billable hours.
• Vendors: provide countermeasures; marketing rhetoric and pseudo-science.
Threat scenario
• Threats exploit vulnerabilities to damage assets.
• Countermeasures mitigate vulnerabilities to reduce risk.
(Diagram: Attacker → Vulnerability → Asset)
Methods
• Set asset value
• Set asset damage
• Set countermeasure effectiveness
• Set threat probability
Sample threat scenario
• Asset: ePHI
• Threat: Attackers
• Vulnerabilities: weak or well-known passwords; software defects; OS vulnerabilities
• Countermeasure C4 1 – Disable USB
• Countermeasure C5 3 – Use Ubuntu
• Countermeasure C6 7 – Software security assessment
VaR
ValueAtRisk = Asset Value x Threat Probability x (1 – Countermeasure Effectiveness)
2. Learn to speak well
• Practice
• What threats count
• Prioritize
Understand what threats count
Prioritize countermeasures
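As an added illustration (not code from the slides or from PTA Technologies), the VaR formula from the earlier slide applied to the sample ePHI threat scenario, with countermeasures ranked by VaR reduction per unit of cost as one way to prioritize them under a budget. The asset value, threat probabilities and effectiveness figures are constructed; the numbers 1, 3 and 7 next to C4, C5 and C6 on the slide are assumed here to be relative costs, and stacked countermeasures are assumed to combine as independent layers.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    asset_value: float   # "Set asset value" (constructed figures below)
    probability: float   # "Set threat probability", 0..1

@dataclass
class Countermeasure:
    name: str
    cost: float          # relative cost; slide's 1/3/7 taken as costs (assumption)
    effectiveness: dict  # threat name -> "Set countermeasure effectiveness", 0..1

def value_at_risk(threat, countermeasures):
    # Slide formula: VaR = AssetValue x ThreatProbability x (1 - Effectiveness).
    # Stacked countermeasures combine as independent layers (assumption).
    residual = 1.0
    for cm in countermeasures:
        residual *= 1.0 - cm.effectiveness.get(threat.name, 0.0)
    return threat.asset_value * threat.probability * residual

def total_var(threats, countermeasures):
    return sum(value_at_risk(t, countermeasures) for t in threats)

def prioritize(threats, candidates, budget):
    # Greedy: best VaR reduction per unit cost among affordable ones, until no gain.
    chosen, remaining = [], list(candidates)
    while True:
        affordable = [cm for cm in remaining if cm.cost <= budget]
        if not affordable:
            break
        current = total_var(threats, chosen)
        best = max(affordable, key=lambda cm: (current - total_var(threats, chosen + [cm])) / cm.cost)
        if total_var(threats, chosen + [best]) >= current:
            break
        chosen.append(best)
        remaining.remove(best)
        budget -= best.cost
    return chosen, total_var(threats, chosen)

# Slide's sample scenario: attackers reach ePHI via three vulnerabilities (constructed values).
THREATS = [
    Threat("weak-passwords", 1_000_000, 0.30),
    Threat("software-defects", 1_000_000, 0.20),
    Threat("os-vulnerabilities", 1_000_000, 0.10),
]
COUNTERMEASURES = [
    Countermeasure("C4 Disable USB", 1, {"os-vulnerabilities": 0.5}),
    Countermeasure("C5 Use Ubuntu", 3, {"os-vulnerabilities": 0.8, "software-defects": 0.3}),
    Countermeasure("C6 Software security assessment", 7, {"software-defects": 0.9, "weak-passwords": 0.4}),
]
```

With a budget of 10, `prioritize(THREATS, COUNTERMEASURES, 10)` picks C4 then C6 and leaves C5 unaffordable, cutting total VaR from 600,000 to 250,000.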
3. Go green
• Security is about economics
• Attention to root causes
• Recycle control policies
Why the Tao works
• Threat models are transparent and recyclable.
• Transparency means more eyeballs can look at issues.
• Recycling reduces cost.
• More eyeballs improve security.
• Better security means safer products for customers.
• Safer products are good for business.
Acknowledgements
1. Michel Godet, for sharing his work reducing silos and creating reusable risk building blocks
2. Wlodek Grudzinski, for sharing his insights as a bank CEO and introducing me to Imperfect Knowledge Economics
3. My clients, for giving me the opportunity to teach them the language of threats.
4. My colleagues at PTA Technologies for doing a great job.