Making Information Security Actionable with GRC

Presentation transcript:

Making Information Security Actionable with GRC. Shane Westrup, CRISC, Manager, Professional Services

What you will learn
- GRC concepts and components
- What InfoSec data is used in GRC programs
- What actions can I take with this data
- What will I get and who will care

What is GRC?

Governance, Risk Management and Compliance (GRC): an integrated capability to reliably achieve objectives [governance], address uncertainty [risk management], and act with integrity [compliance].

Why GRC? Breach + Company Name = late phone calls, 16-hour days, auditors, and emails from leadership who now know your name.

Why GRC? What do we put in place to keep that call from happening?
- Password complexity
- Infrastructure design
- Data classification
- Device/asset provisioning
- Vulnerability scanning
- Alignment with regulatory expectations

Common GRC Concepts in InfoSec
- Risk-based security initiatives
- Gap analyses between controls and processes
- Escalation of critical threats and incident response transparency
- Board-level reporting of security metrics, trend analyses and financial impacts

Info Sec Components

Technology
What existing toolsets have the information we will want to use?
- CMDB: assets, applications, config validation
- Tools: scanners, pen tests, Angry IP Scanner
- Information feeds
How do I discover and evaluate their status? What risks do I have because of them?

Process
What action is taken from this data, and what decision does it help make?
- Policies
- Standards
- Procedures
Are those steps repeated and predictable for all involved? Where does the Technology data come from, and are there dependencies to obtain it?

People
Who has responsibility to create, deliver, and act on the data? Who do they rely on? Who ensures it is done?
- Functions: protect, monitor, maintain, recover
- Roles: application security, event monitoring, security governance, threat response
- Accountability: everyone

Employing GRC (GRC sits between Compliance, IT Operations, Governance and Security Operations)

Compliance: Understand how the industry, the Board, and management expect us to function. Communicate guidance and allow operations the flexibility on how to integrate. It would be nice if we actually knew what was done operationally and could focus our guidance appropriately.

IT Operations: We know what we protect and its current level of protection. We tell the people who we have been told are responsible for those things. We also know what isn't protected or has no one responsible for it. We wish it were easier to know that what we are protecting is what we should be protecting.

Governance: Knows what should be protected and to what extent, based on what we use it for. Relies on others to tell us when it doesn't meet expectations, and gets it corrected as long as it doesn't affect our ability to operate. Hopes to find an easy way to operate without getting permission from others before taking action.

Security Operations: Continually evaluate threats and risks present that could prevent us from meeting management's goals. Share roll-up information to provide management insights for decision making on matters that could impact objectives. Work with management to gauge the likelihood of meeting operational goals, but are met with resistance when identifying potential hazards to the organization.

Case Study University of Chicago - Biosciences Division

Challenges
Speed to act:
- Scan start to vulnerability assignment: 5-7 days
- Vulnerability remediation: 1.5 hours per system
- 1.5 FTEs needed per 100 systems for IS tasks
Prioritization:
- 15 system owners and 20 IT custodians offered guidance
- 32 departments defined and agreed on priorities
- Exceptions cannot become the rule for 5,000 faculty
- Those accountable for 800 servers expected a framework

Results with a GRC Platform
Respond with defined purpose:
- Assign immediately: 100% assignment
- Effort on action, not analysis: 77% decrease
- Efficiency and distribution of tasks
Adopt and implement for everyone:
- Solve problems that need a solution
- Adopt activities that align with needs
- Stakeholders help prioritize, then stop
- Context and reason are required for adoption
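The "Technology" slide names the CMDB and the vulnerability scanner as the data a GRC program consumes, and the case study measures success as the share of findings assigned to an accountable owner at scan time (the "100% assignment" result above). The script below is an added example, not code from the talk or from LockPath's Keylight product: it joins a constructed scanner export against a constructed CMDB extract, hands each finding to the asset's owner ordered by severity and data classification, and separates out findings nobody owns (an owner field left blank, or an asset the CMDB has never heard of), which is exactly the "isn't protected or has no one responsible for it" gap the IT Operations quadrant describes. The CSV layouts, the severity and SLA tables and the priority weighting are assumptions made for the example.

```python
"""Join scanner findings against a CMDB owner list and report assignment coverage.

Added example, not code from the original talk or from LockPath/Keylight.
All data below is constructed for illustration; the CSV layouts, field
names, severity scale and SLA table are assumptions, not a real export format.
"""
import csv
import io
from collections import defaultdict

# Constructed CMDB extract: asset -> owner and data classification.
# lab-17 has no owner recorded, which is the gap we want to surface.
CMDB_CSV = """\
asset,owner,classification
db-01.example.edu,alice@example.edu,restricted
web-03.example.edu,bob@example.edu,internal
lab-17.example.edu,,public
"""

# Constructed scanner export. legacy-09 is not in the CMDB at all.
SCAN_CSV = """\
asset,plugin_id,severity,title
db-01.example.edu,10001,critical,Remote code execution in database listener
web-03.example.edu,10002,medium,TLS weak cipher suites enabled
lab-17.example.edu,10003,high,Unpatched SMB service
legacy-09.example.edu,10004,high,Default credentials on management interface
"""

# Assumed scales: severity rank, remediation SLA in days, and a weight for
# how sensitive the data on the asset is (drives prioritisation).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
CLASS_WEIGHT = {"restricted": 2, "internal": 1, "public": 0}


def load_cmdb(text):
    """Index the CMDB extract by asset name."""
    return {row["asset"]: row for row in csv.DictReader(io.StringIO(text))}


def assign_findings(scan_text, cmdb):
    """Return (assignments, unowned).

    assignments maps owner -> findings sorted by descending priority.
    unowned lists findings with no accountable person: either the CMDB row
    has a blank owner or the scanned asset is missing from the CMDB entirely.
    """
    assignments = defaultdict(list)
    unowned = []
    for row in csv.DictReader(io.StringIO(scan_text)):
        rec = cmdb.get(row["asset"])
        owner = rec["owner"] if rec else ""
        classification = rec["classification"] if rec else "unknown"
        finding = {
            "asset": row["asset"],
            "plugin_id": row["plugin_id"],
            "severity": row["severity"],
            "title": row["title"],
            "classification": classification,
            "sla_days": SLA_DAYS[row["severity"]],
            # Priority = severity rank + data sensitivity. An asset the CMDB
            # does not know is treated as if it held restricted data.
            "priority": SEVERITY_RANK[row["severity"]] + CLASS_WEIGHT.get(classification, 2),
        }
        if owner:
            assignments[owner].append(finding)
        else:
            unowned.append(finding)
    for items in assignments.values():
        items.sort(key=lambda f: -f["priority"])
    return dict(assignments), unowned


def assignment_rate(assignments, unowned):
    """Percentage of findings that landed with a named owner."""
    total = sum(len(v) for v in assignments.values()) + len(unowned)
    return 0.0 if total == 0 else 100.0 * (total - len(unowned)) / total


if __name__ == "__main__":
    cmdb = load_cmdb(CMDB_CSV)
    assigned, unowned = assign_findings(SCAN_CSV, cmdb)
    for owner, items in assigned.items():
        for f in items:
            print(f"{owner}: {f['asset']} [{f['severity']}] due in {f['sla_days']}d - {f['title']}")
    for f in unowned:
        print(f"UNOWNED: {f['asset']} [{f['severity']}] - escalate to governance")
    print(f"assignment rate: {assignment_rate(assigned, unowned):.0f}%")
```

Run against the constructed data, two of the four findings reach an owner and two are flagged as unowned, so the assignment rate is 50%. In a real program the unowned list is the report that goes to governance rather than to operations: it is the set of assets for which no amount of scanning will produce remediation until someone is made accountable, and tracking that number toward zero is what the "100% assignment" result on the slide measures.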

GRC Ecosystem 11/15/2018

The Keylight Platform

Questions? Shane Westrup, Manager, Professional Services, LockPath. shane.westrup@lockpath.com | lockpath.com | 913.601.4800 | info@lockpath.com | @LockPath