Published by Leona Washington. Modified over 6 years ago.
1
Making Information Security Manageable with GRC
Shane Westrup, CRISC, Manager, Professional Services
2
What you will learn
- GRC concepts and components
- What InfoSec data is used in GRC programs
- What actions can I take with this data
- What will I get and who will care
3
What is GRC? (Poll the audience on what they think GRC is.)
4
Governance, Risk Management and Compliance (GRC):
an integrated capability to reliably achieve objectives [governance], while addressing uncertainty [risk management], and acting with integrity [compliance].
5
Why GRC?
Breach + Company Name =
- Late phone calls
- 16-hour days
- Auditors
- Emails from leadership who now know your name
6
Why GRC? What do we put in place to keep that call from happening?
- Password complexity
- Infrastructure design
- Data classification
- Device/asset provisioning
- Vulnerability scanning
- Alignment with regulatory expectations
- Multiple layers of processes and controls that validate that what we've put in place is actually working and evolving
7
Common GRC Concepts in InfoSec
- Risk-based security initiatives
- Gap analyses between controls and processes
- Escalation of critical threats and incident response transparency
- Board-level reporting of security metrics, trend analyses and financial impacts
8
GRC Components
9
Technology
What existing toolsets have the information we will want to use?
- CMDB: assets, applications, config validation
- Tools: scanners, pen tests, Angry IP
- Information feeds
How do I discover and evaluate their status? What risks do I have because of them?
10
Process
What action is taken from this, and what decision does it help make?
- Policies
- Standards
- Procedures
Are those steps repeated and predictable for all involved? Where does that Technology data come from, and are there any dependencies to obtain the data?
11
People
Who has responsibility to create, deliver, and act on the data? Who do they rely on? Who ensures it is done?
- Functions: protect, monitor, maintain, recover
- Roles: application security, event monitoring, security governance, threat response
- Accountability: everyone
12
Employing GRC: how Compliance, IT Operations, Governance and Security Operations each see the problem
Compliance
- Understand how the industry, the Board, and management expect us to function
- Communicate guidance and allow operations the flexibility on how to integrate
- It would be nice if we actually knew what was done operationally and could focus our guidance appropriately
IT Operations
- We know what we protect and its current level of protection
- We tell the people who we've been told are responsible for those things
- We also know what isn't protected or has no one responsible for it
- We wish it was easier to know that what we are protecting is what we should be protecting
Governance
- Knows what should be protected and to what extent, based on what we use it for
- Relies on others to tell us when it doesn't meet expectations, and gets it corrected as long as it doesn't affect our ability to operate
- Hopes to find an easy way to operate without getting permission from others before taking action
Security Operations
- Continually evaluate threats and risks present that could prevent us from meeting management's goals
- Share roll-up information to provide management with insights for decision making on matters that could impact objectives
- Work with management to gauge the likelihood of meeting operational goals, but are met with resistance when identifying potential hazards to the organization
13
Results
Individual Contributors
- Prioritize your work
- Increase awareness of dependencies
- Alert management of roadblocks
- Front-line analysis of trends
- Bottom-up view of operations
Managers
- Prioritize the team direction and focus
- Identify, analyze and share trends
- Incorporate regulatory requirements and best practices into your procedures
- Present leadership with important decisions
- Adaptive approach to existing responsibilities with changing business models
Senior Leadership
- Top-down view of the organization
- Resources focused on things that matter
- Alignment of regulation with controls offers reassurance
- Accomplished goals and increased awareness
- Comfort with big data and the environment to create competitive advantages
14
Case Study University of Chicago - Biosciences Division
15
Challenges
Speed to Act
- Scan start to vulnerability assignment: days
- Vulnerability remediation: 1.5 hours per system
- 1.5 FTEs needed per 100 systems for IS tasks
Prioritization
- 15 system owners and 20 IT custodians offered guidance
- 32 departments defined and agreed on priorities
- Exceptions cannot become the rule for 5,000 faculty
- Those accountable for 800 servers expected a framework
16
Results with a GRC Platform
Respond With Defined Purpose
- Assign immediately: 100% assignment
- Effort on action, not analysis: 77% decrease
- Efficiency and distribution of tasks
Adopt and Implement For Everyone
- Solve problems that need a solution
- Adopt activities that align with needs
- Stakeholders help prioritize, then stop
- Context and reason are required for adoption
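The Technology and Process slides ask where the scanner and CMDB data comes from and what decision it drives, and the case study measures the outcome as assignment rate and remediation effort. The following is an added example, not LockPath or Keylight code and not from the presentation: it joins constructed scanner findings to a constructed CMDB extract so that every finding is routed to the system owner (falling back to the IT custodian), surfaces findings on assets that have no accountable person and hosts the CMDB does not know about, orders each person's queue by department-defined priority and then scanner severity, and reports the assignment rate and an effort estimate using the slide's 1.5 hours per system figure. All records, field names and the severity scale are assumptions chosen for illustration.

```python
"""Reconcile vulnerability-scanner output with a CMDB to route findings.

Added example (not LockPath/Keylight code). All records below are
constructed sample data; the field names and 1-4 severity scale are
assumptions. HOURS_PER_SYSTEM is the figure quoted on the case-study slide.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed CMDB extract: asset -> ownership and department priority
# (1 = most important to the department).
CMDB = {
    "bio-web-01": {"owner": "j.doe", "custodian": "it-linux",   "dept": "genetics", "priority": 1},
    "bio-db-02":  {"owner": "j.doe", "custodian": "it-dba",     "dept": "genetics", "priority": 1},
    "lab-ws-17":  {"owner": None,    "custodian": "it-desktop", "dept": "imaging",  "priority": 3},
    "lab-ws-18":  {"owner": None,    "custodian": None,         "dept": "imaging",  "priority": 3},
}

# Constructed scanner export, one row per finding. "old-nas" is deliberately
# absent from the CMDB to show the unknown-host path.
SCAN_FINDINGS = [
    {"host": "bio-web-01", "finding": "outdated TLS library",            "severity": 4},
    {"host": "bio-db-02",  "finding": "default service account enabled", "severity": 3},
    {"host": "lab-ws-17",  "finding": "missing OS patch",                "severity": 2},
    {"host": "lab-ws-18",  "finding": "missing OS patch",                "severity": 2},
    {"host": "old-nas",    "finding": "anonymous file share",            "severity": 4},
]

HOURS_PER_SYSTEM = 1.5  # remediation effort per system, from the case-study slide


@dataclass
class Triage:
    assigned: dict = field(default_factory=lambda: defaultdict(list))  # assignee -> findings
    orphaned: list = field(default_factory=list)        # known asset, nobody accountable
    unknown_hosts: list = field(default_factory=list)   # scanned host missing from CMDB


def rank(finding, asset):
    """Sort key: department priority first, then scanner severity (lower = more urgent)."""
    return (asset["priority"], -finding["severity"])


def triage(findings, cmdb):
    """Route each finding to an accountable person, or flag why that is impossible."""
    t = Triage()
    for f in findings:
        asset = cmdb.get(f["host"])
        if asset is None:
            # The scanner sees something governance does not know exists.
            t.unknown_hosts.append(f["host"])
            continue
        # System owner is accountable; the IT custodian is the fallback.
        assignee = asset["owner"] or asset["custodian"]
        if assignee is None:
            t.orphaned.append(f)
            continue
        t.assigned[assignee].append({**f, "dept": asset["dept"], "rank": rank(f, asset)})
    for queue in t.assigned.values():
        queue.sort(key=lambda item: item["rank"])
    return t


def assignment_rate(t):
    """Fraction of findings that reached a named person (the slide's 100% target)."""
    assigned = sum(len(q) for q in t.assigned.values())
    total = assigned + len(t.orphaned) + len(t.unknown_hosts)
    return assigned / total if total else 0.0


def estimated_hours(t):
    """Remediation effort for assigned work, counting each system once."""
    hosts = {item["host"] for q in t.assigned.values() for item in q}
    return len(hosts) * HOURS_PER_SYSTEM


if __name__ == "__main__":
    result = triage(SCAN_FINDINGS, CMDB)
    for person, queue in result.assigned.items():
        print(person, [item["host"] for item in queue])
    print("orphaned:", [item["host"] for item in result.orphaned])
    print("unknown hosts:", result.unknown_hosts)
    print(f"assignment rate: {assignment_rate(result):.0%}, "
          f"effort: {estimated_hours(result)} h")
```

The two gap lists are the point of the exercise: a finding in `orphaned` is a governance problem (an asset with no accountable owner or custodian), and a host in `unknown_hosts` is an inventory problem (the scanner found something the CMDB never recorded). Neither should be silently dropped from the assignment rate, which is why the rate is computed over all findings rather than only the routable ones.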
17
Keylight Advantage
- Operational Risk Management
- Policy Management & Compliance
- IT Risk Management
- Business Continuity Management & Planning
- Audit Management
- Vendor Risk Management
Configurable Workflow. Dedicated Analytics Engine. Scalable SaaS Platform. On Premise to Cloud Security.
11/8/2018
18
Keylight Ecosystem
19
Questions?
Shane Westrup, LockPath, Manager, Professional Services
LockPath: lockpath.com, @LockPath