Making Information Security Actionable with GRC
Shane Westrup, CRISC, Manager, Professional Services

What you will learn
GRC concepts and components
What InfoSec data is used in GRC programs
What actions can I take with this data
What will I get and who will care
What is GRC?
Governance, Risk Management and Compliance (GRC)
An integrated capability to reliably achieve objectives [governance], while addressing uncertainty [risk management], and act with integrity [compliance].
Why GRC?
Breach + Company Name =
Late phone calls
16 hour days
Auditors
s from leadership who now know your name

Why GRC?
What do we put in place to keep that call from happening?
Password complexity
Infrastructure design
Data classification
Device/asset provisioning
Vulnerability scanning
Alignment with regulatory expectations
Common GRC Concepts in InfoSec
Risk-based security initiatives
Gap analyses between controls and processes
Escalation of critical threats and incident response transparency
Board-level reporting of security metrics, trend analyses and financial impacts
Info Sec Components
Technology
What existing toolsets have the information we will want to use?
CMDB: assets, applications, config validation
Tools: scanners, pen tests, Angry IP
Information feeds
How do I discover and evaluate their status?
What risks do I have because of them?

Process
What action is taken from this and what decision does it help make?
Policies
Standards
Procedures
Are those steps repeated and predictable for all involved?
Where does that Technology data come from, and are there any dependencies to obtain the data?

People
Who has responsibility to create, deliver, and act on the data?
Who do they rely on? Who ensures it is done?
Functions: protect, monitor, maintain, recover
Roles: application security, event monitoring, security governance, threat response
Accountability: everyone
Employing GRC
The four parties: GRC, Compliance, IT Operations, Governance

Compliance
Understand how the industry, the Board, and management expect us to function.
Communicate guidance and allow operations the flexibility on how to integrate.
It would be nice if we actually knew what was done operationally and could focus our guidance appropriately.

IT Operations
We know what we protect and its current level of protection.
We tell the people who we've been told are responsible for those things.
We also know what isn't protected or has no one responsible for it.
We wish it was easier to know that what we are protecting is what we should.

Governance
Knows what should be protected and to what extent, based on what we use it for.
Rely on others to tell us when it doesn't meet expectations, and get it corrected as long as it doesn't affect our ability to operate.
Hope to find an easy way to operate without getting permission from others before taking action.

Security Operations
Continually evaluate threats and risks present that could prevent us from meeting management's goals.
Share roll-up information to provide management insights for decision making on matters that could impact objectives.
Work with management to gauge the likelihood of meeting operational goals, but are met with resistance when identifying potential hazards to the organization.
Case Study: University of Chicago, Biosciences Division
Challenges: Speed to Act and Prioritization

Speed to Act
Scan start to vulnerability assignment: days
Vulnerability remediation: 1.5 hours per system
1.5 FTEs needed per 100 systems for IS tasks

Prioritization
15 system owners and 20 IT custodians offered guidance
32 departments defined and agreed on priorities
Exceptions cannot become the rule for 5,000 faculty
Those accountable for 800 servers expected a framework
Results with a GRC Platform

Respond With Defined Purpose
Assign immediately: 100% assignment
Effort on action, not analysis: 77% decrease
Efficiency and distribution of tasks

Adopt and Implement For Everyone
Solve problems that need a solution
Adopt activities that align with needs
Stakeholders help prioritize, then stop
Context and reason are required for adoption
GRC Ecosystem 11/15/2018
The Keylight Platform

Questions?
Shane Westrup, LockPath, Manager, Professional Services
LockPath, lockpath.com, @LockPath