
Page 1: Building a GRC Practice - fspgroup.cafspgroup.ca/docs/FSP201210_04.pdf · Building a GRC Practice Tactical Focuses for enabling a GRC program October 26’th, 2012 . 2 Leaders in

© 2011 Sentry Metrics Inc.

Building a GRC Practice

Tactical Focuses for enabling a GRC program

October 26’th, 2012

Page 2:

© 2012 Sentry Metrics Inc. Leaders in Information Security, Compliance and Risk Management Solutions | Confidential 2

Agenda

§ Introduction

§ About GRC

§ Tactical focuses for enabling GRC – Technology in a GRC program

Page 3:

Introduction and Opening salvo….


Page 4:

Introductions

§  My name is Mike Otto. I am the Director of GRC services for Sentry Metrics.

§  Today I will be sharing some things I have learned about GRC, and hopefully some of what I share will be meaningful to you and what you are doing on a daily basis.

§  The idea is to provide some visibility into some key tactical activities that will expedite and enable effective GRC.


Page 5:

Before we begin – Acknowledging the wisdom of the GRC community, best practices and known guidance

§  ISACA (Information Systems Audit and Control Association) and, respectively, the ITGI (IT Governance Institute) – Fantastic resources

–  Some of the world's leading professionals furthering Governance, Risk Management and Compliance

•  Much of what we share with you today is derived from our experience in actualizing the guidance established by ISACA

•  COBIT 5 – STRONGLY recommend you become familiar with COBIT 5 if you have an interest in GRC

•  Stands for Control Objectives for Information and Related Technologies

•  International Organization for Standardization (ISO) (27000 series, 38500)

•  Other recognized methodologies and frameworks (ITILv3, NIST Special Publications, NERC-CIP)

•  Audit and compliance frameworks (PCI-DSS v2, SOX, etc.)

Page 6:

How much is involved in turning on a light?

We often forget how much goes into turning on a light. It's a significant process. (How much do we take for granted?)


IT GRC - implements a way to ensure we get a positive result with IT – that all the complexity is managed against an expected result.

Getting the light bulb to “turn on” is complicated – like IT.

Page 7:

An overview of a GRC program


Page 8:

Starting at the beginning: Defining GRC – What it is

§ GRC is not ONE thing; it is, as the acronym puts forward, THREE things:

§ Governance – Ensuring alignment to the needs of the business, including value realization in the IT investment

§ Risk (management) – Ensuring that anything that could impede or negatively affect the business is controlled

§ Compliance – Ensuring the demands of external regulators are satisfied

Page 9:

GRC – a simplification

§  Why do companies invest in IT? SIMPLE – to enable the achievement of BUSINESS GOALS. IT is an enabler.

§  Businesses don't invest in IT for IT's sake. (IT is not art :) )

§  Even IT businesses have to invest in IT to enable their businesses!

§  If you were/are a business owner, you want to make sure that business, stakeholder and shareholder goals are enabled by IT services. You want to make sure IT is:

•  Providing value for the investment made

•  Not introducing or creating risk to your business (includes regulatory issues)

•  Minimizing the use of all types of resources while maximizing their value

This is why GRC programs are created!

Page 10:

The backbone of GRC

In principle, the need for GRC can be succinctly summarized as follows:

MAXIMIZE THE BUSINESS VALUE IN THE IT INVESTMENT

•  Ensure benefit is realized from IT services

•  Manage the risk tied to the use of IT services

•  Compliance

•  Optimize the use of IT resources

Page 11:

What then, are the Goals of a GRC Program? (In general)

To create a structured, systematic and measureable means to:

§  Ensure IT is aligned with the business

§  Ensure IT delivers value to the business

§  Ensure IT appropriately manages risk

§  Ensure IT appropriately manages resources

§  Ensure IT appropriately manages performance

Page 12:

In observation: Where the industry is largely at:

(Figure: GRC)

Page 13:

Why a lopsided focus? Two reasons that we are seeing:

1)  THE BAD: Simply put, there are, in many cases, consistently fewer ramifications for companies failing to respond to internally identified issues

2)  THE “GOOD”: Due to the impact of compliance, many organizations are leveraging compliance related requirements to get ahead on risk management activities

•  As an example, IAM

•  IAM can solve many problems, but with no budget, where does the money come from?

•  Certain control and compliance standards demand control over AAA functions that can be tied to an IAM technology (e.g. PCI-DSS sections 7 and 8)

•  Organizations use compliance to justify purchases of big-cost solutions used to manage larger risks

Page 14:

Actualizing the GRC program


Page 15:

The rest of this presentation – focusing on the tactical

Throughout the rest of the presentation, I will be sharing tactical activities that we have found help companies accelerate a GRC program.


Before we begin – how big can this GRC thing get?

GRC can exist throughout the entire IT lifecycle in every aspect of an IT operation – in other words, a GRC program can be as big as your IT organization – HUGE!

Page 16:

Seven Stages of a GRC program as per ISACA


Page 17:

Tactical priority 1:

Phase 2/3 – Define Current State and Where to go


Page 18:

Enabling Phase 2/3:

Activities include, but are not limited to:

§  Understand how IT must support the current business goals

§  Identify key IT goals supporting business goals.

§  Establish the significance and nature of IT’s contribution (solutions and services) required to support business objectives.

§  Identify and select the IT processes critical to support IT goals and, if appropriate, key control objectives for each selected process.

§  Define roles relevant to the GRC function


Page 19:

Phase 2/3: Starting at the beginning – how do we know what IT should be doing?

•  Business goals ultimately shape IT goals.

•  This flow is called the GOALS CASCADE – it is vital to understanding appropriate objectives for IT and for discerning what is important to the business

Page 20:

Phase 2/3: Defining Enterprise and IT Goals

Examples of the Enterprise Goals

§  Ensure customer-oriented service culture

§  Agile responses to a changing business environment

Examples of the IT Goals

§  Ensure delivery of IT services in line with business requirements

§  Ensure adequate use of applications, information and technology solutions relevant to business requirements


Page 21:

Phase 2/3: Enter the Control Objectives

A Control Objective is itself a goal that, when realized, ensures that certain risks in the IT investment are managed and benefits in the IT investment are realized

AWESOME!!

Page 22:

A note on frameworks and how they overlap


Page 23:

Phase 2/3: When all the goals are defined, how are the goals achieved?

CONTROLS are introduced to ensure that Control Objectives are realized

CONTROLS: Artefacts, activities, occurrences or events that help manage risk or realize value.

What are examples of controls?

•  Policies

•  Standards

•  Processes

•  Guidelines

•  Procedures

•  Technologies

Page 24:

Phase 2/3 : Making it REAL – Goals Cascade – From Enterprise Goals to Controls

Enterprise Goals LEAD TO IT Goals, which LEAD TO Specific Control Objectives, which LEAD TO Specific Controls

CONTROLS ARE ESTABLISHED TO MANAGE RISK AND TO ENSURE BUSINESS BENEFITS ARE REALIZED

CONTROLS ARE CRITICAL IN REALIZING ENTERPRISE GOALS

Page 25:

Phase 2/3: Example – from Control Objective to Control

ABSTRACT – What has to be achieved – THE GOAL

COBIT 5 Management Practice: DSS05.03 Manage endpoint security. Ensure that endpoints are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted.

LESS ABSTRACT – What has to be done to realize the goal

1. Configure operating systems in a secure manner. 2. Implement device lockdown mechanisms. 3. Encrypt information in storage according to its classification. ETC…

MORE CONCRETE – Defined context of systems or business units

SERVERS, WORKSTATIONS, MOBILE COMMUNICATION DEVICES

CONCRETE – Control Points

PROCESSES, STANDARDS, PRACTICES, PROCEDURES

Control requirements must be contextualized to be effective

Page 26:

Phase 2/3: Capability – Defining WHAT you are achieving and measuring


Page 27:

Phase 2/3: Theoretical roles : Governance versus Management

§  Governance –  “Where the glass hits the boardroom table” – Mike Otto

“Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.” (COBIT 5 Implementation Guidance)

§  Management –  “Where the rubber hits the road” – Anyone who ever put Mike Otto in his place

“Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.” (COBIT 5 Implementation Guidance)


Page 28:

Phase 2/3: The Theoretical model for GRC roles – “Governance” versus “Management”


NOTE: The Balance matters – don’t let one override the other

Page 29:

Tactical priority 2:

Phase 6 – Monitoring and Measuring

Page 30:

Phase 6: Defining what needed to be done

Activities include, but are not limited to:

§  Monitor the overall performance of the program against the business case objectives.

§  Monitor the investment performance (cost against budget and realization of benefits).

§  Document lessons learned (both positives and negatives) for subsequent improvement initiatives.

Page 31:

Phase 6: Why proving and measuring a control takes so long or ends up being ineffective:

1)  Measurement of operating effectiveness and design effectiveness is typically not made to be an intrinsic part of the day-to-day operations

2)  If measurement exists, methods for measuring are usually MANUAL – this causes significant delay in measuring the effectiveness of control

3)  Sampling reduces visibility – if a limited sample of thousands of events is taken, it's the equivalent of driving with your eyes open every 2 seconds – chances are you will hit something

4)  The teams that measure are not usually the same teams that conduct the work – this leads to external, non-operational teams measuring effectiveness of control… the teams entrench themselves and….

5)  There are only SO many hours in a day where a person can measure.

Page 32:

Phase 6: Enter Internal Audit – One means of measurement

§  Auditors exist as a vehicle for organizations to assess the state of control

§  Auditors exist to provide objective visibility to the stakeholders/shareholders and executive

§  In summary, audit examines the DESIGN EFFECTIVENESS and OPERATING EFFECTIVENESS of all controls as they may or may not exist in the environment

§  Audit is introduced to ensure that the controls are in place to MANAGE RISK and ENSURE VALUE

Page 33:

Phase 6: The Trenches… (like it or not, it's real…)

Operational Teams

-  Responsible for operationalizing controls

-  Service delivery is judged in many cases based on team performance and how well controls are executed

Audit/Assessment Teams

-  Responsible for determining design and operating effectiveness

-  Responsible for classifying IT risks and reporting issues to the board

The conflict ensues and measurement fails – GRC suffers

Page 34:

Phase 6: You need to measure – however, the results may be unexpected…

–  Audit Fatigue!!!

–  Multiple audiences need to interact with the GRC Program – they have a need for different levels and types of visibility and access

–  Sampling is not always an effective way to determine the quality of a control

Page 35:

Phase 6: Overcoming the limitations of current methods

The idea: It's all about… DATA! (Not him. System data!)

What we have learned is that by getting the data from systems in REAL TIME:

1)  Audit fatigue can be reduced or eliminated

2)  Teams can have visibility into the reality of what is unfolding on systems and in processes

3)  The management layer can quickly adapt to control failures
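An added example (not from the deck) of what automated control testing over real-time system data looks like, using the DSS05.03 breakdown from slide 25: every endpoint in the population is tested against each contextualized control point, rather than a manual sample. The device classes, thresholds, control ids and inventory records are constructed assumptions.

```python
"""Continuous control testing for COBIT 5 DSS05.03 (Manage endpoint security).

Added example; not part of the original deck. The device classes, the three
control points, the lockdown threshold and the inventory records are
constructed assumptions mirroring the deck's own DSS05.03 breakdown (secure
OS configuration, device lockdown, encryption of stored data by classification).
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Endpoint:
    host: str
    device_class: str        # "server" | "workstation" | "mobile" (constructed)
    data_class: str          # "public" | "internal" | "confidential"
    os_baseline_applied: bool
    screen_lock_secs: int    # 0 = no lockdown configured
    disk_encrypted: bool


# Control points contextualized per device class (less abstract -> concrete).
# Each entry: control id -> (device classes it applies to, test function).
CONTROL_POINTS: dict[str, tuple[set[str], Callable[[Endpoint], bool]]] = {
    "DSS05.03-1 secure OS config": ({"server", "workstation", "mobile"},
                                    lambda e: e.os_baseline_applied),
    "DSS05.03-2 device lockdown":  ({"workstation", "mobile"},
                                    lambda e: 0 < e.screen_lock_secs <= 900),
    "DSS05.03-3 encrypt by class": ({"server", "workstation", "mobile"},
                                    lambda e: e.disk_encrypted or e.data_class == "public"),
}


def evaluate(inventory, controls=CONTROL_POINTS):
    """Test the whole population (not a sample) against every applicable control.

    Returns {control_id: {"in_scope": n, "passing": n, "failures": [hosts]}}."""
    report = {}
    for cid, (scope, test) in controls.items():
        in_scope = [e for e in inventory if e.device_class in scope]
        failures = [e.host for e in in_scope if not test(e)]
        report[cid] = {"in_scope": len(in_scope),
                       "passing": len(in_scope) - len(failures),
                       "failures": failures}
    return report


def operating_effectiveness(report):
    """Operating effectiveness: share of in-scope endpoints passing each control."""
    return {cid: (r["passing"] / r["in_scope"] if r["in_scope"] else None)
            for cid, r in report.items()}


def design_gaps(inventory, controls=CONTROL_POINTS):
    """Design effectiveness: device classes seen in the inventory that no control
    point covers. An empty list means every context present is addressed."""
    present = {e.device_class for e in inventory}
    covered = set().union(*(scope for scope, _ in controls.values()))
    return sorted(present - covered)


# Constructed inventory, standing in for a real-time CMDB/EDR/MDM feed.
SAMPLE_INVENTORY = [
    Endpoint("srv-db-01", "server", "confidential", True, 0, True),
    Endpoint("srv-web-02", "server", "internal", False, 0, True),
    Endpoint("wks-fin-07", "workstation", "confidential", True, 600, False),
    Endpoint("wks-hr-03", "workstation", "internal", True, 0, True),
    Endpoint("mob-sales-11", "mobile", "internal", True, 300, True),
    Endpoint("kiosk-lobby-1", "kiosk", "public", True, 0, False),  # uncovered class
]

if __name__ == "__main__":
    rep = evaluate(SAMPLE_INVENTORY)
    for cid, r in rep.items():
        print(f"{cid}: {r['passing']}/{r['in_scope']} passing; failing: {r['failures']}")
    print("uncovered device classes:", design_gaps(SAMPLE_INVENTORY))
```

The design gap (a device class with no control point) is exactly what a manual sample of the covered classes would never surface.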

Page 36:

Phase 6: An example

Just so you don’t think I am making this whole thing up….


COBIT 4.1 Scorecard

Page 37:

Phase 6: Using Technology to help – Process specific example


Page 38:

Phase 6: Using Technology to help – Technology Specific example


Page 39:

Phase 6: A note on technology and GRC

WORKFLOW AUTOMATION vs. AUTOMATED CONTROL/COMPLIANCE TESTING

Page 40:

Questions and possible answers?


Page 41:

THANK YOU!


[email protected]