Source: fspgroup.ca/docs/fsp201210_04.pdf
TRANSCRIPT
© 2011 Sentry Metrics Inc.
Building a GRC Practice
Tactical Focuses for enabling a GRC program
October 26th, 2012
© 2012 Sentry Metrics Inc. Leaders in Information Security, Compliance and Risk Management Solutions | Confidential 2
Agenda
§ Introduction
§ About GRC
§ Tactical focuses for enabling GRC – Technology in a GRC program
Introduction and Opening salvo….
Introductions
§ My name is Mike Otto. I am the Director of GRC services for Sentry Metrics.
§ Today I will be sharing some things I have learned about GRC, and hopefully some of what I share will be meaningful to you and what you are doing on a daily basis.
§ The idea is to provide some visibility into some key tactical activities that will expedite and enable effective GRC
Before we begin - Acknowledging the wisdom of the GRC community, best practices and known guidance
§ ISACA (Information Systems Audit and Control Association) and, respectively, the ITGI (IT Governance Institute) – fantastic resources
– Some of the world’s leading professionals furthering Governance, Risk Management and Compliance
• Much of what we share with you today is derived from our experience in actualizing the guidance established by ISACA
• COBIT 5 – STRONGLY recommend you become familiar with COBIT 5 if you have an interest in GRC
• Stands for Control Objectives for Information and Related Technologies
• Industry Standards Organization (ISO) (27000 series, 38500)
• Other recognized methodologies and frameworks (ITILv3, NIST Special Publications, NERC-CIP)
• Audit and compliance frameworks (PCI-DSS v2, SOX, etc.)
How much is involved in turning on a light?
We often forget how much goes into turning on a light. It’s a significant process. (How much do we take for granted?)
IT GRC implements a way to ensure we get a positive result with IT – that all the complexity is managed against an expected result.
Getting the light bulb to “turn on” is complicated – like IT.
An overview of a GRC program
Starting at the beginning: Defining GRC – What it is
§ GRC is not ONE thing, it is, as the acronym puts forward, THREE things:
§ Governance – Ensuring alignment to the needs of the business, including value realization in the IT investment
§ Risk (management) – Ensuring that anything that could impede or negatively affect the business is controlled
§ Compliance – Ensuring the demands of external regulators are satisfied
GRC – a simplification
§ Why do companies invest in IT? SIMPLE – to enable the achievement of BUSINESS GOALS. IT is an enabler.
§ Businesses don’t invest in IT for IT’s sake. (IT is not art.)
§ Even IT businesses have to invest in IT to enable their businesses!
§ If you were/are a business owner, you want to make sure that business, stakeholder and shareholder goals are enabled by IT services. You want to make sure IT is:
• Providing value for the investment made
• Not introducing or creating risk to your business (includes regulatory issues)
• Minimizing the use of all types of resources while maximizing their value
This is why GRC programs are created!
The backbone of GRC
In principle, the need for GRC can be succinctly summarized as follows:
MAXIMIZE THE BUSINESS VALUE IN THE IT INVESTMENT
• Ensure benefit is realized from IT services
• Manage the risk tied to the use of IT services
• Compliance
• Optimize the use of IT resources
What then, are the Goals of a GRC Program? (In general)
To create a structured, systematic and measurable means to:
§ Ensure IT is aligned with the business
§ Ensure IT delivers value to the business
§ Ensure IT appropriately manages risk
§ Ensure IT appropriately manages resources
§ Ensure IT appropriately manages performance
In observation: where the industry is largely at (diagram of the GRC acronym showing a lopsided focus)
Why a lopsided focus? Two reasons that we are seeing:
1) THE BAD: Simply put, there are, in many cases, consistently fewer ramifications for companies failing to respond to internally identified issues
2) THE “GOOD”: Due to the impact of compliance, many organizations are leveraging compliance related requirements to get ahead on risk management activities
• As an example, IAM (identity and access management). IAM can solve many problems, but with no budget, where does the money come from?
• Certain control and compliance standards demand control over AAA functions that can be tied to an IAM technology (e.g. PCI-DSS sections 7 and 8)
• Organizations use compliance to justify purchases for big cost solutions used to manage larger risks
Actualizing the GRC program
The rest of this presentation – focusing on the tactical
Throughout the rest of the presentation, I will be sharing tactical activities that we have found help companies accelerate a GRC program
Before we begin – how big can this GRC thing get?
GRC can exist throughout the entire IT lifecycle in every aspect of an IT operation – in other words, a GRC program can be as big as your IT organization – HUGE!
Seven Stages of a GRC program as per ISACA
Tactical priority 1: Phase 2/3 – Define current state and where to go
Enabling Phase 2/3:
Activities include, but are not limited to:
§ Understand how IT must support the current business goals
§ Identify key IT goals supporting business goals.
§ Establish the significance and nature of IT’s contribution (solutions and services) required to support business objectives.
§ Identify and select the IT processes critical to support IT goals and, if appropriate, key control objectives for each selected process.
§ Define roles relevant to the GRC function
Phase 2/3: Starting at the beginning – how do we know what IT should be doing?
• Business goals ultimately shape IT goals.
• This flow is called the GOALS CASCADE – it is vital to understanding appropriate objectives for IT and for discerning what is important to the business
Phase 2/3: Defining Enterprise and IT Goals
Examples of the Enterprise Goals
§ Ensure customer-oriented service culture
§ Agile responses to a changing business environment
Examples of the IT Goals
§ Ensure delivery of IT services in line with business requirements
§ Ensure adequate use of applications, information and technology solutions relevant to business requirements
Phase 2/3: Enter the Control Objectives
A control objective is itself a goal that, when realized, ensures that certain risks in the IT investment are managed and benefits in the IT investment are realized.
AWESOME!!
A note on frameworks and how they overlap
Phase 2/3: When all the goals are defined, how are the goals achieved?
CONTROLS are introduced to ensure that Control Objectives are realized
CONTROLS: Artefacts, activities, occurrences or events that help manage risk or realize value.
What are examples of controls?
• Policies
• Standards
• Processes
• Guidelines
• Procedures
• Technologies
Phase 2/3 : Making it REAL – Goals Cascade – From Enterprise Goals to Controls
Enterprise Goals LEAD TO
IT Goals, which LEAD TO
Specific Control Objectives, which LEAD TO
Specific Controls
CONTROLS ARE ESTABLISHED TO MANAGE RISK AND TO ENSURE BUSINESS BENEFITS ARE REALIZED
CONTROLS ARE CRITICAL IN REALIZING ENTERPRISE GOALS
Phase 2/3: Example – from Control Objective to Control
COBIT 5 Management Practice: DSS05.03 Manage endpoint security.
ABSTRACT – What has to be achieved – THE GOAL: Ensure that endpoints are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted.
LESS ABSTRACT – What has to be done to realize the goal: 1. Configure operating systems in a secure manner. 2. Implement device lockdown mechanisms. 3. Encrypt information in storage according to its classification. Etc.
MORE CONCRETE – Defined context of systems or business units: SERVERS, WORKSTATIONS, MOBILE COMMUNICATION DEVICES
CONCRETE – Control points: PROCESSES, STANDARDS, PRACTICES, PROCEDURES
Control requirements must be contextualized to be effective.
Phase 2/3: Capability – Defining WHAT you are achieving and measuring
Phase 2/3: Theoretical roles : Governance versus Management
§ Governance – “Where the glass hits the boardroom table” – Mike Otto
“Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.” (COBIT 5 Implementation Guidance)
§ Management – “Where the rubber hits the road” – Anyone who ever put Mike Otto in his place
“Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.” (COBIT 5 Implementation Guidance)
Phase 2/3: The Theoretical model for GRC roles – “Governance” versus “Management”
NOTE: The Balance matters – don’t let one override the other
Tactical priority 2: Phase 6 – Monitoring and measuring
Phase 6: Defining what needed to be done
Activities include, but are not limited to:
§ Monitor the overall performance of the program against the business case objectives.
§ Monitor the investment performance (cost against budget and realization of benefits).
§ Document lessons learned (both positives and negatives) for subsequent improvement initiatives.
Phase 6: Why proving and measuring a control takes so long or ends up being ineffective:
1) Measurement of operating effectiveness and design effectiveness is typically not made to be an intrinsic part of the day-to-day operations
2) If measurement exists, methods for measuring are usually MANUAL – this causes significant delay in measuring the effectiveness of control
3) Sampling reduces visibility – if a limited sample of thousands of events is taken, it’s the equivalent of driving with your eyes open every 2 seconds – chances are you will hit something
4) The teams that measure are not usually the same teams that conduct the work – this leads to external, non-operational teams measuring effectiveness of control… the teams entrench themselves and….
5) There are only SO many hours in a day where a person can measure.
Phase 6: Enter Internal Audit – One means of measurement
§ Auditors exist as a vehicle for organizations to assess the state of control
§ Auditors exist to provide objective visibility to the stakeholders/shareholders and executive
§ In summary, audit examines the DESIGN EFFECTIVENESS and OPERATING EFFECTIVENESS of all controls as they may or may not exist in the environment
§ Audit is introduced to ensure that the controls are in place to MANAGE RISK and ENSURE VALUE
Phase 6: The Trenches… (like it or not, it’s real…)
Operational teams
- Responsible for operationalizing controls
- Service delivery is judged in many cases based on team performance and how well controls are executed
Audit/Assessment teams
- Responsible for determining design and operating effectiveness
- Responsible for classifying IT risks and reporting issues to the board
The conflict ensues and measurement fails – GRC suffers.
Phase 6: You need to measure – however, the results may be unexpected…
– Audit Fatigue!!!
– Multiple audiences need to interact with the GRC Program – they have a need for different levels and types of visibility and access
– Sampling is not always an effective way to determine the quality of a control
Phase 6: Overcoming the limitations of current methods
The idea: It’s all about… DATA! (Not him. System data!)
What we have learned is that by getting the data from systems in REAL TIME:
1) Audit fatigue can be reduced or eliminated
2) Teams can have visibility into the reality of what is unfolding on systems and in processes
3) The management layer can quickly adapt to control failures
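Tying the deck’s DSS05.03 endpoint example to its Phase 6 argument for measuring the whole population from system data rather than a manual sample, here is an added illustration that is not part of the original presentation: constructed endpoint inventory records are checked against controls derived from the three DSS05.03 practices, operating effectiveness is reported per context, and the failures visible to a random sample are compared with those in the full population. The record fields, the inventory and the rule that only confidential data must be encrypted are all assumptions.

```python
import random
from collections import defaultdict

# Constructed endpoint inventory (hypothetical field names): the kind of record an
# asset/configuration feed would emit for every device, rather than a manual sample.
ENDPOINTS = [
    {"id": f"srv{i:03d}", "context": "server", "classification": "confidential",
     "hardened_baseline": True, "lockdown": True, "disk_encrypted": i % 5 != 0}
    for i in range(1, 41)
] + [
    {"id": f"wks{i:03d}", "context": "workstation", "classification": "internal",
     "hardened_baseline": i % 7 != 0, "lockdown": True, "disk_encrypted": True}
    for i in range(1, 61)
] + [
    {"id": f"mob{i:03d}", "context": "mobile", "classification": "confidential",
     "hardened_baseline": True, "lockdown": i % 3 != 0, "disk_encrypted": True}
    for i in range(1, 31)
]

# Controls mapped from the three DSS05.03 practices. Assumption: only "confidential"
# data requires storage encryption, so "internal" endpoints pass that control.
CONTROLS = {
    "secure_os_config": lambda e: e["hardened_baseline"],
    "device_lockdown": lambda e: e["lockdown"],
    "encrypt_by_classification": lambda e: e["classification"] != "confidential" or e["disk_encrypted"],
}

def operating_effectiveness(endpoints):
    """Pass rate of each control per context (servers, workstations, mobile)."""
    results = defaultdict(lambda: defaultdict(list))
    for e in endpoints:
        for name, check in CONTROLS.items():
            results[e["context"]][name].append(check(e))
    return {ctx: {name: sum(r) / len(r) for name, r in checks.items()}
            for ctx, checks in results.items()}

def failing_endpoints(endpoints):
    """Exceptions management can act on right away: (endpoint id, failed control)."""
    return [(e["id"], n) for e in endpoints for n, c in CONTROLS.items() if not c(e)]

def sample_vs_population(endpoints, sample_size, seed=1):
    """Failures visible to a manual random sample versus the whole population."""
    sample = random.Random(seed).sample(endpoints, sample_size)
    return len(failing_endpoints(sample)), len(failing_endpoints(endpoints))

if __name__ == "__main__":
    for ctx, checks in operating_effectiveness(ENDPOINTS).items():
        print(ctx, {n: f"{v:.0%}" for n, v in checks.items()})
    print("sample vs population failures:", sample_vs_population(ENDPOINTS, 10))
```

Because every record is evaluated, the per-context rates and the exception list are available the moment the feed updates, which is the visibility the sampling-based manual approach loses.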
Phase 6: An example
Just so you don’t think I am making this whole thing up….
COBIT 4.1 Scorecard
Phase 6: Using Technology to help – Process specific example
Phase 6: Using Technology to help – Technology Specific example
Phase 6: A note on technology and GRC
WORKFLOW AUTOMATION vs. AUTOMATED CONTROL/COMPLIANCE TESTING
Questions and possible answers?
THANK YOU!