Making Information Security Actionable with GRC

Presentation on theme: "Making Information Security Actionable with GRC"— Presentation transcript:

1 Making Information Security Actionable with GRC
Shane Westrup, CRISC
Manager, Professional Services

2 What you will learn
GRC concepts and components
What InfoSec data is used in GRC programs
What actions can I take with this data
What will I get and who will care

3 What is GRC?

4 Governance, Risk Management and Compliance (GRC)
An integrated capability to reliably achieve objectives [governance], while addressing uncertainty [risk management], and act with integrity [compliance].

5 Why GRC?
Breach + Company Name =
Late phone calls
16 hour days
Auditors
Emails from leadership who now know your name

6 Why GRC?
What do we put in place to keep that call from happening?
Password complexity
Infrastructure design
Data classification
Device/asset provisioning
Vulnerability scanning
Alignment with regulatory expectations

7 Common GRC Concepts in InfoSec
Risk-based security initiatives
Gap analyses between controls and processes
Escalation of critical threats and incident response transparency
Board-level reporting of security metrics, trend analyses and financial impacts

8 Info Sec Components

9 Technology
What existing toolsets have the information we will want to use?
CMDB – assets, applications, config validation
Tools – scanners, pen tests, Angry IP
Information feeds
How do I discover and evaluate their status?
What risks do I have because of them?

10 Process
What action is taken from this and what decision does it help make?
Policies
Standards
Procedures
Are those steps repeated and predictable for all involved?
Where does that Technology data come from, and are there any dependencies to obtain the data?

11 People
Who has responsibility to create, deliver, and act on the data?
Who do they rely on? Who ensures it is done?
Functions: protect, monitor, maintain, recover
Roles: application security, event monitoring, security governance, threat response
Accountability: everyone

12 Employing GRC
(Quadrants: Compliance, IT Operations, Governance, Security Operations, with GRC at the center)

Compliance
Understand how the industry, the Board, and management expect us to function.
Communicate guidance and allow operations the flexibility on how to integrate.
It would be nice if we actually knew what was done operationally and could focus our guidance appropriately.

IT Operations
We know what we protect and its current level of protection. We tell the people who we’ve been told are responsible for those things.
We also know what isn’t protected or has no one responsible for it.
We wish it was easier to know that what we are protecting is what we should.

Governance
Knows what should be protected and to what extent, based on what we use it for.
Rely on others to tell us when it doesn’t meet expectations, and get it corrected as long as it doesn’t affect our ability to operate.
Hope to find an easy way to operate without getting permission from others before taking action.

Security Operations
Continually evaluate threats and risks present that could prevent us from meeting management’s goals.
Share roll-up information to provide management insights for decision making on matters that could impact objectives.
Work with management to gauge the likelihood of meeting operational goals, but are met with resistance when identifying potential hazards to the organization.

13 Case Study University of Chicago - Biosciences Division

14 Challenges
Speed to Act
Scan start to vulnerability assignment: days
Vulnerability remediation: 1.5 hours per system
1.5 FTEs needed per 100 systems for IS tasks
Prioritization
15 system owners and 20 IT custodians offered guidance
32 departments defined and agreed on priorities
Exceptions cannot become the rule for 5,000 faculty
Those accountable for 800 servers expected a framework

15 Results with a GRC Platform
Respond With Defined Purpose
Assign immediately – 100% assignment
Effort on action, not analysis – 77% decrease
Efficiency and distribution of tasks
Adopt and Implement For Everyone
Solve problems that need a solution
Adopt activities that align with needs
Stakeholders help prioritize, then stop
Context and reason are required for adoption
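The case study's "scan start to vulnerability assignment" gap (slides 14 and 15) and the IT Operations quadrant's "we also know what isn't protected or has no one responsible for it" (slide 12) both come down to one join: scanner findings against an asset inventory that records who is accountable, ordered by the priorities the departments agreed on. The following is an added example, not code from the presentation or from LockPath's Keylight platform. The CMDB extract, department priorities and scanner findings are constructed sample data, and the field names (`department`, `owner`, `custodian`) are assumptions about what an ownership record carries.

```python
"""Route scanner findings to accountable owners using a CMDB lookup.

Added example (not from the presentation or the Keylight platform). It models
the assignment step the case study measured: every finding either lands in a
named custodian's queue or is surfaced as an asset nobody is responsible for.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed CMDB extract: asset -> owning department, system owner, IT custodian.
# An asset absent from this table is the "no one responsible" case on slide 12.
CMDB = {
    "srv-web-01": {"department": "Genetics", "owner": "alice", "custodian": "ops-team-a"},
    "srv-db-02": {"department": "Genetics", "owner": "alice", "custodian": "ops-team-a"},
    "ws-lab-17": {"department": "Ecology", "owner": "bob", "custodian": "ops-team-b"},
}

# Constructed department-defined priorities (1 = handle first), standing in for
# the priorities the departments agreed on in the case study.
DEPARTMENT_PRIORITY = {"Genetics": 1, "Ecology": 2}

# Constructed scanner output: (asset, finding id, CVSS base score).
FINDINGS = [
    ("srv-web-01", "FINDING-0001", 9.8),
    ("srv-db-02", "FINDING-0002", 5.3),
    ("ws-lab-17", "FINDING-0003", 7.5),
    ("srv-legacy-99", "FINDING-0004", 8.1),  # not in the CMDB: unowned
]


@dataclass
class Assignment:
    asset: str
    finding: str
    cvss: float
    department: str
    owner: str
    custodian: str


def assign_findings(findings, cmdb, dept_priority):
    """Split findings into owned assignments and unowned findings.

    Assignments are ordered by department priority first, then CVSS descending,
    so the queue reflects stakeholder priorities rather than raw severity alone.
    """
    assigned, unowned = [], []
    for asset, finding, cvss in findings:
        record = cmdb.get(asset)
        if record is None:
            unowned.append((asset, finding, cvss))
            continue
        assigned.append(Assignment(asset, finding, cvss,
                                   record["department"], record["owner"],
                                   record["custodian"]))
    # Unknown departments sort last (99) so a CMDB gap never jumps the queue.
    assigned.sort(key=lambda a: (dept_priority.get(a.department, 99), -a.cvss))
    return assigned, unowned


def assignment_rate(assigned, unowned):
    """Fraction of findings that reached a named owner (the slide's '100% assignment')."""
    total = len(assigned) + len(unowned)
    return len(assigned) / total if total else 0.0


def work_queues(assigned):
    """Group assigned finding ids by IT custodian for distribution of tasks."""
    queues = defaultdict(list)
    for a in assigned:
        queues[a.custodian].append(a.finding)
    return dict(queues)


if __name__ == "__main__":
    owned, orphans = assign_findings(FINDINGS, CMDB, DEPARTMENT_PRIORITY)
    for a in owned:
        print(f"{a.department:<9} {a.asset:<12} {a.finding} CVSS {a.cvss} -> {a.owner}/{a.custodian}")
    for asset, finding, cvss in orphans:
        print(f"UNOWNED   {asset:<12} {finding} CVSS {cvss} -> needs an accountable owner")
    print(f"assignment rate: {assignment_rate(owned, orphans):.0%}")
```

The unowned list is the output worth watching: a finding that cannot be assigned is a governance gap (no accountable owner in the inventory), not just a remediation backlog item, and the assignment rate is the metric that shows whether the inventory is keeping up with what the scanners see.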

16 GRC Ecosystem 11/15/2018

17 The Keylight Platform

18 Questions?
Shane Westrup, LockPath
Manager, Professional Services
lockpath.com @LockPath
