An Integrated Approach for Governance, Risk and Compliance
Dr. Mohamed M. Elhefnawi, PhD, SM IEEE
Abu Dhabi Company for Onshore Operations

Agenda
• Relationship of Security & GRC
• Security and Operational Resiliency
• GRC Framework
• IT Governance Framework
• Risk Management
• GRC in Information Systems Development
• GRC in Services Management
• Security Framework Overview
• Governance Slogans
• Recommendations
• Q&A

Relationship of Security & GRC
Security is an operational risk management activity. Security has two purposes:
• Prevent disruption to core business drivers
• Sustain the survivability of the Organization's mission

Security is not an end, but a means to achieve higher organizational objectives. Security aims to achieve Operational Resilience. Integrated GRC is the most effective way to achieve that aim in a proactive approach.

Security and Operational Resiliency
• Focus on keeping critical assets safe from harm
• Limiting threats and managing impacts
• Manage confidentiality, integrity, and availability of information
• Manage "condition"

4 Main Enterprise Assets: Information, People, Technology, Process

GRC Framework
IT GRC is the intersection of three domains:

IT Governance
• Structures
• Communications
• Processes

IT Risk Management
• Business partner
• IT operational Risk
• Technology

IT Compliance
• Best Practices
• Corporate Compliance
• Legal and regulatory compliance

IT Governance Framework
ITG Definition: "the organizational capacity that controls the formulation and implementation of IT strategy, ensuring the fusion of business and IT."
IT Governance is an integral part of Corporate Governance.
IT Governance "ensures" as opposed to "executes".
IT Governance scope spans:
• IT Functional Governance: Overall Business Performance & decisions to drive greater shareholder value
• IT Portfolio Governance: Overall IT Performance decisions to drive greater business value
• IT Project Governance: Project performance (i.e., on time, on budget, benefits captured) & progress through Stage Gates

IT Governance Framework – Cont'd
ITG Mechanism (Security is shown as a cross-cutting element of every column):

ITG Structure
• Roles
• Forums

ITG Measures
• Governance Scorecard metrics
• Policies
• Standards
• Procedures & Practices
• Guidelines
• ISO-27000

ITG Processes
• Demand Management
• Performance Management
• Portfolio Management
• Sourcing Management
• Risk Management

Risk Management
Definition: Risk = Threat x Vulnerability x Probability of Impact

Driving Risk up:
• Threats have potential impact
• Risk arises from threats exploiting vulnerabilities

Driving Risk down:
• Threat Management
• Vulnerabilities Management
• Impact Management

Result: the impact on business value after threat, vulnerability and impact management.

Risk Management – Cont'd: Managing Information Risk
The decision flow from threat to managed or unmanaged risk:
1. Threat exploits Vulnerabilities
2. Detection & Prevention Controls – Success? Yes: Risk Managed. No: continue
3. Fixing Controls – Success? Yes: Risk Managed. No: continue
4. Impact – Management Controls – Success? Yes: Risk Managed. No: Unmanaged Risk

Risk Management – Cont'd
Process steps (shared between Risk Mgmt Unit Responsibility and Business / Functional Unit Responsibility):
• Create and Refine Policy
• Identify Risks
• Prioritize Risks
• Address Risks
• Monitor and Report

Security "Risk Map" of ABC
Axes: Business Impact (Low to High) against Likelihood of Threat (Low to High). Risk items plotted on the map:
• DoS safeguards
• Disaster Recovery/Continuity
• Infrastructure Vulnerabilities
• Antivirus
• User education
• Information privacy
• Application Security
• PKI-key management
• Access Management
• Supply chain security
• Web services
• Cyber crime
• Wireless LANs
• PDAs/handhelds
• Email encryption
• Secure IM application
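The risk definition, the control cascade and the risk-map placement from the three slides above, as an added worked example (my own code, not from the deck). It assumes the threat and impact factors are scaled 0..1, uses the threat factor as the "Likelihood of Threat" axis, and fills the register with constructed sample entries:

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    """One register entry (constructed sample data, not from the deck)."""
    name: str
    threat: float         # likelihood that the threat is exercised, scaled 0..1
    vulnerability: float  # degree to which the asset is exposed to it, 0..1
    impact: float         # probability of business impact, 0..1
    # Outcome of each control stage of the 'Managing Information Risk' flow:
    # True = the control succeeded, False/missing = it did not.
    controls: dict = field(default_factory=dict)

def risk_score(r: Risk) -> float:
    """Risk = Threat x Vulnerability x Probability of Impact (the deck's definition)."""
    return round(r.threat * r.vulnerability * r.impact, 3)

def risk_map_cell(r: Risk, threshold: float = 0.5) -> tuple:
    """Place a risk on the map as (Likelihood of Threat, Business Impact).
    Assumption: 'threat' drives the likelihood axis, 'impact' the impact axis."""
    likelihood = "High" if r.threat >= threshold else "Low"
    business_impact = "High" if r.impact >= threshold else "Low"
    return (likelihood, business_impact)

STAGES = ("detection_prevention", "fixing", "impact_management")

def manage(r: Risk) -> str:
    """Walk the cascade: detection & prevention controls first, fixing controls
    if those fail, impact-management controls last; anything that falls
    through all three stages is unmanaged risk."""
    for stage in STAGES:
        if r.controls.get(stage, False):
            return f"Risk Managed ({stage})"
    return "Unmanaged Risk"

def prioritize(register: list) -> list:
    """'Prioritize Risks' step: highest score first, with map cell and status."""
    ranked = sorted(register, key=risk_score, reverse=True)
    return [(r.name, risk_score(r), risk_map_cell(r), manage(r)) for r in ranked]

# Constructed sample register for illustration only.
REGISTER = [
    Risk("Ransomware on file server", 0.8, 0.7, 0.9,
         {"detection_prevention": False, "fixing": True}),
    Risk("Lost unencrypted handheld", 0.6, 0.9, 0.4,
         {"detection_prevention": False, "fixing": False, "impact_management": True}),
    Risk("Wireless LAN eavesdropping", 0.3, 0.5, 0.3, {}),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print(row)
```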

Risk Management Process – Cont'd
(Figure only on this slide; no text extracted.)

GRC in Information Systems Development
Lifecycle phases: Design, Development, Implementation, Operations (Risk/Cost tracked across all phases, driven by Business Requirements).

Strategic – Governance and Policies
• Policies
• Standards
• Procedures
• Guidelines

Tactical – Applications & Sys. Development
• Design Reviews
• Risk Acceptance
• New Technology Insertion

Operational – Active Security Posture
• Anti-Virus
• Vulnerability
• Intrusion
• Incident

Operational – IS Services
• Access Management
• Security Token
• Other operational Services

GRC in Services Management
GRC Requirements: Regulatory Compliance Requirements

ITIL or Corporate Processes and the GRC input each provides:
• Incident/Problem Management
• Legal and HR – Policy enforcement regimes; Investigatory frameworks
• Change Management – New or updated controls
• Configuration Management – Asset and interdependency information
• Continuity Management – Risk and business impact analysis
• Service Level Management – Active: Maintain minimum operational SLAs; Planning: Input to warranty requirements
• Supplier Management – Trust Relationships; Contract Management

GRC Processes:
• Compliance
• Policy Management
• Risk Management
• Log Management
• Relationship Management

Security Framework Overview
STRATEGIC ALIGNMENT
• Strategic Business Drivers
• Legal/Regulatory Requirements
• IT Strategies
• Industry & Business Standards
• Security Strategy & Policy
• Desired Risk Profile

SECURITY EFFECTIVENESS
• Performance Dashboard

BUSINESS ENABLEMENT
• Compliance
• Incident Response
• Help Desk
• Architecture Standards
• Production Readiness
• Change Control
• System Development Lifecycle
• Project Management

PROCESS ENHANCEMENT
• Specialized Architectures: Facilities, Applications, Internal Network, Perimeter Network
• Blueprints: Privacy, Identity Management, Application Integrity, Infrastructure, Business Continuity Management

SECURITY FOUNDATION
• Logging, Monitoring & Reporting
• Systems & Network Infrastructure
• Physical & Environmental
• Information & Asset Baseline

TAILORED BEST PRACTICES
• ISO/IEC 27001
• ISO/IEC 17799

GRC Slogans
• A stitch in time saves nine
• An ounce of prevention is worth a pound of cure
• A dirham of prevention is better than a qintar of cure (Arabic proverb)
• One year's seeds, seven years' weeds

Recommendations
Do:
• Get buy-in from all stakeholders
• Embed GRC in the Corporate Culture
• Get measurable answers for "Are we resilient?" or "Are we secure?"
• Focus on Vulnerabilities, not Threats
• Balance between Cost & consequences

Don't:
× Concentrate too much on concept
× Try to redesign every organization process
× Retard openness and flexibility
× Oversell technology

Questions?

Thank you!