An Integrated Approach for Governance, Risk and Compliance
Dr. Mohamed M. Elhefnawi, PhD, SM IEEE
Abu Dhabi Company for Onshore Operations
Agenda
• Relationship of Security & GRC
• Security and Operational Resiliency
• GRC Framework
• IT Governance Framework
• Risk Management
• GRC in Information Systems Development
• GRC in Services Management
• Security Framework Overview
• Governance Slogans
• Recommendations
• Q&A
Relationship of Security & GRC
• Security is an operational risk management activity.
• Security has two purposes:
  • Prevent disruption to core business drivers
  • Sustain the survivability of the Organization’s mission
• Security is not an end, but a means to achieve higher organizational objectives.
• Security aims to achieve Operational Resilience.
• Integrated GRC is the most effective way to achieve that aim in a proactive approach.
Security and Operational Resiliency
• Focus on keeping critical assets safe from harm
• Limiting threats and managing impacts
• Manage confidentiality, integrity, and availability of information
• Manage the “condition” of the four main enterprise assets: Information, People, Technology and Process
GRC Framework
IT GRC is made up of three components:
• IT Governance
  • Structures
  • Communications
  • Processes
• IT Risk Management
  • Business partner
  • IT operational risk
  • Technology
• IT Compliance
  • Best practices
  • Corporate compliance
  • Legal and regulatory compliance
IT Governance Framework
ITG Definition: “the organizational capacity that controls the formulation and implementation of IT strategy, ensuring the fusion of business and IT.”
• IT Governance is an integral part of Corporate Governance.
• IT Governance “ensures”, as opposed to “executes”.
• IT Governance scope spans:
  • IT Functional Governance: overall business performance and decisions to drive greater shareholder value
  • IT Portfolio Governance: overall IT performance decisions to drive greater business value
  • IT Project Governance: project performance (i.e., on time, on budget, benefits captured) and progress through stage gates
IT Governance Framework – Cont’d
ITG Mechanism (three columns; Security is marked as an element of each):
• ITG Structure
  • Roles
  • Forums
  • Security
• ITG Processes
  • Demand Management
  • Performance Management
  • Portfolio Management
  • Sourcing Management
  • Risk Management
  • Security
• ITG Measures
  • Governance Scorecard metrics
  • Policies
  • Standards
  • Procedures & Practices
  • Guidelines
  • ISO-27000
  • Security
Risk Management
Definition: Risk = Threat × Vulnerability × Probability of Impact
• Threats have potential impact and drive risk up.
• Risk is realised when threats exploit vulnerabilities.
• Threat Management, Vulnerability Management and Impact Management drive risk down.
• The result is the impact on business value that remains after threat, vulnerability and impact management.
Risk Management – Cont’d: Managing Information Risk
The flow runs from threat to vulnerabilities, and then through three successive control layers:
• Detection & Prevention Controls: success? Yes → Risk Managed; No → Fixing Controls
• Fixing Controls: success? Yes → Risk Managed; No → Impact
• Impact → Management Controls: success? Yes → Risk Managed; No → Unmanaged Risk
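The following Python is an added worked example (not part of the original deck) that puts the two preceding slides together: the formula Risk = Threat × Vulnerability × Probability of Impact, with each factor scored on a 0..1 scale, and the Managing Information Risk flow, in which detection & prevention controls, fixing controls and impact management controls are applied in order until the residual risk is within tolerance, otherwise the item is reported as Unmanaged Risk. The register entries, the reduction factors per control layer and the tolerance value are all constructed for illustration; the deck gives no such numbers.

```python
"""Worked example of the deck's risk formula and control flow (added here, not the deck's own)."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    threat: float                  # likelihood a capable threat acts, 0..1
    vulnerability: float           # exposure of the asset to that threat, 0..1
    impact_probability: float      # chance that exploitation causes harm, 0..1
    business_impact: str           # "High" or "Low", as on the deck's risk map
    # Constructed effectiveness of each control layer, 0..1 (0.0 = layer absent).
    detection_prevention: float = 0.0   # lowers vulnerability (exploitation blocked)
    fixing: float = 0.0                 # lowers vulnerability (patching / hardening)
    impact_management: float = 0.0      # lowers probability of impact (DR / continuity)


def risk_score(threat: float, vulnerability: float, impact_probability: float) -> float:
    """Risk = Threat x Vulnerability x Probability of Impact (the deck's definition)."""
    return threat * vulnerability * impact_probability


def manage_risk(r: Risk, tolerance: float) -> tuple[str, float]:
    """Walk the Managing Information Risk flow: each layer is tried in turn and the
    first one that brings residual risk within tolerance 'succeeds'.
    Returns (status, residual_risk)."""
    vuln, impact_p = r.vulnerability, r.impact_probability
    residual = risk_score(r.threat, vuln, impact_p)
    if residual <= tolerance:
        return "Accepted (within tolerance)", residual
    # Layer 1: detection & prevention controls reduce exposure to the threat
    vuln *= 1.0 - r.detection_prevention
    residual = risk_score(r.threat, vuln, impact_p)
    if residual <= tolerance:
        return "Risk Managed (detection & prevention controls)", residual
    # Layer 2: fixing controls remove more of the vulnerability
    vuln *= 1.0 - r.fixing
    residual = risk_score(r.threat, vuln, impact_p)
    if residual <= tolerance:
        return "Risk Managed (fixing controls)", residual
    # Layer 3: impact management controls reduce the probability of impact
    impact_p *= 1.0 - r.impact_management
    residual = risk_score(r.threat, vuln, impact_p)
    if residual <= tolerance:
        return "Risk Managed (impact management controls)", residual
    return "Unmanaged Risk", residual


def prioritize(register: list[Risk], tolerance: float) -> list[tuple]:
    """The 'Prioritize Risks' step: order the register by inherent risk, highest first,
    and attach the treatment outcome so unmanaged items are visible for reporting."""
    rows = []
    for r in register:
        inherent = risk_score(r.threat, r.vulnerability, r.impact_probability)
        status, residual = manage_risk(r, tolerance)
        rows.append((r.name, r.business_impact, round(inherent, 3), round(residual, 3), status))
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


# Constructed sample register; names echo items on the deck's risk map, values are invented.
REGISTER = [
    Risk("DoS against web services", 0.8, 0.6, 0.7, "High",
         detection_prevention=0.7, fixing=0.4, impact_management=0.6),
    Risk("Unpatched infrastructure vulnerability", 0.6, 0.9, 0.5, "High",
         detection_prevention=0.2, fixing=0.8),
    Risk("Supply chain compromise", 0.3, 0.7, 0.8, "High",
         detection_prevention=0.1, fixing=0.1, impact_management=0.3),
    Risk("Phishing of users", 0.9, 0.5, 0.4, "Low",
         detection_prevention=0.8, impact_management=0.5),
]
TOLERANCE = 0.05  # constructed risk appetite threshold


if __name__ == "__main__":
    for name, impact, inherent, residual, status in prioritize(REGISTER, TOLERANCE):
        print(f"{name:40s} impact={impact:4s} inherent={inherent:.3f} residual={residual:.3f}  {status}")
```

Run as a script it prints the prioritized register; the supply chain entry stays "Unmanaged Risk" because none of its three control layers is strong enough, which is exactly the kind of measurable answer to "Are we resilient?" that the Recommendations slide asks for. Multiplying the three factors means a weak control on any one of them leaves the product high, so the tolerance check after each layer mirrors the slide's successive Yes/No gates rather than a single end-of-process verdict.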
Risk Management – Cont’d
The risk management cycle: Create and Refine Policy → Identify Risks → Prioritize Risks → Address Risks → Monitor and Report
The steps are split between Risk Management Unit responsibility and Business / Functional Unit responsibility.
Security “Risk Map” of ABC (plotted against Business Impact, High at the top)
• DoS safeguards
• Disaster Recovery/Continuity
• Infrastructure vulnerabilities
• Antivirus
• User education
• Information privacy
• Application security
• PKI key management
• Access management
• Supply chain security
• Web services
Recommendations
• Get buy-in from all stakeholders.
• Embed GRC in the corporate culture.
• Get measurable answers for “Are we resilient?” or “Are we secure?”
• Focus on vulnerabilities, not threats.
• Balance between cost and consequences.
× Concentrating too much on concept
× Trying to redesign every organization process
× Retarding openness and flexibility
× Overselling technology