Governance, Risk, Compliance (SearchCompliance.com/SearchSecurity.com e-book)
Source: cdn.ttgtmedia.com/Syndication/SECURITY/GRCeBook511v2.pdf
Date posted: 02-Aug-2020
A SEARCHCOMPLIANCE.COM/SEARCHSECURITY.COM E-BOOK

Governance, Risk, Compliance
POLICY MANAGEMENT: METHODS AND TOOLS

IT managers are looking to governance structures and the discipline of risk management to help them make decisions and create sustainable processes around regulatory compliance.

CHAPTER 1: Risk Management: The Right Balance
CHAPTER 2: A Risky Approach
CHAPTER 3: Buyer Beware: The Complexities of Evaluating GRC Solutions

Risk Management: The Right Balance
Information security is a business issue and not an IT issue, and must involve a cross-functional approach.

BY ERIC HOLMQUIST

ONE OF THE most critical components of any information security program is the risk assessment. It is also one of the most misunderstood and poorly executed.

In truth, a good information security program is not based on one risk assessment, but a series of them at various levels of granularity. For instance, an organization with Web servers is likely to hire an outside security firm to perform a specific vulnerability assessment on those servers. But every organization, regardless of size, complexity or business model, should have a core, enterprise-wide information security risk assessment that is foundational to its risk management activities.

This “foundational” aspect highlights one of the central challenges of developing this risk assessment, and that is the tension between managing risk by “intuition” versus by “fact.” This is particularly pronounced in the field of information security, because there is a perception that the risk is obvious—that the data could be compromised. Therefore, people often have a tendency to build controls based largely on their perception of the risks without fully analyzing exactly where the risks are and then focusing a commensurate amount of mitigating activities on those areas.

A holistic, risk-based approach to managing information security (IS) will always be a balance between intuition and some sort of framework. The challenge is in finding that balance and using a framework that is relevant, culturally acceptable and actionable. The purpose of this article is to outline one framework for assessing information security risk based entirely on awareness and accountability.

The worst possible approach that an organization could take in developing an information security risk


assessment would be to task it to IT to develop. Information security is not solely an IT issue; it is a business issue and must be managed that way. In that light, the first structural elements of the information security risk assessment are the focal points, which are:

• Information systems (IT)
• Electronic data (business heads)
• Physical files (department heads)
• Third parties (relationship owners)

What is critical to note here is that each of these four areas has a distinctly different owner. It is reasonable to ask IT to take ownership of the internal systems and to assess the inherent risk to those systems. The other three areas, however, are each represented by unique business owners.

Whereas IT should be asked to document and assess the systems infrastructure, this is different than the actual data. It would be unreasonable to expect the IT staff to be in every case intimately aware of exactly what data is being populated into every data source, particularly things like analytic and ad hoc reporting databases. Instead, these should have specific business owners that can identify the use and content of every database. Likewise, department heads must be responsible for documenting what they maintain in physical files within their respective areas and third-party business owners must be responsible for certifying their third parties in terms of what information is shared with them and what controls are utilized by those third parties.

When viewed in this context, it becomes immediately obvious why information security is a business issue and not an IT issue, as it must involve a cross-functional approach.

Next, in terms of developing a rough calculation of actual information security risk, the following methodology is one I have developed over the years, which has proved fairly effective as a tool to help prioritize efforts and validate the application of internal controls. IS risk can be generally grouped into four broad categories:

• What is at risk?
• What would be the impact?
• What could be the source?
• What can we mitigate?

We’ll look at each one of these briefly to consider the parameters to be evaluated and how these factors contribute to an overall risk score.

What is at risk? This is the data categorization step. Every organization should utilize some form of data categorization strategy to help define its data sources. In my model I use five categories: Customer/applicant, corporate, operational, prospect and


third party. Within each of these I use a subcategorization of confidential, sensitive or public to indicate level of confidentiality. Therefore, we first ask how much and what type of data resides within any given system, database, physical area or third party. These “quantity” plus “sensitivity” values create the first data point.

What would be the impact? The second factor is an impact factor in the event of a data compromise. This category is made up of four criteria: Financial, operational, regulatory and reputation. The score in this case represents the degree of impact within each of those four criteria, which would be somewhat dependent on the data categorization but may consider other factors as well.

What could be the source? This category contains five values: a person inside the company, a person outside the company, a system inside the company (that, say, malfunctioned, inadvertently exposing data), a system outside the company and a natural disaster. Within this category the weight factor is the degree of likelihood, which is represented both by the number of people or systems involved (the more people accessing a given database, the more source risk there is) as well as some estimate of the likelihood of something going wrong. This is the assessment category that is used to capture things like systems vulnerabilities as well as scope of data access.

What can we mitigate? Finally, whereas the previous three areas provide an increase in risk scores, this area reduces those scores. The three aspects of mitigation are prevention, monitoring and recovery. Unfortunately, the best that one can usually expect is a high score under prevention, a moderate score under monitoring (since some data movements can be monitored) and virtually no score under recovery, since once the data is gone, it’s gone and you’re not going to get it back.

The important thing to remember is the goal is not to develop a perfect risk score. The goal is to understand which systems, databases, physical environments and third parties are riskier than others, which should provide a basis to prioritize controls and risk management activities.

The fact is there is no perfect model for assessing information security risk. The key is to develop something and use it to create dialogue. The real value in this exercise is not necessarily the numbers that are produced, but the awareness that it creates in researching and analyzing data sources and potential risks. Anything that increases awareness and accountability is a good thing.
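As an added illustration of the four-question model above (example code written for this page, not the e-book's or the author's), the following Python scores a constructed inventory of data stores and ranks them riskiest-first, grouped by accountable owner. The article gives the categories and the direction of each factor but no formula, so the 0-3 scales, band thresholds, additive score and sample entries are all assumptions.

```python
"""Risk-ranking model built on the four questions in the article.

Added example, not the e-book's code. The article names the categories and
the direction of each factor but no formula; the 0-3 scales, band thresholds,
additive score and the sample inventory are assumptions made here.
"""
from dataclasses import dataclass

# Vocabulary taken from the article's model.
DATA_CATEGORIES = ("customer/applicant", "corporate", "operational", "prospect", "third party")
SENSITIVITY = {"public": 1, "sensitive": 2, "confidential": 3}
IMPACT_CRITERIA = ("financial", "operational", "regulatory", "reputation")
SOURCES = ("person inside", "person outside", "system inside", "system outside", "natural disaster")
MITIGATIONS = ("prevention", "monitoring", "recovery")

def band(count: int, thresholds=(1, 10, 100)) -> int:
    """Map a count onto a 0-3 scale: one point per threshold reached (thresholds assumed)."""
    return sum(count >= t for t in thresholds)

@dataclass
class DataStore:
    name: str
    owner: str          # focal-point owner: IT, business head, department head or relationship owner
    category: str       # one of DATA_CATEGORIES
    sensitivity: str    # public / sensitive / confidential
    records: int        # how much data: the "quantity" half of the first data point
    impact: dict        # IMPACT_CRITERIA -> 0..3
    sources: dict       # SOURCES -> (people or systems involved, likelihood 0.0..1.0)
    mitigation: dict    # MITIGATIONS -> 0..3

def validate(store: DataStore) -> None:
    """Reject inventory entries outside the model's vocabulary or scales before scoring."""
    if store.category not in DATA_CATEGORIES:
        raise ValueError(f"{store.name}: unknown data category {store.category!r}")
    if store.sensitivity not in SENSITIVITY:
        raise ValueError(f"{store.name}: unknown sensitivity {store.sensitivity!r}")
    for crit in IMPACT_CRITERIA:
        if not 0 <= store.impact.get(crit, -1) <= 3:
            raise ValueError(f"{store.name}: impact[{crit!r}] must be 0..3")
    for src, (count, likelihood) in store.sources.items():
        if src not in SOURCES or count < 0 or not 0.0 <= likelihood <= 1.0:
            raise ValueError(f"{store.name}: bad source entry {src!r}")
    for aspect in MITIGATIONS:
        if not 0 <= store.mitigation.get(aspect, -1) <= 3:
            raise ValueError(f"{store.name}: mitigation[{aspect!r}] must be 0..3")

def what_is_at_risk(store: DataStore) -> int:
    """Quantity band (record-count thresholds assumed) times sensitivity: 0..9."""
    return band(store.records, (1, 1_000, 100_000)) * SENSITIVITY[store.sensitivity]

def impact(store: DataStore) -> int:
    """Financial + operational + regulatory + reputation: 0..12."""
    return sum(store.impact[c] for c in IMPACT_CRITERIA)

def source(store: DataStore) -> float:
    """Breadth of access (count band) weighted by likelihood, summed over sources: 0..15."""
    return sum(band(count) * likelihood for count, likelihood in store.sources.values())

def mitigation(store: DataStore) -> int:
    """Prevention + monitoring + recovery: 0..9, the only term that lowers the score."""
    return sum(store.mitigation[m] for m in MITIGATIONS)

def risk_score(store: DataStore) -> float:
    """Assumed additive model: the three risk-raising terms minus mitigation."""
    validate(store)
    return round(what_is_at_risk(store) + impact(store) + source(store) - mitigation(store), 2)

def rank(inventory: list) -> list:
    """Order the inventory riskiest-first: the prioritisation the article is after."""
    return sorted(((s.name, risk_score(s)) for s in inventory), key=lambda pair: -pair[1])

def by_owner(inventory: list) -> dict:
    """Group the ranked entries by accountable owner, riskiest first within each owner."""
    grouped = {}
    for store in sorted(inventory, key=risk_score, reverse=True):
        grouped.setdefault(store.owner, []).append(store.name)
    return grouped

# Constructed sample inventory: one entry per focal point in the article.
INVENTORY = [
    DataStore("CRM database", "business head (sales)", "customer/applicant", "confidential", 250_000,
              {"financial": 3, "operational": 2, "regulatory": 3, "reputation": 3},
              {"person inside": (120, 0.3), "system inside": (3, 0.1), "system outside": (1, 0.2)},
              {"prevention": 3, "monitoring": 2, "recovery": 0}),
    DataStore("ad hoc reporting database", "business head (finance)", "customer/applicant",
              "confidential", 50_000, {"financial": 2, "operational": 1, "regulatory": 3, "reputation": 2},
              {"person inside": (40, 0.5)}, {"prevention": 1, "monitoring": 0, "recovery": 0}),
    DataStore("public marketing site", "IT", "prospect", "public", 500,
              {"financial": 0, "operational": 1, "regulatory": 0, "reputation": 2},
              {"person outside": (100_000, 0.6), "system outside": (1, 0.2)},
              {"prevention": 2, "monitoring": 2, "recovery": 1}),
    DataStore("payroll vendor", "relationship owner (HR)", "third party", "confidential", 2_000,
              {"financial": 2, "operational": 2, "regulatory": 3, "reputation": 2},
              {"person outside": (15, 0.2), "system outside": (1, 0.3)},
              {"prevention": 2, "monitoring": 1, "recovery": 0}),
]

if __name__ == "__main__":
    for name, score in rank(INVENTORY):
        print(f"{score:6.2f}  {name}")
```

The ranking, not the absolute numbers, is the output that matters: the ad hoc reporting database the article warns about outranks the better-controlled vendor relationship even though it holds fewer records.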

Eric Holmquist is a consultant and former director of operational risk management at Advanta Bank Corp. Write to him at [email protected].


A Risky Approach
A risk-based methodology to regulatory mandates is all the rage in compliance circles, but it’s not for beginners.

BY LINDA TUCCI

WHEN CANDY ALEXANDER lists the compliance obligations of the Greenland, N.H., insurance company where she runs security, she homes in on the Federal Information Security Management Act of 2002 (FISMA). That’s because Long Term Care Partners LLC, formed in 2002 to provide federal long-term care insurance and administer medical benefits for federal employees, is a U.S. prime contractor.

“If we are not compliant with FISMA we don’t run the business,” says Alexander, chief information security officer at Long Term Care Partners, owned jointly by Boston-based John Hancock Life Insurance Co. and New York-based Metropolitan Life Insurance Co. “That’s our first and foremost compliance driver.”

Ranking second on Alexander’s list are the data privacy laws enacted by 44 states. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) comes in a close third. But dare to suggest these big three mandates drive her organization’s security strategy, and Alexander sets the record straight.

“I have been in organizations where my main focus was to meet compliance, nothing more, nothing less. People who are doing security for compliance purposes are putting their organizations at risk,” Alexander says. Regulations, she adds, should be the baseline.

Alexander practices what’s known in compliance circles as a risk-based approach to regulatory mandates, as opposed to compliance by checklist. What constitutes a risk management strategy for compliance differs depending on who’s talking. But the gist is this: Rather than allowing the ever-multiplying regulatory mandates to determine its compliance program, an organization focuses on the threats that really matter to its business—operational, financial, environmental and so on—and implements the controls and processes required to protect against them.

“You need to do information


security, not to meet compliance but to protect the business. There is a huge difference between those two methodologies,” Alexander explains.

PROTECTING THE BUSINESS FROM RISK
Focusing on protecting the business will result in a risk program that, in theory, will answer compliance regulations but in some cases go well beyond the mandate. A risk management approach, say advocates, also saves money by reducing the redundant controls and disparate processes that result when companies take an ad hoc approach.

The scope of protection against threats and degree of compliance depends on an organization’s risk appetite. The appetite for risk can wax and wane, depending on externalities such as a data breach, a global economic crisis or an angry mob of customers outraged by executive pay packages. When companies are making big profits, they can spend their way out of a compliance disaster. In financially rocky times, however, there is much less margin for error.

IT pros like Alexander and a variety of experts suggest that while a risk-based approach might be the right thing to do, it is also difficult, requiring:

• Defining the organization’s risk appetite.
• Inventorying the compliance obligations facing the organization.
• Understanding the threats that put the various aspects of the business at risk.
• Identifying vulnerabilities.
• Implementing the controls and processes that mitigate those threats.
• Measuring the residual risk against the organization’s risk appetite.
• Recalibrating the organization’s risk appetite to reflect internal and external changes in the threat landscape.

A risk-based approach to compliance requires a certain level of organizational maturity and, some experts hasten to add, is ill-advised for young companies. Risk-based compliance can be done manually, or by Excel spreadsheets, but vendors promise that sophisticated governance, risk and compliance (GRC) technology platforms will ease the pain. Meantime, those baseline compliance regulations still need to be met to an auditor’s satisfaction.

$1 MILLION CONTROL FOR $100K WORTH OF RISK
The assumption in a risk management approach to compliance is the business knows best about the risk level it can tolerate. But there’s the rub, says Eric Holmquist, a risk management expert.

“When it comes to risk management, getting your head around a tolerance level is extremely difficult,” says Holmquist, former director of operational risk management at Advanta Bank Corp. Then there’s the dirty little secret of every organization, he adds.

“For hundreds of years, businesses have been managing risk intuitively. I perceive there to be a risk; therefore I build control. But most controls are built to a perception of the risk and a perception of the scope of the risks, without really stopping to consider what is the real risk and is this the right control.”

By not doing the risk-benefit analysis, companies get the controls wrong. “I can’t tell you how many times I’ve seen a $1 million control mitigating a $100,000 risk,” Holmquist says. That’s putting a good face on it.


PAYING THE PRICE: HOW MUCH IS BEING SPENT ON IT?
A look at where regulatory compliance requirements spending fits into the overall IT budgets for North American (NA) and Europe, Middle East and Africa (EMEA) companies.

Percentage of 2006 budget allocated to each area, by number of employees:

                                                              EMEA       NA         All EMEA   All NA
                                                              <10,000*   <10,000    10,000+    10,000+
Transforming the business                                     16.29      11.34      17.61      13.38
Strengthening competitive position                            12.08      11.48      12.86      11.97
Improving productivity and efficiency within IT organization  13.63      12.34      12.91      11.37
Improving productivity and efficiency outside IT organization 12.91      12.88      11.92      11.67
Operations (running and supporting the business)              15.79      27.89      15.75      25.9
Maintaining/improving IT staff skills                         10         7.1        9.06       6.13
Meeting regulatory requirements                               9.62       7.64       9.87       9.92
Maintaining/improving information security                    9.44       9.07       9.73       9.39
Other                                                         0.25       0.25       0.28       0.28

SOURCE: GARTNER INC. SURVEY OF IT MANAGERS (JANUARY 2007)


Back in the 1970s, Ford Motor Co. was sued for allegedly making the callous calculation that it was cheaper to settle with the families of Pinto owners burnt in rear-end collisions than to redesign the gas tank. The case against Ford, as it turns out, was not so cut and dried, but the Pinto lives on in infamy as an example of a company applying a cost-benefit analysis and opting against the public welfare.

“Regulations introduce externalities that risk management itself would not have brought to bear,” says Trent Henry, a security analyst at Midvale, Utah-based Burton Group Inc. “Regulations make it a cost of doing business.”

A recent example concerns new laws governing data privacy. For many years in the U.S., companies that collected personally identifiable information owned that data. In the past, losing that information didn’t hurt the collector much but could cause great harm to the consumer, Henry says, “hence the regulations.”

But the degree to which a business decides to meet the regulation varies, depending—once again—on its tolerance for risk.

Organizations must decide whether they want to follow the letter of the law to get a checkmark from the auditor, Henry says, or more fully embrace the spirit of the law. “Is your philosophy as an organization minimal or maximal? And if it is minimal, you may decide that it is worth it to get a small regulatory fine rather than comply,” he says.

Indeed, “businesses now are cutting costs so narrowly that some know their controls are inadequate and are choosing not to spend that $1 million to put the processes, the people and infrastructure in place for that $100,000 fee,” Henry says, echoing Holmquist. “They calculate they’re still $900,000 ahead.” But don’t expect a business to own up to that. “They never let that cat out of the bag.”

SOX DRIVES RISK MANAGEMENT STRATEGY
Compliance is expensive. It is hardly surprising that companies are looking for ways to reduce the cost of compliance or, better yet, use compliance to competitive advantage. According to Boston-based AMR Research Inc.’s 2008 survey of more than 400 business and IT executives, GRC spending totaled more than $32 billion in 2008,


a 7.4% increase from the prior year. The year-over-year growth was actually less than the 8.5% growth from 2006 to 2007, but the data shows that spending among companies is shifting from specific GRC projects to a broad-based support of risk.

In addition to risk and compliance, respondents told AMR they are using GRC budgets to streamline business processes, get better visibility to operations, improve quality and secure the environment. “In prior years, compliance as well as risk of noncompliance was the primary driving force behind investments in GRC technology and services. GRC has emerged as the new compliance,” says AMR analyst John Hagerty.

Folding regulatory mandates into the organization’s holistic risk strategy gained momentum in the wake of the Sarbanes-Oxley Act of 2002 (SOX), one of the most expensive regulations imposed on companies. SOX was passed as protection for investors after the financial fraud perpetrated by Enron Corp. and other publicly held companies, but it was quickly condemned by critics as a yoke on American business, costing billions of dollars more than projected and handicapping U.S. companies in the global marketplace. Indeed, the law’s initial lack of guidance on the infamous Section 404 prompted many companies to err on the (expensive) side of caution, treating the law as a laundry list of controls.

By 2007, under fire from business groups, the Securities and Exchange Commission and Public Company Accounting Oversight Board issued a new set of rules encouraging a more top-down approach to SOX.

“There are certain areas mandated you wouldn’t want to meddle with—it is legal and no exceptions—but instead of checking every little box, companies were advised to take a more risk-based approach,” says Ravi Shankar, head of assurance services at Capgemini’s business process outsourcing division in Bangalore, India.

STABLE PROCESSES VS. COMPLIANCE WHACK-A-MOLE
Risk management frameworks are not new, and neither, really, is a risk-based approach to compliance,


Shankar points out. But the strategy has been gaining ground, driven in large part by IT as well as by IT best practices frameworks such as COBIT and the IT Infrastructure Library. Ten years ago at any well-managed organization, 75% of controls were manual. “Today, the industry benchmark is the other way around. IT drives about 70% of the controls and 30% are manual.” The endpoint is to move the 30% manual controls to automated controls, Shankar says.

Two fundamental building blocks are essential to adopting a risk-based approach to compliance, in Shankar’s view: stable systems and processes, and a strong business ethos. “If a company has absolutely diverse processes, it is not a good choice,” he says.

Burton Group’s Henry concurs. “It’s more like crisis management than risk management for those guys—compliance Whack-a-Mole.”

Formulating a sound risk strategy also requires a clear definition of the values and principles that drive the organization’s business—in other words, a certain level of maturity, Shankar says. “If the ethos is loosely defined, then it is not safe to take a holistic approach to compliance.”

Companies that make the grade, that give consistent guidance to investors, indeed any that operate successfully in the SOX arena, are probably ready for a risk-based approach, Shankar says.

A GLIMPSE INTO THE TOOLBOX
Shankar gets no argument on that point from Alexander Paras, who joined LeapFrog Enterprises Inc. in 2006 to manage the educational toy maker’s SOX compliance. LeapFrog recently bought GRC management software from BWise to support SOX compliance and manage enterprise risk.

“What did we have before? We had a nightmare! We had a bunch of Excel schedules and Word documents and Microsoft Project to manage things,” says Paras, senior manager for compliance at Emeryville, Calif.-based LeapFrog until March 2009, when he was named divisional controller for the company’s Mexico division. “As you can imagine from a version control standpoint, this created quite a bit of frustration for the auditors, business process owners


and senior management.”

LeapFrog needed greater transparency into its compliance efforts and controls. Unlike some of the other 20 solutions vetted, BWise GRC works at a process level, Paras says, capturing changes as they are made to documents and automatically ensuring those changes are reflected in all the other relevant systems in the compliance process. “You have one point of contact in the system and all the information cascades down,” Paras says. “SOX is just part of the routine, rather than an onerous project, which is what it should be.”

Luc Brandts, BWise founder and chief technology officer, says the starting point for most customers is money. “GRC to improve business is a great story, but we come in to solve a pain point. The cost of compliance is too high. Customers see they are doing the same thing eight times and want to get a grip on this, and as a second result they get a grip on their business. In the process they find out they have 16 different ways of doing accounts payable and there is no reason on earth to do so.”

THE GOOD OLD DAYS—NOT!
In an era of increasing regulation and more guidelines likely on the way, companies might be excused for seeing the auditor as the next threat. But don’t tell that to Long Term Care Partners’ Alexander, who got her start at Digital Equipment Corp. (DEC) “in the days before there were regulations.” Security folks had to jump up and down to try to get the business to protect information. “And they would say, ‘We really don’t need that, or there is no ROI.’” DEC quickly learned the value of data protection after its source code was stolen by notorious hacker Kevin Mitnick, she says. But the response from the business side was often that it would take the risk—to an absurd degree, Alexander recalls.

“That risk acceptance level was getting higher and higher and higher until it got to a ridiculous point, and that is when they came out with these regulations, with HIPAA, with Gramm-Leach-Bliley, with FISMA. A lot of folks in the security business went, ‘Phew! At least now we can get it done.’”

Linda Tucci is a senior news writer for SearchCompliance.com. Write to her at [email protected].


Buyer Beware: The Complexities of Evaluating GRC Solutions
GRC is about more than governance, risk and compliance; it’s about integration and streamlined management.

BY ED MOYLE

WHEN YOU GO shopping for a car, you likely have an inkling of what you want and shop at the appropriate dealer. If you want a truck, you’re not going to shop at a Mini dealership; if you’re after a sports car, you’re not stopping by the Hummer dealer.

But what if every dealership advertised generic vehicles, and vehicle meant anything from cars to skateboards to locomotives? What if you couldn’t tell who sold what because the product space was so big you couldn’t differentiate one from the other? How would you start making a decision? This is the position buyers are in with governance, risk and compliance (GRC) products.

MASTERING THE SPIN CYCLE
GRC is a huge market with many vendors, each with its own GRC story. These products are extraordinarily varied in the type of functionality they provide, the areas in which they excel and the aspects of the complete GRC picture where they have utility. And the way they’re being sold? Well, saying it’s difficult to tell which vendor does what is one whopper of an understatement. And it’s not made any easier by the fact that there are multiple types of GRC: IT GRC, financial GRC, enterprise risk management, etc.

Vendors are spinning their products—everything from document management to technical control validation, risk analysis and identity management—to claim a slice of the GRC pie. IT and security managers with buying power are left confused and unsure about where to spend their GRC dollars. And at the end of the day, confusion is bad for everyone.


For vendors, it means reduced adoption and a more difficult sales pitch. And for practitioners, it’s an obstacle to a workmanlike approach to information security management and to getting internal traction for a GRC deployment. Confusion is, as is usually the case in IT, the enemy.

It isn’t just the market—GRC as a product is huge as well. Breaking it down, governance is the ability of management to ensure that activities are performed according to set, defined processes; risk management is about identifying and quantifying risk and making sure the organization operates within its risk tolerance; and compliance is the process by which the organization operates on the appropriate side of the law, industry


PROMISING PRODUCTSMapping GRC’s claims to your company’s requirements:

E-BUSINESS DRIVER GRC “PROMISE”

Multiple overlapping regulations. Regulatory framework construction allowsmultiple regulations to be mapped to oneset of controls.

Demonstration of regulatory Mapping of policy to controls and regula-compliance to management/auditors. tory requirements allows you to keep track

of compliance activities.

Difficulty managing numerous Monitoring tools for technical controls, controls across multiple environments. ability to record which controls are imple-

mented at what locations (and to satisfywhat requirements).

Complexity of business makes risk Ability to assign risk based on criticality of evaluation difficult. components and sensitivity of stored data.

Ability to correlate changes in environmentand controls to overall risk.

Burdensome tracking of policy excep- Ability to track policy exceptions, ownerstions including exception expiration. of components in exception scope.

Inefficient, complicated or expensive Ability to automate workflow for security security program management. program tasks such as exception approval,

policy authorship and incidents.

Page 16: Governance,Risk,Compliancecdn.ttgtmedia.com/Syndication/SECURITY/GRCeBook511v2.pdfCHAPTER 1 »RISK MANAGEMENT: THE RIGHT BALANCE 3 GOVERNANCE, RISK, COMPLIANCE assessment would be

regulation and policy.Looking at it logically, vendors

could make the argument that anidentity management solution is ITGRC because it enforces governance,i.e., it helps ensure personnel followthe policies and procedures set downby management. Antivirus? Sure, whynot? AV software that monitors itssignature version and provides feed-back about what machines don’t have the software installed is policyenforcement at its finest. In fact, peo-ple could make the argument thatevery security product plays in thegovernance, risk and compliancespace, to one degree or another—and they’d be correct.But the point of GRC isn’t just to

govern, manage risk and comply; infact, you’re probably doing them allalready. The point is instead how youdo those three things. It’s about trans-parency and integration—ultimately,by sharing a common vocabulary,these aspects of management canbecome more measurable, repeatableand, in the best case, efficient.It’s an evolution away from man-

agement processes that grew organi-cally over time and a movementtoward more streamlined, integratedand manageable processes that bet-ter serve the needs of your business.It’s not about doing something new;it’s about taking what you already doand refining it. And it doesn’t take anyparticular product (or set of prod-ucts) to get there.

In fact, many customers may not even realize they can get pretty far along in their GRC goals in-house without relying on a particular vendor. All it takes is an understanding of their requirements, a bit of organization and some planning.

So in the interest of doing more with less, let’s look at what you can do with tools you already have and try to move toward GRC nirvana. Once you know what you need and have started to chart out how far you can go without making a purchase, filling in the gaps with the products in the market becomes a totally different experience. Once you change your discussions with vendors from “What does your product do?” to “Does your product do this?” the process becomes much less stressful, less time consuming and, ultimately, easier to figure out.

DESIGN, THEN BUILD

The first step to implementing GRC is to understand how you’re currently running these aspects of your business, specifically how you’d like to improve and for what purpose. Figuring this out should be a group effort—what you’re doing should have a broad impact on the whole organization and should be about integration—so this is not the time to create new silos in your organization. Reach out to all the stakeholders: IT, compliance, business, risk management, internal audit and counsel, and get them on board to help define requirements.

Some questions to ask in each aspect of GRC:

Governance: How are you currently organizing and publishing your policies and procedures? Do you even have policies and procedures? How are you enforcing them throughout the organization? Are you interested in just one particular set of policies and procedures, or is your interest more general—for example, are you just interested in IT or are you interested in business processes as well?

Risk management: What is your current process for identifying, classifying and treating risk? Are you using a formalized approach or an ad hoc one? Is that method quantitative or qualitative? Are you interested in just IT risk, or are you interested in other areas such as operational or financial risk?

Compliance: What is the extent of what you currently do for compliance? Are you currently using a compliance framework approach, or have all your efforts gone into targeting one or two specific regulations? Are you in a heavily regulated industry such as health care or financial services?

Coming to a quick and dirty understanding of where you are in each of these areas is a good first step and can give you valuable insight on where you might see the most benefit from your investment. For example, if you’re a health care provider and you’ve already spent more than a few dollars on risk assessment—i.e., to comply with the Health Insurance Portability and Accountability Act (HIPAA)—maybe risk management in your firm is in pretty good shape. Whereas if you’re a small retailer, you might not have any formalized risk management in place—and so you can benefit more from investment in this area. On the other hand, that same health care provider might have spent quite a bit of time and energy targeting HIPAA, and might not have a broad approach to compliance that covers other regulations that have developed since HIPAA was introduced. So maybe dollars are better spent expanding the compliance approach instead of concentrating on risk management.

Be honest with yourself about where you are and your maturity in these areas. If you’re looking to move beyond a quick and dirty analysis and are looking for something a little bit more formal, take a look at the Open Compliance and Ethics Group’s GRC Capability Model (the Red Book). This document provides a systematic (and highly detailed) outline for organizations looking to refine their overall GRC posture and seeking to implement these concepts within their organizations.

But at the end of the day, if it’s a choice between setting the bar high and not making progress versus setting the bar low and moving forward, set the bar low. If you have the time, funding and patience for a thorough, formal and rigorous approach, so much the better. But if you don’t, it’s better to do something than nothing. The IT Policy Compliance Group in its 2008 annual report draws a direct parallel between IT GRC maturity and a firm’s revenue; specifically, firms on the highest end of the IT GRC maturity spectrum have 17 percent higher revenue than those at the lowest end. Meaning, it’s in the best interest of your bottom line to do something.

REPACKAGE AND REPURPOSE

Once you have some idea of where you need help, determine whether there are tools in one area that you can expand to cover other areas. Remember again that the point of governance, risk and compliance is integration, so use this as an opportunity to find out what’s working well and bring it into a broader fold. For example, maybe that tool that you’re using just for the internal audit crowd might be useful in other areas as well. Or maybe the IT tool that you’re using to manage technical compliance could be repackaged for reporting outside of just IT.

If you’re a large organization, don’t skimp on figuring out what you already have (chances are good that you already have something somewhere). This could include commercial tools that you’ve already purchased—for example, auditing-centric tools used to drive risk management, policy authorship and publication tools, management reporting tools or any number of other commercial products that have an impact in any of these categories. Technical tools that provide feedback on whether or not individual machines and user accounts are in line with defined policy are in scope as well. Take a thorough inventory of what you’ve already purchased so you don’t buy something new with overlapping functionality (or so you can at least decide purposefully that you’re going to replicate functionality rather than discovering it after the fact), and so you can integrate what you already have into the broader scope of what you’re trying to do.

Include also in-house tools that you may have developed. This could be an in-house tool with all the bells and whistles, but it could also be more humble tools such as the spreadsheets and reports provided for tasks such as reporting the status of audit items, tracking compliance with industry regulation or learning more about just about anything else that gathers or packages data about control effectiveness. If you’ve already built a compliance framework based on standards such as the ISO 27000 series, NIST SP 800-53, COBIT or any other baseline, fold that process and documentation in as well. If you haven’t done that already, that’s fine, too, but if you have, making sure that your approach reuses what you’ve already done will save time in the long run and avoid stepping on toes.

THINGS TO REMEMBER

After you’ve done these things, you’ll probably realize a couple of things about your organization:

NO. 1: You’re probably more interested in some areas of GRC versus others based on your particular needs.

NO. 2: You’ve probably already spent a dump truck full of money on tools and processes to help automate certain aspects of a complete GRC picture.

You may also realize that there are some areas where you haven’t spent much in the way of time, effort or resources. Now you’re ready to come up with a purchasing strategy for tools. And you should have a pretty clear idea about where a tool would be the most valuable.

Are you just interested in IT? Does your company have mostly manual processes in place? Maybe a turnkey technical solution is for you? When you shop around (and pilot those systems), you’ll find out pretty rapidly that a vendor focused solely on risk management absent control validation is probably not the right choice.

Do you have fairly sophisticated technical processes and a heap of regulations to comply with (and not much in the way of compliance spending to date)? Maybe the vendor selling the technically focused solution isn’t the right pick for your company.

Take a cue from the Oracle in The Matrix and “know thyself.” Knowing what products you need before you invite the vendors in is the only way governance, risk and compliance will make any sense.

Ed Moyle is founding partner of consultancy Security Curve.


GRC and Policy Management: Methods and Tools is produced by CIO/IT Strategy Media and Security Media, © 2009 by TechTarget.

MANAGING EDITOR CIO/IT STRATEGY MEDIA GROUP

Jacqueline Biscobing

ART DIRECTOR

Linda Koury

CONTRIBUTING WRITERS

Eric Holmquist and Ed Moyle

SENIOR NEWS WRITER CIO/IT STRATEGY MEDIA GROUP

Linda Tucci

EXECUTIVE EDITOR CIO/IT STRATEGY MEDIA GROUP

Scot Petersen

EDITORIAL DIRECTOR SECURITY MEDIA GROUP

Kelley Damore

SENIOR TECHNOLOGY EDITOR SECURITY MEDIA GROUP

Neil Roiter

FOR SALES INQUIRIES:

Stephanie Corby, Senior Director of Product Management,

[email protected], (781) 657-1589

BUSINESS STAFF

SENIOR VICE PRESIDENT AND GROUP PUBLISHER

Andrew Briney

PUBLISHER, SALES

Jillian Coffin

