Operational security | How to design your information security GRC (governance, risk and compliance)...

Date posted: 19-Jan-2017
Uploaded by: maxime-carpentier

Transcript

How to design your lean GRC (governance, risk and compliance) framework

Bangkok – March 15th

Maxime CARPENTIER - CIO

Governance, Risks & Compliance

Overview

What is the key to information security governance, risk & compliance?

How do you meet your governance, risk and compliance requirements and prevent a data breach?

Understanding the spirit of risk management.

Create a customized information security management system (ISMS) for your business.

Designing and implementing a cost-effective ISMS to minimize your risk of a breach.

Meet your legislative obligations (Data Protection Act), regulatory (Payment Card Industry), or industry standard (ISO-27001) compliance requirements.

Standard compliance requirements

Practical ISMS [information security management system] documentation structure.

Scope, objectives & risk strategy examples.

Risk treatment plan, asset register & classification guide examples.

Policy frameworks.

Control objectives, evidence & policy examples.

Audit & testing documentation examples.

ALKIA IT Services © 2016 - [email protected] - All rights reserved Page n° 3 P

The 4 GRC key components

Diagram: Governance, Policy, Scope & Objectives, Risk Strategy, Management, Processes

Step 1 | Practical Questions

What are we trying to protect?

Why are we trying to protect it?

Who’s responsible for protecting it?

What will we do to protect it?

What will we do to ensure it is protected?

What will we not do to ensure it is protected?

What will happen if we fail to protect it?

What are our escalation means should a breach happen?

ISMS Practical format rules

Keep it simple

Concise writing, good visuals

Clear goals

Scalable

Mentioning Assigned Owners

Centrally located and easily accessible

Signed by the CEO


Step 2 | Define your ISMS Structure

Scope & Objectives

Governance

Management
• Responsibilities
• Risk treatment
• Testing & Remediation
• Policies & Procedures

Risk Strategy
• Identify
• Minimize
• Manage

Scope & Objectives | Scope

List all applicable entities:

Locations

Staff

Systems

Suppliers

Partners

Clients

Scope & Objectives | Scope example

Scope: The XXXX ISMS comprises the following:

Staff: 1252

Locations: 4 (Bangkok, Hong Kong, Singapore, Jakarta)

Systems: 7

Suppliers: 23 (IBM, EMC, …)

Partners: 5 (Alkia, …)

Clients: 168

Scope & Objectives | Objectives

This step defines the WHY that supports the HOW. It is the backbone of the ISMS: be clear, consistent and comprehensive.

Detect a breach

Stop a breach

Comply with PCI (Payment Card Industry)

Comply with the DPA (Data Protection Act)

Protect your IP (intellectual property)

Protect your brand

Scope & Objectives | Objectives example

Objective: The objectives of the XXXX ISMS are ordered as follows:

To ensure the appropriate protection of XXXX sensitive information processed, stored or transmitted on corporate ICT systems

To ensure the appropriate protection of XXXX customer information processed, stored or transmitted on corporate ICT systems

To prevent a breach or unauthorized access to XXXX systems

To protect the XXXX brand reputation

Governance

List your requirements:

Internal (your policies, anti money-laundering, anti-slavery, fair trade)

External:

PCI

DPA

ISO

Governance | Governance example

The Information Security Management System governance framework is defined as follows:

The ISMS is implemented to meet the principles established by Singapore’s DPA

XXXX meets all parts of the PCI (Payment Card Industry) Data Security Standard (DSS) V3

XXXX meets the Sarbanes-Oxley Act 2002 requirements

Management

Management gives the operational framework and gives top executives visibility of your operational security:

Business accountability

Liability

Big picture

Leadership statements

Visibility

Audit landscape

Management hierarchy:

Board of directors

Executive Management

Senior Information Security management

Information Security Practitioner

Management | Management example

The roles and responsibilities for the ISMS management are as follows:

Board of directors: shall be responsible for identifying the key corporate information assets and verifying that the protection levels and the priorities established in the ISMS are appropriate.

Executive Management: shall be responsible for setting the tone for information security management and ensuring that the necessary functions, resources and infrastructure are available and properly utilized to meet the objectives.

Senior Information Security management: shall be responsible for developing the security and risk mitigation strategies, implementing security and risk programs and managing security incidents & remediation activities.

Information Security Practitioner: shall be responsible for designing, implementing and managing processes and technical controls, and for responding to events and incidents.

Risk Strategy

What is it?

How will you address this?

What sequence of action?

State a concise tactical statement

Your company risk appetite

Ensure Board support

Diagram: Risk – Identify, Minimize, Manage

Risk Strategy | Risk Strategy example

In order to meet the stated objectives, XXXX shall execute a strategy to identify, minimize and manage the risks to its information assets through the implementation of a Risk Treatment Plan.

Testing and remediation activities are implemented through the information security policies and procedures book.

Risk Strategy | Responsibilities

This is the “Who” component of the security system.

Day-to-day accountability, assigned owners (positions, not people)

Detailed processes

Detailed actions

Designed to ensure the ISMS is on-going

Risk Strategy | Responsibility example

Step 3 | Risk Treatment Plan

The risk treatment plan is your method (the how).

It represents the execution plan, directly derived from your risk strategy.

List on one board the risks, their occurrence probability, their potential impacts and their criticality.

The risk calculation formula is based on information asset value and on risk tolerance & resilience.

Keep in mind: Risk criticality = Threat x Probability x Impact

Check that it always answers clearly: What are we protecting? Why are we protecting it?

Additional outputs

Information Classification Guide: specific about what you are protecting.

Information Asset Risk Register: stating why you are protecting it, and what the impacts are on the company’s operations, sales or reputation.

Step 4 | Risk management

5 fundamental steps:

1. Identify your assets

2. Identify the potential vulnerabilities and threats to these assets

3. For each threat, quantify the probability of occurrence

4. Calculate the impact of the incident on your business

5. Implement cost-effective controls
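The five steps above and the Step 3 formula (Risk criticality = Threat x Probability x Impact), worked as a small risk register in Python. This is an added example, not code from the deck or from ALKIA IT Services; the 1-to-5 rating scales, the RISK_APPETITE threshold, the mitigate/monitor/accept decision rule and the sample assets are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed assumption (not from the deck): each factor is rated 1 (lowest)
# to 5 (highest), so criticality ranges from 1 to 125.
RATING_MIN, RATING_MAX = 1, 5

# Constructed assumption: the company's risk appetite, expressed on the same
# criticality scale. Risks at or above it must be treated.
RISK_APPETITE = 30


@dataclass(frozen=True)
class Risk:
    asset: str          # step 1: the information asset being protected
    threat: str         # step 2: the vulnerability/threat to that asset
    threat_level: int   # step 2: threat rating, 1-5
    probability: int    # step 3: probability of occurrence, 1-5
    impact: int         # step 4: impact on the business, 1-5
    owner: str          # assigned owner (a position, not a person)


def criticality(r: Risk) -> int:
    """Risk criticality = Threat x Probability x Impact (the deck's formula)."""
    for v in (r.threat_level, r.probability, r.impact):
        if not RATING_MIN <= v <= RATING_MAX:
            raise ValueError(f"ratings must be between {RATING_MIN} and {RATING_MAX}")
    return r.threat_level * r.probability * r.impact


def treatment(r: Risk, appetite: int = RISK_APPETITE) -> str:
    """Step 5: decide what to do, relative to the company's risk appetite.

    Constructed decision rule: at or above appetite -> mitigate with a control;
    at or above half the appetite -> monitor and re-test; below that -> accept.
    """
    c = criticality(r)
    if c >= appetite:
        return "mitigate"
    if c >= appetite // 2:
        return "monitor"
    return "accept"


def risk_board(risks):
    """The 'one board' of the treatment plan: highest criticality first.

    Each row is (criticality, asset, threat, treatment, owner).
    """
    rows = [(criticality(r), r.asset, r.threat, treatment(r), r.owner) for r in risks]
    return sorted(rows, key=lambda row: row[0], reverse=True)


# Constructed sample register (illustrative values only).
SAMPLE_RISKS = [
    Risk("Customer database", "Unpatched DB server reachable from partner network",
         4, 3, 5, "Head of IT Operations"),
    Risk("Payment card data", "Cardholder data written unencrypted to application logs",
         5, 2, 5, "PCI Compliance Manager"),
    Risk("Office laptops", "Loss or theft of a laptop without disk encryption",
         3, 4, 2, "IT Service Desk Manager"),
    Risk("Marketing website", "Defacement through an outdated CMS plugin",
         2, 3, 2, "Web Platform Owner"),
]


if __name__ == "__main__":
    print(f"{'crit':>4}  {'action':8}  {'asset':20}  threat  [owner]")
    for crit, asset, threat, action, owner in risk_board(SAMPLE_RISKS):
        print(f"{crit:4d}  {action:8}  {asset:20}  {threat}  [{owner}]")
```

Each row of the board answers the two check questions from Step 3 (what are we protecting, and why, via the threat and impact columns), and the owner column carries the "positions, not people" rule from the Responsibilities slide.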


Testing & remediation strategy

Describes how you verify that the controls and the remediation are effective. Check the coverage: are all assets covered according to their level of criticality?

Verification of controls: the things in place are working.

What?

When?

Who?

How?

Remedial status
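A coverage check for the verification of controls, as an added example in Python (not part of the deck or of ALKIA IT Services' material). Each verification record answers What? When? Who? How? and carries a remedial status; the check reports, per asset, whether it is covered, overdue for re-testing given its criticality tier, blocked on open remediation, or never verified at all. The asset tiers, the TEST_INTERVAL_DAYS re-test intervals, the reference dates and the sample records are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed assumption: how often a control must be re-verified, by the
# asset's criticality tier from the risk treatment plan.
TEST_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}

# The four questions a verification record must answer, plus its remedial status.
REQUIRED_FIELDS = ("asset", "what", "when", "who", "how", "remedial_status")

# Constructed asset register: asset -> criticality tier.
ASSETS = {
    "Customer database": "high",
    "Payment card data": "high",
    "Office laptops": "medium",
    "Marketing website": "low",
}

# Constructed verification log (illustrative values only).
VERIFICATIONS = [
    {"asset": "Customer database", "what": "DB server patch level",
     "when": date(2016, 2, 10), "who": "Head of IT Operations",
     "how": "vulnerability scan report", "remedial_status": "closed"},
    {"asset": "Payment card data", "what": "no cardholder data in logs",
     "when": date(2015, 9, 1), "who": "PCI Compliance Manager",
     "how": "sample log review", "remedial_status": "open"},
    {"asset": "Office laptops", "what": "full-disk encryption enabled",
     "when": date(2016, 1, 20), "who": "IT Service Desk Manager",
     "how": "MDM compliance export", "remedial_status": "closed"},
]


def is_complete(record) -> bool:
    """A record is usable only if it answers What/When/Who/How and has a status."""
    return all(record.get(field) for field in REQUIRED_FIELDS)


def coverage_report(assets, verifications, today):
    """Return asset -> one of 'covered', 'overdue', 'remediation open', 'no verification'."""
    latest = {}
    for v in verifications:
        if not is_complete(v):
            raise ValueError(f"incomplete verification record: {v}")
        if v["asset"] not in latest or v["when"] > latest[v["asset"]]["when"]:
            latest[v["asset"]] = v

    report = {}
    for asset, tier in assets.items():
        v = latest.get(asset)
        if v is None:
            report[asset] = "no verification"
        elif v["remedial_status"] != "closed":
            report[asset] = "remediation open"
        elif today - v["when"] > timedelta(days=TEST_INTERVAL_DAYS[tier]):
            report[asset] = "overdue"
        else:
            report[asset] = "covered"
    return report


def gaps(report):
    """Assets that are not currently covered, sorted for the remediation list."""
    return sorted(asset for asset, status in report.items() if status != "covered")


def report_on(year, month, day):
    """Run the constructed sample register as of a given date."""
    return coverage_report(ASSETS, VERIFICATIONS, date(year, month, day))


if __name__ == "__main__":
    # Constructed reference date (the day of the talk).
    report = report_on(2016, 3, 15)
    for asset, status in report.items():
        print(f"{ASSETS[asset]:6}  {status:16}  {asset}")
    print("gaps:", gaps(report))
```

The report deliberately treats an open remedial status as a gap even when the test itself is recent: a verified control that is known to be failing gives no coverage, and this is exactly the condition the slide's "Remedial status" line asks you to track.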


Policies & Procedures

Never write a policy that you can’t or won’t enforce.

Example: if you write a policy that states “download is strictly forbidden” and it happens that a key employee inadvertently did download and cannot be fired, it is all the value of your policies, and therefore their efficiency, that is diminished.

Never write a policy that you can’t monitor or verify for compliance.

Never state something you cannot prove has been complied with.

Example of framework


Q & A

How much security do I need?

An ISMS is exactly what you need, but do it well. By starting the process you will define your needs by stating your assets, what protection they require and what budget they deserve. Without starting this journey you will be lost, lacking strategy.

What is the core objective of building a GRC?

We are going to minimize the risks for this company, in a clear and consistent way.

What is a good ISMS?

It’s a framework that effectively covers what the strategy plan states.