Grc tao.4
1. The Tao of GRC
Danny Lieberman
CTO – Software Associates, Israel
2.
I have heard of military operations that were clumsy but swift, but I have never seen one that was skillful and lasted a long time.
Master Sun (Chapter 2 – Doing Battle, the Art of War)
3. The Tao of GRC
• Practical
• Any business can cook
• Protect customers and comply more effectively with regulation.
4. Agenda
• The flavors of GRC
• Why GRC 1.0 is broken
• The Tao of GRC
• Why it works
5. 3 flavors of GRC
• Government
• Industry
• Vendor-neutral standards
9. GRC 1.0
• Big Enterprise Software
• “automate the workflow and documentation management associated with costly and complex GRC processes”
Sword, Oracle, CA, Gartner, Forrester
10. Why GRC 1.0 is broken
Fixed control structures
Focusing on yesterday’s threats
11. 4 mistakes CIOs make
1. Focus on process while ignoring that hackers attack software
2. Label vendors as partners
3. Confuse business alignment with risk reduction
12. Both attackers and defenders have imperfect knowledge in making their decisions.
13. Mobile clinical assistants
• Mobile medical devices used by hospital radiologists had unplanned Internet access.
• Over 300 devices infected by Conficker and taken out of service.
• Regulatory requirements mandated that the impacted hospitals would have to wait 90 days before the systems could be modified to remove the infections and vulnerabilities.
15. Step 1 - Adopt a standard language
The threat analysis base class: People, Threats, Methods
16. People entities
Decision makers
• Encounter threats that damage their assets
• Risk is part of running a business
Attackers
• Create threats & exploit vulnerabilities
• Fame, fortune, sales channel
Consultants
• Assess risk, recommend countermeasures
• Billable hours
Vendors
• Provide countermeasures
• Marketing rhetoric, pseudo science
17. Threat entities
• An attacker may exploit vulnerabilities to cause damage to assets.
• Security countermeasures mitigate vulnerabilities and reduce risk.
Diagram entities: Asset, Vulnerability, Countermeasures, Attacker
18. Example threat scenario
Threat T3 – Malicious code may be used in order to exploit OS vulnerabilities and obtain patient information from mobile medical devices
Vulnerability V3 – Unnecessary devices may be enabled
Countermeasure C4 – Hardware toggle USB on
Countermeasure C5 – Network isolation
Countermeasure C6 – Software security assessment
Diagram labels: Attackers, ePHI, Weak or well-known passwords, Software defects, OS vulnerabilities
19. Methods
• SetThreatProbability – estimated annual rate of occurrence of the threat
• SetThreatDamageToAsset – estimated damage to asset value as a percentage
• SetCountermeasureEffectiveness – estimated effectiveness as a percentage
• SetAssetValue, GetValueAtRisk – in Dollars/Euro/Rupee
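The standard language of slides 15 to 19 (the threat analysis base class with its People, Threats and Methods, the Asset / Vulnerability / Countermeasure / Attacker entities, and the T3 / V3 / C4–C6 scenario) written out as a small Python model. This is an added example, not the presenter's code and not the PTA Technologies tool; the arithmetic (value at risk = annual rate of occurrence × damage fraction × asset value, with each applied countermeasure removing its effectiveness share of the remaining damage independently) and every number in the scenario (asset value, probability, effectiveness, annual cost) are constructed assumptions chosen only to make the calculation concrete.

```python
from dataclasses import dataclass, field
from itertools import combinations
from math import prod


@dataclass
class Asset:
    """An asset a decision maker wants to protect."""
    name: str
    value: float = 0.0          # SetAssetValue: in dollars/euro/rupee


@dataclass
class Countermeasure:
    """Something a vendor provides to mitigate a vulnerability."""
    name: str
    effectiveness: float        # SetCountermeasureEffectiveness: 0.0 .. 1.0
    annual_cost: float          # constructed: yearly cost of running the control


@dataclass
class Vulnerability:
    """A weakness an attacker may exploit; lists the controls that mitigate it."""
    name: str
    countermeasures: list = field(default_factory=list)


@dataclass
class Threat:
    """An attacker exploiting a vulnerability to damage an asset."""
    name: str
    asset: Asset
    vulnerability: Vulnerability
    probability: float = 0.0    # SetThreatProbability: annual rate of occurrence
    damage: float = 0.0         # SetThreatDamageToAsset: fraction of asset value lost

    def single_loss(self) -> float:
        """Money lost each time the threat materialises."""
        return self.asset.value * self.damage

    def value_at_risk(self, applied=()) -> float:
        """GetValueAtRisk: expected annual loss with the given countermeasures in place.
        Assumption: controls act independently, so the damage that survives them is
        the product of (1 - effectiveness) over the applied set."""
        residual = prod(1.0 - c.effectiveness for c in applied)
        return self.probability * self.single_loss() * residual

    def risk_reduction(self, applied) -> float:
        """Risk reduction measured in money, as slide 24 asks for."""
        return self.value_at_risk() - self.value_at_risk(applied)


def best_countermeasure_set(threat: Threat):
    """Try every subset of the vulnerability's countermeasures and return
    (names, net_benefit) for the one where risk reduction minus annual cost is
    largest. The empty set (do nothing, net 0) is the baseline to beat."""
    best = ((), 0.0)
    controls = threat.vulnerability.countermeasures
    for size in range(1, len(controls) + 1):
        for subset in combinations(controls, size):
            net = threat.risk_reduction(subset) - sum(c.annual_cost for c in subset)
            if net > best[1]:
                best = (tuple(c.name for c in subset), net)
    return best


def build_t3_scenario() -> Threat:
    """Slide 18's scenario with constructed figures (none of these come from the deck)."""
    ephi = Asset("ePHI", value=1_000_000.0)
    c4 = Countermeasure("C4 - Hardware toggle USB on", effectiveness=0.9, annual_cost=20_000.0)
    c5 = Countermeasure("C5 - Network isolation", effectiveness=0.8, annual_cost=50_000.0)
    c6 = Countermeasure("C6 - Software security assessment", effectiveness=0.5, annual_cost=80_000.0)
    v3 = Vulnerability("V3 - Unnecessary devices may be enabled", [c4, c5, c6])
    return Threat(
        "T3 - Malicious code exploits OS vulnerabilities on mobile medical devices",
        asset=ephi, vulnerability=v3,
        probability=0.5,   # constructed: once every two years
        damage=0.4,        # constructed: 40% of the asset's value per incident
    )


if __name__ == "__main__":
    t3 = build_t3_scenario()
    print(f"Unmitigated value at risk: {t3.value_at_risk():,.0f}")
    for c in t3.vulnerability.countermeasures:
        print(f"{c.name}: reduces risk by {t3.risk_reduction([c]):,.0f}, costs {c.annual_cost:,.0f}")
    names, net = best_countermeasure_set(t3)
    print(f"Best set by net benefit: {names} -> {net:,.0f}")
```

With the constructed figures the unmitigated value at risk is 200,000 a year; C4 alone cuts it to 20,000 for 20,000 of cost, so the search ranks the cheap hardware toggle above the combined set even though all three controls together leave the least residual risk. That is the point of putting the model in money: the decision maker compares countermeasures on the same scale as the budget that pays for them.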
21. Learn on the job
Vis-à-vis the regulator
• Understand what audit requirements count
Vis-à-vis your business
• Understand what threats count
• Prioritize
• Increase profits
24. Step 3 - Go green
• Measure risk reduction in money
• Attention to root causes
• Recycle controls & policies
25. Why the Tao of GRC works
• Threat models are transparent and recyclable.
• Transparency means more eyeballs can look at issues.
• Recycling & more eyeballs reduces cost.
• More eyeballs means safer products.
• Safer products means more revenue.
26. Acknowledgements
1. Michel Godet, for sharing his work reducing silos and creating reusable risk building blocks
2. Wlodek Grudzinski, for sharing his insights as a bank CEO and introducing me to Imperfect Knowledge Economics
3. My clients, for giving me the opportunity to teach them the language of threats.
4. My colleagues at PTA Technologies for doing a great job.