2. Greetings and Welcome
Special thanks to MOSTI & CSM for arranging this
Summary Value Points:
• Infrastructure Risk Management Takes Time
• MOSTI & CSM have initiated strong benchmarks to success
• Tools & Technology should be considered AFTER Process
• Managing expectations is key to long-term strategy
• Start with what you have, fix what you know
• Discover (quickly) what you don’t know you don’t know
3. Greetings and Welcome
If you are here, then you are interested in:
• Identifying the issues and challenges with regard to infrastructure security and preservation.
• Researching & recommending the types of best practices and courses of action to assess, mitigate and prevent risk in your infrastructure.
• Increasing your organization’s competitiveness and business position safely, while keeping risk in check.
• The potential costs/risks associated with the introduction of GRC mandates in the region, and how they may impact the sustainability and growth of your organization.
4. You are sacrificing 3 hours of your day for what?
We’re going to provide a fast-track view into GRC/CNII
• Information that you can take back and use today.
• Relevant data as it pertains to risk management.
• Awareness of trends that will impact your business.
• Insight into MY cyber-security mandates.
• Preview of ConZebra’s greater value as a VAS.
5. Caveat & Disclaimer
#1. Many citations are U.S. / ISO originated policies
#2. These policies DO APPLY if your organization has some form of relevant business or operational relationship with the U.S. or its partners
#3. Use the following information as guidelines for the potential trending of mandates on Asia’s horizons
7. 1. GRC Scope in the APAC Region
Throughout Asia:
• 1:5 companies have started and stopped infrastructure upgrades because of uncertainty about expenses related to GRC
• IT / Web infrastructures are not fully controllable any longer (BYOD)
• “Server Talk” is shifting to “Protecting virtual business assets” (credit card access, e-transactions, mobile computing, etc.)
• “ROI” has become guesswork for “CYA”
• SEA has been traditionally a global tech-driver; now it needs to be an “early adopter” process implementer
8. Defining GRC
Governance, Risk [management], Compliance
• A system of people, processes, and technology that enables an organization to:
– Understand and Prioritize stakeholder expectations.
– Set business objectives: congruent with Values & Risks.
– Meet objectives / value while Managing Risk profile.
– Operate within Boundaries: legal, contractual, internal, social, ethical.
– Provide relevant, reliable, and timely information to appropriate stakeholders (“Accountability”).
9. What is “Governance?”
Focusing on the achievement of long-term success
• Ensures the fit between the organization's mission and its performance.
• It’s about being in control and taking responsibility for the work and actions of your company.
• Uses transparent decision-making processes to direct its resources and exercise power in an effective and accountable way.
• Is accountable for what your organization does and how it does it.
10. What is “Governance?”
MOSTI is clearly articulated, but vague in delivery
• Centralize coordination of national cyber security initiatives
• Promote effective cooperation between public and private sectors
• Establish formal and encourage informal information sharing exchanges
12. What is “Risk?”
Risk (and its Management)
• The effect of uncertainty on objectives
– positive or negative
• Coordinated & economical application of resources to:
– Minimize,
– Monitor,
– Control the probability and/or impact of unfortunate events
• Mgt = Identification, assessment, prioritization of risks
14. What is “Compliance?”
17. Defining Critical Infrastructure
“Big Picture”
• Basic, essential systems, services and resources needed for an organization, designated population or region, to maintain its existence.
18. Defining Critical Infrastructure
Traditional Definition—
• Resources and “hard assets” vital to the security, governance, public health and safety, economy and public confidence of a state entity (U.S. National Security Agency)
19. Defining Critical Infrastructure
Health
Defense
Government (Non-defense)
Communications
Energy & Utilities
Transportation
Finance
Commerce & Economy
Agriculture & Food
Water
Emergency Services
20. Part 2: Sector Profiling: Health
Relevant Parameters
• Physical conditions must be evaluated first
• Technical controls must consider how EPHI is managed
– Patient health information
– Patient billing information
– This includes insurance plans, etc.
• Administrative controls must be reviewed
21. Part 2: Sector Profiling: Health
GRC Mandates
• Payment Card Industry Data Security Standard (PCI DSS)
• National mandatory disclosure laws
• Model Audit Rule (applies to health insurance companies)
• Sarbanes-Oxley (SOX)
These legal and compliance obligations and exposure require that health care organizations proactively manage compliance. Compliance risk in health care needs to be a coordinated effort that brings together a cohesive compliance process in a constantly changing environment: you must remain current.
— SAMPLE HIPAA POLICY
22. Part 2: Sector Profiling: Defense
Relevant Parameters
• Physical controls exist to limit physical access to the system
• There is a suitable access control policy in place to confirm the identity of the user prior to accessing the system;
• Configured to guarantee accountability with proper auditing functions enabled;
• Configured to ensure integrity of data.
– This includes proper backups, permissions, contingency planning
• Latest appropriate patches
• Users trained regarding system security awareness;
• Procedures exist for handling security incidents;
• Risk management analyses performed
– Assess value of additional security measures vs. the increased cost of those measures;
• Security planning / implementation performed throughout system lifecycle
• Periodic reviews of security postures assure consistent application
23. Part 2: Sector Profiling: Defense
GRC Mandates
– DoD
– NIST FISMA
– Specific Branches
– Classified Document Handling Protocols
– DefCons
– Border Patrol Policies
– Operational Handling of Secure Processes
— SAMPLE DoD / DoAF POLICIES
— ISO 27K (excerpt)
24. Part 2: Sector Profiling: Gov’t Admin
Relevant Parameters
• Critical Infrastructure Protection and Compliance Policy coordinates the inter-department development and implementation of policies
– Protection of the critical infrastructure of the non-defense government sectors
– Development of certain other statutes and regulations within the specific sectors
26. Part 2: Sector Profiling: Communications
Relevant Parameters
• Create a flexible framework to manage both control definition & regulatory requirements with compliance measurements
• Load balancing & consistent NOC reporting mechanisms
• Manage telecommunications-targeted enterprise risks within enormous infrastructures
• Carrier plans may vary from region to region
• Wireless & data stream management parameters differ
• Platform compliance (SAP applications, Oracle, etc.)
27. Part 2: Sector Profiling: Communications
GRC Mandates
• FCC
• SOX
• GLBA
• PCI / DSS
• ISO27K
— ISO 27K (excerpt)
— T-Mobile Case Study
28. Part 2: Sector Profiling: Energy
Relevant Parameters
• Maintaining support during Disasters
• Grid Management & Physical Exposure to risk/threat
• Policies may vary depending on location of infrastructure
• “Energy” is Multi-faceted
– Power
– Natural Gas
– Other sources
30. Part 2: Sector Profiling: Energy
This model overlays energy infrastructure networks on a specific location. The vertical lines identify system interdependencies.
31. Part 2: Sector Profiling: Energy
GRC Mandates
• FEMA (U.S.)
• MY DoE guidelines
— ISO 27K (excerpt)
32. Part 2: Sector Profiling: Finance
Relevant Parameters
• Traded companies must comply with SEC rules by reporting on the effectiveness of their internal controls in the annual report.
• The content must contain
– A statement of management’s responsibilities for establishing and maintaining an adequate system.
– The identification of the framework used to evaluate the internal controls.
– A statement as to whether or not the internal control system is effective as of year-end.
– The disclosure of any material weaknesses in the system.
– A statement that the company’s auditors have issued an audit report on management’s assessment.
• Senior management requires CPA input
• Must determine whether there are any material weaknesses
39. Part 3: GRC Fail-points
Why (how) do efforts fail?
• Five Key Reasons:
– Redundant and inefficient processes
– Inconsistent focus across the environment (enterprise)
– It’s complicated!
– Lack of business agility
– Incomplete, reaction-based point solutions
40. Part 3: GRC Fail-points
Redundant & Inefficient Processes
• Band-Aid Approach
– Compartmentalize risk management efforts
– Contrary to “Big Picture” oversight
• Overlook how to leverage & integrate resources
– Offer greater impact & timeliness to respond
• Varying levels of success (“Hit & Miss”)
• Inconsistent responses to individual risk and compliance requirements.
• More expensive: multiple initiatives to build independent GRC systems
41. Part 3: GRC Fail-points
Inconsistent focus across the environment (enterprise)
• “Island Management”
– Creates silos of isolationism
– Nobody knows what the others are doing
– Creates “Scope Creep” and drains budgets
• No common framework for activity
– COSO / CobIT / IIA / SANS
• CIO can’t create consistent management patterns ($, resources)
– Creates FUD about overall efforts at high levels
– Nobody “downstairs” wants to follow the plan, sees no value
42. Part 3: GRC Fail-points
“It’s Complicated!”
• Adding layers of GRC initiatives creates complex, reactive-based conditions.
• GRC is “Distractive” by its very nature
– Most in-house departments focus on their sector, not GRC issues
– Complexity increases inherent risk and results in processes that are not streamlined and managed consistently
• More confusion fosters lack of trust in processes
– Discredits departments and individuals
– . . . As well as the organization itself—should something happen!
– Also breeds confusion in regulators, stakeholders, business partners
43. Part 3: GRC Fail-points
Lack of Business Agility
• Reaction-based policies are not flexible
• Limitations caused by including complex plans, hundreds of disconnected documents and spreadsheets
• Dynamic distributed business structures need simple traffic patterns for disseminating policy
• Point solutions have some impact but often miss the large-scale risk management solution framework and objectives
– Data can become disconnected and difficult to manage / resolve
44. Part 3: GRC Fail-points
Incomplete, reaction-based point solutions
• Requires a top-down AND holistic view
• Unravel one thread at a time
• “Immediate Reaction” does not equal “Immediate Response”
• GRC point solutions often focus on assessment
– They might replace spreadsheets,
– They usually don’t deliver on analytics
– They usually don’t align with business applications.
• Gaps develop in the GRC plan, causing internal misalignment
45. Part 3: 10 Critical Fail-points in GRC Planning
• Intelligence reporting
– Needed to support decision-making: risk awareness / mitigation and compliance areas
• Identifying consistent risk patterns & dependencies
• Inconsistent, inaccurate system and operational data reports
• Cost of consolidating disparate / inconsistent data streams
• Liabilities of fines for failing to report and trend GRC across required assessment and reporting periods
46. Part 3: 10 Critical Fail-points in GRC Planning
• Unreliable or irreconcilable risk assessment results
– Different formats & approaches (e.g., human monitoring without automation)
• Redundant risk management & compliance efforts
• Inconsistent approaches to risk/compliance activities
• Different vocabulary and processes that limit correlation, comparison and integration of information
– Not following a common criteria standard or framework
• Limitations in response times to changing environments
47. Part 3: GRC Fail-points—ASK FIRST!!
High-level questions need to be answered first:
• What does our end-to-end GRC program look like today?
– Budget, Planning, C-level Buy-in, Org-wide understanding
• How can we align GRC requirements with our policies and day-to-day business operations?
• What is our real exposure and what controls need to be implemented to address/mitigate/recover from risks?
• How can we leverage technology to manage GRC holistically across the enterprise?
• How can we govern our GRC processes across silos and stakeholders?
48. Content Acknowledgements...
National Institute of Standards & Technology
Deloitte
Cisco
U.S. DoD
SANS Institute
Modulo
Michael Rasmussen
IIA / ISACA
49. 3 Key Target Trends for CNII/NCSP implementation
54. Elements of a successful GRC roadmap
High-level questions need to be answered first:
• What does your end-to-end GRC program look like today?
– Budget, Planning, C-level Buy-in, Org-wide understanding
• How can you align GRC requirements with your policies and day-to-day business operations?
• What is your real exposure and what controls need to be implemented to address/mitigate/recover from risks?
• How can you leverage technology to manage GRC holistically across the enterprise?
• How can you govern your GRC processes across silos and stakeholders?
64. Your ConZebra Point of Value...
We created a scenario for how to establish a critical infrastructure, and identified our GRC plans
We established a common parameter of understanding for each respective operational sector of a Critical Infrastructure
We identified potential gaps that may appear from our analysis of our respective sector-by-sector activities
We recognized consequences and fail-points when configuring an effective GRC strategy