How to design your lean GRC (governance, risk and compliance) framework
Bangkok – March 15th
Maxime CARPENTIER - CIO
Governance, Risks & Compliance
Overview
What is the key to information security governance, risk & compliance?
How do you meet your governance, risk and compliance requirements and prevent a data breach?
Understanding the spirit of risk management.
Create a customized information security management system (ISMS) for your business.
Designing and implementing a cost-effective ISMS to minimize your risk of a breach.
Meet your legislative obligations (Data Protection Act), regulatory (Payment Card Industry), or industry standard (ISO-27001) compliance requirements.
Standard compliance requirements
Practical ISMS (information security management system) documentation structure.
Scope, objectives & risk strategy examples.
Risk treatment plan, asset register & classification guide examples.
Policy frameworks.
Control objectives, evidence & policy examples.
Audit & testing documentation examples.
ALKIA IT Services © 2016 - [email protected] - All rights reserved Page n° 3 P
The 4 GRC key components
Governance
Policy
Scope & Objectives
Risk Strategy
Management Processes
Step 1 | Practical Questions
What are we trying to protect?
Why are we trying to protect it?
Who’s responsible for protecting it?
What will we do to protect it?
What will we do to ensure it is protected?
What will we not do to ensure it is protected?
What will happen if we fail to protect it?
What are our escalation means should a breach happen?
ISMS Practical format rules
Keep it simple
Concise writing, good visuals
Clear goals
Scalable
Mentioning Assigned Owners
Centrally located and easily accessible
Signed by the CEO
Step 2 | Define your ISMS Structure
Scope & Objectives
Governance
Management
• Responsibilities
• Risk treatment
• Testing & Remediation
• Policies & Procedures
Risk Strategy
• Identify
• Minimize
• Manage
Scope & Objectives
List all applicable entities:
Locations
Staff
Systems
Suppliers
Partners
Clients
Scope example
Scope : The XXXX ISMS is comprising the following:
Staff 1252
Locations 4 (Bangkok,Hong Kong,Singapore,Jakarta)
Systems 7
Suppliers 23 (IBM, EMC … )
Partners 5 (Alkia…)
Clients 168
Objectives
This step defines the WHY that supports the HOW. It’s the backbone of the ISMS: be clear, consistent and comprehensive.
Detect a breach
Stop a breach
Comply with PCI (Payment Card Industry)
Comply with the DPA (Data Protection Act)
Protect your IP (intellectual property)
Protect your brand
Objectives example
Objective: The objectives of the XXXX are ordered as follows:
To ensure the appropriate protection of XXXX sensitive information processed, stored or transmitted on corporate ICT systems
To ensure the appropriate protection of XXXX customer information processed, stored or transmitted on corporate ICT systems
To prevent a breach or unauthorized access to XXXX systems
To protect the XXXX brand reputation
Governance
List your requirements
Internal (your policies, anti money-laundering, anti-slavery, fair trade)
External:
PCI
DPA
ISO
Governance example
The Information Security Management System governance framework is defined as follows:
The ISMS is implemented to meet the principles established by Singapore’s DPA
XXXX meets all parts of the PCI (Payment Card Industry) Data Security Standard (DSS) v3
XXXX meets the Sarbanes-Oxley Act 2002 requirements
Management
Management gives the operational framework and gives top executives visibility of your operational security
Business accountability
Liability
Big picture
Leadership statements
Visibility
Audit landscape
Board of directors
Executive Management
Senior Information Security management
Information Security Practitioner
Management example
The roles and responsibilities for the ISMS management are as follows:
Board of directors: shall be responsible for identifying the key corporate information assets and verifying that the protection levels and the priorities established in the ISMS are appropriate.
Executive Management: shall be responsible for setting the tone for information security management and ensuring that the necessary functions, resources and infrastructure are available and properly utilized to meet the objectives.
Senior Information Security management: shall be responsible for developing the security and risk mitigation strategies, implementing security and risk programs and managing security incidents & remediation activities.
Information Security Practitioner: shall be responsible for designing, implementing and managing processes and technical controls, and for responding to events and incidents.
Risk Strategy
What is it?
How will you address this?
What sequence of actions?
State a concise tactical statement
Your company risk appetite
Ensure Board support
Risk: Identify, Minimize, Manage
Risk Strategy example
In order to meet the stated objectives XXX shall execute a strategy to identify, minimize and manage the risks to their information assets through the implementation of a Risk Treatment Plan.
Testing and remediation activities are implemented through the information security policies and procedures book.
Responsibilities
This is the “Who” component of the security system.
Day-to-day accountability, assigned owners (positions, not people)
Detailed processes
Detailed actions
Designed to ensure the ISMS is ongoing
Step 3 | Risk Treatment Plan
The risk treatment plan is your method (the how).
It represents the execution plan, directly derived from your risk strategy.
List on one board the risks, their probability of occurrence, their potential impacts and their criticality.
The risk calculation formula is based on information asset value and on risk tolerance & resilience.
Keep in mind: Risk criticality = Threat x Probability x Impact
Check that it always answers clearly: What are we protecting? Why are we protecting it?
Additional outputs
Information Classification Guide: specific about what you are protecting.
Information Asset Risk Register: stating why you are protecting it. What are the impacts on the company operation, sales or reputation.
Step 4 | Risk management
5 fundamental steps:
1. Identify your assets
2. Identify the potential vulnerabilities and threats to these assets
3. For each threat, quantify the probability of occurrence
4. Calculate the impact of the incident on your business
5. Implement cost-effective controls
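The five steps above, together with the Step 3 formula (Risk criticality = Threat x Probability x Impact) and the coverage check from the testing & remediation slide, can be carried on a single small risk register. The following is an added example written for this page, not a tool from the deck or from ALKIA: the assets, threats, 1-5 scales, owners, tolerance value and control list are all constructed assumptions, and the tolerance threshold stands in for the Board's risk appetite.

```python
"""Constructed risk-register example (not the deck's own tool): scores each
risk with the deck's formula, criticality = threat x probability x impact,
applies a risk tolerance, and checks verified-control coverage per asset."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str         # information asset from the asset register (step 1)
    threat: str        # vulnerability/threat scenario (step 2)
    threat_level: int  # 1-5 (assumed scale): capability/exposure of the threat
    probability: int   # 1-5 (assumed scale): likelihood of occurrence (step 3)
    impact: int        # 1-5 (assumed scale): impact on operations, sales, reputation (step 4)
    owner: str         # assigned owner: a position, not a person

    @property
    def criticality(self) -> int:
        # Risk criticality = Threat x Probability x Impact, range 1..125
        return self.threat_level * self.probability * self.impact


# Constructed sample register; every value below is invented for illustration.
REGISTER = [
    Risk("Customer DB", "ransomware on DB host", 4, 3, 5, "Senior IS manager"),
    Risk("Customer DB", "insider bulk export", 3, 2, 5, "Senior IS manager"),
    Risk("Marketing website", "defacement", 3, 3, 2, "IS practitioner"),
    Risk("Payroll files", "lost laptop", 2, 4, 4, "HR director"),
]

# Assumed risk tolerance set by the Board: scores above it must be treated.
TOLERANCE = 25

# Constructed control list; "verified" is the testing & remediation status.
CONTROLS = [
    {"asset": "Customer DB", "control": "offline backups, tested restore", "verified": True},
    {"asset": "Customer DB", "control": "DB export alerting", "verified": True},
    {"asset": "Payroll files", "control": "full-disk encryption", "verified": False},
]


def treatment(risk: Risk, tolerance: int = TOLERANCE) -> str:
    """Step 5 decision: accept risks within tolerance, treat the rest."""
    return "accept" if risk.criticality <= tolerance else "treat"


def ranked(register=REGISTER):
    """The 'one board' view: risks ordered from most to least critical."""
    return sorted(register, key=lambda r: r.criticality, reverse=True)


def coverage_gaps(register=REGISTER, controls=CONTROLS, tolerance=TOLERANCE):
    """Assets carrying a risk above tolerance with no verified control in place."""
    gaps = []
    for r in register:
        if treatment(r, tolerance) == "treat":
            verified = [c for c in controls
                        if c["asset"] == r.asset and c["verified"]]
            if not verified:
                gaps.append((r.asset, r.threat, r.criticality))
    return gaps


if __name__ == "__main__":
    for r in ranked():
        print(f"{r.criticality:>3}  {treatment(r):6}  {r.asset} / {r.threat}  (owner: {r.owner})")
    print("coverage gaps:", coverage_gaps())
```

Run as a script it prints the ranked board and the coverage gaps; with the sample data the payroll "lost laptop" risk (score 32) is flagged because its only control has not yet been verified, which is exactly the remedial status the testing slide asks you to track.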
Testing & remediation strategy
Describes how the controls and the remediation are verified to be effective. Check the coverage (are all assets covered according to their level of criticality?).
Verification of controls
Things in place are working
What?
When?
Who?
How?
Remedial status
Policies & Procedures
Never write a policy that you can’t or won’t enforce.
Example: if you write a policy that states “download is strictly forbidden” and it happens that a key employee inadvertently did download and cannot be fired, it is all the value of your policies, and therefore their efficiency, that is diminished.
Never write a policy that you can’t monitor or verify for compliance.
Never state something you cannot prove has been complied with.
Q & A
How much security do I need?
An ISMS is exactly what you need, but do it well. By starting the process you will define your needs by stating your assets, what protection they require and what budget they deserve. Without starting this journey you will be lost, lacking strategy.
What is the core objective of building a GRC?
We are going to minimize the risks for this company, in a clear and consistent way.
What is a good ISMS?
It’s a framework that effectively covers what the strategy plan states.