Building a Converged IT GRC Program

Aug 7, 2012

BUILDING A CONVERGED IT GRC PROGRAM

Scott M. Baron

National Grid

Agenda

Introductions
Section 1: What is…
Section 2: IT GRC Convergence Stages
Section 3: Resources
Section 4: Tools, Automation and Metrics

INTRODUCTIONS


Welcome

About Me

Director, DR&S Governance
IS Governance, Risk & Compliance
Former Compliance & Business Continuity Program Manager for Northwest Airlines
Founder of iNETech, Inc.
20 years of I.S. experience

Speaking Experience

ISACA NACACS
ISACA IT GRGC
ISACA International
Archer User Summit
Archer Roadshow

About National Grid

National Grid is an international electricity and gas company and one of the largest investor-owned energy companies in the world. We play a vital role in providing energy to millions of customers across Great Britain and the Northeast US in an efficient, reliable and safe manner.



Electric Transmission
England / Wales
Upstate New York, Massachusetts, Rhode Island, New Hampshire and Vermont

Electric Transmission
3.4 million customers in upstate New York, Massachusetts, Rhode Island and New Hampshire.

Gas Transmission
Great Britain

Gas Distribution
82,000 miles of gas distribution in GB (10.8 million customers)
36,000 miles, servicing 3.5 million customers (including upstate New York, New York City, Long Island, Massachusetts, New Hampshire and Rhode Island)

Generation
57 Electric Generation Units in Long Island, capable of producing 4.1 GW of power


SECTION 1: WHAT IS…?


What is… IT GRC

Governance: “… consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives”

Risk: Risk Management is the process by which an organization sets the risk appetite, identifies potential risks and prioritizes the tolerance for risk based on the organization’s business objectives. Risk Management leverages internal controls to manage and mitigate risk throughout the organization.

Compliance: Compliance is the process that records and monitors the policies, procedures and controls needed to enable compliance with legislative or industry mandates as well as internal policies.

Source: Wikipedia

SECTION 2: IT GRC CONVERGENCE STAGES

Stage 1: Silo Compliance

Info. Security: Access and Identity Management; Threat and Vulnerability Management; Policy / Standard Creation; Compliance Enforcement
Physical Security: Perimeter Security; Incident Response; Policy / Standard Creation; Compliance Enforcement
Project Management: Project Methodology; Project Risk; Policy / Standard Creation; Compliance Enforcement
Change Management

Other silos: Job Scheduling; Incident Management; Disaster Recovery; Data Lifecycle; Records Information Mgmt; Human Resources; Portfolio Management; Server Management; Network Management

Stage 1: Silo Compliance

Pros
At least you’re doing something… right?

Cons
Resource constraints
Possibly perceived as arbitrary
Lack of executive support for policies
Difficult to gain support for a cross-silo solution or vision

Stage 2: Regulatory Compliance

Info. Security: Identity and Access Control; Threat and Vulnerability Management
Change Management: System Priority; Change Review
Physical Security: Perimeter Security; Incident Response
Project Management: Project Methodology; Project Risk

Regulatory Compliance Team: Sarbanes-Oxley; PCI-DSS; HIPAA; GLBA; NERC

Stage 2: Regulatory Compliance

Pros
Regulations force change and often provide funding
Focused compliance team is created

Cons
Risk of Audit Fatigue
Dissimilar controls and test plans between regulations
Patches of Compliance
Uncommon solutions for common problems

Stage 3: Converged IT GRC

Info. Security: Identity and Access Control; Threat and Vulnerability Management
Change Management: System Priority; Change Review
Physical Security: Perimeter Security; Incident Response
Project Management: Project Methodology; Project Risk

Common Policy / Controls
IT Compliance Enforcement
Risk Management
Stage 3: Converged IT GRC

Converged IT Governance, Risk and Compliance program:
Establish Governance Body for IT
Supported Policies, Standards and Controls
Consistent Risk Analysis and Management
Single Empowered Compliance Team
Stage 3: Converged IT GRC

Pros
Executive support for initiatives
Risk Management / Risk-based approach
Reduce Audit Fatigue by reducing “ask many” scenarios
More efficient audit process due to common process and terminology
Ability to create consistent metrics

Cons
Difficult to convince others to “let go”

Section Recap

Key takeaways:
Three stages of IT GRC
Nearly all organizations have a GRC program in varying stages… but may not realize it
Work within your own company processes

Questions?

SECTION 3: RESOURCES


ISACA / ITGI Resources

Governance
Val IT Framework
The Business Case Guide: Using Val IT 2.0
Value Management Guidance for Assurance Professionals: Using Val IT 2.0
ITGI Resources: Board Briefing on IT Governance; IT Governance Domains Practices and Competencies Series; Implementing and Continually Improving IT Governance; IT Governance Institute: “Taking Governance Forward”

Risk
Risk IT Framework
Risk IT Practitioner Guide

Compliance
CobiT
CobiT Mapping Series
CobiT Quickstart, 2nd Edition
CobiT Security Baseline, 2nd Edition
IT Assurance Guide: Using CobiT
IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals
ITAF: A Professional Practices Framework for IT Assurance





Other Resources

International Organization for Standardization
ISO 27000: Information Security
ISO 31000: Risk Management, Principles and Guidelines

National Institute of Standards and Technology (NIST)
SP 800-53 - Recommended Security Controls for Federal Information Systems and Organizations
SP 800-115 - Technical Guide to Information Security Testing and Assessment

COSO
COSO Enterprise Risk Management Framework

Unified Compliance Framework

PCI
Data Security Standard

Others…

Section Recap

Key takeaways:
Knowledge of the numerous resources available to members free of charge
Other useful resources available free or nearly free on the Internet

Questions?

SECTION 4: TOOLS, AUTOMATION AND METRICS

Tools, Automation and Metrics

Executive Reporting
Evaluate Priorities
Business Objective Metrics
Active Compliance Metrics

Automated / Technical
Preventative: Anti-Virus; Intrusion Prevention; Change Management Apps
Detective: File Integrity Monitoring; Vulnerability Scan

Manual / Process
Policy Management
Variance / Exception Management
Risk Analysis
Workflow

Management Tools: GRC Suite; SharePoint; WebSphere; Workflow tools
Enforcement Tools: Tripwire (Open Source or Commercial); SNORT
Reporting Tools: SharePoint; WebSphere; Workflow tools; MS Excel
Testing Tools: CIS Audit Tools; NESSUS / Microsoft

Tools, Automation and Metrics

Establish / streamline your processes first
Tie your automation back to your control objectives
Make sure there is a clear ROI

Tools, Automation and Metrics

Automate where possible:
Policy Management
Risk Assessment / Analysis
Assessment Questionnaires
Exception / Variance Handling
Technical Controls for System Hardening
Compliance Reporting
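The deck names file integrity monitoring (Tripwire) as a detective control, and asks that automation be tied back to control objectives and produce compliance metrics. The script below is an added example that is not part of the presentation and not Tripwire's or National Grid's code: it takes a SHA-256 baseline of a directory tree, re-hashes it later, separates deviations that a change record covers from those that do not, and turns the result into a pass/fail control status and a percentage that could feed a compliance report. All file names, file contents and the approved-change set (the "CHG-0001" ticket) are constructed sample data; the only assumption is that the list of approved changes would in practice come from the change-management system.

```python
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Set


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


@dataclass
class FimReport:
    monitored: int                                       # files present in the baseline
    modified: List[str] = field(default_factory=list)
    added: List[str] = field(default_factory=list)
    removed: List[str] = field(default_factory=list)
    approved: List[str] = field(default_factory=list)    # deviations backed by a change record

    @property
    def unapproved(self) -> List[str]:
        """Deviations with no approved change behind them: the audit finding."""
        return sorted(set(self.modified + self.added + self.removed) - set(self.approved))

    def control_effective(self) -> bool:
        """Control objective: no change outside the change-management process."""
        return not self.unapproved

    def compliance_pct(self) -> float:
        """Reporting metric: share of monitored-or-new files with no unapproved deviation."""
        total = self.monitored + len(self.added)
        if total == 0:
            return 100.0
        return round(100.0 * (1 - len(self.unapproved) / total), 1)


def compare_to_baseline(baseline: Dict[str, str], current: Dict[str, str],
                        approved: Set[str]) -> FimReport:
    """Diff a fresh hash set against the baseline and mark what change management approved."""
    report = FimReport(monitored=len(baseline))
    for path, digest in baseline.items():
        if path not in current:
            report.removed.append(path)
        elif current[path] != digest:
            report.modified.append(path)
    report.added = sorted(set(current) - set(baseline))
    deviations = report.modified + report.added + report.removed
    report.approved = sorted(p for p in deviations if p in approved)
    return report


def demo() -> FimReport:
    """Constructed sample run in a temp dir: take a baseline, let the tree drift, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = {  # constructed sample files, not real system content
            "etc/sshd_config": "PermitRootLogin no\n",
            "etc/ntp.conf": "server 0.pool.ntp.org\n",
            "etc/hosts": "127.0.0.1 localhost\n",
            "bin/app": "#!/bin/sh\necho ok\n",
        }
        for rel, text in sample.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        baseline = build_baseline(root)

        # Drift after the baseline: one edit covered by a (constructed) change ticket,
        # one unapproved edit, one unapproved deletion, one unapproved new file.
        (root / "etc/sshd_config").write_text("PermitRootLogin no\nMaxAuthTries 3\n")
        (root / "etc/hosts").write_text("127.0.0.1 localhost\n192.0.2.10 build01\n")
        (root / "etc/ntp.conf").unlink()
        (root / "etc/cron.d").mkdir()
        (root / "etc/cron.d/nightly").write_text("0 2 * * * root /usr/bin/true\n")

        approved_by_change_mgmt = {"etc/sshd_config"}   # e.g. ticket CHG-0001 (constructed)
        return compare_to_baseline(baseline, build_baseline(root), approved_by_change_mgmt)


if __name__ == "__main__":
    rep = demo()
    print("unapproved deviations:", rep.unapproved)
    print("control effective:", rep.control_effective(),
          "| compliance:", rep.compliance_pct(), "%")
```

The point of the `approved` set is the convergence the deck argues for: the detective tool alone only says "something changed"; joined with the change-management record it answers the control question, and the same report feeds both the compliance metric and the exception-handling queue instead of each silo keeping its own.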


Section Recap

Key takeaways:
No single tool will fill all GRC requirements; it is important to focus on interoperability
Other useful resources available free or nearly free on the Internet

Questions?

Thank you

Questions?

Scott M. Baron
Director, Digital Risk & Security Governance
National Grid
Email: Scott.Baron@us.ngrid.com