Archive for the ‘Industry’ Category
How to Simplify Your Governance, Risk Management and Compliance Process
Filed under: Best Practice, Industry, Technology | Tags: compliance, GRC, IT risk, IT-GRC, Maturity model
Leave a Comment This week’s eWeek has my article on how to simplify governance, risk management and compliance processes with a new model.
Table of Contents:
- How to Simplify Your Governance, Risk Management and Compliance Process
- Roadblocks of Traditional Maturity Model
- Process-Only Technologies Can’t Scale
- A Better Deployment Maturity Model
- Benefits of Vertical Maturity Model
Please give it a read. I would love to hear your feedback on the article.
PCI 2.0 encourages risk-based process: Three things you need to know
Filed under: Best Practice, Industry, Technology | Tags: compliance, eGRC, IT risk, IT-GRC, PCI, PCI Changes, PCI DSS 2.0, Risk-based compliance
Leave a Comment Your compliance efforts should be risk-based, rather than merely security-focused. Understanding your enterprise’s risk profile and prioritizing compliance and remediation efforts based on risk has been a growing industry trend since Agiliance was founded five years ago, and the evolution of the PCI standard reflects that.
The PCI Security Standards Council recently offered a preview of the PCI DSS 2.0 and PA-DSS 2.0, to be released at the end of October. The new standard includes clarifications, additional guidance, and evolving requirements—but no dramatic new requirements. The most significant change, especially in terms of your compliance budget, is the tilt toward a risk-based process. Responding to stakeholder feedback, section 6.2 will now “allow vulnerabilities to be ranked and prioritized according to risk” as part of an effort to “align with changes in industry best practices.” This is an approach that Agiliance has been encouraging for some time.
Risks That Matter
The new PCI standard will formally recognize an organization’s need to identify the risks that matter most to their business and to focus finite remediation resources on their top priorities. In embracing a risk-based approach, PCI is following industry standards such as ISO 27001.
Enterprise executives have complained that they are spending a ton on compliance and security, but can’t get enough visibility, and are not seeing much benefit from their investment. What they are really saying is that compliance efforts are not focused on the risks that matter to their specific business.
Many merchants have chosen only partial PCI compliance, according to Computerworld blogger Eric Ogren, due to the “prohibitive costs…and people to administer it all.” By allowing companies to assess vulnerabilliities based on risk, an enterprise can now be fully PCI compliant while only paying to remediate the exposures that really matter. Your organization evaluates its risk posture in the context of its risk tolerance, and other unique factors, and pulling this integrated view together can be effectively automated.
Risk and the accountability for risk acceptance are, and should be, owned by the businesses that are creating and managing those risks. Tools can automate effective risk management processes, but the results delivered by these tools will be only as good as the underlying frameworks, processes and data structures. Risk managers should develop enterprise-specific definitions of risk, as well as an organizational structure that eliminates conflicts and overlaps in responsibilities among all risk-related specialists.
PCI Security Standards Council General Manager Bob Russo mentioned that the new rules mean that “you can talk about a vulnerability with a Qualified Security Assessor (QSA) and economize for risk tolerance within your business circumstances to make it more flexible.”
Using an IT risk management tool to assess and categorize your risk profile across the enterprise helps identify those remediation efforts with the biggest impact.
Focus on the Big Picture
When you are prioritizing vulnerabilities, you need to consider the big picture, the whole enterprise. The top priority in a small department of your organization might not be important relative to the overall situation.
Security products often bring a narrow, tactical perspective that can create data silos and distract from the strategic view. Gartner Research, in response to the PCI 2.0 preview, recommends “Continue to avoid working with assessors or vendors that push their own remediation services or software.”
The rumors (started by security vendors) that the PCI 2.0 standard would mandate specific tools such as Data Leak Prevention applications turned out to be unfounded. The new standard seems to require a formal process or methodology, not necessary a product, that locates and documents all sensitive data in an enterprise, which has been a practice that IT-GRC products like Agiliance have promoted for years.
Some of the security products can lead to “audit-fatigue” by producing false-positives in thousands or millions. The output of such products needs to be analyzed with a risk-based lens.
Security tools generally produce low-level information, rather than risk-based analysis that is actionable by business users, auditors, or high-level business governance and policy decision makers. As the diagram below illustrates, the Risk Management function supports prioritized remediation, for example, unlike security tools alone.
In contrast with a tactical, security approach, a risk-based assessment of the entire enterprise can take remediation efforts to the next level. By pulling all the issues into a central repository for analysis, the enterprise gains visibility, eliminates silos, and can cut down on manual or repetitive tasks.
All compliance expenditures should be driven by a risk profile. Each item—vulnerabilities, compensating controls, findings, exceptions, or other elements—should be presented in an IT Risk Management tool in a risk context.
When selecting an IT Risk Management tool, make sure that it automates data collection and offers regular synchronization with your assets and patch management tools. Some products start with a one-time import and grow outdated over time. Others require manual effort to link vulnerabilities to your enterprise IT. A tool that receives automated feeds from your environment and automatically correlates the data for analysis, not only reduces manual effort, but also gives you continuous visibility of risk across your enterprise. The new PCI standards encourage you to prioritize risk management based on this holistic view.
PCI DSS 2.0 and PA-DSS 2.0
PCI has been a rapidly changing standard, but in response to feedback received, the standard will begin a new three-year lifecycle from now on. While this may not be great news for vendors who tout their gadgets for addressing upcoming PCI standards, we see this as good for companies that comply with the standard. However, it puts more responsibility on individual companies to follow a proper process to identify and manage their risks.
Besides emphasizing a risk-based approach and switching to a three-year update cycle, other notable highlights are a new scoping methodology, coverage of virtualization, and a PA-DSS requirement for centralized logging. The new standard does not seem to require any new security tools. Although Visa published a separate best practices for Tokenization, even it did not make the cut for this PCI revision. The new PCI standards will be released October 28 and will be effective January 1, 2011. Agiliance will release revised PCI content within days of the standard’s availability.
Specific Recommendations
- Use risk-based techniques for prioritizing compliance efforts. Expect some savings in compliance costs in 2011 from this change alone.
- Defer unnecessary security products sold as PCI requirements, in favor of an enterprise-wide understanding of your risk exposure and your organization’s prioritized risk. Invest in IT risk management systems and processes to cut compliance cost.
- With the new three-year lifecycle, plan for the next evolution of the PCI standard (v3.0) no sooner than end of 2013. There may be minor updates with clarification and guidance, but new requirements are not anticipated until PCI 3.0, which would be effective Jan 2014. This would provide stability and significant cost savings.
The PCI standard released at the end of October may not exactly match this month’s preview, but changes this late in the standards process usually amount to fine tuning. I’ll discuss other PCI 2.0 changes in more detail in future articles.
Article: How can healthcare organizations get started with GRC?
Filed under: Best Practice, Industry | Tags: compliance, GRC, Industry, policy, Risk Management
Leave a Comment 
Pravin Kothari
This is a nice article just published on Health Management Technology. It is written by my colleague Ed King. It spells out some very concrete ways a healthcare organization can start using GRC solutions to manage risk and achieve continuous compliance. The 3 top level suggestion are:
- Improve the integrity and efficiency of compliance
- Improve visibility and effectiveness of policies
- Improve awareness of and ability to mitigate risks
Give it a read and I would love to hear your feedback on the article.
Forrester’s Robert Whiteley: Note to CISOs – Be the Automator, Not The Automated
Filed under: Industry | Tags: GRC, Industry, Risk Management, Security
Leave a Comment Pravin Kothari
Here is an insightful blog entry from Robert Whitley of Forrester Research. This is very timely with our recent discussion threads around how CISO must take a more risk centric approach to security and you cannot manage risk effectively without automation. The more progressive CISOs are actively looking to increase the degree of automation around security operations, and at the same time increasing their scope of responsibility to become the Chief Risk Officer for the organization.
GRC and the Cloud
Pravin Kothari
This is RSA Conference week, so let’s take a short break from our threat management discussion and talk about RSA Conference a little bit.
It’s always interesting attending the RSA Conference. You meet new people and catch up with old friends. Besides seeing new technologies, one of the most fun thing to do is hear how different vendors do the marketing spin and try to align to the theme of the conference, and trust me, some spins are really stretching it. This year’s theme is Cloud Security. A few announcements came out from GRC vendors (and their parent companies 
), almost all high level with no details, but just to get the company name and the word cloud in the same press release.
So what exactly does cloud mean to GRC, and vice versa?
- GRC solution in the cloud: This is being able to buy GRC solutions using the SaaS model and being able to consume it as another solution from the cloud. Nothing too new and exciting here. No different than people using salesforce.com for CRM. Any GRC vendor worth its salt has a SaaS offering.
- Integrate GRC to the cloud: As companies are starting to buy IT solutions that are cloud based, GRC solutions must be able to connect to cloud based applications to provide data collection and automation. Unlike on-premise systems where you can always resort to the flat file dump and import method of integrations, not all cloud based solution vendors can support such manual processes. GRC solutions must be able to offer out-of-the-box integrations to these cloud based solutions, for example, Agiliance product can connect to cloud based Verisign iDefense and QualysGuard to collect the data and evidences to drive automated compliance and risk management,
- Assess the risk of the cloud services: When a system is on premise, it is easier to assess its risks. You know where the server is located, you know how data flows, you can control who has access to the machine and the data, you do the back up and disaster recovery. All these things we know about on-premise solutions become “cloudy” when the solution goes to the cloud, pun intended . For an organization to embrace cloud based solutions, an organization must be able to assess the risk of these cloud based solutions and IT service providers, or it will risk violating international regulations and industry mandates on data privacy, exposing intellectual properties and other business data to competition, unable to ensure system availability and business continuity, just to name a few. An organization must have robust vendor risk management process and solutions in place before it can adopt cloud based solutions for critical business and IT systems. For example, salesforce.com, an Agiliance customer, performs security risk assessment on all of its 1,200+ partner applications available on its AppsExchange. Salesforces.com needs to ensure its platform and the customer data are not put at risk due to a poorly designed partner application.
- Certification of the cloud: While it is a challenge for a company to assess the risk of all its cloud solution vendors, it is an equal challenge for a cloud solution vendor to meet the assessment requirements from all of its customers. This many-to-many assessment model is highly redundant and not scalable for both the customers and the vendors. What is needed is a certification standard for the cloud. This can be based on either industry standards such as Cloud Security Alliance and BITS Shared Assessments or proprietary ones from a trusted authority. A solution vendor can earn a seal of endorsement by putting its solution through such a certification program periodically. Buying organizations can trust the integrity of the solution knowing the solution has been rigorously assessed by trusted third party. A number of Agiliance customers like Cisco Systems and Bell Canada are already using Agiliance based solutions to automate their security and privacy assessment services. The use of an automated GRC system ensures the consistency and integrity of the assessment process, as well as the quality and consistency of the outputted reports and recommendations. It doesn’t take a strong imagination to think that this can easily translate into a formal certification program, much like what the Big 4 audit firms do for financial reporting integrity.
I would like to hear what insights or comments you may have on how GRC and cloud impact each other.
Martin Kuppinger blog: What business has to learn so that IT can align
Pravin Kothari
Martin is really on a roll now. A nice follow up from Martin about how security and business functions must be better aligned. This is very timely to my current series of blogs on a risk based approach to security management. GRC and security functions must be better aligned if an organization wants to excel.
Michael Rasmussen’s blog: What Is GRC?
Pravin Kothari
In the last 3 months there has been many threads and blog posts on-line trying to define GRC. Some bloggers and analysts go as far as saying GRC doesn’t exist. Michael Rasmussen’s latest blog offers some very nice ways to look at what GRC is.
Gartner Blog: We Come to Kill GRC, Not to Praise IT
Pravin Kothari
Here is another great Gartner blog entry. This one is by French Caldwell. There is a long discussion thread happening on the LinkedIn GRC group about what is GRC. Thanks to French for bringing some cool-head thinking to this. Let’s not get so caught up on terminology and labels. They are simply short hands to help people identify category of solutions. See if the products in the GRC category can add value to your enterprise. If it does, embrace it and call it whatever you want.
Gartner Blog: Is your software provider choking at the maintenance trough?
Filed under: Best Practice, Industry | Tags: Gartner, Industry
Leave a Comment Pravin Kothari
Here is an interesting blog post by Michael Maoz of Gartner. I like his proposed strategy of keeping non-differentiating products from the big software companies at the core, then surround that core with products from smaller innovators to gain a competitive advantage for your business. You can clearly see how this scenario is playing out in the security solution space, and is now happening in the GRC solution space.
Operationalize Risk Management
Filed under: Best Practice, Industry | Tags: Automation, compliance, control automation, enterprise risk, ERM, Framework, IT risk
Leave a Comment Pravin Kothari
The last topic of discussion at the Accenture CISO Roundtable was “Operationalize Risk Management”. If you recall, we started the session with Bob West of Echelon One discussing the need for CISO to speak about and measure risk. Then Scott Charbo of Accenture discussed what risks to measure and how to measure them. Mark Lockareff of Agiliance then discussed how do you operationalize these measurements and how technologies can help. Here are some of the key discussion points.
When the analyst community coined the term “GRC” a few years back, they positioned the 3 terms in order of theoretical maturity level. In theory, an organization should figure out how it wants to run its business and operations (Governance), then figure out how to manage risks they face that may prevent it from running its business, then figure out how to assess and report for compliance requirements. This is a maturity model that is perfectly logical, but very difficult to achieve given real world constraints. Given most organizations are on-going operations and must “keep the lights on”, compliance became priority number one. Compliance is relatively the most well understood requirement and the consequence for non-compliance is clear cut. By now most organizations have significant investments in various aspects of compliance, in terms of people, processes, and technologies. Most big organizations are becoming “compliant” and have matured to a point of wanting to fill out the rest of the GRC functions, namely Risk and Governance . Risk is the natural next step since it is better understood and more measurable than governance. So, the real-world maturity model is really “CRG”. Not the way things should be, but it is the way things are.
The next logical questions is how does an organization that has invested heavily in compliance, make the transition to proactive risk management? Can an organization leverage its compliance investments for its risk management initiative? Where are the gaps and what are the next steps?
Organizations that have invested in compliance programs have usually defined set of controls and testing procedures. Most organizations have also invested in some control technologies, such as vulnerability scanners, data leakage prevention, identity management, segregation of duties, log monitoring, etc. The good news is that these control points are some of the same ones required to gauge risk for security, operations, disaster recovery and so on. The fact that controls have already been defined and being tested and enforced is a great start. The issue is that the testing and reporting on these controls are generally done with manual audit processes, involving lots and lots of spreadsheets and processes that are error -prone. As risk is inherently real-time, risks do not cease to exist in-between the audit cycles. So in order to leverage control investments for risk management, an organization needs to be able to make control assessment and reporting near real-time and continuous. To move from a compliance centric GRC program to a risk centric GRC program, an organization needs to invest in automation for control assessment and reporting as well as new processes for risk management.
New automated and integrated GRC solutions leverage existing control technology investments and elegantly combine automated data from the environment and deployed controls with the information from operational controls, audit processes and mapped risk models. By such integration, GRC solution can enables continuous risk and compliance management.
The key to success for most IT projects is to roll out incrementally and achieve realistic goals with clearly demonstrable business benefits at each phase. GRC automation projects are no exceptions. There is no need to boil the ocean or throw the baby out with the bath water. Build on existing investments and processes – is the key to move up the “CRG” maturity cycle.
This will probably be my last post for the year. So happy holidays and a very happy new year to my fellow GRC professionals.
