OWASP Presentation On PRISM


Chasing the R in GRC

Drew Williams
President, Condition Zebra, Inc.
drew@conzebra.com

ZebraCon
International IT Risk Management Forum
27-29 August Berjaya Times Square

We're talking about

RISK
and its consequences when left unchecked


This is YOUR ORGANIZATION RIGHT NOW

Risk means trying to do it alone . . .

(Cartoon caption) I'm not worried. I've locked away all my assets into this computer. NOBODY will find me in here! Hahaha!

Risk means sharing more info than we should

(Cartoon caption) This has to be the best conversation


Risk comes at the worst times


(Cartoon caption) What? Your plane is leaving in an hour?


Risk can catch us off-guard

(Cartoon caption) Hey Mom, can U Plz Bring the TP?


And Risk can really make us look stupid

(Cartoon caption) Dude, OMG! I just saw myself on TV, LOL


Risk Management means Awareness 24x7


GRC: It's like going to the dentist

The [ethical/moral/business] dilemma

Nobody looks into it until it hurts too much
I'm not in the financial sector, so why should I bother?
I'm not a big enough organization to warrant the attention
Can't afford it
It's boring, it's distracting, and it doesn't deliver a clear ROI
Am I really going to get fined if I don't comply?
GRC doesn't make me any more secure

. . . Chasing the R through Social Networking

Top Five Social Network Security Risks (NOT in order)

Inconsistent messaging
Damage to brand reputation
Introduction of malware
Identity theft (business AND individual)
Loss, leak, stolen critical assets or information

1. R means Inconsistent Messaging


Defining the scope/intent of your organization is critical to gain credibility and influence

Is there a single V V M P?
Do you keep it simple?
Does everyone know it?
How do you distribute it?
Incentives for org-wide support?

2. R means Damage to Brand Reputation

Be aware of how/where your organization is aligned
Questionable sites leverage you to legitimize themselves
Your staff might be clever to align with news issues
Your partners might not share your perspective of who you are


3. R means Introduction of Malware


Trojans, Viruses, Spyware, Adware, all get uploaded from unsuspecting surfers on YOUR computers
It's like tracking mud in on your shoes
Do you have a physical / logical policy for accessing your systems remotely?
How are you managing BYOD?
What security controls do you have?

4. R means Identity Theft


It's not just about people. Just ask our friends at MYNiC


4. Identity Theft (What recently happened)

It's not just about people. Just ask our friends at MYNiC
Malaysia Network Information Centre (MYNiC) got Hacked
DNS Poisoning is a 13-year-old server farm target attack
Other sites affected but not hacked
Problem based on a hole in how DNS registrations are authenticated

5. R means Stolen Critical Assets or Information

And then there's THIS GUY . . .

How do you trust who you hire?
How do you define Policy?
How do you access critical data?
What controls do you have in place?
How do you evaluate your business external exposures?
What if you can't control the outcome at all?


Chasing the R throughout Asia


GRC: Asia, you're not moving fast enough!

GRC Analysis in Asia:
1:5 companies have started and stopped infrastructure upgrades because of uncertainty about expenses related to GRC
IT / Web infrastructures are not fully controllable any longer (BYOD)
Server Talk is shifting to Protecting virtual business assets (credit card access, e-transactions, mobile computing, etc.)
ROI has become guesswork for CYA
(Diagram labels: Process, Implementer)
SEA has been traditionally a global tech-driver
Now it needs to be an early adopter

GRC: First, you have to define its relevance

Governance, Risk [management], Compliance

A system of people, processes, and technology that enables an organization to:
Understand and Prioritize stakeholder expectations.
Set business objectives: congruent with Values & Risks.
Meet objectives / value while Managing Risk profile.
Operate within Boundaries: legal, contractual, internal, social, ethical.
Provide relevant, reliable, and timely information to appropriate stakeholders (Accountability).


GRC: Where did the C go? (C M+P)

80%+ businesses have e-presence
1.2 billion Facebook users (11% of the world's population)
700 billion minutes per month on FB
190 million tweets per day
92 billion YouTubers (monthly)
3,000 Flickr uploads per minute

Ready-made, global market for any product, any service, any recruiting effort, any campaign . . .

Source: Statistic Brain


GRC: Defining Governance


Focusing on the achievement of long-term success
Ensures the fit between the organization's mission and its performance.
It's about being in control and taking responsibility for the work and actions of your company.
Uses transparent decision-making processes to direct its resources and exercise power in an effective and accountable way.
Is accountable for what your organization does and how it does it.


GRC: Defining Governance


G is clearly articulated (from a technology perspective)
Centralize coordination of national cyber security initiatives
Promote effective cooperation between public and private sectors
Establish formal and encourage informal information sharing exchanges


Governance: At the pinnacle of implementation


GRC: Defining Risk


Risk (and its Management)
The effect of uncertainty on objectives, positive or negative
Coordinated & economical application of resources to:
Minimize,
Monitor,
Control the probability and/or impact of unfortunate events

Mgt = Identification, assessment, prioritization of risks


GRC: Defining Compliance


Baseline Definition
The capability to reliably achieve
organizational objectives while addressing
uncertainty and acting with integrity and
adherence to a pre-determined set of rules
and parameters.


GRC: Defining Compliance


Regulations & Mandates & Rules
Industry-specific
Government-based oversight
Auditing-based review of protecting personal data
Sector-based assessment for Critical Assets
Finance is #1
Commerce is #2
Healthcare is #3, but it's a far third place behind #1 & #2

GRC Landscape


Let's go back to Risk

Virtually 100 percent of ALL attacks/breaches/exploits come down to:

Policy . . . Where the rules of engagement are defined

Controls . . . Where systems are defined/configured

Exposure . . . Where the first line of risk often occurs


GRC: Defining Critical Infrastructure

Big Picture
Basic, essential systems, services and resources needed for an organization, designated population or region, to maintain its existence.


GRC: Defining Critical Infrastructure

Traditional Definition
Resources and hard assets vital to the security, governance, public health and safety, economy and public confidence of a state entity
(U.S. National Security Agency)


(Diagram: Critical Assets / Infrastructure)


(Diagram labels)
Governance
Critical Assets / Infrastructure
Risk Management


(Diagram labels)
Compliance
Objectives / Policies / Mandates / Development Pathway
Relevance Factoring
Governance
"Do we need to do this?"
Critical Assets / Infrastructure
Risk Management
Gap Assessment / Physical Reviews / Audits / Contingency / Continuity Mgmt


(Diagram labels, continued)
Compliance
Internal Assessment / Technology Assurances / Business Rules / Common Criteria

GRC: When it all goes really really wrong


GRC: Fail-points
Why (how) do efforts fail?
Five Key Reasons:
Redundant and inefficient processes
Inconsistent focus across the environment (enterprise)
It's complicated!
Lack of business agility
Incomplete, reaction-based point solutions


GRC: Fail-points (Procedures get messy)

Redundant & Inefficient Processes

Band-Aid Approach
Compartmentalize risk management efforts
Contrary to Big Picture oversight

Overlook how to leverage & integrate resources
Offer greater impact & timeliness to respond

Varying levels of success (Hit & Miss)
Inconsistent responses to individual risk and compliance requirements.
More expensive: multiple initiatives to build independent GRC systems


GRC: Fail-points (Message is confusing)


Inconsistent focus across the environment (enterprise)
Island Management
Creates silos of isolationism
Nobody knows what the others are doing
Creates Scope Creep and drains budgets

No common framework for activity
COSO / COBIT / IIA / SANS

CIO can't create consistent management patterns ($, resources)
Creates FUD about overall efforts at high levels
Nobody downstairs wants to follow the plan, sees no value


GRC: Fail-points (Implementation is annoying)

It's Complicated!
Adding layers of GRC initiatives creates complex, reaction-based conditions.
GRC is Distractive by its very nature
Most in-house departments focus on their sector, not GRC issues
Complexity increases inherent risk and results in processes that are not streamlined and managed consistently

More confusion fosters lack of trust in processes
Discredits departments and individuals
. . . As well as the organization itself, should something happen!
Also breeds confusion in regulators, stakeholders, business partners


GRC: Fail-points (Process is too rigid)


Lack of Business Agility
Reaction-based policies are not flexible
Limitations caused by including complex plans, hundreds of disconnected documents and spreadsheets
Dynamic distributed business structures need simple traffic patterns for disseminating policy
Point solutions have some impact but often miss the large-scale risk management solution framework and objectives
Data can become disconnected and difficult to manage / resolve


GRC: Fail-points (Tech doesn't always help)

Incomplete, reaction-based point solutions

Requires a top-down AND holistic view
Unravel one thread at a time
Immediate Reaction does not equal Immediate Response
GRC point solutions often focus on assessment
They might replace spreadsheets,
They usually don't deliver on analytics
They usually don't align with business applications.

Gaps develop in the GRC plan, causing internal misalignment


GRC: 10 things you can do RIGHT NOW

Govern WITHIN the system

1. Monitor but don't spy
2. Engage your staff, don't scare them off
3. Look first to your current Policies (are they current?)
4. Your Controls only work when you tell them to
5. Monitor (and mitigate) your external digital footprint: You're Exposed!

GRC: The dentist isn't so bad . . .

Elements of a successful GRC roadmap
Go back to your office and ask the following questions:
6. Are we budgeting/educating our team on Risk? Policy? Controls? Exposure?
7. How can we align GRC requirements with our policies and day-to-day business operations?
8. Which area of our business can we begin RIGHT NOW?
9. How can we leverage GRC Best Practices to reduce risk?
10. How can we govern our GRC processes across silos and stakeholders?

Thank You
Don't forget to attend

ZEBRACON
International Risk Management Forum
August 27-29 / Berjaya Times Square
zebra-con.com for more information

Drew Williams
President, Condition Zebra, Inc.
drew@conzebra.com