Module 3 Governance, Risk and Compliance Flashcards
Two Governance Components
- Separation of Duties
- Policy Definition
GRC
Governance
Risk
Compliance
3 Characteristics of GRC
- Integrated and holistic
- Organization structures
- Process oriented
Two Risk Management Components
- Change Management
- Configuration Management
Two Compliance Components
- Adherence to Regulations
- Industry Aligned
Integrated approach to organization-wide governance, risk management, and compliance.
GRC
Helps ensure that an organization acts ethically and in accordance with its risk appetite, internal policies and external regulations.
GRC
Integrated, holistic, and organization-wide
GRC
Managed and supported through GRC
Operations
Defines the guidelines and performance goals of an organization.
Governance
Must include measurements of success to determine if the operation is performing to the company’s standard and, if not, what type of remediation is required.
Governance
Four Consequences of Bad / Failed / No GRC
- Risk of fines for failed audits.
- Compliance concerns stall virtualization and Cloud.
- Audits - time consuming and costly.
- Concerns of identifying risk and proper valuation.
Examples of external events that drive a company to have a GRC program
- A breach where information is lost and has to be reported due to regulations.
- A new Federal regulation
Companies usually accept the risk of exposure until what?
Until they have an actual breach
Why GRC is important
- Breach
- Regulation
- Other?
Is security GRC?
No. Security is not GRC.
- Related to information processing systems.
- Mechanisms and techniques that control who may use or modify the computer or the information stored in it.
Security
Three key security tenets
- Confidentiality
- Integrity
- Availability
CIA
CIA
Confidentiality
Integrity
Availability
Purpose of IT security
To mitigate risks
IT risks are coupled with what?
Business risks
A framework for decision making, accountability, and measuring success.
Governance
Data protection and regulatory laws require what?
Security controls
How does Compliance relate to Security?
- Data protection and regulatory laws require security controls.
- Access to information and enforcement.
Related to information processing systems
Security
Mechanisms and techniques that control who may use or modify the computer or the information stored in it.
Security
Key security rule regarding information
Always ensure that your company owns the information; retain ownership no matter who stores / maintains it.
Key security rule regarding the Cloud
Make your information Cloud ready - clearly understand:
- Data you’re putting in the Cloud.
- Regulations and legislation surrounding that data.
- Worst case outcomes related to a breach of this information.
Required for data
A creation-to-deletion plan
Layered Security Approach
Take a layered approach to protections with defense-in-depth, measuring against the CIA model, and keep roles segregated.
Term for End-to-end Data Lifecycle
Information Lifecycle Management
Key because most regulated data has lifecycle requirements, and this is how all data should be handled.
The end-to-end data lifecycle (Information Lifecycle Management)
Four GRC Requirements for Virtualize Step
- Visibility into virtual infrastructure
- Privileged user monitoring
- Access management
- Network security
Four GRC Requirements for Operationalize Step
- Security compliance
- Information-centric
- Risk-driven policies
- IT & security operations alignment
Three GRC Requirements for IT-as-a-Service Step
- Secure hybrid Clouds
- Secure multi-tenancy
- Chain of trust
3 Infrastructure Characteristics for Virtualize Step
- Automation
- Efficiency
- Integration of virtual OS and infrastructure
3 Infrastructure Characteristics for Operationalize Step
- On-demand
- Service Level Management
- Increased range of capability
3 Infrastructure Characteristics for IT-as-a-Service Step
- Metering and charge-back
- Federation of resources
- Geographically independent
Must be included when securing hybrid Clouds
Secure multi-tenancy and hardware root of trust
How do enterprises need to look at the Cloud?
As an extension of the data center
Looking at the Cloud as an extension of the data center means what?
That security and GRC controls should already be in place and be enforceable with measurable results.
Most large enterprises fall between what two stages?
Between the Virtualize and Operationalize stages
7 Top Threats - Cloud Security Alliance (CSA)
- Abuse and nefarious use of Cloud computing
- Insecure interface and APIs
- Malicious insiders
- Shared technology issues
- Data loss or leakage
- Account or service hijacking
- Unknown risk profile
7 Top Threats - ENISA
- Loss of governance
- Lock-in
- Isolation failure
- Compliance risks
- Data protection
- Insecure or incomplete data deletion
- Malicious insider
True or False: Currently, there are few tools, procedures, standard data formats, or services interfaces to guarantee data, application, and service portability.
True
Dependency on a particular hypervisor for service provisioning, especially if data portability is not enabled.
Lock-in
Includes the failure of mechanisms separating storage, memory, routing - and even reputation between different tenants (e.g., guest-hopping attacks).
Isolation Failure
True or False: Attacks on resource isolation mechanisms (e.g., against hypervisors) are less numerous and much more difficult for an attacker to put in practice compared to attacks on traditional OSs.
True
Compliance risks of migration to the VDC
- If the VDC cannot provide evidence of their own compliance with the relevant requirements.
- If the VDC does not permit audit by the VDC customer.
- If using a multi-tenant infrastructure implies that certain kinds of compliance cannot be achieved (e.g., Electronic Healthcare Records).
True or False: Management interface compromise is not a Cloud security risk.
False
Threat associated with requests to delete a Cloud resource
As with most OSs, deleting a Cloud resource may not result in true wiping of the data (insecure or incomplete data deletion).
Definition of Enterprise Governance
The active distribution of decision-making rights and accountability among different stakeholders in an organization and the rules and procedures for making and monitoring those decisions to determine and achieve desired behaviors and results.
Questions related to Enterprise Governance
- Who makes directing, controlling and executing decisions?
- How will the decision be made?
- What info is required to make the decisions?
- What decision-making mechanisms should be required?
- How will exceptions be handled?
- How should governance results be reviewed and improved?
Directors should govern ICT through which three main tasks?
- Evaluate the use of ICT.
- Direct preparation and implementation of plans and policies.
- Monitor conformance to policies, and performance against the plans.
Four applications that require GRC
- Email
- Accounts Payable
- Accounts Receivable
- Expense Management
Defines the rules of electronic discovery
U.S. Federal Rules of Civil Procedure (FRCP)
FRCP
Federal Rules of Civil Procedure
Requires improved transparency in financial services reporting methods, data collection, and aging standards.
Gramm-Leach-Bliley Act (GLBA) - Financial Modernization Act of 1999
GLBA
Gramm-Leach-Bliley Act - Financial Modernization Act of 1999
SOX
Sarbanes-Oxley Act of 2002
Requires improved transparency in public company filings.
Sarbanes-Oxley Act of 2002
Requires supporting information be kept in compliance with specifications around: ease of restore, length of data retention, types of data retained, and auditing processes.
Sarbanes-Oxley Act of 2002 (SOX)
PII
Personally Identifiable Information
Usually includes Social Security Number (government ID), name, address, and credit card numbers
Personally Identifiable Information (PII)
PCI DSS
Payment Card Industry Data Security Standard
PCI DSS
Worldwide standard that specifies how cardholder information is collected, stored, processed, and shared with requirements for the processes (monitoring, audits) as well as the technology (encryption) used to manage PCI data.
Payment Card Industry Data Security Standard (PCI DSS)
US regulations which apply to email
FRCP
GLBA
SOX
HIPAA
US regulations which apply to accounts payable
GLBA
SOX
US regulations which apply to accounts receivable
GLBA
SOX
US regulations which apply to expense management
GLBA
SOX
PII
PCI
Typical security requirements for email, accounts payable, accounts receivable, and expense management applications.
- Two-factor authentication
- 45-day password expiration
The potential that a specific action or activity (including no action) will lead to an undesirable outcome
Risk
3 VDC Risk & Risk Assessment Considerations
- What decision-making mechanisms should be required?
- How will exceptions be handled?
- How should governance results be reviewed and improved?
3 Cloud Risk & Risk Assessment Considerations
- Potential for data flow across boundaries in the public Cloud?
- Third party controls need to be clearly documented.
- Handoffs.
- Clear process to manage information flow.
True or False: Traditional data centers have risk assessment considerations and they should be the foundation of any VDC and Cloud GRC implementation.
True
Tenancy GRC Consideration
When data is no longer kept on a system dedicated to just one business unit or application and is now in a multi-tenant shared resource pool - what are the implications from a risk perspective?
Auto-migration GRC Consideration
Does automatically migrating a VM and/or the data to another system or location have an impact on the risk level?
Auto-scaling GRC Considerations
As workloads scale up, is there an availability risk or performance risk?
Can the environment automatically scale up to handle the workload and what happens when it scales down?
Are all the systems left “clean” of residual data that could be exposed?
Virtual provisioning GRC Considerations
Can it be considered a risk if it exhausts resources?
Has that consideration been included in the risk assessments?
Cloud boundary GRC Considerations
With a public Cloud environment there are new risks such as the potential for data to be flowing across boundaries. Does the environment have adequate controls to assure that the data won’t cross borders if it is not allowed to due to rules of law or regulation?
Cloud GRC considerations for trusted 3rd parties
Are there clearly understood controls for trusted 3rd parties, such as the Cloud SP?
Are they clearly documented to mitigate the risks as much as possible?
Cloud GRC Considerations for Incidents
When an incident occurs, is there a clear definition of where / when / who handoffs are done to facilitate efficient incident response escalation and post mortems?
Cloud GRC Consideration for Service Provider Information Flow
Do you as the customer have a clear process in place that manages the information flow and timing from the SP into your own organization and vice versa?
5 Steps in the Risk Assessment Process
- Perform a quick, very high level risk check.
- Based on the risk score, determine what mitigation needs to be applied to allow the asset to be placed in a VDC or Cloud environment.
- Perform a full, detailed risk assessment. Understand all exposures; any further mitigations can be applied as necessary.
- Deploy the asset within the shared environment. Security controls are in place with compliance requirements being met.
- Re-evaluate the environment with another assessment and potentially an external audit.
3 levels of a risk scoring system
Low
Medium
High
5 Steps in Risk Assessment Process (Abbreviated Version)
- Quick Risk (L/M/H)
- Mitigation
- Full Risk Assessment
- Deploy
- Evaluate
3 Quick Risk (L/M/H) Components
- Asset Valuation
- Pass / Fail
- For VDC or Cloud
2 Mitigation Components
- Apply Standards
- Apply Internal Mitigation
3 Components of Full Risk Assessment
- Perform Deeper Assessment
- Determine Exposures
- Apply Mitigations
2 Components of Deploy Stage in Risk Assessment Process
- With Security Controls
- With Compliance Controls
2 Components of Evaluate Stage of Risk Assessment Process
- People, Process and Technology
- Execute Full Audits, Internal and External
Assessment usually applied to a whole business unit’s IT infrastructure and processes - or even a whole company.
ISO 27002 Assessment
IRM
Information Rights Management
True or False: Risk determination must be asset-centric.
True
3 Risk Determination Quick Scoring Systems
- Balanced Scorecard
- Pre-Assessment
- Blended Method
What does a Balanced Scorecard risk determination evaluate?
Business and technology risk
True or False: Pre-assessment usually pertains to privacy assessments.
True
Pre-assessment ISO standard designed for financial services
ISO/IEC 22307
4 Primary Risk Determination Considerations
- CIA - Confidentiality, Integrity, Availability
- Management and organization
- Value of application and data
- Leverage standards for mitigation
Most important dimension to evaluate the risk
The value of the application and data to the company
3 Information Security Questions
- Where is this application hosted?
- How are support processes performed for the application?
- Are there documented vulnerabilities in the application or associated infrastructure?
3 Business Considerations for Risk Scoring
- Classify Data Sensitivity
- Cost of Financial Damage
- Value of Application Product and Data
ALE
Average Loss Expectancy
A state of being in accordance with established guidelines, specifications, or legislation
Compliance
Compliance Issues
- Inventory applications
- Pre-assessment for risk level for the VDC and Cloud
- Deploy / apply rating system
- Evaluate based on regulatory requirements
- Evaluate compliance criteria for virtualization / Cloud
- If data will be handled by the SP, evaluate them for transitive risks
- Evaluate for vendor lock-in and future need to migrate to another provider.
Generally used before the asset is to be placed in a new environment
Privacy Assessments
Regulation which applies to financial data (personal and corporate)
PCI
Regulations which apply to healthcare data
HIPAA
HITECH/EHR
Regulation which applies to financial data (corporate)
SOX
Regulation which applies to personal information data
PII
Examples of 3rd party audit
SAS 70 Type II