NextGen GRC sept 24 cp edits… · 2013 Fall Conference – “Sail to Success” CISA. Case Study
Page 1
NextGen GRC
A Case Study
Andy Clauson, GRC Analyst, Cyber Security
Kaiser Permanente
Wednesday, October 2, 2013
CRISC CGEIT CISM CISA
2013 Fall Conference – “Sail to Success”
Page 2
Case Study Contents
• Background and challenges
• Our take on NextGen GRC
• Case study #1: DLP integration
• Case study #2: findings
• Lessons learned
• Q & A
2013 Fall Conference – “Sail to Success”, September 30 – October 2, 2013
Page 3
Kaiser Permanente: Key Facts
• Nation's largest not‐for‐profit health plan
• Over 9 million members
• 37 hospitals
• 618 medical offices and other facilities
• More than 175,000 employees
• 17,157 physicians; 49,034 nurses
• $50.6 billion operating revenue
• 2012: Five star rating from CMS for Medicare plans in California
• Largest Private Electronic Medical Records Program
• More than 19 million visits to mobile‐optimized kp.org
Page 4
Regulatory Environment
• PCI
• HIPAA
• SOX
• State regulations
• Many others
• Gaining in complexity
• Relatively rapid changes
• Compounded by Kaiser Permanente’s highly federated organizational structure
Page 5
Security Environment
• Thousands of applications
• Tens of thousands of servers
• Hundreds of thousands of endpoints
• Hundreds of thousands of internal users
• Millions of external (web, etc) users
• Standard array of emerging challenges (mobile, IP enabled medical devices, etc)
Page 6
GRC Org Structure: Convergence within IT
• Multiple IT security and compliance functions reorganized into a Technology Risk Office
• Shift in focus from a department’s silo (e.g. compliance or security) to the common goal of risk management
• Mandate to share information and processes
• Long term good idea that causes short term uncertainty in business process and therefore technology need
Page 7
Summary
Page 8
What NextGen GRC is.

| Classic GRC Approach | Next Gen GRC |
|---|---|
| Primarily for Mapped Control Set -> Assessments -> Findings -> Remediation workstream, and compliance reporting | Productivity for G or R or C personnel; compliance and other reporting as a natural byproduct |
| Do All At Once / a single implementation | Go for small wins (add value where you can with eye on bigger picture) |
| Attempt to make a single software accomplish data aggregation, transactional needs, history, assessment, security, etc etc | Recognize you need a full suite of tools, at a minimum a RDBMS for your big data, a transactional / workflow engine, sophisticated reporting capability, and lots of integration potential to smash value ceilings. |
| Architect for full automation of an often pie in the sky future state business process. Assume the auditor can be replaced with computer logic. | Architect for simplicity, flexibility and future growth. Automate only mature operational processes. Do not attempt to replace the CISA / professional human judgment. Instead aim to add productivity. |
Page 9
What NextGen GRC is NOT
• Totally unstructured
• Make up requirements as you go
• Without testing (must have a test script populated with expected outcomes)
• Without project management
Page 10
Sample NextGen GRC Architecture (diagram)
Sources: Enterprise Directory, Multi Layer Scanning Solutions, Host Based Mitigations, Network Mitigations, Application Layer Mitigations, Data Loss Prevention, Other Tools
ETL: Data Marts, Big Data
Archer: Transactional Workspaces
Application Layer: BI Reporting, Predictive Analytics, Machine Learning
Presentation Layer: Executive Dashboards, Metrics/Scorecards
Audiences: KP Executives, KP Operations, Business Executives, IT Security
Page 11
Simple Example: DLP Integration (diagram)
Labels: DLP System, Violations, SOC Analyst, Violators, Escalation Points, Reporting and Metrics
Page 12
Issues and options
• DLP API may be nascent
• Process may be still ramping up
• Requirements for what we would need in the future may lead to speculation and many possible future outcomes
• Option A: Wait and discuss (analysis paralysis)
• Option B: Chip off and implement the pieces that add value now
Page 13
Implementation
• Break the total project into bite‐sized pieces to score incremental gains.
• Smash the value ceiling in our DLP and GRC system by writing a custom script to export and transform the data
• Enable flow of metrics data between departments by leveraging common infrastructure
• Bring only the data that’s needed for transactional work into GRC, leave the rest in an external data store
• Subsequent phases to do the email and other enforcement actions
Page 14
Implementation Overview (diagram)
DLP System → CSV File → SQL → Archer (Violators, Transactional Workspaces, Metrics/Scorecards)
IDM System → CSV File → Server → Escalation Points
Page 15
Example 2: Processing findings in a risk‐oriented environment (diagram)
Sample Sources: Compliance Assessments, Security Assessments, Ad‐hoc Identified Risk Issues, Incident Root Cause Analysis, Controls Integration Assessment, Vendor Assessment, Audit Findings, Risk Findings, Application Assessment, Large Program
Page 16
Issues and options
• Risk rating, mapping, etc needs to be injected
• Multiple moving targets makes process automation a challenge
• Option A: Wait and discuss (analysis paralysis)
• Option B: Chip off and implement the pieces that add value now
Page 17
Implementation
• ETL (extract transform load) to gather, systematically classify and prioritize findings
• Use GRC system to provide a common workspace and basis for reporting
Page 18
Implementation (diagram)
Multiple Source Systems → ETL (Standardization, Mapping, Default Assignment, etc) → MySQL Server → Archer (Transactional Workspaces, Metrics/Scorecards) → Collaborators / Resp. Parties
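The findings ETL sketched on this slide, together with the export-and-transform script from case study #1, can be illustrated with the following added Python example. It is not code from the deck or from Kaiser Permanente. It assumes three hypothetical source exports (a vulnerability scanner, an audit system and a DLP system) with constructed sample rows, a common four-level rating scale, and a default owner per source; the rating mappings and the DLP match-count thresholds are assumptions chosen for the example. It standardizes each source's rating vocabulary, applies a default assignment where the source row names no owner, builds a GRC-bound record set that carries only the transactional fields (ordered by priority, with a scorecard rollup), and keeps every original column in a separate external-store record set, as the slides recommend.

```python
import csv
import io
from dataclasses import dataclass, asdict
from typing import Dict, List, Tuple

# Constructed sample exports from three hypothetical source systems
# (sample data written for this example; not from the deck or from KP).
SCANNER_CSV = """host,plugin_id,severity,title,owner_group,raw_output
srv-db-01,10001,Critical,Unsupported database version,,"several KB of plugin output"
srv-web-07,10002,Info,Banner discloses server version,WebOps,"banner text"
"""
AUDIT_CSV = """finding_id,rating,description,business_unit
A-2013-017,High,Quarterly access review not evidenced,Finance
A-2013-018,Medium,Backup restore test overdue,Pharmacy
"""
DLP_CSV = """incident_id,user,policy,match_count,status
D-44812,jdoe,PHI outbound email,120,new
D-44813,asmith,PHI outbound email,3,new
"""

# Common rating scale used inside the GRC workspace (assumed four levels).
RANK = {"Critical": 1, "High": 2, "Medium": 3, "Low": 4}

# Each source keeps its own vocabulary; the ETL maps it onto the common scale.
SCANNER_RATING = {"Critical": "Critical", "High": "High", "Medium": "Medium",
                  "Low": "Low", "Info": "Low"}
AUDIT_RATING = {"High": "High", "Medium": "Medium", "Low": "Low"}
# Default assignment when the source row names no responsible party (assumed).
DEFAULT_OWNER = {"scanner": "Infrastructure Security", "audit": "Compliance", "dlp": "SOC"}


@dataclass
class Finding:
    source: str
    source_id: str
    rating: str
    title: str
    owner: str


def dlp_rating(match_count: int) -> str:
    # Assumed thresholds: a large number of PHI matches in one incident raises the rating.
    if match_count >= 100:
        return "High"
    if match_count >= 10:
        return "Medium"
    return "Low"


def normalize(source: str, row: Dict[str, str]) -> Finding:
    """Standardization + mapping + default assignment for one source row."""
    if source == "scanner":
        return Finding(source, f"{row['host']}:{row['plugin_id']}",
                       SCANNER_RATING.get(row["severity"], "Medium"), row["title"],
                       row["owner_group"] or DEFAULT_OWNER[source])
    if source == "audit":
        return Finding(source, row["finding_id"], AUDIT_RATING.get(row["rating"], "Medium"),
                       row["description"], row["business_unit"] or DEFAULT_OWNER[source])
    if source == "dlp":
        return Finding(source, row["incident_id"], dlp_rating(int(row["match_count"])),
                       f"{row['policy']} ({row['user']})", DEFAULT_OWNER[source])
    raise ValueError(f"unknown source system: {source}")


def run_etl(sources: Dict[str, str]) -> Tuple[List[dict], List[dict]]:
    """Return (grc_rows, external_rows).

    grc_rows hold only the standardized fields the transactional workspace needs,
    sorted by priority. external_rows keep every original column (for example the
    raw scanner output) for the external data store, linked back by source_id.
    """
    findings: List[Finding] = []
    external: List[dict] = []
    for source, text in sources.items():
        for row in csv.DictReader(io.StringIO(text)):
            finding = normalize(source, row)
            findings.append(finding)
            external.append({"source": source, "source_id": finding.source_id, **row})
    findings.sort(key=lambda f: (RANK[f.rating], f.source, f.source_id))
    return [asdict(f) for f in findings], external


def scorecard(grc_rows: List[dict]) -> Dict[str, Dict[str, int]]:
    """Counts per source per rating: the input for a metrics/scorecard view."""
    counts: Dict[str, Dict[str, int]] = {}
    for r in grc_rows:
        per_source = counts.setdefault(r["source"], {})
        per_source[r["rating"]] = per_source.get(r["rating"], 0) + 1
    return counts


if __name__ == "__main__":
    grc, ext = run_etl({"scanner": SCANNER_CSV, "audit": AUDIT_CSV, "dlp": DLP_CSV})
    for record in grc:
        print(record)
    print(scorecard(grc))
```

The split between the two record sets is the point of the slide's "bring only what is needed into GRC" advice: bulky scanner output and source-specific columns stay in the external set, linked by source_id, so the transactional workspace carries only the fields analysts act on, while the scorecard is computed from the same standardized records that drive the workflow.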
Page 19
Lessons learned
• Providing value early is the only way to go
• Do not jettison discipline in the rush to provide value
• Flexibility and simplicity go hand in hand
• Use software for its strength
Page 20
Q & A