How to harmonize IT GRC controls in your environment

In this podcast recorded at RSA Conference 2017, Tim White, Director of Product Management, Policy Compliance at Qualys, talks about achieving uniform compliance in risk management through harmonized GRC.


Here’s a transcript of the podcast for your convenience.

My name is Tim White, I’m the Director of Product Management at Qualys for compliance solutions. Today I’m going to talk about achieving uniform compliance in risk management through harmonized GRC. Heightened complaints in security environments require organizations to comply with regulations while mandating a security baseline. Top-down GRC provides structure, but little evidence data, while bottom-up approaches miss the links between the bigger GRC picture. In this talk, I’m going to discuss the harmonized approach, a uniform way in which many of our customers are addressing many of their compliance and risk requirements.

So there are four key challenges that we face in today’s challenging compliance environments. First and foremost is the need to comply with multiple regulations and mandates. There’s a whole breadth of standards out there that are available to help guide organizations on control selection, but then there are a lot of more broad regulatory requirements that don’t necessarily clearly state what it is that you need to implement from a technical perspective. So there’s a mismatch or a broken link between the security baseline and the regulatory requirements, which is a really significant challenge to overcome. And then there’s additional risk that gets captured in silos. Security happens in these different business functions and you lose the overall big picture, and it becomes a very significant challenge to tie all the general security controls and enforcement within each of these silos back to the original goals of the organization’s policy. The way we segment our IT infrastructure is a key example of that.

So, a little bit more on multiple regulations. I’m sure everyone is familiar with the fact that we continue to see more and more regulations as more and more breaches occur; the government gets involved in mandating, as well as industry regulatory entities like PCI, for example. So we have a lot of different overlapping requirements. HIPAA, PCI, NERC and the CIS Top 20 controls are a good example, where we have significant requirements for things like minimum password strength enforcement and minimum encryption standards. Having to deal with all these different regulations is a very significant challenge, to be able to show auditors that you meet the compliance controls across the board. And then there are oftentimes differing levels of enforcement required for those. So, password strength for example: PCI 8.2.3 and 8.2.4 talk about the requirements of password strength. HIPAA Rule 164.308 has somewhat different requirements for safeguarding passwords, and then we see the same things in CIRC CIP 007-5 and the CIS Top 20 Controls. So there’s a significant challenge in taking and interpreting all of these and bringing them back to a uniform standard.

If you look at just the breadth of industry-recommended, mandate-based standards, there are so many of them available to choose from that it makes things a significant challenge. And then we deal with the fact that not only do we have to implement these senior environments, but you have to do it across a very broad set of technologies. There are dozens and dozens of different operating systems with applications running on top of those. We have a variety of different mechanisms for access control and management; single sign-on adds to this complexity. So, as our systems are more interconnected and more complex, moving into the cloud, we have a significant challenge in dealing with those. And then you add on top of that additional emerging technologies. Docker containers are a good example, where you have workloads that are not always available for assessment and they’re complex, and you’ve got multiple configuration baselines, and so how do you assess and manage risks in those in a uniform way?

Then there’s general challenges with IT GRC. You know, organizations have these broad goals of showing that they have a repeatable policy and process and placement enforcement measurement. They usually require a significant amount of work to be able to automate the enforcement and tracking of the policies and then measuring and handling exceptions within that becomes an even more significant challenge. And then you add on top of that the operational aspects of compliance and risk management during assessment in the design and configuration implementation phases of new technologies looking at the consistency and deployment across a broad array of infrastructure components as we roll systems out. And then keeping those baselines configured and measurable over time.

There are a lot of things for us to face as IT GRC risk management individuals. And there are, you know, some uniform ways of approaching this problem that can help. If you start out with a common security baseline, for example, using a common mandate base or common assessment framework for defining your controls, where you start out with the clear definition of the mandate, the policy and the standards that are going to be enforced, then you look at those from the perspective of the people, the information technology and the processes involved in those applications and how the different mandates relate to those. And then you focus on mitigation strategies, where we use threat tracking, vulnerability assessment, evaluation of risks, controls and checks across a consistent framework to implement those.

The way you come up with that is you start out, we tend to kind of lean towards the bottom-up approach because it’s definitely more tied to the technology, or trying to solve the technology problem. We know how to implement controls; we start out with a clear definition of a baseline standard that we assess our organization against. If we can map that standard back to our security and risk objectives using a framework like NIST 800-53, for example, where you have control objectives, it’s kind of a good jumping point to go from the technical, operating system-focused control to something that’s granular enough to provide me separation, but general enough where I can map control objectives to the next level of IT risk management objectives, as well as mapping them back to my overall organizational policy.

From there, once I have this cross-mapping completed, I can then automate the process of risk management reporting, so I can roll up more easily. So a lot of the IT GRC tracking frameworks out there provide this top-down approach. You take the technology-based tool like the Qualys solution which provides the technical assessment of standards across the organization and you use the NIST 800-53 or similar type of control objective framework to map those technical standards to the higher level. By doing this, you can very quickly automate the reporting process so that you can get a continuous reporting to meet your quarterly and annual objectives while not getting lost in the weeds.

So, to do this is a fairly straightforward process. For the technical controls in Qualys today, we provide these mappings out of the box. So we’re helping our customers to make that step a lot more quickly. In the future we’re planning to provide access to those to GRC vendors so that they can quickly collect and automate the process of mapping technical controls to those control objectives, and their written policies to their control objectives.

We do this across a variety of different auditing frameworks, COSO and COBIT, NIST 800-53, as I mentioned before, providing the technical and procedural control automation capabilities, vulnerability assessment data, asset discovery, change detection and assessment of wide applications for security. You can then take all that technical data from the Qualys platform and bring that out and tie it into your automated reporting for ongoing asset discovery and classification – you need to implement the automated control assessment through a technology like Qualys and implement change tracking and notification. Tying those back into another auditing tool, something like RSA’s Archer – there’s a variety of other technologies on the market that many organizations are using for IT GRC reporting.

You can take that information and use it to drive intelligent benchmarks within your organization so that you can do vertical and industry comparisons. You can highlight the silos within your organization that are not meeting objectives, kind of taking the wall of shame approach. You can do comparative risk and compliance reporting for your business’ management and executive teams. And it also provides very good means of prioritizing response.

To summarize, start out with harmonizing your requirements, map the security baselines back to your control objectives, automate the assessment and reporting of your overall IT GRC initiatives, implement ongoing and automated monitoring to collect the information that you need to drive enforcement of these standards, and then finally use intelligent benchmarks and metrics to improve the overall security of your organization.
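As an added illustration of the harmonize-map-assess-roll-up steps summarized above (this is not code from the podcast or from any Qualys product), the following Python sketch takes one technical control, the mandates that cite it with differing minimums, and per-host assessment results, then derives the harmonized baseline, answers each mandate from a single assessment, and rolls up compliance by business silo. The mandate minimums and host data are constructed sample values, not the standards’ actual requirements.

```python
from collections import defaultdict

# Assumed: one technical control and the mandates that cite it. The minimum
# values are constructed placeholders, not the standards' actual text.
CONTROL = "minimum password length"
MANDATE_MINIMUMS = {
    "PCI DSS 8.2.3": 7,
    "HIPAA 164.308": 8,
    "NERC CIP-007-5": 8,
    "CIS Controls": 14,
}

# Constructed assessment data: host -> (business silo, observed setting).
ASSESSMENT = {
    "web-01": ("e-commerce", 14),
    "web-02": ("e-commerce", 8),
    "db-01": ("finance", 12),
    "hr-app-01": ("hr", 6),
}


def harmonized_baseline(minimums=MANDATE_MINIMUMS):
    """Harmonize: the strictest minimum satisfies every mandate that cites the control."""
    return max(minimums.values())


def failures_per_mandate(assessment=ASSESSMENT, minimums=MANDATE_MINIMUMS):
    """Map: assess each host once, then report against every mandate from that one result."""
    out = {}
    for mandate, required in minimums.items():
        out[mandate] = sorted(h for h, (_, v) in assessment.items() if v < required)
    return out


def rollup_by_silo(assessment=ASSESSMENT, baseline=None):
    """Roll up: per-silo (passing, total) against the harmonized baseline,
    which exposes the silos that are not meeting the objective."""
    baseline = harmonized_baseline() if baseline is None else baseline
    totals = defaultdict(lambda: [0, 0])
    for _, (silo, observed) in assessment.items():
        totals[silo][1] += 1
        if observed >= baseline:
            totals[silo][0] += 1
    return {silo: tuple(counts) for silo, counts in totals.items()}
```

A host that meets the harmonized baseline passes every mandate, while a host that misses it may still pass the looser mandates, which is why the per-mandate view and the baseline roll-up are both reported.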

RSA Conference 2017