Nick Connor - PowerPoint PPT Presentation
Slides: 52

Transcript and Presenter's Notes
1
Security Innovation Technology Consortium (SITC)
Governance, Risk & Compliance Special Interest Group (GRC SIG)
GRC Interoperability Standard
Thursday, 22nd January 2009, CPNI, London
  • Nick Connor, Assuria Limited
  • Stephen Hall, Infogov
  • Mike Popham, Infogov
2
Agenda
1230 Arrival, Registration, Lunch
1300 Welcome and Introduction (Paul Osborne, SITC)
1310 Government perspective on GRC (Phil H, CPNI)
1320 Industry perspective on GRC (Martin Jordan, KPMG)
1330 GRC Presentation - Stephen Hall
1400 GRC Interoperability Architecture - Nick Connor and Mike Popham
1420 GRC Interoperability Demonstration - Nick Connor and Stephen Hall
1450 GRC Essential Features Demonstration - Nick Connor and Stephen Hall
1515 Q&A
3
Stephen
GRC Presentation - Stephen Hall
Governance - setting business strategy and objectives, determining risk appetite, establishing culture and values, developing internal policies and monitoring performance.
Risk Management - identifying and assessing risks that may affect the ability to achieve objectives, applying risk management to gain competitive advantage, and determining risk response strategies and control activities.
Compliance - operating in accordance with objectives and ensuring adherence to laws and regulations, internal policies and procedures, and stakeholder commitments.
4
Stephen
GRC Framework for Corporate Objectives
GRC provides a framework and a methodology to
enable those people responsible for managing the
business to give confidence to those people who
are accountable to shareholders and to regulators
that corporate objectives are being met.
5
Business drivers for an integrated approach to
GRC
Stephen
Increased complexity due to globalisation
Increased competitive pressures
Increasing regulations
Governance Risk and Compliance
Ethical and financial scandals
New technologies
Integrity-driven performance expectations
Transparency and accountability demands
Increased demands from stakeholders
6
GRC Challenges - PwC/META Group Research
Stephen
(Columns: Strategic View / Operational Issues / Future Trends)
  • Significant improvements are expected in the
    areas of data accuracy, quality of decision
    making, task redundancies, etc.
  • Technology will be a critical GRC enabler
  • Effective GRC can realise value in the areas of
    reputation and brand, employee retention and
    revenue
  • See GRC as a value driver
  • The need for connection among GRC is understood
    and valued although operational issues exist
  • Exposure to substantial risk through
    insufficient commitment to risk management
  • Manual processes are instrumental to meet GRC
    requirements
  • Most do not have real-time GRC capability; 1/3
    of regulated organisations are not even close
  • Growing investment area, but light on cost and
    value measurement
  • Investment shifting towards technology

7
Stephen
GRC: What are the objectives?
Governance - Ultimately, Governance determines what the Board is responsible for and to what degree it entrusts day-to-day administration to the CEO, the management team and perhaps below.
Knowledge Management - In creating a shared governance, risk and compliance environment, software supports performance objectives by regulation, standards and policy to whatever degree the Board wants.
Process - Crucially, software enables linkage of roles, processes and assets. Plan, Do, Check, Act (PDCA) processes should be effectively managed in a single framework so the organisation as a whole is better governed.
Technology - Convergence of data, status, actions and incidents must be easily monitored, providing visibility and control to the business.
8
Stephen
What Do GRC Technologies Achieve
  • Online audit of external suppliers, saves time and money
  • Online audit of any part of your organisation against any standard
  • Create an Information Security focused asset register
  • Define generic work roles
  • Do business impact analysis simply and easily
  • Identify the key services, assets and data which need Business Continuity or DR
  • Perform Risk Assessments, simply and easily
  • Incident reporting with a difference
  • Build a central policy register
  • Helps you plan your security investment
  • Provides you with a real time RiskView
  • Allows you to report on anything
  • Links assets to legislation/controls
  • Roles linked to controls/policy/procedures
  • Quick win, keeps risk business focused
  • Reduce exposure
  • Reduces risks with countermeasures
  • Understand the financial and operational impact
  • Supports the audit process
  • Spend effectively and wisely
  • Manage more effectively
  • Reduces reliance on third parties
9
Stephen
Enterprise Scope of GRC Technologies
  • A dashboard bridges the gap between the complexity of the subject and senior management
  • Flexible reporting to enable the audit committee to quickly evaluate the company's risk
  • Gather information from subject matter experts and add value through integration of data
  • Compliance (Gap Analysis) for any Standard, Regulation, or Legislation
10
Mike
Requirement to Interoperate
Operational Requirement: throughout the supply chain, dynamically sense, analyse and manage
  • Risks - operational, financial and IT
  • Compliance with regulations, standards, policies and objectives
There is therefore a need for a multiplicity of sensors to interface with GRC technology, so that the management and reporting utility exists for these operational requirements to be met and actions taken.
Sensors: heat, light, sound, locks, alarms, CCTV, illumination, physical, wireless, information, and technologies such as those for Identity Management.
11
Mike
Interoperability Architecture
Sense - Host Enterprise
  • Upload current risk register (inherits current values)
  • Link assets to processes, to roles carried out by people
  • Adopt controls from internal or external standards
Effect - Host Enterprise
  • Author own controls using the Proteus self-authoring tool
  • Auto-generation of questionnaires, emailed, delegated and responded to (yes, no, partial) with evidence and action plans etc.
  • Creates a shared GRC environment with instant reporting via the web
Template Library Summary: ISO 27000 series, BS 25999, Physical Risk Audit, Gambling Commission, CobiT 4.1, Data Protection Act, EU Data Privacy, Civil Contingencies Act, Freedom of Information Act, SOX, SAS70, PCI DSS, PAS8000, ISF
12
GRC Sensors: Interoperability architecture
  • Nick Connor, MBCS, CITP, MMIS
  • Managing Director and Co-founder
  • Assuria Limited

13
Sensors
  • Introduction
  • Sensor relation to GRC
  • Sensor capabilities
  • Sensors and GRC
  • Required GRC Standard
  • Summary

14
Sensors
  • What do we mean by sensors?
  • Tools (typically software) that monitor the
    status (state) of a process or asset.
  • Our focus is anything that may impact the
    Confidentiality, Integrity or Availability of
    assets.
  • Broadly
  • IT assets and controls
  • Physical assets and controls
  • External / Environmental

15
Typical sensor
(Architecture diagram: Agents, Probes and Detectors monitor, detect and report events and conditions; these are aggregated and evaluated into a Database; the Management Console summarises and reports, producing Reports.)
16
Example IT sensors
  • System monitors: vulnerability assessment, configuration and policy compliance
  • Network traffic monitors: intrusion detection, intrusion prevention, firewall/router logs
  • Access and identity monitors: failed logins, privilege escalation, biometric identities
  • Web site monitors: vulnerabilities, pages visited, referred from
  • End point monitoring: permitted user activity, data leakage monitoring, anti-virus, anti-phishing, malware detection
  • Others: event and audit log collection (operating system, infrastructure, applications)

17
GRC and Sensors
(Diagram, source: Gartner, January 2006)
Governance, Risk and Compliance
Controls: ISO 27001, ISO 13335, NIST 800-53, CIS
Sensors: software sensors, for example configuration assurance, vulnerability assessment, policy compliance, change detection, audit log management
18
Sensors can:
  • provide automated input from low level data to:
  • identify changes in the risk posture of assets
  • confirm compliance (or non-compliance) with legislation and regulation
  • verify and confirm working controls (and non-working controls)
  • correlate / aggregate many events into a state change
  • highlight new risks / threats
  • identify incidents
  • identify possible data leakage
  • identify potential reputation damage
  • many more

19
To enable sensors to provide data to GRC we need an interface.
GRC systems
  • Common Language
  • Connection technology
  • Protocol

(Diagram: the typical sensor stack - Agents, Probes and Detectors monitoring, detecting and reporting events and conditions; aggregation and evaluation into a Database; the Management Console summarising and reporting into Reports - connected to the GRC system through that interface.)
20
GRC systems
The GRC Interface must support multiple sensors
  • Common Language
  • Connection technology
  • Protocol

(Diagram: several different sensors, each with its own monitoring, aggregation, database and reporting layers, feeding the single GRC interface.)
21
GRC and Sensors
(Diagram, source: Gartner, January 2006)
Governance, Risk and Compliance
Controls: ISO 27001, ISO 13335, NIST 800-53, CIS
GRC Interface for Information exchange
Sensors: software sensors, for example configuration assurance, vulnerability assessment, policy compliance, change detection, audit log management
22
GRC Information Standard
  • To facilitate the exchange of data between various sensors and GRC products.
  • To include:
  • Common definition of terms - a GRC language
  • Common connection technology - how do the products talk to each other?
  • Common interchange protocol - how do products interchange information?

23
Proposed GRC standard: proposed characteristics
  • Open standard, community developed; the MITRE model is suggested
  • Should be XML based
  • Open ended and extensible: allow for ISO 27001, ITIL, CVE, CVSS, XCCDF, OVAL

24
Need for common language
  • Common language: computer- and human-readable
  • Sensors and GRC tools often come from different backgrounds and have their own terminology for their information.
  • What is a vulnerability?
  • What is the impact of a vulnerability?
  • What is risk?
  • What is a threat, and how is it evaluated?

25
Standards and emerging standards.
  • In IT Security the best established relevant
    standards are probably CVE and CVSS
  • Common Vulnerabilities and Exposures, or CVE, is
    a dictionary of publicly-known information
    security vulnerabilities and exposures.
  • Common Vulnerability Scoring System (CVSS) is an
    industry standard for assessing the severity of
    computer system security vulnerabilities.

26
Must be extensible...
(Diagram, source: Gartner, January 2006)
Governance, Risk and Compliance
Controls: ISO 27001, ISO 13335, NIST 800-53, CIS
Information exchange gap
Sensors: software sensors, for example configuration assurance, vulnerability assessment, policy compliance, change detection, audit log management
27
XCCDF: an example of an XML based standard
28
(No Transcript)
29
XCCDF - The Extensible Configuration Checklist
Description Format
  • XCCDF is a specification language for writing
    security checklists, benchmarks, and related
    kinds of documents.  An XCCDF document represents
    a structured collection of security configuration
    rules for some set of target systems.
  • The specification is designed to support
    information interchange, document generation,
    organizational and situational tailoring,
    automated compliance testing, and compliance
    scoring. The specification also defines a data
    model and format for storing results of benchmark
    compliance testing.
  • The intent of XCCDF is to provide a uniform
    foundation for expression of security checklists,
    benchmarks, and other configuration guidance, and
    thereby foster more widespread application of
    good security practices.
  • XCCDF documents are expressed in XML, and may be
    validated with an XML Schema-validating parser.
  • XCCDF was designed to support integration with
    multiple underlying configuration checking
    'engines'.  The expected or default checking
    technology is MITRE's OVAL(tm). 
  • Source: NIST XCCDF web site - http://nvd.nist.gov/xccdf.cfm
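The bullets above describe XCCDF in the abstract; what a benchmark and its result actually look like on the wire, and how a GRC-side consumer would read them, is shown by the following added example of mine (not code from the presentation, NIST or MITRE). It parses a constructed XCCDF 1.1 benchmark with Python's standard library: three rules that mirror the deck's example checks, each delegating its test to an OVAL definition (the default checking engine) and naming an ISO 27001 control through a `reference` element, plus a `TestResult`. From that it derives the per-rule results, the default-model score for a flat rule list, and a worst-result-wins status per referenced control. The rule ids, the OVAL definition ids and the `urn:example:` reference href are invented.

```python
"""Parse an XCCDF 1.1 benchmark and its TestResult with the standard library
(added example, not code from the deck, NIST or MITRE)."""
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"   # default check system
NS = {"x": XCCDF_NS}

# Constructed sample mirroring the deck's example checks. The rule ids, the
# OVAL definition ids and the urn:example: reference href are invented.
SAMPLE_BENCHMARK = f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="{XCCDF_NS}" id="sitc-demo-benchmark">
  <status date="2009-01-22">draft</status>
  <title>SITC GRC demonstration checks</title>
  <version>0.1</version>
  <Rule id="rule-av-up-to-date" selected="true" weight="2.0">
    <title>Anti-virus product installed and up to date</title>
    <reference href="urn:example:iso27001:2005">A.10.4.1</reference>
    <check system="{OVAL_NS}"><check-content-ref href="demo-oval.xml" name="oval:example.demo:def:1"/></check>
  </Rule>
  <Rule id="rule-max-password-age" selected="true" weight="1.0">
    <title>Maximum password age no more than 90 days</title>
    <reference href="urn:example:iso27001:2005">A.11.3.1</reference>
    <check system="{OVAL_NS}"><check-content-ref href="demo-oval.xml" name="oval:example.demo:def:2"/></check>
  </Rule>
  <Rule id="rule-guest-privileges" selected="true" weight="1.0">
    <title>Guest account cannot change passwords</title>
    <reference href="urn:example:iso27001:2005">A.11.2.2</reference>
    <check system="{OVAL_NS}"><check-content-ref href="demo-oval.xml" name="oval:example.demo:def:3"/></check>
  </Rule>
  <TestResult id="result-20090122" end-time="2009-01-22T14:30:00">
    <target>web01.example.local</target>
    <rule-result idref="rule-av-up-to-date"><result>pass</result></rule-result>
    <rule-result idref="rule-max-password-age"><result>fail</result></rule-result>
    <rule-result idref="rule-guest-privileges"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""

UNSCORED = {"notapplicable", "notchecked", "informational", "notselected"}  # default model skips these
SEVERITY = {"fail": 3, "error": 3, "unknown": 2, "notchecked": 2, "notapplicable": 1,
            "informational": 1, "notselected": 1, "fixed": 0, "pass": 0}   # worst result wins


def load_benchmark(xml_text: str) -> ET.Element:
    """ElementTree is schema-unaware, so at least refuse the wrong root element."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XCCDF_NS}}}Benchmark":
        raise ValueError(f"not an XCCDF 1.1 Benchmark: {root.tag}")
    return root


def rules(benchmark: ET.Element) -> Dict[str, dict]:
    """Selected Rules at any Group depth: weight, control references, OVAL ids."""
    table = {}
    for rule in benchmark.iter(f"{{{XCCDF_NS}}}Rule"):
        if rule.get("selected", "true") not in ("true", "1"):
            continue
        table[rule.get("id")] = {
            "weight": float(rule.get("weight", "1.0")),
            "controls": [r.text.strip() for r in rule.findall("x:reference", NS) if r.text],
            "oval": [ref.get("name")
                     for chk in rule.findall("x:check", NS) if chk.get("system") == OVAL_NS
                     for ref in chk.findall("x:check-content-ref", NS)],
        }
    return table


def rule_results(benchmark: ET.Element) -> Dict[str, str]:
    """{rule id: result} taken from the document's last TestResult."""
    tests = benchmark.findall("x:TestResult", NS)
    if not tests:
        raise ValueError("benchmark carries no TestResult")
    return {rr.get("idref"): rr.findtext("x:result", default="unknown", namespaces=NS).strip()
            for rr in tests[-1].findall("x:rule-result", NS)}


def default_score(table: Dict[str, dict], results: Dict[str, str]) -> float:
    """XCCDF default scoring model on a flat rule list: pass/fixed = 100,
    any other scored result = 0, weighted mean on a 0..100 scale."""
    total = weights = 0.0
    for rid, info in table.items():
        res = results.get(rid, "notchecked")
        if res in UNSCORED or info["weight"] == 0:
            continue
        total += info["weight"] * (100.0 if res in ("pass", "fixed") else 0.0)
        weights += info["weight"]
    return round(total / weights, 2) if weights else 0.0


def control_status(table: Dict[str, dict], results: Dict[str, str]) -> Dict[str, str]:
    """Roll rule results up to the ISO 27001 controls they reference."""
    status: Dict[str, str] = {}
    for rid, info in table.items():
        res = results.get(rid, "notchecked")
        for ctrl in info["controls"]:
            if ctrl not in status or SEVERITY.get(res, 2) > SEVERITY.get(status[ctrl], 2):
                status[ctrl] = res
    return status


def demo() -> Tuple[float, Dict[str, str]]:
    bench = load_benchmark(SAMPLE_BENCHMARK)
    table, results = rules(bench), rule_results(bench)
    return default_score(table, results), control_status(table, results)
```

Two things worth noticing for the GRC use case: a `notchecked` rule is left out of the score entirely, so a high score can hide controls that were never tested, which is why the control roll-up reports it rather than treating it as a pass; and nested `Group` elements would need the default model's recursive weighting, which this flat version does not implement.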

30
Human readable
Automated testing
31
Community developed
Example OVAL email discussion list
32
Other Information Security Data Standards (US centric)
  • Enumerations
  • (CVE) Common Vulnerabilities and Exposures - http://cve.mitre.org
  • (CCE) Common Configuration Enumeration - http://cce.mitre.org
  • (CPE) Common Platform Enumeration - http://cpe.mitre.org
  • (CWE) Common Weakness Enumeration - http://cwe.mitre.org
  • (CAPEC) Common Attack Pattern Enumeration and Classification
  • (CVSS) Common Vulnerability Scoring System - http://www.first.org/cvss/cvss-guide.html
  • Languages
  • (OVAL) Open Vulnerability and Assessment Language - http://oval.mitre.org
  • (CRF) Common Result Format - http://crf.mitre.org
  • (CEE) Common Event Expression - http://cee.mitre.org
  • Repositories
  • OVAL Repository
  • (NVD) National Vulnerability Database
  • (SCAP) NIST Security Content Automation Protocol
  • Red Hat Repository
  • (CIS) Center for Internet Security Benchmarks
  • (STIGS) DISA Security Technical Implementation Guides

33
How the MITRE standards fit together
(Diagram) Attack taxonomy: CAPEC - CCE, CWE, CVE, CVSS, CPE - XCCDF, OVAL - SCAP Content - NVD
34
MITRE standards and SITC GRC standard
(Diagram) Attack taxonomy: CAPEC - CCE, CWE, CVE, CVSS, CPE - XCCDF, OVAL - SCAP Content - NVD, with the GRC Standard sitting between the Sensors and the GRC tools
35
XML Schema example
36
Challenges for the GRC Standard
  • Broad range of possible sensors, including:
  • configuration auditing
  • identity and access management
  • security information and event management
  • Beyond IT: physical controls, environmental, and ...?
  • Not all are obviously security related, but should be CIA (Confidentiality, Integrity, Availability) related
  • Aggregation of information: consolidate events (data) into GRC-usable information (state change?)
  • Reference and use a wide range of relevant external standards
  • Liaise with authors/authorities of emerging relevant standards
  • Wide UK community participation, balanced by speed of delivery
  • Limited only by our imagination

37
Thank you
  • Questions?

38
GRC Essential Features Demonstration
Nick
Stephen
GRC Sensor Technology
GRC Management Technology
39
SITC GRC Interoperability demonstration
  • Sensor demonstration

40
Demonstration scenario
Tier 1 - The web server front end, running products such as Microsoft's Internet Information Services (IIS) or Apache HTTP Server (Apache); these two products support over 80% of the world's web sites. In this case the web servers are running Microsoft IIS.
Tier 2 - The application servers, which host the business logic and business processes for the web service.
Tier 3 - The database server, which provides the data storage and database services to the other servers.
41
Demonstration
  • Today we are looking at 2 systems.
  • A Windows Server 2003 system
  • A Windows VISTA system

42
Demonstration
  • Sensors detect and report a state change.
  • Sensors feed change information to GRC.
  • GRC reflects the change of state in the asset status.
  • For example: a sensor detects that a server now has a serious vulnerability which did not previously exist on the server. The data sent to GRC is "server state changed from non-vulnerable to vulnerable"; supplementary data is the nature of the vulnerability and the current and previous state (non-vulnerable to vulnerable).

43
GRC Standard requirement
GRC world: InfoGov PROTEUS
Demonstration today: a very narrow slice of the possible range of information - a small number of simple ISO 27001 checks
Sensor world: Assuria Sensors, other sensors
44
Example checks
  • ISO-27001-A.10.4 Protection against malicious and mobile code. The sensor can verify whether the operating system is appropriately configured to provide protection against malicious code by checking that an anti-virus product is installed and up to date and, for Internet Explorer, whether safe scripting is enabled.
  • Demonstration: see if an anti-virus product is active and up-to-date.
  • ISO-27001-A.10.10.1 Audit logs recording user activities, exceptions and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.
  • Many aspects of a system's audit log configuration can be checked for compliance.
  • Demonstration: show that if system auditing is not correctly configured, this is reflected in the GRC Console.
  • ISO-27001-A.11.2.2 The allocation and use of privileges shall be restricted and controlled.
  • Many aspects of user configuration can be checked and verified as being consistent with requirements.
  • Demonstration: use checks to show that the user Guest has a privilege that allows it to change passwords.
  • ISO-27001-A.11.3.1 Users shall be required to follow good security practices in the selection and use of passwords.
  • Demonstration: use the checks that show that a user has Maximum password age set too high.

45
Sensor / GRC information exchange
GRC world: InfoGov PROTEUS
Demonstration today: information exchange via an XML based interface
Sensor world: Assuria Sensors, other sensors
46
Assuria Auditor
  • Detects and reports potential security
    vulnerabilities and security configuration bad
    practice with detailed analysis and remediation
    recommendations
  • Reports variations to security configuration
    policy
  • Monitors ongoing compliance to external standards
    / policies
  • Reports unauthorised system changes
  • Allows regular scheduled scanning/monitoring as
    well as auditor snapshots
  • Flexible Alerting
  • Alert on Policies
  • Alert on Event Log entries

47
Example Assuria Auditor report
48
Detail information in Sensor report
49
Demonstration
  • Run sensor scan on 2 systems
  • View results and show vulnerabilities detected
  • Generate XML report
  • Send to GRC
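The exchange the demonstration walks through (scan, evaluate, generate an XML report of the state change, send it to GRC, GRC updates the asset status) as an added example of mine, not the presentation's or the vendors' code. The message format and its namespace are hypothetical, since the SITC standard's real schema is not shown on these slides; the hostnames and the observations are constructed; the four checks follow the example ISO 27001 checks above. It goes one step beyond the single-server slide: both demonstration systems, several controls at once, and a GRC side that refuses a replayed or out-of-sequence report rather than silently flipping an asset's status.

```python
"""Sensor-to-GRC state-change exchange (added example, not the deck's or the
vendors' code). The message format, namespace, hostnames and observations are
invented; the four checks follow the deck's example ISO 27001 checks."""
import xml.etree.ElementTree as ET
from typing import Dict, List

GRC_NS = "urn:example:sitc-grc:0.1"     # hypothetical interchange namespace
ET.register_namespace("grc", GRC_NS)
NS = {"g": GRC_NS}
VALID_STATES = {"compliant", "non-compliant"}

# check id -> (ISO 27001:2005 control, predicate over one scan's observations)
CHECKS = {
    "av-active-and-current":   ("A.10.4.1",  lambda o: o["av_installed"] and o["av_signature_age_days"] <= 7),
    "audit-policy-configured": ("A.10.10.1", lambda o: o["audit_logon_events"] == "Success,Failure"),
    "guest-cannot-change-pwd": ("A.11.2.2",  lambda o: not o["guest_can_change_passwords"]),
    "max-password-age":        ("A.11.3.1",  lambda o: o["max_password_age_days"] <= 90),
}

# Constructed observations from two scans of the two demonstration systems.
PREVIOUS_SCAN = {
    "srv2003.example.local": dict(av_installed=True, av_signature_age_days=2,
                                  audit_logon_events="Success,Failure",
                                  guest_can_change_passwords=False, max_password_age_days=42),
    "vista01.example.local": dict(av_installed=True, av_signature_age_days=1,
                                  audit_logon_events="No auditing",
                                  guest_can_change_passwords=False, max_password_age_days=42),
}
CURRENT_SCAN = {   # AV signatures went stale on one box; the other fixed auditing but raised password age
    "srv2003.example.local": dict(PREVIOUS_SCAN["srv2003.example.local"], av_signature_age_days=21),
    "vista01.example.local": dict(PREVIOUS_SCAN["vista01.example.local"],
                                  audit_logon_events="Success,Failure", max_password_age_days=365),
}


def evaluate(scan: Dict[str, dict]) -> Dict[str, Dict[str, str]]:
    """Sensor side: many observations become one state per (asset, control);
    any failing check makes its control non-compliant."""
    state: Dict[str, Dict[str, str]] = {}
    for asset, obs in scan.items():
        per_control: Dict[str, str] = {}
        for control, predicate in CHECKS.values():
            failed = not predicate(obs) or per_control.get(control) == "non-compliant"
            per_control[control] = "non-compliant" if failed else "compliant"
        state[asset] = per_control
    return state


def state_changes(previous: Dict[str, Dict[str, str]],
                  current: Dict[str, Dict[str, str]]) -> List[dict]:
    """One record per (asset, control) whose state differs from the last scan;
    an asset seen for the first time is a change from 'unknown'."""
    changes = []
    for asset, controls in current.items():
        for control, now in controls.items():
            was = previous.get(asset, {}).get(control, "unknown")
            if was != now:
                changes.append({"asset": asset, "control": control, "previous": was, "current": now})
    return changes


def to_xml(changes: List[dict], sensor: str = "Assuria Auditor",
           generated: str = "2009-01-22T14:30:00Z") -> bytes:
    """Serialise the changes in the hypothetical interchange format."""
    root = ET.Element(f"{{{GRC_NS}}}StateChangeReport", {"sensor": sensor, "generated": generated})
    for c in changes:
        sc = ET.SubElement(root, f"{{{GRC_NS}}}StateChange", {"asset": c["asset"], "control": c["control"]})
        ET.SubElement(sc, f"{{{GRC_NS}}}Previous").text = c["previous"]
        ET.SubElement(sc, f"{{{GRC_NS}}}Current").text = c["current"]
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def apply_report(register: Dict[str, Dict[str, str]], report: bytes) -> Dict[str, Dict[str, str]]:
    """GRC side: validate before trusting. The root must be ours, every state a
    known value, and each change's 'Previous' must match what the register holds,
    so a replayed or out-of-order report is refused instead of flipping an asset's
    status. (Parse reports from untrusted senders with defusedxml, not plain ET.)"""
    root = ET.fromstring(report)
    if root.tag != f"{{{GRC_NS}}}StateChangeReport":
        raise ValueError(f"unexpected root element {root.tag}")
    for sc in root.findall("g:StateChange", NS):
        asset, control = sc.get("asset"), sc.get("control")
        previous = sc.findtext("g:Previous", namespaces=NS)
        current = sc.findtext("g:Current", namespaces=NS)
        if current not in VALID_STATES:
            raise ValueError(f"bad state {current!r} for {asset}/{control}")
        held = register.get(asset, {}).get(control, "unknown")
        if held != previous:
            raise ValueError(f"{asset}/{control}: register holds {held!r}, report expects {previous!r}")
        register.setdefault(asset, {})[control] = current
    return register


def demo():
    """Run both scans, ship the changes as XML and apply them to a GRC register."""
    previous, current = evaluate(PREVIOUS_SCAN), evaluate(CURRENT_SCAN)
    report = to_xml(state_changes(previous, current))
    grc_register = {asset: dict(ctrls) for asset, ctrls in previous.items()}   # what GRC held before
    return report, apply_report(grc_register, report)
```

The design point is the one the slides call aggregation: the sensor sends the GRC product a state change per control, not the raw stream of observations, and it carries the previous state with the new one so the consumer can detect a lost or replayed message. In a real deployment the report would also need to be signed or sent over an authenticated channel; without that, anyone who can reach the GRC endpoint can mark an asset compliant.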

50
XML Output file
51
Questions?