Buzz word IT-GRC , who doesn't know about it !! 17 billion dollar market as per Gartner report.
You must be wondering what is this GRC acronym stands for ? why people are talking about it ?
I would like to take this opportunity and dwell a bit in to IT-GRC and express my thoughts on this market. Let me answer the question what GRC is , G stands for Governance, R stands for Risk and C stands for Compliance, as easy as it sounds...well not really !:).
Why people are talking about GRC ? Simple because Government and Compliance industry combination have created havoc for institution specially for finance and medical insurance companies in US. Regulations like SOX, HIPAA, GLBA, FFIEC BASELII ,PCI and what not !!! Every country has its own standards, Europe will have its own version of SOX and HIPAA . To comply to this regulation smart marketing people came up with Frameworks, Initially BS-7799 now ISO -27001, COBIT and now I am hearing ITIL , all claiming to be master framework which can manage other frameworks regulation and standards. Each framework has its certification from which they create revenue.
All the regulation and standards has one thing in common , Due care/Due diligence, Which means there is sufficient effort to prevent something catastrophic from happening and if fatal event happenes then organization is ready for the same. Also it takes in to account that Risk to the business is known and either it is accepted or mitigated or transferred.
However , these giant frameworks and strict regulations are good to have but as they say "Everything in Excess is Poison". Too many regulations and too many framework will create chaos for the management and last but not least too many threats and vulnerability and hence too many RISK. Hence there is a need for GRC which can manage these many compliance to regulations.
If we see current scenario, compliance is merely a tick mark against the requirement. Do You have IDS? Yes ...complied ! woohoo ... Well if Auditor is good he might get in to the details of log management , sometimes they do but at the end of the day BufferOverflow in .dll sounds like latin to Auditor. He will see a process, is this bufferoverflow mitigated?, and my worry is most of compliance auditors doesn't have the expertise to question the mitigation efficacy !
Million dollar question if I am completely compliant to say PCI regulation does it mean that I am secure ? More often than not , answer is no. original scope of regulation is to strengthen security but the results are totally opposite !! In the burden of so many regulations, security takes the backseat ! Multiple issues, Internal security guys are loaded with too many regulations, External auditor can not be expert in all the areas, and if you go to Defcon you will realize that no matter what you do , you are always hackable ! so why create strict regulation to compliance , its better to provide some leeway to the companies in midst of so many regulations.
We have seen so many hacking incidence in the past , TJ MAX, and similar and Monster being the recent.
We will continue to be like Ostrich and will be happy looking at all the compliance reports and sending them to management to make them happy but at the end of the day it takes single Security breach to break that myth.
Finally you are as good as your people. You make sure that people has required ethical and technical skills and you should be good ! No compliance standard or regulation can beat the security that you get from your loyal employees !
You must be wondering what is this GRC acronym stands for ? why people are talking about it ?
I would like to take this opportunity and dwell a bit in to IT-GRC and express my thoughts on this market. Let me answer the question what GRC is , G stands for Governance, R stands for Risk and C stands for Compliance, as easy as it sounds...well not really !:).
Why people are talking about GRC ? Simple because Government and Compliance industry combination have created havoc for institution specially for finance and medical insurance companies in US. Regulations like SOX, HIPAA, GLBA, FFIEC BASELII ,PCI and what not !!! Every country has its own standards, Europe will have its own version of SOX and HIPAA . To comply to this regulation smart marketing people came up with Frameworks, Initially BS-7799 now ISO -27001, COBIT and now I am hearing ITIL , all claiming to be master framework which can manage other frameworks regulation and standards. Each framework has its certification from which they create revenue.
All the regulation and standards has one thing in common , Due care/Due diligence, Which means there is sufficient effort to prevent something catastrophic from happening and if fatal event happenes then organization is ready for the same. Also it takes in to account that Risk to the business is known and either it is accepted or mitigated or transferred.
However , these giant frameworks and strict regulations are good to have but as they say "Everything in Excess is Poison". Too many regulations and too many framework will create chaos for the management and last but not least too many threats and vulnerability and hence too many RISK. Hence there is a need for GRC which can manage these many compliance to regulations.
If we see current scenario, compliance is merely a tick mark against the requirement. Do You have IDS? Yes ...complied ! woohoo ... Well if Auditor is good he might get in to the details of log management , sometimes they do but at the end of the day BufferOverflow in .dll sounds like latin to Auditor. He will see a process, is this bufferoverflow mitigated?, and my worry is most of compliance auditors doesn't have the expertise to question the mitigation efficacy !
Million dollar question if I am completely compliant to say PCI regulation does it mean that I am secure ? More often than not , answer is no. original scope of regulation is to strengthen security but the results are totally opposite !! In the burden of so many regulations, security takes the backseat ! Multiple issues, Internal security guys are loaded with too many regulations, External auditor can not be expert in all the areas, and if you go to Defcon you will realize that no matter what you do , you are always hackable ! so why create strict regulation to compliance , its better to provide some leeway to the companies in midst of so many regulations.
We have seen so many hacking incidence in the past , TJ MAX, and similar and Monster being the recent.
We will continue to be like Ostrich and will be happy looking at all the compliance reports and sending them to management to make them happy but at the end of the day it takes single Security breach to break that myth.
Finally you are as good as your people. You make sure that people has required ethical and technical skills and you should be good ! No compliance standard or regulation can beat the security that you get from your loyal employees !
4 comments:
I concur to this - One example of what I have seen is to comply to auditor requirements, they need to have same config on all IPS's that were deployed on mulitple locations which makes sense until it goes on to say that even Signature tuning also to be same on all IPS - How can this be???
Even having complied to all these gives you only a feeling of security but actually you are still vulnerable..
I know of an organization that was passed by a well known big 4 consulting company in their annual PCI onsite audit.
This company ran redhat 5.1 on their production web servers which accept credit cards.. but not to worry.. they were given the PCI green light of approval ! =)
Hey TCP, good project!
I like it! you have a good way to express your Ideas, I will subscribe.
Regards
Good stuff !! SO true :)
Post a Comment