LSEC - Leaders in Security

Truth or Dare – Course and Seminar on GRC, Governance Risk & Compliance

Just before the economic crisis, the next big acronym was blasted into the market promising an overall strategy for a very old challenge : GRC. GRC could stand for Getting Reasonably Cold, Growing Rapidly Clean, Green Recyclable Costs, General Restructuring Climate, Given Reaction Challenge – or in our case Governance, Risk & Compliance.

The last two to three years, an ever growing set of regulations, requirements to become compliant, additional components, various measurements, whaling, correlated events, … have resulted not only in increased security measures, but also the necessity to provide comprehensive reporting, instant-available real-time situation overviews, anticipating audits and providing sufficient means and information to report on them.

Introduction

Any company has to deal with a variety of disruptive changes evolving : threats, technology, business, economics, compliance. Corporate boundaries are disappearing with opportunities such as ever growing mobile, internet web 2.x and cloud offerings. Reduction of cost, centralization, mergers and consolidation provide challenges of maintaining environments less familiar than the homegrown systems.

Governance, Risk and Compliance, collectively GRC is an acronym that creates headaches and a challenge for many IT and security managers, but also legal officers and business executives. Having tools and technologies to support management, maintenance and enforcing is already one major element, but allowing for comprehensive reporting on an executive level and bringing results of reporting back into the development area could be more challenging.

During the following seminar, we are trying to get an understanding of the evolution of the market, by presenting some live experiences, some key lessons learned during and beyond implementation, challenges for integration and maintenance, potential for in-house or outsourced GRC, and ways of seizing the internal and external audits. We’ll have a look at potential tools, their benefits and advantages and their deficits. We will try to present an evolutionary landscape and roadmap, following some other available examples with a view of the impact of virtualization and cloud environment.

Program Outline

Program
9.30 : Welcome & Registration
9.45 : Opening Notes & Introduction by Ulrich Seldeslachts, CEO LSEC
Coffee continuously available during the morning.
10.00 : Introduction to GRC, understanding the basic and overview, by Wouter Janssen, Axl-Trax
Abstract : 
Managing risk through GRC (Governance, Risk & Compliance)
- Short overview of (SAP)GRC components(?)
- SAP and risk management (IT , security & process risks)
- Categorization of SAP risks and types of controls for mitigation
- Access risks (GRC AC), segregation of duties and the art of automation
- Process risks and business process control
- An approach for selecting risks and establishing appropriate control measures
Risk assessment & selection/identification
Establishing control objectives and key controls
Documentation, automation and process-orientation
Roles & responsibilities
Closing the circle: continuous monitoring of controls effectiveness
About : About : Wouter Janssen CISSP CISA CISM CGEIT CFE is a security specialist working as a director for Axl & Trax in Belgium. Working in the security consulting and audit field for many years, he has combined his technical skills and security knowledge with business insight and experience to assist customers in finding tailored solutions for security challenges. He has over 10 years of professional experience in the areas of IT security, identity & access management, SAP security, governance, compliance and control. He has been involved in and managed large-scale IT security projects and advised various multinationals across Europe.

10.45 : Governance, Risk & Compliance further investigated, by Els Houbrechts, Information Security Officer SPE Luminus & Carlo Schüpp Partner Vinti-Q &
Abstract :
Access Control does not enjoy a lot of sympathy with every business manager. It is often seen as a barrier that focuses too much on confidentiality and too little on reliability of data and process-driven controls. The business manager, however, expects the Security Officer to recognize the role of reconciliation processes and the review of operational reports in maintaining trust in data. This session provides a case study of how SAP GRC was used to set up a constructive dialogue between business and IT during reorganizations.
About : Els Houbrechts is currently Information Security Officer at SPE Luminus. Prior to that she worked as a security consultant with Telindus after having been security engineer at Utimaco and Security consultant at Utimaco Safeware AG before it was acquired by Sophos.
About : Carlo co-founded Vinti-Q, a high-end management advisory and engineering firm focused on information security and information-driven innovation. Prior to that, Carlo led Deloitte’s European practice of Security & Privacy. His clients typically seek for security assessments, business continuity planning, application audits, IT governance questions, computer forensics and incident response, and compliance reviews. Carlo has had a career managing business lines and new initiatives. He served twelve years at Swift as a leader in product and market management. He participated in The Way Forward programme to transform Swift from a passive institution to a commercial enterprise. He built Swift’s first data warehouse to analyse all daily financial transactions and helped transform Swift from a proprietary network to a service provider facing the security challenges of the internet. He conducted process audits and provided top-management consultancy to banks in the global top-100, etc. He also served five years at Ubizen (today Verizon Security Business Solutions) as CIO leading the managed security services. Carlo was part in founding LSEC together with K.U.Leuven-COSIC en K.U.Leuven LRD, from a clear need within Ubizen to position Leuven as a center of expertise on Information Security that is recognised worldwide. Upon his departure at Ubizen, Carlo is a Board Member of LSEC.

11.30 : An economic approach to GRC, by Rudy Meert, Senior Security Consultant (Risk MGT & IT Governance), CISSP-CISA-CISM-CGEIT-CRISC, Belgacom ICT
Abstract : Challenges for GRC supporting methods & tools, like maturity, complexity, effectiveness, efficiency, improvement simulation, transparent reporting to business & decision support, and the way Belgacom deals with these by adopting an economic approach
Objective of presentation: share our experience in the GRC - & information risk management area Important challenges for GRC & risk management supporting methods & tools + lessons learned:
• Basic requirements
• Reinventing the wheel problem & complexity
• Configuration Management syndrome & efficiency
• Low maturity - & less scientific approaches
• The effectiveness, efficiency & flexibility requirements
• The simulation capability requirement
• The added value of quantitative approaches
About : Computer scientist, more than 25 years of experience in information security and risk management. Financial, pharmaceutical & consultancy industry. Specialised in cryptography, risk management and optimisation methods & techniques. Professional certifications: CISM, CISA, CISSP, CGEIT, CRISC Developed several algorithms & methods in the area of cryptography and risk management. Optimisation techniques. New approaches on risk - and value management.

12.10 : Human Behaviour and IT Security No Longer Need to Be In Conflict, by Dave Vijzelman, Security Consultant, CA Technologies
Abstract : how challenges in the environment are being managed with a series of tools that consider the changing landscape.
About : About : Dave Vijzelman has worked in several large heterogeneous environments and has a large experience in designing and implementing architectural RBAC solutions. His focus is primarily on RBAC strategies and role mining. Besides this, he also has a wide knowledge towards the technical approach regarding identity and access management (IAM) strategies. Previously he was as a Senior Information Security Consultant at Ascure where he was responsible for the architectural approach of analyzing and designing RBAC strategies for clients. Before this, he was an RBAC Consultant at BHOLD Company. Today, Dave is Principal Security Consultant with CA Technologies, supporting large associations in their Identity Management challenges.

12.50 : Walking Lunch & Networking

14.00 : See more, Act faster and Spend less in your compliance domain, Solutions Specialist Europe, RSA the Security Division of RSA
Abstract : In our increasingly globalized business environment, economies and enterprises are steadily becoming interrelated. Yet many key functions and departments that deal with related information and business processes remain siloed. As competition escalates, as organizations become more dispersed, and as regulations increase in number and complexity, risk inevitably grows. So, too, does the demand—from markets, regulators and customers—for increased accountability.The answer is to bring governance, risk management and compliance together in an integrated program where policies, data and controls are strategically managed and visible throughout the enterprise. An enterprise governance, risk and compliance (eGRC) strategy, supported by a common technology platform, creates consistency and transparency, enables collaboration, fosters operational efficiencies, and ensures the continuity and success of the business. See more, Act faster and Spend less in your compliance domain is key in a complex environment.
About : Since 2009 René Pieëte is working as a Consultant at RSA, the Security Division of EMC. After his graduation at the Groningen University, Phd economics, he works several years as a economist. René has 25 years experience in several positions in enterprise software development, sales, consultancy and implementation. Currently he leads different areas of expertise such as Authentication, Data Loss Prevention, Anti Fraud, SIEM and Governance Risk and Compliancy. René has a wide expertise as security leader with an inspiring view on end-to-end security.

15.00 : How security tools can accelerate GRC projects, by Johan Hermans, Partner CSI-Tools
Abstract :
Full integrated GRC system perfect, helpful etc BUT
- How to implement it what are the requirements
- There is according to me only one approach Top Down & Bottom Up
- The bottom up approach requires specific (small) security tools
- In which faze are they used and for what
- We end the presentation with lessons learned (of our 200 customers the last 10 years)
The idea of the presentation is Bruce Schneier statement: “If you think technology can solve your security problems, then you do not understand the problems and you don’t understand the technology”
About : Johan is CEO of Axl-Trax (former CSI-Belgium) and CSI-tools. Previously, Johan was IT Auditor at Coopers & Lybrand and Financial Auditor at C&L. Being pioneers in the GRC business, CSI from experience which solution best matches specific needs where gradually extended the scope of our services to meet the more complex demands, expectations and legal requisites of the current business world.

15.45 : Information Security Doesn’t matter, by Geert Vandenbranden, CISSP, CISM, CISA, CIRM, MBCI, P2FC, Information Risk Management Consultant, Competence Center Leader Information Security Governance, Ascure
Abstract : In a lot of companies information security is still not handled with care. IT and information is becoming more and more important, nevertheless information security governance does not show the same growth in value to those companies.
About : Geert Vandenbranden has an extensive experience in ICT and Information Security related disciplines both at the strategic, tactical and technical levels.  In his current position as Senior Information Security Consultant, he focuses on Information Security Governance / Program Management, Information Security Policy design/implementation, Information Risk management, Information Security Awareness Programs, Business Continuity Planning, Business Continuity Testing, Intrusion Detection/Prevention techniques and Security Architectures and Infrastructures.

16.30 : Panel Discussion & Coffee Break

17.15 : Case Study : Security Management at the Olympic Games, by Chris Van den Abbeele, Solution Manager, Atos Origin
Abstract : For the Vancouver 2010 Olympic Winter Games, the Atos Origin security team collected almost 9 million security related events each day to detect any potential IT security risk for the Olympic Games IT systems. Thanks to extensive correlation and filtering, only a hundred were identified as issues and were investigated. All were resolved, so there was no impact at all on the Olympic Games.This session gives a view behind the scenes of how Atos protects the most visible IT environment in the world.
About : Chris Van Den Abbeele is Solution Manager for Identity and Security solutions at Atos Origin. He is responsible for managing the Identity Security offering at Atos Origin Belgium.  Chris has over ten years experience in designing Identity solutions.  He has a clear view on the technology, the market and the players.  Prior to joining Atos Origin, Chris worked as a Technology Specialist at Novell for about ten years.

18.15 : Closing Notes & Networking Reception

19.30 : Close of Seminar

Other subjects to be discussed :
1. Where to start with GRC? Data to be easily obtained? Get results and refine, or dig deep and deliver later? What to present and what not (yet)?
2. How to identify the core security data that reflects performance? Some practical examples that apply everywhere?
3. GRC and ISO 27k – is there a match in heaven to be made, or even more of a nightmare?
4. The collection of stupid data is still stupid, or isn’t it?
5. Defining performance indicators in information security that matter.
6. Systems integration, the long and windy road …
7. So you have GRC environment, now what? What does it do?
8. GRC, taking security management beyond the basics
9. From security tools and systems to comprehensive risk management
10. Applying the CSA Cloud Security Matrix in GRC
11. Experiences with Cloud Service Providers
12. Is there room for benchmarking?
13. Did we forget anything : risk monitoring and control
14. …

Unfortunately the following two presentations were cancelled.

AI & Digital Forensics and ISO Compliance, by Godfried Williams, Intellas UK (cancelled)
Abstract : AI techniques are effective for problems that require pattern recognition, as well as analyzing complex data and problems. This presentation explores a standard framework for guiding the use of artificial intelligence tools for digital forensics activities. AI forensics technology has the potential to effectively solve web counter-terrorism surveillance, fighting Internet fraud, masking identities online and data mining for managing online digital footprints. Intelligence gathered from analyzing multiple sources of information could be useful for providing leads to digital investigations. This presentation focus on ongoing work by standard bodies and assesses requirements that are likely to facilitate the adoption of such frameworks by the forensic community.
About : Godfried Williams is the CEO of Intellas UK, the Artificial Intelligence and Information Security and Forensics Company based at London Canary Wharf. A Course Leader, at the department of Computing, University of Gloucetershire UK, and visiting Professor in information security to many universities.
He has approximately 20 years professional experience in the IT industry. A Graduate of Cornell University’s Johnson’s School of Management where he studied Leadership and Strategic Management. is undergraduate computer training from the prestegious WANG Computer Laboratories in Boston USA. Previously worked as Senior Systems Analyst and Project Leader for the International Development Association (IDA) of the World Bank resident at the Accounting and Management Information Systems Unit, (AMISU), between. 1995 and 1997. He assisted in the Planning and Management Information Systems Unit in handling the World Bank Highway Sector Investment Credit (IDA Credit 2858-GH) on behalf of the Ministry of Roads and Transport Ghana.
A Fellow of British Computer Society(BCS). Fellow of Royal Society for the Encouragement of Arts and Manufacturing.

and

iGRC, Cyber Protection by Mike Popham, Infogov

Large-scale ICT networks are now the fundamental basis for UK critical infrastructure and economic activity. However, there is an urgent need to develop the underlying science and engineering principles required to support such complex systems. In particular, the application of autonomous AI techniques and self-organising networks has the potential to create CNI systems that are an order-of-magnitude more resilient and dependable than current methods.
In order to manage this growing system complexity the SATURN programme will demonstrate how self-managing intelligent services can enable the rapid discovery and fusion of critical network data feeds in real-time. SATURN will also develop and validate novel tools and techniques for visualising and understanding the complex interdependencies between the service layer, and the underlying physical networks. In addition the project will enhance the underlying theory of complex networks in the CNI domain, and create new modelling and simulation capabilities.
The key output will be an advanced demonstrator that displays ultra-resilient ICT service capabilities. The system will also enable automated knowledge management and integrated data fusion. (A key requirement for improved CNI decision support.) Northrop Grumman, as part of our contribution to TSB Project SATURN, will develop a cyber range capability that can be leveraged for use in evaluating cyber effects on large scale, complex, heterogeneous and cooperative network structures.  This range will provide the United Kingdom with a new ability to conduct meaningful cyber experiments and assessments of infrastructure survivability and assurance.

CyberProtection iGRC by Mike Popham

Workshop Day 2

During the second day, a lecture by Peter Houtmeyers - Titans Consulting on the use of ISO 27k and GRC was followed by a workshop with the attendees.

The results of the workshop will be shared in an overview paper.

Participants to the workshop were given the details of the results.