GRC Interoperability Standard Consultation Demonstration

Thursday, 22 January 2009 from 12:30PM to 04:00PM

Background

The Security Innovation & Technology Consortium's (SITC) Governance, Risk & Compliance Special Interest Group (GRC SIG) organised a consultation and demonstration workshop at Government offices in London on Thursday, 22nd January 2009. 

The purpose of this workshop was to demonstrate to Industry representatives and elicit their feedback on the initial (concept phase) results of a joint Government/SITC sponsored initiative to scope a GRC Interoperability Standard.

The meeting was attended by a number of invited representatives of financial institutions, UK Government departments including the MoD, and risk management consultancy firms.

Aims and Objectives

The aim of the meeting was to determine interest in the concept of linking together GRC sensor and management technologies via a common interoperability standard for regulatory, compliance and risk activities across complex supply chains and high value operational assets.

The objectives of the meeting were as follows:

  • Under the auspices of SITC, to present leading GRC sensor and GRC management technologies and, by linking them together, show how the standard would enable interoperability;
  • To promote the value of the standard in augmenting interoperability between these and other GRC sensor and GRC management technologies;
  • To seek feedback and guidance for phase 2 sufficient to endorse the value of an industry-led GRC interoperability standard, particularly in a potentially broadening international regulatory environment.

Agenda

12:30 Arrival, Registration, Lunch

13:00 Welcome and Introduction (Paul Osborne, SITC)

13:10 Government perspective on GRC

13:20 Industry perspective on GRC (Martin Jordan, KPMG)
 
13:30 GRC Market* - Stephen Hall

14:00 GRC Interoperability Architecture* - Nick Connor and Mike Popham

14:20 GRC Interoperability Demonstration* - Nick Connor and Stephen Hall

14:50 GRC Essential Features Demonstration* - Nick Connor and Stephen Hall
 
15:15 Q&A

* These presentations are available for download below.

Discussion

The meeting involved presentations on GRC from an industry and interoperability perspective by Assuria and Infogov, both SITC members brought together by the SITC Board.

By way of introduction, SITC’s Paul Osborne outlined the thrust of the GRC SIG.  Martin Jordan, Principal Advisor at KPMG LLP also presented an industry view.  Infogov’s Stephen Hall then delivered a presentation on the GRC market. 

Following these introductions, Assuria's Nick Connor and Infogov's Mike Popham presented their proposals for a GRC interoperability architecture, and the interoperability mock-up was then demonstrated by Nick Connor and Stephen Hall. 

Questions were frequent and challenging throughout.

The meeting discussed sensors (typically software tools) that monitor the status of a process or asset, and in fact anything that may affect the confidentiality, integrity or availability of assets.  IT assets and controls, and physical assets and controls, were described from both an internal and an external standpoint.
 
The range of sensors mentioned included system monitors, vulnerability assessment, configuration and policy compliance, network traffic monitors, intrusion detection, intrusion prevention, firewall/router logs, access and identity monitors, failed logins, privilege escalation, biometric identities, website monitors, vulnerabilities, and pages visited and referred from. 

Also included were end-point monitoring, permitted user activity, data leakage monitoring, anti-virus, anti-phishing, malware detection, and event and audit log collection.  Operating systems, infrastructure and applications were listed as assets likely to supply output data important to a GRC management suite, ready for processing, analysis and reporting.
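As an added illustration of what "ready for processing, analysis and reporting" means in practice (this is not code from SITC, Assuria or Infogov, and not GRCIP, which this meeting only proposed), the Python below takes three constructed sensor outputs in their native formats (an sshd syslog line from an access monitor, a vulnerability scanner CSV, and a configuration-compliance JSON result), normalises them into one common event record tagged with the CIA property at stake, and then runs a small rule set over that common stream to raise findings and an overall risk level. The record layout, field names, severity scale, asset register and rules are all assumptions made for the example.

```python
import csv
import io
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class GrcEvent:
    """Common record every sensor is normalised into (assumed layout, not GRCIP)."""
    ts: datetime
    sensor: str     # producing sensor
    asset: str      # asset the event concerns
    kind: str       # failed_login | accepted_login | vulnerability | config_noncompliant
    impact: str     # C, I or A: property of the asset at stake (assumed mapping)
    severity: int   # 1 (informational) .. 5 (critical), assumed scale
    subject: str    # user for auth events, check name otherwise
    detail: str


@dataclass(frozen=True)
class Finding:
    asset: str
    rule: str
    severity: int
    evidence: str


ASSUMED_YEAR = 2009                 # syslog lines carry no year
HIGH_VALUE_ASSETS = {"fin-app01"}   # assumed entry from an asset register
SEVERITY_LABELS = {"info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}
LEVELS = {1: "low", 2: "low", 3: "medium", 4: "high", 5: "critical"}

# Constructed sample input: three sensors, three native formats.
SYSLOG_LINES = [
    "Jan 22 13:45:01 fin-app01 sshd[4210]: Failed password for root from 10.9.8.7 port 51022 ssh2",
    "Jan 22 13:45:03 fin-app01 sshd[4210]: Failed password for root from 10.9.8.7 port 51023 ssh2",
    "Jan 22 13:45:05 fin-app01 sshd[4210]: Failed password for root from 10.9.8.7 port 51024 ssh2",
    "Jan 22 13:45:09 fin-app01 sshd[4210]: Accepted password for root from 10.9.8.7 port 51025 ssh2",
]
VULN_CSV = "host,check,severity\nfin-app01,ssh-weak-kex-algorithms,critical\nfin-web02,tls-self-signed-cert,medium\n"
CONFIG_JSONL = [
    '{"time": "2009-01-22T13:40:00", "host": "fin-web02", "check": "password_min_length", "expected": 12, "actual": 8}',
    '{"time": "2009-01-22T13:40:00", "host": "fin-web02", "check": "audit_logging", "expected": "on", "actual": "on"}',
]
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")


def parse_syslog(line):
    """Access monitor: sshd syslog line -> failed_login / accepted_login event."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    kind = "failed_login" if m.group(3) == "Failed" else "accepted_login"
    return GrcEvent(ts, "auth-monitor", m.group(2), kind, "C",
                    2 if kind == "failed_login" else 1, m.group(4), f"src={m.group(5)}")


def parse_vuln_csv(text, scanned_at):
    """Vulnerability assessment: one CSV row per finding -> vulnerability event."""
    return [GrcEvent(scanned_at, "vuln-scanner", row["host"], "vulnerability", "I",
                     SEVERITY_LABELS[row["severity"].lower()], row["check"], "")
            for row in csv.DictReader(io.StringIO(text))]


def parse_config(line):
    """Configuration/policy compliance: JSON check result -> event only when non-compliant."""
    rec = json.loads(line)
    if rec["expected"] == rec["actual"]:
        return None     # compliant: nothing for the GRC suite to act on
    return GrcEvent(datetime.fromisoformat(rec["time"]), "config-compliance", rec["host"],
                    "config_noncompliant", "I", 3, rec["check"],
                    f"expected={rec['expected']} actual={rec['actual']}")


def evaluate(events, window=timedelta(seconds=60), threshold=3):
    """Apply risk rules over the normalised stream, whichever sensor fed it."""
    findings = []
    # Rule 1: `threshold` failed logins for the same asset+user inside `window`;
    # escalated to critical if a successful login for that user follows the burst.
    bursts = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "failed_login":
            bursts.setdefault((e.asset, e.subject), []).append(e.ts)
    for (asset, user), stamps in bursts.items():
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                end = stamps[i + threshold - 1]
                followed = any(x.kind == "accepted_login" and x.asset == asset
                               and x.subject == user and x.ts >= end for x in events)
                findings.append(Finding(asset, "auth.brute_force", 5 if followed else 4,
                                        f"{threshold} failures for {user} within {window.seconds}s"))
                break
    # Rule 2: high/critical vulnerability on a high-value asset. Rule 3: any non-compliant check.
    for e in events:
        if e.kind == "vulnerability" and e.severity >= 4 and e.asset in HIGH_VALUE_ASSETS:
            findings.append(Finding(e.asset, "vuln.high_value_asset", e.severity, e.subject))
        elif e.kind == "config_noncompliant":
            findings.append(Finding(e.asset, "policy.noncompliant", e.severity, f"{e.subject} {e.detail}"))
    return findings


def risk_level(findings):
    """Overall level is driven by the worst finding; no findings means low."""
    return LEVELS[max((f.severity for f in findings), default=1)]


def run_sample():
    events = [e for e in map(parse_syslog, SYSLOG_LINES) if e]
    events += parse_vuln_csv(VULN_CSV, datetime(ASSUMED_YEAR, 1, 22, 13, 30))
    events += [e for e in map(parse_config, CONFIG_JSONL) if e]
    findings = evaluate(events)
    return events, findings, risk_level(findings)


if __name__ == "__main__":
    events, findings, level = run_sample()
    for f in findings:
        print(f"{LEVELS[f.severity]:8} {f.asset:10} {f.rule:24} {f.evidence}")
    print("overall risk level:", level)
```

The point of the layout is that the rules never see syslog, CSV or JSON: once each sensor's output is mapped into the shared record, a new sensor type is added by writing one parser, and the management side's analysis and reporting are unchanged. The brute-force rule is also the reason the record keeps a timestamp and a subject rather than a free-text line, since correlating "three failures then a success for the same account" across sensors is impossible over raw log text.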

Conclusions

The meeting was unanimous in its support for the concept of an interoperability standard.  It was therefore proposed that a second phase of the project be undertaken, as follows:    
 
Phase 2 Project Objectives

  • With joint Government/SITC leadership, create a consultative three-part body consisting of a GRC Interoperability Protocol (GRCIP) Steering Group and two stakeholder consultation elements, i.e. a Stakeholder Group and a Review Panel.
  • Concept deepening, support acquisition (joint funding and trials platform), GRCIP design, trials platform build, performance review and maturity finalisation.
  • By 31st March 2010, encourage development of a GRCIP standard that is appropriate for use in all sensor sectors and segments, with deployment on a contract of such breadth and depth that as many facets of the standard as possible will be demonstrated.

Following this phase of development, an open GRC SIG event would be organised by SITC to report on the outcome from this phase 2 (interoperability protocol development) work and set this work in the context of 3 case studies to illustrate the value of sensing real time event data in order to detect and rapidly respond to increases in risk level and a potential lack of compliance with risk management standards or policies.

SITC would welcome wider industry feedback on this phase 1 work and the phase 2 proposals.  Also, if you would be interested in being involved in the proposed project Steering Group, Stakeholder Group or Review Panel, or if your company has capabilities that could be integrated into a combined GRC solution, please contact SITC to discuss how to get involved in the GRC SIG's activities.
