
Getting Started in GRC

BSides Greenville · 2021 · 28:37 · 26 views · Published 2021-10
Category: Policy
Style: Talk
About this talk
Kurt Kapperman gives attendees the information they need to start creating cyber policies and procedures, points them to resources, and aims to get them over the "fear of getting it wrong" hump and onto a known pathway to success.
Transcript [en]

All right, well, I hope everybody has been enjoying this BSides. It's had a lot of really good talks. Mark had a good talk about the CMMC protocol, which goes right along with where I'm going, and then Stephen Kirby talked about PCI DSS, which is one of the most common frameworks that covers most businesses. But sometimes, when it comes down to this, people just kind of wonder: where does it all start from? Where do we go? So let's talk about GRC and what GRC is. GRC stands for governance, risk and compliance. Governance addresses how you make your plan: what's your plan? How's your business going to be set up? How's it going to work? What's going to happen if you have a disaster, or for instance a ransomware attack? Governance would be where you would determine how you're going to handle your business. Then you get into risk, and that's looking at what are the threats, what are your issues, what are your problems, what are the things that we need to deal with, and those will vary from industry to industry. And then finally compliance, and compliance is one of the areas that is the most changing in our industry, because, as you can see, it's based upon laws, regulations, standards. It's things that are changing and constantly being modified and updated. So GRC, well, it seems like kind of a little nutshell, but it really has a lot of complexity to it.

And when you look at this graphic, you'll see there's different pieces to GRC, and each one of these pieces kind of blends into the next one. So, for instance, if you're doing audits, those audits are going to bring about strategy management: what am I going to do with the audit findings? But it's also going to bring about what are the controls I'm going to bring into place to make myself compliant for the next audit. So why do GRC? First of all, most businesses are or will be needing to meet some type of compliance. You go down to the mall, and even though it may be that little vendor in the middle selling their credit card stuff, if something happened and that person was found out to be storing all the credit card data, they would be out of compliance, and they would now face the laws and the penalties of the law for keeping that data and not securing it. And then you get into the larger corporations, and for many of the corporations, in order to do business with the people that they do business with, they've got certain compliancy requirements that they have to meet. You also have to remember it's not a one-time event. So when I go in and write a compliance document and I say, okay, I've evaluated my business, I've looked at what's going on in my business, and I've set out all my plans and I've written them all up, I'm not done. Now I need to go back and look at each one of these documents again. I need to start over and reassess: where am I at? What has changed? What's come up? You know, ransomware, malware, spam, phishing, all of that stuff is continually evolving, and so our compliance is going to be changing to keep up with that. Mitigation becomes more and more difficult if you don't have a standard. A lot of people go into the industry and they just kind of focus on their one place, and they don't think about the fact that that little piece of the industry that they're working in is doing what it's doing because there's a standard. Some of you are Greenville Tech students; there's a standard in order to complete the class, and that class sets up that standard, and if you don't want to comply with it, you're not going to be successful in completing the class. Well, businesses are exactly the same way, but the nasty part for businesses is they're not necessarily the ones who are creating the requirements. It's the bad guys, it's the people who are trying to get into their system, that are going to affect and enforce how that business is going to react and how they're going to respond to those risks and that mitigation. And that's what compliance is all about: looking at that changing landscape and determining how am I going to deal with it, what am I going to do to deal with these risks.

And finally, it's an open job market. On the 31st of September I did just a quick search in ZipRecruiter under GRC, and as you can see, almost 6,000 jobs were listed out there under GRC on ZipRecruiter, with a salary ranging between 102 and 171 thousand. It's an open industry. We have so many requirements coming by. If you listen to Mark's presentation on this channel, the first presentation, on CMMC, that's a new standard that everybody is talking about becoming compliant for, especially if you want to do anything with purchasing or connecting your business into the federal market. You're going to have to be CMMC report compliant, but CMMC compliance is still changing and still molding, and so getting into these jobs is going to be a little bit easier now than it will be later, but there's going to be a growing number of jobs needed to be able to fill these compliance spots for the CMMC.

So where do you start? A lot of people don't know what to do. I want to kind of do GRC, but it can be a daunting task. I remember with the university, when I started my job in 2018, while we were doing many of the things that made us compliant and would show us to be compliant, we didn't have any idea where we were going. Well, we had the privilege that the federal government came to us and said, you're going to need to be compliant to this 800-171, so I didn't have to go search and find the standard. Stephen just gave a great presentation on using PCI DSS as a data standard: just replace credit card information with secure information and you have a compliance standard, you have a place to start from. So the beginning of where to start is: find a standard, then determine what industries will need to be covered by that standard. Sometimes we do it the other way: you're interested in a specific industry, and so you'll go look for the standards that meet the industry. But you can do it backwards. You can look at the standards and say, I'm kind of interested in this standard, this standard kind of keeps my attention, I see where I could kind of fit into this market, and then you'll find the industries that'll be covered. But you can go either way; either way will keep everything flowing just the way we want it to. Then gather the information. Attend BSides events, attend training events, get on YouTube. You can find all kinds of information on YouTube about, hey, here's the standard, here's what's going on in the standard, here's how to be compliant in the standard. Now, of course, you have to be careful; you can also find information out on YouTube that's not going to lead you in the right direction. So gather information, see what goes on with the industry, see what goes on in that compliance standard, and what you are going to do. And finally, maybe the place to start is with the people you currently work for. There's a lot of companies out there that, while in practice they are compliant with standards, they really don't have the paperwork, because when it comes down to GRC, much of the GRC work is the paperwork. It's the creation of the documents that say, here's what our standards are going to be. It's the documents that say, hey, here's how we've got our network configured, or here's how we've got our information secured, or here's the practices for account creation and how we determine what a user can or can't do on our network. Because when it comes down to the standards, the reviewers will look and see what you're doing, but they're also going to see what you have in writing, and when you're dealing with the federal government, which I have to in my case, if I don't have it in writing, as far as the federal government is concerned, it's not going on, it's not happening. And so many times you can be working for somebody and they just need somebody to help with the paperwork, they need somebody to help with the reviews. So sometimes the place to start is to go to your employer, find out what they're doing, and find out if they need assistance in this.

Finally, you can look at the different standards organizations. NIST has been mentioned a couple of times in some of the different presentations, and pretty much if you're going to do anything that deals with any kind of data from the federal government, this is going to be the standard that you're going to comply to. But NIST covers more than just cyber security. You'll notice it's the National Institute of Standards and Testing. NIST is the one who determines what the standard for cryptological work is. They determine what the standards are for the atomic clock, for determining what a unit of measure is. NIST covers this very broad area, but one of the areas they cover is cyber security. But NIST is pretty much related only to the United States. ISO is an international organization, so you've heard of ISO ratings like 27001, which was mentioned in a previous presentation, but there's also industry standards that really don't have anything to do with cyber security. It's still a GRC event, because you're looking to set up a standardization of how something is produced, how something is manufactured, so that it can be determined to be compliant with other entities from an international point of view, so that they know they can work together. PCI DSS, again, this one's pretty much United States only, but we are seeing it move out into some other countries that deal a lot with the United States. GDPR, this has been in the news a lot, but this pretty much only deals with Europe. But maybe you're working for a small organization who is building a product or is offering a service, and they pick up a customer who happens to reside in France. Well, your company is now going to have to show how you're going to be GDPR compliant with the data that comes from those users there in France. What are you going to do here in the United States? GDPR is really a guideline for us. We don't have any real requirements here in the United States to be compliant to GDPR, but the practices that it outlines, many, many organizations have sought to put into place, because California, with their CCPA, is a very similar guideline to GDPR, and so if you deal with transactions and deal with individuals in California, you're going to have to make sure that your data protections for those individuals are CCPA compliant. I worked in the education industry, so FERPA is a big compliancy standard for us, but FERPA really only deals with just student data and student records. It doesn't deal with the rest of the data that goes on in our organization, but FERPA is that overarching certification that we have to keep up. And there's many others. Again, depending on the industry you're in, you may find a standard that's very specific because of what you're doing. I have a friend who runs an aircraft parts organization, and they've got some very specific standards that they have to meet to be able to sell aircraft parts. Even though they're not manufacturing, they're just basically a wholesaler, they're buying parts and selling parts, they still have a whole bunch of standards that they have to keep up and be able to stay in compliance with in order to sell these aircraft parts. And so, depending on the organization that you're working with, the requirements and those standards may change, so you need to see what are the standards that I would need to be working on in the industry that I'm looking toward.

Finally, how do you help a business? Well, this chart shows risk versus reward, and that's really what GRC is. What we're looking for in GRC is to find out what the risks are. Before I can figure out what my rewards are, I've got to know what the risks are. So categorize them by level: find the risk, find out are they severe, are they moderate, are they low, what's the category that they're going to fall in, and then give a priority to the items in each level. Once you've determined what your risks are, then you have to decide how do I prioritize them, where am I going to put the priority. And when we do the priority, we're going to create a plan, and that plan is going to start with the items that are going to fix the highest risks that we can but have the greatest reward. Sometimes those risks are going to be low risk but they're going to have a great reward; sometimes they're going to be high. But you want to start with that highest risk, as high as you can get, with the least amount of effort. MFA: everybody hears about it, it's almost become the standard buzzword, but it's amazing to me the number of people who still don't know what MFA is when you mention the term to them. Most people do it. If you have a Google account, or if you have a Yahoo account, or if you've got some account on the internet, if it's doing what it's supposed to do, they're going to want to know that you are who you say you are when you try to access your account, and that's the purpose of MFA. And turning on MFA has a really high reward, and it really doesn't take much effort. In most systems it's a click of a button that says we're going to turn on multi-factor authentication. Now, getting people to comply, or getting people to put the things in place for multi-factor authentication, can have a little bit higher cost to it, but that's going to be determined by your industry. In my industry, having a cell phone, getting a text with a code, and typing the code in is more than sufficient for me to be able to authenticate my users. But you may work in an organization or an industry that needs to be more secure, so you may have to be able to put in biometrics, or you may have to have multiple layers of multi-factor authentication to determine who the user is, based upon the security of the information that that user is supposed to be using. Another one of those things that fixes a high risk but doesn't take a lot of effort is turning encryption on on all mobile devices and systems. If you've got a computer, or your user's got a computer, that accesses or uses company information, it should have encryption on it, and that just protects you in the case of it being lost. We have this happen from time to time: someone is traveling and I'll get a phone call, my laptop's been stolen. Well, in our case, all mobile devices for the university require that data encryption is put in place, and so I can go out into our management system, I can click a couple of buttons, and I can lock the device down. Nobody's going to use it, nobody's going to get to it, even if they destroy the device and pull the hard drive out of it, because encryption has been turned on for all those devices. I'm not worried about somebody getting to the data that we want protected. And that's a really easy thing to do: start with those high risk, low effort items, and then look for ways to meet goals without high expenditures.

Money is always tight. Everywhere I've ever worked, including when I worked for myself, there were a lot of things that I saw where I'd be like, oh, that'd be really cool, I wish I could do that, but the money just wasn't there. But especially when it comes to GRC, there doesn't always have to be a large outlay of money. There are so many government services and so many industry services now that are offering you great risk to reward benefits. For instance, one of the best ways to help protect your users is data security training. Take the time to have the users go through training quarterly, annually, semi-annually, whatever you determine is the best method for you, but put them through training. Well, that means somebody's got to create the content. Not everybody is a creative genius; I for one am not. We contract with a company to do our data security training, but there are a whole lot of government services. Stay Safe Online is a government service, CISA is another government service, and many of these services will offer free data training. Yeah, they might be simplistic, yeah, they may not cover everything that a company needs, but to get started when money is tight, get these free services, use these free services to go out and train your users, to go out and gather those resources. As was mentioned in the last session on the DSS, many of the documents to create this are free out there on their websites. You can go to their website. Again, you don't have to pay for a large service with a large organized documentation system to be able to make yourself compliant, or start to reach toward compliance. You can reach out and use the free services. And also understand that the best way sometimes to fix the problem is just to get engaged with the users. When I started our risk system in 2018 at the university, one of the biggest things that I learned very quickly is that I had to get out and I had to seek opportunities to talk in front of our faculty and staff, to talk to them about the need to be secure, the need to be compliant, the need to pay attention to the emails they're receiving, because we live in the higher ed realm. We are one of the prime targets for malicious actors. They are sending emails into our system all the time trying to get our users to give up their username and password, or, even more common nowadays, they're trying to get our users to buy Apple gift cards so that they can give them to somebody who's busy. And so sometimes the best resolution to fix your problem is just to get involved with the users, go out and talk with them, take the fear and the worry about what they're going to do and what's going to happen if they accidentally click on the wrong thing, get rid of that fear, help them to feel comfortable in being safe.

Once you've got your plan, work the plan. Don't give up because of a failure. So many places create a plan and they look at this plan as though this is going to be the thing that's going to keep this issue from happening. We all work with people; we're people ourselves. We all have times where we're sitting there flipping through our email, we're really busy, there's a whole bunch of stuff going on, and all of a sudden this email comes through, and oh, it looks like it's so valuable, it looks like it's so real, I need to respond to this quick, and then we find out, oh, oops, I shouldn't have done that. Those types of things happen, but failures aren't the end of a program. Failures are opportunities to re-evaluate the plan. Let's look at the plan: what could I do, or what could I have done, to either help train my users or help the company to put things in place to protect the data in my organization if something were to happen? And then be willing to update that plan. Again, GRC is not a one-time event. It's something that we have to understand that we have to continually go back and change and update, and be willing to float and flex based upon what's going on. And then update your knowledge. Get involved in organizations like BSides that will help you learn new things. The market that I work in is GRC, but I'm also involved in the DEF CON 864 group. They're a little more pointed toward penetration testing, toward that side of the market, but I enjoy going to the meetings and I enjoy listening and being involved in webinars about penetration testing. I don't do any of that for a living; most of what goes on when it comes to that goes over my head. I watched Ben's presentation about his tool, which I think is a really cool tool. Most of it goes over my head, because I don't do anything with penetration testing, but by my getting to know what he does, and how he finds the issues that he finds, and how he does his tests, it helps me in creating my documentation to say, okay, wait a minute, if this is the way that the bad guys usually go about it, what can I do to get stuff put in place? And then I can document that, hey, these are issues and we need to now go resolve these issues. Take any training you can afford. It's wonderful that some of the things that are being given away, some of the items that are being given out, are penetration testing classes, or opportunities to get onto penetration systems to practice and test your skills. Take training, go out and learn something. Maybe it's not even something that you feel is associated with the item that you're doing; it's just the fact that you're willing to expand your mind, expand your thought process, expand what you know, because sometimes that new little piece of information that you gain from something is that little thing you needed to give a nudge to help you understand how I can better prepare for an event that I wouldn't be expecting. And by going through those trainings you can get that, or, even better, get someone to pay for you to go to training, because remember, knowledge is power. Never become complacent with your accomplishments. Never get to a place where you're, oh, I understand this, I know what I'm doing, I'm just in a great place, I'm going to continue on. When we get to that place in this industry, you're going to find yourself being left behind, because the industry will continue to move, the industry will continue to expand and change. Yes, I might be compliant from 10 years ago, but the industry changed, and those things that I know probably are not as relevant anymore.

So now what? Well, determine your model. What are you going to do? Are you going to work for someone, or maybe work for yourself? As was mentioned in the CMMC chat in this channel, in the first chat, there's a lot of people who are going to be needed to go out and do these evaluations for these companies. Maybe the model that you're going to work in is not that you're going to work for someone else, but you're going to get yourself the training and education you need to be able to become a CMMC auditor, and now you're going to make the engagements, maybe through other companies who are doing this, and you're going to offer services. You can work as a contractor; maybe that's the model that's going to work. We've got all kinds of small and medium businesses around us. Many of them have no kind of plan in place. They've got nothing in place to help protect their systems, help protect their data, because they just see themselves as a nobody, but the bad guys want them just as bad as they want the Fortune 500. And so maybe you can work for yourself and go out and offer services to these companies to help them to become compliant, help to protect their networks, help protect their data. Or you can go to work for someone else. Narrow your focus. When I started in the computer industry back in 1993, I had the mindset that I was gonna learn everything; I was gonna know how to do everything there was to do with a computer. Well, back in 1993 there wasn't a lot that could be done with a computer, but it was still bigger than ultimately one person could become a master of and do really well. And today we really need to narrow the focus. Find the part that you like, find the area that you want to focus on, and focus there. But don't be afraid to change that. You may work in the GRC industry, and as you work in the compliancy and you create the policies and you create the procedures and you evaluate the risks, you may all of a sudden decide, you know, hey, that thought of being able to go out and detect the risk, that thought of being able to go out and expose the risks by penetration, seems really, really interesting to me. And so your focus may start out at one side, but you may change. Be willing to make that change, be willing to step away from maybe what is the comfort zone and move on into something else. But again, keep a focus: find a spot that you want to work in and then stay there. Once you've narrowed the focus, create a plan. Determine how am I going to get there, how am I going to get a job for someone else, or how am I going to be able to work for myself? What training, what certifications, what things do I need to be able to come to a company and say, I'm valuable, I'm worth hiring, I'm worth employing? Once you've created your plan, work the plan. Just keep at it, don't give up. Maybe you've got to start out in an area where I'm not quite in the area that I want to be, but it gets my foot in the door to get me started. I always chuckle when I see the ads: this is an opening, entry level position, but we want you to have four years of experience. How can you do entry level and have four years of experience? So sometimes you've got to try to get yourself into those situations, and you give your experience by showing that, hey, I went out and I did this training on the side that gave me some experience, I got involved in this organization to give me some experience, going to BSides, going to capture the flag events, just getting involved in things that would build up a resume and show that, hey, I have the knowledge and the skills to show that I can be of benefit to your company. And then, as I said earlier, never be afraid to change, because sometimes in working in our industry you hit a point where you get burned out, and that's a really tough place to be in when you hit that burnout stage. And for a lot of people, their way of responding to burnout is they just completely walk away from it, because they don't want to make a change. They're afraid to move to somewhere else; they're afraid they'd maybe fail, or they maybe wouldn't be good enough. Never be afraid to make a change. Sometimes a model that you're following is going to come to an end, because the industry has just changed so much that that model doesn't work anymore. So be paying attention, be watching what's going on, and always be willing to tweak and change just a little bit about what you do and how you do it.

I knew my plan, my conversation, wasn't going to take up the whole time, so I'm at the end of my presentation, but I'm more than willing to answer questions and help anybody in any way I can. Here's my email address. You're more than welcome to email me; I'll be glad to respond back to you and help to offer assistance in whatever way I can. And thank you so much for being here and for paying attention.
