AWS Community Day Midwest 2024 | GRC Engineering - Automating Compliance Assessments with Audit Manager | Lloyd Evans
Added: Jun 13, 2024
Slides: 27 pages
Slide Content
GRC Engineering Automating Compliance Assessments with Audit Manager
Lloyd Evans VP of GRC
What is GRC Engineering? The practice of developing and integrating automated GRC capabilities to measure, reduce, and report risk. This practice enables continuous monitoring and compliance to align systems to effective governance.
The Goal: Fast, Reliable, Secure & Compliant Delivery of Value. Value = software which enables user/customer outcomes.
Secure and Compliant Authority to Operate Ongoing Authorization NIST SP 800-53 rev 5
What is a System Security Plan (SSP)? “Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.” - NIST (FIPS 200, NIST SP 800-18 Rev. 1). System Security Plans are one of the largest lifts involved in an Authority to Operate (within CMS, an SSP is roughly 80% of the total ATO work). What format is a System Security Plan? This depends largely on the organization authorizing the Authority to Operate (ATO). Formats differ from agency to agency, but the underlying control framework is largely the same.
System Security Plans
“In all of my experiences, this is the cleanest System Security Plan (SSP) evaluation that I have been involved in.” - Lead Assessor during ATO assessment
- 0 findings during assessment
- 3 months, 23 days from start of ATO process to signed ATO
- 8 months, 26 days from the first control written to 1st app in prod
- SSP developed by a core team of 8 (4 security, 4 engineers) in a platform team of 50+
Moderate Baseline: 352 controls, 782 control elements
NIST 800-53 rev5 Moderate System
What’s in a Control? AU-02 (a): Identify, based on a risk assessment and mission/business needs, the types of events specified in Implementation Standard 1 that the system is capable of logging in support of the audit function. Std.1 (a): Server alerts and error messages.
NIST 800-53 rev5 Moderate System
Secure & Compliant* *Cost: Time and Labor
Our Challenge: Finding speed and reliability amidst these constraints. The current approach is manual review. 352 controls, 782 control elements per system; 200+ systems = 156,400 controls to assess across the ATO enterprise lifecycle (5,213 controls per year per assessor for a team of 10).
GRC Engineering
AWS Audit Manager: Control Framework; Automated Evidence Collection (AWS Config, Security Hub, API Integrations); Reports
Audit Manager Custom Assessment
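The custom-assessment slides show control elements mapped to automated evidence sources. The following is an added example, not code from the talk, showing how a GRC engineer would express one SSP control element as an Audit Manager custom control (automated evidence from AWS Config and Security Hub, or MANUAL for a policy element), measure the automated-coverage share the Outcomes slide reports, and assemble the controls into a custom framework. The control names, the Config and Security Hub keyword values, and the control-set name are assumptions.

```python
from typing import Dict, List

AUTOMATED = ("AWS_Config", "AWS_Security_Hub", "AWS_API_Call", "AWS_Cloudtrail")

def evidence_source(name: str, source_type: str, keyword: str = "") -> Dict:
    """One controlMappingSources entry: automated sources pull evidence from
    Config / Security Hub / API calls; MANUAL marks a procedural (policy) element."""
    if source_type == "MANUAL":
        return {"sourceName": name, "sourceSetUpOption": "Procedural_Controls_Mapping",
                "sourceType": "MANUAL"}
    if source_type not in AUTOMATED:
        raise ValueError(f"unsupported sourceType {source_type!r}")
    src = {"sourceName": name, "sourceSetUpOption": "System_Controls_Mapping",
           "sourceType": source_type,
           "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST", "keywordValue": keyword}}
    if source_type == "AWS_API_Call":  # only API-call sources take a collection schedule
        src["sourceFrequency"] = "DAILY"
    return src

def custom_control(control_id: str, element: str, sources: List[Dict]) -> Dict:
    """Keyword arguments for auditmanager.create_control for one SSP control element."""
    return {"name": f"{control_id} {element}",
            "description": f"NIST SP 800-53 rev5 {control_id}, element {element}",
            "testingInformation": "Review the collected evidence against the control text.",
            "controlMappingSources": sources}

def is_automated(control: Dict) -> bool:
    return any(s["sourceType"] != "MANUAL" for s in control["controlMappingSources"])

def coverage(controls: List[Dict]) -> float:
    """Share of control elements with at least one automated evidence source
    (the talk's '184 of 782 elements' figure is this number for a full baseline)."""
    return sum(is_automated(c) for c in controls) / len(controls)

# Constructed sample: AU-2(a), Std.1(a) from the slides is proven from system state;
# AU-1(a) (the AU policy itself) can only be evidenced by hand. Keyword values are
# assumed and must be checked against Audit Manager's supported-source lists.
AU2_A = custom_control("AU-02(a)", "Std.1(a) Server alerts and error messages", [
    evidence_source("CloudTrail enabled (Config)", "AWS_Config", "CLOUD_TRAIL_ENABLED"),
    evidence_source("CloudTrail enabled (Security Hub)", "AWS_Security_Hub", "CloudTrail.1")])
AU1_A = custom_control("AU-01(a)", "Audit and accountability policy",
                       [evidence_source("Approved policy document", "MANUAL")])

def deploy(controls: List[Dict], framework_name: str, region: str = "us-east-1") -> str:
    """Create the controls and wrap them in a custom framework; returns the framework id."""
    import boto3  # imported here so the payload builders above run without AWS credentials
    am = boto3.client("auditmanager", region_name=region)
    ids = [am.create_control(**c)["control"]["id"] for c in controls]
    fw = am.create_assessment_framework(
        name=framework_name, complianceType="NIST SP 800-53 rev5",
        controlSets=[{"name": "AU - Audit and Accountability",
                      "controls": [{"id": i} for i in ids]}])
    return fw["framework"]["id"]
```

Running `deploy([AU2_A, AU1_A], "Moderate baseline - AU")` against an account with Audit Manager enabled creates the two controls and the framework; `coverage()` over the full 782-element baseline gives the automated share before any assessment is run.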
Outcomes
- 26% of controls are policy
- 10% are physical infrastructure
- 10% are personnel/administrative
Results in ~42% reduction in manual technical control assessment for AWS systems.
1 assessment deployment = automated assessment of 184 out of 782 control elements (23% control coverage).
Manual Approach vs. GRC Engineering Approach
Manual Approach:
- Constraint: Time and Effort (cost of security and development team labor). Scaling manual assessor processes to meet enterprise demands.
- 2 months of manual effort and toil for an assessment team of 4
- 560 hours ($33,600 at $60/hr)
GRC Engineering Approach:
- New Constraint: Flexible cost of running automation
- Scalable assessment of existing system state/configuration across accounts
- 313 hours ($18,816 at $60/hr) + cost of running Audit Manager + Config ($1,000) per assessment
Our Challenge: Finding speed and reliability amidst these constraints. We’ve now leveraged engineering practices to reduce the amount of manual assessment time by 42% and saved $13.7k per assessment. 352 controls, 782 control elements per system; 200+ systems = 156,400 controls to assess across the ATO enterprise lifecycle (down from 5,213 to 2,085 controls per year per assessor for a team of 10).
The Goal: Fast, Reliable, Secure & Compliant Delivery of Value
The Outcome: Faster, more reliable, Secure & Compliant Delivery of Value at a reduced cost