Skip navigation
All Places > Products > RSA Archer Suite > Blog > 2013 > July

If we had a cyber war with China or Russia tomorrow, would they only attack our Pentagon information systems? Or would they attack our banks and power companies at the same time? I think the answer is obvious, and that is the point of this blog post. Executive Order 13636, Improving Critical Infrastructure Cybersecurity, was passed in February to address this fact. The high level objectives:

  • ·         develop a technology-neutral voluntary cybersecurity framework
  • ·         promote and incentivize the adoption of cybersecurity practices
  • ·         increase the volume, timeliness and quality of cyber threat information sharing
  • ·         incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure
  • ·         explore the use of existing regulation to promote cyber security


The Pentagon is required to harden and monitor their systems to an insane degree, but the federal government cannot force those same requirements on the private sector. So, a “voluntary” framework needs to be developed.


For this reason, I had the good fortune to be able spend last week on the UC campus in San Diego. NIST was hosting the third in a series of workshops, the point of which is to develop a cybersecurity framework for our nation’s critical infrastructure. NIST was empowered by EO 13636 to develop this framework.


Here is an overview presentation from NIST


NIST has since been hosting these workshops and inviting security professionals to participate in its development. It is exciting and encouraging to me to see how NIST handled this process. Every industry was able to participate and contribute. At the workshop last week, approximately 300 people showed up ranging from financial, power, and telecommunications industries to DoD and intelligence community representatives. These few hundred were broken into groups, and those groups were divided again into sub-groups. Then we all set to the task of writing the outline for this new framework. I found the approach so cool because the subgroups were small enough so that every person could be heard. The best ideas of a subgroup made it to the group level. The best group level ideas made it to the NIST review board. It was very organic, democratic, egalitarian. I was pretty impressed.  The 4th workshop will be in Dallas in September and I’m looking forward to participating in that as well.


So far, the framework is still fairly open. It is based on five activities: Know, Prevent, Detect, Respond, and Recover, and uses a compendium of standards and controls from many industries. NIST intentionally avoided forcing 800-53 on them. We will see how the framework develops. This will make a good webcast topic for later this fall when it’s finally released. See you then!


Email me with any comments or questions

Thanks for reading!


All great shows must come to an end.  The curtain is nearly closed and the last echoes of my final song are waning as I finish up my series on the “Groove Theory of GRC”.   I hope you have enjoyed this running analogy and it has given you a few ideas on how to spice up the conversation in your company around GRC.   However, I have one last piece of the analogy.   Music, like all art, depends on a unique and sometimes instantaneous combination of skill, talent, experience and inspiration.  Music also has an interesting aspect as it has its own language and method of notation that can document the initial intention of the composer and allow recreation of the art.   Bach’s “Brandenberg Concerto No. 3 in G Major” played today is very close to the original performance as envisioned by the composer.  This is due to the meticulous annotation of the musical form.


This series of blogs has been a long and winding road leading to the release of the RSA Archer GRC Reference Architecture.  The following graphic has been developed by RSA Archer GRC strategy team in collaboration with the Archer Customer Advisory Council as a simple notation of GRC programs. 




My four postulates to the Groove Theory were meant to summarize what is encapsulated within the picture:

Postulate #1:  Optimizing Business Performance is the end goal; Visibility and Accountability is the method” highlights that optimizing business execution by providing management with visibility, efficiency, collaboration and accountability across the enterprise is the final objective of GRC.  The overlay and output of the program at the top of illustration identifies these outputs.


Postulate #2:  The more pieces of the business involved; the more complex the challenge but the greater the value” admits that GRC can turn complex as more pieces of the business are brought into the program.  The layers of Management, Functions and Operations depicted on the front of the cylinder shows this critical connection and when this bond is built, the value begins to truly impact the organization.


Postulate #3:  Great GRC programs are founded on Key Processes that guide the organization, make the end goals of risk and compliance personal and ultimately become part of the culture of the organization” underscores the need to have integrated, defined and responsive processes that bring cohesion to the GRC program.  This is denoted by both the GRC core of the cylinder and the flow of arrows indicating a continuous GRC lifecycle that connects GRC efforts through all layers of the organization.


And finally, Postulate #4:  The transactions and operations of the business come first and GRC must provide the framework to explore and exploit opportunities” recognizes that the GRC program must connect with the day to day business through the Transactions and Infrastructure that forms the foundation of the entire program.


The objective of the Reference Architecture is to help place processes, technology, projects or other components of a GRC program in the context of the bigger picture.  While the graphic may seem simple, it provides a multi-dimensional background to define where efforts are being initiated and help frame the discussion.   A picture may be worth a 1000 words but a concept as complex as GRC is difficult to capture in one picture.   Therefore, the Reference Architecture is just one tool available to help guide or frame a GRC program.


For those of you with access to the RSA Archer Community, I am pleased to offer this white paper, published in collaboration with the Archer Customer Advisory Council, as an overview of the architecture.  The paper also includes Guiding Principles and Key Objectives for GRC programs.  I hope this illustration, along with the “philosophical” framework with which the work was based, can help your organization create its own song sheet for its own masterpiece symphony – “Concerto No. 1 in GRC Major (success)”.

Filter Blog

By date: By tag: