Governance, Risk, and Compliance (GRC)

What is Governance, Risk Management and Compliance (GRC) in relation to cybersecurity?

Introduction to GRC

Governance, Risk, and Compliance (GRC) are functions performed by security teams to ensure that the company is acting responsibly, meeting industry and government regulations, and protecting its assets. These functions are critical to the success of any organization.

One way that GRC helps organizations is by providing a structured approach to aligning IT with business goals. This is important because it ensures that IT is being used in a way that supports the organization as a whole. GRC also helps manage risks by identifying and mitigating them. This can help companies avoid costly mistakes and be better prepared for unexpected events.

In addition, GRC provides tools and processes to unify an organization's governance and risk management with its technological innovation and adoption. This ensures that new technologies are being implemented in a way that is consistent with the company's goals and values. By doing so, organizations can avoid the risks of technology adoption and ensure that they are using technology to its fullest potential.

Overall, companies use GRC to achieve organizational goals, remove uncertainty, and meet compliance requirements. GRC is an essential part of any organization's security program and should be taken seriously.

Governance

Governance refers to the security program of an organization and the processes and procedures that are put in place to achieve the program's objectives. The business objectives drive governance. Although there are different types of governance, such as public and private, that may be applicable to specific sectors and organizations, this section focuses on internal or corporate governance. It encompasses the set of policies, rules, or frameworks that a company uses to achieve its business goals. Governance defines the responsibilities of key stakeholders, such as the board of directors and senior management.

Policy Hierarchy

There are differing naming conventions for each type of instruction set discussed here; however, the NSW Government's Digital NSW department provides a useful synopsis of the different types of documentation required to effectively communicate and manage governance. Policy is a tool that should be developed to protect the organization and its employees.

In that model, governance is split into four key categories:

  • Strategic Objectives and Purpose: High-level documentation provided as a course of action. (Example: Acceptable Use Policy)

  • Specific Requirements: Medium-level documentation, identifies criteria to follow when applying policies. (Example: NIST CSF)

  • Task Instructions: Lower-level documentation that provides instruction statements for employees to follow. (Example: Incident Response Playbook)

  • Tools Required by Task Instructions: The most specific instructional documentation, providing step-by-step or configuration detail. (Example: Windows Server Hardening Configuration)

Governance Resources

Risk Management

Risk management is a method that organizations use to address potential issues that may disrupt their business. It enables them to prepare for negative situations that may occur in the future. Risk management is particularly vital for security personnel as it can prevent potential issues from happening.

Businesses can encounter various types of problems, including financial difficulties, legal issues, or security concerns. Risk management can assist businesses in identifying these risks and developing strategies to mitigate them. Risk management programs help businesses identify potential problems, analyze their systems to detect issues, and provide solutions to resolve them.

Moreover, implementing a robust risk management program enables businesses to prevent potential issues by creating guidelines and procedures to stop issues before they occur. This involves conducting regular checks, developing contingency plans in case of an issue, and training employees on how to handle such situations. By preparing for potential issues, businesses can continue to operate and avoid losing anything important. Risk management is a crucial aspect of any organization's long-term success plan.

Risk Management Process

Risk Management consists of several key processes and activities. It is considered a long-term, continuous approach to managing security risks: lapses are identified and appropriate risk mitigations are decided on continuously, in place of applying static security controls without operational or strategic business context. One of the core Risk Management frameworks, ISO 27005 - Information security, cybersecurity and privacy protection — Guidance on managing information security risks, defines the Risk Management process as shown in the image below.

Compliance

Compliance is a critical process that ensures an organization's information systems are secure. It involves implementing, enforcing, and assessing security controls against regulatory or contractual obligations, especially in industries like healthcare where laws such as HIPAA are mandatory. Compliance also involves following internal corporate policies.

In GRC, compliance means creating procedures that ensure business activities comply with regulations. This can include creating policies, procedures, and controls that outline how an organization plans to comply with specific regulations. Compliance also requires ongoing monitoring and review of these procedures to ensure they remain effective over time.

Although compliance is often seen as a burden on organizations, it also has many benefits. Compliance can improve an organization's reputation by demonstrating a commitment to protect sensitive information and customer privacy. It can also reduce the risk of legal or financial penalties that may result from non-compliance.

Compliance Examples

Compliance requirements can wildly differ, dependent on sector, region, business objectives and many other factors. Identification of required compliance regulations can be a daunting task and may take specialized consulting or audit assistance. Some of the more common frameworks and standards are listed below.

Framework/Standard | Description
-------------------|------------
                   | United States federal law that mandates certain practices in financial record keeping and reporting for corporations.
                   | United States regulation that defines standards for the protection of health information.
                   | Australian law that defines standards for the protection of personal and sensitive information.
                   | European Union (EU) law that defines standards for the protection of personal and sensitive information.
                   | A suite of optional controls and accreditations to verify an organization's compliance with organizational and technical controls surrounding security programs.
                   | A set of standards that ensure the security of financial and personal information for organizations dealing with credit card information and transactions.
                   | An optional set of controls and accreditation to verify an organization's compliance with handling sensitive information.

GRC Capability Model

The GRC Capability Model is a comprehensive set of guidelines designed to help companies implement GRC and achieve principled performance. It provides a framework that ensures effective communication, policies, and training to help organizations take a cohesive and structured approach to incorporating GRC operations across their business systems.

Learn

The first step towards achieving GRC proficiency is to learn about the context, values, and culture of your company. This initial phase is crucial in defining strategies and actions that can reliably achieve your objectives. By gaining an in-depth understanding of your company's culture, you can identify areas that require improvement and develop effective GRC strategies that align with your business goals.

Align

Once you have gained an understanding of the context, values, and culture of your company, it is essential to ensure that your strategy, actions, and objectives are in alignment. This can be achieved by considering opportunities, threats, values, and requirements when making decisions. By aligning your strategy with your business goals, you can maximize your company's performance, reduce the risks of non-compliance, and ultimately achieve better results.

Perform

GRC encourages you to take actions that bring results, avoid those that hinder goals, and monitor your operations to detect sudden changes. This step is crucial to ensure that your business achieves its objectives and that risks are minimized. By continuously monitoring your operations, you can identify areas that require improvement and implement effective strategies that align with your business goals.

Review

The final step in the GRC Capability Model is to revisit your strategy and actions to ensure they align with your business goals. Regulatory changes, new business requirements, and changes in the industry landscape may require a change of approach. By regularly reviewing your strategy and actions, you can ensure that you are always aligned with your business goals and that you achieve the desired results.

Resources
