What does ‘GRC’ stand for?
Governance, Risk, Compliance
Who is involved in the team?
Challenges that businesses face
Value/Cost
Aligning IT with Business requirement
Security
Managing Complexity
Regulatory compliance
What is GRC?
GRC is a set of processes and procedures to help organizations achieve business objectives, address uncertainty and act with integrity.
GRC also refers to a strategy for managing an organization’s overall governance, enterprise risk management and compliance with regulations.
What is the aim of GRC?
To protect corporate assets
What is the Governance?
Set the rules: Aligning IT objectives and operations with organizational/business objectives
How is governance involved with businesses?
Refers to the strategies and policies implemented by an organization to ensure that the IT systems align with the business goals
Structures, policies and practices are put in place to ensure that the controls are adequately communicated, carried out and enforced by engaging direction and support at the appropriate organizational level
What is Risk?
Ensuring the correct controls are in place and functioning
How is risk involved in business?
Involves identifying potential threats to systems and taking measures to mitigate them
Act of making decisions about the loss that the company is willing to accept given a breach of security, and building the appropriate risk mitigation strategies to reduce the risk to an acceptable range defined by the business.
What falls under risk management?
Risk: Potential loss/harm
Control: Safeguard
Type: Organization/Third Party
What is compliance?
Adhering to the legal and regulatory standards applicable to the organization’s IT systems
Conforming with stated requirements
Set out internally (policies)
Through extrinsic requirements (law/regulation/etc.)
Ensure that the controls are being adhered to on an ongoing basis/regularly to help reduce the risk and increase adherence to the governance intended by the organization
What are the steps to compliance?
Adapt
Audit
Monitor
What is audit?
Internal and external security audit -> Outcome of security certificate/reports
What is adapt?
Adaptation of compliance framework
What is monitor?
Continuous monitoring for process/system changes
What are the 8 functions of GRC?
GRC tools used
Archer (tool by RSA)
Practical Threat Analysis (PTA)
Open Risk & Compliance Framework and Tool (ORICO)
GPLI
STREAM
How does GRC help the industry?
It helps identify, assess and mitigate risk effectively and ensure compliance with regulations and industry standards, which helps to promote accountability and transparency in cybersecurity practices
What is the purpose of GRC?
It provides a structured framework for managing security efforts and aligns cybersecurity strategies with business objectives
What is IM8?
Instruction Manual(IM) 8
- It is a government policy that specifies IT security policies
- Requirement for the government sector
- All agencies must comply
What is the relationship between laws, regulations, standards, and security frameworks?
Laws and regulations state what must happen to protect information. Standards and security frameworks provide structured steps to plan, implement, test, and monitor those requirements.
What are some examples of sectors with different regulatory requirements?
Finance, credit card, healthcare, etc.
Government vs Private Sector
(Government must comply with IM8)
Regulated industries (Banks, medicine, power plant) have stricter regulations
Laws & Regulations - Finance
Sarbanes-Oxley Act (SOX) of 2002 - US law that was created to protect investors from fraudulent accounting activities by corporations.
Section 302
Purpose: To make company leaders accountable for truthful financial reporting and strong internal control systems.