Building out a governance, risk management and compliance (GRC) program requires controls and frameworks to push consistency, build inventories and standardize processes. You need to engage with compliance, security, IT, finance and more to build a cross-functional task force. This piece provides steps to flesh out your GRC program using key components of risk management.
Cybersecurity Maturity: GRC and Org Teamwork
Cybersecurity maturity and GRC compliance don’t happen in a vacuum and don’t fall on the shoulders of one team. In all larger organizations, legal, finance, IT, information security, infrastructure, development and other groups must work together, particularly when it comes to addressing your GRC program.
This requires people to have enough time to meet and discuss, as well as the political will to create the appropriate committees, groups and task forces. This is almost impossible for all but the biggest companies, as it requires a high level of efficiency, organization and preparation.
How GRC Programs Connect to the Organization
Most GRC programs rely on risk registers, questionnaires and a few data-gathering sources, such as vulnerability scanners or asset scanners. Unfortunately, these usually exist in a disjointed environment, where the concept of policy, the implementation of process and the operationalization of procedure do not exist. Understanding the true place compliance and risk hold in a coherent environment is difficult and requires a maturity level most companies don’t reach for a long time, if ever.
What does a coherent GRC environment look like? Such organizations have:
- Asset inventories and information inventories that provide context for the data flow diagrams.
- Data classification schemas that provide the levels of data needed to decide which controls to wrap around which classification level.
- Data owner reviews that enable quick feedback and calibration as to who should have access to what data and levels of data.
- Identity and access management (IAM) that uses the data owner reviews to clear up and clean up entitlements in Active Directory (AD), so that only the right people have access.
All these elements come together with the risk committee, vendor risk management committee, policy committee and other bodies. These groups work together to provide context, content and coherent application of quantifiable risk to appropriate libraries of classified, known data.
How to Create a GRC Team Environment
What can your organization do to take these interweaving parts and create a coherent environment? Take the following steps:
- Build a risk committee that answers to the chief financial officer (CFO): The person holding the purse strings understands the quantification (in dollars) of risk and grasps the idea that you must spend money to save money by addressing massive amounts of risk.
- Build a set of diagrams to communicate risk prevention needs: These diagrams should include:
  - Data classification levels
  - Data flow diagrams
  - Asset inventory
  - Information inventory
  - Roles (for role-based access control)
  - Functional data libraries
- Determine who has access to the library of accounts payable data: Does literally all of accounting have access?
- Determine which systems touch what data and who has access to which data, applications and systems: You want to understand what you have, where it is and who has access to it. Know how each level of data is locked down and which security control frameworks are used to do so. Once you have this information, you’re in a far better position to evaluate risk objectively and correctly.
- A word of warning: Using fear, uncertainty and doubt (FUD) to scare the C-suite into releasing budget is a horrible idea that has come to the fore over the past five years or so. That is one more reason to advocate compliance and standards authorship instead.
Tips for a Strong GRC Program
Some of the tasks ahead can be boring. Performing asset inventory, proper patch management and anomaly detection aren’t the most exciting tasks, but they are absolutely fundamental to maintaining a healthy GRC program.
As you expand and strengthen your program, strive to:
- Be detailed: When presenting to the board, always be prepared to provide specific details to help them understand the level of risk.
- Don’t go it alone: Build a cross-functional risk committee reporting to the CFO.
- Check your work—and everyone else’s: Just because someone at your organization has been building data flow diagrams or risk management frameworks doesn’t mean they’ve been building them properly. Verify the documentation you’re working from is accurate and handled appropriately.
Performing risk evaluation and quantification correctly is tedious, not glorious. There’s no thrill of catching the bad guy. What you’re really doing is securing the data so the bad guy can’t get in.