Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
To develop a strong governance, risk management and compliance (GRC) program, start by assessing the current state of eight primary components, including roles/responsibilities, legal requirements, policies/procedures and more. Using that information,
we recommend leveraging a standard framework (e.g., NIST, COBIT, etc.) to build a GRC program that ensures enterprise risk is effectively mitigated to acceptably low levels while still meeting all compliance requirements. This piece explains the challenges
and offers recommendations for setting up a strong GRC program foundation.
While organizations discussed and practiced GRC for over two decades, it is still a challenge for many to establish a GRC program. And even those with established GRC programs struggle to determine their program’s effectiveness. Challenges of setting
up a GRC program include, but are not limited to:
Once those challenges are addressed, organizations should be vigilant in ensuring the components are maintained, updated appropriately, and followed consistently throughout the entire business over time.
To get started setting up a solid foundation for your organization’s GRC program, you should understand the GRC program’s current state. The following questions are categorized in eight key program areas. Answering them will help you determine
where your current GRC processes stand in terms of coverage and maturity. The answers can help lead you to determine the appropriate actions to take to fill the gaps and build a solid GRC foundation.
1. Roles and Responsibilities
2. Legal and Compliance Requirements
3. Policies and Procedures
4. Training and Awareness
5. Risk Management
6. Vendor and Supply Chain Risk Management
7. Program Management
8. New and Emerging Practices and Technology
Answering those questions will provide insights to guide your new director’s decisions about where to prioritize actions to build or improve the GRC program, and to support establishing timelines for meeting its needs going forward.
We recommend using established, widely accepted, and authoritative cybersecurity and privacy management frameworks to support your GRC program. Such frameworks should be well-vetted and kept up-to-date. They should be risk-based, and guide organizations
in making decisions based on not only data and cyber risk, but also compliance risk.
A GRC leader or director should consider taking the answers and resulting work products used to determine the current state and try incorporating them into the chosen framework. The associated guidance from the frameworks can be used to plan for actions
to take, support risk determinations and make decisions involving both compliance issues and cybersecurity risk mitigation. Such frameworks both help balance decisions and establish priorities.
Two sources for such recommended frameworks are NIST and COBIT.
NIST provides multiple cybersecurity and privacy risk management and compliance guidance documents. Organizations in all sectors, of all sizes, throughout the world use NIST guidance documents.
The following resources, used collectively, provide a comprehensive framework most organizations can implement (they also are generally kept up-to-date and provide a wide variety of supplemental guidance and other types of resources):
ISACA is a large, long-standing, worldwide professional membership association that has developed a wide range of security, privacy, and audit certifications over the years, in addition to frameworks used by hundreds of thousands of organizations worldwide.
Its most recent COBIT 2019 framework provides guidance to help information assurance practitioners integrate the industry standards, guidelines, regulations, and best practices
in a customized way into business enterprise ecosystems.
The COBIT 20219 framework defines:
It is also flexible and allows guidance on new topics to be added.
We suggest beginning by reviewing the answers to the eight categories of questions used to determine your GRC program’s current state to help guide their areas of focus and set some associated timelines. From there we recommend using your established
experience and expertise to:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
September 19, 2023
By IANS Faculty
Discover the diversity of IANS Faculty's real-world expertise. Learn how our faculty members can help you solve your most challenging security issues.
September 14, 2023
Learn how to use a three-step approach to defending and managing public and private APIs while avoiding common mistakes.
September 12, 2023
Understand the main differences between first- and second-gen SAST tools and learn how to determine which will work best for your environment.