To develop a strong governance, risk management and compliance (GRC) program, start by assessing the current state of eight primary components, including roles/responsibilities, legal requirements, policies/procedures and more. Using that information,
we recommend leveraging a standard framework (e.g., NIST, COBIT, etc.) to build a GRC program that ensures enterprise risk is effectively mitigated to acceptably low levels while still meeting all compliance requirements. This piece explains the challenges
and offers recommendations for setting up a strong GRC program foundation.
While organizations have discussed and practiced GRC for over two decades, establishing a GRC program is still a challenge for many, and even those with established GRC programs struggle to determine their program's effectiveness. Challenges of setting
up a GRC program include, but are not limited to:
Once those challenges are addressed, organizations should be vigilant in ensuring the components are maintained, updated appropriately, and followed consistently throughout the entire business over time.
To get started setting up a solid foundation for your organization's GRC program, you should understand the GRC program's current state. The following questions are categorized in eight key program areas. Answering them will help you determine
where your current GRC processes stand in terms of coverage and maturity, and the answers can help you determine the appropriate actions to take to fill the gaps and build a solid GRC foundation.
1. Roles and Responsibilities
2. Legal and Compliance Requirements
3. Policies and Procedures
4. Training and Awareness
5. Risk Management
6. Vendor and Supply Chain Risk Management
7. Program Management
8. New and Emerging Practices and Technology
Answering those questions will provide insights to guide your new GRC director's decisions about where to prioritize actions to build or improve the GRC program, and to support establishing timelines for meeting its needs going forward.
We recommend using established, widely accepted, and authoritative cybersecurity and privacy management frameworks to support your GRC program. Such frameworks should be well-vetted and kept up-to-date. They should be risk-based, and guide organizations
in making decisions based on not only data and cyber risk, but also compliance risk.
A GRC leader or director should take the answers and the resulting work products used to determine the current state and incorporate them into the chosen framework. The associated guidance from the framework can then be used to plan the actions
to take, support risk determinations and make decisions involving both compliance issues and cybersecurity risk mitigation. Such frameworks help both balance decisions and establish priorities.
Two sources for such recommended frameworks are NIST and COBIT.
NIST provides multiple cybersecurity and privacy risk management and compliance guidance documents. Organizations in all sectors, of all sizes, throughout the world use NIST guidance documents.
The following resources, used collectively, provide a comprehensive framework most organizations can implement (they also are generally kept up-to-date and provide a wide variety of supplemental guidance and other types of resources):
ISACA is a large, long-standing, worldwide professional membership association that has developed a wide range of security, privacy, and audit certifications over the years, in addition to frameworks used by hundreds of thousands of organizations worldwide.
Its most recent COBIT 2019 framework provides guidance to help information assurance practitioners integrate the industry standards, guidelines, regulations, and best practices
in a customized way into business enterprise ecosystems.
The COBIT 2019 framework defines:
It is also flexible and allows guidance on new topics to be added.
We suggest beginning by reviewing the answers to the eight categories of questions used to determine your GRC program's current state, using them to guide the program's areas of focus and to set some associated timelines. From there we recommend using your established
experience and expertise to:
October 19, 2021
By IANS Faculty