The latest and greatest security acronym: GRC! Depending on whom you ask, it stands for Governance, Risk and Compliance or Governance, Risk and Controls; but what does it actually mean?
Because there is little academic research on the topic, a survey of GRC professionals produced the following widely accepted definition: “GRC is an integrated, holistic approach to organization-wide governance, risk and compliance ensuring that an organization acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness.”
With that definition more or less agreed upon, numerous diagrams followed, showing strategy, people, processes and technology interconnected with one another and tied by dotted lines to ethical behavior and to improvements in efficiency and effectiveness.
Does it really need to be that complicated?
From a governance and compliance standpoint, there are numerous regulations, standards and guidelines that can serve as the basis for a security framework, including but not limited to:
CObIT, FFIEC, PCI-DSS, HIPAA, GLBA, ISO27002 (formerly ISO17799, BS7799), MA 201 CMR17, NIST, SOX, MICS
Your organization will most likely need to comply with one or two of these standards, so what is the best approach? Pick the one that most directly matches your legal and industry obligations and implement its controls properly. In doing so you will find that many of those controls also satisfy the other standards. The overlap is substantial but not total, so keep a mapping of each control to the specific requirements it satisfies; that mapping is what lets you show an auditor for a second standard which requirements are already covered and which still need attention.
Here is a clear example of that overlap in the area of logical access control, as stated in four very different standards. Note that they fall into two groups: CObIT DS5.3 and HIPAA 164.312(d) require authentication (verifying that a user is who they claim to be), while FFIEC Objective 8 and PCI 7.1 require authorization (limiting what an authenticated user may access). One well-designed access control implementation satisfies all four:
CObIT DS5.3: Procedures exist and are followed to authenticate all users of the system (both internal and external) to support the existence of transactions.
FFIEC Information Security, B. Network Security, Objective 8: Determines that, where appropriate, authenticated users and devices are limited in their ability to access system resources and to initiate transactions.
PCI 7.1: Limits access to computing resources and cardholder information only to those individuals whose job requires such access.
HIPAA Security Rule, Technical Safeguard 164.312(d): Implements procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Where does risk fit in? Without knowing which risks threaten your business, its revenue or its reputation, you cannot protect it adequately. Identifying and qualifying those risks, whether they arise from people, processes or technology, is a prerequisite to selecting governance and compliance controls; skip it and you end up with controls that satisfy an auditor but do not address what would actually hurt the organization.
In conclusion, implementing a functional GRC program comes down to three steps, in order: conduct a Business Impact Analysis and risk assessment to determine RISK, determine what GOVERNS your industry or organization, and apply the COMPLIANCE and CONTROLS needed to meet the applicable standards.