Rules and standards define the integrity of a business. Externally, they help to build trust, prove competence, and establish guidelines. Internally, they specify and create an action plan that supports resilience and assures compliance.
Within today’s world of cybersecurity, implementing Governance, Risk Management, and Compliance (known as GRC) is a necessity. Practicing GRC helps an organization build resilience by identifying risk early and then working to reduce it to an acceptable level. It engages technical practitioners in developing, evaluating, and following a set of internal rules and instructions that establish the measures to be taken during adversity, while meeting recognized standards for risk management and regulatory compliance.
Role One: Governance
Governance is the collection of procedures an organization puts in place to maintain and manage its security program as that program matures. Sometimes described as ‘controlled security activities’, governance is used to align the IT security program with the needs of the business as they stand today, and with its goals and growth in mind.
A maturity model is a framework used to determine the current state and effectiveness of a process, system, or organization, and to identify the next step required to improve. Used as part of an effective IT environment, a maturity model consists of stages or levels, each representing a higher degree of maturity or capability than the one before it.
For business processes to keep running during a security event, an incident management plan must be in place. It establishes an easy-to-follow battle rhythm for making decisions and improving the security infrastructure. To minimize impact and restore normal operation as quickly as possible, the plan lays out the steps the business must take in order to respond appropriately to a security incident or breach.
A successful incident management plan supports the company’s strategic objectives without violating company values, obligations to personnel, or legal requirements. It contains detailed procedures for responding to security incidents, along with a process for communicating with the relevant people, inside and outside the organization.
Establishing governance is essential in guiding an organization on the right path as it continues to work towards meeting projected business goals and full potential, in a safe yet fruitful way.
Role Two: Risk Management
Risk management is the process of identifying risks, assessing their likelihood and impact, and treating them so that what remains is at a level the business is willing to accept. It is an ongoing activity: the current situation is evaluated continually, and controls are adjusted as threats and the business change.
To help businesses generate proactive plans of action, risk management recognizes several response strategies. The four main approaches are: Mitigation (reduce likelihood or impact with controls), Avoidance (stop the activity that creates the risk), Acceptance (knowingly carry the residual risk), and Transfer (shift the financial consequence to another party, for example through insurance or a contract).
Whichever strategy is chosen, the controls used for mitigation must be measured. For access controls such as biometric or risk-based authentication, two useful metrics are the False Rejection Rate (FRR) and the False Acceptance Rate (FAR). The FRR is the proportion of valid access attempts that the control wrongly rejects; the FAR is the proportion of invalid access attempts that it wrongly accepts. A low FRR together with a low FAR indicates that the control is accurately distinguishing valid from invalid access attempts. The caveat a practitioner should keep in mind is that the two rates pull against each other: both are set by the same decision threshold, so tightening it to drive FAR down normally pushes FRR up, and the business has to choose where on that curve it wants to operate.
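The trade-off described above, as an added worked example that is not part of the original article: the script below computes FRR and FAR for a hypothetical score-based access control at several decision thresholds and finds the threshold where the two rates are closest (the equal error point). The genuine and impostor match scores are constructed for illustration, and the threshold list is an assumption of this example.

```python
"""Added example: FRR and FAR for a score-based access control.

An access control produces a match score for every attempt and accepts
the attempt when the score is at or above a decision threshold.  FRR and
FAR are then simple proportions over labelled attempts, and sweeping the
threshold shows that lowering one rate raises the other.
"""

# Constructed sample data for this example: match scores for ten legitimate
# users (genuine) and ten attackers (impostor).  Higher means "more like the
# enrolled user".  Real data would come from an authentication log.
GENUINE_SCORES = [0.95, 0.90, 0.88, 0.85, 0.80, 0.78, 0.70, 0.65, 0.55, 0.40]
IMPOSTOR_SCORES = [0.60, 0.55, 0.50, 0.45, 0.42, 0.35, 0.30, 0.25, 0.20, 0.10]

# Assumed threshold grid to sweep over (not from the article).
THRESHOLDS = [0.3, 0.4, 0.5, 0.6, 0.7, 0.8]


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) when attempts scoring >= threshold are accepted.

    FRR: share of genuine attempts rejected (score below threshold).
    FAR: share of impostor attempts accepted (score at or above threshold).
    """
    if not genuine or not impostor:
        raise ValueError("need at least one genuine and one impostor attempt")
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def sweep(genuine, impostor, thresholds):
    """Return a list of (threshold, FRR, FAR) rows for each threshold."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def equal_error_threshold(genuine, impostor, thresholds):
    """Threshold in the grid where |FRR - FAR| is smallest.

    This is the usual single-number summary of a control's accuracy; a
    business that cares more about keeping attackers out than about user
    friction would deliberately operate above it.
    """
    return min(thresholds, key=lambda t: abs(sum(error_rates(genuine, impostor, t)) - 2 * error_rates(genuine, impostor, t)[1]))


if __name__ == "__main__":
    print("threshold  FRR   FAR")
    for t, frr, far in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS):
        print(f"   {t:.1f}     {frr:.1f}   {far:.1f}")
    eet = equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS)
    print(f"equal error point near threshold {eet:.1f}")
```

On the constructed data, a threshold of 0.5 rejects one legitimate user in ten (FRR 0.1) but admits three impostors in ten (FAR 0.3); raising it to 0.7 drives FAR to zero at the cost of rejecting three legitimate users in ten (FRR 0.3). The equal error point sits at 0.6. The point for a risk owner is that "effective" has to be defined as a chosen balance, not as both rates being low at once.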
Another form of mitigation is the introduction of new security systems. Newer systems often bring capabilities that allow a threat to be detected before it is exploited, along with better data protection, faster incident response, continuous monitoring, and easier evidence of compliance. Any new system, however, is itself a change to be assessed and brought under governance.
Because technology keeps evolving and new vulnerabilities keep appearing, compromise can never be ruled out entirely; some residual risk always remains. Risk management helps to identify and evaluate the risk level so that remediation can be proposed that reduces, or where possible eliminates, the potential impact. Risk management processes base their evaluations on the business entity as a whole, not on individual systems in isolation.
Role Three: Compliance
Compliance is the means by which an organization’s operations are brought into line with the laws, regulations, and third-party requirements that apply to it, so that it can conduct business appropriately within a particular market. An organization must adhere to the obligations set out in its contracts and give effect to them through internal directives and policies. Compliance is commonly associated with privacy law, though it extends well beyond it.
One type of compliance familiar to most small business owners is regulatory compliance. This requires an organization to follow the local and international laws relevant to it in order to conduct business within that environment. One example might involve a U.S. company doing business within Europe. This company would be required to respect two sets of rules:
In addition, some organizations are subject to third-party review, in which they are audited by an outside party. Public companies covered by the Sarbanes-Oxley (SOX) Act, for example, must have their financial reporting controls attested by an independent auditor, and suspected violations can lead to formal investigation. Because financial reporting depends on IT systems, these reviews examine IT general controls (access, change management, and the like) and can surface collusion or fraud carried out through those systems.
Financial institutions and others operating high-risk systems must comply with the local, state, and federal laws appropriate to their line of business. Adhering to such regulations may require implementing specific security controls and procedures, and reviewing and updating them regularly so they remain effective.
When implementing a GRC program in your business, there are several steps to take in order to be sure that you are operating in a legal, ethical, and compliant manner and that the program is effectively managing risk. Here are steps toward establishing GRC in a business:
Although GRC does not by itself prevent a breach, it is a strong line of defense when one occurs. Incidents are better managed when policies already in place spell out each person’s responsibilities and the role they play in maintaining order.
As a framework for resilience and integrity, GRC is vital to keeping your company’s data and infrastructure safe. It belongs among your company’s core best practices.
In this day and age, practicing GRC on paper alone is not enough. GRC in cybersecurity often requires a company to document the operational processes the business depends on and to verify that they run within the agreed risk tolerance. Governance, risk management, and compliance need to move in the same direction, together.
Cybersecurity risks need to be identified and assessed as part of the business risk management process, because of the impact such risks have on legal and regulatory standing and on reputation. A cybersecurity risk assessment identifies threats and evaluates their likelihood and potential impact. Once risks are identified, a risk management plan is developed to mitigate or, where possible, eliminate them. From there, controls and procedures are implemented; these may include measures such as deploying firewalls, running an intrusion detection system, and training employees in prevention.
Overall, effective GRC and cybersecurity practices matter well beyond the walls of the company. Following them is pivotal to protecting an organization’s assets and maintaining the trust of employees, customers, and stakeholders.