GRC Overview
What is GRC?
Governance
G stands for Governance, defined as “the way rules, norms & actions are
structured, sustained, regulated, and held accountable.”
Initiatives for Governance include:
Establishment of processes & policies.
Shaping your organizational structure.
Working towards business goals.
In practice, the ultimate goal of Governance is to align your organization’s
operations with its business objectives, ensuring that day-to-day activity is
in line with what the organization is actually trying to achieve.
Risk
R stands for Risk. Risk is the possibility or chance of loss, adverse effect(s),
danger, or injury.
The Risk initiative is to protect your business objectives. This is done by either:
1. Predicting circumstances that may occur (being preventative).
2. Addressing issues that you are already aware of (being reactive).
By leveraging the OneTrust platform, your organization gains access to a
suite of tools designed to manage risk effectively. From predictive analytics
to proactive monitoring, these tools can significantly enhance your risk
management capabilities, ensuring your business objectives are always on
track.
Compliance
C stands for Compliance, which is defined as ensuring your company and
employees follow the laws, regulations, standards, and ethical practices that
apply to your organization.
Compliance initiatives are not rigid structures but rather adaptable
boundaries. These boundaries can take two forms:
1. Mandated by laws and regulations that oversee your jurisdiction.
2. Voluntary, where your company chooses to follow a policy, procedure,
standard, and/or framework.
Again, the OneTrust platform can provide you with the tools to meet either of
these requirements.
Terminology
Controls
Controls are security measures against which you and your organization
evaluate inventory items and risks. They can be tied to different security
standards/frameworks prepopulated in the OneTrust platform or custom-
created by your organization.
Controls are safeguards or countermeasures to avoid, detect, counteract, or
minimize security risks to physical property, information, computer systems,
or other assets.
Security standards framework
A series of documented processes that are used to define
policies and procedures around the implementation and
ongoing management of information security controls in an
enterprise environment.
Control library
Includes controls from recognized frameworks and custom controls which your
organization can use to evaluate and describe the security and privacy
requirements you have for vendors within the OneTrust application.
Control implementation
Organizations can use controls to evaluate and describe the
security and privacy requirements necessary for vendors.
For example, if you’re using the Access Control control, which is part of the
ISO 27001 standard/framework, for 4 different assets, you’d have 1 record of
that control in the Controls Library, but 4 records of Control
Implementations, one for each asset use case.
To simplify, Security Standards/Frameworks
have controls that you can add to your
Controls Library in OneTrust. You can then
implement those controls in several different
areas of your business.
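As an added illustration of the one-to-many relationship described above (example code written for this page, not OneTrust's data model; the control id CTRL-AC and the asset names are constructed), the library holds one record per control while each asset gets its own implementation record, and the coverage check lists assets that still lack one:

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Control:
    """One record in the Controls Library (CTRL-AC is a constructed id)."""
    control_id: str
    name: str
    framework: str

@dataclass(frozen=True)
class ControlImplementation:
    """One record per asset (or other inventory item) that applies a library control."""
    control_id: str
    asset: str
    status: str = "Not Implemented"

@dataclass
class ControlsLibrary:
    controls: dict = field(default_factory=dict)
    implementations: list = field(default_factory=list)

    def add_control(self, control: Control) -> None:
        # The library holds exactly one record per control, however often it is used
        if control.control_id in self.controls:
            raise ValueError(f"{control.control_id} already in library")
        self.controls[control.control_id] = control

    def implement(self, control_id: str, asset: str, status: str = "Not Implemented") -> ControlImplementation:
        # An implementation must point at an existing library control
        if control_id not in self.controls:
            raise KeyError(f"{control_id} not in Controls Library")
        impl = ControlImplementation(control_id, asset, status)
        self.implementations.append(impl)
        return impl

    def implementations_for(self, control_id: str) -> list:
        return [i for i in self.implementations if i.control_id == control_id]

    def uncovered_assets(self, control_id: str, assets) -> list:
        """Assets that should use this control but have no implementation record yet."""
        covered = {i.asset for i in self.implementations_for(control_id)}
        return [a for a in assets if a not in covered]

def build_example() -> ControlsLibrary:
    """The page's scenario: Access Control from ISO 27001 applied to 4 assets (constructed names)."""
    lib = ControlsLibrary()
    lib.add_control(Control("CTRL-AC", "Access Control", "ISO 27001"))
    for asset in ("HR database", "Payroll application", "VPN gateway", "Backup server"):
        lib.implement("CTRL-AC", asset, "Implemented")
    return lib
```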
Standards/Frameworks
The table below contains some commonly used
standards/frameworks.
Name | Abbreviation | Industry
Cloud Security Alliance / Cloud Controls Matrix | CSA CCM | Cloud Computing Environments
Federal Risk & Authorization Management Program | FedRAMP | Government-wide approach to security assessment, authorization, & monitoring for cloud products & services
International Organization for Standardization (issued & maintained by the International Organization for Standardization) | ISO27001 | Information Security Management Systems (ISMS)
National Institute of Standards & Technology Publication 800-53 | NIST 800-53 | United States federal information systems (excluding those related to national security)
Center for Internet Security | CIS Controls | Computer & Cyber Security
American Institute of Certified Public Accountants’ Trust Services Criteria Service Organization Control 2 | AICPA TSC SOC2 | Audit procedure to ensure the protection of sensitive data
Keep inventory updated
Risks identified on inventories:
Assets
Processing Activities
Entities
Vendors
It's crucial that we address the risks associated with our assets, processing
activities, entities, and vendors. To do so, we need to ensure they’re all in
our system, ready for us to make those vital connections.
This may sound like a lot of work, but it doesn’t have to be. The OneTrust
platform can connect templates to an inventory item and send an
assessment using that template to the person who knows that inventory
object best. They’ll answer the questions in the assessment and send them
back, and we can have their answers update the inventory objects in the
system.
Create risk scoring plan
Your company will need to:
Assess Inherent vs. Residual Risk Level.
Document Business Process.
The next consideration is ensuring we have a method to prioritize risks that
we find using this strategy. We have two methods in OneTrust: the matrix
and standard, both of which we will see. However, determining which to use
and exactly what will constitute a high vs. medium vs. low risk is going to be
a cross-team decision in your organization.
The security team, privacy team, IT group, legal department, and others will
all need to be in sync with what these different levels constitute. OneTrust
can make it happen, but your business will need to create that plan itself.
Identify risk assessments
Now that we have a risk scoring plan and inventory objects to associate with
risk, we can start identifying risks. There are multiple ways to do this:
Manually add all the risks into your system:
o This is labor intensive and creates a margin of error.
o Risks could also slip through the cracks.
Use assessments:
o The same assessments that update our inventory object details
can also auto-create risks based on how certain questions are
answered.
o This is done by configuring a Rule within the assessment itself.
Your company will need to:
Review Assessment Templates
Conceptualize Assessment Responses
Produce Proper Automation
Understanding related controls
Understanding what controls you will need to manage the risks you prepared
for when you identified your risk assessments is essential.
What industry are you in?
Do the controls from the common security standards/frameworks have what
you need?
Will you need any additional custom controls?
Once you've identified the controls you need, it's crucial to add them to your
Controls Library. This step is not only important for risk mitigation but also a
necessity for using other GRC modules, such as Audit Management and
Enterprise Policy Management.
Risk Scoring Methodology
You can configure the application to use a risk heatmap to quantify risks
based on impact and probability.
Risks are rated using heatmap scores between 1 and 25, with one being the
lowest. Both the level of impact and the probability of the risk occurring are
used to select the level of risk and assign a score.
Our application allows you to configure the labels on the heatmap to use
specific terms in association with certain levels of impact or probability. This
flexibility ensures that the heatmap is tailored to your specific risk
management needs. Once you configure risk scoring, you can navigate to
the Risks tab of an inventory record to view a breakdown of risks per risk
category.
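The scoring model below is an added example, not OneTrust's own implementation; it assumes a 5x5 grid where the heatmap score is impact multiplied by probability (1 to 25), uses constructed High/Medium/Low cut-offs and sample risks, and also checks that residual risk never exceeds inherent risk (the distinction from the scoring plan above):

```python
from dataclasses import dataclass

# Assumed heatmap model (not OneTrust's exact formula): impact and probability
# rated 1..5, score = impact x probability, so scores run from 1 to 25.
IMPACT_LABELS = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}
PROBABILITY_LABELS = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
# Level cut-offs are a cross-team decision; these are constructed values.
LEVEL_THRESHOLDS = ((15, "High"), (6, "Medium"), (1, "Low"))

@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    inherent: tuple  # (impact, probability) before controls
    residual: tuple  # (impact, probability) with controls applied

def heatmap_score(impact: int, probability: int) -> int:
    """Return the 1..25 heatmap score; reject ratings that fall off the 5x5 grid."""
    if impact not in IMPACT_LABELS or probability not in PROBABILITY_LABELS:
        raise ValueError(f"off-grid rating: impact={impact} probability={probability}")
    return impact * probability

def risk_level(score: int) -> str:
    """Map a heatmap score to the configured High/Medium/Low label."""
    return next(label for threshold, label in LEVEL_THRESHOLDS if score >= threshold)

def score_risk(risk: Risk) -> dict:
    """Score inherent and residual risk; residual above inherent is a data error."""
    inherent, residual = heatmap_score(*risk.inherent), heatmap_score(*risk.residual)
    if residual > inherent:
        raise ValueError(f"{risk.name}: residual {residual} exceeds inherent {inherent}")
    return {"inherent": (inherent, risk_level(inherent)),
            "residual": (residual, risk_level(residual))}

def breakdown_by_category(risks) -> dict:
    """Count residual risk levels per category, as the Risks tab breakdown does."""
    out = {}
    for r in risks:
        bucket = out.setdefault(r.category, {"High": 0, "Medium": 0, "Low": 0})
        bucket[score_risk(r)["residual"][1]] += 1
    return out

# Constructed sample risks, as they might be attached to inventory items
SAMPLE_RISKS = [
    Risk("Unpatched VPN gateway", "Vulnerability", (5, 4), (5, 2)),
    Risk("Vendor lacks SOC 2 report", "Third Party", (4, 3), (3, 2)),
    Risk("Stale joiner/leaver process", "Access", (3, 4), (2, 2)),
]
```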
Enterprise Policy Management
The Enterprise Policy Management module provides the ability to create and
manage policies, standards, and internal control procedures that can be
cross-mapped with external regulations and best practices. In OneTrust,
policies can be linked to controls, related to inventory objects, managed in
one centralized location, and easily shared to assist in streamlining end-to-
end business workflows.
Policies
What do policies do?
Clarify the expected output and behavior of an organization’s members in
the context-specific to that organization.
Why do we need them?
Guide daily workplace activities
Promote compliance with laws & regulations
Provide a strategic viewpoint for decision making
Aid in simplification of processes
DETERMINE POLICIES NEEDED
There are many questions to answer when determining which policies are
needed.
Examples are:
1. Is this a policy we are proactively creating in anticipation of
needing it later?
2. Or, is this a policy we are creating reactively or in response to a
need that has come up?
3. Is this policy regarding expected behaviors and outputs internal to
our organization, or is it an effort that extends beyond our
company’s borders (externally)?
AUTOMATION RULES
Automation rules serve as a great way to prompt you when a policy is:
o soon to go into effect
o left stagnant/dormant within a specified stage.
These can be done using time triggers against workflow stages and
policy detail attributes.
When writing a policy, identify the intended audience. Ensure the wording, length, and complexity
are appropriate for them.
What is a Breach Response Plan?
A breach response plan can be defined as the use of specific
record-keeping, the assignment of directly responsible individuals,
and defined process workflows to respond to a breach incident.
Put simply, it provides a guideline for organizations to follow
each and every time a breach is discovered.
STREAMLINE INCIDENT REPORTING
There are two ways you can streamline incident reporting:
Webforms to report incidents
o A majority of OneTrust clients use web forms to report an
incident because it is an easy and seamless process. This will be
demonstrated in one of the exercises in the next section.
Assessments to gather additional information & detailed descriptions
of events
o An Assessment can be used to report incidents or to collect more
details about the incident.
o In the assessment template builder, there is a question type
labeled "Incident Question." You can set these assessment
questions to populate details within incidents and set up different
types of assessments to report on specific details depending on
the reported incident type.
ASSIGN RISKS
Assign Risks and Tasks
One of the tasks we’ll be completing in this exercise is for our incident to
trigger an automatic email to our hypothetical company’s Chief Information
Officer (CIO). This is one of several ways to assign directly responsible
individuals (DRIs) to specific target aspects of an incident. Risks and tasks
within a workflow can be assigned to specific owners. This means that when
an incident occurs, if you assign a risk with a specified DRI you are better
able to:
Centralize communication
Track accountability
Improve response times
What is Audit Management?
The Audit Management Module automates the work streams of audit teams,
optimizing resources and productivity. It also assesses an organization's
management methods and policies in resource administration, tactical and
strategic planning, and employee and organizational improvement.
What is the objective of Audit Management?
The objectives are to:
Simplify and organize the workflow and collaboration process of
compiling audits
Ensure that it is board-approved
Internal Audit Teams
Internal Audit teams commonly report to an Internal Audit Committee that is
independent of management, to ensure unbiased reporting.
The internal audit team functions include:
Evaluating the risk management culture and identifying risk factors
within all systems, processes, and procedures
Evaluating control and design implementations
Testing controls to ensure their proper operation
Parts of an Audit
OneTrust's Audit Management tool has many components that work
together to build a comprehensive picture of compliance within a given
standard or framework.
Details
The details of an audit in the OneTrust tool identify the major components of
the audit in question. To perform and track an audit efficiently, we need to
understand what framework we are auditing. What is the goal of the audit?
Who is involved?
Workpaper
Workpapers track specific tasks and findings for each control/control
implementation.
Controls are usually populated and updated via frameworks, and the
individual controls come from the frameworks assigned to each audit.
Scope
The scope of the audit identifies a comprehensive list of controls and control
implementations, as well as specific assignments for auditing those
individual controls.
Findings
Findings are populated on the OneTrust tool both in the audit itself and in the
individual workpapers that make up the audit. This allows for one
centralized location for users to review, address, and add action plans to the
findings associated with all controls involved in the audit.
Findings are where specific areas of improvement within a given framework
are identified.
Define the audit scope
In OneTrust, you can provide auditors with read-only access to compliance
controls, evidence, and assessments. Three tasks are recommended when
defining the scope of your audit.
Select risk or framework:
o OneTrust allows you to track and integrate your controls from
your Controls Library into the Audit Management Process.
Plan Workpaper:
o You must plan your workpaper, which is the document that
records evidence obtained during an audit. This evidence can
include financial statements, internal management documents,
details about information systems, etc.
Assign Auditor:
o You need to assign your auditors to which workpapers they
should review. Remember that the auditing team should be
independent of management to ensure unbiased reporting.
Test Controls
In Incident Management, we covered the best practice of testing your breach
response plan. From an Audit perspective, you should also test the following
aspects of your controls:
Review control implementation – Configure Control Library in ITRM
module for a better experience
Design & Effectiveness
Dynamic Record of Activity
Consolidate findings
The process to consolidate the findings will look like this:
Collect evidence
Review past audit findings
Summarize recommendations
After your auditor finishes their work, you must consolidate the findings.
Once your evidence is gathered, you will need to review all documents
thoroughly to identify any audit findings. This review is based on the
historical understanding of the process, the historical evidence obtained, and the
auditor's professional judgment on the adequacy of the evidence provided.
Using the integrated task assignment feature to assign tasks to the
responsible individuals within your organization based on the auditor's
findings can also result in efficiencies.
Apply recommendations
To apply recommendations, you will need to:
Prioritize action
Review risk score
Schedule future audits
Based on the auditor's findings, management must recommend
compensating or complementary controls to address the risks
identified in the audit. What is the impact of these controls on the risks
identified, and do they reduce the residual risk to an acceptable
amount? Lastly, when will we re-assess the findings? A frequency will
need to be set for future audits.