Governance Component: Involves guiding an organisation by setting its direction
through information security strategy, which includes policies, standards, baselines,
frameworks, etc., along with establishing appropriate monitoring methods to
measure its performance and assess the outcomes.
Risk Management Component: Involves identifying, assessing, and prioritising risks
to the organisation and implementing controls and mitigation strategies to manage
those risks effectively. This includes monitoring and reporting on risks and
continuously evaluating and refining the risk management program to ensure its
ongoing effectiveness.
Compliance Component: Involves ensuring that the organisation meets its legal, regulatory,
and industry obligations and that its activities align with its own policies and procedures.
This includes developing and implementing compliance programs, conducting regular
audits and assessments, and reporting on compliance issues to stakeholders.
How to Develop a GRC Program - Generic Guidelines
A well-developed and implemented GRC program for cyber security provides an integrated
framework for managing risks, complying with regulations and standards, and improving the
overall security posture of an organisation. It enables effective governance, risk
management, and compliance activities, mitigating the impact of cyber incidents and ensuring
business resilience. In this section, we will explore how to develop and implement a GRC
framework. Developing and implementing a GRC framework involves several steps; we will
explain each step with an appropriate example so that it is easy to understand:
Define the scope and objectives: This step involves determining the scope of the GRC
program and defining its goals. For example, a company can implement a GRC
program for its customer data management system. The objective might be to reduce
cyber risks to 50% in the next 12 months while maintaining the trust of its customers.
Conduct a risk assessment: In this step, the organisation identifies and assesses its
cyber risks. For example, a risk assessment might reveal that the customer data
management system is vulnerable to external attacks due to weak access controls or
outdated software. The organisation can then prioritise these risks and develop a risk
management strategy.
Develop policies and procedures: Policies and procedures are developed to guide
cyber security practices within the organisation. For example, the company might
establish a password policy to ensure the use of strong passwords. It might also
implement procedures for logging and monitoring system access in order to detect
suspicious activity.
Establish governance processes: Governance processes ensure the GRC program is
effectively managed and controlled. For example, the organisation might establish a
security steering committee that meets regularly to review security risks and make
decisions about security investments and priorities. Roles and responsibilities are
defined to ensure everyone understands their role in the program.
Implement controls: Technical and non-technical controls are implemented to
mitigate the risks identified in the risk assessment. For example, the company might
deploy firewalls, an Intrusion Prevention System (IPS), an Intrusion Detection System
(IDS), and Security Information and Event Management (SIEM) to prevent and detect
external attacks, and provide employee training to improve security awareness and reduce
the risk of human error.
Monitor and measure performance: Processes are established to monitor and
measure the effectiveness of the GRC program. For example, the organisation can
track metrics and compliance with security policies. This information is used to
identify areas for improvement and adjust the program as needed.
Continuously improve: The GRC program is constantly reviewed and improved based
on performance metrics, changing risk profiles, and stakeholder feedback. For
example, if the organisation experiences a security incident, it might conduct a
post-incident analysis to identify the root cause and make changes to prevent a
similar incident from happening again.
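The following risk register ties together the risk assessment, control implementation and performance measurement steps above. It is an added example written for this page, not code from the original material: the risks, the 1-5 likelihood and impact scales, the control effectiveness values and the 50% reduction objective are all constructed assumptions, chosen to match the customer data management scenario used in the steps.

```python
"""Worked example: a minimal cyber risk register for the GRC steps described above.

Assumptions (constructed for this example, not from the original page):
- likelihood and impact are rated 1 (lowest) to 5 (highest); risk score = likelihood * impact
- a control's 'effectiveness' is the fraction of likelihood it removes once implemented
- the programme objective is a 50% reduction of total inherent risk (residual vs inherent)
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    effectiveness: float        # 0.0 .. 1.0, fraction of likelihood removed (assumed scale)
    implemented: bool = False


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any control is applied (step: conduct a risk assessment)."""
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        """Risk remaining after every *implemented* control reduces the likelihood."""
        likelihood = float(self.likelihood)
        for control in self.controls:
            if control.implemented:
                likelihood *= 1.0 - control.effectiveness
        return round(likelihood * self.impact, 2)


def risk_level(score: float) -> str:
    """Map a score on the 1..25 scale to a rating used for prioritisation (assumed bands)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(register: list) -> list:
    """Order risks so the steering committee sees the highest inherent risk first."""
    return sorted(register, key=lambda r: r.inherent_score(), reverse=True)


def implement_controls(register: list, names: set) -> list:
    """Mark the named controls as implemented (step: implement controls)."""
    for risk in register:
        for control in risk.controls:
            if control.name in names:
                control.implemented = True
    return register


def risk_reduction(register: list) -> float:
    """Percentage of total inherent risk removed so far (step: monitor and measure)."""
    inherent = sum(r.inherent_score() for r in register)
    residual = sum(r.residual_score() for r in register)
    return round(100.0 * (inherent - residual) / inherent, 1)


def objective_met(register: list, target_pct: float = 50.0) -> bool:
    """Has the programme reached its stated reduction objective?"""
    return risk_reduction(register) >= target_pct


def build_register() -> list:
    """Constructed sample risks for the customer data management system scenario."""
    return [
        Risk("R1", "Weak access controls on customer data system", 4, 5,
             [Control("MFA for all admin access", 0.6),
              Control("Quarterly access review", 0.3)]),
        Risk("R2", "Outdated software on customer data system", 4, 4,
             [Control("Automatic patch management", 0.7)]),
        Risk("R3", "Credentials stolen through phishing", 3, 4,
             [Control("Security awareness training", 0.4)]),
    ]


if __name__ == "__main__":
    register = build_register()
    for risk in prioritise(register):
        print(f"{risk.risk_id} {risk.inherent_score():>3} {risk_level(risk.inherent_score()):<7} {risk.description}")
    implement_controls(register, {"MFA for all admin access", "Automatic patch management"})
    print(f"after first wave: {risk_reduction(register)}% reduction, objective met: {objective_met(register)}")
    implement_controls(register, {"Quarterly access review", "Security awareness training"})
    print(f"after second wave: {risk_reduction(register)}% reduction, objective met: {objective_met(register)}")
```

Running the script shows the point of the "monitor and measure" step: after the first two controls the register reports a 48.3% reduction, short of the 50% objective, so the programme is not yet on target; only after the remaining controls are implemented does the reduction reach 63.3%. Re-rating likelihoods after an incident and re-running the same calculation is the "continuously improve" step in practice.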
An Example - GRC Framework in the Financial Sector
To fully understand each component of GRC, it helps to look at real-world examples and
scenarios. In the following section, we will see how the financial industry implements
each component of the GRC framework:
Governance-Related Activities: Nominate governance-level executives and establish
finance-related policies covering areas such as the Bank Secrecy Act, anti-money
laundering, financial audits, financial reporting, crisis management, and many
more.
Risk Management Activities: Identify potential risks, their possible outcomes, and
countermeasures. Examples of such risks include financial fraud, fraudulent transactions
carried out through cyber attacks, credentials stolen through phishing, fake ATM cards, etc.
Compliance Activities: Take measures to meet legal requirements and industry
standards such as PCI DSS, GLBA, etc. This also includes implementing the right
technical measures, such as using SSL/TLS to prevent Man-in-the-Middle (MITM) attacks,
ensuring automatic patch management so that software does not remain unpatched,
running awareness campaigns to protect users from phishing attacks, and many more.