Understanding GRC (Governance, Risk, and Compliance)


Course
Time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
>> Let's pick up with our next section, which is understanding GRC. GRC stands for governance, risk, and compliance. We've already talked about the role of risk in information security, and that's going to just be a theme throughout everything we discuss. But here we're going to really talk about how information security has to start with the top: governance. When we say governance, we're talking about those senior executives, the board of directors, those folks that set the focus and the vision for the organization as a whole. Governance, and then risk, and then of course we have to maintain our compliance. Compliance might be with laws, with regulations, with industry standards, best practices. Again, that's going to be determined by our governing entities, but our focus is going to be GRC for this next section.

Now, basically, GRC came about because of some of the shenanigans of the early 2000s. If you remember, we had Enron and WorldCom and Arthur Andersen, and we had some major organizations that were really cooking the books, so to speak. They had separate sets of accounting documents. Basically, senior leadership was really making off with a lot of, really embezzling money from the organization, just for lack of a better way to say that. We had the Open Compliance and Ethics Group, the OCEG, come out and say, look, we have got to provide some standards for principled governance and organization and management leadership, really, for the organization. They introduced a set of standards and guidelines. They brought in some online support tools that really focused on the elements of GRC: proper governance of the organization, addressing the unknown factors, which of course is risk, and then ensuring compliance. Again, down at the last bullet point there, focus. Let's have some sound, principled leadership. That sounds like something we would just take for granted. But in many organizations that structure really has to be supported. That structure has to be required. Because if we don't have solid governance, then the organization is not going to be in compliance, is not going to be able to handle risks effectively. These processes and procedures, these tools that are given, really make a difference.

Now, if we look at GRC, we have the various elements here. Again, starting with governance and accountability. When we talk about accountability, we're talking about accountability to our stakeholders, meeting our stakeholder needs and satisfying their requirements. We can't do that unless we look at risks, because with risks, we always start with identifying our assets and what they're worth, and then trying to find a solution that's going to have a good benefit to the organization. Now, once we determine that solution that will benefit the organization, we start to implement it, and there are risk mitigation strategies, frequently referred to as controls. When we talk about security controls and our various processes, these are mitigating strategies, whether they're technical controls, administrative controls or physical controls. I'm just going around the wheel from top to bottom, right to left. Training and awareness. Of course, we can't expect our employees to follow processes and procedures unless they know what those processes and procedures are. Now, what I want you to notice is we just start talking about technology enablement after we've covered governance and risk and controls and training. Because technology really should be thought of as the icing on the cake, not the basis for security. All of these elements have to come into play, these good security foundational principles, before we even talk about the technology. Technology is important, but it can never be the basis of our program. Once we enter our technology, or once we implement our technology, then of course we monitor, audit and report. We have incident management programs in place, and I'll mention that incident management is much greater than just incident response. Of course, we'll cover incident management later in Chapter 7.

These are just some main elements of GRC. I think it's good to look at security in terms of benefit and operations within the organization as a whole. It's also important, just like I pointed out a minute ago, that technology is just a slice of our information security program. All of these other elements must be in place before we really start talking about tech. This section was just a high-level overview of GRC, but again, these are the foundational principles that underlie everything we discuss. I think on the exam you're not going to have a GRC question per se, as in they're not going to say what's the R in GRC or something silly like that. But I think that they might frame it in the context of the role of governance, its importance within the process, how risk comes into play, the elements of compliance like auditing keeping us in place. I think the concepts of GRC, more than just the specific requirements and rules. Always on the exam, come back to these foundational concepts. Don't choose tech; choose security principles when you can.

In summary, we've talked about GRC: we've talked about governance, we've talked about risk, and then compliance through auditing and monitoring the organization, making sure that we're in compliance with laws, policies, best practices, industry standards. I don't think you're going to see a question that maybe even references GRC per se. But I think questions on the importance of governance, how you have to lead an organization from the top down. You can't have the security team trying to change culture within the organization; governance must be involved. Governance must have buy-in and they must support. That's going to be an answer I always want you to look for on the exam: the importance of governance. How do you make any activity successful? You get support and buy-in from senior leadership. That's a very common theme. Then another common theme: risk. All security decisions should come back to risk management. What am I protecting? What's it worth, and then what are the threats and vulnerabilities that might impact my assets? Ultimately, what I'm trying to find is a good, cost-effective solution that I can put in place. Security controls, for instance, that mitigate the risks in a way that makes sense from a cost-benefit standpoint. That's how we make our decision with risk management. Then of course, our goal is to always be in compliance with laws, regulations, industry standards, best practices, whatever. Ultimately, GRC comes together and provides us with the foundation of what we need to implement as far as our information security programs.