Understanding GRC (Governance, Risk, and Compliance)
Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
>> Let's pick up with our next section, which is understanding GRC. GRC stands for governance, risk, and compliance. We've already talked about the role of risk in information security, and that's going to just be a theme throughout everything we discuss. But here we're going to really talk about how information security has to start with the top: governance. When we say governance, we're talking about those senior executives, board of directors, those folks that set the focus and the vision for the organization as a whole. Governance, and then risk, and then of course we have to maintain our compliance. Compliance might be with laws, with regulations, with industry standards, best practices. Again, that's going to be determined by our governing entities, but our focus is going to be GRC for this next section.

Now basically, GRC came about because of some of the shenanigans of the early 2000s, if you remember that. We had Enron and WorldCom and Arthur Andersen, and then we had some major organizations that were really cooking the books, so to speak. They had separate sets of accounting documents. Basically, senior leadership was really making off with a lot of money, really embezzling money from the organization, just for lack of a better way to say that.

We had the Open Compliance and Ethics Group, the OCEG, come out and say, look, we have got to provide some standards for principled governance and organization, and management leadership for the organization. They introduced a set of standards and guidelines, they brought in some online support tools that really focused on the elements of GRC: proper governance of the organization, addressing the unknown factors, which of course is risk, and then ensuring compliance. Again, down at the last bullet point there, focus. Let's have some sound principled leadership. That sounds like something we would just take for granted, but in many organizations, that structure really has to be supported. That structure has to be required, because if we don't have solid governance, then the organization is not going to be in compliance, is not going to be able to handle risks effectively. These processes and procedures, these tools that are given, really make a difference.

If we look at GRC, we have the various elements here. Again, starting with governance and accountability. When we talk about accountability, we're talking about accountability to our stakeholders, meeting our stakeholder needs, and satisfying their requirements. We can't do that unless we look at risks, because with risks, we always start with identifying our assets and what they're worth, and then trying to find a solution that's going to have a good benefit to the organization. Once we determine that solution that'll benefit the organization, we start to implement it. Those risk mitigation strategies are frequently referred to as controls. When we talk about security controls in our various processes, these are mitigating strategies: what are their technical controls, administrative controls, or physical controls? I'm just going around the wheel from top to bottom, right to left.

Training and awareness, of course: we can't expect our employees to follow processes and procedures unless they know what those processes and procedures are. What I want you to notice is we just start talking about technology enablement after we've covered governance and risk, and controls and training, because technology really should be thought of as the icing on the cake, not the basis for security. All of these elements have to come into play, these good security foundational principles, before we even talk about the technology. Technology is important, but it can never be the basis of our program. Once we enter our technology, or once we implement our technology, then of course we monitor, audit, report. We have incident management programs in place, and I'll mention that incident management is much greater than just incident response, and of course we'll cover incident management later in Chapter 7.

These are just some main elements of GRC. I think it's good to look at security in terms of benefit and operations within the organization as a whole. I think it's also important, just like I pointed out a minute ago, that technology is just a slice of our information security program. That is clear throughout the CISSP exam. All of these other elements must be in place before we really start talking about tech. This section was just a high-level overview of GRC, but again, these are the foundational principles that underlie everything we discuss. I think on the exam, you're not going to have a GRC question per se, as in they're not going to say what's the R in GRC or something silly like that. But I think they might frame it in the context of the role of governance, its importance within the process, how risk comes into play, the elements of compliance like auditing keeping us in place. I think the concepts of GRC more than just the specific requirements and rules. Always on the exam, come back to these foundational concepts. Don't choose tech; choose security principles when you can.

In summary, we've talked about GRC: we've talked about governance, we've talked about risk, and then compliance through auditing and monitoring the organization, making sure that we're in compliance with laws, policies, best practices, industry standards. I don't think you're going to see a question that maybe even references GRC per se, but I think questions on the importance of governance, how you have to lead an organization from the top down. You can't have the security team trying to change culture within the organization. Governance must be involved. Governance must have buy-in and they must support. That's going to be an answer I always want you to look for on the exam: the importance of governance. How do you make any activity successful? You get support and buy-in from senior leadership; that's a very common theme. Then another common theme: risk. All security decisions should come back to risk management. What am I protecting? What's it worth? Then what are the threats and vulnerabilities that might impact my assets? Ultimately, what I'm trying to find is a good cost-effective solution that I can put in place. Security controls, for instance, that mitigate the risks in a way that makes sense from a cost-benefit standpoint. That's how we make our decision with risk management. Then of course, our goal is to always be in compliance with laws, regulations, industry standards, best practices, whatever. Ultimately, GRC comes together and provides us with the foundation of what we need to implement as far as our information security programs.