Imagine that you want to build a house. Now imagine that you bought all the material needed to build the house, like bricks, cement, wires, pipes and everything else. And now you have hired masons, electricians and plumbers. Wow, you are so close to fulfilling your dream. Everything is delivered to your address, a workforce has arrived and they are ready to build your house. Wait!! You don’t have a blueprint for your house, and you don’t know where to build it. So you look for an empty plot and start building the house. Everyone you hired is working on a best-effort basis.
Sounds stupid!!!! Doesn’t it????
Yes, this is what most organisations are doing with cyber security.
They have a workforce, they have tools, but they don’t have blueprints for cyber security. No real plan on how to implement, what to implement, or which tasks to prioritize. In the name of AGILE projects, cyber security is abused by performing activities on a best-effort basis.
After years of working in cyber security I came up with a GRC framework which is simple, easy to understand and easy to implement.
This framework focuses on the challenges that we face and the solutions to those challenges. All components are interrelated in one way or another. When working with this framework you can start from solutions and work towards challenges, or the other way around. For example, you can create policies to manage some risks, or list the risks first and then create policies to mitigate them. We will discuss these interdependencies in more detail in the coming sections.
Let’s start by understanding the basis of this framework and its components. From the GRC perspective, the organisation faces security challenges and the security team’s job is to find solutions to mitigate these challenges. Using this framework we can group these challenges into the following groups:
- Asset/Information Management.
- Risk Management.
- Compliance Management.
And the solutions to manage these challenges are listed as follows:
Asset Management: This section lets you identify the assets of your organisation. Assets like servers, laptops and cloud infrastructure must be identified and listed according to their criticality and sensitivity. The criticality and sensitivity are evaluated based on the information that is processed, stored or transferred by these assets. An individual risk assessment must be performed to categorize each asset or piece of information.
Some organisations are obliged to meet legal compliance requirements, especially government organisations; for example GDPR, the Privacy Act and PSPF. To be compliant, both a risk management methodology and asset management must be implemented.
That is how asset management depends on risk management and compliance management.
Risk Management: This section is considered to be the core of this framework. All modules of the framework are either an input or an output of this module. Assets and information identified in the previous module must undergo a risk analysis to assign the appropriate categorization.
Based on the result of the risk assessment, policies are designed, controls are defined and, if applicable, exceptions are raised. As mentioned, some organisations have compliance requirements; such requirements can be treated as a compliance risk and act as an input to the risk management module.
Compliance Management: This section deals with all regulatory compliance requirements applicable to the organisation. Compliance with regulations like GDPR, PSPF and the Privacy Act 1988 is a key enabler for any GRC-related program.
Some organisations may choose to treat this module as a compliance risk and merge it with the risk management module. However, keeping it as a separate module makes compliance easier to manage.
To be compliant with regulations and laws, organisations must categorize assets as per the regulations, design the listed policies, develop control objectives and, if applicable, raise compliance exceptions.
Now you can start using this framework by defining challenges first and then developing solutions. You can also work your way from solutions to challenges.
Let’s understand how!!!
You can create policies and design controls according to your organisation’s ecosystem to manage challenges within the defined constraints. Your organisation may define exceptions based on performance or technical limitations and then try to manage risks, assets and compliance within those constraints. A good example is that your organisation defined a policy of not encrypting data at rest. Now you can design technical controls and firewall configurations according to this policy. You will have to perform a risk analysis based on this risk tolerance information and manage the resulting risks. If any regulation requires the organisation to encrypt data at rest, then you can accept this risk of non-compliance.
To compensate for the risk of unencrypted data you can design stronger access controls for the data and stronger monitoring for data leakage.
That’s how you can work your way from solutions to challenges.
There are multiple GRC frameworks available from ISACA, SANS, NIST. This framework, however, is simple to comprehend and implement.
Work to improve this framework is ongoing. A case study is under development in which I demonstrate this framework in action. Feel free to drop your feedback at [email protected]
Next step: To develop a document detailing each module of this framework.