You're reading from ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

Product type: Book
Published in: Sep 2023
Publisher: Packt
ISBN-13: 9781803236902
Edition: 1st Edition

Author: Shobhit Mehta

Shobhit Mehta is the Security and Compliance Director at Headspace, an on-demand mental health company in San Francisco, CA. Previously, he worked in different facets of security and assurance with HSBC, Deutsche Bank, Credit Suisse, PayPal, and Fidelity Investments. He also works with ISACA to develop exam questions for CISA, CISM, and CGEIT, served as the technical reviewer for the CGEIT and CISA review manuals, and is a published author for the COBIT 5 journal. He completed his MS in cybersecurity at Northeastern University, Boston, and holds CRISC, CISM, CISA, CGEIT, CISSP, and CCSP certifications. In his spare time, he likes to explore the inclined trails of the Bay Area, complete ultramarathons, and blog on GRCMusings.

Governance, risk, and compliance

In this section, we’ll look at the concepts of GRC, their interrelationships, and how to differentiate among them.

What is GRC?

GRC is an acronym that stands for governance, risk, and compliance. It can be defined as a common set of practices and processes, supported by a risk-aware culture and enabling technologies that improve decision-making and performance through an integrated view of how well an organization manages its unique set of risks.

A GRC program aims to provide organizations with an overarching framework that can be used to streamline different organizational functions, such as legal, IT, human resources, security, compliance, privacy, and more so that they can all collaborate under a common framework and set of principles instead of running individual functions and programs.

Governance is the organizational framework through which stakeholders set the tone for the organization's direction and its alignment with business objectives. It comprises the rules that run the organization, including the policies, standards, and procedures that set the direction and control of the organization's activities. These stakeholders are typically a board of directors in large companies or senior executives in small and medium enterprises.

Risk or risk management is the process of optimizing organizational risk to acceptable levels, identifying potential risk and its associated impacts, and prioritizing the mitigation based on the impact of risk on business objectives. The purpose of risk management is to analyze and control the risks that can deflect an organization from achieving its strategic objectives.

Qualitative risk is defined as likelihood * probability of impact, whereas the Factor Analysis of Information Risk (FAIR) methodology is widely used for quantitative risk assessment in mature organizations.

Compliance requirements for an organization ensure that all obligations, including but not limited to regulatory factors, contractual requirements, federal and state laws, and certification requirements such as ISO 27001 or a SOC 2 audit, are adhered to, and that any gaps in compliance are logged, monitored, and corrected within a reasonable timeframe. The entire organization must follow a standard set of policies and standards to achieve these objectives.

An integrated approach to GRC that is communicated to the entire organization ensures that the main strategies, processes, and resources are aligned according to the organization’s risk appetite. A strong compliance program with the sponsorship of a senior leadership team is better suited to align its internal and external compliance requirements, leading to increased efficiency and effectiveness.

In the next section, we’ll learn about the relationship between these concepts.

Simplified relationship between GRC components

I would not blame you if you found the preceding concepts tedious and confusing. It took me a good 5 years to make sense of all of them. The following paragraph should serve as a one-line summary of the preceding concepts:

Governance is guidance from stakeholders (board of directors or senior leadership) to put the processes and practices in place to optimize (not reduce) the risk and comply with external and internal compliance obligations.

The following figure shows a simplistic view of GRC. It should be noted that the activities included under each pillar are not holistic and an organization may have an overlap between these activities. You should also be mindful that these activities are not standalone programs but need inputs from other pillars to be implemented successfully:

Figure 1.1 – Relationship between the components of GRC

Now that we know what GRC entails, we’ll learn about the importance of various factors for a successful GRC program in the next section.

Key ingredients of a successful GRC program

A successful GRC program requires collaboration across all layers of the organization. Three major components are a must-have for successful implementation:

  • Sponsorship: A successful GRC implementation should have the sponsorship of a senior leader such as a Chief Information Security Officer (CISO), Chief Risk Officer (CRO), Chief Information Officer (CIO), Chief Financial Officer (CFO), Chief Executive Officer (CEO), or another senior executive. These sponsors have a wider overview not only of the organization’s risk but also of industry peers across multiple verticals. Sponsorship from leadership is also important for building a risk-focused culture.
  • Stewardship: The GRC program requires participation from all businesses and functions of an organization. Stewards play an important role in the GRC program and make information sharing across the organization easier for developing a common understanding across the organization and making relevant information available for everyone. These stewards, while translating the requirements from governance, are better able to target and address business risks. Stewards of the program are better suited to create business-oriented, process-based workflows to identify risks across functions, analyze for cascading risks, and treat them accordingly.
  • Monitoring and reporting: It is easy to roll out a GRC program across the organization, but over time it becomes extremely difficult to keep pace with internal and external regulations unless risks and controls are continuously monitored through efficient risk indicators. It is important to enable continuous monitoring of risks and controls by using automated risk indicators, and to keep stakeholders abreast of risk in business terms through business-focused indicators and reports, periodically circulated to the appropriate audience with actionable insights.

An important pillar of the monitoring function is to monitor the security controls of critical vendors and perform an ongoing assessment for each department and functional group across the enterprise to provide a holistic real-time view of risk.

In the next section, we’ll learn about how to differentiate between governance and management.

Governance is not management

Those new to the GRC domain often confuse governance with management and think both are the same; however, in the realm of GRC, governance and management serve very different functions.

Governance provides oversight and is highly focused on risk optimization for the stakeholders. Governance always focuses on the following aspects:

  • Is the organization doing the right things?
  • Are these things done in the right way?
  • Is the team getting things done on time and within budget?
  • Are we continuously optimizing the risk and getting benefits?

Once these questions have been answered, the management team focuses on planning, building, executing, and monitoring to ensure that all projects, processes, and activities are aligned with the direction and business objectives set by governance. It is expected that as management progresses in achieving these goals, the results are shared with governance (the board of directors) periodically and additional inputs are taken into consideration.
