Governance, Risk, and Compliance
Dear reader, I have been in your place, thinking about which certification I should go for first. Should I begin with CISM? It seems to be the most widely recognized. Alternatively, should I consider CISA? However, I am not an auditor, so is it really necessary for me? What about CISSP? It seems rather challenging for someone trying to get certified for the first time. Finally, what about CRISC? It doesn’t appear to be the most relevant for the job responsibilities in the expanding realm of IT risk management.
Congratulations! Now that you have decided on the CRISC, you have taken the most important step of deciding on your certification and are embarking on the first stage of the journey of your career growth. However, what about the study material? Should I buy the official review manual? It appears to be very dull. Should I explore technical forums or communities for more advice and hacks? Alternatively, should I conduct a search using the hashtag CRISC (#CRISC) to see if there's a one-stop blog with all the resources needed to pass the exam in one convenient location?
As I look back on all this certification preparation and reference material, I realize that the majority of them missed a key point – what is the practical application of the knowledge I will acquire as I read this book and attain the certification? If I zoom out a little, why is governance, risk, and compliance (GRC) required in an organization when the sole aim of cybersecurity is to protect companies from attackers? Also, what is GRC in the first place?
This chapter aims to answer all these questions so that when you pass your CRISC with flying colors and boast about your certification, you don’t have to worry about recalling the basic concepts of GRC and have a solid foundation of IT risk management.
In this chapter, we will cover the following topics:
- Governance, risk, and compliance
- GRC for cybersecurity professionals
- Importance of GRC for cybersecurity professionals
- A primer on cybersecurity domains and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
- Importance of IT risk management
The content of this chapter is not directly related to the exam syllabus, but it is important to understand the concepts of GRC before learning about IT risk management and its implementation for the CRISC exam.
The hope is that this chapter will provide you with enough understanding that you can differentiate between all domains of cybersecurity and can continue your journey well beyond the CRISC certification.
Governance, risk, and compliance
In this section, we’ll look at the concepts of GRC, their interrelationships, and how to differentiate among them.
What is GRC?
GRC is an acronym that stands for governance, risk, and compliance. It can be defined as a common set of practices and processes, supported by a risk-aware culture and enabling technologies that improve decision-making and performance through an integrated view of how well an organization manages its unique set of risks.
A GRC program aims to provide organizations with an overarching framework that can be used to streamline different organizational functions, such as legal, IT, human resources, security, compliance, privacy, and more so that they can all collaborate under a common framework and set of principles instead of running individual functions and programs.
Governance is the organizational framework through which stakeholders set the tone and direction for the organization and keep its activities aligned with business objectives. It consists of the rules that run the organization, including the policies, standards, and procedures that set the direction of, and control over, the organization’s activities. These stakeholders can be a board of directors in large companies or senior executives in small and medium enterprises.
Risk or risk management is the process of optimizing organizational risk to acceptable levels, identifying potential risk and its associated impacts, and prioritizing the mitigation based on the impact of risk on business objectives. The purpose of risk management is to analyze and control the risks that can deflect an organization from achieving its strategic objectives.
In qualitative risk assessment, risk is scored as likelihood (the probability of the event) multiplied by impact, whereas the Factor Analysis of Information Risk (FAIR) methodology is widely used for quantitative risk assessment in mature organizations.
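To make the two approaches concrete, here is a small risk-register scorer added as an example; it is not code from the book or from ISACA/FAIR. It assumes 1–5 ordinal scales for likelihood and impact, assumed rating bands for the likelihood × impact product, an assumed risk-appetite threshold, and a deliberately simplified FAIR-style estimate (loss event frequency × loss magnitude, the top two nodes of the FAIR taxonomy) for the quantitative side. The register entries are constructed sample data.

```python
"""Qualitative (likelihood x impact) and simplified quantitative (FAIR-style
LEF x LM) scoring for a small risk register.

Added example, not from the book. Scales, rating bands, the appetite
threshold, and the register contents are all assumptions made here.
"""
from dataclasses import dataclass
from typing import Any, Dict, List

# Assumed risk appetite: qualitative scores strictly above this need treatment.
RISK_APPETITE = 9


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                # 1 (negligible) .. 5 (severe), assumed scale
    loss_event_frequency: float  # expected loss events per year (FAIR LEF)
    loss_magnitude: float        # expected loss per event, currency units (FAIR LM)


def _check_scale(value: int, label: str) -> None:
    """Reject scores outside the assumed 1..5 ordinal scale."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer from 1 to 5, got {value!r}")


def qualitative_score(risk: Risk) -> int:
    """Likelihood x impact on the assumed 1..5 scales (range 1..25)."""
    _check_scale(risk.likelihood, "likelihood")
    _check_scale(risk.impact, "impact")
    return risk.likelihood * risk.impact


def qualitative_rating(score: int) -> str:
    """Map a 1..25 product onto assumed rating bands."""
    if score >= 16:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def annualized_loss(risk: Risk) -> float:
    """Simplified FAIR-style annualized loss: LEF (events/year) x LM (loss/event)."""
    if risk.loss_event_frequency < 0 or risk.loss_magnitude < 0:
        raise ValueError("frequency and magnitude must be non-negative")
    return risk.loss_event_frequency * risk.loss_magnitude


def prioritize(register: List[Risk], appetite: int = RISK_APPETITE) -> List[Dict[str, Any]]:
    """Score every risk, flag those above appetite, and rank them.

    Ranking is by qualitative score first and annualized loss second, so the
    quantitative estimate breaks ties between risks with the same ordinal score.
    """
    rows = []
    for risk in register:
        score = qualitative_score(risk)
        rows.append({
            "name": risk.name,
            "score": score,
            "rating": qualitative_rating(score),
            "ale": annualized_loss(risk),
            "exceeds_appetite": score > appetite,
        })
    rows.sort(key=lambda row: (row["score"], row["ale"]), reverse=True)
    return rows


# Constructed sample register (illustrative values, not from any real assessment).
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing web server", 4, 5, 0.5, 200_000.0),
    Risk("Critical vendor SOC 2 report lapsed", 3, 3, 0.2, 50_000.0),
    Risk("Laptop lost without disk encryption", 2, 4, 1.0, 15_000.0),
    Risk("Backup restore test overdue", 2, 2, 0.1, 80_000.0),
]


if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER):
        flag = "TREAT" if row["exceeds_appetite"] else "accept/monitor"
        print(f"{row['score']:>2} {row['rating']:<8} ALE={row['ale']:>10,.0f}  {flag:<14} {row['name']}")
```

Note that the ordinal product alone cannot tell you whether a "High" is worth more treatment budget than a "Medium"; the annualized-loss column is what lets the two be compared in business terms, which is the reason the book points to FAIR for mature organizations.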
Compliance requirements for an organization ensure that all obligations including but not limited to regulatory factors, contractual requirements, federal and state laws, certification requirements such as ISO 27001 or SOC 2 audit, and more are adhered to and any gaps in compliance are logged, monitored, and corrected within a reasonable timeframe. The entire organization must follow a standard set of policies and standards to achieve these objectives.
An integrated approach to GRC that is communicated to the entire organization ensures that the main strategies, processes, and resources are aligned according to the organization’s risk appetite. A strong compliance program with the sponsorship of a senior leadership team is better suited to align its internal and external compliance requirements, leading to increased efficiency and effectiveness.
In the next section, we’ll learn about the relationship between these concepts.
Simplified relationship between GRC components
I would not blame you if you found the preceding concepts tedious and confusing. It took me a good 5 years to make sense of all the concepts. The following paragraph should serve as a one-sentence summary of the preceding concepts:
Governance is guidance from stakeholders (board of directors or senior leadership) to put the processes and practices in place to optimize (not reduce) the risk and comply with external and internal compliance obligations.
The following figure shows a simplistic view of GRC. It should be noted that the activities included under each pillar are not exhaustive and an organization may have an overlap between these activities. You should also be mindful that these activities are not standalone programs but need inputs from other pillars to be implemented successfully:
Figure 1.1 – Relationship between the components of GRC
Key ingredients of a successful GRC program
- Sponsorship: A successful GRC implementation should have the sponsorship of a senior leader such as a Chief Information Security Officer (CISO), Chief Risk Officer (CRO), Chief Information Officer (CIO), Chief Financial Officer (CFO), Chief Executive Officer (CEO), or someone else. These sponsors have a wider overview of not only the organization’s risk but also the industry peers across multiple verticals. Sponsorship from leadership is also important to have a risk-focused culture.
- Stewardship: The GRC program requires participation from all businesses and functions of an organization. Stewards play an important role in the GRC program and make information sharing across the organization easier for developing a common understanding across the organization and making relevant information available for everyone. These stewards, while translating the requirements from governance, are better able to target and address business risks. Stewards of the program are better suited to create business-oriented, process-based workflows to identify risks across functions, analyze for cascading risks, and treat them accordingly.
- Monitoring and reporting: It is easy to roll out a GRC program across the organization, but over time, it becomes extremely difficult to keep pace with internal and external regulations unless risks and controls are continuously monitored through efficient risk indicators. It is important to enable continuous monitoring of risks and controls by using automated risk indicators and to keep the stakeholders abreast of risk in business terms through business-focused indicators and reports periodically circulated to the appropriate audience with actionable insights.
An important pillar of the monitoring function is to monitor the security controls of critical vendors and perform an ongoing assessment for each department and functional group across the enterprise to provide a holistic real-time view of risk.
Governance is not management
Those new to the GRC domain often confuse governance with management and think both are the same; however, in the realm of GRC, governance and management serve very different functions.
Governance provides oversight and is highly focused on risk optimization for the stakeholders. Governance always focuses on the following aspects:
- Is the organization doing the right things?
- Are these things done in the right way?
- Is the team getting things done on time and within budget?
- Are we continuously optimizing the risk and getting benefits?
Once these questions have been answered, the management team focuses on planning, building, executing, and monitoring to ensure that all projects, processes, and activities are aligned with the direction and business objectives set by governance. It is expected that as management progresses in achieving these goals, the results are shared with governance (board of directors) periodically and additional inputs are taken into consideration.
GRC for cybersecurity professionals
Cybersecurity and information assurance
There are various ways to look at cybersecurity from an outsider’s view. In the industry, this is often categorized as a red team (attackers), blue team (defenders), and purple team (a combination of the red team and blue team focusing on collaboration and information sharing). For this book, I will take a different approach that is more aligned with the objectives of this book and your understanding when you prepare for the certification.
Firstly, let’s segregate cybersecurity into two major practices: cybersecurity and information assurance.
In the cybersecurity realm, we consider activities such as penetration testing, vulnerability assessments, network monitoring, malware analysis, and all the other practices that require robust technical understanding and knowledge to prevent unauthorized access and disruption to the business.
The second practice, information assurance, is going to be the focus of this book. Information assurance includes activities such as policy and procedure development, risk assessments and management, data analysis, IT audits, compliance with regulatory frameworks, incident management, vulnerability management, vendor management, KPI and KRI reporting and dashboards, and all the other sub-domains that do not require extensive technical understanding. However, these practices do require thorough collaboration across all teams and a strong understanding of the fundamentals of cybersecurity concepts. These activities are important for complying with multiple federal and state regulations as well as to ensure the implementation of compliance with industry-standard practices.
Many organizations tend to completely segregate the cybersecurity and information assurance functions into different verticals altogether, where the communication between different teams and opportunities to collaborate are limited. This leads to security being seen as a gatekeeper and not an enabler.
As security is continuing to shift left – that is, being prioritized more and more in the initial stages of software development and project viability – this distinction is fading and teams using modern security tools collaborate a lot more than just meeting once a month.
As you continue with this book, you will realize that though the CRISC exam covers all concepts of cybersecurity and information assurance, the focus will primarily be on the latter as the entire purpose of the CRISC exam is to help you prepare for the IT risk management of an organization, regardless of its size.
So far, we have learned about GRC, the importance of GRC, and how to differentiate between different verticals of cybersecurity. In the next section, we’ll learn about the importance of GRC for cybersecurity professionals and industry-standard frameworks to implement a GRC program.
Importance of GRC for cybersecurity professionals
With the continuously increasing emphasis on privacy in the form of GDPR, CCPA, HIPAA, LGPD, and other state, national, and international regulations, the cybersecurity and information assurance teams can’t work in silos. Compliance with these laws and regulatory requirements requires commitment and tenacity from all functions of the organization.
The following table shows the importance of implementing an overarching GRC framework for an organization in detail, contrasting an organization without an integrated GRC framework with one that has it:

| Without an integrated GRC framework | With an integrated GRC framework |
| --- | --- |
| Lack of effective oversight | Effective oversight across all departments |
| Focus on achieving results only | Achieving results with integrity and ethics |
| Organizational and functional silos | Shared technology, services, and vocabulary |
| Lack of visibility | Continuous flow of information |
| Duplication of efforts | Shared and common knowledge |
| Lack of integrity | Culture of integrity |

Table 1.1 – Importance of a GRC framework
Implementing GRC using COBIT
ISACA, the certification body of CRISC, also provides a comprehensive framework called Control Objectives for Information and Related Technology (COBIT) to bridge the gap between governance, technical requirements, business objectives and risks, and control requirements.
The latest version of COBIT (COBIT 2019) guidance from ISACA focuses on providing elaborate guidance on managing risk, optimizing resources, and creating value by streamlining all business objectives.
There are four publications under the COBIT 2019 framework:
- Introduction and Methodology: This is the fundamental document for implementing the COBIT framework that details governance principles, provides key concepts and examples, and lays out the structure of the overall framework, including the COBIT Core Model.
- Governance and Management Objectives: This publication contains a detailed description of the COBIT Core Model and its 40 governance and management objectives. These are then defined and matched with the relevant processes, enterprise goals, and governance and management practices.
- Design Guide: Designing an Information and Technology Governance Solution: This publication provides essential guidance on how to put COBIT to practical use while offering perspectives for designing a tailored governance system for an organization.
- Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution: This document, combined with the COBIT 2019 Design Guide, provides a practical approach to specific governance requirements.

The COBIT Core Model groups its 40 governance and management objectives into the following five domains:
- Evaluate, Direct, and Monitor (EDM): EDM has five objectives that focus on a few specific governance-related areas. These include alignment of enterprise and IT strategies, optimization of costs and efficiency, and stakeholder sponsorship.
- Align, Plan, and Organize (APO): APO’s 14 objectives include managing organizational structure and strategy, budgeting and costs, the HR aspect of IT, vendors, service-level agreements (SLAs), risk optimization, and data management.
- Build, Acquire, and Implement (BAI): The 11 BAI objectives are focused on managing changes to data and assets while ensuring end user availability and capacity needs are met.
- Deliver, Service, and Support (DSS): DSS contains six objectives and mostly aligns with the IT domains. DSS is focused on managing operations, problems, incidents, continuity, process controls, and security.
- Monitor, Evaluate, and Assess (MEA): MEA has four objectives related to creating a monitoring function that ensures compliance for APO, BAI, and DSS. These objectives include managing performance and conformance, internal control, external requirements, and assurance. Notably, MEA differs from EDM by concentrating on the monitoring function from an operational standpoint, whereas EDM monitors from a governance (or top-down) approach.
The following figure shows the five domains and 40 COBIT Core processes:
Figure 1.2 – COBIT 2019 Core Model (COBIT® 2019 Framework: Governance and Management Objectives ©2019 ISACA. All rights reserved. Used with permission.)
Detailed guidance on the COBIT 2019 Introduction and Methodology is available at no cost to members and non-members on the ISACA website: https://www.isaca.org/resources/cobit.
COBIT and ITIL
ITIL is a framework designed to standardize the selection, planning, delivery, and maintenance of IT services within an enterprise. The goal is to improve efficiency and achieve predictable service delivery.
ITIL and COBIT are both governance frameworks but serve different purposes. ITIL primarily aims to fulfil service management objectives, whereas COBIT is globally recognized for both enterprise governance and IT management.
On their own, each framework is extremely successful in offering custom governance while delivering quality service management. When paired together, however, COBIT and ITIL have the potential to dramatically increase value for customers as well as internal and external stakeholders.
The COBIT framework helps identify what IT should be doing to generate the most value for a business, whereas ITIL prescribes how it should be done to maximize resource utilization within the IT purview. Even though the frameworks are different, they do have multiple touchpoints – for example, from the COBIT domain BAI, process BAI06 Managed IT Changes is equivalent to ITIL Change Management; process BAI10 Managed Configuration is equivalent to ITIL Configuration Management, and so on.
A major differentiation between COBIT and ITIL is that COBIT covers the entire enterprise, ensuring that governance is achieved, stakeholder value is ensured, and holistic approaches to governing and managing IT are accomplished, whereas ITIL is focused entirely on IT service management. COBIT aims to achieve its objectives through policies, processes, people, information, culture, organizational structures, and services and applications that are implemented and integrated under a single overarching framework for ease of integration and customization, whereas ITIL provides prescriptive guidance on implementing these objectives.
In the previous section, we learned about the importance of ISACA COBIT for implementing a GRC program and its relationship with ITIL. In the next section, we will learn about multiple cybersecurity domains and the NIST CSF.
A primer on cybersecurity domains and the NIST CSF
There are many, many ways to think about cybersecurity domains and this could very well be a book in itself. The purpose of this section is to provide an overview of common cybersecurity domains and what they entail.
The NIST CSF divides the cybersecurity domain into five main categories, namely, Identify, Protect, Detect, Respond, and Recover:
- Identify: There is an old saying in the cybersecurity world – You cannot protect what you do not know exists. The Identify category of the CSF emphasizes developing the organization’s understanding of its systems, assets (including people), data, and capabilities so that it can manage the cybersecurity risk to them.
This activity is important for prioritizing the organization’s efforts and resources in consistency with its overall risk management strategy and business goals. This function stresses the importance of understanding the business context, the resources that support critical functions, and the related cybersecurity risks. The activities in Identify include the following:
- Identification of physical, software, and people assets to establish the basis of an asset management program
- Identification of established cybersecurity policies to define the governance program, as well as identifying legal and regulatory requirements regarding the cybersecurity capabilities of the organization
- Identification of the organization’s business environment and critical systems, including the role of critical vendors in the supply chain
- Identification of asset vulnerabilities, threats to internal and external organizational resources, and risk response activities to assess risk
- Implementation of a risk management strategy, including identifying risk appetite and tolerance
- Identification of vendor risk management strategy, including priorities, constraints, risk tolerances, and assumptions used to support risk decisions associated with managing supply chain risks
- Protect: Once the assets and critical processes have been identified, the appropriate safeguards (controls) must be developed and implemented to ensure the delivery of critical infrastructure services. This function is dedicated to identifying the controls that provide those safeguards and supports the ability to limit or contain the impact of a potential cybersecurity event. The activities in Protect can be seen here:
- Perform security awareness training for all staff and additional role-based and privileged user training.
- Implement protections for identity management and access control within the organization, including physical and remote access. In the case of an external data center or using cloud services, implement robust controls such as complex passwords, the use of VPNs, and multi-factor authentication.
- Establish data security protection consistent with the organization’s risk strategy and criticality of assets to protect the confidentiality, integrity, and availability of information.
- Implement processes and procedures to maintain and manage the protection of information systems and assets.
- Protect organizational resources through maintenance, including remote maintenance activities.
- Manage technology to ensure the security and resilience of systems, consistent with organizational policies, procedures, and agreements.
- Detect: Proactively detecting and deterring potential cybersecurity incidents is critical to a robust information security program. This function defines the appropriate activities to proactively identify the occurrence of a cybersecurity event and involve the relevant teams as soon as the threat vectors are identified. The activities in Detect can be seen in the following list:
- Detect anomalies across all system events and act on them before they cause substantial harm to the assets
- Implement tools for continuous monitoring and detection (also known as the Security Operations Centre) to monitor critical events, tune the systems to reduce false positives, and gauge the effectiveness of protective measures, including network and physical activities
- Respond: Once an event has indeed materialized and caused the incident, the organization should be prepared to contain and respond using manual as well as automated processes. This function aims to develop such systems, train the staff on incident response, and ensure that incidents can be resolved within the agreed timeframe and with minimum disruption to the system. The activities in Respond include the following:
- Manage communications with internal and external stakeholders during and after an event
- Analyze the incident to ensure effective response and supporting recovery activities including forensic analysis and determining the impact of incidents
- Ensure incident response planning processes are agreed upon with relevant staff, executed at the time of the incident, and that lessons learned are incorporated to prevent the incident in the future
- Perform mitigation activities to prevent the expansion of an event and to resolve the incident
- Implement improvements by incorporating lessons learned from such responses and ensure the staff is trained on the new practices
- Recover: This function identifies appropriate activities to renew and maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The activities in Recover can be seen here:
- Ensure that the organization has a recovery plan process in place that is tested within an acceptable time frame and that procedures to restore systems and/or assets affected by cybersecurity incidents are in place
- Implement the lessons learned while responding to incidents and review those with relevant stakeholders
- Coordinate internal and external communications during and following the recovery from a cybersecurity incident, and continuously add and act upon new areas of risk
The following figure summarizes the NIST CSF functions:
Figure 1.3 – Simplified NIST CSF functions
Each of these domains is further segregated into multiple subdomains that are outside the scope of this book. I highly encourage you to familiarize yourself with the NIST CSF subdomains and their relationship with COBIT.
COBIT has custom frameworks for several specific use cases, including a framework for implementing the NIST CSF. A set of such publications can be found on the ISACA website at https://www.isaca.org/resources/cobit.
Importance of IT risk management
In an enterprise risk management function, there can be a myriad of risks such as strategic risk, environmental risk, market risk, credit risk, operational risk, compliance risk, reputational risk, and more.
All the preceding risks can be impacted by IT risks in three major ways:
- IT value enablement risk: The delivered projects did not create the expected value, leading to a loss of shareholder value and opportunities that could have materialized
- IT program and project delivery risk: Projects are not ready to be delivered as agreed with the internal and external stakeholders, leading to inconsistency with the overall strategy
- IT operations and service delivery risk: Delivered services are not in compliance with the SLAs agreed upon at the inception of the project
All the preceding impacts have cascading effects on other areas of the organization. An overarching governance framework implementation can prevent these risks from materializing.
At the beginning of this chapter, we learned that governance is the guidance from stakeholders (board of directors or senior leadership) to put the processes and practices in place to optimize (not eliminate) the risk and comply with external and internal compliance obligations. Then, we looked at the key ingredients of a successful GRC program, including sponsorship, stewardship, monitoring, and reporting. We concluded this chapter by understanding the ISACA COBIT framework for a GRC program implementation and its relationship with ITIL and providing a primer on cybersecurity domains and the NIST CSF. Now, you should be well equipped to start conversations regarding a GRC program implementation and speak about its value with the senior leaders in your organization.
In the next chapter, we will switch gears and learn about the CRISC practice areas and the ISACA mindset to answer the CRISC exam questions.