GRC Categories

Governance, Risk and Compliance

AM | Asset Management
All the components of the solution such as infrastructure assets, network devices or any physical or logical systems are properly classified, recorded, updated and removed on a periodical basis. In order for asset management to be effective, all assets must be up to date throughout their lifecycle. A typical assessment will check if:

  • Are all the components clearly identified?
  • Will the process update the records continuously?
  • Where will those records be stored and managed?
  • Which team will own the process and the duty to update the records?
  • Will the records include information such as who is accountable per asset or its owner?

LR | Supply Chain
All the dependencies will external suppliers are clearly understood, responsibilities are well defined, contracts include proper security clauses and business contacts are recorded, up to date and readily available when required. A typical assessment will check if:

  • Have all external vendors and third parties been identified?
  • Is the responsibility matrix well defined in the contract?
  • Is the provider integrated into the incident response process?
  • Has the contract been reviewed and it follows internal security requirements?
  • Will access to internal networks, systems and data be limited as much as possible?

LR | Regulations
Compliance against laws or regulations such as General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS) or Network and Information Security Directive (NIS) to name a few. A typical assessment will check if:

  • Will the solution be in scope of any relevant regulations that the organization must follow?
  • Are there any compliance activities currently being performed towards each regulation?
  • Have all relevant teams been engaged to participate in these compliance activities?

BG | Strategy
Ensures there is an alignment against the overall Business and Architecture Strategy, specifically in terms of goals, vision and objectives. A typical assessment will check if:

  • Is the solution following the strategy defined at higher organizational levels?
  • Has the broad objective and approach been properly socialized and was it approved by all relevant teams? (e.g. Enterprise Architecture, Architecture, or any other team who defines the enterprise strategy and vision the organization must follow).

BG | Policies
A Security Policy will identify and define rules and procedures for all individuals accessing and using IT assets and resources. In essence, a policy is a statement of expectation, enforced by standards and implemented by procedures and patterns. A typical assessment will check if:

  • Is the solution complying with internal security policies?
  • Policies could include: Cyber Security Policy, Cyber Security Charter, etc.

BG | Standards
Standards are formal and established requirements in regard to processes, actions, and configurations. They are finite and quantifiable requirements that satisfy policies. A typical assessment will check if:

  • Is the solution complying with the internal security standards?
  • Standards could include: Network Security, Identity and Access Management, Privileged Access Management, Vulnerability Management, Endpoint Security Standard, etc.

BG | Patterns
Patterns are reusable solutions to common requirements or practices in an architectural design. These patterns are usually a high-level design or template to address a specific technical scenario. A typical assessment will check if:

  • Is the solution adhering to the established security architecture patterns?
  • Patterns could include: Authentication and Authorization, Centralized Jumpbox, Network Security Zones, Remote Access, Security Logging and Monitoring, etc.