Core Components

Governance, Risk and Compliance

Governance, risk and compliance (GRC) refers to the overall strategy an organization has for managing governance, enterprise risk management and compliance. GRC provides a structured approach that helps align security activities with business objectives, while at the same time ensuring that risk is managed and that internal and regulatory compliance requirements are met.

There are multiple definitions for each term, but as a broad view, Governance ensures that every activity in the organization aligns in a way that supports the organization’s business goals. It provides strategic direction, controlling and directing the approach towards security. Risk management is in charge of evaluating and mitigating any identified risk or threat, which could come from a wide variety of sources (legal liabilities, strategic management, human or natural accidents, etc.). Finally, Compliance makes sure that any activity carried out by the organization complies with all relevant laws, regulations and internal policies. In the case of IT, this means that every system, and the data it holds, is used and secured properly.

This core component is divided into 3 subcomponents:

  • Asset Management
  • Legal and Regulatory
  • Business Governance

Information Security Controls

Information Security Controls (ISC) refers to all the measures taken to prevent, reduce and mitigate as much as possible the security risks that might take the form of security breaches of internal systems, data theft, and any unauthorized changes which could impact the organization. These information security controls help to protect the foundational security principles: confidentiality, integrity and availability. The controls aim to strengthen cybersecurity and are designed to prevent cybersecurity incidents.

This core component is divided into 3 subcomponents:

  • Identity and Access
  • System Architecture
  • Secure Configuration

Resilience and Disaster Recovery

This core component deals with the processes needed to ensure continuity of the systems and of the organization as a whole, taking measures before, during and after an incident. It is critical to ensure that events are managed and that the relevant teams are aware of them. Furthermore, this section covers the corrective security controls needed after an incident to help minimize data loss and damage. Finally, it also ensures there is a robust process in place to restore critical systems as quickly as possible.

This core component is divided into 3 subcomponents:

  • Resilience Architecture
  • Backup Strategy
  • Incident and Recovery