By John Manganiello
Governance, Risk and Compliance (GRC) has been merging with cybersecurity for some time. We aim to serve as a strategic partner to IT executives and the C-suite to formulate an information security program and a process to discover and manage risks across the technology infrastructure and applications. The goal for our clients is to lead a governance culture and ensure their firms have a comprehensive GRC framework and C-suite buy-in.
The focus is often on specific solutions and service providers. Our process starts with GRC and maps back to the solutions that deliver compliance with the NIST Cybersecurity Framework functions (Recover, Identify, Protect, Detect, Respond & Govern). The technology is a means to an end, and we serve as your technology procurement advisors. We will help you find the right solutions and vendors based on our past operating experience and relationships with best-in-class suppliers.
Key drivers behind this include:
✅ Board-level accountability and planning regarding cyber risk and incidents
✅ Regulatory drivers such as SEC, HIPAA, and PCI requirements. The recent SEC cyber rule requires annual security assessments and artifacts to prove compliance
✅ Working with the C-suite during budgeting season to secure budget based on an established strategy measured against a known framework such as NIST
Pillars of a GRC program:
✅ Policy Suite: WISP (Written Information Security Program), IRP (Incident Response Plan), BCP (Business Continuity Plan)
☑️ The policies will speak to your technology and security systems and how they are managed
✅ Risk Management: Analyzing and benchmarking against known frameworks such as NIST or ISO 27001
✅ Vulnerability Management: Weekly scanning and, more importantly, management and remediation of the risks found.
✅ Vendor Risk Management: Identify key vendors, tier accordingly, and assess and understand the risks. Conduct due diligence based on the top tier to start.
✅ Risk and Security Assessment: This is commonly done through a third-party partner annually. The goal is to have a clear understanding of risk, recommendations to remediate, and a plan to address those risks.
✅ Data Governance: Data criticality assessment, service impact evaluation, outage impact analysis. The question to ask is: where is my data, and who can access it? We see a big challenge here, and we raise it with our clients, when it comes to their development teams’ data management and security.