The GRC approach to managing cybersecurity

This post discusses Governance, Risk Management, and Compliance (GRC) in the context of IT governance and cybersecurity. The GRC approach to managing cybersecurity takes a risk-based approach to managing risks to the confidentiality, integrity, and availability of valued enterprise information assets. This discussion covers the ins and outs of the GRC cybersecurity career path – focusing on the role of GRC analyst/manager.

  • Important cybersecurity regulations
  • IT governance
  • Governance, risk management, and compliance (GRC)
  • GRC as an RMF (risk management framework)
  • Cybersecurity policy
  • How to get into GRC
  • GRC training resources

You may also be interested in Compliance frameworks and industry standards.

Important cybersecurity regulations

Canada’s most visible commitments to cybersecurity governance include Bill C-27: Digital Charter Implementation Act (2022), Canada’s Cybersecurity Strategy (2010-2015), the Canadian Cyber Incident Response Centre (CCIRC), Counter-terrorism Strategy: Building Resilience Against Terrorism, the RCMP Cybercrime Strategy (2015), the National Strategy for Critical Infrastructure, and Action Plan for Critical Infrastructure (2014-2017).

Cybersecurity – The Legal Landscape in Canada (McMillan LLP: Mitch Koczerginski, Lyndsay A. Wasser, and Carol Lyons, 2017)

Important U.S. regulations, guidelines, and standards that govern information security and privacy include FISMA (Federal Information Security Management Act of 2002), the Electronic Communications Privacy Act, the PATRIOT Act, the Privacy Act of 1974, CISPA (Cyber Intelligence Sharing and Protection Act), the Consumer Data Security and Notification Act, and the Computer Security Act of 1987. HIPAA (Health Insurance Portability and Accountability Act) has five key subsections: Electronic Transaction and Code Sets, Privacy Rule, Security Rule, National Identifier Requirements, and Enforcement.

Important cybersecurity regulations and standards

Domain                 | International Standards                                  | National or Regional Standards                                                                                                                                                                                 | Organizational Standards or Guidelines
-----------------------|----------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------
IT Security Management | ISO 13335, ISO 13569, ISO 17799, ISO 27001, ISO 27002    | BS 7799-2, NIST Standards                                                                                                                                                                                      | ACSI-33, COBIT Security Baseline, ENV12924, ISF Standard of Good Practice, SAS 70
IT Governance          | ISO 38500:2008                                           | COSO Internal Control - Integrated Framework                                                                                                                                                                   | COBIT, ITIL, BITS
Compliance             |                                                          | Sarbanes-Oxley Act, Privacy Act, Trade Practices Act                                                                                                                                                           | Basel II, FFIEC Handbook, Gramm-Leach-Bliley Act, BSA, FACTA, GISRA, CA Bill 1386, PCI DSS, FISMA
Privacy                |                                                          | Directive 95/46 - European Union, ETS no. 108 - Council of Europe, PIPEDA - Canada, Privacy Act 1988 - Australia, Specter-Leahy Personal Data Privacy and Security Act 2005 - USA, Personal Information Protection Act No. 57 - Japan |
Risk Management        | ISO 27005                                                | AS/NZS 4360, COSO Enterprise Risk Management, MoR, NIST Standard 800-30                                                                                                                                        |
Security Metrics       | ISO 27004                                                | NIST Standards                                                                                                                                                                                                 | Web Security Threat Classification, ISECOM, CVSS
Security Evaluation    | ISO 15408, ISO 27001                                     | NIST Standards - FIPS, NSA IAM / IEM                                                                                                                                                                           | PCI DSS
Security Testing       |                                                          | NIST SP 800-115 Technical Guide to Information Security Testing and Assessment                                                                                                                                 | OWASP Testing Guide (v4), OSSTMM, CHECK, ISACA, ISSAF, CREST

IT governance

IT governance frameworks are used to create value for organizations by streamlining business activities and enterprise IT infrastructure so as to meet certain performance and regulatory requirements related to information security and privacy.

IT governance is a framework “that provides a structure for organizations to ensure that IT investments support business objectives.” IT governance emphasizes a strategic alignment between IT activities and business goals, value creation, and performance management. ISO 38500 IT governance standard Corporate Governance of Information Technology defines IT Governance as three activities: Evaluate, Direct, and Monitor. NIST describes IT governance as,

the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk. (EDUCAUSE, 2022)

While in the business world the definition of IT governance has been focused on managing performance and creating value, in the academic world the focus has been on “specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT” (Weill & Ross, 2004). Benefits of IT governance include 1) Increased predictability and reduced uncertainty of business operations; 2) Protection from the potential for civil and legal liability; 3) Structure to optimize the allocation of resources/prioritize risks; 4) Assurance of security policy compliance; 5) Foundation for effective risk management; and 6) Accountability for safeguarding information (EDUCAUSE, 2019).

Governance, risk management, and compliance (GRC)

Organizations consult governance frameworks for guidance in developing and refining their GRC policy. GRC is an IT governance framework for managing an organization’s overall governance, enterprise risk management, and compliance with various regulations. A GRC framework “helps an organization align its information technology with business objectives, while managing risk and meeting regulatory compliance requirements” (ibm.com).

GRC is a top-level framework for coordinating technical solutions, business cooperation and buy-in, and meeting regulatory requirements. It should be similar in structure to a business plan.

Governance: ensuring that IT goals and business goals align (IT infrastructure and operations support business goals). Security governance components: Strategic planning, Organizational structure, Establishment of roles and responsibilities, Integration with the enterprise architecture, and Documentation of security objectives in policies and guidance.

Risk management: ensuring that risk associated with organizational activities is identified and addressed in a way that supports business goals, that is, having a comprehensive IT risk management process that rolls into an organization’s enterprise risk management function.

Compliance: ensuring that organizational activities operate in a way that meets the laws and regulations impacting those systems, that is, making sure that IT systems and the data contained in those systems are used and secured properly.

COBIT, COSO, and ITIL are among the common IT governance frameworks within different industries. Key IT governance frameworks include:

  • ITIL: Customizable framework designed around documents and processes to deliver an IT governance/life-cycle framework
  • COBIT 5: Governance and management of enterprise IT
  • COSO: Guidance on governance and operational performance through internal control
  • CMMI: Delivering value by building capability in people and processes
  • ISO/IEC 38500:2015: International standard of governance for corporate information technology
  • IT Governance: Developing a Successful Governance Strategy (ISACA)

GRC as an RMF (risk management framework)

“Managing cybersecurity is about managing risk, specifically the risk to information assets valued by an organization” (The GRC Approach to Managing Cybersecurity). A GRC framework is a structured, integrated, and comprehensive approach to enterprise risk management that reveals and categorizes all risks an enterprise faces. Several enterprise governance frameworks exist to help with evaluating assets and determining risk scores.

A NIST Risk Management Framework (RMF) is commonly used to quantify operational risk – to help “ensure that an enterprise understands the true risks to the key assets behind its day-to-day operations and how best to mitigate them” (Cobb, 2019). The NIST 800 series is a set of documents that describe U.S. federal government computer security policies, procedures, and guidelines.

Which of the NIST SP 800-Series Publications Should You Follow? (Schellman: Doug Stonier and Tim Walsh, n.d.)

The RMF NIST SP 800-37 was developed to provide federal agencies and contractors with guidance on implementing risk management programs. NIST SP 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy – first posted online on January 16, 2020 – integrates information security and risk management activities into the system development life cycle. It “takes a more holistic approach to the risk management process” and integrates privacy and risk management into a SDLC.

NIST SP 800-37 Revision 2 also includes information on aligning the RMF with NIST’s Cybersecurity Framework (CSF). The five core functions of NIST’s CSF are: Identify, Protect, Detect, Respond, and Recover. NIST defines CSF as a set of cybersecurity activities, desired outcomes, and applicable informative references common across critical infrastructure sectors.

Cybersecurity policy

An information security policy is an essential component of information security governance. Where a GRC program should be written like a business plan, a security policy should be written like an action plan. An effective security policy achieves risk management goals and has mechanisms for meeting the policy objectives and for evaluating success through performance metrics.

A cybersecurity policy provides guidance for the protection of information assets, IT assets, and infrastructures. A cybersecurity risk governance policy identifies stakeholders, assets and threats, and procedures to assess vulnerabilities and risks and procedures to mitigate risks and manage incidents. Stakeholders should be identified at all levels in the business hierarchy, which may include businesses, services, groups, or feature teams. In addition, external stakeholders such as customers, governments, and investors should be identified. An information security policy is based on a combination of appropriate legislation, such as FISMA; applicable standards, such as NIST Federal Information Processing Standards (FIPS); and internal compliance requirements.

IT governance policies tell administrators, users and operators how to use information technology to ensure information security within organizations. Information security policies aggregate directives, rules, and practices that prescribe how an organization manages, protects, and distributes information.

An organization’s information security policies are typically high-level policies covering a large number of security controls. An information security policy at the institutional level should address the fundamentals of the institution’s information security governance structure, including information security roles and responsibilities, rules of behavior that users are expected to follow, and minimum repercussions for noncompliance. Further, organizational policies should include an access control policy outlining the access available to employees with regard to an organization’s data and information systems (e.g., based on NIST’s Access Control and Implementation Guides); an incident response policy; a remote access policy; an email and communication policy; and a disaster recovery policy.

How to Write a Policy – “The only guide you need” to understand the structure and content of an effective organizational policy.

Industry focus: Higher education

The regulatory environment impacting higher education IT systems is complex. Data protection is governed by a patchwork of different federal and state laws rather than by one national data protection law. Student data are traditionally protected by the Family Educational Rights and Privacy Act of 1974 (FERPA) “although some types of student data, when it is held in healthcare IT systems, may be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).”

In addition, some types of student and institutional employee financial data may be protected by the Gramm Leach Bliley Act (GLBA). State laws may have data-breach notification requirements, and contractual agreements may have their own list of security technological controls that must be implemented and validated in IT systems. (Grama & Vogel, 2017)

Most commonly deployed information security risk management frameworks in higher education are: NIST 800-53/FISMA (33%), NIST Cybersecurity Framework (32%), and NIST 800-171 (31%) (EDUCAUSE Almanac, 2019).

How to get into GRC

IT enterprise and professional services roles

You can get into GRC through a security analyst role (e.g., vulnerability assessment analyst), a cyber defender role (e.g., SOC analyst), a cyber operator role (e.g., penetration tester), a security/privacy policy analyst role, a risk analyst or risk management role (e.g., IT vendor risk manager), a compliance auditor role, or an IA/QA assurance role. A GRC analyst role can also be your first job in IT.

GRC analyst relevant job titles include Compliance Analyst, IT Auditor, Risk and Compliance Analyst, Cyber Audit Analyst, GRC Specialist, and GRC manager.

Certifications

  • CISA – Certified Information Systems Auditor by ISACA (you can take the test pending 3 years experience to receive the certification)
  • ISACA’s IT Risk Fundamentals Certificate
  • CRISC – ISACA’s Certified in Risk and Information Systems Control certification is ideal for mid-career IT/IS audit, risk, and security professionals
  • CISM – Certified Information Security Manager by ISACA
  • ISO 27001 Lead Auditor (ISMS) by CIS

Salient risk management frameworks

  • NIST CSF as an information security program framework, with NIST SP 800-30 to assess its risk
  • NIST SP 800-37, selecting the appropriate subset of security controls from the control catalog in NIST SP 800-53
  • SOC 2 Cybersecurity Framework is a good RMF – AICPA maps SOC 2 to all sorts of frameworks
  • Other: ISO/IEC 27001, CMMC

Skills of a GRC analyst

A cybersecurity analyst/manager has skills/knowledge in the technical foundations of cybersecurity – especially network security, incident and disaster management, operating systems, and system administration. As a GRC professional, you’re interacting and coordinating regulatory compliance and assurance activities with legal, procurement, engineering, project management, etc. You’re working internally, or externally with professional services.

A GRC analyst/manager may partake in the following organizational IT governance activities:

  • Developing a cybersecurity governance program
  • Specifying the committees, roles, and plans needed to perform contingency planning
  • Identifying regulations/compliance needs relevant to the organization’s industry and business activities, and a suitable GRC RMF to help the organization achieve compliance in alignment with its business goals
  • Establishing compliance procedures relevant to GDPR, PCI (financial services), HIPAA (health care), FISMA (Federal IT), CMMC (DoD), etc. (regulations the organization may be held accountable to)
  • Establishing IT security audit procedures relevant to NIST, SOC 2, ISO 27001, etc.
  • Establishing performance measures as a method to assess and improve GRC programs

GRC training resources

Cybersecurity Compliance Framework & System Administration (Coursera – Course 3 in IT Fundamentals for Cybersecurity Specialization)
This Coursera course “gives you the background needed to understand the key cybersecurity compliance and industry standards.”

Executive RMF (Cybrary)
“This course will discuss the NIST Risk Management Framework (RMF) from an executive perspective. Each module will not only address each step in the RMF process, but how this process can be implemented into your organization or business.”

GRC Analyst Master Class (TCM Security Academy)
“This class assumes no prior background knowledge and is setup to give you a full scope understanding and the practical skills needed to be an effective GRC Analyst.”

The GRC Approach to Managing Cybersecurity (Coursera – Course 2 in Managing Cybersecurity Specialization)
This Coursera course “examines the role of Governance, Risk Management, and Compliance (GRC) as part of the Cybersecurity management process, including key functions of planning, policies, and the administration of technologies to support the protection of critical information assets.”

References/resources

Abu-Shaqra, B. (2020). Technoethics and sensemaking: Risk assessment and knowledge management of ethical hacking in a sociotechnical society [Doctoral dissertation, University of Ottawa]. uO Research.

GRACE-IT – The “Critical Six” disciplines of GRC (oceg.org)

How to GRC Like A Boss with Erika McDuffie (YouTube video by Gerald Auger of Simply Cyber)

Information Security Governance (EDUCAUSE, 2022)

NIST Cybersecurity Program Development Plan (“Plain English Guide” by Praxiom Research Group Limited)

NIST Special Publications (Repo by The IT Law Wiki)
