17 Dec 2024
GRC
Nine o’clock, make GRC fun, tell no one.
GRC: Governance, Risk, Compliance.
Ensures an organization’s security practices align with its internal, regulatory, and legal obligations. Some additional regulation examples:
The GRC team translates external standards into internal policies and standards and ensures every department/team in the organization complies with them.
Governance: creates the framework for organizational information security decision making. Creates the security strategy, policies, standards, and practices in alignment with the org’s overall goals. Also defines the roles and responsibilities everyone has to play to meet those goals.
Risk: helps identify, assess, quantify, and mitigate risks to IT assets. Helps the org understand potential threats and vulnerabilities and the impact they could have. The risk function reduces overall risk to acceptable levels and develops contingency plans in case something does happen.
Compliance: ensures the org adheres to all legal, regulatory, and industry standards (GDPR, NIST frameworks, ISO 27001, etc.).
Like a reality check for the business. Connects cyber security to the bigger picture: protecting the whole business, not just the data, and minimizing business risk. For most businesses, cyber security doesn’t directly contribute to revenue generation or profit maximization, but it helps avoid the risk of loss due to a cyber threat. A risk register tracks all open risks and the progress of their mitigation. Performing an assessment involves:
Identify factors that can cause revenue or reputation loss if there’s a cyber attack. May include things like:
- An unpatched web server
- A high-privileged user account without proper security controls
- A third-party vendor who might be infected by malware connecting to the org’s network
- A system where vendor support has ended but it’s still in production
Also need to quantify the threat. The likelihood of an incident involving an unpatched, air-gapped server locked in an inner closet is far different from that of a public-facing web server. The impact of a risk also differs between a main database server holding confidential information and a development server with dummy data.
Quantify the likelihood on a numeric scale, typically 1 to 5. This can be referred to as the probability of materialization of the risk. Sample scale:
Scale may not be uniform, or apply to every instance the same, but allows flexibility to suit each circumstance/network/device for different types of events.
Need to consider the impact of each risk if realized. For instance, if this public-facing web server is unpatched and gets breached, what will be the impact on the org? Impacts are also scaled 1 to 5, but the scoring may be based on different methods (e.g. the Common Vulnerability Scoring System [CVSS], Confidentiality/Integrity/Availability, etc.). An example scale description might be:
The last step is to decide what to do about the risks identified, which means assigning priorities. This can be helped along by calculating a total risk score. The simplest method is multiplying the likelihood of realization by the impact if realized, but something more advanced like Microsoft’s DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability, each scored and averaged) may be used. Finally, remediation gets assigned to a team member who is responsible for further investigation into the cost to remediate versus what could be lost if the risk is realized. If the cost of security is lower than the loss, we mitigate. If the cost of security is higher, we may accept the risk, documenting it and reviewing it periodically to see if the cost has changed.
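The assessment steps above (identify, score likelihood and impact, prioritize, decide mitigate vs accept) as a small risk register. This is an added example, not code from the notes or from the room they summarize; the risk entries, DREAD values, control costs and loss figures are constructed for the demo, and the 1..5 scale labels are an assumption, not the scale the notes had in mind.

```python
"""Minimal risk register: score, rank, and decide treatment for identified risks.

Added illustrative example. The risk entries, scales and cost figures below
are constructed for the demo, not taken from any real assessment.
"""
from dataclasses import dataclass
from typing import Optional

# Likelihood and impact both use a 1..5 scale, as in the notes (labels assumed).
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


@dataclass
class Risk:
    name: str
    likelihood: int          # 1..5, probability of the risk materialising
    impact: int              # 1..5, consequence if it materialises
    control_cost: float      # estimated cost to mitigate (constructed figure)
    loss_if_realized: float  # estimated loss if the risk materialises (constructed figure)
    dread: Optional[tuple[int, int, int, int, int]] = None  # (D, R, E, A, D), each 0..10

    def __post_init__(self) -> None:
        # Reject scores outside the scales so a typo can't silently skew the ranking.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")
        if self.dread is not None and not all(0 <= v <= 10 for v in self.dread):
            raise ValueError(f"{self.name}: DREAD components must be 0..10")

    def simple_score(self) -> int:
        """Simplest total risk score: likelihood x impact (range 1..25)."""
        return self.likelihood * self.impact

    def dread_score(self) -> Optional[float]:
        """Microsoft DREAD: mean of Damage, Reproducibility, Exploitability,
        Affected users and Discoverability (each 0..10), giving 0..10."""
        if self.dread is None:
            return None
        return sum(self.dread) / 5

    def treatment(self) -> str:
        """Mitigate when the control costs less than the loss it prevents;
        otherwise accept, document, and re-review periodically."""
        if self.control_cost < self.loss_if_realized:
            return "mitigate"
        return "accept (document, review periodically)"


def rank(register: list[Risk]) -> list[Risk]:
    """Highest simple score first; ties broken by impact (the loss side)."""
    return sorted(register, key=lambda r: (r.simple_score(), r.impact), reverse=True)


# Constructed register using the example risk factors from the notes.
REGISTER = [
    Risk("Unpatched public-facing web server", 5, 4, 2_000, 250_000, dread=(8, 9, 8, 7, 9)),
    Risk("Unpatched air-gapped server in locked closet", 1, 2, 5_000, 3_000),
    Risk("High-privileged account without MFA", 4, 5, 500, 400_000, dread=(9, 6, 5, 9, 4)),
    Risk("Third-party vendor device connecting to network", 3, 4, 15_000, 120_000),
    Risk("End-of-support system still in production", 4, 3, 80_000, 60_000),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        d = r.dread_score()
        dread_txt = f" DREAD={d:.1f}" if d is not None else ""
        print(f"{r.simple_score():>2} ({LIKELIHOOD[r.likelihood]}/{IMPACT[r.impact]})"
              f"{dread_txt}  {r.name}: {r.treatment()}")
```

Two of the constructed entries tie at 20 (5x4 and 4x5); the tie-break on impact puts the privileged account first, which is the kind of judgement call a plain product hides and why a second method such as DREAD is worth keeping beside the simple score. The end-of-support system lands on "accept" only because the constructed replacement cost exceeds the constructed loss; in a real register that entry would carry a review date.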
Internal assessments are like checking your house for leaks or broken windows: looking for what you can improve within your own walls. Things they can help resolve:
If outsourcing parts of the business to other companies, orgs need to evaluate the risks of working with those vendors, suppliers, or partners. One weak link in the chain could bring everyone down. Third-party assessments may look to ensure the other org:
Perform third-party assessments before choosing a vendor to work with. Brain refused to math at first.
Risk Management room.