Governance, Risk & Compliance (GRC)
A HOLISTIC APPROACH
In today's digital age, the amount of sensitive data being handled by organizations is growing at an unprecedented rate. From personal and financial information to intellectual property and trade secrets, the consequences of a data breach can be catastrophic — both reputationally and financially.
As a result, businesses are fortifying their cyber defences to protect against the risk of a breach. But a siloed approach to cybersecurity is not enough.
Organizations must adopt a holistic approach that addresses governance, risk and compliance (GRC) to effectively manage and secure sensitive data. In this article, we will clarify what is meant by ‘GRC’ and how its various components work together to mitigate risk and enable business.
WHAT IS GOVERNANCE, RISK AND COMPLIANCE (GRC) IN CYBERSECURITY?
Governance, Risk and Compliance (GRC) is a holistic approach to managing information security risks within an organization. The GRC model seeks to align corporate governance, enterprise risk management, and regulatory compliance with the organization’s IT and business initiatives.
‘Governance’ refers to the creation and management of policies, procedures, and controls to ensure that information technology is used responsibly and effectively. IT governance comprises several subcategories of activities, including the following:
- Strategy and business alignment
- Security policies and standards
- Risk management and control frameworks
- Resource management
- Roles and responsibilities
- Data ownership, sharing, and data privacy
- Conflict management
- Metrics and reporting
- IT, operational technology (OT), and Internet of Things (IoT) convergence
- Collaborative information security (infosec)
- Tool and vendor consolidation
- Evaluating control effectiveness
- Security roadmap maintenance
In GRC, ‘risk’ refers to the potential for harm or loss resulting from a cybersecurity incident. Risk-related activities include identifying, assessing, prioritizing, and mitigating cyber risks to develop resilience in an organization’s information systems.
While governance activities focus on policies, procedures, and controls to guide an organization, ‘compliance’ is about meeting the requirements set forth by the laws, regulations, and standards relevant to its industry, operations, and information systems. Compliance activities are meant to ensure the organization follows these requirements and can avoid legal or financial penalties.
You may be wondering if some of those governance activities overlap with what we define as risk and compliance, and the answer is yes! These are interrelated components of an effective cybersecurity program, which is why they’re grouped together as the practice of GRC.
WHY IS GRC IMPORTANT?
GRC is essential to the success (and increasingly, survival) of any organization that handles sensitive information, such as personal data and financial records. The rising number of data breaches and cyber attacks necessitates a comprehensive, proactive approach to information security that aligns with evolving legal and regulatory requirements.
Without a GRC program in place, organizations increase their risk of a data breach while decreasing the likelihood of responding appropriately. Further, they are prone to reputational damage, loss of customer trust, and economic loss via ransomware, lost revenues, or legal penalties and fines.
GRC Will Drive Your Business Forward
However, GRC is not just about risk aversion. When an organization aligns its cybersecurity strategy and programs with its business goals, it can improve operational efficiency, foster innovation, and drive sustainable growth.
GRC allows for the identification and prioritization of critical assets and processes, ensuring resources are allocated appropriately to protect them. This proactive approach minimizes unplanned disruptions, reducing downtime and optimizing workflows.
Further, by considering cybersecurity requirements early in the development of new products, services, or processes, organizations can introduce innovative solutions with confidence — confidence that the security risks are being managed.
Finally, by demonstrating strong cybersecurity measures and compliance with regulatory requirements, organizations build trust with customers, partners, and other stakeholders. This trust enhances the organization’s reputation, attracting new business opportunities and safeguarding existing relationships.
With cybersecurity aligned with business goals via an integrated GRC program, organizations can seize growth opportunities confidently and maintain a competitive edge in the digital landscape.
CYBERSECURITY POLICIES AND STANDARDS
Policy management is a vital component of GRC. Well-defined security policies and standards provide the framework for organizations to define security guidelines and guardrails, set expectations, and ensure regulatory compliance.
To effectively manage cybersecurity policies, organizations should develop a structured approach that specifies development and review processes as well as communication and training programs. Indeed, employees tend to be the weakest link in a company’s security posture, and these policies should inform an organization’s approach to security awareness and human risk.
RISK MANAGEMENT AND CONTROL FRAMEWORKS
There are several frameworks organizations can use to guide their GRC efforts, including SOC 2, ISO 27001, PCI DSS, the NIST CSF, FedRAMP, the CIS Critical Security Controls, COSO, COBIT, and FAIR. The appropriateness of each framework depends on factors such as the organization’s industry, location (including areas served), and types of data processed.
ISO 27001 is an internationally-recognized standard that defines how an information security management system (ISMS) should be implemented and maintained. This framework takes a holistic approach to cybersecurity, combining the areas of risk management and cyber-resilience with operational excellence.
ISO 27001 has a broader scope than SOC 2: where SOC 2 focuses primarily on data security controls, ISO 27001 prescribes the implementation of cybersecurity best practices across the entire organization. It also tends to be more popular than SOC 2 outside of North America.
Implementing ISO 27001 requires substantial effort and complete buy-in from company leadership, making it one of the more difficult certifications to maintain. However, its reputational and operational benefits make it a worthwhile endeavour — particularly for large organizations seeking to standardize their information security approach.
SOC 2 is a compliance standard for service providers that handle sensitive customer information. It specifies how organizations should manage customer data.
SOC 2 is popular in North America and focuses on the security and availability of information systems. It uses a framework called the Trust Services Criteria to evaluate performance in up to five categories:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
The security category is mandatory, though organizations have the option of whether or not to pursue the other criteria. As many have noted, this makes the SOC 2 standard somewhat of a “choose your own adventure” approach to cybersecurity compliance.
The SOC 2 audit, while narrowly focused on the area of customer data security, is very expensive, at approximately twice the cost of ISO 27001. Even so, it can instill a great deal of trust in an organization’s ability to safeguard customer information.
PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards for handling payment card data.
The PCI Security Standards Council (SSC) administers the DSS and is comprised of stakeholders from six major payment brands, including MasterCard, Visa, and American Express. The council is supported by an advisory board made up of more than 30 organizations.
PCI DSS specifies twelve requirements for any organization that processes payment cards. For example, these organizations must regularly test their security systems and processes. Non-compliance can result in fines and restrictions on the ability to accept payment cards.
The National Institute of Standards and Technology (NIST) is a US federal agency. It is part of the United States Department of Commerce, and its mission is to promote innovation by advancing measurement science and technology standards.
The agency’s cybersecurity framework, the NIST CSF, is widely used and referenced by organizations of all sizes across industries. This voluntary framework is designed to provide flexible guidance based on the organization’s risk management context. It also aligns well with other cybersecurity standards, such as ISO 27001, SOC 2, and HIPAA.
Having been adopted by both private and public sector organizations — including several government entities within and outside the US — the NIST CSF is considered a common language of cybersecurity risk management.
FedRAMP (Federal Risk and Authorization Management Program) promotes the secure use of cloud IT services by the US federal government. The FedRAMP standard also informs the Government of Canada’s cloud adoption strategy.
FedRAMP requires cloud providers to undergo an authorization process that includes an assessment by an accredited third-party assessment organization (3PAO). This process determines whether the provider meets the program’s rigorous security standards. FedRAMP’s security controls are based on NIST.
Once authorized, cloud providers must continuously monitor and assess their security controls, undergoing re-authorization every three years to ensure ongoing compliance.
The Center for Internet Security (CIS) Critical Security Controls (CSCs) are a set of 18 prioritized actions that provide a structured framework for organizations to bolster their cybersecurity posture. These controls, developed based on real-world attack data and expert insights, address key areas of vulnerability to mitigate prevalent cyber risks effectively.
Designed for adaptability across industries and organization sizes, the CIS CSCs offer a flexible approach to risk management. By following these controls, organizations can establish a solid foundation for their cybersecurity efforts, encompassing aspects like inventory and control of hardware and software assets, vulnerability management, secure configurations, network protection, and incident response. The CIS CSCs empower organizations to proactively defend against emerging threats, enhance data protection, and ensure the resilience of their digital environments. For more in-depth information on each control and its implementation, you can explore the official CIS website.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides organizations with guidance on enterprise risk management (ERM), internal control, and fraud deterrence. While not exclusively focused on cybersecurity, it provides a strong foundation for managing cyber risks within an organization.
COSO consists of five interrelated components meant to integrate risk management into an enterprise’s operational processes and strategy: a control environment, risk assessments, control activities, information and communication, and effective monitoring.
Adherence to COSO is not mandatory, though implementing the standard across an organization can help improve operational efficiency while reducing risks.
COBIT stands for Control Objectives for Information and Related Technologies, a globally recognized IT governance framework. Its goal is to align business, IT, and compliance stakeholders with commonly sought objectives and outcomes.
Five core principles uphold COBIT’s approach to IT governance: meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management.
COBIT was developed and updated by ISACA beginning in 1996. Unlike ISO 27001, it is considered a ‘best practice’ at the organizational level, rather than a ‘standard,’ and organizations cannot be certified against COBIT — though individuals can.
The Factor Analysis of Information Risk (FAIR) model helps organizations quantify cybersecurity risk so they can make well-informed business decisions founded on accurate risk evaluations. Notably, it aids organizations in evolving from a compliance-based to risk-based approach to cyber risk management.
Regulatory compliance alone provides the bare minimum for information security, whereas risk-based approaches promote a better balance between business enablement and protection.
FAIR is an open standard supported by The Open Group. It is internationally recognized and used voluntarily across many sectors including finance, energy, and healthcare.
SECURITY CONTROLS ASSESSMENTS
To achieve compliance with a cybersecurity control framework — or to gain a clear picture of their current cybersecurity posture — organizations need to regularly perform the appropriate security controls assessments.
These assessments evaluate the effectiveness of the cybersecurity controls that have been implemented, identifying security gaps and areas for improvement.
Here are some examples of security controls assessments that apply to different control frameworks, processes, and environments:
- SOC 2 Gap Assessment: Align your organization with SOC 2’s Trust Services Criteria (TSC).
- ISO 27001 Gap Assessment: Let experienced cybersecurity consultants and auditors guide your ISO 27001 implementation.
- CIS Security Controls Assessment: Assess your cybersecurity measures against the Center for Internet Security (CIS) controls, a set of recognized guidelines for enhancing security.
- NIST CSF Security Controls Assessment: Evaluate your cybersecurity posture using the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) recommended controls, fostering better protection.
- FedRAMP Security Controls Assessment: Ensure cloud services comply with the Federal Risk and Authorization Management Program (FedRAMP), meeting strict U.S. government security requirements.
WHAT IS A CYBERSECURITY RISK ASSESSMENT & THIRD-PARTY RISK ASSESSMENT?
A cybersecurity risk assessment is a process for evaluating potential risks to an organization’s information systems and data. It is a comprehensive assessment that goes beyond “ticking the box” to satisfy compliance requirements.
Cybersecurity risk assessments aim to quantify potential impacts and prioritize mitigation efforts to improve the organization’s overall security posture. The activity helps centralize the risk management function and integrates with broader enterprise risk management strategies.
For a more focused evaluation of data privacy risks, organizations may consider a data security and privacy assessment rather than a cyber risk assessment.
Third-Party Risk Assessment
Evaluating third-party services, software, and hardware is crucial for a strong cybersecurity strategy. This involves assessing external partners to ensure they meet your security standards. Consider their data protection practices, security policies, and compliance with regulations. Regular audits and robust contractual agreements are essential. Continuous monitoring and joint incident response plans help maintain secure collaborations and safeguard sensitive data. This approach enhances your overall cybersecurity posture.
SECURITY ADVISORY SERVICES
To effectively manage their cybersecurity needs, businesses may consider retaining security advisory services from a trusted cybersecurity partner. By gaining access to a dedicated consultant who brings clarity and cohesiveness to their security initiatives, organizations acquire instant domain expertise that is difficult to hire for or develop internally.
Further, integrating a consultant into the organization can help jumpstart its internal cybersecurity capabilities by providing an accessible source of knowledge and nurturing the growth of junior IT staff.
For more information on how cybersecurity advisory services can be tailored to suit your organization’s needs, contact us today.
Mirai's focus is on delivering solutions that are matched to each organization's unique needs.
Whether you're an SME just starting to understand what security risk posture means or part of a complex multi-unit enterprise looking to supplement your team with specific expertise, Mirai can help.
Across regions and industries, data privacy regulations are becoming more stringent. But what exactly does data privacy mean?
Data privacy refers to the protection and control of data containing personally identifiable information (PII). PII includes any information that can be used to identify an individual, such as their name, address, birthday, email address, phone number, finances, health records, or online activity.
Unlike other types of sensitive information, PII is defined by the law and not by the organization.
For years, organizations of all sizes played fast and loose with customer data as they sought to boost engagement, refine marketing strategies, and generate revenue from advertisers. But now, while those activities certainly continue, it’s safe to assume that every company is legally required to protect PII.
DATA PRIVACY LAWS AND REGULATIONS
There are several data privacy laws that organizations must comply with, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and the Quebec Privacy Act. Collectively, these regulations set standards for data protection, data breach notification, and safeguarding the privacy rights of individuals.
The General Data Protection Regulation (GDPR) is a comprehensive data privacy law considered the strongest in the world. It applies to entities that process personal data from the European Union (EU) and has extra-territorial reach. This means organizations are subject to the law if they serve or monitor EU citizens — even if their business is based outside of the EU.
Organizations that fail to comply with GDPR can face significant fines: up to 4% of global annual revenue or €20 million, whichever is greater. GDPR compliance is critical for any business offering goods or services to EU citizens or monitoring their behaviour, regardless of where the organization is located.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian privacy law that regulates the collection, use, and disclosure of personal information by private sector organizations. It also gives individuals the right to access and request corrections to their data.
Organizations can face severe penalties for non-compliance, including fines of up to $100,000. Intentional contravention of PIPEDA is considered an indictable offence. PIPEDA compliance is critical for any business that collects, uses, or discloses personal information in Canada.
The California Consumer Privacy Act (CCPA) is similar to the GDPR, but it concerns the PII of California residents. It’s designed to give individuals more control over how businesses collect and use their data.
Non-compliance with CCPA can result in fines of up to $7,500 per violation. CCPA compliance is essential for any business that collects or sells the personal information of California residents, regardless of where the business is located.
The Health Insurance Portability and Accountability Act (HIPAA) applies to organizations in the American healthcare industry that handle protected health information (PHI). It is a US federal law designed to ensure the confidentiality, integrity, and availability of PHI.
HIPAA specifies administrative, physical, and technical safeguards that covered entities must apply to their data security. Its rules dictate how PHI should be handled, how access should be controlled, and the steps to take in the event of a data breach.
Compliance with HIPAA is enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR). Non-compliance can result in significant fines and reputational damage.
LGPD stands for Lei Geral de Proteção de Dados, Brazil’s General Data Protection Law that regulates the processing of personal data. The law was created to unify more than 40 data privacy laws and norms that existed in Brazil.
The LGPD applies to the personal data of anyone located in Brazil, as well as any data processed within the country. It requires organizations to obtain individuals' consent when collecting their personal data and ensures that each person has the right to access, rectify, and delete their information. It also mandates that businesses implement appropriate security measures to protect personal data and establishes guidelines for reporting data breaches.
To comply with the LGPD, organizations must appoint a Data Protection Officer (DPO) and provide transparent privacy policies informing individuals about the purpose and legal basis for data processing. Noncompliance can result in penalties such as warnings, fines, and temporary or permanent bans on data processing activities.
The Quebec Privacy Act
The Quebec Privacy Act, also known as the Act Respecting the Protection of Personal Information in the Private Sector, holds a significant role in governing data privacy in Quebec, Canada. Comparable in scope to the GDPR, this provincial law outlines how private sector organizations gather, use, and disclose personal information. Key aspects include obtaining consent for data processing, ensuring data security, and granting individuals rights to access and correct their personal data. Non-compliance can result in penalties, highlighting the importance of understanding and adhering to the Act's provisions.
Adhering to the Quebec Privacy Act is vital to evade potential fines, legal actions, and harm to reputation. By placing emphasis on data privacy and effective compliance, organizations can nurture customer trust, preserve reputation, and contribute to a more secure digital environment.
DATA SECURITY AND PRIVACY ASSESSMENTS
In today’s data-driven world, ensuring data security and privacy has become a crucial concern for businesses of all sizes. To meet the rising expectations of customers, regulatory requirements, and society as a whole, organizations must take proactive measures to safeguard personally identifiable information (PII) and mitigate the associated risks.
By performing a Data Security and Privacy Assessment, businesses can determine which of their data qualifies as PII, where the data is stored and shared, how well it is protected, and what measures they can take to ensure robust data security.
THE PRIVACY OFFICER'S ROLE
An organization’s Privacy Officer is responsible for ensuring compliance with applicable data privacy laws and regulations. They also oversee the company’s privacy program and may conduct activities such as establishing privacy policies and procedures, conducting privacy impact assessments, and liaising with government officials.
Every company must have a Privacy Officer. If the role is not assigned, it falls to the CEO. Some functions are better suited to assuming the role of Privacy Officer than others — and outsourcing the role altogether may be an option for your organization.
WHAT IS A PRIVACY IMPACT ASSESSMENT (PIA)?
A Privacy Impact Assessment (PIA) is a systematic evaluation of a project, product, or system to identify and assess potential privacy risks. The goal of a PIA is to ensure that privacy risks are identified and mitigated before they cause harm. A PIA can help organizations comply with data privacy laws and improve their overall privacy posture.
In Canada, the Office of the Privacy Commissioner (OPC) specifies that PIAs are generally required when a program or activity may affect individuals' personal information. Some provinces, including Quebec and British Columbia, provide separate guidance on conducting PIAs. In Quebec specifically, both public and private corporations handling personal information must conduct PIAs to protect that information and comply with data privacy regulations. This requirement applies regardless of your company's location, extending to situations where you have employees, customers, or suppliers in Quebec, or store data within Quebec's jurisdiction.
CAREERS IN GRC
Those in GRC roles are usually described as analysts, consultants, or engineers. For example, you may see job titles such as GRC Consultant, Governance and Policy Analyst, or Security and Compliance Engineer. These positions can be found on internal cybersecurity teams or within cybersecurity consulting firms.
As a GRC professional, you would help organizations comply with data privacy regulations, audit existing policies and procedures, and manage risk to improve their overall security posture. GRC careers require a combination of technical and business skills and provide opportunities for professional growth.
While certification is not required for most entry-level GRC positions, many in the field seek designations such as CompTIA’s Security+ and ISACA’s Certified Information Systems Auditor (CISA). Further, GRC professionals may seek more focused certifications such as the Cloud Security Alliance’s Certificate of Cloud Security Knowledge (CCSK) or IAPP’s Certified Information Privacy Professional (CIPP).
Visit Mirai Security’s careers page to see what GRC roles are currently available.
Governance, Risk, and Compliance (GRC) is a comprehensive approach to managing information security. GRC aligns corporate governance, enterprise risk management, and regulatory compliance with an organization’s IT and business initiatives.
Implementing a GRC program is critical for organizations that handle sensitive information. There are several GRC frameworks and certifications available to guide organizations' GRC efforts. The best choice of framework depends on various factors such as industry, location, and types of data processed.
As data privacy regulations tighten, organizations of all sizes are now legally obligated to safeguard personally identifiable information (PII). Numerous data privacy laws require organizational compliance based on their location and the location of their customers, including the GDPR (Europe), CCPA (California), PIPEDA (Canada), and Quebec Privacy Act (Quebec). These regulations establish distinct standards for data protection, breach notifications, and privacy rights. Non-compliance can lead to substantial fines.
If you’d like guidance implementing your GRC program, conducting a cyber risk assessment, or aligning your organization with a recognized compliance framework, contact our GRC experts today.
Mirai Security is a trusted cybersecurity partner for businesses across North America.
If you have an information security problem to solve or a challenge to discuss, we'd love to hear from you.