Cybersecurity GRC in plain English
This section demystifies cybersecurity GRC, i.e., the GRC approach to managing cybersecurity. It situates cybersecurity management within IT governance and presents GRC as a cybersecurity risk management framework: GRC is a high-level governance framework that is often applied within IT governance as the framework for managing cybersecurity risk.
Cybersecurity GRC in IT governance
Governance, risk management, and compliance (GRC)
GRC as a RMF (risk management framework)
Common cybersecurity risk management frameworks
Cybersecurity GRC in IT governance
IT governance frameworks are used to create value for organizations by aligning IT activities with business goals - financial goals, IT compliance goals, environmental goals, etc.
IT governance encompasses three key components:
1) Rules - international treaties/regulations, domestic/state regulations, industry standards/best practices, and organizational SOPs and ethical standards.
2) Compliance frameworks - give structure and guidance to the process of aligning IT ops with cybersecurity policy goals.
3) Policy - articulates high-level strategic requirements ("we shall protect our customers' data").
The GRC approach to managing cybersecurity is a structured way to operationalize these three components of IT governance related to information security within a risk-based management framework.
Governance, risk management, and compliance (GRC)
Governance, Risk, and Compliance (GRC) is a structured way to align IT with business goals while managing risks and meeting all industry and government regulations. It includes tools and processes to unify an organization's governance and risk management with its technological innovation and adoption. Companies use GRC to achieve organizational goals reliably, remove uncertainty, and meet compliance requirements. (amazon.com)
1) Governance refers to the set of policies, rules, or frameworks that a company uses to achieve its business goals. Governance defines the responsibilities of key stakeholders, such as the board of directors and senior management, in a cybersecurity governance policy.
Governance (IT governance) ensures alignment of IT goals and business goals by identifying relevant rules, turning the rules into clear goals, selecting compliance framework(s), and enacting policy to make it happen.
Organizations consult established IT governance frameworks for guidance in developing and refining their GRC policy rather than creating one from scratch. Frameworks and standards provide building blocks that organizations can tailor to their environment. Commonly, you will have a cybersecurity GRC framework that rolls into an IT governance framework, e.g., combining COBIT 2019 with the NIST Cybersecurity Framework.
2) Risk management ensures that information security risks associated with organizational activities are identified and addressed in a way that supports business goals. This entails having a structured and comprehensive risk management process that rolls into an organization’s enterprise risk management policy or strategy.
Risk management involves identifying potential risks, assessing the likelihood and impact of those risks, and developing and implementing plans to mitigate those risks.
In more concrete terms,
Companies use an enterprise risk management program to predict potential problems and minimize losses. For example, you can use risk assessment to find security loopholes in your computer system and apply a fix. (amazon.com)
Information security testing is used to identify and assess the risks to an organization's information assets. This information is then used to develop and implement security controls to mitigate those risks.
An organization can have a security incident response team (SIRT) composed of cross-functional team members whose function is to investigate and document security incidents.
3) Compliance involves developing and implementing procedures and controls to ensure that business activities comply with the respective regulations. For example, healthcare organizations must comply with laws like HIPAA that protect the privacy of patients.
Compliance entails making sure that IT systems and the data contained in those systems are used and secured properly. Compliance requires monitoring on an ongoing basis through scheduled and provisional compliance audits.
Information security testing is used to verify that an organization's information security controls are effective and are in compliance with applicable regulations.
The information security goals of IT governance are achieved through standards (in authority-based compliance) and procedures.
GRC as a RMF (risk management framework)
Underlying various information security risk management frameworks are five phases: asset valuation, identifying threats, identifying vulnerabilities, risk profiling (measuring the risk), and risk mitigation.
This risk-based approach “allows an organization to correctly prioritize the vulnerabilities it’s identified and focus its efforts on the risks that are the most significant to its operations.” A risk-based security strategy “identifies the true risks to an organization’s most valuable assets and prioritizes spending to mitigate those risks to an acceptable level.” A risk-based information security strategy “enables an organization to develop more practical and realistic security goals and spend its resources in a more effective way. It also delivers compliance, not as an end in itself, but as a natural consequence of a robust and optimized security posture” (Cobb, 2019).
Steps of the Information Security Risk-Based Management Approach (Adapted from Cobb, 2019)
Asset valuation
Determine what are the organization’s key information assets, where they are stored, and who owns them. When determining the value of assets, include “any business impact and costs associated with the confidentiality, integrity or availability of a compromised asset in an evaluation, such as lost revenue from an order-entry system going down or the reputational damage caused by a website being hacked.” This way of evaluating assets “ensures those that are most important to the day-to-day continuity of the organization are given the highest priority when it comes to security.”
Identifying threats
Identify who may want to steal or damage the organization’s key information (or mission critical) assets, why, and how they may do it. This includes “competitors, hostile nations, disgruntled employees or clients, terrorists and activists, as well as non-hostile threats, such as an untrained employee.” Also consider natural disasters such as floods and fire. Assign a threat level to each identified threat based on the likelihood of it occurring and the estimated impact/cost.
Identifying vulnerabilities
Automated vulnerability scanning tools are used by penetration testers to identify software and network vulnerabilities. Physical vulnerabilities may also need to be enumerated. Finally, there are “also vulnerabilities associated with employees, contractors and suppliers such as being susceptible to social engineering-based attacks.”
Risk profiling
Risk profiling begins after an organization’s assets, threats, and vulnerabilities have been identified. “Risk can be thought of as the likelihood that a threat will exploit a vulnerability resulting in a business impact.” Risk profiling “evaluates existing controls and safeguards and measures risk for each asset-threat-vulnerability and then assigns it a risk score. These scores are based on a combination of the threat level and the impact on the organization should the risk actually occur.”
Risk mitigation
“Once each risk has been assessed, a decision is made to treat, transfer, tolerate or terminate it. Each decision should be documented along with the reasons that led to the decision.” Once mitigation measures are implemented “carry out tests to simulate key threats to ensure the new security controls do actually mitigate the most dangerous risks.”
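As an added illustration (not code from the page or from Cobb), here is a minimal Python risk register that walks through the steps above: asset valuation, threat level and vulnerability exposure are rated on a hypothetical 1-5 ordinal scale, the risk score is the product of the three ratings, each treatment decision must be documented with a rationale, and a risk above an assumed risk appetite of 20 may not simply be tolerated. The sample entries are constructed, and the re-profiling helper models the post-mitigation check by lowering only the exposure rating.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One asset-threat-vulnerability triple from the risk register."""
    asset: str
    impact: int          # asset valuation: business impact if compromised (1-5)
    threat: str
    likelihood: int      # threat level: how likely the threat acts (1-5)
    vulnerability: str
    exposure: int        # how exploitable it is given existing controls (1-5)
    decision: str = ""   # treat / transfer / tolerate / terminate, once decided
    rationale: str = ""  # the documented reason for the decision

    def score(self) -> int:
        """Risk = likelihood that the threat exploits the vulnerability x impact."""
        for v in (self.impact, self.likelihood, self.exposure):
            if not 1 <= v <= 5:
                raise ValueError("ordinal ratings must be 1-5")
        return self.likelihood * self.exposure * self.impact


TREATMENTS = ("treat", "transfer", "tolerate", "terminate")
RISK_APPETITE = 20   # hypothetical threshold; above it 'tolerate' is not allowed


def prioritize(register):
    """Rank the register so the most significant risks get attention first."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def decide(risk, decision, rationale, appetite=RISK_APPETITE):
    """Record a treatment decision with its reason; refuse to tolerate risk above appetite."""
    if decision not in TREATMENTS:
        raise ValueError(f"unknown treatment {decision!r}")
    if decision == "tolerate" and risk.score() > appetite:
        raise ValueError("risk above appetite must be treated, transferred or terminated")
    if not rationale:
        raise ValueError("every decision must be documented with a rationale")
    risk.decision, risk.rationale = decision, rationale


def residual_after_control(risk, new_exposure):
    """Re-profile after mitigation: a control lowers exposure, not threat level or asset value."""
    return Risk(risk.asset, risk.impact, risk.threat, risk.likelihood,
                risk.vulnerability, new_exposure).score()


# Constructed sample register (illustrative values, not from the page)
REGISTER = [
    Risk("order-entry system", 5, "external attacker", 4, "unpatched web server", 4),
    Risk("public website", 3, "hacktivist", 3, "weak CMS admin password", 3),
    Risk("payroll data", 4, "untrained employee", 4, "susceptible to phishing", 2),
    Risk("office printers", 1, "disgruntled employee", 2, "default credentials", 3),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score():3d}  {r.asset} / {r.threat} / {r.vulnerability}")
```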
Several frameworks and tools exist to help with evaluating assets, threat levels, and risk scores. NIST’s Risk Management Framework (RMF) is commonly used to quantify operational risks (risks to the key assets behind an organization's day-to-day operations) and how best to mitigate them.
Common cybersecurity risk management frameworks
RMFs are used alone and in combinations. Common cybersecurity risk management frameworks include NIST SP 800-37, NIST CSF, and ISO/IEC 27001. Here is a brief introduction to these three RMFs.
1) NIST SP 800-37
The NIST 800 series is a set of documents that describe U.S. federal government computer security policies, procedures, and guidelines.
The Risk Management Framework (NIST SP 800-37) as a cybersecurity risk management framework integrates information security and risk management activities into the system development life cycle (SDLC). The second step of the RMF is to select the appropriate subset of security controls from the control catalog in NIST SP 800-53.
NIST Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, first posted online on January 16, 2020, takes a more holistic approach to the risk management process, integrating privacy into the SDLC, and including information on aligning the RMF with NIST’s Cybersecurity Framework (CSF), supply chain, and security engineering.
NIST SP 800-37 Rev2 is divided into seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. NIST SP 800-37 is a more detailed and prescriptive guide than the CSF. It is designed to be used by organizations that need to implement a more rigorous risk management program.
2) NIST CSF
NIST Cybersecurity Framework (CSF) is a holistic framework that provides organizations with a set of high-level cybersecurity activities and outcomes. It is not a prescriptive framework, but rather a set of guidelines that organizations can use to tailor their cybersecurity program to their specific needs.
NIST defines CSF as a set of cybersecurity activities, desired outcomes, and applicable informative references common across critical infrastructure sectors. In general, the CSF is a good starting point for organizations that are new to cybersecurity or that are looking to improve their overall cybersecurity posture.
The five core functions of NIST’s CSF are: Identify, Protect, Detect, Respond, and Recover.
3) ISO/IEC 27001
ISO/IEC 27001 is perhaps the world's best-known standard for information security management systems (ISMS). ISO/IEC 27001 is an international standard that provides organizations with requirements an ISMS must meet. It is a more detailed and prescriptive framework than the CSF, and it is often used by organizations that need to demonstrate compliance with specific regulations.
Common combinations
NIST SP 800-37 as the RMF, with the appropriate subset of security controls selected from the control catalog in NIST SP 800-53.
NIST CSF as the RMF and NIST SP 800-30 as the guide for conducting the risk assessment.
ISO/IEC 27001 as the RMF and ISO/IEC 27002 as a reference guide for implementing the controls required by ISO/IEC 27001.
ISO/IEC 27001 and the Payment Card Industry Data Security Standard (PCI DSS).
Key references
Cobb, M. (June 2019). 5 ways to achieve a risk-based security strategy. Retrieved December 20, 2019, from https://searchsecurity.techtarget.com/tip/5-ways-to-achieve-a-risk-basedsecurity-strategy