What does GRC stand for?
Governance, Risk Management, and Compliance
What is Governance?
Ensures cybersecurity strategies are aligned with business practices
How can governance be implemented in long-term risk management?
Incorporate security in corporate decision making
What is risk management?
Identify, analyze, and mitigate risks for internal and external threats
How do frameworks prioritize risks?
By likelihood and potential impact, so that resources are allocated efficiently
What is compliance?
Ensures organizations adhere to regulations
Regulation: GDPR
General Data Protection Regulation: Sets guidelines for collecting and processing the personal data of individuals within the EU
Regulation: NIST CSF
NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover, and Govern
Regulation: ISO/IEC 27001
Outlines requirements for establishing and maintaining an Information Security Management System (ISMS), making it suitable for organizations seeking global credibility
Regulation: COBIT
Control Objectives for Information and Related Technologies: Aligns IT goals with business objectives
Regulation: CIS Controls
Center for Internet Security Controls: Guide for most common cyber threats
Regulation: PCI-DSS
Payment Card Industry Data Security Standard: Protect cardholder data through specific security controls
Regulation: HIPAA
Health Insurance Portability and Accountability Act: Sets national standards for the protection of sensitive patient data
GRC Challenge: Complex and Evolving Ecosystems
Overlapping regulations, each with its own specific requirements. Organizations may be unprepared for new threats, which means frameworks need to be updated frequently.
GRC Challenge: Updating Existing Systems and Challenges
Requires an investment in technology, personnel, and training
GRC Challenge: Internal Resistance
Cybersecurity may feel like a “hindrance” to productivity, so it can be difficult to get leadership approval
GRC Challenge: Continuous Evaluation, Monitoring, and Reporting
Quantifying success can be difficult
GRC Challenge: Balancing security with usability
Implementing GRC strategies can sometimes reduce usability of systems and slow things down
GRC Best Practice: Align GRC with business goals
Get leadership support and protect critical assets
GRC Best Practice: Implement Risk-Based Decision-Making
Prioritize risks based on likelihood
GRC Best Practice: Leverage Technology and Automation
Improve efficiency and response times
GRC Best Practice: Foster a Security-Aware Culture
Promote shared responsibility throughout the organization
GRC Best Practice: Continuous Monitoring and Policy Updates
Ensure security controls remain effective and relevant
What is the CIA Triad?
Confidentiality, Integrity, and Availability
What is CIA Confidentiality?
Access to information must be controlled to prevent unauthorized sharing of data
What is CIA Integrity?
Making sure data is trustworthy and safe from tampering
How to protect integrity?
Use hashing, encryption, digital certificates, or digital signatures
What is CIA Availability?
Data is available to the right people when they need to access it
CIA Best Practice: Categorize and protect sensitive data
Classify data based on its confidentiality needs. Enforce data encryption and MFA, and maintain up-to-date access control lists and file permissions
CIA Best Practice: Strengthen role-based privacy training
Conduct regular privacy awareness training. Tailor training to both organization-wide privacy standards and role-specific privacy requirements
CIA Best Practice: Implement data integrity controls
Use version control, data logs, checksums, and hash functions to monitor and preserve data accuracy during processing, transfer, and storage. Apply granular access control to prevent unauthorized data modifications.
CIA Best Practice: Adhere to the compliance standards
Review regulatory obligations frequently and stay aware of any new updates or changes
CIA Best Practice: Ensure continuous availability and recovery
Design systems with redundancy and failover mechanisms to reduce downtime. Use network and server monitoring tools and maintain cloud-based backups. This helps ensure quick and complete data recovery and business continuity in case of a security breach.