I contemplated writing about governance, risk, and compliance (GRC) as a developing professional, since the topic has been rather prevalent in my studies lately. Standards such as PCI DSS, FIPS 199 & 200, and related frameworks including NIST RMF, NIST CSF, CIS Benchmarks, ISO 27001, COBIT, and ITIL have recently been on my mind during my progression. So, I figured there would be no better time than now to start discussing what are often the foundations of information security programs.
Depending on the industry an organization operates in, cybersecurity professionals may find that an entity is required to follow certain laws and regulations. In the United States, these regulations include HIPAA, FISMA, FERPA, GLBA, SOX, COPPA, CIPA, and several others, enforced either federally or by the state in which the entity resides. Not included in the list is PCI DSS, since this is an industry-enforced standard as opposed to statutory law, but it is nevertheless a requirement for any organization accepting payments from the major card brands (Visa, American Express, MasterCard, etc.). The consequences and penalties of noncompliance can include bankruptcy or jail time for executive leadership.
Before I go further into the frameworks and why cybersecurity programs should be mindful about compliance, understanding the core mission of cybersecurity is fundamental.
Cybersecurity's goal is to ensure the success of a business by addressing the risks that matter. At the end of the day, the purpose of a cybersecurity department is not to make the organization as secure as possible (doing so would likely cease all functions of the business), but to ensure the organization can operate and achieve its goals with limited risk. There is a running joke among security practitioners that the best way of securing a network is to turn it off, and the best way to defend against insider threats is simply not to hire anyone. Under those conditions, it would be impossible for a company to expand, communicate over long distances, or take advantage of new opportunities.
For example, the fictitious company S&H Solutions decides to expand by building 5 new locations which would generate $2 million annually in profit. To integrate with their current payment systems, the new sites would have to be connected to the main site, and the main site stores all customer information including names, credit cards, addresses, emails, and other contact information. On the one hand, total security would prohibit any connection from one site to another; on the other hand, unrestricted access would expose S&H Solutions to an immeasurable number of threats that could diminish customer trust and bankrupt the company. In this case, and in many similar cases, there must be an acceptable balance between confidentiality and availability. This does not, however, imply that organizations have no security responsibilities.
From a moral perspective, organizations have an obligation to protect consumer and employee data (where security and privacy intersect) and to maintain the integrity of that data. This is supported by laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). In fact, the Sarbanes-Oxley Act (SOX) was intended to restore consumer trust in public companies after the Enron scandal, in which financial reporting documents presented to stakeholders and investors were falsified. Failing to take proactive steps to secure environments is likely to be seen as unacceptable both by the law and by the consumer market, with severe impact on tangible assets (finances, equipment, data) and intangible assets (trust, integrity, public image).
By now, you might be able to see why maintaining information security is such a difficult task. Technical skills can be researched, and implementations of technical controls are generally consistent from one environment to another (the syntax for a command is always going to be the same). Knowing when to apply that control and how it relates to the organization is much more complex.
In today's technological world, many organizations understand that, for this reason, cybersecurity is an integral part of their success. However, defining how much security is necessary is quite difficult. Thus, strategies have been developed that assist with implementing security controls, with some methods having higher success rates than others. The most successful frameworks incorporate risk management using a top-down approach and support ongoing security maintenance according to defined security objectives. These objectives must be agreed on holistically to enable cybersecurity professionals to achieve their goals in defending against threats across the organization.
Governance, risk, and compliance (GRC) is an umbrella term for the methods, strategies, and requirements organizations must adhere to according to local and federal regulations. GRC includes auditing, risk management, implementing frameworks and policies, and ensuring entities are operating in accordance with the law.
As previously mentioned, several frameworks exist that assist in implementing adequate information security programs. Explaining every aspect of the different frameworks would take several books. Thankfully, it has already been done, and you can review common frameworks and standards directly from the authoritative organizations:
There are several other frameworks; however, COBIT, ITIL, ISO 27000, and NIST SP 800-37 R2 are among the most popular, and for good reason. Every item listed can be applied to any organization internationally and produce reliable outcomes for an effective security posture. While seemingly complex at first, the frameworks themselves are simple to use as long as there is a basic understanding of risk management and security concepts. The most difficult part of implementation is that it takes an organization-wide effort requiring immense collaboration.
As such, the industry has recognized that cybersecurity is not only an IT specialization, but rather an entire ecosystem encompassing the organization as a whole. One might hear the term "information systems" in the context of computer systems, though the term has developed from referring to a handful of interconnected servers to include people, processes, infrastructure, policies, and data. Governance dictates how information systems operate and interact with external entities as well as internally.
An example of compliance regulations can be found in the federal government. The United States Federal Information Processing Standards (FIPS), enacted under the Federal Information Security Modernization Act (FISMA) (formerly the Federal Information Security Management Act), require federal agencies to follow strict security standards. FIPS 199 outlines how systems and information should be categorized and labeled. FIPS 200 goes hand-in-hand with FIPS 199 and defines the minimum security requirements for each system. Prescriptive security controls approved under FIPS 200 are then assigned based on the categorizations from FIPS 199. Below is a sample from section 3 of FIPS 200, "Specifications for Minimum Security Requirements."
Reading through the standard, there is much to accomplish in just four requirements. In total, there are seventeen requirements, spanning from highly technical responsibilities to managerial enforcement. The FIPS 200 standard is publicly available and can be found at https://csrc.nist.gov/pubs/fips/200/final.
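As an added worked example (not from the original post), here is the FIPS 199 categorization step that feeds FIPS 200: each security objective takes the highest impact across the system's information types (the "high-water mark"), a system is floored at LOW because N/A is permitted only for the confidentiality of public information types, and the FIPS 200 overall impact level is the highest of the three objectives. The information types and their impact values are constructed for the fictitious S&H Solutions payment system.

```python
# Added example: FIPS 199 security categorization with the high-water mark
# rule, followed by the FIPS 200 overall impact level of the system.
# The information types and impact values below are constructed for illustration.

IMPACT_RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed information types for the S&H Solutions main site.
# FIPS 199 allows "N/A" only for the confidentiality of public information.
INFO_TYPES = {
    "customer payment card data": {"confidentiality": "HIGH", "integrity": "HIGH", "availability": "MODERATE"},
    "customer contact details": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "public product catalog": {"confidentiality": "N/A", "integrity": "LOW", "availability": "LOW"},
}


def validate_info_type(name, impacts):
    """Reject impact values FIPS 199 does not define, and N/A outside confidentiality."""
    for obj in OBJECTIVES:
        value = impacts.get(obj)
        if value not in IMPACT_RANK:
            raise ValueError(f"{name}: invalid impact {value!r} for {obj}")
        if value == "N/A" and obj != "confidentiality":
            raise ValueError(f"{name}: N/A is only permitted for confidentiality")


def categorize_system(info_types):
    """FIPS 199 system category: per objective, the highest impact across all
    information types (high-water mark), with LOW as the floor because a
    system, unlike an information type, can never be rated N/A."""
    for name, impacts in info_types.items():
        validate_info_type(name, impacts)
    category = {}
    for obj in OBJECTIVES:
        highest = "LOW"
        for impacts in info_types.values():
            if IMPACT_RANK[impacts[obj]] > IMPACT_RANK[highest]:
                highest = impacts[obj]
        category[obj] = highest
    return category


def overall_impact_level(category):
    """FIPS 200: the system is low-, moderate- or high-impact according to
    the highest value among its three security objectives."""
    return max(category.values(), key=lambda v: IMPACT_RANK[v])


def format_sc(category):
    """Render the category in the SC notation used by FIPS 199."""
    pairs = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC system = {" + pairs + "}"


if __name__ == "__main__":
    sc = categorize_system(INFO_TYPES)
    print(format_sc(sc))
    print("FIPS 200 impact level:", overall_impact_level(sc))
```

With the constructed data, the card data drives confidentiality and integrity to HIGH and availability to MODERATE, so FIPS 200 treats the whole site as a high-impact system even though two of the three information types are far less sensitive.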
Businesses may view cybersecurity compliance as a burden rather than an opportunity. For most organizations, cybersecurity is not an income-generating department, so it makes sense not to invest more than what is needed. As contradictory as it may seem, compliance and proper security can actually be used as a tool to incentivize cybersecurity operations.
In order for an organization to conduct business with government agencies or with other organizations holding federal contracts, the company must adhere to FISMA or FERPA, depending on the industry of the service provided. Complying with these standards presents a major opportunity for expansion into other industries and for developing more business relationships. This indirectly increases overall profit and can be used to achieve company objectives. Another example is compliance with PCI DSS, where following the standard allows the company to accept credit card payments with relatively low risk. PCI DSS compliance enables a company to reach a broader consumer base, thus monetizing compliance efforts.
If an organization does not fall within scope of any regulation, these compliance frameworks can still be used to secure infrastructure and reduce risk through accepted industry standards. Having an inherently secure infrastructure may lead to offering cybersecurity services to other organizations struggling to maintain their security posture. These businesses could well be companies with a supply chain interest in your organization, allowing you to monetize your own cybersecurity operations while further securing the environment. Once again, another opportunity presents itself from having a stable information security program.
Governance, risk, and compliance is necessary to understand as a security professional, since failure to comply may have detrimental effects on your organization. Depending on the industry, organizations can be subject to FISMA, FERPA, HIPAA, SOX, PCI DSS, or other regulations. Information systems must adhere to these regulations by using approved frameworks such as NIST SP 800-37 R2 and ISO 27001. By improving an organization's security posture, cybersecurity can open new opportunities and directly contribute to an organization's success.