GRC, which stands for Governance, Risk, and Compliance, is widespread in the cybersecurity space today. This is a result of industry standards organizations and governments responding to the data breach landscape. The new compliance requirements are crucial to creating a risk management plan that is truly effective. Another way to look at GRC is as a structured approach that aligns Information Technology with business objectives while at the same time managing risk and complying with regulatory requirements.
Governance: Ensures that all organizational activities align to support the long-term business goals. Governance communicates with both external and internal stakeholders for auditing and the smooth running of all processes.
Risk: Ensures that both the risks and the opportunities linked to an organization’s activities align with the business goals.
Compliance: Ensures that activities within the organization operate within the laws and regulations that affect its systems.
What is Corporate Governance?
Companies need to establish processes, practices, and rules to prove governance. Critically, the responsibility to review risks knowledgeably lies with senior management and the Board of Directors. Governance gives those two bodies the authority to do so.
What is Corporate Governance in Cybersecurity?
Corporate governance has a twist in cybersecurity. The Board and senior-level executives have to understand the cybersecurity risks that often arise from business objectives, but they do not need to make the security-related decisions themselves.
Cybersecurity governance also needs to review how well the internal controls are working.
What is the Audit Committee’s Responsibility?
Many companies are now focusing on cybersecurity and making the audit committee a go-between linking the Board of directors to the audit program.
Therefore, the audit committee members need to understand cyber risk better than all the other members of the organization. They do not, however, need to be tech-savvy. They only need to work with the IT (Information Technology) leaders within the company to engage in detailed conversations.
Companies’ audit plans have to pay attention to data threats even as they use more Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS), and Software-as-a-Service (SaaS) vendors. The process you use to determine the Key Performance Indicators (KPIs) for your compliance program is the main focus of the audit plan. Establishing a cybersecurity audit plan therefore guides you on how to develop and prove governance.
Internal audit planning is a continuous process. Review your previous audit for control deficiencies before you set out the next audit plan. After that, you can determine the scope.
For instance, if your organization did not have the required operating system and software patch management, that should be part of the scope in the next audit. If patching was perfect, but your past audit found that many network devices and systems still used their factory-preset logins, focus on that.
In other words, keep adjusting the planning and timing continuously based on the improvements you make to your cybersecurity oversight.
Every audit plan should take a holistic view of cybersecurity risk. When creating an audit plan, establish a risk tolerance that incorporates the potential for a data breach, its location, the potential cost of a breach, and the data itself. Focus on the information assets with the highest assessed risk when you are determining the audit plan scope.
A compliance committee comprises internal stakeholders whose duty is to document and monitor internal controls. Together with the audit committee, the compliance committee ensures that the company keeps pace with changes to regulations and standards. They are therefore the first line of defense in keeping the controls effective and providing a program for governance.
How Internal Auditors Review Cybersecurity Governance
The audit plan sets out the scope, including the steps needed to prove governance. Since you need a second set of eyes, your internal audit function plays that role.
You will need an independent person to carry out the internal audit and assess whether your cybersecurity meets the standards and regulations set by the industry compliance requirements. The internal auditor will consider all the documents related to the cybersecurity compliance program. The audit checks whether you maintained compliance through the defined internal controls.
For governance, the internal auditor examines whether the compliance committee reports to the audit committee and reviews the controls that are defined by processes and policies.
As an example of the internal auditor’s role, the auditor may review the audit and compliance committee meeting minutes to ensure that the teams communicate risks and monitor them effectively. The auditor will then compare those notes to the Board meeting minutes to ensure that the information reaches everyone involved.
Ideally, documenting activities and communication will provide the auditors with the proof they need to audit governance over the cybersecurity program.
How To Use Documentation to Ease Auditing Governance
Automation helps to facilitate internal governance auditing because it enables substantial documentation and communication.
Organizations differ in size, and the size of the organization directly affects how a message is coordinated across the audit committee, the compliance committee, and the Board of Directors. Audit committee materials should include the executive summaries needed to identify issues, risks, and next steps.
Automation plays a significant role in streamlining the governance auditing system. Shared drives ease the communication burden to a great extent. The flip side of sharing is that whenever a change is made, the shared files update automatically, so finding historical versions of a document takes a lot of time. Since anyone with access can make changes that in turn update all the shared files, the integrity of the information is compromised, which undermines governance.
Organizations therefore need a central source of information that requires them to document all their compliance activities and that controls who can edit or change the documents.
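As an added illustration (not code from the original article or from any product it mentions) of the record-keeping the last two paragraphs call for, the hypothetical EvidenceRepository below keeps every version of a compliance document instead of overwriting it, accepts changes only from named editors, and hash-chains each entry to the previous one so an auditor can detect altered history:

```python
import hashlib
import json


class EvidenceRepository:
    """Append-only log of compliance document versions (illustrative, assumed design)."""

    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self, editors):
        self.editors = set(editors)  # only these people may submit a new version
        self.versions = []           # full history; entries are never overwritten

    @staticmethod
    def _digest(obj):
        # Canonical JSON so the same entry always hashes the same way
        return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

    def submit(self, doc_id, author, content, note):
        """Record a new version; raises if the author is not an authorised editor."""
        if author not in self.editors:
            raise PermissionError(f"{author} is not an authorised editor")
        prev = self.versions[-1]["entry_hash"] if self.versions else self.GENESIS
        entry = {
            "doc_id": doc_id,
            "author": author,
            "note": note,
            "content_sha256": hashlib.sha256(content.encode()).hexdigest(),
            "prev_hash": prev,   # links this version to the one before it
        }
        entry["entry_hash"] = self._digest(entry)
        self.versions.append(entry)
        return entry["entry_hash"]

    def history(self, doc_id):
        """Every recorded version of one document, oldest first."""
        return [v for v in self.versions if v["doc_id"] == doc_id]

    def verify(self):
        """True only if no entry was edited, removed or reordered after the fact."""
        prev = self.GENESIS
        for v in self.versions:
            body = {k: val for k, val in v.items() if k != "entry_hash"}
            if v["prev_hash"] != prev or self._digest(body) != v["entry_hash"]:
                return False
            prev = v["entry_hash"]
        return True
```

The same idea applies whether the store is a database table or a document system; what matters for the auditor is that history is preserved, authorship is recorded, and tampering is detectable.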
Before implementing GRC, you first need to prepare the environment. Check whether you have adequate controls and whether the existing ones are fully functional. Though GRC focuses on IT, the involvement of the whole organization is crucial when implementing a strategy. You will need to identify beforehand all the processes and people the implementation may affect.
About the Author
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.