CHAPTER 1: INTRODUCTION TO CYBER SECURITY GRC

Background to GRC

Governance. Risk. Compliance (or ‘Control’). Simple words – but they encompass so much. They cover the steps taken by organisations to ensure they act ethically, legally and with integrity, and can effectively and efficiently handle risks (or other uncertainties) in achieving their business goals or other objectives.

GRC was first defined by Scott Mitchell, OCEG, in 2007 as:

the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.[2]

Governance is the ability to ensure that the organisation achieves its goals and objectives. It includes policies and processes led by senior management and the board to provide overall control of their activities. Ultimately, they are accountable for the financial health and legal compliance of the organisation – sometimes at risk of criminal proceedings. Governance also includes providing the ethics and tone of the organisation, as well as the structures and policies within which it operates.

Risk management is the ability to confidently act in a world of uncertainty: the process by which the organisation identifies, assesses and reviews the risks it faces in performing its operations. It also considers controls for these risks and ensures that adequate mitigations are in place (i.e. controls, insurance or risk acceptance).

Compliance, the ability to act with ethical integrity, is the adherence to applicable laws and regulations, as well as to the company’s own policies and procedures.

The basic principles of GRC apply to all organisations regardless of size. However, the processes, people, information and technology used to achieve good GRC vary considerably between organisations depending mainly on their size and areas of activity. For example, whereas a large banking organisation will face complex governance issues (need for experienced and knowledgeable board members, risk management and compliance issues), and their compliance requirements will include financial regulations and anti-money laundering, a small corner café is likely to be owned and governed by a small number of people but needs to comply with food hygiene and other relevant regulations.

GRC can be seen as an overhead – some might say GRC is an additional activity that does not directly add to the success or financial health of the organisation. Where GRC activity is not focused or co-ordinated, there can be redundant activities that neither provide business benefit nor strengthen the organisation’s governance, risk management or compliance. The aim is to simplify and manage the GRC process in such a way that it enables the organisation to fulfil its objectives, for example by providing the capability to enter new markets where the risk profile or compliance requirements are different to those for the rest of the organisation. This may involve embedding the risk management and compliance processes in normal business activities while automatically producing the key performance indicators (KPIs) and other reporting required by the main stakeholders for their governance activities. The main consideration is to provide a robust approach to handling the challenges of uncertainty and the risk of loss of reputation or customers, and even in some cases the risk of prison! Another benefit can be that when mergers and acquisitions take place, the target company can more easily be integrated into the acquiring organisation’s GRC framework.

GRC activities are often spread across organisations, including board secretariat, internal audit, compliance teams and risk teams in legal, finance, IT and HR, as well as within normal business operations. This can lead to conflicting activities across the different silos. There can also be inconsistencies in the level and type of risk being addressed – risks important at local/departmental levels may be minute when compared to those of the organisation as a whole. Also, in large, complex organisations these activities may be replicated across the different constituent entities. In these cases there can therefore be duplications of activities and gaps in coverage. Enterprise governance, risk and compliance (EGRC) seeks to provide a consistent, integrated approach to GRC across the organisation to reduce these duplications and gaps. It also provides a framework of policies, tools, processes and information reporting to simplify the activity and provide consistency.

The three lines of defence model

To provide governance of the risk management process itself, many organisations use the three lines of defence model[3] to explain their approach to managing risk. This model helps to assign specific risk management roles and responsibilities/duties, and to define the boundaries between them. The model is illustrated in Table 1.

Table 1: Summary of the Three Lines of Defence Model

First line – operational management control
  Usually performed by: business functions.
  Typical activities:
    - Embedded risk management.
    - Direct contact with risks.
    - Highlight control failures/unexpected events.
    - Remediate to address process/control deficiencies.

Second line – risk control and compliance oversight
  Usually performed by: risk committees; risk functions (e.g. CISO).
  Typical activities:
    - Provide frameworks and support implementation of relevant policies and procedures.
    - Help build/monitor the first line.
    - Develop processes and controls to manage risks and issues.
    - Review and update registers and responses to risks faced.
    - Operate self-certification/compliance processes.

Third line – independent assurance
  Usually performed by: audit and the board.
  Typical activities:
    - Provide independent review and reporting of the organisation’s response to risk, including the first two lines.

The model can be applied to organisations of any size or complexity – the aim is to provide a risk management framework that is effective (fit for purpose), efficient (limited impact on normal, legitimate operations) and economic (costs not excessive given the level of risk or compliance needs). The boundaries between the lines may also vary. If this model is used, it is important that the three lines have been defined within the organisation, including how the different lines should interact and how they share findings and information about risks, incidents and issues. A risk is something that could happen; an issue is something that has happened.

Within the context of cyber, the three lines could be considered as follows:

1. Operational management: SecOps functions, managed security services providers (MSSPs), third-party suppliers and service providers.

2. CISO and other compliance/review functions (in part this may be incorporated into non-cyber activities, e.g. data compliance).

3. Qualified IT auditors/ISO audits.

For cyber (as with health and safety), staff should be considered the first line of defence. For example, while operational management may ensure that anti-malware is installed and updated, the end user may still compromise security by clicking a phishing link or visiting an inappropriate site. All users need to be educated on cyber risks and made aware of the risks and consequences both to them as individuals and to the organisation as a whole. This awareness could have benefits for their personal lives as well.

Another concern is that the model can be seen as silo based. To work effectively, the different defence lines need to be integrated, e.g. to reduce the risk of a blame culture between the lines if and when a breach occurs.

What is the relevance of GRC to cyber?

We live in a digital cyber-based world – we use IT to communicate with friends and family, purchase goods and services, and do our banking, to name just a few activities. Cyber security could be defined as:

Measures to prevent or detect electronic attempts of theft or damage to your data and IT assets.

Cyber is not very different from any other risk impacting a business. It can affect an organisation’s reputation, compliance (including data privacy and specific cyber compliance) and financial well-being. Cyber is not just an IT issue – it impacts the whole way that you do business and organisational administration.

Cyber is not exempt from GRC. We need to ensure that cyber-based security activities are in line with all other GRC activities of the organisation and are subject to similar governance and control. Indeed, given the threats and risks specific to cyber, it could be argued that GRC is even more important.

If we consider this from the cyber criminal’s perspective, they may create a user story as follows:

“As a ne’er-do-well, I want to access and change your data and information/deny you access to your systems and data so that I can meet my own evil agenda by damaging your reputation and/or extort a ransom or other financial reward. To achieve this, I will target organisations that have little or no overall control of cyber. They:

Employ badly trained users who are gullible to threats;

Have risk management processes that are not working (don’t update security tools such as anti-malware, no effective password management, etc.); and

Fail to comply with laws/regulations/best-practice cyber hygiene.”

Your job as a director, manager or cyber security specialist is to stop them. One way to do this is to ensure that your organisation has effective cyber GRC. We will explore how to achieve this in the following chapters.

It is also important to remember that the impact of a cyber incident can go well beyond the immediate costs. We have seen companies across the globe go into receivership following a cyber attack, particularly where there has been a breach of personal data. This can be due to loss of reputation/customers and/or potentially massive regulatory fines.

We will now consider how good GRC can help reduce these risks.

[2] www.oceg.org/about/what-is-grc/.

[3] IIA Position Paper “The Three Lines of Defense in Effective Risk Management and Control”, OCEG.
