Best Practices for IT Security Policy Framework Approaches

Governance, risk management, and compliance (GRC) is the discipline that systematically manages risk and policy compliance. Governance describes the management oversight in controlling risks. Governance includes the processes and committees formed to manage risk. Governance also reflects leadership's tone. This means that governance reflects the core values of the organization toward risk, including the ability to enforce policy, the importance given to protecting customer data, and the tolerance for taking risks.

FYI

A study published in 2019 identified the top four best practice frameworks. They are:

  • ISO 27000 series
  • PCI-DSS
  • NIST
  • CIS Critical Security Controls

Various experts may disagree on the specific ‘best’ frameworks. But every list seems to include ISO 27000 and NIST.

Risk management describes the formal process for identifying and responding to risk. The concept behind this part of GRC is a close alignment of business process and technology. This approach ensures risks are assessed and managed within the context of the business. Risk management also reflects leadership’s risk appetite. How far is leadership willing to go to ensure third-party vendor protection of the organization’s data? This view of risk can be reflected in leadership's acceptance of risk, ranging from accepting vendor representations to insisting on on-site audits.

Compliance refers to the processes and oversight necessary to ensure the organization adheres to policies. Compliance also includes regulatory compliance. An organization’s internal policies should address external regulatory concerns. Therefore, for organizations with well-defined policies, the focus is mainly on internal policies. If you can show evidence of adherence to internal policies, you can demonstrate regulatory compliance. The ability to demonstrate regulatory compliance is further enhanced when an organization can demonstrate the adoption of a best practices policy framework.

A framework helps create an enterprise view of risk. Many organizations have complex business and technology environments. The need to align these environments is critical. Organizations also find themselves facing increased pressure from regulators to demonstrate compliance. As a consequence, adoption of best practices provides leaders, regulators, shareholders, and the public the assurance each group requires.

Another framework approach is enterprise risk management (ERM). This framework aligns strategic goals, operations effectiveness, reporting, and compliance objectives. ERM is a methodology for managing a vast array of risks across the enterprise. ERM is not a specific set of technologies. As an example, the ERM function may look at credit or market risk and attempt to determine if the pricing strategy or compensation to the sales force is creating risk to the business. ERM is not an IT security policies framework—it is a good integration point for IT security issues to be considered in context with other risks.

What Is the Difference Between GRC and ERM?

The terms GRC and ERM are sometimes used interchangeably, but that’s incorrect. The difference is not in their goals—they both attempt to control risk. You can view ERM more as a broad methodology that leadership adopts to identify and reduce risks. There are similarities worth noting, because both approaches:

  • Define risk in terms of the business threats.
  • Apply flexible frameworks to satisfy multiple compliance regulations.
  • Eliminate redundant controls, policies, and efforts.
  • Proactively enforce policy.
  • Seek line of sight into the entire population of risks.

GRC is more a series of tools to centralize policies, document requirements, and assess and report on risk. Because GRC is tools-centric, many vendors have created GRC offerings. It’s not surprising that with vendors aggressively selling solutions, GRC has more momentum than ERM. That’s not to suggest there aren’t tools to support the ERM process. Many of the GRC tools can be used to support the ERM methodology. But as a methodology, ERM adoption is driven by the organization’s leadership.

The lines between GRC and ERM do blur. In the real world, ERM teams deal with governance and compliance issues all the time. They use many of the same tools and techniques. More and more, GRC teams are reaching out to risk committees and teams to align efforts at a leadership level.

The important distinction is that ERM focuses on value delivery. This shifts the discussion from organizations’ budgetary requirements for risk mitigation to how their expenditures enhance value. ERM takes a broad look at risk, whereas GRC is technology-focused. This broad view of risk considers technology as one aspect of risk among many. This can be either a benefit or a drawback, depending on leadership's ability to understand IT risk. One of the benefits is that a successful implementation of ERM leads to risk management being fused into the business process and mindset.
