GRC (Governance, Risks & Compliance) – An Introduction

January 17, 2013

Usually, when one talks about Information Security audit, governance, risk management, compliance and similar topics, it is dubbed “management-speak” and wished away by members of the hacker community. It worked the same way for the management people too, who wished away the geeky types who could bang a keyboard at the speed of light or “go where no one had been before”.

Times are a changin’ and the twain are set to meet.

Yes, over the years, the ethical hacker has realized that report writing is as much a difficult skill as finding a 0-day and claiming a 100k prize (ok, not as difficult, but maybe equivalent to a 50k prize). While the hacker community was learning the difference between an Executive Summary and a Summary, and the necessity of running a spell and grammar check before closing a document (oh oh! don’t forget you need a standard font throughout, and a standard font size too)… ok, while the community was learning these subtle differences, the management and auditor types started brushing up on their knowledge of tools, exploits, ports, networks, vulnerabilities, remediation and more.

While CH Mag has been fulfilling the need for the non-techie to learn and understand the techie’s hacker thought process, there has been a gap in terms of providing the techie with non-techie knowledge and skills.

And this is now due to change, with the new section on GRC and related topics starting off in this issue.

I have the privilege of penning this kickoff piece and will spend the remaining bytes walking you into the bright world of audit, risk and compliance.

Fundamentally, everyone is on the same team and doing the same work, except that the methods vary. The ethical hacker goes blind into a system, runs tools and exploits, uses his/her knowledge of IT infrastructure to discover weaknesses, and then presents the findings along with the solution for closing the vulnerabilities. In the same manner, an auditor too goes blind into the organization and calls for evidence that will prove that the organization is complying with the policies it has formulated. He/she will use his/her knowledge and skills to dig into documents and systems, and will do a good bit of mind reading and body-language analysis to discover weaknesses in the processes and technologies, which will be reported along with suggestions for closing them.

In effect – the same work (assessment, testing, analysis…); the same goal (information, IT, data, security…); work done at the same place and the same deliverables submitted (soft copy and hard copy of the report with remediation).

For the sake of simplicity, we shall call this the GRC domain while the techie domain may be referred to as Hackers.

Enough said, and we move on to know more about this specialization in Information Security. Certifications are plentiful; some carry a strong reputation while others are simply around. Some of the most well-known certifications are CISSP, CISA, CISM, ITIL, ISO27001 Implementation, ISO27001 Lead Auditor, BCP, CIA, CRISC, CGEIT, CFE, C|CISO, DISA, CIPP, ABCP, CBCP and many others covering various specializations. These professional certifications usually require the person to have a few years of work experience and then to qualify by passing an examination. The areas of specialization and experience will be in IT audit, systems audit, risk management, business continuity, disaster recovery, governance, compliance, asset management, data center audits, IS management, ISMS implementation, metrics management and much more.

We usually bundle all these specialist areas of work under the single label of GRC or IS / IT Auditor. This may seem incorrect but, looked at differently, it is representative of the knowledge required of the auditor too! He/she, as an information security professional, has to understand and know about all the areas mentioned above, plus all those that are not mentioned. And of course, report writing is an integral part of the profession itself.

A GRC (Governance, Risk, and Compliance) professional is an information security practitioner and may be working as a CISO (Chief Information Security Officer), an IS Manager, or Auditor in an organization. Other roles may be that of Change Manager, Incident Manager, Risk Manager etc.

The fundamental attributes that drive the profession are the principles of Confidentiality, Integrity and Availability of the IT that runs the business, as applied to People, Process and Technology through ‘controls’ or ‘rules’.

As one starts on the GRC practice, the first thing one is usually asked for is a Gap Analysis or a Risk Assessment. The gap analysis is just that – an analysis of the area of investigation and discovery of the gaps, so it is a VA (vulnerability assessment) but carried out on processes and not on systems. A Risk Assessment is a more critical activity because it is not something done once and then repeated annually; it is more dynamic, as it has to be made part of the overall organizational culture – this is critical to the success of any Information Security program in an organization. In fact, a VA/PT or AppSec engagement is usually termed a Technical Risk Assessment and is usually carried out as a result of a risk or gap assessment.

While implementing Information Security in any organization, the team carries out a Risk Assessment and identifies risk areas along with the path and strategy for mitigation. Risks are identified in respect of current practices and processes, technologies deployed in the infrastructure, people-related policies and practices, assets etc. The mantra followed by all mature organizations, and advised by all Information Security auditors, practitioners and consultants, is that all controls and policies should be risk based. In effect this means that any new control or asset must be deployed only once a proper risk assessment has been carried out. A thorough risk assessment will identify threats, vulnerabilities, challenges and issues relating to the process, its environment and its working, and the organization’s management will be able to take informed decisions on them.

Risk values can be quantitative or qualitative – which means that a risk can be expressed as a number, or stated as ‘high’, ‘medium’, ‘low’ (or in one’s own terminology) when it is a gut feel. The most basic formula is risk = impact * probability, where impact and probability are each a number on a defined scale. These inputs are received from the asset stakeholders by the Risk Assessor through specific interactions and informed questioning.

This is a very basic introduction to risk assessment, and it is a very big area of specialization. Risk managers carry huge responsibilities in their organizations and depend on much more than this basic formula. Needless to say, this will be an important topic in future issues, and we hope you will gain a deeper understanding which you can apply to your own work.
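As an added example (not code from the article or its author), here is the basic formula above applied to a small risk register in Python: each entry carries the impact and probability stated by the asset owner, the product gives the quantitative score, and the score is then bucketed into the qualitative ‘high’, ‘medium’, ‘low’ labels so that the two styles of expressing risk sit side by side. The 1–5 scales, the band thresholds and the sample register entries are assumptions made for illustration, not values from the article or from any standard.

```python
"""Constructed example: a minimal risk register applying risk = impact * probability.

The 1-5 scales, the high/medium/low thresholds and the sample entries are
assumptions for illustration, not values from the article or any standard.
"""
from dataclasses import dataclass

# Assumed ordinal 1..5 scale for both inputs, so the product ranges over 1..25.
SCALE_MIN, SCALE_MAX = 1, 5

# Assumed thresholds that turn the numeric product into a qualitative label.
# Checked top-down: the first floor the score reaches decides the label.
BANDS = (
    (15, "high"),    # 15..25
    (6, "medium"),   # 6..14
    (1, "low"),      # 1..5
)


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    impact: int       # 1 (negligible) .. 5 (severe), as stated by the asset owner
    probability: int  # 1 (rare) .. 5 (almost certain), as stated by the asset owner

    def __post_init__(self):
        # Reject inputs outside the agreed scale; a typo here silently skews the ranking.
        for name in ("impact", "probability"):
            value = getattr(self, name)
            if not (SCALE_MIN <= value <= SCALE_MAX):
                raise ValueError(f"{name} must be between {SCALE_MIN} and {SCALE_MAX}, got {value}")

    @property
    def score(self) -> int:
        """Quantitative risk value: the article's risk = impact * probability."""
        return self.impact * self.probability

    @property
    def rating(self) -> str:
        """Qualitative risk value derived from the score via the assumed bands."""
        for floor, label in BANDS:
            if self.score >= floor:
                return label
        return "low"  # not reachable with a valid 1..5 scale; kept as a safe default


def prioritise(register):
    """Order the register highest risk first; at equal score the larger impact
    comes first, so the risk that would hurt more is treated earlier."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def summarise(register):
    """Count entries per qualitative rating, e.g. {'high': 1, 'medium': 2, 'low': 1}."""
    counts = {}
    for risk in register:
        counts[risk.rating] = counts.get(risk.rating, 0) + 1
    return counts


# Constructed sample register; the numbers stand in for stakeholder interview output.
SAMPLE_REGISTER = [
    Risk("customer database", "unpatched DBMS exploited", impact=5, probability=3),
    Risk("payroll file share", "accidental deletion", impact=3, probability=3),
    Risk("marketing website", "defacement", impact=2, probability=4),
    Risk("test VM", "misconfiguration", impact=1, probability=2),
]

if __name__ == "__main__":
    for risk in prioritise(SAMPLE_REGISTER):
        print(f"{risk.score:>2} {risk.rating:<6} {risk.asset}: {risk.threat}")
    print(summarise(SAMPLE_REGISTER))
```

The point of carrying both values is practical: the numeric score gives the ordering the remediation plan follows, while the label is what goes into the executive summary. Whichever scale and bands an organization adopts, they should be written down once and reused across assessments, otherwise scores from different assessors cannot be compared.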

Elements of GRC, like governance, risk management, gap analysis, change management and others, are based on best practices and standards like ITIL, ISO27001, COBIT etc., and provide organizations with the necessary direction, guidance and controls for effective information security and management.

Dinesh is an Information Security professional specializing in security strategy, architecture design and operations. He is an Advisor to Cyber Defence Research Centre (Special Branch, Jharkhand). He also leads the Indian Honeynet Project.
