Governance, Risk, and Compliance (GRC) PDF

Document Details

Jordan University of Science and Technology

Dr. Mazen Alwadi and Dr. Hala Hamadeh

Tags

governance risk management compliance business operations

Summary

This document presents a comprehensive overview of Governance, Risk, and Compliance (GRC) topics. It discusses various aspects such as organizational strategy, goals, objectives, structures, responsibilities, culture, security policies, asset identification, business processes, and risk management frameworks.

Full Transcript

Governance, Risk, and Compliance (GRC)
Prepared by: Dr. Mazen Alwadi and Dr. Hala Hamadeh

What Is GRC (Governance, Risk, and Compliance)?
- GRC is a structured way to align IT with business goals while managing risks and meeting all industry and government regulations.
- Each organization has its own mission (business), size, industry, culture and legal regulations.
- However, all organizations have a responsibility and duty to protect their assets and operations, including their IT infrastructure and information.

Outline
- Governance
  - Organizational governance
  - Organizational structure, roles, and responsibilities
  - Organizational risk culture, risk appetite, and risk tolerance
  - Ethics of risk management
- Risk

Governance
- Governance: a system that provides a framework for managing organizations. It identifies:
  - who can make decisions
  - who has the authority to act on behalf of the organization
  - who is accountable for how an organization and its people perform.

Governance ctd.
Governance consists of:
- External governance, which comes in the form of:
  - Laws
  - Regulations
  - Professional and industry standards
  - Any requirements imposed on the organization from the outside
- Internal governance, which supports external governance in the form of:
  - Policies
  - Procedures
  - Processes

Organizational Strategy, Goals, and Objectives
- Senior management defines the organization's strategy, goals, and objectives, as each organization exists to fulfil a particular purpose.
- Senior management also defines:
  - Risk tolerance: the acceptable level of deviation in risk for a particular endeavor or business pursuit.
  - Risk appetite: how much risk an organization is willing to deal with in any given endeavor. It is based on: market space, operational environment, the economy, and governmental regulation.
  - Risk capacity: the amount of loss an organization can incur without seriously affecting its ability to continue as an organization.
- These risk levels directly support and articulate the business mission.

Organizational structure, roles, and responsibilities
- The organization of the business helps drive how it deals with risks; the business is typically organized from a functional perspective.
- Risks are handled by all of the organization's departments and entities, from the smallest to the highest in the organization hierarchy.
- Risks roll up from small departments to higher organizational levels.
- Each unit in the organization structure should take steps to identify, evaluate, and assess risks at its level.

Organizational structure, roles, and responsibilities ctd.
Risks may be thought of as:
- Tactical risks: the risks encountered by small production sections that carry out the day-to-day work of the organization.
- Operational risks: the risks that span multiple work units and relate to how the business conducts its functions and how different units interact with each other.
- Strategic risks: borne at higher levels of the organization, including senior management, and involving the risks incurred by leading the business towards opportunities and away from decisions that exceed the organization's risk appetite and tolerance.

Organizational culture
- Culture is the term that describes how people treat each other and how people get things done. Terms like respect, collaboration, and teamwork are often seen in these values.
- The organization also has a risk culture that defines how the organization feels about and deals with risks. It comes from:
  - The organization's leadership, based on management philosophies, attitudes, education, and experience
  - The organization's governance (external or internal)

Security policies and procedures
Policies and procedures support the success of the security program.
- Policies: high-level documents that outline an organization's security objectives, principles, and standards. Policies:
  - support the strategy, as well as governance requirements, such as those that may be found in laws or regulations
  - state the roles and the responsibilities
  An example of a risk-related policy would be a risk management or risk assessment policy.
- Procedure: describes, step by step, how a certain function is carried out within the organization.

Security policies and procedures ctd.
- Without a policy, a security program can fail due to the lack of:
  - Governance: security policies are the foundation of governance
  - Management involvement: security policies are developed with the involvement of management, especially senior leadership
  - Accountability: policies help ensure that everyone in the organization understands their role in maintaining security
- Clarity in policies and procedures helps in understanding the organization's risk management framework.

Business processes
- The business processes are the activities that carry out the business mission.
- The business mission describes why the organization exists.
- Business processes can be as high level as manufacturing and sales, and as low level as sewing cloth and leather.
- All business processes incur some level of business risk.
- Business processes are owned by different managers within the organization.
- Higher-level management bears ownership and responsibility for both the process and its risk.

Business processes ctd.
- Management of the organization can be improved by developing documents describing the way each process is done.
- These documents need to be periodically reviewed and kept in official repositories.
- Organizations with higher maturity develop metrics and Key Performance Indicators (KPIs) for each process.
- KPIs help in understanding the quantity and quality of business process output.
- KPIs can be used to improve the effectiveness and efficiency of business processes.

Organizational assets
- Assets include:
  - Physical items: computers, networking equipment, office machines, buildings, etc.
  - Non-physical items: valuable information, secret recipes, patents, etc.
- Asset identification involves identifying both types of assets and determining their values.
- Asset values are not always as simple as the mere cost of the item.
- Asset management is the collection of activities used to oversee the inventory, classification, use, and disposal of assets.

Asset identification
- The main objective of a security management program is the protection of the organization's assets. Examples:
  - Real estate: buildings, structures, property
  - Equipment: machines, vehicles, IT equipment
  - Virtual assets: virtual machines, websites, software
  - Supplies and materials: materials used in manufacturing, office supplies
  - Records: contracts, video surveillance tapes, visitor logs
  - Information: documents, e-mail messages, files
  - Intellectual property: patents, software source code, processes
  - Personnel: the people working in the organization (basically, the organization itself)
  - Reputation: the opinion of clients, competitors, shareholders, and the community

Sources of asset data
- Interviews: discussions with key personnel to identify assets are usually the best approach.
- IT systems portfolio: a well-managed IT organization will have formal documents and records for its major applications.
- Online data: an organization with cloud-based assets can use the asset management portion of the cloud services.
- Security scans: can be used to identify network assets.
- Asset management system: larger organizations may find it more cost effective to use such an application.
- None of these sources should be considered accurate and complete on its own.

Organizing asset data
- It is rarely possible to create a list of assets from a single source.
- Assets are typically organized in smaller chunks to be analyzed effectively. Some ways to organize assets are:
  - Geography: classify assets based on location, in geographically dispersed organizations
  - Service provider: group by service provider if using services from multiple providers
  - Business process: based on the business process they support
  - Organizational unit: based on the organizational unit they support
  - Sensitivity: usually used with information
  - Regulation: if the organization is required to follow legal obligations
- There is no need to choose only one way; usually information about location, business process, service provider, etc. is collected for each asset.

Risk governance
- Describes the requirements the organization must adhere to in terms of managing both business and IT risk.
- Sources of the risk governance plan:
  - External: laws, regulations, and other external factors
  - Internal: comes in the form of policy
- Risk governance is set by executive management in the form of:
  - Risk appetite and tolerance
  - Risk strategy
  - Policies that support risk management

Enterprise Risk Management (ERM)
- An organization can manage risks in one of two different ways:
  1) one risk at a time, on a largely compartmentalized and decentralized basis
  2) all risks viewed together within a coordinated and strategic framework. This approach is often called "enterprise risk management", or "ERM".
- Enterprise Risk Management (ERM) is the practice of identifying and managing strategic risk in an organization. This includes topics such as macroeconomics, market risk, regulations, workforce, information technology, and cybersecurity.

Risk Management Frameworks
- Standards and frameworks help provide a standardized, industry-accepted approach towards managing risk.
- Standards and frameworks are not perfect, but they provide a baseline for an organization.
- Each standard and framework has its own pros and cons.
- Popular sources of standards and frameworks include:
  - ISACA (publisher of the Risk IT and COBIT frameworks)
  - NIST (National Institute of Standards and Technology; publisher of the Risk Management Framework, SP 800-37, and the Cybersecurity Framework)
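The two asset-data slides above ("Sources of asset data" and "Organizing asset data") make a point that is easy to nod at and hard to act on: no single inventory is complete, so the practical task is to reconcile several partial ones and then cut the merged list by location, business process, provider and sensitivity. The following is an added example, not part of the original slides or the course material; it assumes three constructed inventories (a CMDB/IT-portfolio export, a cloud provider's asset list, and hosts found by a network scan), and every field name and sample host in it is made up for illustration.

```python
"""Reconcile partial asset inventories and organize the merged result.

Added example (not from the original slides). The three inventories below
are constructed sample data; field names imitate typical exports but are
assumptions, not any real tool's schema.
"""
from collections import defaultdict

# Constructed sample data. Each source sees the environment partially and
# spells things differently (case, trailing DNS suffix, missing fields).
CMDB = [
    {"hostname": "ERP-DB-01", "ip": "10.1.5.20", "owner": "Finance",
     "process": "Order to cash", "site": "Amman", "sensitivity": "Confidential"},
    {"hostname": "hr-portal", "ip": "10.1.7.4", "owner": "HR",
     "process": "Payroll", "site": "Amman", "sensitivity": "Restricted"},
    {"hostname": "legacy-fax", "ip": "10.1.9.9", "owner": "Facilities",
     "process": "Facilities", "site": "Irbid", "sensitivity": "Internal"},
]
CLOUD = [
    {"name": "hr-portal.corp.example", "private_ip": "10.1.7.4",
     "region": "eu-central-1", "provider": "cloud-a", "tags": {"process": "Payroll"}},
    {"name": "web-front-03", "private_ip": "10.2.0.33",
     "region": "eu-central-1", "provider": "cloud-a", "tags": {}},
]
SCAN = [  # hosts that answered a network scan; the scanner only knows ip/hostname/ports
    {"ip": "10.1.5.20", "hostname": "erp-db-01.corp.example", "ports": [1433]},
    {"ip": "10.2.0.33", "hostname": "web-front-03", "ports": [80, 443]},
    {"ip": "10.1.12.77", "hostname": "", "ports": [22, 3389]},  # nobody registered this one
]


def norm_host(name):
    """Lower-case and strip the DNS suffix so 'ERP-DB-01' and
    'erp-db-01.corp.example' become the same identity."""
    return name.strip().lower().split(".")[0] if name else ""


def reconcile(cmdb=CMDB, cloud=CLOUD, scan=SCAN):
    """Merge the sources into one record per asset, keyed by short hostname
    (falling back to IP), and remember which sources saw each asset so that
    coverage gaps stay visible instead of being silently lost."""
    assets = {}
    ip_index = {}  # ip -> key, so a hostname-less scan hit joins a named record

    def upsert(hostname, ip, source, **fields):
        key = norm_host(hostname) or ip_index.get(ip) or ip
        rec = assets.setdefault(key, {"hostname": key, "ip": ip, "sources": set()})
        ip_index[ip] = key
        rec["sources"].add(source)
        for k, v in fields.items():
            if v and not rec.get(k):  # first non-empty value wins; never overwrite
                rec[k] = v

    # Named, curated sources first; the scan (which may lack hostnames) last.
    for r in cmdb:
        upsert(r["hostname"], r["ip"], "cmdb", site=r["site"], owner=r["owner"],
               process=r["process"], sensitivity=r["sensitivity"])
    for r in cloud:
        upsert(r["name"], r["private_ip"], "cloud", site=r["region"],
               provider=r["provider"], process=r["tags"].get("process"))
    for r in scan:
        upsert(r["hostname"], r["ip"], "scan", ports=r["ports"])
    return assets


def gaps(assets):
    """The slide's 'no source is complete' point, made concrete:
    unregistered = reachable on the network but in no inventory;
    not_reachable = inventoried but not seen by the scan (decommissioned? isolated? missed?)."""
    return {
        "unregistered": sorted(k for k, a in assets.items() if a["sources"] == {"scan"}),
        "not_reachable": sorted(k for k, a in assets.items() if "scan" not in a["sources"]),
    }


def group_by(assets, field):
    """Organize the merged list by one dimension from the slide:
    'site' (geography), 'process', 'provider' or 'sensitivity'."""
    out = defaultdict(list)
    for key, a in assets.items():
        out[a.get(field) or "unknown"].append(key)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    merged = reconcile()
    for key, a in sorted(merged.items()):
        print(f"{key:14} ip={a['ip']:12} seen_by={sorted(a['sources'])}")
    print("gaps:", gaps(merged))
    for dim in ("site", "process", "sensitivity", "provider"):
        print(f"by {dim}:", group_by(merged, dim))
```

Two design choices matter here. Identity is resolved on the normalized short hostname before falling back to IP, so the same machine exported three different ways collapses into one record; and the "first non-empty value wins" rule means the curated CMDB value for site or sensitivity is not overwritten by a cloud region tag, while the record still gains the provider name only the cloud source knows. The `unknown` buckets that `group_by` produces are the assets whose classification work (sensitivity, owning process) is still outstanding.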
