Governance Risk Compliance

  • Building Custom Fields in a GRC Platform — Challenges and Solutions

    One thing I underestimated when I first started building my GRC platform was the amount of flexibility people want when it comes to metadata. Everyone asks for “just a couple of extra fields,” and before you know it, you’re knee-deep in requirements around conditional logic, multi-model support, imports, exports, surveys, reporting, and tenant isolation.

    Custom fields seem simple until you actually start designing them for a multi-tenant GRC environment. That’s when the fun begins.

    Here are the real challenges I hit, and the approach that finally worked.

  • Creating Risk Management objects

    For “Simple GRC” I’ve defined Libraries, Library Objects and Requirements. These records make it possible to create a simple, logical approach to all GRC objects. This is outlined in my other post, Building the Foundations: Libraries, Objects, and Requirements in Simple GRC.

    Example: a structure such as “Authority -> NIST CSF -> Asset Management -> Physical devices and systems within the organization are inventoried” would be easy to implement. It can also be used for risks, controls, etc.

    Now I need to define a Risk Management structure where I can set up Risk Management Activities, such as Assessments and Issues, and connect those specific activities to Libraries.

    This part is a work in progress.

  • Building the Foundations: Libraries, Objects, and Requirements in Simple GRC

    Over the past few weeks, I’ve been shaping the core structure behind Simple GRC — specifically how all the governance, risk, and compliance content connects together.
    I wanted something clean, logical, and scalable. GRC data tends to get messy fast — one framework references another, controls overlap, requirements duplicate, and every “simple mapping” turns into a web of dependencies.

    To handle that without losing my mind, I built a model centered around Libraries, Objects, and Requirements.
    It sounds simple (and that’s the point), but there’s quite a bit going on under the hood.

  • Data Classification and Handling

    Classifying data and applying proper handling is an important but somewhat complex task. On one hand, we have governance, which might be vague at best; on the other hand, we have operational teams trying to implement comprehensive handling mechanisms. In the middle, we have compliance reporting carried out by various teams trying to put everything together.

  • Risk Calculations, Probability x Impact

    We often hear that in order to calculate the Risk Posture, we have to use Probability times Impact. But what does it mean in the real world?

    I will try to structure the response.

  • Thoughts on Key Risk Indicators (KRI)

    I’ve seen many instances where KRIs live a life of their own. Often, KRIs that are showcased to the board are very operational, like the number of DDoS attacks. While the KRI presentation is not bad in itself, there should be a value that drives this demonstration. What is a KRI, where do they live, what do they need to show, and who needs to see them, and when?

  • Align with NIST CSF – what it means and how to do it

    Some thoughts on NIST CSF (Cyber Security Framework) alignment.

    What isn’t it?

    It is not a final solution. It is not a controls framework.

    What is CSF?
    It is a framework — strategic foundation or governance catalyst — a starting point that helps an organization structure its cybersecurity governance, risk management, and control implementation. You take the Framework and tailor it to your System.

  • Building a Policy Program

    What I’m describing here really applies to organizations that already have some level of maturity around their policies and standards.

    If policies and standards exist but the overall program isn’t very mature, there are two possible paths. One — have a discussion about whether the organization understands the value and wants to invest in maturing the policy program. Or two — if there’s currently no appetite for that, take an honest look at what’s in place. Evaluate whether those policies actually create value.

    If they don’t, it may make sense to simplify — keep a smaller, more focused set of documents that are actually used and kept up to date.

    The main point is: if you’re going to have policies, do them well. Make sure they achieve their purpose and create value. Because policies that exist but aren’t followed just add overhead, weaken governance, and waste resources.

  • Building an Exercise and Yoga Shed

    It is July, and I wanted to build an Exercise and Yoga shed.

    It is quite relaxing to use my hands and just systematically go through a step-by-step building project.

    Building from wood and nails is definitely something that I consider a stress relief.

  • GRC Overview

    In this post I will write about GRC and how it works.

    While not overly encompassing, it will describe the major GRC components and how they are connected.

    Governance vs Management
