Category: GRC Platform Development

  • Building Custom Fields in a GRC Platform — Challenges and Solutions

    One thing I underestimated when I first started building my GRC platform was the amount of flexibility people want when it comes to metadata. Everyone asks for “just a couple of extra fields,” and before you know it, you’re knee-deep in requirements around conditional logic, multi-model support, imports, exports, surveys, reporting, and tenant isolation.

    Custom fields seem simple until you actually start designing them for a multi-tenant GRC environment. That’s when the fun begins.

    Here are the real challenges I hit, and the approach that finally worked.

    (more…)
  • Creating Risk Management objects

    For “Simple GRC” I’ve defined Libraries, Library Objects and Requirements. These records provide a simple, logical structure for all GRC objects. This is outlined in my other post, Building the Foundations: Libraries, Objects, and Requirements in Simple GRC.

    Example: the structure “Authority -> NIST CSF -> Asset Management -> Physical devices and systems within the organization are inventoried” would be easy to implement. The same hierarchy can also be used for risks, controls, etc.

    Now I need to define the Risk Management structure, where I can set up Risk Management activities such as assessments, issues, etc., and connect those specific activities to Libraries.

    This part is a work in progress.

    (more…)
  • Building the Foundations: Libraries, Objects, and Requirements in Simple GRC

    Over the past few weeks, I’ve been shaping the core structure behind Simple GRC — specifically how all the governance, risk, and compliance content connects together.
    I wanted something clean, logical, and scalable. GRC data tends to get messy fast — one framework references another, controls overlap, requirements duplicate, and every “simple mapping” turns into a web of dependencies.

    To handle that without losing my mind, I built a model centered around Libraries, Objects, and Requirements.
    It sounds simple (and that’s the point), but there’s quite a bit going on under the hood.

    (more…)
  • Comments module design and specifications

    When you’re building out a GRC platform, you eventually hit that moment where “leaving notes” isn’t enough. Records, requirements, risks—everything ends up needing proper conversation around it. And that conversation has to live with the object, not in someone’s inbox or a random Slack thread. After ignoring this part for way too long, I finally decided to build a proper comments module that feels native to the way the rest of the platform works.

    (more…)
  • Mappings(Relations) Functionality for GRC Platform

    GRC platforms are designed to allow relations between various GRC objects. Controls might be linked to assets, risks, organizations, Authorities, etc.

    To manage mappings efficiently, the Mappings functionality must be both readily available and user friendly. Mappings should not only be reachable from within an object, but should be implemented as a dedicated mappings layer, where any object can be quickly selected and mapped to any other object.

    (more…)
  • RACI – common GRC functionality

    RACI shall be embedded into each GRC object. Any control, risk, asset, etc. should have a RACI assignment associated with it.

    (more…)
  • GRC Platform User Management

    User management is part of any system, but implementing it well is vital: it needs to align with the platform’s capabilities and integrate with the Roles, Permissions and Groups capabilities.

    (more…)
  • Glossary – module

    This module will provide a centrally managed glossary that anyone can use; each term can be defined differently by different groups (variations).

    (more…)
  • Data Classifications and Attributes – Module

    Functionality 

    • Display classifications and definitions
      • Restricted
      • Confidential
      • Internal
      • Public
    (more…)
  • Entity Relationship Diagram (ER)

    The complex GRC structure demands a correspondingly complex relational database, and in some cases requires replicating data so that specific aggregations can be stored.

    While the ER diagram is still in development and will change, the overall structure is beginning to emerge.

    (more…)
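    The Libraries -> Library Objects -> Requirements hierarchy from “Creating Risk Management objects”, the generic mappings layer from “Mappings(Relations) Functionality for GRC Platform”, and the relational structure sketched in this ER post can all be illustrated with one small schema. The following is an added example and not Simple GRC’s own code or ER diagram: it uses Python’s standard-library sqlite3, and every table, column and sample record (two tenants, a NIST CSF library, a risk and a control) is an assumption constructed for the illustration. It goes slightly beyond the page’s one-level example by resolving the object tree with a recursive CTE, so paths of any depth render the same way, and it adds the tenant-ownership check that a multi-tenant mappings layer needs so that one tenant cannot link its records to another tenant’s.

```python
import sqlite3

# Added example, not Simple GRC's own schema: all table/column names are assumptions.
SCHEMA = """
CREATE TABLE tenants (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
-- A Library is the top-level container: kind = Authority/Risk/Control..., name = e.g. 'NIST CSF'
CREATE TABLE libraries (id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL REFERENCES tenants(id),
    kind TEXT NOT NULL, name TEXT NOT NULL);
-- Library Objects form a tree through parent_id (category -> subcategory ...)
CREATE TABLE library_objects (id INTEGER PRIMARY KEY, library_id INTEGER NOT NULL REFERENCES libraries(id),
    parent_id INTEGER REFERENCES library_objects(id), name TEXT NOT NULL);
-- Requirements are the leaf statements other objects get mapped to
CREATE TABLE requirements (id INTEGER PRIMARY KEY, object_id INTEGER NOT NULL REFERENCES library_objects(id),
    text TEXT NOT NULL);
-- Risks, controls, assets ...; one table keyed by kind keeps the illustration short
CREATE TABLE grc_objects (id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL REFERENCES tenants(id),
    kind TEXT NOT NULL, name TEXT NOT NULL);
-- The mappings layer: any object linked to any other object, always scoped to one tenant
CREATE TABLE mappings (id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL REFERENCES tenants(id),
    source_kind TEXT NOT NULL, source_id INTEGER NOT NULL,
    target_kind TEXT NOT NULL, target_id INTEGER NOT NULL,
    UNIQUE (tenant_id, source_kind, source_id, target_kind, target_id));
"""

def build_sample():
    """In-memory database with constructed sample data for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tenants VALUES (?, ?)", [(1, "Acme"), (2, "Globex")])
    # Tenant 1 gets the page's example: Authority -> NIST CSF -> Asset Management -> requirement
    conn.execute("INSERT INTO libraries VALUES (1, 1, 'Authority', 'NIST CSF')")
    conn.execute("INSERT INTO library_objects VALUES (1, 1, NULL, 'Asset Management')")
    conn.execute("INSERT INTO requirements VALUES (1, 1, "
                 "'Physical devices and systems within the organization are inventoried')")
    conn.executemany("INSERT INTO grc_objects VALUES (?, ?, ?, ?)", [
        (10, 1, "risk", "Unknown devices on the network"),
        (11, 1, "control", "Hardware asset inventory"),
        (20, 2, "risk", "Globex-only risk"),  # owned by the other tenant
    ])
    conn.commit()
    return conn

def requirement_path(conn, requirement_id):
    """'Library kind -> Library -> Object ... -> Requirement'; the recursive CTE handles any depth."""
    row = conn.execute("SELECT text, object_id FROM requirements WHERE id = ?",
                       (requirement_id,)).fetchone()
    if row is None:
        raise KeyError(f"requirement {requirement_id}")
    text, object_id = row
    chain = conn.execute("""
        WITH RECURSIVE up(id, parent_id, name, library_id, depth) AS (
            SELECT id, parent_id, name, library_id, 0 FROM library_objects WHERE id = ?
            UNION ALL
            SELECT o.id, o.parent_id, o.name, o.library_id, up.depth + 1
              FROM library_objects o JOIN up ON o.id = up.parent_id)
        SELECT name, library_id FROM up ORDER BY depth DESC""", (object_id,)).fetchall()
    kind, library = conn.execute("SELECT kind, name FROM libraries WHERE id = ?",
                                 (chain[0][1],)).fetchone()
    return " -> ".join([kind, library, *(name for name, _ in chain), text])

def owner_tenant(conn, kind, object_id):
    """Tenant that owns (kind, id), or None if no such object exists."""
    if kind == "requirement":
        sql = ("SELECT l.tenant_id FROM requirements r "
               "JOIN library_objects o ON o.id = r.object_id "
               "JOIN libraries l ON l.id = o.library_id WHERE r.id = ?")
        params = (object_id,)
    else:
        sql = "SELECT tenant_id FROM grc_objects WHERE id = ? AND kind = ?"
        params = (object_id, kind)
    row = conn.execute(sql, params).fetchone()
    return row[0] if row else None

def add_mapping(conn, tenant_id, source, target):
    """Link source=(kind, id) to target=(kind, id). The ownership check on both
    ends is what stops one tenant from mapping to another tenant's records."""
    for kind, oid in (source, target):
        if owner_tenant(conn, kind, oid) != tenant_id:
            raise ValueError(f"{kind}:{oid} is not owned by tenant {tenant_id}")
    conn.execute("INSERT INTO mappings (tenant_id, source_kind, source_id, target_kind, target_id) "
                 "VALUES (?, ?, ?, ?, ?)", (tenant_id, *source, *target))
    conn.commit()

def related(conn, tenant_id, kind, object_id):
    """All (kind, id) pairs mapped to or from one object, scoped to one tenant."""
    rows = conn.execute("""
        SELECT target_kind, target_id FROM mappings
         WHERE tenant_id = ? AND source_kind = ? AND source_id = ?
        UNION
        SELECT source_kind, source_id FROM mappings
         WHERE tenant_id = ? AND target_kind = ? AND target_id = ?""",
        (tenant_id, kind, object_id) * 2).fetchall()
    return sorted(rows)
```

    Usage: `db = build_sample()`, then `add_mapping(db, 1, ("risk", 10), ("requirement", 1))` links tenant 1’s risk to the NIST CSF requirement, `requirement_path(db, 1)` renders the “Authority -> NIST CSF -> Asset Management -> …” string, and `related(db, 1, "risk", 10)` lists everything mapped to or from that risk. Trying `add_mapping(db, 1, ("risk", 10), ("risk", 20))` raises ValueError because risk 20 belongs to tenant 2; in a real platform that check belongs in the database layer too (a tenant column on every table plus a composite foreign key, or row-level security), not only in application code.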