Category: Topic of GRC

  • Data Classification and Handling

    Classifying data and applying proper handling is an important but somewhat complex task. On one hand, we have governance, which might be vague at best; on the other hand, we have operational teams trying to implement comprehensive handling mechanisms. In the middle, we have compliance reporting carried out by various teams trying to put everything together.

  • Risk Calculations, Probability x Impact

    We often hear that in order to calculate the risk posture, we have to use probability times impact. But what does it mean in the real world?

    I will try to structure the response.

  • Thoughts on Key Risk Indicators (KRI)

    I’ve seen many instances where KRIs live a life of their own. Often, the KRIs being showcased to the board are very operational, like the number of DDoS attacks. While presenting such a KRI is not bad in itself, there should be a value that drives the demonstration. What is a KRI, where do KRIs live, what do they need to show, and who needs to see them, and when?

  • Align with NIST CSF – what it means and how to do it

    Some thoughts on NIST CSF (Cyber Security Framework) alignment.

    What isn’t it?

    It is not a final solution. It is not a controls framework.

    What is CSF?
    It is a framework — strategic foundation or governance catalyst — a starting point that helps an organization structure its cybersecurity governance, risk management, and control implementation. You take the Framework and tailor it to your System.

  • Building a Policy Program

    What I’m describing here really applies to organizations that already have some level of maturity around their policies and standards.

    If policies and standards exist but the overall program isn’t very mature, there are two possible paths. One — have a discussion about whether the organization understands the value and wants to invest in maturing the policy program. Or two — if there’s currently no appetite for that, take an honest look at what’s in place. Evaluate whether those policies actually create value.

    If they don’t, it may make sense to simplify — keep a smaller, more focused set of documents that are actually used and kept up to date.

    The main point is: if you’re going to have policies, do them well. Make sure they achieve their purpose and create value. Because policies that exist but aren’t followed just add overhead, weaken governance, and waste resources.

  • GRC Overview

    In this post I will write about GRC and how it works.

    While not all-encompassing, it will describe the major GRC components and how they are connected.

    Governance vs Management
