Governance, Risk, and Compliance


🎓 What is Security GRC?

The security GRC field covers a lot of ground and includes a wide variety of tasks and responsibilities. Some of them will sound exciting, some will reignite painful memories.

πŸ’‚β€β™‚οΈ Governance

Governance, as the name implies, focuses on how security is managed and overseen. This includes building the security strategy, managing the security programme and ensuring continuous monitoring of its workstreams.

This is also the area responsible for orchestration and metrics for your security programme: the ever-useful dashboard with 15 graphs and thousands of data points belongs to governance. Your policies and procedures are part of governance too, as they shape your vision of security and spell out what is expected from everyone.

Managing stakeholders is also central to governance: maintaining relationships with the different teams, managing upwards and delivering the right level of information to senior executives.

📈 Risk Management

How do I know what the priority for my security programme is? Lock down end-user access or focus on patching? (Probably both, lol.) The only way to make rational decisions about what to do is to perform risk assessments.

Risk is traditionally explained as a function of a threat and a vulnerability. Pretty simplistic (probably false as well) but it gets the job done:

  • A threat is a potential harmful event that could impact your organisation
  • A vulnerability is a known weakness that could be exploited
  • A risk is the combination of the two: the chance that the threat exploits the vulnerability, weighed against the impact if it does (usually written R = T × V, with the impact folded into the result)

A robust risk management programme also includes some quantitative features to make sure senior management and business executives understand the financial costs associated with the identified risks. Nothing has to be too precise or too detailed: numbers in the right ballpark, with evidence of why you chose them, are more than enough.

Risk Management Frameworks (RMF)

A risk management framework describes the vocabulary, tools and techniques for a coherent approach and ensures that all stakeholders are on the same page.

Enterprise frameworks identify any type of risk that could prevent the company from achieving its business objectives, while others focus on information security, cybersecurity and privacy protection.

COSO Enterprise Risk Management

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) helps organisations improve internal control and risk management with its Enterprise Risk Management (ERM) framework (2017) and follow-on guidance such as Compliance Risk Management: Applying the COSO ERM Framework (2020).

Factor Analysis of Information Risk (FAIR)

FAIR is a quantitative model for information security and operational risk. It decomposes risk into loss event frequency and loss magnitude, each estimated as a range rather than a single number.

International Organization for Standardization (ISO)

ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection — Guidance on managing information security risks provides guidelines for managing the information security risks faced by organisations. These guidelines support an Information Security Management System (ISMS) built on ISO/IEC 27001, with ISO/IEC 27002 as the companion catalogue of controls.

A technical committee named ISO/IEC JTC 1/SC 27 focuses on the development of standards for the protection of information and ICT.

ISO 31000 provides a common approach to managing any type of risk faced by organisations. Its guidelines can be customised to any organisation and its context.

The core document of the ISO 31000 family is ISO 31000:2018 Risk management — Guidelines, complemented by companion standards such as IEC 31010 on risk assessment techniques.

A technical committee named ISO/TC 262 focuses on the development of standards in the field of risk management. Visit the Technical Committee’s own website for more information.

NIST

The NIST Risk Management Framework (NIST SP 800-37 Rev. 2) provides a seven-step process (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) that integrates security, privacy and risk management activities into the system development life cycle to meet the requirements of the Federal Information Security Modernization Act (FISMA).

Note that NIST Special Publication 800-53 Revision 5 describes the Security and Privacy Controls for Information Systems and Organizations, and SP 800-53B describes the control baselines (low, moderate, high and privacy) used in the Select step.

Related initiatives

Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)

The OCTAVE method was developed by the Software Engineering Institute (SEI) at Carnegie Mellon University on behalf of the Department of Defense.

Rapid Risk Assessment

The Rapid Risk Assessment (RRA) methodology developed by Mozilla helps formalise risk decisions about a service in a time-boxed session of about 60 minutes.

Threat Assessment and Remediation Analysis (TARA)

Threat Assessment and Remediation Analysis (TARA) is an engineering methodology used to identify and assess cyber vulnerabilities and select countermeasures effective at mitigating those vulnerabilities. TARA is part of a MITRE portfolio of systems security engineering (SSE) practices.

Risk Management Tools & Packages

  • Comply
    • Comply is a SOC2-focused compliance automation tool.
      • Policy Generator: markdown-powered document pipeline for publishing auditor-friendly policy documents
      • Ticketing Integration: automate compliance throughout the year via your existing ticketing system
      • SOC2 Templates: open source policy and procedure templates suitable for satisfying a SOC2 audit

Netflix’s riskquant

riskquant is a Python library for risk quantification. It can be used to do cool things like calculating annualised loss and generating loss exceedance curve charts.

You can use it to assess individual risks, or build automation that runs the calculations and builds charts for every risk where data is available. For example, you can set up a GitHub Action to pull risks from your GRC tool, run the calculations and write the results back into your GRC tool.
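The ballpark-range approach described under Risk Management and the annualised loss and loss exceedance curve that riskquant produces can be shown in a few dozen lines. What follows is an added example written for this page, not code from riskquant, Netflix or the original page: it uses only the standard library, fits a lognormal distribution to a 90% confidence interval for loss magnitude (a common FAIR-style convention, assumed here rather than taken from any specific tool), models event frequency as a Poisson count, and compares the simple single-point product (the R = T × V style ALE = SLE × ARO) with a Monte Carlo distribution of annual loss. The scenario numbers are constructed, not real data.

```python
"""Monte Carlo risk quantification for one loss scenario.

Added example for this page; it is not Netflix's riskquant and does not call it.
Only the standard library is used, so it runs offline. The sample scenario
values are constructed for illustration.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass

# z-score such that +/- Z90 around the mean covers 90% of a normal distribution
Z90 = 1.6448536269514722


@dataclass
class Scenario:
    name: str
    events_per_year: float   # expected loss-event frequency (the ARO in ALE = SLE x ARO)
    magnitude_low: float     # 5th percentile of loss per event, in currency units
    magnitude_high: float    # 95th percentile of loss per event


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Fit a lognormal to a 90% confidence interval; returns (mu, sigma) of the log.

    The median lands on the geometric mean of the bounds and sigma is chosen so
    that 5% of the mass lies below `low` and 5% above `high`.
    """
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def lognormal_median(low: float, high: float) -> float:
    """Median loss per event for the fitted distribution (sqrt(low * high))."""
    mu, _ = lognormal_params(low, high)
    return math.exp(mu)


def single_point_ale(s: Scenario) -> float:
    """Textbook ALE = SLE x ARO, taking the median loss per event as the SLE."""
    return s.events_per_year * lognormal_median(s.magnitude_low, s.magnitude_high)


def poisson(rng: random.Random, lam: float) -> int:
    """Draw an event count from Poisson(lam) using Knuth's method (fine for small rates)."""
    limit = math.exp(-lam)
    count, p = 0, rng.random()
    while p > limit:
        count += 1
        p *= rng.random()
    return count


def simulate_annual_losses(s: Scenario, years: int = 10_000, seed: int = 1) -> list[float]:
    """Simulate independent years: how many events occur and how much each one costs."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(s.magnitude_low, s.magnitude_high)
    losses = []
    for _ in range(years):
        n_events = poisson(rng, s.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def loss_exceedance_curve(losses: list[float], thresholds: list[float]) -> list[tuple[float, float]]:
    """For each threshold, the probability that a year's total loss meets or exceeds it."""
    n = len(losses)
    return [(t, sum(1 for loss in losses if loss >= t) / n) for t in thresholds]


def summarise(losses: list[float]) -> dict[str, float]:
    """Annualised loss expectancy (the mean) plus the percentiles that go on the slide."""
    ordered = sorted(losses)

    def pct(q: float) -> float:
        return ordered[min(int(q * len(ordered)), len(ordered) - 1)]

    return {"ale": sum(ordered) / len(ordered), "p50": pct(0.50), "p90": pct(0.90), "p99": pct(0.99)}


# Constructed sample scenario: one ransomware-style event every two years,
# costing between 10k and 1M per event with 90% confidence.
SAMPLE = Scenario("Ransomware on file servers", 0.5, 10_000, 1_000_000)

if __name__ == "__main__":
    annual = simulate_annual_losses(SAMPLE)
    print(f"{SAMPLE.name}: single-point ALE {single_point_ale(SAMPLE):,.0f}")
    for key, value in summarise(annual).items():
        print(f"  {key:>4}: {value:,.0f}")
    for threshold, prob in loss_exceedance_curve(annual, [0, 1e5, 5e5, 1e6, 5e6]):
        print(f"  P(loss >= {threshold:>10,.0f}) = {prob:.3f}")
```

Run it directly to print the summary and curve points. The single-point ALE (0.5 × 100k = 50k) understates the simulated mean by more than half, because the lognormal tail pulls the mean well above the median; and the median annual loss is zero, because about 61% of years see no event at all. That is why the ALE and the tail percentiles, not the median, are the numbers to put in front of executives.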

🔫 Audit & Compliance

Once you know your direction and what to focus on, how do you know you’re on track? There are two ways:

  • Auditing tells you whether the controls you chose, and the security programme as a whole, are working effectively
  • Compliance is how close you are to a baseline, set either by yourself or by a third-party body (ISO, AICPA, insert acronyms)

Often hated (often for good reasons), audit and compliance folks have to be annoying by nature. They assess how the things you said you would do are actually done in the real world. More often than not, things are either not done as they should be or not done at all. Probably because no one has read the policies you took six months to write!

πŸ™ Frameworks and Regulations

Well… There are a lot. Your organization likely uses some of these, but certainly not all. Executive leadership drives policy at a high level based on business objectives. Certain regulations are mandatory. For instance Sarbanes-Oxley Act (SOX) for US publicly traded companies or General Data Protection Regulation (GDPR) applies to any organisation handling data from EU citizens. This is a non-exhaustive alphabet soup of frameworks and regulations:

  • 🏦 Sarbanes-Oxley Act – SOX
  • πŸ’Ά General Data Protection Regulation – GDPR
  • πŸ’³ Payment Card Industry Data Security Standard – PCI-DSS
  • πŸ₯ Health Insurance Portability and Accountability Act – HIPAA
  • 🏳️ International Organisation for Standardization’s Information Security Management Standard – ISO 27001
  • πŸ’» Systems and Organization Controls for Service Organizations: Trust Services Criteria – SOC2
  • ☁️ Federal Risk and Authorization Management Program – FedRAMP
  • πŸ—½ Federal Information Security Modernization Act – FISMA
  • πŸš” Security and Privacy Controls for Information Systems and Organizations – NIST SP 800-53 Rev. 5
  • πŸ—„οΈ Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations – NIST SP 800-171 Rev. 2
  • πŸ“ NIST Cybersecurity Framework – NIST CSF

Added to that, each country would have specific cybersecurity regulations and standards companies would have to comply with. They could be specific to certain industries (critical infrastructures or financial services) or applicable to every company. As our planet is made of a lot of countries, we won’t list the specifics here and as is often the case, US standards are picked up in most of the world anyway!

📚 Books

Security Risk Management – Evan Wheeler, 2011

  • Often part of reading lists at universities, this is your first stop in security risk management. The book is comprehensive, timeless and accessible
  • Great for reference, it will help you assess and improve your internal risk management programme. Focus on the Action Plans at the end of each chapter for some great takeaways

Measuring and Managing Information Risk – Jack Freund & Jack Jones, 2014

  • The FAIR book itself. Self-explanatory: if you want to know more about risk quantification this is a must-read, and the story in the intro is meme material.

How to Measure Anything in Cybersecurity Risk – Douglas Hubbard & Richard Seiersen, 2016

  • Amazing primer on Cyber Risk Quantification as a whole. Keep these things in mind:
    • Your problem is not as unique as you think
    • You have more data than you think
    • You need less data than you think

Transformational Security Awareness – Perry Carpenter, 2019

  • The best security awareness book ever written. You’ll need it because GRC teams often handle security awareness, and it is a great resource to kickstart your programme
  • Goes through the tools you need to build an effective awareness strategy: marketing, communications, behavioural science, culture management, etc. If advertisers have been successful for the past half century, we probably have something to learn from them!

Foundations of Information Security – Jason Andress, 2019

  • High-level overview of information security, touching on every topic relevant to a practitioner or a newcomer to the field
  • This baseline of knowledge is great for making sure you understand every control in your framework of choice

ISO 27001 controls: A guide to implementing and auditing – Bridget Kenyon, 2019

  • Bridget Kenyon has been involved in the development of the ISO 27001 standards for over a decade, so you should probably listen
  • Goes through every control in Annex A and provides guidance on how to implement and audit them. Useful for building your ISMS, performing internal audits or kickstarting your career as a beloved ISO auditor!

IT Auditing: Using Controls to Protect Information Assets – Mike Kegerreis, Mike Schiller and Chris Davis, 2019

  • IT auditing stems from the increase in regulation that followed the major financial scandals of the early 2000s. The practice is dominated by the Big Four audit firms for obvious reasons, even though major corporations have internal staff dedicated to IT auditing
  • This book is an encyclopaedia that goes through how to audit everything from data centres to networking devices and from web applications to Windows servers
  • Written by industry experts with decades of experience, it will also be useful to GRC folks who need the underlying technical knowledge to verify controls with their teams

A Leader’s Guide to Cybersecurity – Thomas J. Parenty and Jack J. Domet, 2019

  • A great opportunity to understand security as it is written for the business. Down to earth, and it debunks some of the tropes we often repeat, such as security being a “people problem”
  • Follows this structure: The Problems => The Principles => The Responsibilities

Rational Cybersecurity for Business: The Security Leaders’ Guide to Business Alignment – Dan Blum, 2020

  • Another book about security, business and how to align the two. An overview of the most useful controls and how to improve your security posture seamlessly, without impeding productivity

The Cybersecurity Manager’s Guide – Todd Barnum, 2021

  • Probably the best information security book you’ll ever read. Todd has been the CISO of GoPro for six years and has worked in a variety of industries over the last three decades
  • What defines our field:
    • Nobody Really Cares
    • Nobody Understands
    • Fear Drives Our Industry
  • The Four Cornerstones of your Security Program:
    • Documentation
    • Governance
    • Security Architecture
    • Communication, Education and Awareness

📺 Talks/Videos

A great foundational talk for understanding how the different kinds of framework fit into one another:

  • 📗 Control frameworks such as NIST SP 800-53 or the CIS Controls for building your security baseline
  • 📙 Programme frameworks such as ISO 27001 or NIST CSF to standardise an overarching security programme
  • 📘 Risk frameworks such as NIST SP 800-37 or FAIR to identify, measure and quantify risk

I have a full playlist of over 80 videos focused on risk management and cyber risk quantification; I will update it soon, but it already has a lot.

  • This quick live quantitative cyber risk analysis by Evan Wheeler is a great overview of how straightforward a quantitative analysis can be
  • Steve Reznik has numerous talks on how FAIR can help build meaningful KRIs, but this one is a good suggestion.

📞 People you should know

😎 Thought Leaders

📀 Everything written by Ryan McGeehan.

  • His website references over a dozen articles on risk management. Some of them are waaaay over my head
  • His varied experience at Coinbase and Facebook and as a start-up security advisor makes his input super relevant if you’re working at a SaaS company, for example

🏦 Everything written by Phil Venables.

  • His takes on most subjects are worth the read; he has a great analysis of the Compliance vs. Security debate
  • Phil has over 20 years of experience in security leadership at Goldman Sachs and is now the CISO of Google Cloud

🚨 Everything from Adobe’s Tech GRC Team.

  • They’ve been at the forefront of innovation in the field, even building their own Common Controls Framework (CCF). They have produced numerous posts I suggest you have a look at:
  • Managing everyone’s input, role and expectations in the overall security compliance effort can be cumbersome. The Adobe Tech GRC team introduced scalability by creating four major roles mapped to the CCF standard to help achieve GRC in a multi-cloud environment
  • Automating the Common Controls Framework, Part I and Part II. Adobe, as a major SaaS provider, needs a Tech GRC programme that scales accordingly, and these two articles introduce the 4-layer model used to automate security compliance
  • A major feature of their Tech GRC programme is the Strategic Technology Initiatives (STIs). They are the equivalent of DevOps principles applied to technology GRC efforts. A must-read
  • If articles aren’t your thing, check out this podcast with Prabhath Karanth, former leader of Adobe Tech GRC. Great overview of the programme and the STIs

🎫 Everything from Atlassian’s Risk & Compliance Team

  • Working in a cloud-native, agile, DevOps and innovative (insert buzzwords) environment isn’t the most intuitive for a GRC team. Mapping controls and performing audits when speed trumps everything is challenging, to say the least.
  • Guy Herbert wrote a great series based on his talk DevOps vs. Compliance, A Guide to Having it All.
    • Part 1 explains that:
      • Compliance is being able to show that you follow the rules.
      • Risk management is balancing upsides and downsides.
    • Part 2 walks you through what compliance obligations, control objectives and control activities are, and the planning phases to reach compliance automation
    • Part 3 demonstrates with the Atlassian product suite how compliance is embedded into the CI/CD pipeline
    • Part 4 deals with how to sell such a cutting-edge approach to auditors and why agility and compliance CAN live in harmony 🙂

📱 Follow them on LinkedIn

Troy Fine, GRC general knowledge and SOC focus.

AJ Yawn, GRC general knowledge and SOC focus.

Aron Lange, ISO 27001 focus.

Jacob Horne, NIST and CMMC focus.

Ayoub Fandi, GRC general knowledge and cloud-native GRC focus.

:octocat: Repositories

  • Minimalist Risk Management
    • Ryan McGeehan, a founder/advisor for HackerOne, has developed minimalist documentation describing a simple risk management programme.

🎀 Podcasts

The SecureWorld Sessions

  • Cybersecurity weekly podcast series featuring industry thought leaders discussing security solutions, best practices, threat intel, and more.

Cloud Security Podcast

  • Cloud security weekly podcast series featuring industry thought leaders in cloud security from companies like LinkedIn, Netflix, Twilio, Capital One and more, discussing cloud security challenges and how the guests solved them, best practices, the offensive side of cloud security, and more.

Security GRC Podcasts

Security & Compliance Weekly – Hosted by Jeff Man, Scott Lyons and Josh Marpet

  • The name is pretty telling. PCI is often discussed in-depth, useful if you’re responsible for your company’s PCI-DSS program!

Risk, Governance and Cyber Compliance – Hosted by Dr. Bill Souza

  • The last episode dates back to late 2020, but the content is top-notch and his views on risk management are worth a listen.

The GRC Podcast – Hosted by Mark Graziano

  • The goal of this podcast is to shine a light on GRC security champions and showcase what a dynamic security discipline GRC is.

Security GRC Episodes

Getting Over Our “Security ≠ Compliance” Obsession – CISO-Security Vendor Relationship Podcast – Featuring David Spark, Mike Johnson and special guest Chris Hymes (Head of Infosec, Riot Games)

Is Governance the Most Important Part of GRC? – Defense in Depth Podcast – Featuring David Spark, Allan Alford and special guest Mustapha Kebbeh (CISO, Brinks)

Should Risk Lead GRC? – Defense in Depth Podcast – Featuring David Spark, Allan Alford and special guest Marnie Wilking (Head of Security and Technology Risk Management, Wayfair)

IT Governance – CISO Tradecraft Podcast – Featuring G Mark Hardy and Ross Young

Cyber Frameworks – CISO Tradecraft Podcast – Featuring G Mark Hardy and Ross Young

📜 Certifications

Probably the only resource you’ll need for certifications. Paul Jerimy has done an incredible job with input from lots of practitioners and experts in InfoSec. If one certification had to be mentioned, it would be the CISSP, for obvious reasons (💲💲💲).

πŸ“ The Knowledge Trifecta

We are offered jobs but we have a career. We’re the only one accountable for our career path and the best way to make the best of this is to continuously learn.

This section might seem out of place for a content curation repository but I’m passionate about this, sorry.

Security is a very young field and ours is even younger. Career pathways are still developing and no one actually knows the sure way to a GRC leadership role or a CISO position.

The only thing that’s certain is that this is the best thing that could happen to us. We can build our own paths, and the only way we do this is through learning. Our field is about understanding, managing and translating. We understand the technical, manage security projects and translate business requirements into security terms (and back again).

If you’re a jack-of-all-trades, love learning new things, being inquisitive but always having the business goals in mind, then it’s the field for you. If you’re not, it’s probably the field for you anyway or you wouldn’t be here!

💾 The Technical

Understanding the technical landscape.

How do we know GRC is being done at all? It is measured! Put simply, businesses collect and measure data to make decisions. GRC broadly ensures that the decision makers’ appetite for risk is being respected.

Measurement can occur in many ways, though primarily GRC is concerned with audit.

πŸ” The Security

Understanding the security measures.

💼 The Business

Understanding the business language.

Business can be empowered by a strong, comprehensive and adaptive GRC foundation. GRC largely exists to support business objectives and the corresponding requirements, legal or otherwise.

Some regulations are compulsory to conduct business within a geographic area, such as Sarbanes-Oxley (SOX) for publicly traded US companies, while some requirements are set within an industry without governmental oversight (see the Payment Card Industry Data Security Standard, PCI DSS).