27. GRC - Governance, Risk Mgmt, Compliance

Question 1

GRC - Governance, Risk Mgmt, Compliance

Governance

Answer 1

IT goals and processes align with business objectives

• Making sure leadership, processes, structures allow this to happen
• Security investments should meet the business needs
• Ensure we have enough resources to meet the needs
  1. Human resource
  2. Financial resource
  3. Technological resource
• Monitoring - how well is program performing against its objectives

Question 2

GRC - Governance, Risk Mgmt, Compliance

Risk Management

Answer 2

Process of identifying, assessing and responding to risks
1. Identification
2. Assessment
3. Risk Response
4. Control monitoring and reporting

• Identification
• Assessment
• Risk Response
• Control and monitoring

Question 3

GRC - Governance, Risk Mgmt, Compliance

Compliance

Answer 3

Conforming with stated requirement
1. Laws and regulations
2. Auditing and monitoring
3. Ehtids and privacy

Question 4

GRC - Governance, Risk Mgmt, Compliance

Governance:
Objectives

Answer 4

Performance program

• Monitoring how well the program is performing against its objectives
• KPI - Key Performance Indicator
• KRI - Key Risk Indicator

Question 5

GRC - Governance, Risk Mgmt, Compliance

Governance:
Value Delivery

Answer 5

Value Delivery

• Finding right balance between security requirements and the business needs

Question 6

GRC - Governance, Risk Mgmt, Compliance

Risk Managment:
Identification

Answer 6

To have a risk;
1. Need the vulnerability
2. Need to have the threat

Question 7

GRC - Governance, Risk Mgmt, Compliance

Risk Management:
Assessment

Answer 7

Analyse likelihood and potential impact
1. Qualative
2. Quantative

• Qualative risk assessments

Question 8

GRC - Governance, Risk Mgmt, Compliance

Risk Assessment:
Qualitive

Answer 8

Based on feeling;

“I think this is low probability and its probably high impact”

Question 9

GRC - Governance, Risk Mgmt, Compliance

Risk Management:
Quantitive risk analysis

Answer 9

Conducted on the risks deemed high enough risk

“apply numbers to the feelings - this is the likely cost of this happening”

• Quantative risk analysis - numbers i.e. financials

Question 10

GRC - Governance, Risk Mgmt, Compliance

Risk Response

Answer 10

1. Acceptance
2. Avoidance
3. Mitigation
4. Transference

• Risk rejection - never ok! Do not just ignore the risk

Question 11

GRC - Governance, Risk Mgmt, Compliance

Risk Response:
Acceptance

Answer 11

We know risk is there, have done our due dilligence
Accepting risk makes more financial sense than mitigating it

Question 12

GRC - Governance, Risk Mgmt, Compliance

Risk Response:
Avoidance

Answer 12

Stop doing whatever is putting us at risk

Question 13

GRC - Governance, Risk Mgmt, Compliance

Risk Response:
Mitigation

Answer 13

Put something in place that mitigates part of the risk
Reduce the risk level to an acceptable level

• Accept whatever is left over from the mitigating controls
• Risk left over is residual risk

Question 14

GRC - Governance, Risk Mgmt, Compliance

Risk Response:
Transference

Answer 14

Getting insurance against the identified risk
i.e. insurance for the data center flooding

• going into partnership with someone means that they own 50% of the risk

Question 15

GRC - Governance, Risk Mgmt, Compliance

Risk Management:
Control Monitoring and Reporting

Answer 15

Esnuring that controls function as they should and no new risks are emerging that require mitigation

Question 16

GRC - Governance, Risk Mgmt, Compliance

Compliance:
Laws and regulations

Answer 16

1. If your industry has to be compliant, ensuring that the business is in compliance
2. Ensure what you do is inline with your internal policies, standards and procedures

Question 17

GRC - Governance, Risk Mgmt, Compliance

Compliance:
Auditing and monitoring

Answer 17

On a regular schedule confirm that the business is compliant over time

• Internal audits - done by ourselves
• External audits - outside company

Question 18

GRC - Governance, Risk Mgmt, Compliance

Compliance:
Ethics and Privacy

Answer 18

Inside the organisation, need to promote ethical behaviour

• Ethical behaviour needs to be part of organisations compliance program

Question 19

GRC - Governance, Risk Mgmt, Compliance

Governance:
Overall strategy

Answer 19

1. Direction of the organisation
2. Defines the risk appetite
3. Establishes the business ethical, legal and procedural guidelines

• risk appetite - level of risk the organisation is willing to accept
• Risk appetite will guide the risk management process
• Lack of governenace means there is lack of direction, so security program cannot be effective

Question 20

GRC - Governance, Risk Mgmt, Compliance

Risk Management:
Strategy

Answer 20

Aligns with the risk appetite defined in governance

• If business has low appetite for risk, likely to implement much stronger controls to mitigate risk
• With no risk strategy, the business could be open to risks and security team will not prioritize the right initiatives
• May mitigate things that are not a problem whilst leaving critical services wide open

Question 21

GRC - Governance, Risk Mgmt, Compliance

Compliance:
Strategy

Answer 21

Ethical, legal and porcedural guidelines are establish by governance
Compliance requirements are used in creation of policies and procedures

• For example, if the business wants a secure cloud environment, you will write procedures that ensure a secure configuration it used on deployment
• Financial losses and penalties

Question 22

GRC - Governance, Risk Mgmt, Compliance

Risk Management & Compliance

Answer 22

Risk management focues on the threats and vulnerabilities
Compliance focuses on what can cause us to be non compliant

• Understanding how you will not be compliant with a law or regulation feeds into the risk assessment where there will be a lower “low” tolerance to accept risk and risk will be higher