CGRC Week 1 Flashcards
What challenges do businesses face?
Value/Cost
Aligning IT with business requirements
Security
Managing Complexity
Regulatory Compliance
What are security goals and business goals?
Security goals aim to protect data (and the systems that store and process it)
Business goals aim to generate profit
What is Governance, Risk, and Compliance (GRC)?
A set of processes and procedures that help an organization meet its business objectives, address uncertainty, and act with integrity. It aims to protect corporate assets
What is Governance?
Setting the rules (strategies and policies) that ensure IT systems align with the business goals and with how the organization conducts itself.
What is Risk?
Ensuring that the right controls are in place and functioning to identify potential threats and vulnerabilities to the systems, and that measures are in place to mitigate them.
What is Compliance?
Ensures adherence to applicable laws, regulations, standards, and internal policies. This reduces the likelihood of a risk materializing.
What are the steps of compliance?
1) Adapt
- Adapt to different frameworks with ease
2) Audit
- Internal audit: an internal team reviews whether the organization complies with its own security policies
- External audit: performed by an external party (e.g., an independent auditor, vendor, or management from outside the audited unit)
3) Monitor
- Monitoring a system and its security mechanisms for problems, changes, and issues
What are the eight functions of GRC?
1) Organize and oversee (roles and responsibilities)
2) Assess and align (identify, analyze, and optimize risk mitigation)
3) Prevent and promote (code of conduct, policies, preventive controls)
4) Detect and discern (detective controls such as IDS/IPS, surveys, notification)
5) Respond and resolve (internal reviews, third-party investigations, corrective controls, crisis response)
6) Monitor and measure (performance, context, evaluation, improvements, assurance)
7) Inform and integrate (documentation, internal and external communications, technology, and infrastructure)
8) Context and culture (incorporate internal and external business context, culture, values, and objectives)
What is the purpose of laws and regulations?
To strengthen the security of information stored within companies.
Standards and frameworks are used to ensure that security is planned, organized, implemented, tested, and modified so that it meets the requirements of the laws
Which laws/standards apply to finance, healthcare, and credit cards (in that order)?
Sarbanes-Oxley Act (SOX): US law that prevents fraudulent corporate accounting and financial reporting.
HIPAA: US law that protects sensitive health information through its Privacy Rule and Security Rule.
- Privacy Rule: limits the use and disclosure of protected health information (PHI), protects patient privacy, and gives patients the right to access their own medical records.
- Security Rule: national standards (administrative, physical, and technical safeguards) to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI).
PCI DSS: industry standard (not a law) that secures cardholder data and credit card transactions.
What are the local (Singapore) laws/regulations?
Cybersecurity Act 2018: sets requirements for the protection of Critical Information Infrastructure (CII) in essential sectors (e.g., banking, healthcare).
IM8 (Instruction Manual 8): mandatory government IT security compliance standard for public agencies and their vendors.
What are some GRC tools?
1) Archer (commercial tool, originally RSA Archer)
2) Practical Threat Analysis (PTA) (free tool)
3) Open Risk & Compliance Framework and Tool (ORICO) (open source)
4) GLPI (open source IT asset and service management tool)
5) STREAM (by Acuity Risk Management)