
What is it?

A combination of three approaches that organizations use to demonstrate compliance with international standards, global rules, laws, and state regulations. Referred to as IT GRC when a company uses information technology (IT) to apply GRC.

Why is it important?

Governance, risk management, compliance (GRC) is often implemented by companies that are growing globally to maintain consistent policies, processes, and procedures across all parts of the organization. It is important for business professionals to understand and follow the internal information security rules, company risk factors, and industry requirements that drive the implementation of GRC in order to ensure that the company as a whole remains compliant.

Why does a business professional need to know this?

For companies to provide quality products or services, grow, and achieve success, they need an efficient vision, correct guidelines, internal controls, and mature operations.

Compliance is central to this effort, because companies must adhere to international standards, requirements, and certifications to succeed. Compliance is a combination of internal processes that ensure that all operational procedures follow guidelines and specifications from industry regulations, local laws, and information security best practices.

Business professionals should consider incorporating innovative solutions and technologies designed to protect intellectual property (content) and personally-identifiable or sensitive personal information (data) from the prying eyes of competitors, disgruntled employees, and mischievous pranksters. However, introducing new technologies introduces risk. Digitally-savvy organizations adopt risk management best practices to reduce potential negative impacts from these cybersecurity efforts.

Risk management is the discovery, evaluation, and prioritization of business risks. Risk management activities involve determining, minimizing, and controlling the probability or impact of unfortunate events. Risk managers work to help organizations develop rules, adopt controls, and take steps designed to both protect information assets and eliminate cybersecurity vulnerabilities. Risk managers also develop response plans and proactive protection strategies focused on limiting the impact of cyberattacks.

Risk management and compliance efforts must be aligned to address these needs, which leads companies to adopt governance. Governance refers to a set of policies, processes, and procedures that define how a company ensures that critical systems and sensitive information are kept secure, confidential, and available.

About Flavio Valenzuela


Flavio Valenzuela has broad experience in finance, telecommunications, information security, and international markets in Latin America and the Caribbean. He has bachelor’s degrees in letters/science from De La Salle (HS) and in business administration from Pontificia Universidad Católica Madre y Maestra (PUCMM) and a master’s degree in economics from PUCMM. His certifications include Payment Card Industry Professional (PCIP) and Certified Information System Security Professional (CISSP).

Term: Governance, Risk Management, Compliance (GRC)

Email: flaviovalenzuela@gmail.com

Website: darasecurity.com

LinkedIn: linkedin.com/in/flavio-valenzuela-64261843

Facebook: facebook.com/flavio.valenzuela.7

What is it?

The act or process of making a network, data repository, sensor, computer system, software, or other equipment resistant to unauthorized access or damage.

Why is it important?

Unauthorized access is one of the primary catalysts for operational, financial, strategic, legal, and other damage to an organization. These breaches also increase the risk of harm to third parties, including customers, patients, and other stakeholders. Hardening hardware, software, and data systems is a key risk mitigation strategy.

Why does a business professional need to know this?

Hardening is necessary when there is a mission-critical need to:

  • Protect information, content, or application data such as health records, credit card information, intellectual property, or location information
  • Ensure continuous availability and reliable performance of facilities such as electric grids, factories, or data centers
  • Safeguard hardware and other resources, such as computer servers, passenger vehicles, building sensor networks, or point-of-sale systems

Hardening is an ongoing, never-ending process that business professionals must understand and support. Frequently, the value of hardening -- and the need to invest in workforce development and processes -- is not apparent until a high-profile failure occurs.

A recent galvanizing event was the loss of credit card information for 40 million Target customers during the 2013 Christmas season (Radichel 2014). This breach resulted in a 46% drop in profits for that quarter, a CEO exit, and nearly $150 million in settlements. The vulnerabilities exposed included significant failures in hardening networking and other equipment found in most businesses.

In 2016, a Distributed Denial-of-Service (DDoS) attack left Twitter and Reddit inaccessible for many US web users (Meyer 2016). Similar questions about the amount of hardening applied to in-flight entertainment systems were raised in 2015, when a cybersecurity researcher was accused of unauthorized access to flight systems and issuing a command to one of the airplane engines that resulted in a change of flight movement (APTN News 2015).

Security industry analysis indicates that crisis planning and the application of lessons learned from a breach can minimize losses. Effective teams should be multi-disciplinary to ensure deep subject-matter expertise and capabilities. Funding for these teams should be available from product/service conception to end of life, because hardening approaches can differ at each point in the lifecycle.

Security culture has developed a number of ways to share lessons learned and build practical expertise in identifying and fixing vulnerabilities across a wide array of equipment and software. Investing in continued learning, such as conferences and certification, empowers cybersecurity teams to plan for, prepare for, and address the ever-shifting threat landscape.

References

About Linda Maepa


Linda Maepa brings several decades of information systems, cybersecurity, and systems science experience to the energy sector. She currently leads an energy and transportation advisory and project development firm. She is an active advisor to academia, government, and industry worldwide regarding energy and economic security, energy sector cyber-physical security, risk management, energy storage, and project finance. She holds a BS degree from the California Institute of Technology (Caltech) and is currently writing the first book in the Cyber-physical Security and Battery System Design series.

Term: Hardening

Email: linda@electroferocious.com

Website: electroferocious.com

LinkedIn: linkedin.com/in/lmaepa

The Language of Cybersecurity has received a 2018 STC Touchstone award for excellence from the Northern California Chapters of the Society for Technical Communication.

The citation for this honor highlights the usefulness of the references, the crispness of the writing, and the consistency of its format.

Congratulations to editor Tonie Flores and the 60+ industry experts who contributed to this book.


What is it?

The practice of isolating malware, or software that is suspected to contain malware, within a contained or quarantined environment to observe and study its communications, infection vectors, and other behavioral heuristics.

Why is it important?

Sandboxing allows security researchers to investigate malware execution, heuristics, and communications within an isolated environment and aids in the development of indicators of compromise (IOC) and anti-malware signatures.
