
Strong Security Governance through Integration and Automation: A Practical Guide to Building an Integrated GRC Framework for Your Organization
- Length: 240 pages
- Edition: 1
- Language: English
- Publisher: Auerbach Publications
- Publication Date: 2021-12-20
- ISBN-10: 0367862778
- ISBN-13: 9780367862770
This book provides step-by-step directions for organizations to adopt a security- and compliance-related architecture that satisfies the mandatory legal provisions and standards prescribed for their industry, together with a methodology for maintaining that compliance. It sets out a unique mechanism for monitoring controls and a dashboard for tracking the level of compliance. It aims at integration and automation to reduce the fatigue of frequent compliance audits and to build a standard baseline of controls that satisfies the applicable standards and regulations to which the organization is subject. It is a reference book for professionals in the field of IT governance, risk management, and compliance. The book also illustrates the concepts with charts, checklists, and flow diagrams to help management map controls to compliance requirements.
Table of contents:
- Front matter: Cover; Half Title; Title Page; Copyright; Dedication; Contents; Preface
- 1 Business Impact of Emerging Technologies and Trends: Introduction; Artificial Intelligence; Augmented Reality; Blockchain Technology; Drones; Applying for a Drone License for Commercial Use; Internet of Things; Robotics; 3D Printing; Virtual Reality; Change in the Way Business Is Done; Some Prevalent Types of Computing; Risks Surrounding Business and Technology Connected to Them; Need for Compliance; Use of Tools to Ease the Compliance Process; Building a Compliance Framework; Conclusion
- 2 Challenges and Roadblocks to Compliance: The Pain Points in GRC; NIST Cybersecurity Framework; Compliance Can Be Attested or Assurance Function; Challenges to Address Security Governance in the Organization; To Combat Incidence of Security Breaches; Existence of Skill Gaps; Challenge of Connected Devices; Changing Face of Technology; Data Governance; Data Governance Serves to Overcome the Following Obstacles; Delay in Submission of Compliance Reports; Avoids Breach of Data Integrity by Secure Access; Removes the Fear of Wrong Comprehension of Data and Data Subjects; Allows Better Centralized Control Over Compliance and Other Data; Data Governance Brings Autonomy and Reduces the Dependence on Individual Employees; Size of Data; Existence of Legacy Data; Regulatory Requirements of Business Continuity; Challenges in Cloud Computing; Challenges with Cloud Services; Security Issues; Cost Management and Containment; Lack of Resources or Expertise; Governance/Control; Compliance; Managing Multiple Clouds; Performance; Segmented Usage and Adoption; Migration; Compliance Issues for Specific Industries; Challenges in Healthcare Industry; Healthcare’s Attack Surface Is Growing; Use of Old Hardware and Software; Healthcare Gives Low Priority to Cybersecurity Risks; Healthcare Is Interconnected; Stolen Healthcare Data Is Valuable; Patients Are Given Access Rights to Medical Data; Limited Budget for Cybersecurity; Lack of Cybersecurity Education; Healthcare Industry to Comply with GDPR; Change in Legal and Regulatory Provisions; There Is No Accountability for Cybersecurity; HITRUST; Compliance Challenges for Banking and Financial Services; Acute Competition; Increase in Breaches; Changing Business Models; Addressing Issues of Making a ‘Global Footprint’; Adapting to Rapid Changes; Technology Challenge; Supervisory Pressure; Use of Mobile Banking Applications; Some Banking-Related Compliances; SOX Compliance and Data Security; Top Compliance Challenges Facing Logistics Industry; Third-Party Service Providers; Challenges in Implementation of GDPR; Keeping Abreast of Changes; Maintaining Accountability and Transparency in Operations; Complex Technology That Is Constantly Being Added to the Suite; Lack of Awareness, Education, and Cultural Barriers; Ensuring Third-Party Compliance; Data Breaches and Cyberattacks; Build Strong and Adaptable Foundations; Conduct Due Diligence on Third-Party Service Providers; Embed a Security- and Compliance-Aware Business Culture; Obtaining Right Skill Sets for Technology; Make Security and Data Protection a Priority; Monitoring and Reporting; Need for a Well-Drafted Compliance Plan; ePrivacy Regulation; Security Policy Implementation; Employees Are Assets but Sometimes Pose a Challenge; Conclusion; Coming Next . . .
- 3 Adopting an Integrated Approach: PDCA Approach to Building Organizational Framework; Categories of Compliance; Weaving Compliance into the Organizational Setup; Appointment of a Compliance Officer; Understanding Organizational Processes and Structure; Compliance Analytics for Identifying and Validating Compliance Requirements; Conducting Compliance Risk Assessment; Compliance Analytics Is an Ongoing Program; Choosing and Tailoring an Appropriate GRC Framework; Steps in Building a GRC Framework; Stakeholder Participation in GRC Strategy; Building a Hybrid Security Framework; Finding a Right Fit; Components of GRC Framework; Information Security Governance Framework; Cybersecurity Framework, a Part of Security Governance; Other Frameworks; Risk Governance/Framework; Risk Identification; Risk Monitoring and Reporting; Risk Governance; Common Risk Frameworks; Risk IT Framework (ISACA); IRGC Risk Framework; Formulating an Integrated Compliance Framework; Compliance Programs; Automation for Better Compliance; Compliance Requirements of Partner Organization and Due Diligence during Contract Signing; Compliance Training; Compliance Audit; Follow-Up Action by Management; Conclusion; Going Further . . .
- 4 Compliance Frameworks – Possible Solutions: IT Governance; Compliance Standards and Guidelines; IT Governance Frameworks; COSO (Committee of Sponsoring Organizations); COBIT (Control Objectives for Information Technology); ITIL; Sarbanes–Oxley Compliance; ISO/IEC 38500; Strengths; Constraints; Advantages of ISO/IEC 38500 – IT Governance; Risk Frameworks; ISO 31000:2009, Risk Management; IEC 31010, Risk Management; FAIR (Factor Analysis of Information Risk); The International Risk Governance Council (IRGC); Enterprise Risk Management (ERM); NIST Cybersecurity Framework; Octave; CIS Critical Security Controls; Regulatory Compliance; Global Data Protection Regulation (GDPR); HITRUST; HIPAA; Industry-Specific Standards; PCI DSS (Payment Card Industry Data Security Standard); Building a Hybrid Security Framework; Types of SOC Reports; Security; Availability; Processing Integrity; Confidentiality; Privacy; Certification Readiness; Points of Focus in an SOC 2 Audit; Annexure A; Annexure B; Annexure C; Annexure D
- 5 Adoption of a Customized Approach to Compliance: Setting Right Business Imperatives; Need for an Integrated Compliance Framework; Mapping of Key Controls; Planning an Integrated Framework Befitting the Business and Scale of Operations; In Building the Business Case, the Following Factors Have to Be Considered; Why Compliance Standards Exist?; Options for Building a GRC Framework; Components of GRC Framework; Some Existing GRC Structures; The Three Lines of Defense Model for Management Oversight; The First Line of Defense (Functions that Own and Manage Risks); The Second Line of Defense (Stands for Functions that Specialize in the Compliance and/or Management of Risk); The Third Line of Defense (Independent Assurance); Integrated Cybersecurity Governance Model; Integrated Management System (or IMS); How to Define a Compliance Framework for the Organization; Determining Costs of Compliance; Key Capabilities of a GRC Framework; Compliance Capabilities Desired by Organizations; Purpose of a Compliance Program; How to Build an Integrated Framework for Compliance; Considerations at the Time of Initiating an Integrated Compliance Program; Key Assumptions in Implementing an Effective GRC Program Consists of; How to Stitch Multiple Controls Together for Overlapping Controls; Control Sheets for Various Standards; Implementing an Integration of Two or More Frameworks; Metrics to Be Set to Measure Performance; Reducing the Risk of Noncompliance; Critical Success Factors in Implementing an Integrated Compliance Program; Benefits of a Single Integrated Framework for Compliance; Internal Audit; Standardizing Audit Questions; IT Audit and Compliance; Conclusion
- 6 Activities/Phases for Achieving Integrated Compliance: Illustration I; Forming a Comprehensive Baseline of Controls; Illustration 2; Conclusion; Annexure A
- 7 Designing an Operating Model for Risk and Compliance Aligned with the Business Model: GRC Drivers; OCEG Model; KPMG’s GRC Target Operating Model (TOM); The Three Lines Model for GRC; GRC Model for Banks; Evolution of Virtual Banking Model; Monitoring and Control Model; Validation; Components of Validation; GRC Metrics and Measurements; Data Integrity Model; Control Practices
- 8 Next Steps – Through Automation: Need for an Integrated GRC Platform; Process of Integrating GRC Function; Working on a GRC Strategy for Transformation; Good to Keep a Suggestion Box; Commonality of Purpose Is Important; Creating a Strategic GRC Plan; Features of GRC Platforms; Criteria for Choice of GRC Application: 1. It Should Be User-Friendly, 2. Support Mobile Devices, 3. Support Cloud Application, 4. Security, 5. Cost, 6. Vendor Support, 7. Automation; Identifying a Business-Ready GRC Solution; MIS Reporting: 1. LogicManager, 2. SAP’s GRC Offering, 3. MetricStream GRC Platform, 4. ServiceNow, 5. The Cura Software GRC Management Platform, 6. OneTrust; Speed of Digital Transformation; Three Principles for Organizational Redesign; Data Analytics; Compliance Analytics Techniques; ISO 19600 – A Certification for GRC; Governance Risk and Compliance Certification; Conclusion; Annexure A
- Back matter: Case Study 1; Case Study 2; Case Study 3; Case Study 4; Case Study 5; Index