A well-rounded GRC framework facilitates the formulation and sustained management of information security risks.
At Infradata we understand that all security requirements stem from a need to manage risk. Risk drives and shapes all business activity.
If we compare corporate IT security to securing your home, we should ask ourselves: why is it that we close our doors and windows when we leave? Why do we invest in high fences, intruder detection lighting, burglar alarms, safes, panic rooms?
All of these are defensive measures that can be deployed to help control risk: the risk of burglary, theft, kidnap and so on. As these crime types increased, perhaps due to other causation factors, the need arose to invent solutions that would reduce the likelihood of the crime occurring and the impact it may have if it does occur.
Closed doors and windows are like putting in place a firewall or Intrusion Prevention solution at the perimeter of your network. Intruder alarms and lights could be likened to Endpoint Detection and Response or Intrusion Detection Systems. Safes or panic rooms could be akin to encryption or Identity and Access Management solutions. Again, all of these solutions exist to help reduce risk. In the IT world, risk could relate to critical digital assets (the recipe for Coke or a new prototype electric car) or perhaps Personally Identifiable Information, which is now highly regulated through privacy legislation.
For companies to function normally and ensure that they, their investors, their customers and their supply chain all feel safe, they must identify the risks that threaten their organisation and, in turn, their digital assets. In order to identify these risks, the organisation must first understand what it has and how valuable its assets are, and then decide how to protect them. Much like when you are applying for home and contents insurance, you must assess the whole building, its structure, its entry points and its contents.
Understanding assets is key, but it is equally important to understand the threat landscape. The threat landscape is all about knowing who the threat actors are, what motivates them and what techniques they may use to steal your property. In other words, there is little point spending thousands of pounds to secure a £100 shed with one £5 shovel in it. If that shed were now a jewellery store in London’s Hatton Garden, there would be every point in applying a defence in depth strategy, utilising security guards, panic alarms, secure vaults etc.
IT security, risk and compliance
That having been said, even a secure vault in Hatton Garden is vulnerable to a breach. The same applies to IT security, risk and compliance. There is no such thing as 100% secure, risk free or compliant. The journey is all about identifying risks and applying appropriate controls according to the risk rating. It is all about prioritising risks and not getting overwhelmed by the amount of risk discovered.
If discovery/identification of assets and risks and the application of controls are the first two stages of a GRC journey, then change management will almost certainly be the third most important activity.
Using the home protection example, if you were to move home, all of the controls that you had applied are now redundant and your personal property is once again at risk. It would be pointless to simply transfer all the controls across to the new home. You went through a bespoke process to evaluate your estate, identify risks and apply controls that were unique to that home. The new home may have more doors and windows, no driveway, a separate annex and so on: all new things that should be considered to see if the previous controls are still needed, appropriate, adequate and fit for purpose. It may be that more controls are required, or even fewer. The new home could have a new, state-of-the-art, built-in safe, so there is no need to go and buy your own!