---
The Strategic Role of GRC in Achieving Organizational Goals through Information Security
A Holistic View on Managing Security Risks through GRC
In the name of Allah, the Most Gracious, the Most Merciful
---
GRC Security is an essential field for organizations, especially as business models and technology evolve, while digitalization reshapes the way organizations operate and expand. With the increasing use of technology in the digital era, the potential risks faced by organizations also rise - not only risks inherent in assets but also those in processes that can impact an organization's ability to achieve its goals. Therefore, GRC Security plays an important role in providing direction and strategy for information security, encompassing aspects of confidentiality, integrity, and availability, as a tangible contribution to supporting the organization in reaching its objectives.
---
Introduction
In this article, we will provide a brief overview of GRC in the context of security and its relationship to technical aspects of security.
So, imagine that we want to travel safely and comfortably to a city, taking Makkah, where Masjid Al-Haram is located, as our destination. Of course, before setting out, we will prepare many things, such as:
a. Itinerary or Travel Plan
To reach our desired destination, we'll need to consult a map to determine the route we'll take, aiming for a safe and efficient journey.
b. Capital or Resources
These resources are essential for the journey to our destination, covering expenses for fuel, food, and accommodation, or even preparing our vehicle for the trip.
c. Vehicle
A vehicle is necessary to transport us to the place we intend to reach.
d. Driver
When planning a trip with a personal vehicle, it's important to know the way in order to arrive safely at the destination. Even if we hire a driver, their experience and skills can help in choosing better routes, making resource use more efficient and potentially shortening travel time.
Now, how does this all relate to GRC? Before answering that, let us briefly explain what GRC is.
---
I. What is GRC?
GRC stands for Governance, Risk & Compliance, where each aspect has a role that complements and supports the others. But what does GRC actually mean? Let's examine each of these three components individually.
a. Governance
Governance is a system that manages, controls, and directs IT users in both the current environment and the future.
b. Risk
There are various definitions based on standards we can use to define risk. However, as this pertains to security, I'll refer to the ISO 27005 definition, where risk is the effect of uncertainty on objectives. According to GARP, risk is the likelihood of an unfavourable outcome. To build a solid understanding, I will focus on risk management, as it is essentially the process of managing risk that will be applied within GRC.
c. Compliance
Compliance is the action or process of adhering to relevant legal, regulatory, and guideline requirements.
Thus, as Aron Lange describes, GRC is a set of integrated capabilities that enables an organization to achieve its objectives reliably, address uncertainty, and act with integrity.
Here, "capabilities" refer to Governance, Risk & Compliance itself, including its integration with other departments or units within the organization. If I were to define it in my own terms, GRC is a working system (processes and practices) that organizes and directs, interconnected rather than isolated, to achieve objectives, minimize the impact of uncertainty, and ensure compliance with applicable regulations.
This system not only involves Governance, Risk & Compliance, but also integrates with other departments within an organization to achieve goals in alignment with the organization's abilities, with regular improvements.
Now, how does this relate to security? In this context, security refers to information security, which is the process of maintaining the confidentiality, integrity, and availability of information. This is essentially what GRC seeks to regulate (whether in storage, use, or transmission), assess in terms of risk, and align with legal and regulatory requirements.
Thus, Security GRC is a working system (processes and practices) that organizes and directs to safeguard information confidentiality, integrity, and availability. Each entity is interconnected rather than isolated, working to achieve the organization's objectives, reduce the impact of uncertainty, and maintain compliance with applicable regulations.
Figure 1: Illustration of GRC Security
If I may simplify my answer, the relationship between GRC and the "journey" scenario, where the destination is Masjid Al-Haram in Makkah, can be mapped out and understood as follows:
Just as a well-directed journey requires direction, a map, and a destination, an organization also needs guidance from a GRC framework to reach its goals. Without this, resources are wasted, security risks increase, and the potential for reputational damage and vulnerability to compliance violations becomes much higher. In GRC, every step of the journey has a clear purpose, managed risks, and resources used effectively to protect the organization.
---
II. What is the Purpose of GRC Security?
As is commonly known, information security threats can emerge from various unexpected vectors. This was recently experienced by a major company like Nokia, where a group of threat actors calling themselves "IntelBroker" claimed to have breached the server of a third-party vendor working with Nokia to steal source code and sell it on the Breach forum. Similarly, another large company, Schneider Electric, faced a situation where a threat actor named "Grep" mocked the company on a social media platform, claiming to have successfully breached Schneider Electric's Jira server. Using exposed credentials, they allegedly stole 75,000 unique email addresses and the full names of Schneider Electric employees and customers, and sold the data on the dark web.
In addition to the two examples above, there are other cases that might initially seem unrelated to security but, upon closer examination, are deeply connected to information security, particularly the aspect of availability. One such case is the incident experienced by Code Spaces. In 2014, Code Spaces, a company providing source code hosting and project management services, was forced to shut down following a devastating cyberattack. Attackers gained unauthorized access to their Amazon Web Services account, and deleted data and backups, leaving the company unable to continue its operations. Without a source code escrow agreement in place, clients relying on Code Spaces to host their code faced significant challenges in recovering their data.
All of the previous cases clearly demonstrate that information security requires commitment and involvement from various parties within an organization; it is not solely the responsibility of a few individuals. This is where the purpose of Security GRC becomes important and clear, namely to provide a robust security program or framework for comprehensive information protection aimed at safeguarding the confidentiality, integrity, and availability of information. This process includes identifying security needs, planning by relevant parties, decision making by top management, documentation, and implementing adequate controls. With these control mechanisms in place, information security processes can be effectively assessed and managed, thus supporting the organization's objectives efficiently.
---
III. What Frameworks are used in relation to Security GRC?
Currently, there are many standards that can serve as a foundational basis for implementing Security GRC according to an organization's needs. Some of these include:
ISO 27001: This standard or framework outlines and establishes requirements for setting up, implementing, maintaining, and continuously improving an information security management system within the context of an organization. It can be applied to organizations of any type and size.
Cybersecurity Framework (CSF - NIST): This standard or framework provides security requirements and a security and privacy control framework based on NIST SP 800-53. It is more suitable for government organizations.
PCI DSS: This standard sets requirements and controls for securing card data or authentication data that could impact the cardholder data environment. It is typically used by organizations whose business operations involve cardholder data.
HIPAA: U.S. law that establishes privacy, security, and breach notification standards for protected health information (PHI).
ISO 27018: An extension of ISO 27001 designed to protect personally identifiable information (PII) in public cloud environments.
GDPR: European Union regulation that protects personal data and gives individuals greater control over their information.
CSA STAR: The Security, Trust, and Assurance Registry for evaluating cloud service providers' security practices against the CSA's Cloud Controls Matrix (CCM).
---
IV. How do Governance, Risk, and Compliance Interrelate in the Context of Security?
In this part, we will attempt to illustrate the interrelationship of these three aspects, beginning with Risk. Here's an overview:
Figure 2: Interrelation of Governance, Risk and Compliance in the context of Information Security
4.1. Risk
An organization may already have processes or activities in place for its operations, such as maintaining available storage space for data, applying system hardening to operating systems that support business processes or services provided to users, or controlling access to sensitive information resources. So, should the organization conduct identification or assessment after these processes and activities exist, or when creating new activities or services?
For this reason, the process of identifying potential risks or threats that could disrupt the organization's objectives is, in my opinion, essential to perform at the outset. By conducting a risk assessment, an organization can proactively identify, measure, and evaluate the level of risk and potential impact, as well as minimize any negative effects or unexpected issues that could hinder organizational goals. The results of this assessment are then used for evaluation by stakeholders, whether for future products or services or for existing activities or services (depending on the situation at hand). This is followed up with remediation or an action plan to address any identified potential risks or threats. Once stakeholders have completed the remediation, risk management typically needs to update the risk level documented in their risk register.
For example, suppose an organization has a situation where one of its tribes plans to release a new feature into the production environment. During the risk assessment, it is found that the release was not tested in the development environment, real data was used in the User Acceptance Testing, and some critical findings from the reported penetration test were overlooked. The results of this assessment are then communicated to the relevant stakeholders to outline the remediation actions that will be taken, along with the target timeframe for their implementation.
---
4.2. Governance
Based on the example provided in the "Risk" section, the risk assessment conducted by the organization has identified potential risks or threats that require remediation or corrective action plans to address them. Typically, the outcomes of this remediation process will influence (but are not limited to) the following:
Policies, standards, or procedures (administrative controls): These may need to be modified or newly created to strengthen existing administrative controls or to implement new ones.
Process adjustments: Processes may be added or reduced as part of mitigating the identified risks or threats. This could mean new activities are introduced, or certain activities are minimized within a process, resulting from the remediation measures. This applies if the organization chooses to handle the risk through control or by transferring it to another party.
Delegation of responsibilities: The identified risks or threats will often impact the delegation of tasks as part of the remediation process. For example, an IT Quality Assurance team member and an IT Project Manager may be tasked with ensuring the UAT process aligns with organizational policies or standards, such as prohibiting the use of production data. Alternatively, a GRC person may be responsible for ensuring that critical findings from penetration testing reports are mitigated before services or applications are released to the production environment. This remediation process becomes standard practice, with the GRC person implementing or refining administrative controls whenever a release is planned in the future.
---
4.3. Compliance
As commonly understood, the role of compliance is to identify legal, regulatory, and contractual obligations that must be fulfilled. If the organization operates in Saudi Arabia, compliance and GRC personnel should stay informed and up-to-date on the laws and regulations related to information security and cybersecurity issued by the country (currently regulated by the National Cybersecurity Authority).
In the example described in the "Risk" section, compliance will inform the organization of the applicable laws and regulations in its industry. This includes government regulations, such as mandatory data protection under controls like "2-7 Data and Information Protection" or "2-11 Penetration Testing", which requires organizations to perform regular penetration testing.
Compliance also oversees adherence to internal company policies. When fulfilling its function, stakeholders - alongside risk management - typically seek input from compliance to ensure that regulatory requirements are met and legal and compliance risks are mitigated before any application, service, or product is released. An essential part of compliance's role is to socialize and communicate relevant laws and regulations that impact the organization.
---
V. Conclusion
So, after understanding the roles and mechanisms of the three aspects (Governance, Risk, and Compliance, along with Security), we recognize that all practices and actions undertaken to support an organization in achieving its goals need to be directed, controlled, monitored, and measured. In the context of security, GRC Security plays a key role in helping the organization execute its information security program. This involves mitigating potential information security risks or threats, ensuring that established controls are implemented, monitored, and measured, and aligning legal and regulatory requirements with existing rules or controls to support the organization in achieving its objectives.
---
VI. HakTrak's Innovation in GRC Security: Introducing Comply360
In its mission to assist organizations in assessing and managing their Governance, Risk, and Compliance (GRC) needs, HakTrak not only provides comprehensive assessments but also recognizes that some organizations require specialized tools to support their compliance efforts. To address this, HakTrak has developed Comply360 (formerly known as CyberImtithal), an advanced solution designed to simplify and enhance the compliance journey.
Comply360 - Streamlining Compliance with a State-of-the-art Platform
Comply360 is a comprehensive solution that streamlines GRC management by providing essential features such as centralized risk and asset tracking, compliance monitoring, and real-time alerts. Its intuitive dashboard and robust reporting tools enable efficient oversight, while automation and task tracking enhance collaboration and operational efficiency. Designed to support regulatory adherence and strategic risk management, Comply360 simplifies the compliance journey, empowering organizations to achieve their objectives with confidence and precision.
---
VII. References
ISO, "ISO/IEC 38500:2024 Information technology - Governance of IT for the organization," February 2024. [Online]. Available: https://www.iso.org/standard/81684.html.
ISO, "ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection - Guidance on managing information security risks," October 2022. [Online]. Available: https://www.iso.org/standard/80585.html.
ISO, "ISO 37301:2021 Compliance management systems - Requirements with guidance for use," April 2021. [Online]. Available: https://www.iso.org/standard/75080.html.
ISO, "ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems," October 2022. [Online]. Available: https://www.iso.org/standard/27001.
BleepingComputer, "Nokia investigates breach after hacker claims to steal source code," November 2024. [Online]. Available: https://www.bleepingcomputer.com/news/security/nokia-investigates-breach-after-hacker-claims-to-steal-source-code/.
BleepingComputer, "Schneider Electric confirms dev platform breach after hacker steals data," November 2024. [Online]. Available: https://www.bleepingcomputer.com/news/security/schneider-electric-confirms-dev-platform-breach-after-hacker-steals-data/.
CROWN Records Management, "SOURCE CODE ESCROW IN THE AGE OF THE CLOUD: IS THERE A NEED?," June 2023. [Online]. Available: https://www.crownrms.com/id/en/insights/source-code-escrow-in-the-age-of-the-cloud-is-there-a-need/.
A. Swoope, "GOVERNANCE 101: BACK TO BASICS," [Online]. Available: https://www.simplerisk.com/blog/governance-101-back-to-basics.
National Cybersecurity Authority, "Guide to Essential Cybersecurity Controls (ECC)," [Online]. Available: https://nca.gov.sa/en/regulatory-documents/guidelines-list/669/.
COMPLIANCE FORGE, "Governance, Risk Management & Compliance (GRC) Content - Policies, Standards & Procedures," [Online]. Available: https://complianceforge.com/governance-risk-compliance-grc-content/.
Global Association of Risk Professionals (GARP), Workbook Level 1.
The GRC Lab. [Online]. Available: https://grclab.com.