Information Security Governance, Risk and Compliance team

Nishant Grover
12 min read · Jun 20, 2023

Note: All views in this article are my own, and team structure differs depending on organization size, InfoSec team size, and business priorities.

The Governance, Risk, and Compliance (GRC) team plays a vital role in information security. It is responsible for ensuring that the organization's information security policies and procedures are aligned with the business goals, that risks are managed effectively, and that the organization complies with applicable regulations. In short, GRC is what keeps the rest of the information security program accountable and effective.

Sub Teams

GRC, as the name suggests, is divided into three sub-teams. Usually, GRC team members work during business hours, unless there is an active incident or audit in which the team needs to act as the bridge between multiple teams to drive the initiative forward (or towards closure).

Governance Team:

The Governance team sets the direction and establishes policies, procedures, and guidelines for information security governance. They define the organizational structure, roles, and responsibilities related to information security, ensuring that decision-making processes align with business objectives and risk tolerance. The governance function provides oversight and ensures accountability for information security within the organization.

The above is achieved in six phases, in the following order:

  1. Define Objectives: Identify the primary objectives of the information security governance team, such as ensuring compliance with regulatory requirements, protecting the organization from cyber threats, and aligning information security with business goals.
  2. Establish Roles and Responsibilities: Define the roles and responsibilities of each team member in InfoSec, including the team leader, sub-team leaders, and individual contributors. Ensure that each team member understands their responsibilities and is accountable for their actions. This also means working with other teams, including the many verticals of the IT team, so that expectations of those teams are defined as well.
  3. Develop Policies and Procedures: Develop information security policies, procedures, standards, and guidelines that align with the organization's objectives. Ensure that the policies are comprehensive, consistent, and up-to-date.
  4. Implement Controls: Implement information security controls that align with the policies, procedures, and risk management plans. Ensure that the controls are implemented consistently and effectively across the organization.
  5. Monitor and Report: Continuously monitor the effectiveness of the information security governance program and report on progress, issues, and risks to stakeholders, including senior management and the Board of Directors.
  6. Define Metrics and KPIs: The Governance team defines metrics and key performance indicators (KPIs) to assess the effectiveness of the information security program, ensures that they are in line with the organization's objectives, and monitors and reports on them regularly. By analyzing the results, the Governance team drives strategic changes in the InfoSec program, proposes new controls and resources, and requests and allocates budgets to support the growth and development of the InfoSec team and the overall program. This continually improves the security posture of the organization and aligns InfoSec efforts with the evolving needs of the business.

Compliance Team

The compliance team ensures that the organization adheres to relevant laws, regulations, and industry standards related to information security. They stay up-to-date with changing regulatory requirements and assess the organization’s compliance status. The team develops policies and procedures to address compliance gaps and implements controls to meet the required standards. They also conduct audits and internal reviews to assess compliance and identify areas for improvement. This is again done in the following phases (no particular order).

Regulatory Compliance: The compliance team is responsible for ensuring that the organization complies with various regulatory requirements, such as GDPR, HIPAA, PCI DSS, etc. They monitor changes in the regulatory landscape, update policies and procedures, and ensure that the organization is prepared for audits and assessments.

Compliance Monitoring: The team monitors the organization’s compliance with its own information security policies, standards, and procedures. They conduct regular audits and assessments to ensure that these policies are being followed and that any non-compliance issues are identified and addressed.

Training and Awareness: The team is responsible for creating and delivering security awareness and training programs to employees, contractors, and other stakeholders. They educate the workforce on information security best practices, policies, and procedures, and help create a culture of cyber security within the organization.

Audit and Assessment: The compliance team is responsible for conducting internal and external audits of the organization’s information security controls to ensure compliance with policies and standards. They may also initiate vulnerability assessments, penetration testing, and security audits for internal applications and third-party vendors when required.

Continuous Improvement: Based on the learnings from internal and external assessments, and from measuring InfoSec against its own policies and procedures, the compliance team works toward raising the bar and improving the overall information security program.

Risk Team (Or Risk Management Team)

The Information Security Risk team identifies, assesses, and manages information security or cyber security related risks. They conduct risk assessments to identify vulnerabilities, threats, and potential impact on the organization’s information assets. Based on the assessment results, the risk team develops risk mitigation strategies and recommends controls to minimize risks to an acceptable level. They also monitor and review the effectiveness of these controls and update risk management processes as needed.

The Risk team is further divided into an Internal Risk team and a Third Party Risk Management (TPRM) team.

TPRM

The Third Party Risk Management team is responsible for managing and reducing risks that originate from third parties, such as vendors working for the organization. For example, if your organization uses a software or hardware component that is critical for a high-importance business application, a vulnerability in that component can put your business at risk. TPRM manages such risks. How do they achieve it?

  • Third-party Due Diligence: The TPRM team conducts due diligence on third-party vendors to assess their information security posture, including their policies, procedures, controls, and security certifications.
  • Risk Assessment: The TPRM team assesses the level of risk posed by third-party vendors based on their access to sensitive information or systems, and the likelihood and impact of a security breach or data leak.
  • Contractual Security Requirements: The TPRM team ensures that contracts with third-party vendors include appropriate security clauses, such as data protection, breach notification, liability, and financial guarantees.

Internal Risk Team:

This team is further divided into three sub-teams based on the role each plays in reducing risk.

  1. Business Continuity and Disaster Recovery team (BCDR): This team in information security is responsible for ensuring the organization’s resilience in the face of disruptive cyber incidents. They develop and implement business continuity and disaster recovery plans to enable the organization to recover and continue its operations. The team conducts analyses to identify critical processes and their dependencies, creates plans for backup and recovery, tests the plans regularly, coordinates response efforts during incidents, and continuously improves strategies based on lessons learned. Their role is crucial in minimizing the impact of disruptions on information security and maintaining business operations.
  2. Vulnerability Management and Remediation (VMR) Team: This team plays a vital role in maintaining the security of an organization's IT systems and infrastructure. Its primary responsibility is to conduct regular vulnerability scans to identify potential security weaknesses, using automated scanning tools or manual assessments to detect vulnerabilities within the organization's systems. Once vulnerabilities are identified, the team collaborates with various stakeholders, including the IT, Application, and Security teams, to prioritize and remediate them based on the severity levels defined by the organization's InfoSec policies. They ensure that patches and fixes are applied within the agreed-upon timeframes outlined in the Service Level Agreements (SLAs), minimizing the risk of exploitation and enhancing the overall security posture of the organization. Without patching known vulnerabilities, the risk of being compromised keeps increasing, and this is one of the basic hygiene measures every InfoSec program should implement. The VMR team usually takes care of vulnerabilities present on the operating system of a server or endpoint, on any software installed on it, and in the firmware of network and other IT infrastructure devices.
  3. Application Security team (AppSec): Their role involves ensuring that applications (web, mobile, or API based) are designed, developed, tested, and deployed with robust security measures in place. The team conducts comprehensive security assessments, threat modeling, code reviews, and white/gray/black box assessments to identify vulnerabilities and weaknesses within the applications. They collaborate with development teams to implement secure coding practices, provide guidance on security best practices, and ensure that proper security controls, such as authentication, access controls, and encryption, are implemented across the different parts of the application. A bug bounty vulnerability reported by external researchers often reaches this team for validation before being forwarded to the application team for fixing. Now you know where your bug bounty tickets end up :)
  • A sub-team of the application security team usually plays the role of a red team or the offensive security team (OST) in the company. The OST is a more advanced team that operates in a manner similar to a real-world attacker. The Red Team simulates attacks against an organization's systems and infrastructure in order to identify potential vulnerabilities and weaknesses in the organization's security defenses. The Red Team's goal is not only to identify vulnerabilities but also to assess the effectiveness of the organization's security controls in detecting and responding to attacks.

InfoSec Toolset:

In addition to the tools mentioned earlier in the series, various other tools are employed by different teams within information security. These tools aid in identifying easily detectable gaps and vulnerabilities and enhance the efficiency of day-to-day operations. These additional tools provide valuable capabilities that complement the existing toolset, enabling teams to streamline their processes and achieve higher levels of effectiveness in their security tasks. Some of these are:

  • Vulnerability Management tool: A vulnerability scanning and management tool is used to track and manage the vulnerability status of each asset within an organization. It maintains a historical record of the asset's state, including the identified vulnerabilities and their remediation status. Some organizations utilize comprehensive vulnerability management tools that not only scan for vulnerabilities but also provide a complete management solution. Others rely on simpler vulnerability scanners that generate regular reports; these reports are then manually correlated to analyze historic vulnerability trends and track the progress of remediation efforts. Premium vulnerability scanners also support authenticated scans, which do a better job by logging into the device and looking for missing patches and vulnerabilities in installed software as well.
  • Static Code Analyzer: A static code analyzer is a tool employed by the InfoSec team to analyze source code without executing it. It scans the code for potential security vulnerabilities, coding errors, and adherence to coding standards. This automated tool identifies issues such as SQL injection, cross-site scripting, and insecure access control, enabling early detection and remediation of security flaws in the codebase.
  • Web Application Scanner (WAS): A WAS is a specialized tool utilized by the InfoSec team to assess the security of web applications. It automatically scans web applications, identifying potential vulnerabilities such as SQL injection, cross-site scripting, and insecure configuration. The scanner examines various components, including URLs, forms, cookies, and headers, to identify security weaknesses that could be exploited by attackers. By detecting vulnerabilities early on, the web application scanner helps the InfoSec team strengthen the security posture of web applications and mitigate potential risks. The AppSec team usually also has its own vulnerability and validation checklist, which it runs in addition to the automated WAS.
  • Configuration Scanner: A configuration scanner is a tool used by the InfoSec team to assess the security of system configurations and settings. It scans various components, such as operating systems (for example, against CIS Benchmarks), network devices, databases, and applications, to identify configuration weaknesses and vulnerabilities. The scanner checks for misconfigurations, insecure default settings, and deviations from security best practices. By performing automated checks, the configuration scanner helps ensure that systems are properly configured, minimizing the risk of unauthorized access, data breaches, and other security incidents. It allows the InfoSec team to proactively identify and address configuration issues, enhancing the overall security of the organization's infrastructure.
  • Risk Register: The Risk Register is a centralized repository used by the InfoSec Risk team to document known risks, remediation tasks, and the responsible owner for each risk. It can take the form of a dedicated software tool or a simple Excel file, depending on the organization's level of maturity and available resources. It serves as a comprehensive record of identified risks, their associated mitigation actions, and the individuals or teams accountable for addressing them. The Risk Register facilitates effective risk management by providing visibility into the organization's risk landscape and ensuring that appropriate actions are taken to mitigate and monitor risks over time.
  • GRC tool: Lastly, the GRC tool serves as a document repository, housing past and current versions of policies, procedures, and process documents. It maintains a historical record, allowing changes to each document to be tracked and facilitating audits. The most up-to-date versions of these documents are accessible on the internal company portal, providing employees and InfoSec teams with a point of reference to understand permissible actions and identify potential violations.
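The VMR team's SLA tracking and the manual correlation of scanner reports described above are easy to automate even without a full vulnerability management product. The following is an added example (not code from the article or from any product it mentions) that correlates two constructed scan snapshots, keeps a first-seen record per finding, and flags findings that have exceeded an assumed per-severity SLA window; the SLA values and the finding ids are placeholders, not figures from the article.

```python
from datetime import date

# Assumed remediation SLA windows per severity, in days. These are
# illustrative values; in practice they come from the InfoSec policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed scan reports. Each finding is (asset, finding_id, severity).
# Finding ids are placeholders, not real CVE identifiers.
PREVIOUS_SCAN = {
    "scan_date": date(2023, 5, 1),
    "findings": [
        ("web-01", "FINDING-001", "critical"),
        ("web-01", "FINDING-002", "medium"),
        ("db-01", "FINDING-003", "high"),
    ],
}
CURRENT_SCAN = {
    "scan_date": date(2023, 6, 1),
    "findings": [
        ("web-01", "FINDING-001", "critical"),  # still open, well past 7-day SLA
        ("db-01", "FINDING-003", "high"),       # still open, 31 days > 30-day SLA
        ("db-01", "FINDING-004", "low"),        # new in this cycle
    ],
}


def correlate(previous, current, first_seen=None):
    """Correlate two scan reports and classify every finding.

    first_seen maps (asset, finding_id) to the date the finding was first
    reported; it is the historical record a VM tool would keep between runs.
    Returns the updated first_seen record and a summary with the lists
    new, remediated, open and overdue (overdue entries carry severity and
    the number of days past SLA).
    """
    first_seen = dict(first_seen or {})
    prev_keys = {(a, f) for a, f, _ in previous["findings"]}
    cur_keys = {(a, f) for a, f, _ in current["findings"]}
    # Backfill first-seen dates from the older report first so that a
    # finding present in both snapshots keeps its earliest date.
    for a, f, _ in previous["findings"]:
        first_seen.setdefault((a, f), previous["scan_date"])
    for a, f, _ in current["findings"]:
        first_seen.setdefault((a, f), current["scan_date"])
    summary = {"new": [], "remediated": sorted(prev_keys - cur_keys),
               "open": [], "overdue": []}
    for a, f, sev in current["findings"]:
        key = (a, f)
        if key not in prev_keys:
            summary["new"].append(key)
        summary["open"].append(key)
        age_days = (current["scan_date"] - first_seen[key]).days
        if age_days > SLA_DAYS[sev]:
            summary["overdue"].append((a, f, sev, age_days - SLA_DAYS[sev]))
    return first_seen, summary


if __name__ == "__main__":
    _, report = correlate(PREVIOUS_SCAN, CURRENT_SCAN)
    for bucket, items in report.items():
        print(bucket, items)
```

Feeding each new scan through `correlate` with the returned `first_seen` record gives the per-asset history and SLA status that the article describes as being reconstructed by hand from periodic reports.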

InfoSec Overall

Now that you know about all the teams under InfoSec, let's see how GRC connects internally with the other sub-teams of InfoSec.

  1. Security Operations Center (SOC): The GRC team works closely with the SOC to provide guidance on regulatory compliance requirements and risk management processes. They collaborate on incident response procedures, ensuring that security incidents are appropriately handled, documented, and reported in line with compliance obligations.
  2. Security Architecture and Engineering: The GRC team engages with the Security Architecture and Engineering team to incorporate security requirements and compliance considerations into system and network designs. They collaborate on defining security controls, evaluating technology solutions, and ensuring that security architecture aligns with industry best practices and regulatory requirements.
  3. Internal Audit: The GRC team interacts closely with the Internal Audit team to support audit activities related to information security. They provide documentation, evidence, and insights on security controls, risk management processes, and compliance efforts. The GRC team works in collaboration with Internal Audit to address findings and implement corrective actions identified during audits.
  4. Data Privacy and Compliance: The GRC team closely collaborates with the Data Privacy and Compliance team to align information security practices with privacy regulations. They work together to develop policies and controls that protect sensitive data, address data breach notification requirements, and ensure compliance with data protection laws such as GDPR or HIPAA.
  5. Vulnerability Management and Remediation: The GRC team liaises with the Vulnerability Management and Remediation team to integrate vulnerability assessments into the overall risk management framework. They collaborate on prioritizing and addressing vulnerabilities based on risk assessments and compliance requirements, ensuring timely remediation of identified risks.
  6. Security Awareness and Training: The GRC team collaborates with the Security Awareness and Training team to develop and deliver security awareness programs that align with compliance obligations. They provide input on regulatory requirements, security policies, and risk management practices to ensure that the training materials and initiatives effectively educate employees on their security responsibilities.
  7. Business Continuity and Disaster Recovery (BCDR): The GRC team works closely with the BCDR team to align business continuity plans with regulatory requirements and risk management practices. They collaborate on identifying critical business processes, conducting impact assessments, and incorporating compliance considerations into the BCDR strategies and response plans.

Conclusion:

In summary, the GRC team acts as a key enabler within the information security landscape, bridging the gap between compliance, risk management, and governance. Their responsibilities, interactions with other teams, and utilization of specialized tools make them an essential component in establishing and maintaining a secure and resilient environment for organizations.

Series Conclusion:

This sums up the series on Demystifying the Information Security Team. I hope you enjoyed reading it as much as I enjoyed writing it. You can reach out to me on Twitter if you have feedback or queries regarding the blog.

Cheers!

Video Series Link: https://www.youtube.com/playlist?list=PLYvPOAFzOkSsGlrW74f-2351WW9Sh7S3u

Link to previous part: https://medium.com/@inishantgrover/security-architects-and-engineering-team-33eeb32de17a