GRC — Connecting the dots (Hint: COBIT 5)

Anxiety was killing me: Governance, Risk and Compliance seemed poles apart, and I kept asking myself how the three actually connect with each other.
It all started when I got confused between a risk and an audit observation.
When I went through my enterprise's risk register I realized that its entries were audit observations rather than risks. I struggled to understand the difference between Risk, audit observations, Compliance and Security.
It was then that I realized that an audit observation is a child of something larger, in this case a Risk (which I call the parent entity). Let me give you an example:

Unprotected passwords, unauthorized access, lack of a DLP solution and unpatched systems are all examples of observations (Child). The relationship between a risk and its audit observations is 1:M: "many" audit observations may impact "one" Risk, in this case "Loss of data theft".
Going one step further, connect these items to COBIT 5 process areas (Grandparent). In this situation the Risk and its observations connect to Manage Security Services (DSS05).
These observations are nothing but pending mitigation strategies, so closing even one observation changes the overall risk.
Anxiety was over; I realized how to use COBIT 5, and everything now seemed to connect:
- Create risk scenarios (refer to the COBIT 5 risk scenarios) (Parent)
- Map risk scenarios to COBIT 5 process areas (Grandparent)
- Identify risk observations (Child)
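The three steps above describe a small data model: a COBIT 5 process area (grandparent) owns risk scenarios (parents), and each risk scenario owns many audit observations (children, 1:M). The following Python is an added example, not code from the original post, showing that model as a toy risk register. The "Loss of data theft" risk, its four observations and the DSS05 mapping come from the post; the second risk under MEA03, all identifiers (R1, O1, ...) and the `exposure()` measure are constructed assumptions for illustration. Closing one child observation lowers the parent's exposure, and the roll-up gives the grandparent view that governance monitoring would use.

```python
"""Toy GRC register: COBIT 5 process area (grandparent) -> risk scenario (parent)
-> audit observations (children, 1:M).  Added example, not the post's own code."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Observation:
    """Child: an audit observation, i.e. a pending (open) or applied (closed) mitigation."""
    obs_id: str
    title: str
    is_open: bool = True


@dataclass
class Risk:
    """Parent: a risk scenario mapped to exactly one COBIT 5 process area."""
    risk_id: str
    scenario: str
    process_area: str                      # grandparent, e.g. "DSS05"
    observations: List[Observation] = field(default_factory=list)

    def open_observations(self) -> List[Observation]:
        return [o for o in self.observations if o.is_open]

    def exposure(self) -> float:
        """Share of observations still open: 1.0 = nothing mitigated, 0.0 = all closed.
        This measure is an assumption of the example, not part of COBIT 5."""
        if not self.observations:
            return 0.0
        return len(self.open_observations()) / len(self.observations)


def build_sample_register() -> List[Risk]:
    """Constructed sample data, modelled on the post's DSS05 example."""
    data_theft = Risk("R1", "Loss of data theft", "DSS05", [
        Observation("O1", "Unprotected passwords"),
        Observation("O2", "Unauthorized access"),
        Observation("O3", "Lack of DLP solution"),
        Observation("O4", "Unpatched systems"),
    ])
    # Second, constructed risk: a compliance requirement tracked under MEA03.
    pci = Risk("R2", "Non-compliance with PCI-DSS v3.2", "MEA03", [
        Observation("O5", "Quarterly vulnerability scan not performed"),
        Observation("O6", "Cardholder data stored unencrypted", is_open=False),
    ])
    return [data_theft, pci]


def close_observation(register: List[Risk], obs_id: str) -> float:
    """Close one child and return its parent's new exposure (the 1:M effect)."""
    for risk in register:
        for obs in risk.observations:
            if obs.obs_id == obs_id:
                obs.is_open = False
                return risk.exposure()
    raise KeyError(f"no observation {obs_id}")


def rollup_by_process(register: List[Risk]) -> Dict[str, Dict[str, int]]:
    """Grandparent view: number of risks and open observations per process area."""
    out: Dict[str, Dict[str, int]] = {}
    for risk in register:
        bucket = out.setdefault(risk.process_area, {"risks": 0, "open_observations": 0})
        bucket["risks"] += 1
        bucket["open_observations"] += len(risk.open_observations())
    return out


def validate_register(register: List[Risk]) -> List[str]:
    """Flag entries that break the parent/child model described in the post."""
    problems: List[str] = []
    seen = set()
    for risk in register:
        if not risk.process_area:
            problems.append(f"{risk.risk_id}: not mapped to a COBIT 5 process area")
        if not risk.observations:
            problems.append(f"{risk.risk_id}: risk scenario has no observations attached")
        for obs in risk.observations:
            if obs.obs_id in seen:
                problems.append(f"{obs.obs_id}: observation attached to more than one risk")
            seen.add(obs.obs_id)
    return problems


if __name__ == "__main__":
    reg = build_sample_register()
    print(rollup_by_process(reg))
    print("after closing O3:", close_observation(reg, "O3"))
    print("validation:", validate_register(reg) or "ok")
```

Running the block prints the per-process roll-up, then shows the DSS05 risk's exposure dropping from 1.0 to 0.75 once a single observation (O3) is closed, which is the "close one observation, the overall risk is impacted" point in practice.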
What about Compliance?
Treating PCI-DSS v3.2, ISO 27001:2013 or ISO 31000:2009 merely as standards is a mistake. In reality these standards require compliance with the requirements they state (MEA03).
Identify the compliance requirements relevant to your enterprise. Examples include mandates from RBI, HIPAA, SOX, Visa, security standards and quality standards.
Security or Cyber Security?
Security is also a child unit that satisfies a relevant risk scenario (Parent). For instance DDoS protection, a DLP solution, anti-virus, PIM and so on are all child items. Child items fall under a single umbrella called "Cyber Security". A strong Cyber Security framework (http://www.nist.gov/cyberframework/) will eventually impact your enterprise risks.
I realized there is a strong linkage between Governance, Risk and Compliance. With this approach I was able to connect the dots.
Finally, Governance:
Governance is the easiest piece of the puzzle. It just requires the family above to be monitored for its health vitals; monitoring of key metrics, process goals and process objectives are a few examples.
Top management must use such indicators to improve the health of the organization. Such vitals allow the captain (the CXOs) to steer the boat (the company) in the right direction.
COBIT 5
I have no formal education in COBIT 5, but I have always been fascinated by the framework and consider it the best framework designed yet. It answers every organizational question. Major domains such as Security, Service management, Business continuity, Risk management and Compliance are covered in depth.
The trial and error phase still continues; however, I look forward to sharing my implementation experiences and hope to succeed.