GRC Notes Cloud Computing


Governance, risk management, and compliance

Governance, risk management and compliance (GRC) is the term covering an organization's
approach across these three practices: Governance, risk management, and compliance.[1][2][3] The
first scholarly research on GRC was published in 2007[4] where GRC was formally defined as "the
integrated collection of capabilities that enable an organization to reliably achieve objectives,
address uncertainty and act with integrity." The research referred to common "keep the company
on track" activities conducted in departments such as internal audit, compliance, risk, legal,
finance, IT, HR as well as the lines of business, executive suite and the board itself.

Basic concepts

- Governance describes the overall management approach through which senior executives
direct and control the entire organization, using a combination of management information
and hierarchical management control structures. Governance activities ensure that critical
management information reaching the executive team is sufficiently complete, accurate and
timely to enable appropriate management decision making, and provide the control
mechanisms to ensure that strategies, directions and instructions from management are
carried out systematically and effectively.[9]
- Risk management is the set of processes through which management identifies, analyzes,
and, where necessary, responds appropriately to risks that might adversely affect realization
of the organization's business objectives. The response to risks typically depends on their
perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third
party. Organizations routinely manage a wide range of risks (e.g. technological risks,
commercial/financial risks, information security risks).
- Compliance means conforming with stated requirements. At an organizational level, it is
achieved through management processes which identify the applicable requirements
(defined for example in laws, regulations, contracts, strategies and policies), assess the state
of compliance, assess the risks and potential costs of non-compliance against the projected
expenses to achieve compliance, and hence prioritize, fund and initiate any corrective
actions deemed necessary.

GRC market segmentation

A GRC program can be instituted to focus on any individual area within the enterprise, or a fully
integrated GRC is able to work across all areas of the enterprise, using a single framework.
A fully integrated GRC uses a single core set of control material, mapped to all of the primary
governance factors being monitored. The use of a single framework also has the benefit of
reducing the possibility of duplicated remedial actions.
When reviewed as individual GRC areas, the three most common individual headings are
considered to be Financial GRC, IT GRC, and Legal GRC.

- Financial GRC relates to the activities that are intended to ensure the correct operation of all
financial processes, as well as compliance with any finance-related mandates.
- IT GRC relates to the activities intended to ensure that the IT (Information Technology)
organization supports the current and future needs of the business, and complies with all IT-
related mandates.
- Legal GRC focuses on tying together all three components via an organization's legal
department and chief compliance officer.
Analysts disagree on how these aspects of GRC are defined as market categories. Gartner has
stated that the broad GRC market includes the following areas:
- Finance and audit GRC
- IT GRC management
- Enterprise risk management
They further divide the IT GRC management market into these key capabilities. Although this list
relates to IT GRC, a similar list of capabilities would be suitable for other areas of GRC.
- Controls and policy library
- Policy distribution and response
- IT controls self-assessment and measurement
- IT asset repository
- Automated general computer control (GCC) collection
- Remediation and exception management
- Reporting
- Advanced IT risk evaluation and compliance dashboards
GRC product vendors
The distinctions between the sub-segments of the broad GRC market are often not clear. With a
large number of vendors entering this market recently, determining the best product for a given
business problem can be challenging. Given that the analysts don’t fully agree on the market
segmentation, vendor positioning can increase the confusion.
Due to the dynamic nature of this market, any vendor analysis is often out of date relatively soon
after its publication.
Broadly, the vendor market can be considered to exist in 3 segments:
- Integrated GRC solutions (multi-governance interest, enterprise wide)
- Domain specific GRC solutions (single governance interest, enterprise wide)
- Point solutions to GRC (relate to enterprise wide governance or enterprise wide risk or
enterprise wide compliance, but not in combination)
Integrated GRC solutions attempt to unify the management of these areas, rather than treat them
as separate entities. An integrated solution is able to administer one central library of compliance
controls, but manage, monitor and present them against every governance factor. For example,
in a domain specific approach, three or more findings could be generated against a single broken
activity. The integrated solution recognizes this as one break relating to the mapped governance
factors.
Domain specific GRC vendors understand the cyclical connection between governance, risk and
compliance within a particular area of governance. For example, within financial processing, a
risk will relate either to the absence of a control (which requires updating governance) and/or to
the lack of adherence to (or poor quality of) an existing control. An initial goal of splitting out GRC
into a separate market has left some vendors confused about the lack of movement. It is thought
that a lack of deep education within a domain on the audit side, coupled with a mistrust of audit in
general, causes a rift in a corporate environment. However, there are vendors in the marketplace
that, while remaining domain-specific, have begun marketing their product to end users and
departments that are either tangential or overlapping, and have expanded their target audience to
include the corporate internal audit (CIA) and external audit teams (tier one big four and tier two
and below), information security, and operations/production. This provides a more 'open book'
approach to the process. If the production team is audited by CIA using an application that
production also has access to, this is thought to reduce risk more quickly, as the end goal is not
to be 'compliant' but to be 'secure', or as secure as possible.
Point solutions to GRC are marked by their focus on addressing only one of its areas. In some
cases of limited requirements, these solutions can serve a viable purpose. However, because
they tend to have been designed to solve domain specific problems in great depth, they generally
do not take a unified approach and are not tolerant of integrated governance
requirements. Information systems will address these matters better if the requirements for GRC
management are incorporated at the design stage, as part of a coherent framework.[10]

Regulatory compliance
In general, compliance means conforming to a rule, such as a specification, policy, standard or
law. Regulatory compliance describes the goal that organizations aspire to achieve in their
efforts to ensure that they are aware of and take steps to comply with relevant laws, policies,
and regulations.[1] Due to the increasing number of regulations and need for operational
transparency, organizations are increasingly adopting the use of consolidated and harmonized
sets of compliance controls.[2] This approach is used to ensure that all necessary governance
requirements can be met without the unnecessary duplication of effort and activity from
resources.
Regulations and accrediting organizations vary among fields, with examples such as PCI-
DSS and GLBA in the financial industry, FISMA for U.S. federal agencies, HACCP for the food
and beverage industry, and the Joint Commission and HIPAA in healthcare. In some cases other
compliance frameworks (such as COBIT) or even standards (NIST) inform on how to comply with
regulations.
Some organizations keep compliance data (all data belonging or pertaining to the enterprise or
included in the law, which can be used for the purpose of implementing or validating
compliance) in a separate store for meeting reporting requirements. Compliance software is
increasingly being implemented to help companies manage their compliance data more
efficiently. This store may include calculations, data transfers, and audit trails.

India
In India, compliance regulation takes place across three strata: Central, State, and Local
regulation. India veers towards central regulation, especially of financial organizations and
foreign funds.[18] Compliance regulations vary based on the industry segment in addition to the
geographical mix. Most regulation comes in the following broad categories: economic regulation,
regulation in the public interest, and environmental regulation.[19] India has also been
characterized by poor compliance: reports suggest that only around 65% of companies are fully
compliant with norms.

Financial compliance
The U.K. Corporate Governance Code (formerly the Combined Code) is issued by the Financial
Reporting Council (FRC) and "sets standards of good practice in relation to board leadership and
effectiveness, remuneration, accountability, and relations with shareholders."
All companies with a Premium Listing of equity shares in the U.K. are required under the Listing
Rules to report on how they have applied the Combined Code in their annual report and
accounts.
The U.K.'s regulatory framework requires that all its publicly listed companies should provide
specific content in the core financial statements that must appear in a yearly report, including
balance sheet, comprehensive income statement, and statement of changes in equity, as well as
cash flow statement as required under international accounting standards.

Challenges
Data retention is a part of regulatory compliance that is proving to be a challenge in many
instances. The security that comes from compliance with industry regulations can seem contrary
to maintaining user privacy. Data retention laws and regulations ask data owners and other
service providers to retain extensive records of user activity beyond the time necessary for
normal business operations. These requirements have been called into question by privacy rights
advocates.
Compliance in this area is becoming very difficult. Laws like the CAN-SPAM Act and Fair Credit
Reporting Act in the U.S. require that businesses give people the right to be forgotten.

Cloud Security Alliance

Cloud Security Alliance (CSA) is a not-for-profit organization with the
mission to "promote the use of best practices for providing security
assurance within Cloud Computing, and to provide education on the
uses of Cloud Computing to help secure all other forms of computing."[1]
The CSA has over 80,000 individual members worldwide.[2] CSA gained
significant reputability in 2011 when the American Presidential
Administration selected the CSA Summit as the venue for announcing
the federal government’s cloud computing strategy.
The Cloud Security Alliance (CSA) is a nonprofit organization that promotes
research into best practices for securing cloud computing and the use of
cloud technologies to secure other forms of computing. CSA leverages the
expertise of industry practitioners, associations and governments, as well
as its corporate and individual members, to offer research, education,
certification, events and products specific to cloud security.

History
The CSA was formed in December 2008 as a coalition by individuals who saw the need to
provide objective enterprise user guidance on the adoption and use of cloud computing.[4]
Its initial work product, Security Guidance for Critical Areas of Focus in Cloud Computing, was put
together in a wiki style by dozens of volunteers.[5]
Policy maker support
The CSA works to support a number of global policy makers in their focus on cloud security
initiatives including the National Institute of Standards and Technology (NIST), European
Commission,[9] Singapore Government and other data protection authorities.

Size
The Cloud Security Alliance employs roughly sixty full-time and contract staff worldwide. It has
several thousand active volunteers participating in research, working groups and chapters at any
time.

Cloud Security Alliance research areas

The CSA leads a number of ongoing research initiatives through which it
provides white papers, tools and reports to help companies and vendors
secure cloud computing services.

There are CSA working groups that target 38 different cloud security
domains and address almost every aspect of cloud security. These include
the following:

- The Cloud Data Governance Working Group works to design principles
and map them to emerging technologies and techniques to guarantee
the privacy, availability, integrity, confidentiality and security of data
across public and private clouds.
- The Cloud Security Alliance IoT Working Group focuses on developing
relevant use cases for internet of things (IoT) implementations, as well
as establishing actionable guidance to enable security practitioners to
secure their deployments.
- The CSA Application Containers and Microservices Working Group
focuses on conducting research on the security of
application containers and microservices. It is also charged with
publishing guidance and best practices for the secure use of application
containers and microservices.
- The SaaS Governance Working Group aims to encourage and define
mechanisms to promote cooperation and help vendors and customers
work closely together to manage software-as-a-service risks and
guarantee the security of customer data and the resilience of the SaaS
cloud infrastructure.

The CSA Security, Trust & Assurance Registry (STAR) is a program for
security assurance in the cloud. STAR incorporates the principles of
transparency, rigorous auditing and the harmonization of standards. The
STAR program offers a number of benefits, including "indications of best
practices and validation of security posture of cloud offerings," according to
the CSA website.

CSA membership

The Cloud Security Alliance offers three membership options:

- Corporate Membership for Solution Providers offers a venue for
members to learn about the latest developments in the cloud, showcase
their expertise to a global audience and connect with users.
- Corporate Membership for Enterprises provides the information, tools
and guidance to help members realize the benefits of their cloud
investments.
- Individual Membership offers any individual with an interest in cloud
computing and the expertise to help make it more secure a
complimentary individual membership based on a minimum level of
participation.

The CSA currently has 90,000 individual members, 80 global chapters and
400 corporate members.

Cloud Security Alliance certifications

The Cloud Security Alliance also offers professional cloud security
certifications.

- CSA STAR (Security, Trust & Assurance Registry) Certification is a
rigorous, third-party, independent assessment of the security of a cloud
service provider. The STAR Certification is based on achieving ISO/IEC
27001, as well as the specified set of criteria detailed in the Cloud
Controls Matrix. Achieving the STAR Certification means that cloud
providers will be able to offer prospective customers a greater
understanding of their level of security control.
- CSA CCSK (Certificate of Cloud Security Knowledge) is a web-based
examination of a person's competency in the primary cloud security
issues. The CCSK aims to provide an understanding of security issues
and best practices over a range of cloud computing domains.
Recommended for IT auditors, the CCSK is required for portions of the
CSA STAR program.
- CSA CCSP (Certified Cloud Security Professional) is a global credential
representing the highest standard for expertise in cloud security. It was
co-created by the Cloud Security Alliance and the International
Standardization Council, the stewards for information security and
cloud computing security. The CCSP is recommended for experienced
IT/ICT (information communication technology) professionals involved
with IT architecture; web and cloud security engineering; information
security; governance, risk and compliance; or IT auditing. Additionally,
the CCSP is useful for individuals who are working with organizations
committed to DevSecOps, Agile or bimodal IT practices.