WHAT DOES A GRC ANALYST DO – GOVERNANCE

GRC analysts have the responsibility of speaking about security from a business point of view. Their work is designed to help the organization bolster its defenses, be in a position to react quickly to and handle bad situations, and limit the number of negative consequences and impacts.

One of the really important pieces of work that GRC analysts do is Governance. Governance is arguably the most vital of the three (governance, risk, and compliance) because it sets the tone and direction, and it underpins everything that an organization does. It encompasses writing policy, defining standards, and documenting procedures.

Policy

Policy is the foundation and the will of an organization. Policy communicates, in writing, what the expected behavior is, what happens if people don’t comply with the policy, and what the penalties or sanctions are. One can think of policy as a kind of checklist or step-by-step guide.

It’s just like the rules of a game or the rules of a household. Policy is crucial because without it, people in the organization are left to assume what the rules are.

Within the information security space, when we talk about policy, we talk about things like acceptable use policy, password policy, remote access policy, access policy, and what is okay for staff to do with technology. Are you allowed to take data home? Can you put data on thumb drives? Are you allowed to remote in from a hotel? And many others.

Standards

Standards and procedures illustrate how policies are implemented by the organization. A standard is the specific, quantified value that spells out the detail of a policy; it gives an objective measure for the behavior the policy is meant to establish in the organization.

Standards address the How and What of a policy: how much, how often, how many? Examples include: how many days until passwords need to be changed? How many people are allowed in the data center at any time? What systems get assessed for risk? How often do we assess that risk? What standards are we using to assess the risk? And many others.

Procedures

Procedures are documentation that outlines how policies will be implemented. One can think of procedure as an operating manual on how to do something.

A procedure describes how a process is supposed to be executed by an individual. When processes are done consistently, you can expect timely and quality execution. There are one or more procedures directly aligned with each specific policy.

In the information security space, procedures ensure consistency in the way processes are executed. They help limit deviation and keep bad things from happening, they make processes predictable, and they help ensure that new hires to the organization can adopt the same acceptable process for implementing those policies.

Governance is really difficult for most people to wrap their heads around, because it’s not exactly tangible. It is imperative that policies, when developed, are ones that can actually be followed. They should also not be based only on industry best practices, which you can find by doing some research, but on what actually works for the organization.
