Governance, Risk and Compliance

Governance, Risk and Compliance (GRC) sessions are meetings focused on aligning IT and OT with the business goals while managing risks to the organisation. They focus on compliance with standards and regulations.

By combining governance, risk management and compliance management we can increase efficiency, reduce effort wasted on work that is not aligned with the business goals, and work towards compliance with regulations and standards.

GRC sessions help key decision makers take better-informed decisions in a risk-aware environment.

The elements of Governance, Risk Management and Compliance:

Governance:

Governance is the set of rules, policies and frameworks that the organisation uses to achieve its business goals.
The scope of governance is wider than cybersecurity alone, and should include topics such as resource management, ethics, social responsibility, conflict management, ...

Risk Management:

Risk management is the process of identifying and analysing risks and defining mitigating measures.
Risks can be technical, safety, economic, environmental or reputational risks. The greater the risk, the more important it is to have good mitigating measures in place.

There are multiple ways of doing risk management, and all industry standards include risk management in one form or another.

We found that risks should be investigated with different mindsets, in which we:

  • Look at the scope and baseline of the organisation
  • Investigate risk origins using RO/TO (Risk Origin / Target Objective)
  • Look at strategic scenarios, defining the attack paths most likely to be used to reach the target objectives
  • Operational scenarios: look at the possible technical scenarios that can impact the environment
  • Risk mitigation: what we can do to reduce the likelihood of those scenarios happening, how much risk is left, and whether it is acceptable


Compliance:

Compliance checks whether the rules, regulations, industry standards and laws are being followed. It covers the procedures that must be implemented in order to comply with those rules and regulations. For instance, in industry, for cybersecurity, we often refer to the ISA 62443 series of standards when checking for compliance.