ROI in GRC

Return on Investment (ROI) discussions are challenging
regarding GRC solution implementations for two reasons. First, GRC focuses on
improving an organization’s risk and compliance status, increasing security
controls and finding the balance between accepting and rejecting risks. Second,
implementing a GRC solution and maturing an organization’s risk and security
posture takes place over a course of years. Therefore, ROI calculations may not show
immediate (within the first year) financial performance results. However,
given how corporate budgets and decision-making work, ROI metrics still need to
be calculated and presented to executives. Categories for ROI
metrics are as follows:

  • Decreasing time = Increasing Efficiency:
    Managers record the current time it takes employees to complete GRC tasks, for example
    the time to manage the policy approval workflow, conduct business impact
    assessments or map policies to compliance regulations. Managers then project
    the time these same tasks will take after a GRC solution is
    implemented. A comparison of the two sets of times provides
    evidence of increased efficiency and, in turn, a basis for discussing how employees will use
    their “extra time” to support other company initiatives. SDS has
    seen such increased efficiency in organizations that have adopted some GRC
    solutions.
  • Effective Vendor Management = Reduced
    Duplication of Vendors: Centralizing vendor relationships into a single managed
    GRC solution will enable the business to identify duplication of vendor
    relationships including contracts and manage vendor risk with a consistent
    methodology.
  • Decreasing Risks = Cost Reductions: A GRC
    tool provides a database of risk information from all areas of the business and
    produces a comprehensive view of risk areas and impact. Organization strategies
    target the highest risks for remediation or address incidents effectively. This
    strategy results in fewer audit findings, reduced costs for security breaches
    and quicker remediation of risks because fewer risks remain.
  • Decreasing Silos = Strategic Performance:
    As an organization shifts operating from the GRC “silo” perspective to the GRC
    “integrated” perspective, that organization is equipped to use the
    comprehensive GRC information for making informed choices across typically siloed
    areas of the business. Examples of informed choices include faster availability of
    information to hire or assess vendors, administering information security awareness
    training and supporting marketing campaigns that advertise your organization’s
    security program.
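The “Decreasing time = Increasing Efficiency” metric above is the one most easily turned into a number for executives. The following is an added example, not code from the original post or from SDS; the task names, hours, hourly rate and licence costs are constructed sample figures. It prices recorded before/after task times at a loaded hourly rate, charges the one-off implementation cost plus a yearly licence cost, and reports cumulative ROI year by year, which shows why the first year can be negative while the multi-year picture is positive:

```python
"""Multi-year ROI from GRC task-time savings (the "Decreasing time" metric).

Added example, not code from the original post. All task names, hours, rates and
costs below are constructed sample figures, not measurements from any organization.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TaskTime:
    """One GRC task: hours per run today and projected hours per run after rollout."""
    name: str
    hours_before: float
    hours_after: float
    runs_per_year: int

    def hours_saved_per_year(self) -> float:
        return (self.hours_before - self.hours_after) * self.runs_per_year


# Constructed sample: times managers might record before and project after rollout.
SAMPLE_TASKS: List[TaskTime] = [
    TaskTime("Policy approval workflow", hours_before=6, hours_after=2, runs_per_year=40),
    TaskTime("Business impact assessment", hours_before=20, hours_after=12, runs_per_year=10),
    TaskTime("Map policies to regulations", hours_before=80, hours_after=30, runs_per_year=4),
]


def annual_savings(tasks: List[TaskTime], hourly_rate: float) -> float:
    """Yearly value of the freed-up time, priced at a loaded hourly labour rate."""
    return sum(t.hours_saved_per_year() for t in tasks) * hourly_rate


def roi_by_year(tasks: List[TaskTime], hourly_rate: float, implementation_cost: float,
                annual_cost: float, years: int) -> List[Tuple[int, float, float, float]]:
    """Cumulative ROI at the end of each year.

    ROI = (cumulative savings - cumulative cost) / cumulative cost, where cost is the
    one-off implementation cost plus the yearly licence/support cost paid to date.
    Returns (year, cumulative_savings, cumulative_cost, roi) tuples.
    """
    savings = annual_savings(tasks, hourly_rate)
    rows = []
    cum_savings = 0.0
    cum_cost = float(implementation_cost)
    for year in range(1, years + 1):
        cum_savings += savings
        cum_cost += annual_cost
        roi = (cum_savings - cum_cost) / cum_cost
        rows.append((year, round(cum_savings, 2), round(cum_cost, 2), round(roi, 3)))
    return rows


def break_even_year(rows: List[Tuple[int, float, float, float]]) -> Optional[int]:
    """First year whose cumulative ROI is non-negative, or None if never within the horizon."""
    for year, _, _, roi in rows:
        if roi >= 0:
            return year
    return None


if __name__ == "__main__":
    table = roi_by_year(SAMPLE_TASKS, hourly_rate=75, implementation_cost=60_000,
                        annual_cost=15_000, years=5)
    for year, saved, cost, roi in table:
        print(f"year {year}: saved {saved:>10,.2f}  cost {cost:>10,.2f}  ROI {roi:+.1%}")
    print("break-even year:", break_even_year(table))
```

With the constructed figures the rollout saves 440 hours a year (33,000 at 75 per hour), the first year closes at an ROI of -56%, and break-even arrives in year four; shortening the horizon to three years yields no break-even at all, which is the point the text makes about presenting ROI over several years rather than one.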


ISO 27001 Control A.7

A.7.1 Responsibility for assets

Objective: To achieve and maintain appropriate protection of organizational assets.

A.7.1.1 Inventory of assets

Control

All assets shall be clearly identified and an inventory of all important assets drawn up and maintained.

A.7.1.2 Ownership of assets

Control

All information and assets associated with information processing facilities shall be ‘owned’ by a designated part of the organization.

A.7.1.3 Acceptable use of assets

Control

Rules for the acceptable use of information and assets associated with information processing facilities shall be identified, documented, and implemented.

_______________________________________________________________________________________________________________

A.7.2 Information classification

Objective: To ensure that information receives an appropriate level of protection.

A.7.2.1 Classification guidelines

Control

Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to the organization.

A.7.2.2 Information labelling and handling

Control

An appropriate set of procedures for information labelling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization.


ISO 27001 Control A.6

A.6 Organization of information security

A.6.1 Internal organization

Objective: To manage information security within the organization.

A.6.1.1 Management commitment to information security

Control

Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.

A.6.1.2 Information security coordination

Control

Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.

A.6.1.3 Allocation of information security responsibilities

Control

All information security responsibilities shall be clearly defined.

A.6.1.4 Authorization process for information processing facilities

Control

A management authorization process for new information processing facilities shall be defined and implemented.

A.6.1.5 Confidentiality agreements

Control

Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified and regularly reviewed.

A.6.1.6 Contact with authorities

Control

Appropriate contacts with relevant authorities shall be maintained.

A.6.1.7 Contact with special interest groups

Control

Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

A.6.1.8 Independent review of information security

Control

The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.

_______________________________________________________________________________________________________________

A.6.2 External parties

Objective: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

A.6.2.1 Identification of risks related to external parties

Control

The risks to the organization’s information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.

A.6.2.2 Addressing security when dealing with customers

Control

All identified security requirements shall be addressed before giving customers access to the organization’s information or assets.

A.6.2.3 Addressing security in third party agreements

Control

Agreements with third parties involving accessing, processing, communicating or managing the organization’s information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements.


A year into GDPR

In the run-up to its introduction
on 25 May 2018, everyone was buried in the microscopic details of trying to
become GDPR compliant. Much of the focus was on the fact that non-compliance
could mean monetary penalties of up to €20m or 4% of total annual worldwide
turnover in the preceding financial year, whichever was higher. As a result,
little thought seemed to be given to how exactly the GDPR would reshape the
data privacy regime on a global and macro level.

It soon became clear after 25 May 2018 that
the UK’s data protection authority, the Information Commissioner’s Office
(ICO), was keen to send a message that it would exercise the GDPR’s
extraterritorial scope under Article 3 of the Regulation. This states that the
GDPR can apply to controllers and processors not established in the EU, where
there are certain processing activities related to data subjects who are in the
EU. The ICO relied on Article 3 in July 2018 when it issued its first
enforcement notice, to Canadian company AggregateIQ Data Services Limited. Such
action indicated that the reach of the GDPR was going to be global as far as
data protection authorities were concerned rather than contained within the EU.

There have also been rising levels of fines by
data protection authorities in the first year of the GDPR. These have jolted
the corporate world, particularly entities operating in the technology sector.
This shows that companies that forced through GDPR compliance in a panic by 25
May 2018 were right to do so, although no one knew what level of fines would be
imposed until they happened. Pre-GDPR data protection fines had been low, and
some thought that trend would continue.

In the UK, the maximum fine the ICO could
issue before the GDPR took effect was a relatively modest £500,000 and the financial
penalties imposed rarely came anywhere near that amount. As fines under the
GDPR could be so much higher than under the former regime, there was
uncertainty before 25 May 2018 whether the amounts would creep up or leap up.
Within a short space of time, it became clear that it would be the latter. A
record financial penalty was the €50m fine imposed in January 2019 by the
French data protection authority, the Commission Nationale de l’Informatique et
des Libertés (CNIL), against Google for breaches of the GDPR.

One aspect of the new GDPR regime that has not
yet been properly addressed in its first year is how much compensation should
be awarded under the new data privacy regime. As with the level of fines,
before the GDPR came into force compensation for individuals who had suffered a
data breach was not usually very high. As such, data protection claims were
often a bolt-on to other claims in the courts for breaches of confidence,
defamation or for misuse of private information.

We have yet to see enormous damages awards in
the civil courts for individuals who have suffered from data privacy breaches.
We expect, though, that the amounts of compensation paid out to victims of data
breaches under the GDPR will gradually increase, as they have in misuse of
private information claims. This is a fairly recent but now distinct legal
cause of action that grew out of breach of confidence cases and Article 8 of
the European Convention on Human Rights. (Article 8 protects a person’s right
to respect for their private and family life, their home and their
correspondence.) Damages awarded by the courts for those claims did not breach
the £5,000 mark until Max Mosley was awarded £60,000 for his claim against the
News of the World in 2008, after which the amount of damages became markedly
more substantial. For instance, last year Sir Cliff Richard was awarded
£210,000 in damages for his privacy case against the BBC.

While out-of-court settlements of data privacy
compensation claims and awards by the courts are likely to increase under the
GDPR data privacy regime, there is still a likelihood that for a while at
least, individuals will consider bringing claims combined in large-scale group
litigation actions where data privacy is one element of a larger case. This has
been a tactic that has worked in the past, for instance in the long-running
court action against various construction companies where 1,200 blacklisted
workers secured £35m in compensation between May 2016 and May 2019 for breaches
of the Data Protection Act 1998, breaches of confidence, breaches of defamation
law, for misuse of private information and loss of earnings. Eventually,
however, compensation amounts for data privacy claims are likely to reach a
level at which stand-alone single claimant claims in the civil courts will
become viable, in a similar way to misuse of private information claims.

A final point to note about the GDPR regime is
that it may well have enthused non-EU countries to put a new emphasis on their
own data privacy regimes. In many instances, non-EU companies are likely to
need to be GDPR compliant anyway. Data privacy seems to be a new buzz phrase
across the world, and the US appears to be focusing heavily upon it,
particularly following the 2018 Facebook/Cambridge Analytica data scandal.

Facebook is said to be expecting a fine of up
to $5bn from the US Federal Trade Commission (FTC), which Facebook has said is
“in connection with the inquiry of the FTC into [Facebook’s] platform and user
data practices”. It is difficult to know if there would have been as much
enthusiasm for such large fines for data privacy issues in the US without the
GDPR having first shown the way in the EU and beyond. Everything may be said to
be bigger in the US, but to date the largest penalty that the FTC has imposed
for a privacy breach by a technology company was a $22.5m fine against Google
in 2012, a sum eclipsed by CNIL’s €50m fine against Google this year.

In short, the implementation of the GDPR on 25
May 2018 appears to be the most significant milestone so far in what looks set
to be a global shift in how data privacy is to be dealt with in the digital
age. We can expect increasing amounts of fines, compensation, litigation, and
headlines, not to mention more regulation and legislation to protect data privacy.
This will include the EU’s much delayed proposed ePrivacy Regulation, which in
March 2019 the European Data Protection Board pressed EU legislators to adopt.

The ePrivacy Regulation will probably not be
introduced for a year or two. When it is, it will affect all electronic
communications service providers, including WhatsApp, Facebook Messenger,
Skype, and Gmail. Its intention is to enhance the security and confidentiality
of electronic communications, to clarify electronic direct marketing rules (eg,
with regard to email and text messages), to clarify rules on metadata, to
define clearer rules on tracking technologies, such as cookies, and to achieve
more harmonisation of e-privacy across different countries. As with the GDPR,
infringers of the ePrivacy Regulation will also be subject to fines up to €20m,
or 4% of total worldwide annual turnover of the preceding financial year,
whichever is higher.

The story, therefore, has just started in
relation to data privacy and the global digital market.

Content Source: https://www.lexology.com/library/detail.aspx?g=5bde5ab5-e0fb-41c0-ba1a-a50871887824


How GRC solutions help companies meet GDPR requirements

In May 2018, companies raced to the finish line to achieve GDPR compliance. Given that it was the first year of the GDPR, many industry experts did not expect to see any companies fined. That is all going to change in the year ahead. In January 2019, Google was hit with the first major GDPR fine of $57 million, putting an end to the unspoken grace period. Companies should recognize this as a warning: get compliant or risk massive fines. This is especially important as only 59 percent of organizations report meeting all or most GDPR requirements, 29 percent expect to do so within a year, and nine percent will take more than a year.

With the stress of GDPR and potential increase in consumer privacy legislation looming on the horizon, CISOs need help. Rather than continuing to spin their wheels, CISOs should consider governance, risk and compliance (GRC) solutions that simplify GDPR compliance by streamlining operations to avoid fines and penalties altogether. Below I put together three ways that a GRC solution can help.

Centralization of key data and activities

For many organizations, spreadsheets, email, and other manual approaches to tracking data and compliance activities are the norm. However, taking a manual approach to GDPR compliance only makes the task that much more difficult for CISOs. Rather than creating more problems, CISOs should seek out GRC solutions as they create a central repository of key compliance activities and information. In doing so, risk managers will be able to see all activities that fall under the GDPR compliance and monitor the processes dedicated to meeting regulatory standards.

Having a centralized location for all key data and activity provides clear visibility for internal stakeholders and executives. This keeps your information from becoming siloed, allowing data to be easily accessed. Additionally, a transparent approach helps reduce the lack of clarity and verifiability that is a significant hardship when centralization is lacking.

Ability to demonstrate compliance

Beyond centralizing key data and activity, GRC solutions make it easier for companies to demonstrate GDPR compliance to internal and external parties. This is because when all GDPR compliance activities are visible in one location, digging up key information for reporting and sharing becomes straightforward, efficient and clear.

There are several examples where the ability to demonstrate compliance is especially important. For example, risk managers can save time and remove stress by being able to quickly pull relevant information for an executive who is interested in the progress of GDPR compliance or who needs updates on other information. In other cases, a business may need to prove GDPR compliance in order to qualify for certain contracts with outside parties such as potential clients or governmental organizations. GRC solutions give CISOs and risk managers the tools they need to easily prove compliance.

Quick responses to breaches

Given the strong guidelines around breach responses for GDPR compliance, a robust incident-response plan is necessary. CISOs will want to have all protocols documented well ahead of time, before a breach event occurs. These guidelines can vary from quite general to highly specific to the market and type of data involved. However, at a bare minimum, these plans need to identify key personnel, responsibilities, communication protocols, and timelines. Given the GDPR requirement to report breaches publicly within 72 hours, the timing for an incident-response plan is extremely important.

Additionally, GRC solutions give companies the opportunity to transform their incident response plans from static to interactive. This is especially important once a company has to put its plan to the test in a real breach. Static incident response plans create siloed departments and loss of communication, leaving much of the responsibility on one person who must communicate across the organization. By putting an interactive process in place, companies can automatically capture:

  • The day and time the incident occurred
  • The type of incident
  • Each employee involved in the incident
  • All communications concerning the incident
  • Root cause analysis of the incident

Benefits of an interactive incident response plan

GRC solutions provide an interactive incident-response plan and give companies the ability to customize and automate workflows. This way, they can take complex risk-management processes from difficult to user-friendly, allowing employees to feel confident in their response to breaches.
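The record an interactive plan captures (time of occurrence, incident type, people involved, communications, root cause) and the 72-hour clock from the section above, as an added example rather than code from the original post or from any GRC product. Identifiers, timestamps, names and messages are constructed sample data, and the example assumes the 72-hour window is counted from the moment the breach is detected (`detected_at`), so that whoever is on point can see at any time how many hours remain:

```python
"""Interactive incident record with a 72-hour notification clock.

Added example, not code from the original post or any GRC product. All
identifiers, timestamps, names and messages are constructed sample data. It
assumes the 72-hour window starts when the breach is detected (`detected_at`).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

NOTIFICATION_WINDOW = timedelta(hours=72)  # reporting window cited in the post


def _require_aware(ts: datetime, label: str) -> datetime:
    """Deadline arithmetic silently goes wrong across time zones with naive timestamps."""
    if ts.tzinfo is None:
        raise ValueError(f"{label} must be timezone-aware")
    return ts


@dataclass
class Incident:
    incident_id: str
    incident_type: str
    occurred_at: datetime      # when the incident happened (may predate detection)
    detected_at: datetime      # when it became known; starts the notification clock
    people: Dict[str, str] = field(default_factory=dict)  # person -> role
    communications: List[Tuple[datetime, str, str, str]] = field(default_factory=list)
    root_cause: Optional[str] = None

    def __post_init__(self) -> None:
        _require_aware(self.occurred_at, "occurred_at")
        _require_aware(self.detected_at, "detected_at")

    def involve(self, person: str, role: str) -> None:
        self.people[person] = role

    def log_communication(self, at: datetime, sender: str, recipient: str, message: str) -> None:
        self.communications.append((_require_aware(at, "at"), sender, recipient, message))

    def notification_deadline(self) -> datetime:
        return self.detected_at + NOTIFICATION_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        """Hours left to notify; negative once the window has passed."""
        return (self.notification_deadline() - _require_aware(now, "now")).total_seconds() / 3600

    def is_overdue(self, now: datetime) -> bool:
        return self.hours_remaining(now) < 0

    def timeline(self) -> List[Tuple[datetime, str, str, str]]:
        """Communications in chronological order, whatever order they were logged in."""
        return sorted(self.communications, key=lambda c: c[0])

    def status(self, now: datetime) -> dict:
        """Executive summary of where the response stands."""
        return {
            "incident_id": self.incident_id,
            "type": self.incident_type,
            "deadline": self.notification_deadline().isoformat(),
            "hours_remaining": round(self.hours_remaining(now), 1),
            "overdue": self.is_overdue(now),
            "people_involved": len(self.people),
            "communications": len(self.communications),
            "root_cause_known": self.root_cause is not None,
        }


def build_sample_incident() -> Incident:
    """Constructed sample: a leaked customer export detected the morning after it happened."""
    utc = timezone.utc
    inc = Incident("INC-EXAMPLE-001", "Unauthorised disclosure of customer export",
                   occurred_at=datetime(2019, 3, 3, 22, 15, tzinfo=utc),
                   detected_at=datetime(2019, 3, 4, 9, 0, tzinfo=utc))
    inc.involve("j.doe", "incident lead")
    inc.involve("a.smith", "data protection officer")
    inc.log_communication(datetime(2019, 3, 4, 9, 20, tzinfo=utc), "j.doe", "a.smith",
                          "Export file found on public share; containment started")
    inc.log_communication(datetime(2019, 3, 4, 9, 5, tzinfo=utc), "monitoring", "j.doe",
                          "Alert: customer export accessed from unexpected location")
    inc.root_cause = "Export job wrote to a share with anonymous read access"
    return inc


if __name__ == "__main__":
    incident = build_sample_incident()
    print(incident.status(datetime(2019, 3, 5, 21, 0, tzinfo=timezone.utc)))
```

The record keeps `occurred_at` and `detected_at` separate because the two often differ, and it refuses naive timestamps outright: a deadline computed from a local-time entry and checked against a UTC clock is exactly the kind of mistake that turns a 36-hour margin into a missed window.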


ISO 27001 Control A.5

A.5 Security Policies

A.5.1 Information Security Policy

To provide management direction and support for information security in
accordance with business requirements and relevant laws and regulations.

A.5.1.1 Information Security Policy Document

A set of policies must be defined, approved by management, published and communicated to employees and relevant external parties. The policies must be driven by business needs together with the regulations and legislation applicable to the organisation. These policies need to be reviewed regularly and updated when necessary. The information security policy document itself shall be approved by management, and published and communicated to all employees and relevant external parties.

A.5.1.2 Review of the Information Security Policies

The policies for information security need to be reviewed at planned
intervals, or if significant changes occur, to ensure their continuing
suitability, adequacy and effectiveness. A review is also warranted whenever changes
are made to the business, its risks and issues, technology, or legislation and
regulation, or whenever security weaknesses, events or incidents indicate a need
for policy change. Policies must also be reviewed and updated on a regular basis. ISO considers
‘regular’ to be at least annually, which can be hard work if you are manually
managing that many reviews and also dovetailing them with the independent review.


What is ISO 27001:2013?

ISO 27001 is the internationally recognised standard for managing risks
to the security of information you hold. Certification to ISO 27001 allows
you to prove to your clients and other stakeholders that you are managing the
security of your information. ISO 27001:2013 (the current version of ISO 27001)
provides a set of standardised requirements for an Information Security
Management System (ISMS). The standard adopts a process-based approach for
establishing, implementing, operating, monitoring, maintaining, and improving
your ISMS.

The ISO 27001 standard and ISMS provides a framework for information
security management best practice that helps organisations to:

  • Protect client and employee information
  • Manage risks to information security effectively
  • Achieve compliance with regulations such as the European Union General Data Protection Regulation (EU GDPR)
  • Protect the company’s brand image

Benefits of ISO 27001:2013

Protecting your organisation’s information is critical for the
successful management and smooth operation of your organisation. Achieving ISO
27001 will aid your organisation in managing and protecting your valuable data
and information assets.

By achieving certification to ISO 27001 your organisation will be able
to reap numerous and consistent benefits including:

  • Keeps confidential information secure
  • Provides customers and stakeholders with confidence in how you manage risk
  • Allows for secure exchange of information
  • Helps you to comply with other regulations (e.g. SOX)
  • Provides you with a competitive advantage
  • Enhances customer satisfaction, which improves client retention
  • Brings consistency to the delivery of your service or product
  • Manages and minimises risk exposure
  • Builds a culture of security
  • Protects the company, assets, shareholders and directors

ISO 27001:2013 Accreditation

Certification Europe is accredited by both INAB and UKAS to audit and
certify organisations to ISO 27001:2013. This means that we have the authority,
expertise and know-how to go into organisations and assess them against the
requirements of ISO 27001.

The term ‘Accreditation’ can lead to confusion for organisations. To
clarify, only certification bodies can be accredited for a standard. As an
organisation, you are certified to a standard. As an accredited certification
body, we certify our clients when they have successfully met the requirements
of ISO 27001.

Accreditation is the process by which a certification body is recognised
to offer certification services. In order to become accredited, Certification
Europe is required to implement ISO 17021 which is a set of requirements for
certification bodies providing auditing and certification of management
systems. Certification Europe is audited annually by our accreditation bodies
to ensure its services meet the exact requirements of the relevant
accreditation standards.

What industries implement ISO 27001:2013?

ISO 27001 Certification is suitable for any organisation, large or
small, in any sector. The standard is especially suitable where the protection
of information is critical, such as in the banking, financial, health, public
and IT sectors. The standard is also applicable to organisations which manage
high volumes of data, or information on behalf of other organisations such as
data centres and IT outsourcing companies.

Content source: https://www.certificationeurope.com/certification/iso-27001-information-security/


Requirement of GRC

The news headlines continue to report on fines imposed by regulators, a myriad of corporate bribery and fraud, and the challenges of driving business growth. This trend only serves to highlight that despite recent investment in compliance, internal audit, risk management, and corporate governance disciplines, significant assurance gaps exist in most corporations. While isolated incidents of one-time governance failures are bound to occur, long-term systemic failures are more than just an isolated anomaly.

Although fingers often point to one specific area of the company as the responsible party, these events are the result of much more than a couple of overlooked risk assessments or poor management judgments. They indicate that the assurance functions of legal, internal audit, risk management and compliance, in most cases, do not share business processes, terminology, technology, information, or a common assurance methodology. To address this shortcoming, the concept and discipline of end-to-end Governance, Risk and Compliance (GRC) has emerged.

Many organizations consider their legal, audit, risk management, compliance or corporate governance processes to be at an acceptable level of maturity. To assess where an organization is on the maturity curve, the question to ask is: Could my company make the following representation to our shareholders or to the board?

  • We have a consistent process in place to understand current regulatory requirements and proactively assess all of the regulatory changes that will impact the organization.
  • We have identified the levels within our organization structure where accountability for GRC resides and have a common understanding of how GRC activities connect to the business processes that create value in our organization.
  • The board and senior management have a common language to describe risks and controls, have visibility into all business risks, and a secure portal to share and communicate information.
  • We have designed a standard, reliable methodology, developed suitable conceptual frameworks combined with information technology and assigned sufficient management accountability and resources across our organization to ensure our risk management information continuously meets our requirements.
  • Our internal audit department evaluates the reliability of our risk management framework continuously and we adopt all necessary measures to ensure the reliability of our framework is maintained or enhanced.

Few, if any, companies could reliably prepare such a representation. At best, individual point-in-time silo-based reports on compliance, control or governance effectiveness might be available. But the concept of positive, continuous and verifiable enterprise-wide reporting does not exist in today’s assurance world. To do so requires the implementation of an end-to-end approach to GRC.

GRC with RPA

What is Robotic Process Automation (RPA)

According to Gartner, RPA is the recalibration of human labor to drive business outcomes. RPA is low cost: it costs about one third as much as offshore employees and one fifth as much as onshore employees. It is quick to implement and unobtrusive, and it can work with zero human error. It is commonly used for reporting, accounts payable, customer feedback capture and sales quote preparation.

What is Governance, Risk management and Compliance (GRC)

Governance, risk management and compliance are three related terms that describe how an organization achieves its objectives, addresses uncertain events and maintains integrity. GRC enables the simplification, automation, and integration of enterprise, operational, and IT risk management processes and data.

  • Governance: The laws, policies and practices that help executives direct and control the organization.
  • Risk management: The process of identifying threats and vulnerabilities in an organization and applying the necessary controls to maintain security.
  • Compliance: Adherence to laws and to corporate policies and procedures.

GRC using RPA

RPA in Governance:

  • Detecting fraud, waste and abuse within the organization
  • Robotics can be used for the following purposes:
    1. Vendor management
    2. Pipeline and delivery management
    3. Organizational structure
    4. Human resources
  • It can support executives’ decision-making in controlling an organization.

RPA in Risk Management:

  • Robots can be fully automated to detect any mishap in a control.
  • RPA can collect historical data and analyse it to predict future risk occurrence.
  • Automatic password changes for critical assets every few minutes.
  • Applying emergency measures in case of an attack.
  • Prioritization of critical assets and data, and prediction of their use.
  • Expect enhanced regulatory and internal audit scrutiny.

RPA in Compliance:

  • Provides efficiency through automation of highly manual processes and workflows.
  • Pulling and aggregating data from multiple sources can enhance the efficiency of regulatory, non-financial and risk reporting.
  • Helps reduce the time-consuming processes of collecting, compiling, cleansing and summarizing large amounts of information.

Financial institutions execute tests to determine whether operations are compliant with specific laws, rules, regulations and, as appropriate, internal policy directives.

Enterprise Risk Management

Risk Management (VRM) allows organizations to proactively manage IT security risks by combining asset business context, actionable threat intelligence, vulnerability assessment results, and comprehensive workflows:

  • More secure organization with proactive management of IT security risks
  • Accurate identification and prioritization of vulnerability issues
  • Link audit procedures and results to enterprise risks and controls
  • Assign, measure, and report on vulnerability program KPIs