Governance, Risk & Compliance: The Three Primary Strands
What are the Three Primary Strands of Cyber-Security? What is Governance? What is Risk Management? What is Compliance?
— Dusty
What are the Three Primary Strands of Cyber-Security?
Within the broad scope of cyber-security, there are three primary strands that play a key role in safeguarding organisations and individuals: Governance, Risk & Compliance (GRC).
Together these three aspects control an organisation's approach to security, how it manages risk, and how it makes sure it is operating securely within all legal boundaries and best practices.
Let's take a look at each aspect:
Governance:
Governance is how you control your organisation's approach to cyber security. It involves directing and controlling security decisions while exercising due care and ensuring full accountability. This may encompass coordinating security activities, enabling the flow of security information, and facilitating decision-making throughout the organisation.
Risk Management:
Risk management aims to assess and reduce risk by implementing appropriate measures. Major security issues often occur due to inadequate risk management, but risk is not limited to information security issues, so risk management must not be delegated solely to the IT team.
Compliance:
Compliance means conforming to various objectives such as rules and policies defined by the organisation itself, industry standards like ISO 27001, legal regulations like the Data Protection Act (DPA), and contractual obligations.
It is important to consider each individual jurisdiction that your organisation operates within and the different national and international laws you will have to comply with.