05. Security Governance, Risk, and Compliance

Security Governance, Risk, and Compliance

ND545 C4 L1 04 Security Governance, Risk, And Compliance Video

Now that you’ve learned a little about the overall GRC context, this lesson is focused on providing a working definition for Security Governance, Risk, and Compliance. If you’ll recall, we previously discussed the OCEG’s definition of GRC, and I think it’s a great starting point for defining Security GRC.

As a reminder, the OCEG definition was: “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity,” but also remember that Security GRC is more narrowly focused on supporting the Security mission. If we combine the OCEG definition with the more tactical outcomes of Security, then we end up with something more along the lines of the following:

Security GRC is the integrated collection of capabilities that enable an organization to set and meet strategic goals, address existing and emerging threats, and meet obligations as they relate to security.

All three functions (Governance, Risk, and Compliance), of course, come together at the intersection of security controls: each of the three functions operates to ensure that security controls are working in a way that supports business outcomes. When Security GRC functions, and ultimately security controls, are not functioning as anticipated, the result can be security gaps throughout the infrastructure. If, for instance, you look at any of the high-profile security breaches frequently reported in the news, you can typically find links between GRC and security failures and the severity of the incident.

If you examined breaches like those from Booz Allen Hamilton or the Office of Personnel Management, for instance, you would likely find multiple security failures and many opportunities to improve security posture through healthy Security GRC practices, either before the breach occurred or in ways that would have led to less severe results.