Policy Generation & Review

What is GRC?

Governance, Risk, and Compliance (GRC) is the framework that organizations use to manage risks, ensure operations are aligned with business goals, and that all laws and regulations are properly adhered to.

For most organizations, GRC is best achieved through a set of policies, standards, and guidelines as follows. (*Mandatory)

  • Policies*: High-level document(s) or directives from senior management that define cybersecurity goals and principles. These tend to be general in nature, very broad in scope, and relatively static. They focus on what needs to be achieved, without detailing how. An example might be a Data Governance Policy stating what category of data is to be protected in transit and at rest, and what type of data can be shared.

  • Standards*: Specific, mandatory requirements that provide guidance for achieving management or board intent as stated in the policies above. They translate high-level objectives into measurable requirements in alignment with the organization's security goals. An example might be a Credential Standard which requires 16-character alpha-numeric passwords with no repeated words or common phrases. This standard might also reference a separate but related Password Construction Guideline document.

  • Guidelines: Recommendations for best practices and suggestions for how to implement policies and standards without enforcing strict compliance. Further, these offer suggestions as to how to approach certain security tasks or technologies. A guideline can provide flexibility on how to achieve the objectives of a policy or standard, without being overly restrictive. For example, a Password Standard might state that a “password safe” must be used for all administrative accounts but allow for a password management system of the user’s choosing, rather than requiring a specific product.

Why is it important?

The best way to ensure your cybersecurity strategy is aligned with your organization’s business goals is through the creation of a strong, comprehensive GRC program.

Using a GRC framework allows you to take a proactive approach to risk management, thereby ensuring legal and regulatory compliance. A strong GRC program also builds trust and reputation with your customers, assuring them you value data protection.

By investing in a strong GRC program, organizations will achieve more effective security than by relying strictly on technology.

The PuzzleSec Solution

By taking the GRC approach, PuzzleSec enables organizations and their relevant stakeholders to effectively achieve their cybersecurity goals.

Many organizations spend a sizable portion of their cybersecurity budget on technology and perceive this as a “fix-all solution” to their cybersecurity needs. A much smaller investment in a set of well-written policies, standards, and guidelines will inform better decision-making and drive better security outcomes. Coupled with effective communication and education regarding organizational goals, organizations will see much stronger results and ultimately reach a true defense-in-depth posture. Technical solutions are fraught with risk and rarely fully implemented. PuzzleSec solutions reflect the actual goals of the organization.

Navigate governance, risk, and compliance with our cybersecurity experts.