How To GRC Playbook

This reference is a "How To GRC Playbook" that is designed to proactively address the strategic, operational and tactical nature of operating an organization's cybersecurity and privacy program at the control level. It is designed to address both internal controls and the broader concepts of Supply Chain Risk Management (SCRM) and Third-Party Risk Management (TPRM).

Integrated Controls Management (ICM) GRC focus

Integrated Controls Management (ICM) Model

The Integrated Controls Management (ICM) model is a free resource to help organizations design and implement their Governance, Risk & Compliance (GRC) practices so that they center on the applicable cybersecurity and data protection controls. The premise of the ICM is that controls are central to cybersecurity and data privacy operations, as well as to the overall business rhythm of an organization. This is supported by the Secure Controls Framework (SCF) Cybersecurity & Data Privacy Risk Management Model (C|P-RMM), which describes the central nature of controls: not just policies and standards map to controls, but procedures, metrics, threats and risks as well. The ICM model takes a different approach from the traditional definition of GRC, since ICM is controls-centric, where controls are viewed as the nexus, or central pivoting point, for an organization's cybersecurity and privacy operations.


What Does It Mean To Be Secure? What Does It Mean To Be Compliant? 

The ICM specifically focuses on the need to understand and clarify the difference between "compliant" and "secure", since that distinction is necessary for coherent risk management discussions. To assist in this process, the ICM helps an organization categorize its applicable controls according to "must have" versus "nice to have" requirements:

  • Minimum Compliance Requirements (MCR) are the absolute minimum requirements that must be addressed to comply with applicable laws, regulations and contracts.
  • Discretionary Security Requirements (DSR) are tied to the organization's risk appetite, since DSR are "above and beyond" MCR: the organization self-identifies additional cybersecurity and data protection controls to address voluntary industry practices or internal requirements, such as findings from internal audits or risk assessments.

Secure and compliant operations exist when both MCR and DSR are implemented and properly governed:

  • MCR are primarily externally influenced, based on industry, federal, state and local regulations. Meeting MCR should never be taken to imply adequate security or data protection, since MCR are merely compliance-related.
  • DSR are primarily internally influenced, based on the organization's industry and risk tolerance. While MCR establish the foundational floor that must be adhered to, DSR are where organizations often achieve improved efficiency, automation and enhanced security.

Plan, Do, Check & Act GRC Principles

There are eight (8) principles associated with the ICM, which follow a Plan, Do, Check & Act cycle:

    1. Establish Context;
    2. Define Applicable Controls;
    3. Assign Maturity-Based Criteria;
    4. Publish Policies, Standards & Procedures;
    5. Assign Stakeholder Accountability;
    6. Maintain Situational Awareness;
    7. Manage Risk; and
    8. Evolve Processes.