Governance Risk and Compliance (GRC)

Manage your Cybersecurity Program

Guernsey can help you meet regulatory and compliance obligations by implementing a Governance Risk and Control Program. Depending on regulatory or contractual requirements, organizations may be required to comply with different cybersecurity frameworks or to pass a regulatory review or audit such as CMMC or SOC 2.

We help you identify the appropriate framework to measure the design and effectiveness of your cybersecurity program. Common frameworks we have helped our clients implement include NERC-CIP, CIS7.1, NIST 800-171, CMMC, HIPAA, and Trust Services Criteria.

We track and measure compliance with control objectives, identify and map control activities, and create processes to collect evidence that controls are completed. We also identify control objectives that are not being met and prioritize recommendations for improvement based on risk.

Our GRC process is one of the best ways to continually measure the adequacy of your cybersecurity program. We have individuals with experience assisting organizations who must comply with various standards mandated by government entities, customers, or industry groups. We can help you build a cybersecurity program that provides security and complies with any applicable standards, including CMMC, NERC-CIP, PCI, HIPAA, FFIEC, and others. We can also prepare you for CMMC, SOC 2, and HITRUST assessments.

Governance, Risk, Security and Compliance Guidance

There are a variety of governance, cybersecurity, and compliance frameworks and controls that are intended to provide guidelines, best practices, and requirements that organizations follow to manage and protect their business, information systems, data, and networks from a variety of threats and vulnerabilities (risks), including cybersecurity risks. Nearly all the resources listed below are often referred to as "frameworks", but many are just a set of standards, requirements, or regulations.

An organization's goal should be to establish a systematic approach to identify, assess, and mitigate risks and to ensure the confidentiality, integrity, availability, and safety of its systems, employees, and customers. There are numerous standards and frameworks, each with a specific focus and applicability. Some of the most prominent or misunderstood include:

Frameworks & Maturity Models

  • ISO/IEC 27001: ISO/IEC 27001 is an international standard for information security management systems providing a comprehensive framework for establishing, implementing, maintaining, and continuously improving information security within an organization. ISO 27001 outlines a set of controls and risk management processes that organizations can adopt to protect their information assets.

    ISO/IEC 27001 is a quite common framework, particularly for companies providing cloud offerings or needing to demonstrate a solid security program to customers because they can be certified against the standards by an independent third party. Additionally, this is a standard recognized throughout the world.
  • Capability Maturity Model Integration (CMMI): CMMI is a process and behavioral model that drives process improvements with a focus on hardware, software, and service development and performance across industries.

    Originally designed as a process improvement tool with input from the DoD, implementation of the program is often seen as a requirement for DoD and U.S. Government software development contracts. More recently, ISACA has developed a Cybersecurity Platform based on CMMI to aid organizations in building and managing their cybersecurity program.
  • Control Objectives for Information and Related Technologies (COBIT): COBIT is a framework for governance and management of enterprise information and technology, aimed at the whole enterprise. It defines roles and responsibilities throughout the organization and aims to ensure effective communication of business objectives and identification and management of information and technology related risks.

    A cybersecurity program and set of controls would be part of a COBIT implementation, but specific details would not be driven by COBIT. The framework describes high-level tasks for roles throughout the organization (e.g., communicate management objectives, define data and system ownership, optimize asset value). COBIT also recognizes the concept of a capability level taken from the CMMI-based process capability scheme (maturity).
  • Committee of Sponsoring Organizations (COSO) Framework: COSO is a control framework focused on corporate governance, risk management, and internal controls, designed by a group of five respected accounting-related organizations to understand the impact of internal controls on fraudulent financial reporting. It was designed to help organizations design and implement internal controls in light of the many changes in business and operating environments.

    COSO is considered an important framework and often used by public companies as they are required to demonstrate compliance and internal controls to provide confidence in their financial reporting.
  • National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF): NIST CSF, born out of Executive Order 13636, Improving Critical Infrastructure Cybersecurity, is a framework designed to focus on business drivers to guide cybersecurity activities and ensure cyber risk is considered as part of organizational risk management. It provides a set of activities to achieve specific cybersecurity outcomes and references examples and other NIST guidance to achieve those outcomes.

    A new version of the CSF is currently out in draft form with updates to better address current and anticipated future cybersecurity challenges and to make it easier for all organizations to use the framework.
  • Health Information Trust Alliance (HITRUST) Common Security Framework (CSF): HITRUST CSF was originally focused and tailored to address compliance obligations in healthcare for protecting personal health information (PHI), but it is now a security and risk compliance framework that brings together components and best practices from several frameworks and compliance guidance and can be tailored to address various compliance obligations. HITRUST does include a self-assessment option, but most organizations using HITRUST seek certification.
  • Cybersecurity Capability Maturity Model (C2M2): The C2M2 framework is focused on the implementation and management of cybersecurity practices associated with information technology (IT), operational technology (OT), and information assets and the environments in which they operate. This framework was developed by the Department of Energy (DOE) along with private and public sector experts. While led by the energy industry, the current version of the framework is designed to work for organizations across industries.
  • System and Organization Controls (SOC) 2 Trust Services Criteria: The American Institute of Certified Public Accountants (AICPA) has developed SOC 2 as a process for examining and reporting on controls at an organization focused on the Trust Services Criteria (TSC), including security, availability, processing integrity, confidentiality, and/or privacy. For each area of focus, criteria are defined that an organization must demonstrate it is meeting through properly designed and operating controls.

    The important thing to keep in mind is that on its own this is not exactly a security or governance framework, and there is no "SOC certification". Rather, the TSC are based on COSO principles; a company must define the internal controls it has implemented to meet those principles, and then engage an accounting firm to evaluate the design and implementation of those controls against the SOC 2 TSC. It is common for software-as-a-service (SaaS) providers to have a SOC 2 audit each year to communicate to customers not only their documented security controls, but a level of assurance that the implementation and operation of those controls was independently verified.

Security Standards and Control Resources

  • Center for Internet Security (CIS) Critical Security Controls: The CIS Controls are a set of 18 prioritized security controls that are considered essential for effective cybersecurity. This list of controls is risk-informed and is a great starting point to help organizations without robust governance or large security and IT teams quickly identify and focus on high-risk areas of cybersecurity.

    CIS provides safeguards, or "sub-controls", that are specific and unique actions to implement the 18 controls, as well as implementation groups to help prioritize implementation of the controls and safeguards. Mappings are also available to aid in understanding and complying with various regulations.
  • NIST Special Publication 800-53: NIST 800-53 is a catalog of security controls for systems and organizations that is mandatory for U.S. federal information systems in accordance with Office of Management and Budget (OMB) Circular A-130 and the provisions of the Federal Information Security Modernization Act (FISMA). Implementers of these controls are advised to first determine which controls are required by using Federal Information Processing Standards (FIPS) 199, basically a guide for categorizing the security level of the system and the information it processes (low, moderate, high). NIST 800-53B is an inventory of the applicable security and privacy baseline controls from 800-53 required for each of those security categories.

    Because NIST 800-53 is not a framework but a control catalog, it states that additional publications, including NIST 800-37 (risk management framework) and NIST CSF (cybersecurity framework), along with 800-53 will aid organizations in identifying the security and privacy controls needed to manage risk and meet the requirements of FISMA.
  • NIST Special Publication 800-171: NIST 800-171 is a catalog of security controls, tailored from NIST 800-53, aimed at the protection of Controlled Unclassified Information (CUI) in systems outside of U.S. federal systems. CUI is a category of U.S. federal information that, while not classified, still requires a certain level of confidentiality safeguards.

    Federal contractors, particularly Department of Defense (DoD) contractors, have clauses in their contracts requiring protection of CUI and, in many cases, implementation of the NIST 800-171 practices. The DoD's pending compliance program, Cybersecurity Maturity Model Certification (CMMC), is a hot topic. While it sounds like a cybersecurity framework (and initially was intended as such), it really is just a requirement to comply with NIST 800-171 and demonstrate that compliance, often through assessment by a certified third party assessor organization (C3PAO).

    It should also be noted that a draft update to NIST 800-171 is out for public comment. It has been updated to better align with the most recent version of 800-53, as well as include some controls previously “assumed” to be implemented by the organization.

Industry and Data Specific Standards and Regulations

  • Payment Card Industry Data Security Standard (PCI DSS): PCI-DSS is a set of control requirements for organizations that handle credit card data and devices used for card processing. It outlines security controls and practices to protect cardholder data and prevent data breaches in the payment card industry.

    Depending on the role played in the payment process and number of transactions handled, the organization will have a different level of attestation they must do regarding their compliance with the standard ranging from various types of self-assessments to an independent third-party assessment.
  • Health Insurance Portability and Accountability Act (HIPAA) Security Rule: The Security Rule establishes standards for protecting electronic PHI that is created, received, used, or maintained by a health provider. Requirements within the Security Rule are identified as either required or addressable. As expected, those marked required must be implemented as stated in the rule. The concept of addressable items doesn't mean the standard is optional but allows for flexibility in the implementation. A company may implement as specified, address the requirement through alternative security measures, or not implement it but document the decision and a risk-based justification for why it may not be applicable. HIPAA also includes a Privacy Rule with a focus on protecting patients' privacy.
  • General Data Protection Regulation (GDPR): The GDPR is a European Union (EU) regulation that governs personal data protection for EU citizens. GDPR is a privacy regulation, requiring a focus on data protection, technical data security controls, accountability and governance, and privacy rights.

    Many US states are releasing similar personal data protection regulations such as the California Consumer Privacy Act (CCPA), so it is important for businesses to understand where their customers reside and ensure security and privacy controls are in place to meet those regulations.
  • Transportation Security Administration (TSA) Cybersecurity Security Directives: The TSA has regulatory authority over pipelines, railways, and public transportation, and as such has released security directives regarding cybersecurity protections in those industries.

    In response to the Colonial Pipeline cybersecurity incident, TSA used their authority under 49 U.S.C. 114(l)(2)(A) to issue enforceable security directives (see SD-Pipeline-2021-01C and SD-Pipeline-2021-02D) for the top 100 pipeline owner/operators requiring implementation and demonstration of security and incident response programs designed to meet specific TSA requirements.
  • North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP): NERC-CIP is one of many enforceable reliability standards applicable to bulk power system owner/operators, and it has a specific focus on key areas of cybersecurity controls for critical infrastructure. The U.S. Federal Energy Regulatory Commission (FERC) has the authority to issue cybersecurity regulations through the nonprofit NERC. In early 2023 FERC issued a final rule instructing NERC to create new or modified CIP reliability standards as part of the larger effort to protect all U.S. critical infrastructure.