Governance, risk & compliance

Protect your business and bottom line with intelligent GRC and security frameworks.

Introduction

Governance, risk, and compliance – popularly known as GRC – is a set of processes and procedures to help organisations achieve business objectives, address uncertainty, and act with integrity.

The basic purpose of GRC is to build good business practice into everyday operations. While not a new concept, GRC has grown in stature as risks have become more numerous, more complex, and more damaging.

GRC today spans multiple disciplines, including enterprise risk management, compliance, third-party risk management, internal audit, and more. While each discipline has its own priorities – and often its own way of doing things – GRC leaders now recognise the value of sharing data and intelligence to drive better results and build a stronger, more resilient organisation.

GRC Overview

There are three main components of GRC:

  • Governance — Aligning processes and actions with the organisation's business goals
  • Risk — Identifying and addressing all of the organisation's risks
  • Compliance — Ensuring all activities meet legal and regulatory requirements

In the past, organisations often approached Governance, Risk, and Compliance as separate activities. Processes or systems were frequently created in response to a specific event – e.g., new regulations, litigation, a data breach, or an audit finding – with little thought as to how they fitted into the whole. The result was a tangle of inefficiencies, redundancies, and inaccuracies, including:

  • Lack of visibility into the complete risk landscape
  • Conflicting actions
  • Unnecessary complexity
  • Inability to assess the cascading effects of risk

The reality is that there is plenty of overlap between Governance, Risk, and Compliance. Each of the three disciplines creates information of value to the other two – and all three impact the same technologies, people, processes, and information. An organisation, for instance, might be subject to a new data-privacy regulation (a compliance activity), while also holding itself to certain internal data-protection controls (a governance activity), both of which help mitigate cyber risk (a risk management activity).

When the three disciplines of GRC are managed separately, there is substantial duplication of tasks. Multiple teams end up spending hours collecting the same data – and hours more untangling email threads and spreadsheets just to begin analysis.

More damaging, disconnected processes and a lack of transparency leave the organisation blind to the interrelationships between risks, undermining the whole system by allowing gaps in, and redundancies of, controls to go unnoticed. Siloed teams also have no understanding of how their particular domain influences the company's risk position as a whole, or its overall success.

In short, managing GRC in separate silos is a lot of extra effort – and that effort produces very little reward. Without an integrated view of all GRC-related activities, it is nearly impossible to identify issues and inconsistencies. A damaging risk can easily slip by undetected and unaddressed, because its full impact cannot be gauged until it is too late.

Our experienced team at SR Cloud Solutions can assist you at every stage of your compliance journey. We are able to assess your current state of readiness and advise on areas that require remediation. Taking a risk-based approach, we can help implement technologies, processes and policies that will meet the most stringent compliance and security requirements.


Why choose SR Cloud Solutions?

SR Cloud Solutions has a 25-year track record of supplying managed security services to many organisations in different industries. 

Book a meeting with one of our consultants to learn more, or read on below to find out more about our GRC services.

GRC Frameworks, Standards, Regulations & Assessments

Cyber Essentials

Cyber Essentials is a standard developed by the UK government in collaboration with industry partners and managed by the National Cyber Security Centre (NCSC). The standard sets a baseline of fundamental cybersecurity controls that organisations need to apply in order to be certified. Its purpose is to help organisations protect themselves against the most common attacks, such as hacking, phishing and password guessing.

The standard is split into five technical control areas:

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Patch management

The basic Cyber Essentials assessment is a self-assessment questionnaire submitted to a certification body, followed by a vulnerability test of your external-facing presence. Cyber Essentials Plus requires the same controls to be met, but certification is based on an audit and internal testing carried out by a certification body.

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) was developed to set a single, global security standard for organisations that store, process or transmit cardholder data. The standard sets out twelve technical and operational requirements.

12 PCI DSS technical and operational requirements

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

The twelve requirements are themselves broken down into well over a hundred separate, specific sub-requirements, all of which are assessed for compliance. The list above uses the wording of PCI DSS v3.2.1; v4.0 restates the same twelve requirements in more outcome-based language, so map your controls to the version your assessor is working from.

PCI DSS is a set of minimum requirements. These can always be enhanced through the use of additional controls. PCI DSS is a contractual requirement imposed through the card brands and acquiring banks rather than a law; where national law or sector regulation conflicts with it, the law takes precedence.

PCI DSS requires a zone to be established that is in scope for compliance. This zone is called the cardholder data environment (CDE). The CDE includes all people, processes and technologies involved in processing, storing or transmitting cardholder data or sensitive authentication data. Network segmentation of the CDE is not mandatory, but it is strongly recommended: without adequate segmentation, the entire network is in scope for assessment, whereas a well-segmented CDE limits scope to the systems that actually touch cardholder data.

Like other compliance regimes, the standard requires an analysis of the business need to store cardholder data, and to what extent, encouraging the principle of data minimisation. Generally speaking, less data means less risk to both the organisation and the data subject.

ISO/IEC 27000 family

What is ISO?
The International Organisation for Standardisation (ISO) is an independent, non-governmental organisation whose members are national standards bodies from more than 160 countries. Through its members, it develops international standards for products, services and systems. The ISO/IEC 27000 family helps organisations keep information assets secure. ISO/IEC 27001 is the best-known member of the family; it sets out the requirements for an Information Security Management System (ISMS).

About ISMS
An ISMS is a systematic approach to managing sensitive company information so that it remains secure. Management must be able to demonstrate that they continuously identify, examine and manage security risks through the application of appropriate controls. Company assets that must be considered include people, processes and IT systems. Annex A of the 2013 edition of the standard sets out 14 domains that are broken down into 114 controls (the 2022 edition regroups these into four themes – organisational, people, physical and technological – with 93 controls). The 2013 domains are:

  1. Information security policies
  2. Organisation of information security
  3. Human resource security
  4. Asset management
  5. Access control
  6. Cryptography
  7. Physical and environmental security
  8. Operations security
  9. Communications security
  10. System acquisition, development and maintenance
  11. Supplier relationships
  12. Information security incident management
  13. Information security aspects of business continuity management
  14. Compliance, with internal requirements, such as policies, and with external requirements, such as laws

GDPR & DPA

The EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA) both came into effect on 25th May 2018. The DPA sits alongside the GDPR and tailors how it applies to the UK. Since the UK left the EU, the GDPR has been retained in UK law as the UK GDPR, which continues to sit alongside the DPA 2018.

The GDPR is a piece of legislation that came into force in order to unify data protection law across Europe. It places a wide range of requirements on controllers and processors of personal data (the GDPR's term; often referred to as personally identifiable information, or PII). Articles 5(1) and 5(2) of the legislation set out seven principles for the processing of personal data.

Seven principles for the processing of personal data

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals (lawfulness, fairness and transparency)
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation)
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)
  4. Accurate and, where necessary, kept up to date (accuracy)
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation)
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality)
  7. The controller shall be responsible for, and be able to demonstrate compliance with, the above principles (accountability)

Throughout the GDPR there is a consistent requirement to take a risk-based approach to all elements of data processing, including the security of the data: Article 32 requires technical and organisational measures that are appropriate to the risk, rather than prescribing a fixed set of controls.

Join Other Leading Companies Who Trust SR Cloud Solutions

Speak to one of our security EXPERTS

Our team is available for a quick call or video meeting. Let's connect and discuss your security challenges, dive into vendor comparison reports, or talk about your upcoming IT projects. We are here to help.
