Overview
GRC, which stands for governance, risk management, and compliance, is a set of processes used to formalise procedures and maintain order in a company. It mainly helps a company increase efficiency and decrease the risk of non-compliance.
While each procedure that makes up GRC could be handled by its own department, companies merge them into one function to save costs and maintain efficiency, since their job scopes overlap with each other.
Breakdown
As most of GRC consists of yapping (it's kinda like law), I'll try to summarise them in the following table. More information can be found online by doing a quick Google search.

| GRC | Purpose |
|---|---|
| Governance | Creating rules aligned with the business goals of a company |
| Risk Management | Identifying and remediating risks that a company faces to minimise loss |
| Compliance | Ensuring that a company follows the laws and regulations set by industry bodies |
Laws & Regulations
The slides listed some laws and regulations for different industries, so I assume we sorta have to memorise them and regurgitate them for our tests. I've compiled them into the following tables for easier access.
Industry Laws

| Industry | Law | Description |
|---|---|---|
| Finance | Sarbanes-Oxley Act of 2002 (SOX) | Laws preventing companies from committing fraud |
| Healthcare | HIPAA Privacy Rule | Limits the use and disclosure of protected health information (PHI) |
| Healthcare | HIPAA Security Rule | Protects an individual's health data by establishing proper administrative, physical, and technological safeguards for their PHI |
| Credit Card | Payment Card Industry Data Security Standard (PCI DSS) | Set by the PCI SSC to prevent credit card fraud and identity theft by requiring anyone dealing with credit card information to comply with PCI DSS |
Local Laws
| Law | Description |
|---|---|
| Computer Misuse and Cybersecurity Act (Chapter 50A) | Laws against unauthorised access to computer material; also allows the police to seize devices to maintain cybersecurity |
| Banking Act (Chapter 19) | Law to facilitate the licensing and regulation of financial institutions and instruments, such as banks and credit card businesses |
| Cybersecurity Code of Practice (CCoP) for Critical Information Infrastructure | Law to ensure the resilience of critical information infrastructure (CII). CII refers to the computer systems directly involved in the provision of essential services, such as water, energy, finance, healthcare, etc. |
| Instruction Manual (IM) 8 | Policies, standards and regulations for IT security in government agencies. Vendors serving the government also have to comply with this |