Where to Begin

By Adam (Sully) Perella, Technical Director, Schellman

Governance, Risk, and Compliance (GRC) is the grouping of three topics with a heavy overlap in the Venn Diagram. Multiple methods, software, service providers, and frameworks exist in this space as a best effort to take concepts and apply them to unique organizations working to meet security objectives or laws. Similarly, those responsible for GRC must typically manage how these apply to multiple teams with different objectives.

Tell me something new!

For assessors, auditors, and consultants in this space, a candid conversation with our customers often begins with, “I don’t know where to start.” I propose every organization starts with the data.  Data discovery and data management are difficult fields in their own right but that does not preclude the ability to go through this exercise.

  • What data do we receive?
  • What data do we store?
  • Which systems handle the data?
  • What data do we transmit?
  • Who has access to the data?

For each of these questions, find someone who intimately understand each business segment – usually a collection of individuals working in their own area. If this sounds suspiciously like a data flow diagram, you hit the nail on the head. The exercise will provide the detail necessary to make individual diagrams for each data flow even if similarities exist between different flows.

Who and What Accesses the Data?

The data flows should reveal each of the systems which receive, transmit, and interact with the data. Common examples include parsing data for specific details, encrypting data for storage, and formatting data before sending off to a third party. Expect that there may be unknowns as this process unfurls and those items need to have a follow-up attached. No less, the picture of these flows will grow in completeness in detail. This part of the exercise will prove its value many times over.

Assign Value to Data as a Basis for Risk

The data elements in place now outline the first step in most risk assessment activities. Determine how sensitive the raw data is and for any data pulled from or merged with it. The value of data can be defined from a legal perspective (e.g., GDPR) or from a compliance perspective (e.g., credit card data) Next, the access available to data by both personnel and applications being the scope of review into focus.

Security-Impacting Systems and Functions

The devil is in the details here. The systems and services (including those provided by third-party service providers) will document both the security controls over the data and simultaneously what can impact the security of the data. Centralized authentication, SIEM, hosting providers, outsourced software development, and remote access are common examples of how an organization accesses, maintains, and monitors its environment. Be sure to document each of these.

Draw a Line Around It

Citing complete physical and logical separation are amazing boundaries if they exist. Most real-world implementations show that this is far messier. Bring in the network engineers for and developers to ask, ”What controls do we have around this data?”  The data flows provided earlier will identify the network segments involved and the following steps will show who and what are accessing and protecting that data. This is a difficult step because grey areas are met with the spectrum of responses which can dramatically grow or irrationally shrink scope. Involving an experienced staff member or consultant is beneficial here and if you already have an assessor, reach out and talk this through.  Better to get the answer now then have it challenged in three months.

In fact, this step may as well be called, “Scope of Review” because it will be present in most of the assessments.  To that I say, “Great news, the actions already taken can be used as evidence for why an organization defined scope.”

Applying Governance and Compliance

The circle needed to be complete. Governance and compliance focus on specific areas – most notably data. The previous actions should provide much of what is necessary to define how the controls in use meet legal and regulatory demands.


The worst thing that organizations do is avoid the issue. Avoiding this process will neither protect an organization from liability nor from the difficult work that makes security a year-round job. Instead of trying to take this all on at once, take one dataset and follow this from beginning to end. Lessons will be learned along the way which make subsequent datasets easier to evaluate and there are almost always overlapping controls which make those steps more simple. By highlighting the commonalities and outliers, an organization can better identify the risks to data and the security controls in place.

GRC conversations tend to feel overwhelming and can rattle the emotional status of your staff. Reassure yourselves and the staff involved that this is not about blame, this is about identifying, classifying, and course correcting any findings before the worst-case scenario unfolds. A candid conversation will provide a clear picture of where an organization is actually at and not where it wishes it was. The results of these exercises will identify shortcomings as well as some of the key roles staff are playing.

Hot Topics

Related Articles