5 ways you could be doing GRC better

Having spent time with a number of organisations all at different levels of maturity, here are my top 5 controls which often need work.

Inventory of processes, devices and applications

A giant problem that everyone attempts but few do well: keeping and maintaining a list of all major organisational processes, their sub-processes, and the authorised and unauthorised applications and devices that support them. Without this model of the organisation, how do you know where to spend your precious time?

Link the inventory to automated tools (asset discovery, for example) and to the information and processes the company already has, so that the wider company contributes to a single central model rather than a security-owned spreadsheet. This is not just time saving; it is essential to ensuring the company's priorities are aligned.

Ensuring unauthorised applications and devices are managed is important too. Employees bring their iPhones, iPads and ever more iStuff (watches, glasses, cars) into the office, email work documents to their personal accounts, sync with Dropbox, copy files onto USB drives and adopt shareware and freeware applications which have quietly become critical to their work. They log onto free Wi-Fi at coffee shops, hotels, airports and train stations.

Understanding the landscape of applications, devices and behaviours lets you choose appropriate controls, working with users rather than imposing blanket, unrealistic restrictions which users will work around, avoid and undermine.

Incident response and analysis

Many security controls are purely detective yet give us a comfortable feeling of security. High-profile CCTV, for example, is sold as both preventive and detective, but in practice it does nothing except watch as an incident unfolds. Well-designed response procedures that can be deployed quickly are more and more important as the perimeter security of our workplaces disappears.

Let's look at response procedures in store security. Security personnel see a known shoplifter enter the store and watch as they inevitably pick up and hide items on their person; the security staff then wait until the person attempts to leave the store before intervening, detaining them and calling the police. The rationale is that until the shoplifter leaves the store no crime has been committed and so no arrest can be made. This response procedure is flawed: the goal for the store is loss prevention, not ensuring that criminals are successfully prosecuted. Early detection and an appropriate early response would thwart the shoplifter's efforts sooner and with less effort.

My issue with response is not what companies are doing; it is that we have become fixed in what we do. Measuring and learning should be part of the process. Recording and dealing with incidents consistently is the first step; the second is to learn from each incident and record which security controls worked and which didn't.

Vetting staff

I have worked with two companies whose CEOs have confessed to me that they had employees under court conditions not to use computers connected to the internet, and that they only discovered this through an incidental Google search and a policeman at reception.

Background checking is required by a number of regulations and best-practice frameworks. It is normally performed as a pre-employment check but rarely repeated. People working in trusted positions should have their checks performed at hire or when they move into the position, and subsequent checks should be performed on an appropriate schedule.

We don't like to think that the people we work with could do something illegal or immoral, but unfortunately psychology tells us that everyone has the potential to be dishonest, so we must have transparency.

Managing user access and rights

Normally hiring and firing (perhaps "leavers" is a nicer term) have good process; it is internal moves that I tend to see missed. Users gain access in one role and, when they transition, that access is not revoked. Honestly, what user is going to chase you to remove their access?

I think we all know why this happens: we trusted the employee with that access, so there isn't the same rush to remove it as there is for leavers, and in smaller organisations it is even encouraged so that those employees can revert to an old role when it all hits the fan. However, conflicts can occur: the employee who could approve expenses moves roles and starts fraudulently approving his colleagues' expenses. Good process around promotions and transitions means that when we move to a new role our permissions are reviewed and redundant system access is removed.
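As an added example (not code from the original post), the review step described above can be made mechanical: compare what a user actually holds against what their current role is meant to grant, flag the leftovers, and check the combined entitlements against segregation-of-duties rules so the expense-approver case is caught rather than discovered after the fraud. The role catalogue, SoD rules and user below are constructed sample data, not any real organisation's.

```python
"""Access review on an internal move.

Flags entitlements carried over from a previous role and segregation-of-duties
(SoD) conflicts created by the accumulated access.  All role names,
entitlements and rules here are hypothetical sample data.
"""
from dataclasses import dataclass, field

# Hypothetical role catalogue: role name -> entitlements the role is meant to grant.
ROLE_ENTITLEMENTS = {
    "finance_approver": {"erp.login", "expenses.approve", "expenses.view"},
    "sales_rep": {"crm.login", "expenses.submit", "expenses.view"},
    "it_helpdesk": {"ad.reset_password", "ticketing.login"},
}

# Hypothetical SoD rules: sets of entitlements one person must not hold together.
SOD_CONFLICTS = [
    ({"expenses.submit", "expenses.approve"}, "can approve own expenses"),
    ({"ad.reset_password", "expenses.approve"}, "can reset an approver's password"),
]


@dataclass
class User:
    name: str
    role: str
    entitlements: set = field(default_factory=set)


def hire(name, role):
    """Joiner process: the user gets exactly what the role grants."""
    return User(name, role, set(ROLE_ENTITLEMENTS[role]))


def transition(user, new_role):
    """Model the usual failure: the role changes, new access is added,
    and nothing from the old role is revoked."""
    user.role = new_role
    user.entitlements |= ROLE_ENTITLEMENTS[new_role]
    return user


def review_access(user):
    """Return (redundant, conflicts): entitlements not granted by the user's
    current role, and the SoD rules the user's actual entitlements violate."""
    expected = ROLE_ENTITLEMENTS[user.role]
    redundant = user.entitlements - expected
    conflicts = [reason for pair, reason in SOD_CONFLICTS if pair <= user.entitlements]
    return redundant, conflicts


def apply_review(user):
    """Revoke everything the current role does not justify."""
    redundant, _ = review_access(user)
    user.entitlements -= redundant
    return user


def demo():
    """Walk the expense-approver scenario: approver moves into sales."""
    alice = transition(hire("alice", "finance_approver"), "sales_rep")
    before = review_access(alice)
    after = review_access(apply_review(alice))
    return before, after


if __name__ == "__main__":
    (redundant, conflicts), (left, still) = demo()
    print("carried over:", sorted(redundant))   # erp.login, expenses.approve
    print("SoD conflicts:", conflicts)          # can approve own expenses
    print("after review:", sorted(left), still) # [] []
```

The point of the SoD check is that it runs over the user's real entitlements, not the role template: a role catalogue that is clean on paper says nothing about an account that has accumulated two roles' worth of access.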

GRC Culture

A recent discussion with an advertising firm revealed how "the creatives" rebelled against standard tools and defined process: arty types downloading the latest filters and paintbrushes for Adobe, or signing up for SaaS tools on their own. The poor BCM (business continuity) manager I spoke with had a nightmare trying to provide continuity for this swirling, constantly changing mess of tooling used by each team and individual.

Culture is difficult. You cannot change it quickly or dramatically, and it must be adopted by the organisation rather than forced onto it. One of the best ways to achieve this is to be clear and transparent about why change is necessary. If we understand the risks employees are exposed to, and can clearly show them those risks and why the controls exist, they will be more likely to accept and conform to policy.
