Key Concepts and Terminologies
Welcome to the world of GRC, where businesses strive to achieve effective governance, risk management, and compliance. In order to navigate this complex landscape, it is essential to have a clear understanding of the key concepts and terminologies that underpin GRC practices. Whether you’re a seasoned professional or just beginning your GRC journey, this article will provide you with the knowledge you need to confidently navigate the realm of GRC.
At TrustCloud, we understand the importance of trust, security, and simplifying compliance. Our mission is to bring trust back to business, and to achieve this, we believe in equipping professionals like you with the tools and information to ensure effective GRC practices. Our tone of voice is professional and confident, communicating with authority while maintaining a sense of approachability and helpfulness.
Throughout this article, we’ll explore essential GRC terms and concepts, breaking down complex ideas into accessible language. From risk assessments to compliance audits, we’ll provide you with the insights needed to build a strong GRC foundation.
Audit Scope
The scope of an audit defines its focal point: the range of activities that the audit examination covers. Each compliance standard, framework, and regulation has its own point of focus, and scoping means settling on that point of focus before the audit begins. The scope is usually determined through a series of discussions with the auditors.
Control
A control is something you do as an organization to mitigate a potential risk. It is part of a process designed to accomplish a goal. For example, the goal might be to train your employees on security because safeguarding data is important. The corresponding control might be: “Every year, security training is provided to all employees.”
Design
To design is to decide how a particular process will function. An effective design plan lays out the series of steps or actions needed to achieve a specific goal, and it is usually documented in a policy or a procedure. To implement a control, you first need to design it: the control is the process that accomplishes the goal, and the design is the “how”. For a security training control, the design identifies the steps that make the training happen, such as:
- The month during which the training must happen
- Who is included in the training (e.g., full-time personnel, contractors, or both)
- The tools used to administer the training
- The designated personnel responsible for administering the training
Evidence
Auditors, and sometimes customers, require an organization to provide evidence that it is actually meeting the compliance obligations it claims. Evidence can take the form of:
- Documentation
- Screenshots from a system
- A test report from an API-based query
- A population, or list, of events
For a security training control, the evidence is the complete report showing each employee’s name, training date, training completion date, and any related score.
Implementation
Implementation means putting into effect the steps documented in the design plan. This is what your auditors look for. For the security training control, implementation means administering the training consistently, every year, to all of your employees.
Personal Data
Personal data is information that helps identify an individual. This can be as simple as a name, phone number, or e-mail address, and the definition can also extend to an IP address or a cookie identifier. Some examples of personal data include:
- First or last name
- Address
- Age
- Gender
- Employer
- Date of Birth
Policies
Another key concept in GRC is the policy. A policy is a high-level statement that defines “what” must happen. Policies are the rules to be followed and serve as the foundation of any process. Policies must be formally reviewed and approved at least once a year.
For example, a policy might state: “We must conduct a risk assessment every year to effectively prevent and mitigate risks.”
Population
As part of your compliance audit, it is common for auditors to ask for evidence that a certain control activity occurred. This evidence can be a population of events from which the auditor picks a random sample. A population of events simply means a pool or list of specific events.
For example, a population of new hires is a list of new hires, and a population of incidents is a list of incidents. As an organization, it is good practice to have an automated, rather than manual, method of producing these lists, because an auditor places more trust in a list generated by a computer system than in a manually maintained one.
Process
A process is a series of actions or steps taken in order to achieve a particular goal. In compliance, the term “process” comes up often. For example, your auditor might ask, “What is your process for granting access to a new hire?” or “What is your hiring process?” The process referred to here is the set of steps and actions taken to provide access to, or to hire, a new employee in your organization. Any goal or recurring activity in your organization that requires a particular set of actions can be described as a process.
Sensitive / Critical data or Personally Identifiable Information (PII)
Sensitive data differs from personal data in that some types of information are considered more sensitive than others: sensitive information can be misused to cause harm to a person. The distinction is about the potential impact if a given set of data were lost or stolen.
For example, although a first and last name can be sensitive, is it as sensitive as a credit card number? Some examples of PII include, but are not limited to:
- First or last name
- Passport or driver’s license number
- Social Security Number
- Credit Card Number
- Photos
- Account username
- Fingerprints
- Financial records
- Medical records
Risk Assessment
Risk assessment is a systematic process of identifying, analyzing, and evaluating potential risks that could have an impact on an organization or project. It involves identifying potential hazards, assessing the likelihood and severity of each, and determining the level of risk it poses. The goal is to prioritize risks by their potential impact and likelihood so that appropriate measures can be taken to mitigate or manage them.
This process helps organizations make informed decisions about how to allocate resources and develop strategies to minimize or eliminate potential risks. By conducting risk assessments, organizations can proactively identify and address potential vulnerabilities, ultimately enhancing their ability to achieve their objectives while minimizing negative consequences.
By exploring GRC 101, individuals can learn about the importance of these three components and how they interact to create a strong foundation for organizational success.