The Integrated Controls Management (ICM) is a freee resource to help organizations design and implement their Governance, Risk & Compliance (GRC) practices to center around applicable cybersecurity and data protection controls. The premise of the ICM is that controls are central to cybersecurity and data privacy operations, as well as the overall business rhythm of an organization. This is supported by the Cybersecurity & Data Privacy Risk Management Model (C|P-RMM), that describes the central nature of controls, where not just policies and standards map to controls, but procedures, metrics, threats and risks, as well. The ICM model takes a different approach from the traditional definition of GRC, since ICM is controls-centric, where controls are viewed as the nexus, or central pivoting point, for an organization’s cybersecurity and privacy operations.
OCEGdefines GRC as, “GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity,” while Gartnerjointly defines GRC/IRM as, "a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks."
ComplianceForge and Secure Controls Framework (SCF), the developers of the ICM model, define ICM as, “a holistic, technology-agnostic approach to cybersecurity and data protection controls to identify, implement and manage secure and compliant practices, covering an organization’s people, processes, technology and data, regardless of how or where data is stored, processed and/or transmitted.”
How To GRC Playbook
ICM is designed to proactively address the strategic, operational and tactical nature of operating an organization’s cybersecurity and privacy program at the control level. ICM is designed to address both internal controls, as well as the broader concept of Supply Chain Risk Management (SCRM).
What Does It Mean To Be Secure? What Does It Mean To Be Compliant?
Unlike GRC/IRM, ICM specifically focuses on the need to understand and clarify the difference between "compliant" versus "secure" since that is necessary to have coherent risk management discussions. To assist in this process, ICM helps an organization categorize its applicable controls according to “must have” vs “nice to have” requirements:
Minimum Compliance Requirements (MCR) are the absolute minimum requirements that must be addressed to comply with applicable laws, regulations and contracts.
Discretionary Security Requirements (DSR) are tied to the organization’s risk appetite since DSR are “above and beyond” MCR, where the organization self-identifies additional cybersecurity and data protection controls to address voluntary industry practices or internal requirements, such as findings from internal audits or risk assessments.
Secure and compliant operations exist when both MCR and DSR are implemented and properly governed:
MCR are primarily externally-influenced, based on industry, government, state and local regulations. MCR should never imply adequacy for secure practices and data protection, since they are merely compliance-related.
DSR are primarily internally-influenced, based on the organization’s respective industry and risk tolerance. While MCR establish the foundational floor that must be adhered to, DSR are where organizations often achieve improved efficiency, automation and enhanced security.
Plan, Do, Check & Act GRC Principles
There are eight (8) principles associated with ICM:
Establish Context;
Define Applicable Controls;
Assign Maturity-Based Criteria;
Publish Policies, Standards & Procedures;
Assign Stakeholder Accountability;
Maintain Situational Awareness;
Manage Risk; and
Evolve Processes.
ComplianceForge has simplified the concept of "how to GRC" in the following downloadable diagram to demonstrate the unique nature of these components, as well as the dependencies that exist:
Integrated Controls Management (ICM) – Overlaid On Integrated Cybersecurity Governance Model (ICGM)
Principle 1: Establish Context
To build and maintain efficient and effective operations, a cybersecurity & privacy program must have a hierarchical vision, mission and strategy that directly supports the organization’s broader strategic objectives and business processes. This process of establishing context involves identifying all applicable external compliance requirements (e.g., laws, regulations and contractual obligations), as well as internal directives (e.g., Board of Directors, corporate policies, etc.). This is a due diligence element of the cybersecurity and privacy program.
Principle 2: Define Applicable Controls
A tailored control set cybersecurity and data protection controls must exist. This control set needs to be made of Minimum Compliance Requirements (MCR) and Discretionary Security Requirements (DSR). This blend of “must have” and “nice to have” requirements establish an organization’s tailored control set to ensure both secure practices and compliance.
Principle 3: Assign Maturity-Based Criteria
The cybersecurity & privacy program must assign maturity targets to define organization-specific “what right looks like” for controls. This establishes attainable criteria for people, processes and technology requirements. Tailored maturity level criteria can be used to plan for, budget for and assess against. Maturity targets should support the organization’s need for operational resiliency.
Documentation must exist, otherwise an organization’s cybersecurity and data protection practices are unenforceable. Formalizing organization-specific requirements via policies and standards are necessary to operationalize controls. Stakeholders utilize those prescriptive requirements to develop Standardized Operating Procedures (SOP) that enable Individual Contributors (IC) to execute those controls. Policies, standards and procedures provides evidence of due diligence that the organization identified and implemented reasonable steps to address its applicable requirements.
Principle 5: Assign Stakeholder Accountability
Controls must be assigned to stakeholders to ensure accountability (e.g., business units, teams and/or individuals). These “control owners” may assign the task of executing controls to “control operators” at the IC-level. The documented execution of procedures provides evidence of due care that reasonable practices are being performed.
Principle 6: Maintain Situational Awareness
Situational awareness must involve more than merely “monitoring controls” (e.g., metrics). While metrics are a point-in-time snapshot into discrete controls’ performance, the broader view of metrics leads to a longer-term trend analysis. When properly tied in with current risk, threat and vulnerability information, this insight provides “situational awareness” that is necessary for organizational leadership to adjust plans to operate within the organization’s risk threshold.
Principle 7: Manage Risk
Proactive risk management processes must exist across all phases of development/information/system life cycles to address confidentiality, integrity, availability and safety aspects. Risk management must address internal and external factors, including privacy and Supply Chain Risk Management (SCRM) considerations. To manage risk, it requires the organization to clearly define its risk threshold and risk management expectations.
Principle 8: Evolve Processes
Cybersecurity and data protection measures must adapt and evolve to address business operations and the evolving threat landscape. This requires the adoption of a Plan, Do, Check & Act (PDCA) approach (Deming Cycle) to ensure the organization proactively identifies its requirements, implements appropriate protections, maintains situational awareness to detect incidents, operates a viable capability to respond to incidents and can sustain key business operations, if an incident occurs.
Plan-Do-Check-Act (PDCA) Approach To GRC
The ICM takes a comprehensive view towards governing a cybersecurity and privacy program. Without an overarching concept of operations for the broader GRC/IRM function, organizations will often find that their governance, risk, compliance and privacy teams are siloed in how they think and operate. These siloed functions and unclear roles often stem from a lack of a strategic understanding of how these specific functions come together to build a symbiotic working relationship between the individual teams that enables quality control over people, processes and technology. The ICM utilizes a Plan, Do, Check & Act (PDCA)approach that is a logical way to design a governance structure:
Plan. The overall GRC process beings with planning. This planning will define the policies, standards and controls for the organization. It will also directly influence the tools and services that an organization purchases, since technology purchases should address needs that are defined by policies and standards.
Do. Arguably, this is the most important section for cybersecurity and privacy practitioners. Controls are the “security glue” that make processes, applications, systems and services secure. Procedures (also referred to as control activities) are the processes how the controls are actually implemented and performed. The Secure Controls Framework (SCF) can be an excellent starting point for a control set if your organization lacks a comprehensive set of cybersecurity and privacy controls.
Check. In simple terms, this is situational awareness. Situational awareness is only achieved through reporting through metrics and reviewing the results of audits/assessments.
Act. This is essentially risk management, which is an encompassing area that deals with addressing two main concepts (1) real deficiencies that currently exist and (2) possible threats to the organization.
What is Cybersecurity GRC?
Cybersecurity Governance, Risk, & Compliance (GRC) is an integrated approach organizations use to align cybersecurity and data privacy requirements with business objectives.
Which comes first? Governance, Risk or Compliance? This has been a hotly-debated topic since GRC was first coined over two (2) decades ago. However, there is a logical order to GRC processes that must be understood to avoid siloes and an improperly scoped security program. First, it is necessary to level-set on the terminology of what GRC functions do:
Structures the organization’s controls to align with business goals and applicable statutory, regulatory, contractual and other obligations. Develops necessary policies and standards to ensure the proper implementation of controls.
Risk Management. Identifies, quantifies and manages risk to information and technology assets, based on the organization’s operating model.
Oversight of control implementation to ensure the organization’s applicable statutory, regulatory, contractual and other obligations are adequately met. Conducts control validation testing and audits/assessments.
Compliance > Governance > Risk Management. When establishing GRC practices, what is described below is the precedence of how (1) Compliance influences (2) Governance, which influences (3) Risk management.
The genesis of GRC is to first identify applicable statutory, regulatory and contractual obligations that the organization must adhere to, as well as internal business requirements (e.g., Board of Director directives). This is a compliance function that identifies statutory, regulatory and contractual obligations. It is a due diligence exercise to identify what the organization is reasonably required to comply with from a cybersecurity & data privacy perspective. This process involves interfacing with various Lines of Business (LOB) to understand how the organization operates, including geographic considerations. Generally, Compliance needs to work with the legal department, contracts management, physical security and other teams to gain a comprehensive understanding of the organizational compliance needs.
Based on these controls, Governance has two (2) key functions:
Develop policies and standards to meet those compliance obligations (defined by applicable control objectives); and
Assign ownership of those controls to the applicable stakeholders involved in the affected business processes. This process often requires a documented Responsibility, Accountability, Supportive, Consulted and Informed (RASCI) chart to ensure the organizational model supports effective implementation and oversight of the assigned controls.
From a trickle-down perspective, while Risk Management logically follows both Compliance and Governance functions in establishing a GRC program, Risk Management is crucial for the organization to maintain situational awareness and remain both secure and compliant. Risk Management serves as the primary "canary in the coal mine" to identify instances of noncompliance that lead to the improper management of risks and exposure of the organization to threats; since ongoing risk assessments generally occur more frequently than internal/external audits that Compliance may oversee.
Secure Controls Framework (SCF) "Premium Content" - Editable Policies, Control Objectives, Standards, Guidelines, Controls & Metrics.
Product Walkthrough Video
When you click the image or the link below, it will direct you to a different page on...
Cybersecurity Standardized Operating Procedures (CSOP) DSP | SCF Version
Product Walkthrough Video
When you click the image or the link below, it will direct you to a different page on our website that contains a short product walkthrough...
Cybersecurity Supply Chain Risk Management (C-SCRM) Bundle #2 - DSP Version (45% discount)
This is a bundle that includes the following thirteen (13) ComplianceForge products that are focused on operationalizing Cybersecurity Supply Chain Risk...
Digital Security Plan (DSP) Bundle #1 - SCF-Aligned Policies, Standards & Procedures (25% Discount)
Is your organization looking for enterprise cybersecurity documentation? This is a bundle that includes the following two (2) ComplianceForge...
Digital Security Plan (DSP) Bundle #2 - ENHANCED DIGITAL SECURITY (35% Discount)
Is your organization looking ofr enterprise cybersecurity documentation? This is a bundle that includes the following seven (7) ComplianceForge products that are...
Digital Security Plan (DSP) Bundle #3 - ROBUST DIGITAL SECURITY (45% Discount)
Is your organization looking for enterprise cybersecurity documentation? This is a bundle that includes the following thirteen (13) ComplianceForge products that are...
NIST 800-171 & CMMC 2.0 Compliance Bundle #4 - EXPERT CMMC 2.0 Levels 1-3 (45% discount)
Is your organization looking to achieve CMMC compliance? This is a bundle that includes the following thirteen (13) ComplianceForge...
Privacy Bundle #2 - DSP Version (45% discount)
This is a bundle that includes the following twelve (12) ComplianceForge products that are focused on operationalizing the cybersecurity and privacy principles:
Digital Security Program (DSP)
Cybersecurity...