Security, Compliance & Resilience Management System (SCRMS)

The Security, Compliance & Resilience Management System (SCRMS) is a freee resource to help organizations design and implement their Governance, Risk & Compliance (GRC) practices to center around applicable cybersecurity and data protection controls. The premise of the ICM is that controls are central to cybersecurity and data privacy operations, as well as the overall business rhythm of an organization. This is supported by the Secure, Compliant & Resilient Risk Management Model (SCR-RMM), that describes the central nature of controls, where not just policies and standards map to controls, but procedures, metrics, threats and risks, as well. The ICM model takes a different approach from the traditional definition of GRC, since ICM is controls-centric, where controls are viewed as the nexus, or central pivoting point, for an organization’s cybersecurity and privacy operations. 

OCEG defines GRC as, “GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity,” while Gartner jointly defines GRC/IRM as, "a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks."

ComplianceForge and Secure Controls Framework (SCF), the developers of the ICM model, define ICM as, “a holistic, technology-agnostic approach to cybersecurity and data protection controls to identify, implement and manage secure and compliant practices, covering an organization’s people, processes, technology and data, regardless of how or where data is stored, processed and/or transmitted.”

How To GRC Playbook

ICM is designed to proactively address the strategic, operational and tactical nature of operating an organization’s cybersecurity and privacy program at the control level. ICM is designed to address both internal controls, as well as the broader concept of Supply Chain Risk Management (SCRM).

What Does It Mean To Be Secure, Compliant & Resilient? 

Unlike GRC/IRM, ICM specifically focuses on the need to understand and clarify the difference between "compliant" versus "secure" since that is necessary to have coherent risk management discussions. To assist in this process, ICM helps an organization categorize its applicable controls according to “must have” vs “nice to have” requirements:

• Minimum Compliance Requirements (MCR) are the absolute minimum requirements that must be addressed to comply with applicable laws, regulations and contracts.
• Discretionary Security Requirements (DSR) are tied to the organization’s risk appetite since DSR are “above and beyond” MCR, where the organization self-identifies additional cybersecurity and data protection controls to address voluntary industry practices or internal requirements, such as findings from internal audits or risk assessments.

Secure and compliant operations exist when both MCR and DSR are implemented and properly governed:

• MCR are primarily externally-influenced, based on industry, government, state and local regulations. MCR should never imply adequacy for secure practices and data protection, since they are merely compliance-related.
• DSR are primarily internally-influenced, based on the organization’s respective industry and risk tolerance. While MCR establish the foundational floor that must be adhered to, DSR are where organizations often achieve improved efficiency, automation and enhanced security.

What Does It Mean To Be Secure?

An entity can reasonably claim it is secure if it has implemented and operational defenses focused on Confidentiality, Integrity, Availability and Safety (CIAS). An entity’s level of security is dynamic, based on its:

• Implemented defensive capabilities; and
• Applicable risks and threats.

What Does It Mean To Be Compliant?

An entity can reasonably claim it is compliant if it has the ability to demonstrate conformity with applicable laws, regulations and other obligations. The scope of compliance includes both external and internal requirements.

What Does It Mean To Be Resilient?

An entity can reasonably claim it is resilient if it has prepared for and has the ability to adapt to changing conditions, where it can withstand and/or recover rapidly from disruption. Resilience includes the ability to withstand and recover from deliberate attacks, accidents or naturally occurring threats or incidents.

Plan, Do, Check & Act GRC Principles

There are eight (8) principles associated with ICM:

1. Establish Context.
2. Identify Applicable Controls.
3. Define Maturity Expectations.
4. Publish Governance Documentation.
5. Assign Stakeholder Accountability.
6. Prioritize Capabilities According To Risk.
7. Maintain Situational Awareness.
8. Manage Risk.
9. Evolve Processes.

ComplianceForge has simplified the concept of "how to GRC" in the following downloadable diagram to demonstrate the unique nature of these components, as well as the dependencies that exist:

Integrated Controls Management (ICM) – Overlaid On Integrated Cybersecurity Governance Model (ICGM) 

The nine (9) principles associated with the SCRMS:

SCRMS Principle 1: Establish Context

To build and maintain efficient and effective operations, a cybersecurity and data protection program must have a hierarchical vision, mission and strategy that directly supports the entity’s broader strategic objectives and business processes. This process of establishing context involves identifying all applicable external compliance requirements (e.g., laws, regulations and contractual obligations), internal directives (e.g., Board of Directors, corporate policies, etc.). This also includes understanding applicable risks and threats, since the entity’s exposure to those may influence the need for controls beyond those that are mandated as compliance obligations.

Establishing context is both a due diligence and due care element of an entity’s cybersecurity and data protection program, since context changes with time. Things to consider when establishing context:

• Mission / vision / strategy of the entity;
• Statutory (law), regulatory (regulation) and contractual requirements for cybersecurity and data protection;
• Fiscal constraints;
• The entity’s structure;
• The entity’s risk profile (including risk appetite, risk tolerance and risk threshold considerations);
• Planned organizational changes (e.g., Mergers, Acquisitions & Divestitures (MA&D));
• Corporate culture (e.g., how receptive is the entity to change); and
• Geographic-specific requirements.

SCRMS Principle 2: Identify Applicable Controls

A tailored set of cybersecurity and data protection controls must exist for an entity to implement a SCRMS. This control set needs to be tailored for the entity’s unique requirements, such as a combination of Minimum Compliance Requirements (MCR) and Discretionary Security Requirements (DSR). This blend of “must have” and “nice to have” requirements establish an entity’s tailored control set to help ensure secure, compliant and resilient capabilities.

SCRMS Principle 3: Define Maturity Expectations

The entity must define maturity expectations for its cybersecurity and data protection controls. From the perspective of the SCRMS, the maturity expectations define entity-specific “what right looks like” expectations for control implementation and continued operation. The maturity-based criteria are applicable to People, Processes, Technologies, Data & Facilities (PPTDF).

Maturity targets are expected to directly support the entity’s need for security, compliance and resiliency capabilities. These maturity targets can be used by an entity’s leadership for:

• Multi-year business planning;
• Budgeting; and
• Assessment criteria.

SCRMS Principle 4: Publish Governance Documentation

Cybersecurity and data protection documentation must exist, otherwise an entity’s governance practices are both unenforceable and indefensible. Formalizing entity-specific requirements via documented policies, standards and procedures are necessary to operationalize cybersecurity and data protection controls.

Documented policies, standards and procedures provide evidence of due diligence that the entity identified and implemented reasonable steps to address its applicable requirements. The output of procedures provides evidence of due care that controls were operated as described.

SCRMS Principle 5: Assign Stakeholder Accountability

Controls must be assigned to stakeholders to ensure accountability (e.g., business units, teams and/or individuals). These “control owners” are expected to assign the task of executing controls to “control operators” at the Individual Contributors (IC)-level.

• Stakeholders utilize the prescriptive requirements from policies and standards to develop Standardized Operating Procedures (SOP) that enable ICs to execute those controls.
• The documented execution of procedures provides evidence of due care that reasonable practices are being performed.

SCRMS Principle 6: Prioritize Capabilities According To Risk

Security, compliance and resilience capabilities must be prioritized based on applicable risks and threats. Not all risks and threats are equal, so a risk-based prioritization must occur.

SCRMS Principle 7: Maintain Situational Awareness

Situational awareness must involve more than merely “monitoring controls” (e.g., metrics). While metrics are a point-in-time snapshot into discrete controls performance, the broader view of metrics leads to a longer-term trend analysis (e.g., analytics). When properly tied in with current audits, control deficiencies, risk, threat and vulnerability information, this broader insight provides “situational awareness” that is necessary for an entity’s leadership to adjust plans to operate within the defined risk threshold.

SCRMS Principle 8: Manage Risk

Proactive risk management processes must exist across all phases of Technology Assets, Applications, Services and/or Data (TAASD) life cycles to address Confidentiality, Integrity, Availability and Safety (CIAS) aspects. Based on finite resources (e.g., time, personnel and money), it is necessary to utilize prioritized risk management practices that ensure issues posing the highest risk are addressed first.

Risk management must address internal and external factors, including data privacy, Artificial Intelligence (AI), embedded technology and Supply Chain Risk Management (SCRM) considerations. To manage risk, it requires the entity to enforce a clearly-defined risk threshold and ensure reasonable security practices are operational.

SCRMS Principle 9: Evolve Processes

Cybersecurity and data protection measures must adapt and evolve to address business operations and the evolving threat landscape. This requires the adoption of a Plan, Do, Check & Act (PDCA) approach (e.g., Deming Cycle) to ensure the entity proactively identifies its requirements, implements appropriate protections, maintains situational awareness to detect incidents, operates a viable capability to respond to incidents and can sustain key business operations, if an incident occurs.

Things to consider when evolving processes:

• Changes in the compliance landscape (e.g., laws, regulations and contractual obligations);
• Technology changes; and
• Budget/resourcing constraints that affect how processes are implemented.

Plan-Do-Check-Act (PDCA) Approach To GRC

The ICM takes a comprehensive view towards governing a cybersecurity and privacy program. Without an overarching concept of operations for the broader GRC/IRM function, organizations will often find that their governance, risk, compliance and privacy teams are siloed in how they think and operate. These siloed functions and unclear roles often stem from a lack of a strategic understanding of how these specific functions come together to build a symbiotic working relationship between the individual teams that enables quality control over people, processes and technology. The ICM utilizes a Plan, Do, Check & Act (PDCA) approach that is a logical way to design a governance structure: