Compliance and Governance
Compliance and governance establish frameworks to ensure that organizations operate within legal, regulatory, and security best-practice requirements.
What is GRC?
Governance, Risk, and Compliance (GRC) is an integrated approach to managing governance, risk management, and regulatory compliance.
LGPD - General Data Protection Law
Fundamental Principles
- Purpose, adequacy, and necessity
- Free access and transparency
- Security and prevention
- Non-discrimination
- Accountability and reporting
Legal Bases
- Consent of the data subject
- Compliance with a legal obligation
- Performance of a contract
- Legitimate interest
- Protection of life or physical safety
Data Subject Rights
- Confirmation of and access to data
- Correction of incomplete or inaccurate data
- Anonymization, blocking, or deletion
- Data portability
- Withdrawal of consent
GDPR - General Data Protection Regulation
Extraterritorial Applicability
GDPR applies to organizations that:
- Process data of EU residents
- Monitor behavior within the EU
- Offer goods/services in the EU
Penalties
- Tier 1: Up to €10M or 2% of annual global revenue
- Tier 2: Up to €20M or 4% of annual global revenue
ISO 27001
International standard for Information Security Management Systems (ISMS).
Structure
- Clauses 4-10: ISMS requirements
- Annex A: 93 controls organized into 4 categories
Control Categories
- Organizational (37 controls)
- People (8 controls)
- Physical (14 controls)
- Technological (34 controls)
PDCA Cycle
- Plan: Establish the ISMS
- Do: Implement and operate
- Check: Monitor and review
- Act: Maintain and improve
SOC 2
Framework for reporting on service controls in service organizations.
Trust Service Criteria
- Security: Protection against unauthorized access
- Availability: System available as committed
- Processing Integrity: Complete and accurate processing
- Confidentiality: Confidential information protected
- Privacy: Personal information collected, used, and retained in accordance with commitments
Type I vs Type II
- Type I: Design of controls at a point in time
- Type II: Operational effectiveness over a period (usually 6-12 months)
PCI-DSS
Payment Card Industry Data Security Standard for organizations that process cards.
12 Requirements
- Install and maintain firewall configuration
- Do not use vendor defaults for passwords
- Protect stored cardholder data
- Encrypt transmission of cardholder data
- Protect systems against malware
- Develop and maintain secure systems
- Restrict access to data by business need-to-know
- Identify and authenticate access to components
- Restrict physical access to cardholder data
- Track and monitor access to network resources
- Regularly test systems and processes
- Maintain an information security policy
NIST Cybersecurity Framework
Voluntary framework consisting of standards, guidelines, and practices.
5 Core Functions
- Identify: Develop organizational understanding
- Protect: Develop and implement safeguards
- Detect: Develop and implement detection activities
- Respond: Develop and implement response activities
- Recover: Develop and implement recovery plans
CIS Controls
18 prioritized and actionable controls for cyber defense.
Implementation Groups
- IG1: Small organizations, limited resources
- IG2: Medium organizations, more resources
- IG3: Large organizations, dedicated specialists
Risk Management
Process
- Identification: Catalog assets and threats
- Analysis: Assess likelihood and impact
- Evaluation: Prioritize risks
- Treatment: Accept, mitigate, transfer, or avoid
- Monitoring: Review continuously
Methodologies
- ISO 31000 - Risk Management
- NIST 800-30 - Risk Assessment
- FAIR (Factor Analysis of Information Risk)
Audits and Assessments
Types
- Internal Audit: Conducted by the organization itself
- External Audit: Independent third party
- Certification Audit: For certification (ISO 27001)
- Compliance Audit: Verify adherence to regulation
GRC Platforms
- ServiceNow GRC: Integrated with ITSM
- RSA Archer: Enterprise GRC platform
- MetricStream: GRC and risk management
- LogicGate: Risk Cloud platform
- Vanta/Drata: Automated compliance (SOC 2, ISO)
Best Practices
- Integrate compliance into organizational culture
- Automate evidence collection
- Maintain an inventory of applicable requirements
- Conduct gap assessments regularly
- Train the team on requirements
- Document policies and procedures
- Implement compensating controls when necessary
- Maintain communication with regulators
Compliance is not merely a checkbox exercise, but an opportunity to improve security posture. Frameworks and regulations provide a tested roadmap for implementing robust controls. Organizations should view compliance as a baseline, not a ceiling, for their security practices.
