Compliance and Governance

Compliance and governance establish frameworks to ensure that organizations operate within legal, regulatory, and security best-practice requirements.

What is GRC?

Governance, Risk, and Compliance (GRC) is an integrated approach to managing governance, risk management, and regulatory compliance.

LGPD - General Data Protection Law

Fundamental Principles

  • Purpose, adequacy, and necessity
  • Free access and transparency
  • Security and prevention
  • Non-discrimination
  • Accountability and reporting

Legal Bases

  • Consent of the data subject
  • Compliance with a legal obligation
  • Performance of a contract
  • Legitimate interest
  • Protection of life or physical safety

Data Subject Rights

  • Confirmation of and access to data
  • Correction of incomplete or inaccurate data
  • Anonymization, blocking, or deletion
  • Data portability
  • Withdrawal of consent

GDPR - General Data Protection Regulation

Extraterritorial Applicability

GDPR applies to organizations that:

  • Process data of EU residents
  • Monitor behavior within the EU
  • Offer goods/services in the EU

Penalties

  • Tier 1: Up to €10M or 2% of annual global revenue
  • Tier 2: Up to €20M or 4% of annual global revenue

ISO 27001

International standard for Information Security Management Systems (ISMS).

Structure

  • Clauses 4-10: ISMS requirements
  • Annex A: 93 controls organized into 4 categories

Control Categories

  • Organizational (37 controls)
  • People (8 controls)
  • Physical (14 controls)
  • Technological (34 controls)

PDCA Cycle

  • Plan: Establish the ISMS
  • Do: Implement and operate
  • Check: Monitor and review
  • Act: Maintain and improve

SOC 2

Framework for reporting on service controls in service organizations.

Trust Service Criteria

  • Security: Protection against unauthorized access
  • Availability: System available as committed
  • Processing Integrity: Complete and accurate processing
  • Confidentiality: Confidential information protected
  • Privacy: Personal information collected, used, and retained in accordance with commitments

Type I vs Type II

  • Type I: Design of controls at a point in time
  • Type II: Operational effectiveness over a period (usually 6-12 months)

PCI-DSS

Payment Card Industry Data Security Standard for organizations that process cards.

12 Requirements

  1. Install and maintain firewall configuration
  2. Do not use vendor defaults for passwords
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data
  5. Protect systems against malware
  6. Develop and maintain secure systems
  7. Restrict access to data by business need-to-know
  8. Identify and authenticate access to components
  9. Restrict physical access to cardholder data
  10. Track and monitor access to network resources
  11. Regularly test systems and processes
  12. Maintain an information security policy

NIST Cybersecurity Framework

Voluntary framework consisting of standards, guidelines, and practices.

5 Core Functions

  • Identify: Develop organizational understanding
  • Protect: Develop and implement safeguards
  • Detect: Develop and implement detection activities
  • Respond: Develop and implement response activities
  • Recover: Develop and implement recovery plans

CIS Controls

18 prioritized and actionable controls for cyber defense.

Implementation Groups

  • IG1: Small organizations, limited resources
  • IG2: Medium organizations, more resources
  • IG3: Large organizations, dedicated specialists

Risk Management

Process

  1. Identification: Catalog assets and threats
  2. Analysis: Assess likelihood and impact
  3. Evaluation: Prioritize risks
  4. Treatment: Accept, mitigate, transfer, or avoid
  5. Monitoring: Review continuously

Methodologies

  • ISO 31000 - Risk Management
  • NIST 800-30 - Risk Assessment
  • FAIR (Factor Analysis of Information Risk)

Audits and Assessments

Types

  • Internal Audit: Conducted by the organization itself
  • External Audit: Independent third party
  • Certification Audit: For certification (ISO 27001)
  • Compliance Audit: Verify adherence to regulation

GRC Platforms

  • ServiceNow GRC: Integrated with ITSM
  • RSA Archer: Enterprise GRC platform
  • MetricStream: GRC and risk management
  • LogicGate: Risk Cloud platform
  • Vanta/Drata: Automated compliance (SOC 2, ISO)

Best Practices

  • Integrate compliance into organizational culture
  • Automate evidence collection
  • Maintain an inventory of applicable requirements
  • Conduct gap assessments regularly
  • Train the team on requirements
  • Document policies and procedures
  • Implement compensating controls when necessary
  • Maintain communication with regulators

Compliance is not merely a checkbox exercise, but an opportunity to improve security posture. Frameworks and regulations provide a tested roadmap for implementing robust controls. Organizations should view compliance as a baseline, not a ceiling, for their security practices.