GRC Lecture: Governance, Risk and Compliance Frameworks

Name: GRC Analyst Masterclass : Build Policies, Manage Risks, and Ensure Compliance
Uploaded: 2024-11-21T13:00:06+00:00
Duration: 2 h 13 min 35 s
Channel: Prabh Nair
Description: Summary and key takeaways on GRC Lecture: Governance, Risk and Compliance Frameworks, covering to Governance Governance establishes accountability
Prabh Nair
Nov 21, 2024
•
133 min video
•
3 min read
YouTube video ID: JswwHeEqBIc
Source: YouTube video by Prabh Nair — Watch original video
PDF
Governance establishes accountability, transparency, and alignment with organizational goals. It does so through a framework of policies, standards, defined roles (RACI), and procedures that guide consistent execution. Without governance, organizations experience confusion, lack direction, and encounter conflict.
Governance Hierarchy

Corporate governance evaluates, directs, and monitors the enterprise as a whole. IT governance is typically led by the CIO and focuses on aligning technology with business objectives. Information security governance is led by the CISO and concentrates on protecting all assets, with cyber security specifically safeguarding digital assets.
GRC Professional Roles

GRC analysts bridge operational efficiency, compliance, and risk by translating requirements into actionable controls. Risk analysts identify, analyze, and treat threats using likelihood‑impact metrics. Privacy and compliance specialists interpret regulations such as GDPR or DPDP for business units. IT auditors test controls and evaluate evidence, while vendor‑risk (TPRM) specialists assess third‑party risk before onboarding.
Regulatory vs. Business Requirements

Legal and regulatory requirements are non‑negotiable mandates. Stakeholder requirements reflect expectations from customers, partners, or investors. Business requirements capture internal goals and performance targets. Effective GRC aligns all three layers while respecting the hierarchy of obligations.
Three Lines of Defense

The first line—operational management and process owners—owns and manages risk directly. The second line—risk management, compliance, and privacy functions—provides oversight, guidance, and monitoring. The third line—internal audit—delivers independent assurance and reports directly to the board.
Frameworks and Standards

Frameworks such as COBIT, COSO, and NIST give high‑level guidance on how to approach governance, risk, and compliance. Standards like ISO 27001, PCI‑DSS, or SOC 2 define specific, mandatory requirements that organizations must implement to achieve certification. IT general controls (ITGCs) such as access management, change control, and backups form the technical foundation for financial reporting integrity under SOX.
Risk Fundamentals

A threat exploits a vulnerability, creating risk. Risk is quantified as Likelihood × Impact, where likelihood measures the probability of exploitation and impact measures the severity of consequences. Risk appetite, capacity, and tolerance set the boundaries for acceptable exposure. Treatment options include avoidance, mitigation, acceptance, and transfer. An incident is a confirmed event that has already occurred, distinct from the probabilistic nature of risk.
Policy & Governance Hierarchy

Policy: Broad rules and management intent.
Standard: Uniform requirements applied across the organization.
Baseline: Minimum acceptable security configuration.
Procedure: Step‑by‑step instructions for consistent execution.
Guideline: Optional best‑practice recommendations.
GRC Implementation Lifecycle

Preparation – Create a Business Requirement Document and conduct stakeholder analysis.
Regulatory Mapping – Align legal obligations with business processes.
Gap Assessment – Use a scoping matrix to identify differences between current practices and required standards.
Control Design – Classify controls as preventive, detective, or corrective and map them to frameworks.
Continuous Monitoring – Track key performance indicators (KPIs) and key risk areas (KRAs) through Risk and Control Self‑Assessments (RCSA) and ongoing audits.
Audit & Awareness

The internal audit process follows four steps: planning (audit memo and risk assessment), fieldwork (interviews and document requests), test work (workpapers and evidence collection), and reporting (draft report, exit meeting, and action‑plan follow‑up). Training modifies skills, while awareness shapes behavior, both essential for a resilient GRC program.
Mechanisms and Explanations

Governance Cycle (EDM) – Evaluate legal, regulatory, and market needs; Direct strategy and policy; Monitor performance and compliance.
ITGC Integration with COSO – COSO provides the high‑level internal‑control framework; specific ITGCs satisfy COSO’s control‑activity requirements.
Risk Statement Formula – “Due to [cause], there is a risk of [event] resulting in [impact].”
Audit Process Steps – Planning, fieldwork, test work, and reporting create a structured path to independent assurance.
Takeaways

Governance provides accountability, transparency, and alignment by defining policies, standards, roles, and procedures that guide organizational behavior.
The GRC hierarchy separates corporate governance (evaluate, direct, monitor), IT governance led by the CIO, and information security governance led by the CISO.
GRC professionals—including analysts, risk specialists, privacy experts, and IT auditors—translate regulations into actionable controls and manage day‑to‑day risk activities.
Risk is quantified as likelihood multiplied by impact, with treatment options of avoidance, mitigation, acceptance, or transfer, governed by appetite, capacity, and tolerance.
Implementing GRC follows a lifecycle of preparation, stakeholder analysis, gap assessment, control design, and continuous monitoring, supported by frameworks such as COBIT, COSO, NIST, and standards like ISO 27001.
Frequently Asked Questions

How is risk calculated in GRC frameworks?

Risk equals likelihood times impact; likelihood measures the probability of a threat exploiting a vulnerability, while impact measures the severity of consequences for the organization. This formula guides risk prioritization and treatment decisions across GRC programs.
What distinguishes a framework from a standard in GRC?

A framework offers high‑level guidance on how to approach governance, risk, and compliance, while a standard specifies mandatory, detailed requirements that organizations must implement to achieve certification or compliance. Thus, frameworks shape strategy and processes, whereas standards define the exact controls and metrics to be audited.
Who is Prabh Nair on YouTube?

Prabh Nair is a YouTube channel that publishes videos on a range of topics. Browse more summaries from this channel below.
Does this page include the full transcript of the video?

Yes, the full transcript for this video is available on this page. Click 'Show transcript' in the sidebar to read it.
Helpful resources related to this video

If you want to practice or explore the concepts discussed in the video, these commonly used tools may help.
Official Isaca Cobit 2019 Framework Book Recommended
Provides the authoritative guidance on IT governance and management, which is central to the GRC concepts discussed in the lecture.
Amazon →
Iso 27001 Lead Auditor Training Book
Covers the implementation and auditing of information security management systems, directly supporting the lecture's focus on compliance and audit.
Amazon →
It Risk Management And Compliance Book
Offers a comprehensive overview of risk assessment methodologies and regulatory compliance, reinforcing the lecture's core themes.
Amazon →
Professional Notebook For Audit Workpapers
Essential for GRC professionals to document fieldwork, evidence collection, and test work during the audit process described in the brief.
Amazon →
Links may be affiliate links. We only include resources that are genuinely relevant to the topic.
Summarize another video
Full Transcript YouTube

hello team welcome to my session on
coffee with PR and today we're going to
discuss about GRC analyst actually in
every company the JC analyst role is
different so this video is going to be
start from zero what is governance and
we'll also going to discuss about how
governance actually Implement in the
organization I can proudly say that it
is a first kind of a video which cover
endtoend approach of GRC which include
your skill
certification how practically GRC work
in the organization what are the
components and different perspective of
audit on Shop video for entire
GRC I really put a lot of efforts in
building this content so if you're new
to the channel to subscribe to the
channel and click on the Bell icon to
make sure you should not miss my future
videos on a similar topic my name is
brab for more information check my
LinkedIn profile because I don't want to
spend time on the introduction but for
your information I have a 17 plus year
of experience in GRC sock and offensive
security so without wasting a time let's
start with the first part thank
[Music]
[Music]
you so before we start with actual thing
let's understand the basic six first so
what is
governance okay so governance is like a
you
know governing something or it is a it
is basically a framework okay it is a
framework for rules practice and process
that guide how organization is manage
and control now if you take example of
country like India let's say example of
India okay so we have more than 25
States right so we have more than 25
States each state has has their own
belief system so country like India
country like Pakistan country like
Bangladesh country like us UA and all
that so each and every state each and
every country has their their own belief
systems and there are some different
resources we have like people are there
nature is there so everything need to be
managed properly and to manage them they
need to create a
rules okay they need to introduce law
they need to manage them appropriately
so so they will form one system that
system is called as a governance if you
take another
example okay with the same context of
India and India what happen is we have a
ministers so we appoint ministers the
minister create a law they create a
department and then they manage them to
create a value for us that is called as
a governance even when your parents
create a rules for you introduce a
processes for you okay every day morning
you have to wake up 9:00 10:00 you need
to have a breakfast 11:00 you have to go
to school come back so they creating a
policy which is called as a law for you
they creating a process how to follow
that policy and by end of the day
they're trying to create a discipline to
give you the better life same like
company in order to manage that company
their resources everything they create a
rule they create a practices and
processes that guide how the organiz is
managed control I want to show you one
video okay so you get a visibility why
governance is
important so if you see this video
you'll get a better visibility
he just directly jump into the
car no parking nothing breaking a
glass you can see the way of taking taxi
it is against the law wherever you
park you jump and you break the glass no
one care even it is mentioned no helmet
he's still wearing a helmet and now you
see the entry
tan so that is a perfect example of bad
governance now understood so if they
have a system if they have a law if they
have some policies then nothing will be
happen like that so that's why I called
governance ensure accountability
transparency alignment with the goals
and objective so it is like governance
which is a process of governing or
overseeing the control and direction of
something okay if country creating
governance country governance if
parenting creating a rule for the kids
that is called parenting governance so
now question is why governance matter in
the organization
okay so the first part why governance
matter so why because the first biggest
reason is direction see when you're
talking about governance governance set
the organization goals okay and they
strategic directions just like family
you know you have a family so family is
something which set the
goals okay set they set the goals they
they set the you know the goals like
they want to planning a vacation
so or they want to save for a new car or
making sure kid do wells in a school so
governance in an organization also set
the goals and directions okay so if you
take example this is the bank we
have so this bank is doing offline
business in Delhi or Melbourne offline
business mean there's nothing online
everyone has to go to bank and Avail the
services now the bank understood they
want expansion they need to introduce
it so they have given instruction to CIO
plan the it function then CI get the
information from a ceso ensure the
security all these part of a strategic
Direction so the family have a strategic
direction to save money spend quality
time together or prioritize education
same like the company basically have a
strategic Direction okay this year this
plan next year this plan and if the
organization has appropriate strategy
and everything that should shows a good
governance that's why governance matter
second is called as an accountability
see it ensure your decisions are made
responsible with a clear and
accountability at every level that's why
if you notice in your company you have a
racy metrics racy racy metric so someone
is responsible someone is accountable
someone is need to be consulted and
informed okay so in a family same
everyone has a responsibility so parent
might manage the finance older kids
might have with the you know chores and
younger kids are responsible for the
school work so governance ensure
everyone know their roles and it can be
counted on so if anything happen for
instance a family can quickly see who
was supposed to do what hold them
accountable so they have a visibility so
accountability is very important the
third important thing risk management in
my further slide we discuss in detail so
governance structure helps to identify
assess and control the risk same like
your family face risk too like managing
expenses staying safe or preparing for
emergencies right so governance in a
family involved planning for those risk
like saving for unexpected expenses or
having an emergency contacts or teaching
kid about safety and this way risk are
minimized now let's say example I'm
getting every month salary of
$110,000 suppose I have a kid I don't
have a kid but suppose I have a kid now
he said today he need a PlayStation so I
have to see my finance and I will see
okay can I gift him a PlayStation in
this budget and if I gift him
PlayStation from this cause can I able
to run my entire house understood so
here I'm doing a risk because I don't
want if tomorrow buy and I have to face
the consequences same like company when
they go for new project and all that so
project can give reward also but it can
also give a liability a good company is
the one a good governance is the one we
do risk management because ultimately we
have to reduce the risk and prepare for
the surprises and last is called as a
governance called compliance why
governance matter in the organization
because of
compliance so like example my father has
set the rules for me so I have to abide
with that rule so I'm using a word
called comply with the rule understood
so family follow the rules right so
compliance ensure we other to the law
regulations and internal policy which
protecting the organization from fines
or reputational damage so compliance
here like family follow the rules or
maintain the harmony to ensure everyone
wellbeing like bedtime limit on screen
time are taking turns with
responsibility right like on the on the
on the dinner time no phones so we have
to comply with the rule rule was set
under the governance so because if you
see the word
g RC governance risk management
compliance so during a governance we set
the rule and now we have to comply if we
don't comply there's a risk right so
during a part of a building process they
have ensure no one will basically take a
phone during a dinner time and this is
basically we have to comply
right so
compliance basically ensure you other to
the specific things okay now question is
overall why governance matter so in this
example you notice right without
governance family might
struggle okay if you don't have a
direction the family might struggle with
you know unexpected goals confusion over
the responsibility and conflict around a
rule and by setting a goal and ensuring
accountability we can prepare for risk
and maintaining a rule and the family
can build a healthy organiz and support
environment just as a governance does
for the organization that is why
governance matter today in the
organization so let's discuss the next
part a key element of governance so the
question is what are the key elements of
the governance the first important
element is policy and standard everyone
has to wake up on time it's a law
created by it's a policy or it's a rule
of my house same like every system must
be protected with the password that is a
policy policy is nothing it is like a
law of the company same seem like policy
which is cre for my house it's a law of
my house but the standard is what time
we have to wake up like policy say that
we have to wake up on time but question
is what is a Time 7:00 a.m. is the
standard time it is for me and for my
cousin so the first important component
which is a foundation for any any
company governance is policy so if you
want to check the maturity of any
company first ask for the policy okay so
governance include setting up the policy
okay and standard that Define the
expected behavior and operational
practice and this these policies helps
to establish what is allowed required or
prohibited within the organization same
like I said in family policy are like
house rules such as no phones at dinner
table or bedtime at 9:00 p.m. so these
rules set clear expectation what is
allowed or what is not and they help
everyone understand what behaviors are
expected to maintain Harmony at the home
that is where any kind of an activity
you want to introduce policy is the
first step second important element is
called roles so governance Define who is
responsible for various activity so
there should not be any surprises okay
and this is something we document as a
decision within the organization and
this ensure the accountability and
Clarity so that everyone understand the
duties from a Senior Management to the
individual contributor so every family
member has a specific role like parent
may handle the finance grocery shoppings
older kids will taking care of the trash
or doing the dishes and so role make
sure everyone know what they're
responsible and this reduce the
confusion and making the family run
smoothly that is why in your company you
have a RAC metrix third is that whatever
the policy standard we have to follow it
is followed by the
procedures okay so on one side we are
saying we have to go on bed 9:00 a.m. or
9:00 p.m. so what is a process what is a
procedure or I have to set eight8
character password so what is a process
what is a procedure so governance
outline the procedures that ensure
consistent
okay
reliable and
repeti outcome so these process are
especially important in the critical
areas like Risk Management compliance
and quality control I'll give an example
so I am the I have appointed a Dr
coordinator Disaster Recovery
coordinator he created a procedure or
she created a procedure now in her
absence or in his absence someone can
follow the procedure blindly and that is
called as a good governance so
procedures are the one which generate
the same results consistent results like
procedures like processes in a family
like routine such as getting ready for
the school in the morning or each steps
is organize everyone wake up eat
breakfast brushes their te teeth and get
dressed so these routines helps the
things to ensure in a predictable way so
no one miss the school bus or forget
their lunch that's why that's very
important part the next thing is called
as accountability and oversight so
governance Pro provide the mechanism to
monitor the activities okay which is add
to the policies and all that and this
oversight bodies like board of directors
or governance committee they review the
report because if you ask me the overall
function of governance is three so we
have a governance part
evaluate direct and monitor and this is
my operation team when they work on that
this is basically oversight by the board
so board is the one who always get a
reports on regular basis because by that
they get a visibility and it is very
important to have that okay it is very
important so same like you know we
collecting a audits we're doing an
audits we review the reports and by this
you can hold people accountable for
their actions that's why when you face
any Audits and all that you you know
auditor give you the recommendation and
then do the followup okay that's that's
an important part so accountability in a
family mean making sure everyone does
their part so parent check if if uh
cleaning has been done properly or if
homework is completed like you know I'm
sure you also experience that so that's
example of
oversight next important thing a good
governance is the one where whatever the
strategy you have set whatever the
initiative you have set it is aligned
with the business goals for instances
governance might ensure security P
practices aligned with the business
goals so that good security governance
is the one which align with the business
goals or family might have a goal like
saving money or Vacations so making sure
everyone eat healthier so governance
helps to align daily activity with these
goals understood so that that is
something is part of the function so
these are the key components we have now
now let's understand how the overall
organization works in the functions okay
so we going to discuss now type of
governance so that give you the better
visibility see when we talking about
organization hierarchy so this is how
the actual organization works so the
first part is called as a
CEO okay now before going to discuss
this I want to discuss the higher
so as I said governance is a set of
operation okay so under the governance
we have an important element let me
change the
color okay so under the governance we
have first thing which is called as a
corporate
governance corporate governance
corporate governance okay and corporate
governance is the one who set the goal
okay they are the one who set the goals
and they are the one who set the
direction hey guys we have to start new
business we want to go digital so that
is Def by the corporate governance now
who is part of corporate governance
board and Senior Management they are the
one who set the goals so let's say
example we are doing offline business
and now we want to do online business
okay that is basically basically my
goal so we have decided because right
now we're doing offline banking so I
want to start banking services in entire
Melbourne and I want to do in Sydney
example or I want to do in Delhi or I
want to do in Mumbai so what happened is
Corporate governance said that okay
increase business increase sales and
everything so then it is giving a
direction to the IT
team which is called as it governance
they create policy CR procedures they
introduce AI ML and all that so this is
basically driven by the CIO Chief
Information officer so he so corporate
governance given given a direction to it
governance hey guys we want to go
digital now support digital but make
sure this Dell should be secure we have
one governance which is called as a
information security governance they
create their policy procedure and all
that to protect the business and protect
the it and protect the business so
that's why say C CEO is the one who said
the organization strategy we want to go
digital fine CIO will ensure how the
disal can support the goals ceso will
ensure how the security can be achieved
that then security manager create isms
and all that then security admin is
there who create a sock sop and this is
how the security technical team operate
on the local level so that is how the
entire hierarchy works so to understand
better let's understand one by one each
and every statement okay so first let's
discuss about the corporate governance
so I already explained you in the
previous slide what is corporate
governance so Foundation of GRC is
Corporate governance because they are
the one who said the thing so if you see
the hierarchy according to cobit
corporate governance is the one who
follow three thing e d m according to
covid E stand for evaluate so they
evaluate the legal requirement regulat
requirement compliance requirement
customer requirement in in my further
slide we discuss how we arrange the
sequence so they evaluating the Market
condition and they understood yes we
have to go digital okay we have to go
digital that is basically my need we
have so corporate governance understand
that particular
thing and then they
basically giving a direction to the
CIO okay so CIO is the one who drive the
initiatives so now CI got the direction
so now what happened is C based on that
create a strategy
they create the Tactical plan they
create operation plan and then so we
have a evaluate direct CIO is the one
who will do the planning building run
and monitor but parall we also have a
ceso ceso also doing a planning building
run and monitor to make sure it can able
to secure the business and provide the
report and this is basically called as a
e DM evaluate direct and monitor and
cesos and CI doing a pbrm they creating
their strategy that's called it
governance they're doing that
information security governance and
corporate doing their function that
called corporate governance so corporate
governance set the Strategic objectives
and it guide the ethical Behavior
oversee the compliance with legal
regulatory requirement so their major
Focus will be on the board oversight
they want executive to be accountable
they want transparencies and they are
actually accountable for anything what
is happening in the organization so and
but the challenge is basically balancing
profitability with the social and
environmental responsibilities because
they have to run the business also but
also respect the culture and everything
and they are the one who set the
regulated landscape and they follow the
topown approach without governance we
can't Implement anything remember that
without governance we can't Implement
anything so that is basically called as
a corporate governance now second is
called as it governance they are the one
who aligned the it strategy with
corporate objectives as I said the bank
has decided they want to go online right
now they are the one who creating it
strategy to ensure how can they go
online so they are the one who managing
a risk asociate with the digital
transformation and their focus area is
how to allocate the resources how to
create a performance metric risk
management and integrate with the
business goals but challenges basically
as the technology get changed today you
can see there is a need of AI artificial
intelligence machine learnings and all
that so they have to see how can they
optimize the it Investments and
everything
now next is called as a information
security governance see in some
companies information security reports
to it in some companies information
security directly report to the board so
here the information security governance
ensure the protection of information
asset through the policy standard and
framework and their focus area will be
data protection risk assessment inant
response compliance and everything
challenges as things getting changed and
all that growing balance is there so how
to comply with legal regulat how to
maintain security is the most important
part see when you document information
security under the information security
we have a cyber
security so difference is cyber security
is protecting a digital
assets and information security protect
all type of
assets
all type of asset I repeat again
information security protect all type of
asset where cyber security protect
digital assets if I have a laptop it has
a data that will be protect under the
cyber security I will keep this laptop
in the physical Locker that come under
the physical security okay and in the
information security we have a three
goals maintain the confidentiality
integrity and availability like I want
to make sure whatever the information we
collect it will be protect from
unauthorized disclosure it is a user who
decides this information should be
available to one person to this person
apart from that if it's available to
anyone else it's a breach of
confidentiality whatever whatever the
information we provide it must be
accurate that is called integrity and
third is it must be available whenever
it required it is same like right you're
sharing your secret with your friend and
he told everyone will you trust him no
so it's a breach of
confidentiality you ask for some advice
and he give some wrong advice will you
trust him again no that is an Integrity
he said okay whenever you need I will be
available and he was not available when
you need that is availability so that is
how the governance risk compliance and
information security works in the
organization now this is the summary
okay so here you can see corporate
governance set the Strategic objective
for
it okay they are the one so first is set
the objectives said we also Define the
compliance requirement that we need to
comply with the legal regulat
requirement and then they basically
expecting it risk assessment report from
it but it get this assessment from the
information security
governance okay information security
governance and it implement the security
controls uh information security
governance report to CIA on the it
security metrics they do the risk
assessment end to end to make sure
things are working correctly so that
they get a reports on regular basis and
they also report the it performance so
this is basically the overall type of
governance now we're going to discuss
about a day in a life of of a GRC
analyst see in different different
company the people does different
different role okay in some company GRC
analyst mean doing doing an audit work
in some company GRC analyst is the one
who does the risk assessment and the
implementation of a control so let's
understand the day of a life of a GRC
analyst so you get a visibility what
kind of a role he does okay let's move
to the next
part okay so now the question is why uh
we need a JC analyst actually this is a
very burst word GRC analyst so in some
companies it is a role of an auditor
in some companies GRC analyst do risk
assessment so I want to I want to share
you you know a very good summary of day
of a life of a GRC analyst and this is
something I got from the participant who
really worked on GRC you need to
understand one thing GRC analyst are
essential uh for ensuring your business
resilience reducing risk exposure and
maintaining a Competitive Edge I'll will
explain with the
example I have a budget of 10,000 rupees
okay or $10,000 now I want to invest so
one is that or you have a $10,000 okay
now you tell me if you want to invest in
a stock market will you use your
knowledge or will you trust the subject
matter expert of the stock market
definitely you will take the help of the
stock market expert because they're good
with that they predict the issues they
predict everything and according to they
will tell you okay invest money here or
invest money there that is how it works
same like company when they go for any
new initiative like company has decided
to go for
cloud without doing any analysis simply
move to the cloud and tomorrow Cloud was
down so Cloud was down it impact your
business and you are now saying sorry to
your customer to avoid that we assume
okay if you go tomorrow there what going
to be
happen if you take this initiative what
going to be happen so that is where the
company hire GRC analyst so you run your
business and you run your it you run all
the activity with limited impact so they
brid the gap between the operational
efficiencies Regulatory Compliance and
risk management and make them you know
important asset to any organization
today GRC analysts use for cost saving
it's supporting a business goals and um
they also protecting the organization
reputations and everything so we're
going to discuss in in in detail what
are the different profiles we have so
normally they start with I'm assuming
925 so they start with the first is
checking old emails and all that they
also check into GRC system which is
called GRC Archer and all that there's a
tool called Archer a r c e r
okay so a r c e Archer tools so they
check into GRC system for any pending
task such as any upcoming on compliance
deadline audit schedules and open risk
assessment and they try to update
day-to-day list with the high priority
items and focus on key risk like example
yesterday they want to do followup today
for something new issues
so they have a task list okay today to
you know how many of you to to to to to
which they have to do followup so that
is called as a review day priority then
9:30 9:00 a.m. to 10:00 a.m. they have
review the risk posture and monitoring
control so they review the organization
current risk postures including the kri
for unusual activities they check the
reports on system vulnerabilities access
control logs they they received
yesterday and and based on that they're
planning the future audits
and they also do the daily security
briefings okay because this is something
Ive created from an information security
GRC perspective so they they they check
the reports they monitor the
effectiveness of internal controls and
access controls incidents and everything
so daily security briefing include
attending a daily weekly meeting with it
security team risk management team to
discuss about current risk compliance
and everything and they also share a
relevant updates on compliance
requirement like okay dpdp is coming
they they demand security controls or
uh uh Dora is coming they demand as
respective control so collaborate with
security team prioritize and address all
the Urgent security compliance issues
then we do the compliance and policy
review where we com perform compliance
so now I'm talking about from the point
of view you're working for the company
who provides services and you're
handling multiple projects so now you
have a time because business also
started so you want to schedule the
meeting with the business teams so you
do the compliance and policy review you
do do the policy review updates you
document findings create a remediation
plans and everything whatever the old
documents you have then in the afternoon
you got a one task about doing a vendor
risk assessment so you're conducting a
risk assessment you involved with
vendors identify their issues and then
after you're doing a security awareness
preparing and revering reports again I'm
telling you each and every activity will
also depend will take one day example
today you're starting a GRC role okay so
this is your one day activity this is a
one day activity this is the one day
activity this is a one day activity so
you need to understand one important
thing in company when I say GRC some
people only appointed in GRC to do this
activity okay let
me so in some companies we have a very
specific role like there's a dedicated
person has been appointed to this
activity there's a dedicated person has
been appointed for this activity there's
a dedicated person has been appointed to
for this activity okay and this activity
is common in all the things so like
example when I'm doing a vendor risk
assessment so we have a dedicated team
called tprm
specialist okay doing just a risk
assessment for projects we have a risk
analyst risk analyst is it clear there's
a dedicated person has been appointed
for compliance assessment okay or
security control assessor and there is a
dedicate person has been appointed as a
security engineer so in GRC also we have
a different different vertical so let me
explain you with the uh one slide that
give you the better visibility
so here you can see the profile any
person any fresher who who always
started his journey I highly recommend
if you are a fresher Target for big four
companies because when you work for Big
Four you're handling different different
customers so there you have a profile
called GRC analyst or GRC associate
governance risk and compliance it mean
you're creating a governance also you're
doing a risk assessment also and you
ensure you comply with everything Your
Role is not an auditor there so there
you will assess the risk develop the
policies and conduct the internal audit
huh internal audit is there so question
is how to start GRC analyst Ro so my
humble request is start with Security
Plus first because you get a visibility
of it and it security Basics before
Security Plus it is always recommend to
do A+ and N plus I'm not doing I'm not
saying okay you do certification if you
can see the content which is available
on A+ n plus you can check that then
Security Plus and then is
27,1 the reason is very simple is
because when you managing risk like
example I want to manage my finance risk
so I should know what is finance if I'm
managing Cloud risk I should know first
cloud is what same like when you
managing a risk of an entire
infrastructure you should know what is
infrastructure so A+ and N plus comia A+
and N plus give you that visibility what
is Network how the computer works what
are the protocols and then Security Plus
give you the holistic view so A+ n plus
Security Plus will give you the
foundation okay drop a comment in a
section box if you want me to create and
to and video on Security Plus okay and
ISO 270001 is all about implementing
governance there is a dedicated playlist
I created I can probably say that that
playlist will give you the and to and
visibility to 27,1 it is it is a video
which has more than a Content than you
pay for any training companies okay so
that is there so you can check that so
that is a role called of GRC analyst and
in some companies what happen we have a
dedicated role for risk
analyst so we have a risk analyst mostly
this vertical you can see in the
financial vertical if you join any Bank
okay if you join any bank or financial
institution there we have a risk analyst
so they basically identifying risk work
with the IT team managing controls
because when you work in a financial
department when you're working in a
financial business they are highly
regulated business they can't take any
call they can't take any risk so they
hire the risk analyst who do the risk
assessment in all the vertical business
risk assessment process risk assessment
it risk assessments so my recommendation
is that there also I will recommend
start with Security Plus then do ISO
31,000 because it give you visibility
about Enterprise risk management
Enterprise risk management cover your
operational risk it risk business risk
and all that and then if you're looking
for the lead position then you can go
for C risk one thing I want to tell you
if you are a
non uh so if if you know if you're not
from a finance background then it is
difficult to get a top position in this
vertical which is called C because most
of the C are the company hire from a
finance background is it clear so if you
are looking for a top position in Risk
analysis sorry if your background is non
bcom so if you're non bcom if your
background is not a finance then it is
very important it is difficult to get
the position like cro I'm not saying you
can't do that but 90 5% of a companies
have a cro as a top position head by the
finance team because they want the the
risk assessor or risk operation guy from
the every vertical because Finance guy
can be teach security but security
person cannot be teach financing right
that's a reason so internal audit head
and cro which is a finance part it is
always an always lead by the finance
person okay then we have now which is a
new profile in GRC which is called as a
privacy and compliance specialist so
nowadays as you can see lot of
regulations are coming like gdpr PDP
pdpl and all that so we need a
people who who ensure our company to be
comply with the regulations so let's say
example there's a new business is coming
into the organization let's take a
hypothetical scenario there's a new
business there's a new
business is coming to the organization
this is the
organization okay so there's a new
business coming to organization so there
is a DPO who will interpret this
business and see how can we comply with
legal Reg regulat requirement is it
clear and then based on that DPO is the
one who will recommend the information
security person how what kind of a
controls we need let's say example we
have a office in
Bangalore and we have a sales team here
so they are basically supporting a EU
customer now as you're supporting a EU
customer you need to be comply with gdpr
so I'm not expecting the sales team to
know what is gdpr so we have a DPO here
DPO interpret the gdpr requirement and
according to that he will tell the
information security team what are the
controls We need he tell the IT team how
to manage the it so DPO is basically in
that case so nowadays if you're working
in a very regulated industry especially
privacy and all that we have a Now new
profile which is basically called as a
compliance specialist where again for
that also I will highly recommend start
with
27,1 okay because that give you the
security visibility we also have a ISO
privacy standard you can go with that
and then if you specializing in
particular privacy regulation than cipe
and cipm that's something you can do
that now we have a new profile which is
called IT Auditor so mostly in Big Four
the one who does the audit and all that
they do the it Auditors they are the one
who audit the controls they are the one
who audit the it systems highly
recommend start with comia Security Plus
and U A+ or n plus and then do cisa and
then you can go for CIA that is
recommended and now we have a third line
of difference defense in the company
which is called as a internal Auditors
internal auditor so they are the one who
audit the business they are the one
actually IT Auditor is part of internal
audit also IT Auditor can be work as a
separate function also so in my further
slide we're going to discuss about third
line of defense so that there you get a
visibility so inter auditor can be the
one who audit the business they are the
one who audit the process it and
security if you're in the security then
it Auditors has been appointed otherwise
we have a business and other Auditors
and recommended certification is start
with 27,1 or 9,1 and then go for CIA and
now we have another profile which is
called as a vendor risk analyst which is
called as a tprm specialist so they are
the one who assess the vendor before we
onboard them for the business again for
them also ctrp is there but before that
27,1 31,000 and then you can go for
ctrp so more than so is that we have a
core skills which is requ requir is
technical skills basic understanding of
cyber security data privacy regulations
and risk management framework we have
that is
important then we have a analytical
skill analytical skill is you can able
to analyze the data identify risk and
interpret the policies then
communication is very important because
if you don't communicate properly you
cannot able to convey things then
doesn't make sense so at one point of
time communication skills are
important and basic solid foundation
English writing Hindi writings sorry
English writings and practice along with
that basics of cyber basics of it is
very
important that is why I highly recommend
when you're making career in any part of
GRC in this any vertical A+ n plus is
minimum thing because at least you
should know computers that's a very
important part okay so next is called as
a day in a life of a IT Auditor also
okay because GC cover your risk
specialist tprm specialist in governance
but for the auditor we have one thing so
I'm taking a day in the life of IT
Auditor suppose there's one auditor who
got a task that he need to conduct one
audit for one project okay so how he do
that so he basically start the day by
reviewing audit plans okay Scopes this
include understanding the area system
controls has been tested okay do let me
know in the comment box shall I make a
dedicated video on that and there's
already one dedicated video how to
conduct internal audit okay then we have
a late morning which is called as a
field work field work is you conduct the
particular audit you drive the
particular audit so that is basically
called as a fieldwork which involves
ring the documentation inspecting a logs
conducting interview let's say example
I'm doing an audit of change management
process so I will collect the documents
of change management and everything then
we have a sample data analytics we
select the sample of data because it is
not possible for me to do the audit of
every systems so here what happen is we
doing an audit uh we doing a samples of
the systems and based on that we do the
audit so that something is part of the
function okay so then we evaluate the
evidences and document findings and then
afternoon we analyze the data we prepare
the recommendations and we have exit
meeting why I'm going very fast here
because there's a already dedicated
video I made how to conduct the internal
audit okay and late late afternoon you
refine the findings recommendations
audit reports and next steps so this is
how the role of an IT Auditor happen in
a day of life this a dedicated video I
made on the it audit to check that okay
so this is a summary if you're talking
about GRC platforms we have a tools like
RSA Archer service now metrix teams
again I'm telling you this video is not
been promoted by any vendor I'm just
giving you this visibility so that
tomorrow you encounter any interview so
you should have a visibility then if
you're doing a risk assessment we have a
tool like riskwatch or resolver or you
can use your own Excel sheet for Sim we
have a Splunk qar because we need to
collect data for data governance where
you need to classify because now in data
privacy data governance tool is very
important because it help you to
classify and organize the data right so
we have aw oness of one trust and for
documentation you can use
Excel PowerPoint and all that it is very
important if you are into GRC if you
into GRC then it is very important to
have a good understanding of excel word
and PowerPoint so in next section we're
going to discuss about what is legal and
Regulatory which is creating a lot of
doubt in in the buz in the
market so now next thing is that when
you start any organization okay we
already discussed that okay the first
thing you wherever you operate you need
to respect the law of the
land so you know when you're working in
the GRC or privacy you always use this
word you know you always get to know
this word is legal legal regulatory so I
want to clarify this what is the
difference we have not even started okay
we just covering all the basics okay so
when you start any organization or when
you start working in any organization
the first thing they say follow legal or
regulatory so legal mean the uh
obligation enforced by law established
by government okay applicable on
individual or organization so ultimate
goal of legal requirement is to protect
the interest of the citizen if you take
the example in India law created by
ministers can enforce and follow by the
courts and the purpose is that to
operate within the national and state
law simple simple is if you so this is
your house so there's a law of the house
you have to respect the law of the house
same like when you run you when you go
to any country you have to respect the
law of the country in India Saturday
Sunday is off but if you go to Saudi
there is a Friday and Saturday off if
you work in uman Saturday Friday
Saturday off so you have to respect the
law of the country so law is introduced
to protect the interest of the citizen
now if you take example of HIPPA so
Hippa is a health data Protection Law s
Sox was a financial reporting law for
the
corporations that what we have on the
other side regulations are set for a
particular industry so let's say example
law was introduced to protect the
interest of the citizen now in India for
the particular industry they cannot have
a same law so they introduce a
regulation Authority regulation
Authority was introduced to control a
particular industry like in India if you
want to start Insurance you need to be
comply with irda
if you want to start any kind of
financial services you need to be comply
with FBI sorry uh this called um RBI if
you want to start any kind of a food
kitchen and all that you need to be
comply with fssai so regulation was
introduced to control a particular
industry but that is abide by the law of
the country so if you fail to abide with
the irda they will have authority to
enforce the penalty and if you fail to
follow the penalty as for the law they
can send you jail so regulations are
rules set by the regulatory bodies to
enforce specific law mandatory for
organization to ensure the specific
sectors compliance and everything like
in gdpr we have a EU based data
protection applied to EU based data
protection also appli to us company if
they're doing a business and collecting
a data in Europe CCPA is a California
consumer privacy regulation applicable
for California
user EU here mean Based on data
protection apply in EU but if they doing
a business if the us-based company doing
a business in EU they have to comply
with gdpr CV regulation Financial market
and security regulation RBI guideline
for banking so this is basically called
as a regulation so when we talking about
the governance the first primary
requirement is it governance information
security governance corporate governance
is to be aligned with the business
objective yes so they have to be aligned
with the business objectives so they
have to ensure all these activities all
the initiatives whatever we have it
support the organization
strategy remember uh the case of um
Ashley medicon they're scaling up their
business but they're not scaling up the
it so it is not aligning with the
organization objective and what happened
they got hacked so or another example is
company want to prioritize the customer
privacy so we'll have a government
policy which focus on data protection
minimize data collections accordingly so
that something is part of a requirement
on the other side we do the governance
because we need to comply with the
regulat requirement okay we have to
comply with the regulatory requirement
like Hippa s Sox GB and all that
so that's why we always follow top down
approach now when we start any business
when we work in any organization we have
a requirement so I have seen a lot of
people they always get confused with
legal regulat how how it works so legal
and regulat is part of one which is
called as a regulatory requirement so
when you join any GRC or ceso or
security job and all that the first
thing you have to respect the law of the
land and if they're doing any business
in that law in that country they have to
respect the regulator of the industry so
let's say example if there's a us-based
company doing a business in India like
example Bank of America doing a business
in India for Indian citizens they have
to be comply with
RBI so regulatory requirements are
always called as a non-negotiable you
have to customize your business but they
cannot customize their Regulatory and
they also always come with the
deadlines strict compliance mandate and
potential B you know uh penalties so and
failure to meet this can result in legal
issues like example like if organization
handling the personal data it must be
complied with gdpr or Hippa that is
there so that is something is called so
we implement the controls to make sure
it address the legal regulatory
requirement like data access policies
access controls audit loggings and all
that so first we understand the
regulatory regulatory
requirement is then instruct by the
stakeholders because stakeholders the
one who want to follow regulatory they
want to to the business so once the
regulatory requirement are met we need
to focus on stakeholder requirement
which helps to build the trust and
credibility so we satisfy the
stakeholders such as uh customer
shareholders business partners and they
can directly impact the organization
success example like protecting customer
data strong encryptions establishing of
financial
transparencies okay through the regular
audit to meet the stakeholder need so
that is something is called like example
there's a bank in this world which is
known known for his secrecy which is
called Swiss bank so it's a stakeholder
requirement they want us
secrecy and they know if they build the
trust and credibility they can able to
gain things the third is called as a
business
requirement business requirement so when
it comes to the business requirement
business requirement focus on improving
the efficiencies reducing operational
risk and supporting a strategic goals
okay and these are the essential for
long-term success example like
streamline the internal processes
implement the better it change
management or establish regulated
backups so we implement the controls
which can helps the organization to
meets its internal objective like
example like automatic workflow sop
access management so that's how it works
so let's say example gdpr is a
requirement now business has a
requirement to protect the data privacy
and then we Implement some kind of a s
control which is a part of business
requirement to achieve the Regulatory
and stakeholder so that's how the
sequence works so when you're talking
about any organization the organization
GRC is operate in a three sector
actually if you
see first line of defense second line of
defense and third line of defense we're
going to discuss in detail so if any
business is operating this is basically
support by three type of governance
first line second line and third
actually this is called as three Wings
which support the business and when you
say you want to make a career in GRC
either you're making career in first
line you're making a c in second line or
you're making a c in third line in GRC
okay so now we going to discuss one by
one each in DET but before that you know
I want to tell you the purpose the three
Lano defense is a
model uh which is a recognized framework
which helps the organization to manage
the risk and ensure the accountability
robust governance and each line actually
play a important role in identifying
managing mitigating risk is it clear
that is a
significance so one thing so first is
called as a first line of business so
first line of defense is called as an OP
operational management they are the one
who own and manage the risk
directly okay so when you're talking
about first learn defense they are the
one who implement the control to manage
the risk and directly associate with the
function so responsibility like
identifying managing risk okay
implementing and executing the controls
and more important reporting any issues
and all that I will give an example so
you get a better visibility so let's say
example we have it team it team so they
want to ensure access controls are in
place and regularly review the user
accounts to prevent the unauthorized
access so that is called as a first line
okay so so employe manager within the
operational unit are Clos to the daily
activities and they Implement and
maintain the internal control such as
policies managing process and all that
so let's say example we have a sales
department so sales department want to
ensure the customer data is handled
securely by following a data privacy
policy right so they follow the document
process to prevent the unauthorized
access then we have it Department it
people are the one who implement the
access controls they measure they ensure
the authorized employ so that's called
they are the first line of business or
first line of defense which is called as
an operational management okay now
second is called as a second line of
defense so second line is the one who
oversight okay and monitor the
effectiveness of the controls put in
place by the first line so these line
usually comprise risk management comp
liance and control so identifying the so
example like this is your business okay
this is the business in this business we
have it
controls okay this it controls are
implemented based on risk assessment and
that is something done by the second
line this control is working effectively
that is assessed by the second line so
that's why it's called as risk
management and compliance they are the
one who Monitor and oversee the risk
management practice they provide
guidance strategy policies they monitor
compliance regulat requirement even for
this business if you want to onboard the
vendor so vendor risk assessment has
been done on the vendor is done by the
second line of defense only so in some
companies we have a profile called tprm
specialist third party Risk Managers
that is part of a second line or defense
only they are the one who assess the
vendors before they onboard them for
this business to make sure there's no
new risk come from the business okay or
you know so that something is there or
we have a compliance team we have a data
privacy team so data privacy team
compliance team comes under this
particular
section because for this business we
need to comply with some regulatory so
compliance team is the one who create a
control so next important element here
is you
know they are the one who develop the
risk management
framework standards and policies they
monitor the compliance with policy and
regulations and they provide kind of a
risk management team like nice and
support the first line of implementing a
control so example like we have a
compliance team
and we have a risk assessment team so
what kind of a jobs will be there is
suppose you the company is hiring a tprm
specialist so they work under this
particular team tprm okay
tprm then uh compliance manager risk
manager security manager data privacy
officer all are basically come under the
second lar of Defense first line is your
it administrator operation manager
business process owner department head
they are basically come under the first
Lear EV then we have a third line of
defense or three line of defense third
line of defense third line of defense is
the internal audit they are the one who
audit the first line and second line
make sure they're doing their business
correctly and they're doing the risk
assessment of this business correctly
these two things will be oversight by
the internal audit they are the one who
directly report to the board okay so I
will give an example okay if I an
investor and I want to invest a money so
my expectation is that you know uh my
expectation is that that how they
utilize my money is a companies working
as per the requirement so they so
internal audit are not doing
any uh audit based on certification so
SEC it's a second line who ensure also
the audit of the 27,000 one and all that
so you know is Auditors and all that
they are part of a second line of
organization second line of defense they
basically prepare the company for any
compliance standard and everything but
internal Auditors are the one who does
the audit based on what they have a
policies whatever they agreed on the
policies make sure they should work as
per the policies are they working as for
the policies and then they provide the
independent report to the board and this
is head by the chief audit head that's
why telling you for this position uh 99%
chances that they always hire a
financial person who has a knowledge of
financial audit and it audit because we
can teach Financial guy it audit but we
cannot teach the it financial statements
so 90% of profiles if you're looking for
the C Level mostly it is head by the
finance guy so third line of defense are
the providing an independent Assurance
they provide the unbiased evaluation how
well first and second line are managing
risk and other to the compliance okay so
we have a different type of profiles
here internal auditor uh we have like it
Auditors are there process Auditors are
there business Auditors are there so
they all are basically part of the inter
audit is it clear so in summary you you
can say first line is a business process
owner Implement encryption policies
let's take example second line ensure
encryption policy meet the regulatories
iso standard and all that and internal
audit independent review encryption
process to confirm compliance and
Effectiveness so here you can see the
hierarchy we
have they conduct the independent audits
report findings recommend and internal
Department are the one who provide the
control measure so summary is that if I
say first line with will be your
operation team and all that that is
there most of the profile jobs you can
see in JC comes in the second line
because you want to do the risk
assessment you want to comply with ISO
2701 you want a DPO so most of the GRC
profile come in the second line you know
when you say I want to learn isms that
is a role of a second line they want
it's a second line uh responsibility is
to make sure your businesses comply with
our 27,1 standard compliance data
privacy and everything so DPO has been
appointed in second line of defense
compliance officer has been appointed
second line of defense tprm specialist
who assess the vendor before we onboard
them part of a second line of defense
then we have a internal auditor where
you get paid for a thought process they
are the one who audit the first line and
second
line okay so that something is basically
there so now we're going to discuss
about the type of audit it's a very
important part I'm sure you got the new
visibility and now you're in page where
you got the visibility what is the
career you want to make okay so that
something is there so first party is the
one who manage the risk directly second
line provide the oversight and guidance
third line give the independent
Assurance okay so let's start with the
next
part so now we're going to discuss about
the audit function audit function
basically is very important so we have a
three type of audit so we have a first
party
audit we have a second party audit and
we have a third party audit first party
audit is a internal audit we just
discussed right so what is audit audit
is a systematic process I repeat audit
is a systematic process of evaluating an
organization processes control system
and operation to ensure they meet the
standard Regulatory and policy and
stakeholder requirement so when we're
talking about the internal audit so as I
said we have first line who doing a
business and implementing a control we
have second line who assess the risk in
the business and suggest the controls so
third line is third line of defense is
the one called as a first party audit
they are the one auditing the first and
second line okay their audit US based on
their defined policy procedure let's say
example we are doing an audit of chain
management process so whatever in the
process and policy mention that okay
chain need to be closed in 2 day or
chain need to be closed in 3 days based
on that we do the audit we check for the
artifacts and verify is a change has
been closed in 2 days or 3 days here the
certification here the audit is not
based on the certification okay so first
party audit is conducted by the
organization Itself by someone within
the organization and this type of audit
evaluate the organization process
internal controls and
compliance and the purpose is ultimately
to assess the internal performance
improve the operation management and
provide the
visibility so that is called as a first
line of defense then we have a second
line so this is done by the you can say
second line defense team when they
onboard any vendor so let's example we
have a vendor one we have a vendor two
we have vendor 3 and these vendors are
going to support my business business
which is my first line but make sure
there should not bring any risk so we
have a second line of defense in the
organization who does the audit of this
vendors before we onboard them so when
you doing an audit of your customer when
you're doing an audit of your vendor
before you onboard them that is called a
second party audit okay it's also called
as a supplier or customer audit it is
ConEd by one organization or another
usually as a part of business
relationship so example like I'm doing
an audit of the vendor now listen
carefully okay I'm doing an audit of
this vendor before we providing so here
we have a second line of defense who
does this audit and when this company
itself face any audit from other
customer then that is a second line of
defense who handle this also audit
that's why it's called as a supplier or
customer audit okay third party audit is
when you face independent certification
audits regulatory audits that is called
a third party audits is it clear
independent AUD like you face regulatory
audits you face any um ISO 27,000
certification that's basically come
third party so internal audit is the one
who audit other first line Second Line
internal to the organization and provide
the report independent independently to
the board second party audit is the one
who audit the vendor supplies before we
onbo them it is done by the second line
of defense of an organization which is
called as a tprm specialist then third
party mean your company itself face the
external independent audits like
regulatory certification Audits and all
that so as a management you have a
control on the first party second party
but you don't have a control on third
party so this is basically part of your
audit governance and everything now
we're going to discuss about what is
framework because when you're
implementing control we follow framework
okay so framework and standard is my
next point that I'm going to
cover so next thing is basically talk
about framework and standard see when
you're starting or building a cyber
security in the organization okay any
cyber security you want to or any
governance forget about cyber security
you want to build governance you have to
use you want to start with some some
reference point now here the reference
point has two things one based on
experience you start your governance or
the second is you use some kind of a uh
reference parameter and here the
reference parameter always we recommend
is we start with the framework let me
explain with the example let's say
example I want to construct a house so I
will first create a framework frame mean
boundary Tre work is what I have to do
so this is my
land and it is like a imaginary boundary
now in this boundary I need everything I
want uh I want to create a
house I want TV I want AC I want
refrigerator okay I want light that is
my minium necessity to run my house so
that is my framework that is something
is minimum necessity that I have okay
but I want a standard TV which is called
LG so here I'm introducing some metrics
you getting my point I'm introducing
some metrics here a quality
metrix okay I want a Samsung
AC okay so here when I'm saying I'm
using a particular name of a brand brand
is basically talk about what okay I need
uh you know I want a AC I want fridge
that's fine okay so that is basically
the need but I want a particular quality
of the AC I want a particular quality of
the TV that is called standard so
framework guides you how to
approach okay how to design or improve
the process and standard which I'm going
to discuss next part Define what to
implement to achieve a compliance or
meet the specific requirement I will
give you another example so that give
you better visibility let's say example
I want to implement cyber security in my
organization oh okay I want to implement
it function in the organization now in
the it we have multiple things example
like we have a service
management we have a security
management we have
a uh quality
management okay and we have a CP this is
the need now I have a choice so there is
a one framework which is called as a
cobit now CIT is available okay now kit
talk about the processes what is
required to run the it function so I
refer the CIT as a framework my need of
the business is required security so
they have a process for security like
create isms and all that so I pick that
process for my organization they have a
dedicated process how to implement
quality management they have a dedicated
process talk about BC CP understood okay
I I want to show you an example so this
is the cobit framework we have okay so
we have a governance and we have a
management so most of the companies use
CIT so let me type here
security so when I type security here
you can see manage security
manage security Define operate keep the
impact establish maintain
isms and uh Define manage res treatment
okay and then monitor so here what
happen is when I refer
kobit okay when I refer cobit so cobit
is a framework which help me to adopt
what is a process and practice required
so I decided I want isms but I want
which kind of isms Nest or is 27,1 and
that is basically where I go for the
27,1 standard so framework
when you're talking about it is a
flexible thing which can be customized
as per requirement and standard come
with a certification okay you cannot go
to LG showroom and say can you customize
this LG with AC functionality and all
that so we always start with the
framework first we adopt framework we
select the process and practice which
part of a business requirement and what
is not required we can ignore it one
more example is you come for my C SSP
training or CM training say example so
you're taking this training not for
certification you're taking this
training for knowledge so you it is a
framework you will come for domain one
you can skip the domain too so that's
why we called framework is used to
develop strategies and approach tailor
to in the organization context but if
you looking for the consistency if
you're looking for compliance if you're
looking for
Benchmark okay then it is a standard so
example one of the process they say you
need to have a password management
system so I refer a there's one more
framework called cyber security
framework nist so as for the framework
they say you need to implement password
management system but I want to go for
14 character password then we have a
standard called ISO or nist 837
852 so this is how it works so framework
is and that's why you never heard
framework come with the certification
okay we are n CSF certified okay but we
always heard this we are ISO 2701
certified so I'm sure you're clear
second is called as standard standard is
a set of specific detail requirement
criteria that must be followed to to
ensure the uniformity and
consistency we need a policy that's a
framework but we need a eight corre
password policy that's a standard so
standard usually mandate for a
certification or compliance requirement
so we have an example here framework is
high level guideline provide structure
like base Nest hydras and CIS and then
specific requirement in the process
practice come as a standard which is
called specific requirement which ensure
the consistency like pcss ISO and all
that so we have several Frameworks that
we need to learn see when you are in GRC
you should know this framework because
framework is a starting point of
building governance in the organization
so one framework is Nest framework
CSF so that is very important if you're
improving a cyber security of an
organization you basically use nist it
has a five to six function there's a
dedicated video on that so if you want
to start cyber security practice in the
organization so we basically follow nist
there okay nist has a 2 point
Z so that is basically nist 2.0 is a new
one which is already introduced okay so
it's already introduced so you can check
that the reason of you know because you
know it's a GRC analyst Series right so
you should know everything so in this
video I'm going to touch upon all the
basic things so you know later on you
can you know you can customize as a
requirement okay second is called Koso
actually if you talk about any company
when they start any company and all that
they always start with Koso first so
Koso is a comprehensive framework which
helps the organization to establish and
maintain effective internal control risk
management governance system and it is
widely used for improving the
organization performance ensuring
compliance and achieving a strategic
objectives okay so we're going to
discuss in the further slides what is
coo but for your information um you know
it focus on three things operation
reporting and compliance okay and they
they have a five components of internal
control so if you want me to create a
dedicated video on that do let me know
so if you want to start with the
governance most of the companies follow
the Koso first because Koso cover all
the controls and everything then we have
a CIT kit is for it governance you know
you are you want to start it governance
from a scratch you have a zero
visibility how to start they have a
different process and practice like BCP
quality management 9,000 and all that so
instead of following a direct standard
you adopt the process and practice from
CIT and then you can improve with the
help of respective control and if you're
looking for a service management
function like you know your running
technology with service management then
you basically use the I now we have some
standards also standards like 27,1 is
there that you can refer for
implementing information security in the
organization then we have another
standard for Enterprise risk management
which is called ISO
31,000 okay then we have a nist 853
which is a dedicated control for
security privacy the way we have isms
800 uh sorry 2 27,1 2022 annexure same
like we have a n 853 which talk about
the nist specific security and privacy
controls then if you're looking for the
bcms business continuity and management
system we also have one standard called
22301 we have a service management
called 20,000 and for pcss we have a
payment card industry so we have a
different different standards that we
can basically adopt now in this
particular series I'm going to focus
more on GRC which is from the itgc point
of view because when you see the
openings and all that they always ask
okay do you have itgc experience
so that is why in this in this video I'm
going to very specifically talk about
itgc okay which stand for information
technology General
controls and they are the foundation
controls within the organization it
environment okay now question is why
itgc because if you see any big jobs and
all that they always say you need to
have s Sox with itgc experience so itgc
is very important because it ensure the
Integrity reliability security of
information system okay and data with
supporting both operational and
financial process so it was introduced
to address the need for standardized
controls over the it system so in us
what happened is after the inrw fraud
which is happened in 2002 s Sox mandate
the company needs to be have a corporate
governance educate controls over the
financial reporting same like now if you
want to invest in any company you will
always look for financial reports so s
Sox has mandated any company who going
to be public listing they need to
demonstrate the reports and they need to
demonstrate the internal control over
the financial reports and one of the
section of internal control were itgc so
these controls are crucial for
maintaining a secure it environment
especially for organization subject to
regulat requirement or involved in
financial
reporting so organization began relying
more heavily on it systems in the latest
State and they need to Arrow ensure
these systems are were both reliable and
secure and that is where uh there is a
One requirement called Sabin Oakley so s
Sox in the US we have which demand
strict control of the financial
reporting so one thing you need to
understand is your financial report is
run and drive through the some kind of a
it system so this is a financial report
that report is running on any it systems
how educate is the it system for that we
have a control called itgc so this term
came from there only like you need to
have these are the mandatory it controls
on your it system because through this
it system you're generating this report
so that's why this was spe spef
specifically critical for the
organization subject to the regulat
requirement such as SX in the United
State which demands strict control over
the financial reporting to prevent fraud
and ensure data
Integrity okay so what is the key
objective of
itgc so itgc ensure the Integrity by
establishing a secure control
environment for data processing because
if you work in the financial industry
and your company is International or
companies listed in a US Stock Market
your reporting and everything is very
important because based on your data
only the company invest right so the key
objective of itgc is whatever the
financial reports we are generating okay
it should be accurate we minimize the
risk of data tampering errors or
unauthorized access second we have is R
reliability of the it operations okay so
itgc support the reliability in
consistent it operations to ensure
systems are accessible and data is
backed up and changes are managed
properly then regulatory requirement is
also there comply with s Sox Hippa gdpr
and last is itgc is a part of broader
risk management strategy so it helped to
identify mitigate it risk is very
important so this is the key objective
of itgc so these are the controls in
itgc we have team for your knowledge
okay so access control is a area change
management is one area it operation is
one area data backup and Recovery is one
area and each and every area has a
respective objectives you can see and
these are the controls are required to
be Implement so I'm not saying you have
to follow
27,1 but itgc itself has some controls
like you need to have a control for user
access management role based Access
Control multiactor authentication access
review change approval testing process
segregation of a Duty inent management
system monitoring regular backups offset
storage so that something is part of the
itgc so in my next point I'm going to
discuss about Koso that's the next
important thing we
have okay so if you are in GRC Koso you
should know because Koso is called as a
mother of all framework okay so Koso
stand for committee of sponsoring
organization of trade away commission
okay so what happened is let me first
give you the brief history so in
1985 this Koso was formed to you know uh
combat financial fraud and improve the
internal control and 1992 Koso
introduced its first internal controls
okay which is called as a integrated
framework which become the foundation
for modern internal control system okay
from there the word origin com is
internal control and in 2004 Koso
introduced the Enterprise risk
management framework which expanding it
Focus from internal control to include
the holistic risk management and in 2013
coo framework was updated to address all
the challenges like governance
technology and Global business
environment so in summary you can say
internal control in Koso framework is
all about creating structured reliable
process that support the organization
goals protect the assets and ensure the
accurate reporting and maintain the
compliance and helping the organization
to operate smoothly and responsibly and
Koso was introduced to create one
unified framework for internal control
and risk management and and addressing
the you know the need for the strong
governance ethical practice and all that
so when you say Co coo here we have a
three important objectives first is
called as an operation okay the first is
called as an operation so to ensure the
operational activities are efficient and
effective which include safeguarding
asset and preventing fraud so we have an
example like okay they have a controls
like to
streamline the and financial assets are
protect from misuse second is called as
reporting they promote the reliable
financial and non-financial Reporting
because based on that investor invest
money so reporting is basically ensure
we generating accurate Financial reports
stakeholder and third is called as a
compliance compliance mean you have to
comply with legal regulatory so in this
section we are complying with gdpr and
socks so when you're talking about Koso
okay so Koso framework provide the
guidance on designing implementing and
maintaining the internal control which
cover the control for corporate
governance it governance and all that so
in Koso we have a five integrated
component now please understand this
carefully we have a total five
integrated component the first is called
as a control environment so so control
environment you can see it is a
foundation uh for all the components and
it actually set the tone okay it is
basically set the
tone at the
top same like the policy is a foundation
for governance so policy start from
control environment and this includes
your ethics Integrity oversight which is
like a culture for an organization let's
say example is leadership need to
establish the code of conduct and they
want to ensure or that they add to the
organization policies so that is called
as a control environment second is
called as a risk assessment so as I said
when you set up the code of conduct you
have to assess the risk or you identify
analyze risk to achieve objectives and
determine the risk response so company
here assess the risk associated with the
new it systems implementations and we
are introducing some activities like
policy procedures and all that next is
called as a control activities so which
include policy procedure actions to
mitigate risk an example like
implementing access controls require
approvals for financial transactions
separation of
Duty okay then we have a information
communication which is all about
whatever the controls you have
implemented you have to convey so we
have to ensure the relevant information
flow throughout the organization to
support the decision making like regular
reporting of control performance to the
management and finally we have a
monitoring activity which is all about
obtaining the evaluations to ensure that
okay controls are functioning as
intended example we have an internal
audit team they periodically review the
compliance with it control so that's
something is there so I will explain it
with the example real time so let's say
example uh you have a retail company
okay so you have a retail
company okay they want to ensure they
want to comply so this is the company
they want to comply with s Sox because
they're going to public listing so when
they want to go public listing
and all that they will publish the
financial report they have to
demonstrate how you generating this
report and all that so as I said the
first step is control alignment first
step is called as a control alignment so
company establish the governance
policies required to require it to
safeguard financial data and here we
adopting itgc also so Koso is closely
work with
itgc because Koso talk about what is a
control it talk about a specific control
like we set up the role based access for
the Erp system and ensure only finance
staff can access the financial requ
second is we do Gap assessment we do
risk assessment so company identify
unauthorized system changes as a key
risk so with the help of itgc we
implement the control then company
require daily backups and all that
that's part of a control activity okay
they have to required report the uh
compliance reporting and all that
regulatory that's called information
communication and with the help of KP
and K you do the
metrics so coo is essential for
organization because it provides
structure approach to the internal
controls that that support the the
reliable financial reporting as a public
listing financial reporting is very
important and you also need to
demonstrate that you have adequate
control over financial reporting so by
using Koso you can helps the
organization to establish the control
over financial reporting which is a
primary requirement ofox to reduce the
error and prevent the fraud which is
crucial for public companies second is
it enhance the risk management as I said
by the COO we can able to integrate the
Enterprise risk management we can able
to improve the organization ability to
adapt and suc risk-driven environment
third we can comply with s Sox gdpr okay
then operational efficiency so by
establishing a Koso you can able to
communicate the channels it help to
streamline the operations reducing the
ineffectiveness and everything and the
most important part is here is building
the stakeholder confidence so now let's
understand how to integrate itgc with
Koso so here have an example control
environment so that control environment
if you want to implement we have itgc
control area which is called it
governance leadership so itgc ensure
secure it
environment by defining roles and
responsibility so ID Department enforce
code of conduct ensure all employer
follow the cyber security
practice second is called as a risk
assessment so itgc it risk management
identify the risk control activity so we
implement the itgc controls here
multifactor authentication information
communication so we have a system
logging reporting so accurately report
is is there and then we have a
monitoring so this is the itgc we are
integrating with Koso so so as I said
why itgc Koso together are essential
because the one thing is that foundation
for compliance for organization that
they need to be comply with s
Sox okay or other regulations so Koso
provide the overall framework Koso is
provide the overall
framework okay while itgc ensure that it
systems are comply with the security
Assurance accuracy reliability stand
second is comprehensive risk management
so Koso address the organization risk at
all the level while itgc specifically
focus on risk associated with the it
system third is consistent control
environment so itgc actually support the
Koso okay by enforcing control in it
environment and making sure the
organization systems and data are secure
and consistent with Koso principle so in
summary you can see um in summary you
can say Koso provide the overall
framework for internal control and one
of the intern controls which is called
it controls Implement with the help of
itgc that is how it works I'll give an
example here like access control itgc
and Koso so Koso control environment
emphases the importance of security and
ethical use of resources I agree so with
the help of itgc we can implement the
access controls and everything second is
we have a change management and Koso so
Koso control activity Focus to ensure
the task are perform according to policy
so we adopt the itgc here by by which we
introduce a change management control to
ensure all changes to it systems are
authorized and everything so we have
some other examples like you know
control and mam de set the organization
tone Integrity authenticity and based on
that itgc control establish policies and
everything because policy is a driving
factor for any organization then we have
a risk assessment identify analyze risk
and we we assess the risk it risk
control activities implement the
policies idgc include the access control
policies ensure information flow the
level of awareness which is part of a
COO and with the help of itgc we we
convey with the help of security
awareness regularly review and that can
be achieved in the itgc by introducing a
kpi k and everything see one of the it
control that we used is kobit so if
you're into GRC it is very important for
you to know kobit and in my previous
example I shown in it governance
framework kobit we have referred there
so kobit is now adopted by isaka and it
provide the guideline and best practice
for aligning the it operation with
business goals so let's say example
there is a
bank okay so there is a bank now Bank
was so far doing offline business now
they want to go online because they want
a customer base so it was a corporate
governance requirement that they want to
go digital so they will give instruction
to the
CIO build something around automation so
here what happened corporate governance
evaluate the need of the bank and then
based on that giving a direction to C
CIO CIO will adopt the itg framework or
sorry it governance framework so one
other framework is called
cobit now if I don't go for CIT if I
want to implement security for security
we have a particular standard which is
called
27,1 for bcms we have a standard called
2301
2231 then if you want to implement the
service management we have a 20,000 and
if you want to implement quality we have
a 9,1 so you can imagine each and every
process you have a different different
standard so it is very difficult for me
to implement all these standards on one
go so what happen is I adopt the CIT
which capture all the best practice for
it function It capture service
management activities It capture your
quality It capture the bcms and
everything so I will adopt those
practice and later stage I can go one by
one I will adopt the standard to improve
the particular processing practice so
today if you notice most of the
companies use kobit framework because
cobit is foundation for it controls and
your security comes under the
cobit so what is the purpose of kobit
the first is that kit provide the
framework for it governance and ensure
it align with the business okay kobit
also help us to implement the control
with the based on risk management and
more important you can comply with the
controls and functions parameter so we
have a key components so we have overall
two so kabit has compromised the
controls in two section one is called
EDM which is directed by corporate
governance and Apo which is driven by
the uh management function so in in CIT
corporate governance is Corporate
governance but it and information
security they don't call governance they
call management so corporate governance
have a three function e DM evaluate the
need of stakeholder and giving a
direction to I CIO and ceso and
management is responsible which is
called CIO ceso responsible plan build
run and monitor okay so first is that
bit is basically align uh with this
functions okay and let's say example
there's a bank okay so when you're
talking about EDM here so EDM domain
ensure the business goals and Ure risk
are optimized if they're going digital
and on the other side APO align plan and
organize actually it's one of the
functions so align plan organize is one
of the function so they all are part of
one parameter which is called pbrm
p brm
plan build run and monitor so that's one
of the key feature we have and based on
that we can plan the control build the
control run the control manage the
control each and every parameters have
this Apu and other things is it clear
second is each and every control
whatever you implement it has a detail
guideline and everything so that's
something we can
take so as I said cobit is a it
governance framework that we can use
okay and they have a controls and
control objectives which can be
Implement with the help of respective
standard so Koso is a high level
framework for managing organization risk
okay kit is aligned the it governance
with management okay and itgc are the
essential controls within the it that
KOB use to enforce it governance and
supporting a Koso a broader internal
control environment so Koso is the
framework that we first adopt kit is
talk what it is required and specific it
controls for that we can use it JC so
that is the first part of the GRC
analyst the second part is when you're
implementing these controls we Implement
with the help of risk
management okay so before I move to the
risk management detail I want to discuss
the basics first so risk is exist when
threat has a potential to exploit the
vulnerability and cause the harm before
going to discuss about the risk let's
understand the basics of
threats and vulnerability so let's say
example this is my system a okay when I
say system a has a weak
password weak password this weak
password is the component of the system
persistent in the system and that is
called as a vulnerability always
remember in the information security
what you can control is a vulnerability
only let's say example you're preparing
some for some interviews okay your
weakness is English speaking so now that
is a weakness and threat is what
question they can ask from that area
understood so they might ask some
English questions it is difficult for me
to answer so vulnerability is a
weakness threat is an action which
exploit the vulnerability so for you
when you go for an interview interviewer
who are going to ask you question is a
threat so threat is an action which
exploit the
vulnerability is it clear that's why we
say risk exist when threat has a
potential to exploit the vulnerability
here for me risk is like losing
business risk is like failing the exam
risk is losing the money so difference
between the risk and incident is so if
we take
example we have a risk
here versus
incident incident is a confirm action
which has already happened so I already
failed the exam it's not a risk it's
already an incident which is occurred
okay I already failed my exam that's an
incident huh if I don't prepare
this and if the question come in the
exam I might fail that is a risk so risk
is called as a probability risk is not a
confirm action confirm action if it's
already occurred then it's an incident
so risk is the potential for loss damage
or any other undesirable outcome
resulting from a given action or event
or decision is it clear I repeat again
risk is a potential for loss damage or
any other undesirable outcome resulting
from a given action or event or decision
so it is a likelihood that particular
threat will exploit the vulnerability
leading leading to a negative impact and
that leading to a negative impact is a
representation of a risk so one more
example is we have a system
a
okay hacker find the vulnerability in
the system a which is called weak
password through which he gain access to
the system and through which he can gain
access to the sensor data and that is a
loss of data for the organization that
sensor data loss is called as a risk I
don't want to lose that so when we
calculating risk we use the formula
called risk equal to likelihood Ood and
impact that is how you measure the level
of
risk okay likelihood mean probability of
happening so let's say example this
system is connected on the
internet and the system is configured
with some uh known configuration open
ports and all that so likelihood of the
threat to exploit this vulnerability
High because system is connected on the
internet so I give the likelihood is
basically suppose High H if he act he
can gain access to the pi data which is
l for me that is basically called as a
impact so impact is also high so overall
risk value is we say high in in my case
if I don't prepare the topic I might
lose the money $760 that is a money I
will lose $760 that is a risk okay so
key component of a risk is likelihood
and impact so likelihood mean the
probability the risk event will occur
and risk event will be occur based on
threat exploit the vulnerability and if
it occur what is the impact that is
called as a severity
severity of the consequences if risk is
materialized so next topic is called as
a threat so threat is anything within
the organization which cause harm to the
organization always remember threat is
always dynamic in
nature threat is something you can't
control like natural disaster you can't
control interview question you can't
control so threat can be deliberated
which is called Cyber attack or it can
be accidental which is called natural
disaster and they create a risk when
coupled with the vulnerability so for
your information when we talking about
threat threat is two type okay threat is
actually two type one is called as a
internal
threat and one is called as a external
threat so we have a two type of threat
internal threat and external threat
internal threat is like um Insider
threats human error or mismanagement
like coffee fell on the
server or employe click on the fishing
link that is a internal threat external
threat is like cyber attacks fishing
malware natural disaster and all that
next is called as a vulnerability so
vulnerability is a weakness or Gap in a
system or process which can exploit by
the threat and vulnerability increase
likelihood of a risk materializing the
impact so that is where so overall
formula of risk is risk equal to
likelihood and impact high risk low risk
medium risk is definitely calculate
based on this value and likelihood would
mean threat exploit the vulnerability
and if it happen it lead to the what
level of impact so next important thing
we need to understand the risk metric or
metrics see when you're talking about
risk management there's one statement we
called as a risk
management okay and for your information
I already created dedicated video on the
risk management how to start from a
scratch in a YouTube video so you can
check that okay and I will also try to
share the same in a description box so
I'm not going to discuss the Practical
aspect here because the purpose of this
video is to give you visibility about
all the topics so that you can do the
Mastery in each and everything and I
really made a 55 minutes video on only
on risk management where I already
discuss about this how to set all this
thing is it clear so I'm going to spend
very less time on this area so when we
talking about risk functions when we
start risk so you know we have a some
steps because we talking about risk
management here right so ultimate goal
of risk management is to reduce risk to
an acceptable level now please listen
this carefully let's say example in my
house my dad is the one who take care of
the house okay mom is a home wife
housewi so what happen is whatever the
income it is generated by D so he has a
fixed budget in that budget we have to
drive the entire house so suppose my dad
used to getting a salary of about 10,000
rupees hypothetical scenario in that in
the 10,000 he has to pay school fees and
everything thing now one day what
happened I asked that Papa I need a
PlayStation now he saw that budget okay
can I get this PlayStation 10 definitely
no because PlayStation minimum start for
35,000
rupees and then he also do the
Assumption okay if I give him today
PlayStation okay what is the threat the
threat is basically um you know he will
not be well prepared for the exam the
vulnerability is that he will weak in
the specific area because he will give
more time to the
games and all that and what is the risk
he might lose the focus on the exam he
might Focus he might lose the focus on
the
studies and it will be a carrier
parameter for him so that assess this
all this risk and if I give him the
PlayStation it will impact a budget we
will run out of the budget we will not
able to sustain for a month so here you
notice so there's a person in my house
okay who do the risk assessment before
taking any action one day what happened
is I ask him Papa can we go to Goa so
Papa what he did he assess a threat okay
what is a thread in Goa like you know U
full of water beer drinks and all that
my son might might drink because my son
is also having a vulnerability that okay
if anyone offer him dream he will say
yes to that okay so that's a
vulnerability and the risk is I might
lose my son and he will spoil his life
so here what happen is we do risk
management in a real life also but when
we doing a risk RIS assessment we have
to set some parameter so the based on
that only we do risk assessment and that
parameter is what is the risk capacity
what is the risk appetite and what is
risk tolerance so let's so risk appetite
mean that it's actually the thing we set
first capacity what is the maximum risk
I can take to pursue the mission and
vision of an organization that is called
as a
capacity okay second is called as a risk
appetite risk appeti amount and type of
risk it's pursued to achieve the
Strategic
objective and third is basically called
as risk tolerance risk tolerance is
basically my current risk so let's say
example 1001 $110,000 is the salary of
my DB now so he decided okay every month
$2,000 he will spend on my education so
10,000 is my risk capacity and risk
appetite he said 2,000 for my education
one day what happened I told him papa
there's a new training is coming which
cost
$2,500 so in that case the risk
tolerance is going beyond the 2,000
which is current risk tolerance now
become
$2,500 okay so risk capacity is the
maximum risk appetite is basically the
parameter that we said and risk
tolerance is a current risk so risk
tolerance always deviation nature same
like I'm riding a car so speed limit vs
is 60 which is appetite 120 is a maximum
but the current is basically 70 which is
called as a
tolerance okay so based on this this
Factor only we drive the risk management
function so risk management ultimate
goal of risk management is to reduce
risk to an acceptable level okay when we
hire anyone when we fire anyone we do
risk assessment so in the risk
management the first step is called risk
identification so let's say example we
identify server web server okay so this
is my web
server then we identify threat is Dos or
DS attack is possible on my server if
it's exposed on the internet and
vulnerability is that we don't have a
redundant server so if the server is
down it has a big impact so identify
asset web server and all that identify
threats the triggers which exploit my
server and vulnerability mean through
which they can able to exploit the
system now in this particular stage we
identify the RIS you know there is a
there is a
likelihood okay but but still we need to
calculate the impact so to calculate the
level of impact we do the next step
which is called as a risk analysis so we
have a two way to analyze a risk one is
called as a qualitative and one is
called as a quantitative qualitative is
like a scenario okay if the likelihood
is
low okay likelihood is there the it will
be the value called high low medium so
that is called qualitative risk
assessment it is same like you know
someone reach out to me and say how much
it will impact my body if I smoke okay
it will be high I'm not telling about
what percentage but I'm saying high low
medium so same like server is there
here okay connected with the
internet the likelihood is the DS attack
can be possible and server is down the
impact is high I don't know the numbers
but impact is high so here it is doing a
qualitative risk
assessment but on the other side
quantitative risk assessment where we
calculate the impact in the dollars so
we use some formulas okay so we use a
formula like Al annual loss expectancy
SLE single loss exposure exposure Factor
so in my that the video I have I have
covered all these things or the second
parameter is if the like if I say if the
attack is happening in every one year
the value we given is
five if it's happening in every 6 months
sorry if the if the if the event is
happening in once in a month the value
is five in every 6 months the value is
basically four if it's happening in a
one year the value is three and if it
impact my Pi data the value is five
impact is my regular impact is four
operational Data Business data is three
so here we identify server is there
connected on the internet definitely
anything connected connected on the
internet vulnerable for Doss attack so
chances that it can be happen every
month so likelihood is basically I give
five and if it compromise it can able to
hack the pi data so impact is also five
so overall value I given is 25 so that
is my current risk so during a risk
analysis we try to analyze the current
level of risk so which one is faster to
perform qualitative which is accurate
quantitative okay then we have a risk
evaluation so risk evaluation mean
whatever the impact value we see we'll
see we'll try to map with my risk
capacity risk appetite and risk
tolerance so right now 25 is my risk
tolerance is it going above the appetite
yes so we have to bring the control to
bring the risk below the acceptable
level is the risk is going above the
capacity yes so in that case we avoid
the risk so during a risk evaluation we
evaluate the result again my capacity my
appetite my tolerance so that based on
that you can take a final call you want
to avoid the risk you want to mitigate
the risk you want to accept the risk you
want to transfer the risk risk avoidance
mean I will not go for that trip which
bring more risk to my company I know the
risk is going beyond my capacity so it's
better to drop the idea so in that case
I will do go for risk avoidance I will
implement the control that's called
mitigation I will accept the risk
because cost is high so that's called
risk acceptance or we transfer the risk
to the insurance that is called risk
transfer I'll give an example okay CP
exam okay cost me 745 my salary itself
is 15,000 rupees I know even I pass the
exam I would not get any hike so I
better drop the idea because if I fail I
have to pay from my my pocket $80,000
80,000 rupees so in that case I assess
my weakness that I'm weak in
cryptography I I'm weak in GRC if they
ask the question from the area I will
might not able to pass the exam so it's
better I will drop that's CP which bring
risk to my company so in that case risk
capacity is risk tolerance going beyond
the capacity that's why I avoid the risk
second is called as a risk mitigation I
implement the control to bring the risk
to an acceptable level risk acceptance
mean the cost of training is
$10,000 exam is
$755 it's better I will I will ignore
the training andly go for the exam
because cost of control is higher than
cost of impact so that's called R
acceptance and we transfer the risk to
third party like s insurance and all
that that is called as a risk transfer
and after that we set the K key risk
indicators and kpi which inform the
management each and everything I've
discussed in that video do check that
okay the reason of you know in this
video I'm just want to give a quick
overview okay so risk identification
start with brainstorming category and
everything risk analysis all about
evaluate each risk and prioritize then
mitigation plan we develop the
mitigation strategies for that activ we
do is setting the response strategy
implement the control then we have a
risk monitoring and Reporting where we
carefully monitor report the risk and
everything and we track the K also and
then finally we communicate and
integrate so we have a training
decision- making process risk aware
culture all those things will be done in
this particular
activity so the last part is uh
important for the governance which is
called security policy or policy one
thing we need to understand policy is
the foundation of any organization okay
when you hire anyone when you fire
anyone for that everything we create a
policy and based on risk assessment when
we implementing control we first create
a policy you can say policy is a
foundation so let's say example why we
create a policy that's a very important
thing so let's say example we have a
vision of the company we have a mission
of the company we have a business
requirement we have a legal requirement
we have a stake requirement so we have
different type of requirement now it is
not possible for me the people who
working on my organization like people
process and Technology they can follow
individually all these things so it is
always a Senior Management intention
that everyone should follow the vision
mission of the company and that is where
the first thing they create a
policy seem like the parents creating a
rules for us to give a good life
discipline life same like now let's say
example policy is a need of the
organization policy is a vision of the
organization policy is a statement of
the company or you can say policy is
like a intent of the management hey guys
every system need to be protected with a
password so that is a
policy now employees say okay fine I
will follow this password but what is a
password so that is basically we have a
standard standard is a eight
character
then detailed procedure how to create A8
character password and all that that is
called as a procedure that's why here if
you can notice the first step is
policy okay then we have a standard like
policy say that all customer data must
be protect from unauthorized access and
handling in compliance with data Privacy
Law because we have to comply with
gdpr now second is called as standard
standard which is uniform across the
organization okay we have to use a a 256
to encrypt the data then we talk about
the step-by-step procedure guideline is
always optional in nature okay so like
recommend the best practice for Staffing
handling customer data and finally we
have a Baseline Baseline is specific
minimum required security configuration
so Baseline come into the picture when
you're using a specific technology
hardening let me give more one more
example so they say all employee must
use strong password to protect system
and data but password must be at least
12 character including a mix of upper
lower and character basine is at minimum
password must be at least 12 character
long
with one special one special character
one number one so this is like minimum
we cannot go below that procedures go to
log into system change the password and
guideline is in 90 days it always
recommend to change the password or
never use a family name so if you can
see Jack D example everyone at the
family gathering must have a drink the
drink must be a Jack Daniel that's a
standard for everyone 21 and old at
least one glass of any drink water must
be consumed go to the bar and have that
it is recommend that every drink respons
responsible for Hydrate with the water
so when we say policy policy set the
broad
rule okay purpose is specific exit
requirement to support the policy then
we set the minimum acceptable level to
comply with policies called Baseline
provide the stepbystep instruction so
you check my policy document video which
also give you a great visibility so one
thing always remember the sequence is
like that strategy then we have a policy
then we have a program and then we
Implement that in the organization so
policies always strategic in nature so
now we understood the basic fundamentals
now time for an action let's Implement
governance in the
organization
okay now now it's time for an action and
now we're going to discuss about how to
implement JC in the organization so so
far we understand the core GRC Concepts
where we discuss about GRC three lar
defense we also familiarize with the
Frameworks like Koso corit Nest 31,000
we also understand about Regulatory and
compliance requirement and um and now we
going to discuss about how to implement
GRC see when you're talking about GRC
the first step is called preparation and
initial assessment okay so here like I
join as a itgc consultant or I join as a
GRC analyst so what is my first step I
will speak to the business I will speak
to the Senior Management stakeholder
understand the business objectives
regulatory requirement and specific
compliance NE and here we basically
prepare two important document which is
called as a business requirement
document and stakeholder analysis now
when you're talking about business
requirement document okay so business
requirement document uh uh it's outline
the organization
objectives uh and also doc we document
the GRC goals and specific requirement
that need to be aligned with GRC effort
if you take example like if you're
building a GRC document so there are
some tips and tricks that I will I will
recommend actually different different
company have a different different name
for this but standard term is called as
a business requirement document okay so
you can involve the stakeholder from
various Department like it legal Finance
to ensure and you have to involve them
early so you want to ensure you capture
the full range of perspective and here
you can use a questionnaires or survey
to gather initial inputs on GRC rated
needs and by by having some defined
questions it can speed up your um
information gathering process and ensure
that dot coverage has been covered along
with that when you're talking about
business requirement document one thing
you need to have in this called
scope scope is very important so you
need to define the scope and objectives
it's a very important part so you can
break down the GRC objective into
specific measurable goals like example
this year I want to implement 27,1 next
year you want to go for sock 2 and in
order to measure that you can use a
smart smart metrix it is always
advisable so by using a smart metrix
like specific measurable achievable
relevant time bound you can Define each
objectives third is when you're creating
a BRD document in that you make sure you
define the list of regulat requirement
so when you're building a governance you
make sure you should meet the legal
regulatory requirement and here you can
also create one more document which is
called as a regulatory metrix regulatory
metrix now what is regulatory metrix
regulatory metrics in the BRD listing
the key regulations their related GRC
goals and departmental
responsibility make sure you can use
this template consistency so you can
have one standard which can be followed
everywhere and we have to review and
validate with the key stakeholders
second is called as a stakeholder
analysis that's another important step
we have so when you're talking about
stakeholder analysis it is all about
identifying individual and group who
influence or affect by the JC program so
in the stakeholder analysis we can
include the representative from a
critical functions like it compliance
legal and we also use influential
interest metrics to categorize the
stakeholder based on the influence over
the interest in the GRC program so for
me c management has a more influence on
GRC program okay so that something is
there and when you're creating the
stakeholder anal analysis document you
should assess the need of the
stakeholders like you can create a
simple stakeholder need assessment table
where you can list the each stakeholders
primary concerns let's say in this
way this is how the table look
like okay very simple and then on the
one side you can mention the list of
stakeholders then second section you can
basically add
um uh the list of concerns they have
okay you can add the
concerns and then you can basically
document the business requir reement so
by following this particular thing this
is also called a stakeholder need
assessment okay so all the stakeholders
primary concerns regulatory priorities
and communication preference we can
document and it is also very important
to develop the stakeholder communication
plan you know whatever the activity
doing in GRC and all that you need to
schedule and inform the activities and
make sure you should have a buy and
approval so more of the story is that
this is the first two document that we
prepare when you're building a GRC okay
business requirement document and
stakeholder analysis this is how it
looked like so if you can see there BRD
engage stakeholder early tricks use
questionnaire smart goals regulatory
metrics now stakeholder analysis is all
about identifying stakeholders by
influencing the CL uh clarify the roles
sess need and create and we can use some
kind of a documents under the
stakeholder analysis such as influence
Matrix Ry chart assessment table and
colorcoded communication schedule
so once you define the GRC objective the
next step is identify the key Regulatory
and compliance requirement because
definitely we need to follow topone
approach so we have a two documents here
one is called regulat requirement
checklist where you can list the
regulation and standards applicable and
second is called as a compliance
assessment mapping where you need to
match the regulation to a business
process let's say example I join Finance
industry in India so I know I need to be
comply with CB I want to comp with
RBI so I'm assuming this must be there
okay this must be there so we have some
industry specific regulation now like we
verify the checklist include so like if
you take example of checklist when
you're creating a checklist uh there's a
small tip I would like to suggest so
when you're organizing a checklist you
can organize the checklist in a uh I
think three or four format example
within a checklist you can have a
industry specific
regulation second is basically called as
a geographic requirement Geographic
requirement then we have a data
protection privacy standard then we have
a cyber security standard okay so you
can create a checklist and organize in
this format so we can have one checklist
but in that we can organize into group
example when I say industry specific
like uh we have a s Sox we have a HIPPA
and all that now if you go by the
geographic requirement which is called
Regional law like in us if you take
example we have a CCPA in Europe we have
a GDP PR then data protection standards
we are using here okay then we have a
cyber security stand nist or pcss so
this is how you can able to create a
checklist second is called as a
compliance requirement mapping so
compliance requirement mapping is
another important thing this document
map each regulation or standard to a
specific business process okay that's
something we have so on one so regulat
requirement checklist talk about list of
regulations that is applicable for my
organization and then compliance
requirement mapping talk about
Which business map to which regulatory
requirement so ultimate goal of creating
this document is to is to align your
what is called it is it is objective is
to align the requirement with the
business process so you can map each
regulation or requirement to a relevant
business process like gdpr s Sox and all
that we also talk about the control
objectives and specific controls where
we identify which controls are needed
for each compliance requirement okay one
more one activity we do here is uh we do
the gap identifications
where we actually flag area where no
current control exists to meet the
specific compliance requirement and
these gaps will require the remediation
and then we do the framework mapping
where you identify which standards of
framework can meet the regulatory
requirement and then we assign risk
level based on the regulatory penalties
and do the audit so that something is a
process we follow okay it's a very
simple thing very very simple stuff
first you list down the regulations and
then you can list down the regulation
map have with the business
requirement next is so first step is we
understand the business requirement in
the first step and a stakeholder and
then you create a regulatory requirement
checklist based on a business
understanding and compliance requirement
and then you will do Gap assessment see
what we have and what we need to
implement that's the important thing
instead of starting from zero I repeat
instead of start starting from zero we
do with the Gap assessment okay where we
are and what we need to achieve so Gap
and analysis report identify difference
between the current practice and
required standard so there's a tip and
trick I will suggest first clarify the
scope okay let
me so my suggestion is that first you
can clarify the
scope what is a scope you have okay
clarify the scope for Gap analysis are
you assessing a specific area like data
security regulatory or overall GRC but
my suggestion is that use a scoping
Matrix to app each area example you have
it security control against the iso
27,000 so it is easy for stakeholder to
see what the analysis has been covered
second important thing use a standard
compliance use standard
compliance that's a very important part
use a standard compliance choose a
relevant framework like kit Koso for a
benchmark practice otherwise if you have
experience you remember all the controls
you can do that but I highly recommend
if any business you have a doubt involve
the subject matter expert hold a
structure review or Workshop session
with smes using a prepared questioner to
cover all the relevant area and then you
document the gaps and then whatever the
Gap you identify you can recommend them
so that is basically called as a gap
analysis report now in this Gap analysis
you documenting possible risk it's not
something confirm risk possible risk
okay okay these controls are not there
this is a possible risk so that's
something we document in the risk
register it is always good risk is start
with the possible risk so we organize
the risk into category like operational
risk regulat risk cyber security risk
reputation risk okay that's something we
do and based on that we create a risk
register so when you're creating a risk
register use a sample risk statement
like you can write each risk in a clear
concise
statement so if you really want to
understand how to do that so we use one
we we use one tip okay I will show you
how I note down the risk statement
example like
du okay
to
C there
is a
risk
of
event resulting
an impact so this is how the statement
should be used for statement example
like we say due to cause there is a risk
of a event resulting in the impact Let
me Give an example so due to cause mean
lack of Access
Control due to lack of Access
Control okay there's a risk of
unauthorized access
event and that result into Data Rees so
when you're writing a risk statement you
can use this formula and estimate each
risk likelihood impact even you know if
approximate to provide the sense of
urgencies from 1 to 5 and all that so
you can based on Gap analysis you can
identify the risk okay and you can
create a risk register so that's why we
say risk register should be create as
early as possible which is mostly in the
risk identification stage so Gap
analysis report Define the scope we use
a framework against that we do the
assessment so it use a scoping metrix
checklist Gap descriptions and then we
have a initial risk register where we
start with categorizing using a clear
statement and we use a format from 1 to
5 so now next step is building a core
policy and
framework so policies are introduced at
at this stage because Bas on a gap you
identify some controls are required and
if you want to implement those controls
you need a policy first so policy is a
first thing so policy are introduced at
this stage because they provide the
framework guideline so if one of the
framework CIS of framework or CIT
framework says information security need
to be Implement because that is a
control we identify so first we
implementing information security policy
so we draft the policy covering all the
critical area the policy is also two
type one is called as a singular policy
where you create a single policy for
everything and then called as a group
policy group policy mean we have one
policy document which cover all the
policies one thing always remember when
you're creating a policy involve the
stakeholders because policy is the first
tool by which you comply with your legal
regulat requirement so we have some
samples here now once you create a
policy you define the standard and
procedures okay so you create Sops
detail
requirement and then you will map the
procedure with the respective framework
so you can choose a document framework
like kit is there it governance so ISO
31,000 for risk management and coo for
financial controls but if you ask me
Koso will be the starting point that is
the first thing and then you can have a
cobit on top of it and then you can have
a pillar of Standards which is called
ISO 20,000 27,1 and
22301 so we can create a framework
mapping document which basically shows
how selected framework align with the
organization compliance need I'll show
you how how to create how to do that how
to select and map the framework so let's
discuss that so if you have a control
framework with you which coo CIT and all
that and your requirement is suppose I
want to strengthen the data protection
of a customer employee that that is my
requirement now here I've aligned the
framework 27,1 gdpr requirement
regulating heppi Healthcare so I use
this metric so I'm looking for strength
in data production so I will pick the
control from
27,1 gdpr Hippa is a requirement I want
to improve the resiliency so I will use
NF to comply with the regulatory we have
S Sox gdpr and for enhancing data
governance we have a CIT so this is how
you you map the
Frameworks okay now next thing is that
you need to break down each framework to
a specific control okay I already
discussed in the in the beginning
difference between framework and
standard first we adopt the frame workor
and then looking for the consistency we
go for the standard so here like I want
to implement Access Control policy okay
I really find that standard in
27,1 and I map that with my businesses
user access management HR on boarding so
in that I introduce the
27,1 I want to do write your risk
assessment as a process I want to
introduce this as a process control
requirement is it risk management CIT is
a framework or ISO
31,000 then Anis CSF which I'm introduce
in having an instant response a very
good control that I'm introducing for
one of the process which is called it
inser management process I want data
subject concern which is part of a gdpr
why because this need to be mapped with
my business process which is called
customer data
management and then we have a sock
financial reporting for that we have a
financial accounting so this is how you
need to select and map the framework so
here it's very important that's how you
validate now once you basically select
the framework and Define the control the
next step is risk assessment and control
design okay so now it's time to do the
risk assessment but initially also we
did so that is something called as a
possible risk I'm assuming okay and now
that assumption will be SS here based on
a gaps okay I want to comply I want to
prepare my company for gdpr right we
just
discuss okay so let's say example
is so this is my company this is my gdpi
requirement I is assess current how many
controls are comply with GDP so that is
a gap we have identify but based on a
gap we need to identify the controls but
controls will be Implement based on risk
assessment okay if I don't have what is
the impact so we do the risk assessment
now because I don't want to implement
all the controls so we introduce a risk
assessment now because policy framework
are established providing a base for
assessing a compliance
so we identify the risk we analyze the
risk we treat the risk okay so we engage
department leaders to understand the
operation risk and compliance and we
create one document here is risk
register and risk assessment report
that's something we can go for
it now next is called as a design and
document the control So based on risk
assessment we have to design we have to
select the controls and there is a one
document we prepare is control design
document so one thing we need to
understand in the
Enterprise okay in the enterprise we
have a only three type of uh actually we
have a three type of control preventive
control which a control used to prevent
the incident detective control which
detect the incident and corrective is
basically if anything happen what is the
reaction to that let's say example
firewall so firewall is a example of
preventative firewall is a example of
preventative but if someone bypass the
firewall I want monitoring to be done so
S ID is part of detective and my instant
response team will be part of corrective
which isolate the system and reduce the
impact so you can say preventive is a
safeguard detective and corrective are
the counter measures so here we can see
we create one document called control
design document in ISO 2701 it is called
as a s SOA statement of applicability so
here you can see control ID is ac1 I
just give my name control name is user
access review objective of this control
is prevent the unauthorized access owner
is it security manager frequency is
quarterly need to be review and
documentation is access review locks and
approval record so by this we can
validate the things so when you're
introducing any control you need to
introduce the objective owner frequency
and
documentation so I believe this control
is required now this control need to be
Implement with the help of that we go go
for the risk mitigation plan where we
document the treatment strategies
responsible party and timeline so when
you presenting a risk you document
risk you document threat you document
vulnerability and you give
recommendation but action plan filled by
the audit only customer only and he also
mentioned the follow the date of the
completion so these two data will be
filled by the customer and this data
will be filled by you okay remember that
so now based on risk assessment we
decided we want to go for itgc we need
to implement the control that's a
important
part so now now time for the
itgc so we deployed the control for data
protection access management chain
management and the document that we
containers control implementation
checklist which track the deployment of
each control because that's very
important or we can have a compliance
control Matrix which link Implement
control as a regulat requirement my
recommendation is that you can merge
both and you can use one as a document
there's no point of creating a multiple
document so you know it's always good
that you can create one Excel sheet in
which you can document everything like
this is the risk okay this is the
control this is map with nist standard
and this is ma with the regulatory
requirement called s Sox so this is how
you can create a
table now once you implement the table
okay once you implement the control so
you create a document here like itgc
policy procedure because any control
you're introducing you need to introduce
a policy first and then you can create a
audit checklist because based on the
control what you implemented you have to
do the audit also that is also very
important part so we have this
implementation example like I want to
implement in my business access
management area what is the action is we
need to create a policies Implement MFA
and all that so example like enforce
quarterly access review Implement MFA
for critical system second is you can
see change management so we need to
establish the policy set up the cab and
track and we use a service now to log
change or cab approval we need a backup
and Recovery function in the
organization so we can action is we can
automate the backups test and recovery
and we have a daily backups and
financial system
then uh it operation and monitoring is
there which Implement monitoring inent
response and then we have a continuous
Improvement so this is just like a basic
itgc I I'm implementing now once you
implement the
controls okay once you implement the
control now it's time for monitoring
because it's very important we have to
check is the control is working as per
the business requirement or is a control
is working as per what we have agreed
so now we talking about compliance so as
I said we need to do monitoring also
what we implemented so we have action
plan to monitor the things and we create
a compliance monitoring plan example we
have a list on the process and we verify
when to monitor so normally what happen
is if we talking about financial process
we do review Financial process like
yearly and some other process we RW
every 2 year and other controls if you
want to monitor in a monthly basis you
can document that along with that that
we can have a um compliance dashboard
which give you the visibility about the
current kpi and all that you can set up
the internal audit team in the
organization which outline the audit
frequency and all that and they can
create a reports because it is their
responsibility is to make sure whatever
the control is working it should be work
as for the business
objective there's one more activity we
do here is rcss so this is something
which is done by the auditor perform
risk and control self assessment because
once you implement the control is it
working effectively as per the business
objective so we do the
rcsa so we evaluate the control
Effectiveness and we have a one document
called as a continuous Improvement log
or you can say continuous control log
you don't need to create a multiple
document if you think one document can
meet all the criteria we
can go for that so this is how you
implement the entire
itgc now it's time for training and
awareness who is the weakest link in the
organization is people
and uh no matter you have another best
solution in this world but if your
employee is vulnerable then it's a
problem in terms of internal threats so
it's very important you have to do the
regular awareness and training for the
employees so one request is that the
Thin Line difference in training and
awareness is training modify the skill
okay and awareness modify the
behavior so here we develop the training
sessions make sure training material
should have a policy overview and
everything and whenever any employee Jo
join after signing the NDA and signing a
contract the first thing he should do is
he should attend the awareness program
post awareness program we have a
attendance and all that we have a uh
quiz also by which we can able to track
but on a regular basis we also send the
fishing emails and all that and check
how how many are effective but if you're
really looking for building a metrix so
you can use two metrics like before
awareness training how many people have
reported an incident and after awareness
training how many have been reported if
there's an increase in the number number
increase in the number it mean it is
effective so if it's increase in the
number it shows the effectiveness of
awareness
training ultimate goal of awareness
training is to make the employe aware
about the responsibility so they know
okay what to report so we reinforce the
GRC we do the regular Communications if
any kind of a changes happen in the
policy procedure level we can update
through the emails now it is time that
we need to set up the audit functions so
we just discussed we have first party
second party third party so here we
establishing the first party which is
called internal audit team it's very
important if you're having a GRC it is
very important to audit the GRC on a
regular basis and management also want
to understand what is happening in the
organization so we have to set up the
internal audit here so we create an
intern AIT checklist and report we also
create an internal audit program
internal audit program it's also called
as an internal audit Charter which talk
about the presence of the team in the
organization example what what is
internal audit and what they do so that
document the internal audit Charter so
we set uping up the internal audit team
so we have a stages so first stage is
called planning there's a dedicated
video I made on internal audit okay
please check that amazing review I got
OnePlus lck review on that video which I
have taken an example so do check that
okay so in the internal audit we have
organized the entire activity into the
four section the first section is called
as a planning where we have a audit
planning memo docu risk assessment
metrics and audit program okay then we
have a field work so I'll explain you
with the example like I'm auditing a
change management process so I will
basically create audit planning memo
okay about the purpose of intern audit
chain management this chain management
is applicable for the India division the
timeline will be 6 months so that is
something is called as a audit planning
memo then we document the detailed steps
and resources that will be taken care
for this chain management okay and then
we doc the possible risk here we just
assuming possible risk based on the data
what we collected and then we outline
the audit test and procedure that is
part of a planning now I'm scheduling
the interview with the audity so
interview summary is there we document
the interview with the key people based
on that I document the requ request list
like they said okay they close change in
every two days and uh every change has
to be reviewed with the separation of
Duty so I will ask for samples which is
part of the document request list so
here I will ask for the policy procedure
proc and
everything the next important thing is
called as a test work uh test workpaper
so we capture the test results because
this workpaper are your evidence and
then you have a test summary sheets
where you document the findings analysis
and
recommendation that summary sheet become
the input for audit report the first
version of audit report is called as a
draft audit audit report that's
something you need to get convey from a
auditing and once you're done with that
you have a exit meeting summary you will
have a action plan you will give a
recommendation action plan prepared by
the audity so he given some dates okay
on this date we will close this finding
so we will do the followup on the date
to make sure they have closed this
finding so that is how the entire audit
process works we also have a second
party audit where you audit the
suppliers and all that it is always good
whatever the critical elements we have
we can create a checklist for that so
that we can follow that checklist and
based on that we audit the vendor before
you onboard them and third part audits
are basically called when You Face any
regulatory audit certification audit and
all that there's a dedicated video I
already made on 27,1 so you can check
that so this is all from my
side uh in this particular video do let
me know how do you find this video uh
you know and do you find something
special in this content do you got
something new insights do share your
suggestion comment box and do let me
know in comment box shall I continue
this series thank you so much and what
is the best thing you like about this
video do let me know and without your
love I'm nothing so please support if
you think my content is worth do
subscribe to the channel and click on
the Bell icon to make sure you should
not miss the future videos on a similar
topic good day bye
May 13, 2026
Watch Read Summary
Liver Lobules (Portal Triad)

Dr Matt & Dr Mike
Tom Bilyeu
May 19, 2026
Watch Read Summary
PDF
Governance Hierarchy

GRC Professional Roles

Regulatory vs. Business Requirements

Three Lines of Defense

Frameworks and Standards

Risk Fundamentals

Policy & Governance Hierarchy

GRC Implementation Lifecycle

Audit & Awareness

Mechanisms and Explanations

Takeaways

Frequently Asked Questions

How is risk calculated in GRC frameworks?

What distinguishes a framework from a standard in GRC?

Who is Prabh Nair on YouTube?

Does this page include the full transcript of the video?

Helpful resources related to this video

Share This Summary

Embed This Summary
