The Wacky World of GRC

March 7, 2017 Douglas Barbin

Few areas of technology are as contradictory as governance, risk and compliance. A company might do everything to be secure yet still not be in compliance.

For some, maintaining a focus on the governance, risk management and compliance (GRC) landscape is data security nirvana, the epitome of an ideally balanced data strategy. For others, it’s a maddeningly frustrating and impossible task where conflicting geographic rules and industry standards make strict compliance untenable and the attempt counter-productive. Just to make life interesting, it turns out that both these perspectives have a semblance of truth.

The most popular suggestion for GRC compliance is to focus on the intent of regulators and standards bodies – most of which base almost everything on security and privacy best practices – and not the letter of their edicts. Many regulators, auditors and assessors are much more forgiving when they see that someone truly is trying to deliver a safe and secure environment and avoiding the checkbox mentality approach. That said, “many” does not equal “all,” which is why data security in 2017 is not for the faint of heart.

To read the full whitepaper, along with my comments on the topic, you can download direct from SC Magazine.

About the Author

Douglas Barbin

Doug Barbin is a Principal at Schellman & Company, Inc. Doug leads all service delivery for the western US and also oversees the firm-wide growth and execution of security assessment services including PCI, FedRAMP, and penetration testing. He has over 19 years of experience. A strong advocate for cloud computing assurance, Doug spends much of his time working with cloud computing companies and has participated in various cloud working groups with the Cloud Security Alliance and PCI Security Standards Council, among others.
