GRC Overview
Governance, Risk, and Compliance (GRC) is an integrated approach to ensure an organization aligns IT with business goals, manages risk effectively, and meets compliance requirements.
Key Components
- Governance: Policies, procedures, organizational structure
- Risk Management: Identify, assess, and mitigate risks
- Compliance: Meet regulatory and contractual obligations
GDPR (General Data Protection Regulation)
EU regulation protecting the personal data of EU residents. Applies to any organization, wherever it is based, that processes the personal data of people in the EU.
Key Requirements
- Lawful Basis: Consent, legitimate interest, contract, legal obligation
- Data Subject Rights: Access, rectification, erasure, portability
- 72-Hour Breach Notification: Notify the supervisory authority within 72 hours of becoming aware of a personal data breach
- Data Protection Officer: Required for certain organizations
- Privacy by Design: Build privacy into systems
Penalties: Up to €20M or 4% of global annual revenue, whichever is higher
SOC 2
AICPA framework for service organizations. Demonstrates security and privacy controls to customers.
Trust Service Criteria
| Criterion | Description |
|---|---|
| Security | Protection against unauthorized access (required) |
| Availability | System availability per SLA |
| Processing Integrity | Accurate and timely processing |
| Confidentiality | Protection of confidential info |
| Privacy | Personal information handling |
SOC 2 Type I vs Type II
- Type I: Point-in-time assessment of control design
- Type II: Assessment of control design and operating effectiveness over a 6-12 month period (more valuable to customers)
ISO 27001
International standard for Information Security Management Systems (ISMS).
Implementation Steps
- Define ISMS scope
- Conduct risk assessment
- Select Annex A controls (114 controls in 14 domains in the 2013 edition of the standard)
- Implement controls
- Internal audit
- Certification audit (Stage 1 & 2)
- Surveillance audits (annual)
PCI DSS
Payment Card Industry Data Security Standard. Required for any organization that stores, processes, or transmits cardholder data.
12 Requirements
- Install and maintain firewalls
- Change vendor-supplied default passwords and settings
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data on a need-to-know basis
- Assign a unique ID to each person with system access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain an information security policy
HIPAA
US regulation protecting protected health information (PHI). Applies to healthcare providers, health plans, clearinghouses, and their business associates.
Key HIPAA Rules
- Privacy Rule: How PHI can be used and disclosed
- Security Rule: Technical safeguards for ePHI
- Breach Notification Rule: Notify affected individuals within 60 days of discovering a breach
Building a GRC Program
- Inventory: Map data, systems, and compliance requirements
- Gap Analysis: Compare current state to requirements
- Roadmap: Prioritize remediation activities
- Implementation: Deploy controls and document
- Continuous Monitoring: Ongoing compliance validation
Last updated: December 2024