GRC Information Protection Basics
01 August 2024
We suggest a concise and structured approach to information protection. It emphasizes the key principles of Governance, Risk Management, and Compliance (GRC) with a focus on simplicity, scalability, and security.
Setting Boundaries
Setting Boundaries for Data Access starts with "the six Ws of information gathering": What, Where, Who, Why, How and When.
These questions provide context for risk evaluation for our information assets and provide guidance for proper Data Privacy and Data Security governance.
Starting with the What (What our Assets are), each of these essential questions helps us to evaluate risk for that context and leads us to the next essential question.
- What – An inventory of the information assets
- Where – Where these assets are located (domains, computers, volumes)
- Who – Who has (or will need) access to these assets
- Why – Why these entities need access
- How – What methods will be used for access
- When – During what periods these entities require access
Determining Risk
- What – What is the Risk Category for each asset
- Where – What are the data location exposure risks
- Who – What are the entity access exposure risks
- Why – Does this entity require access
- How – How should this entity access it
- When – What are the appropriate periods of access
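As an added illustration (not code from the article or from White Cloud Security), the six Ws can be recorded as an inventory and then enforced with the default-deny stance the article advocates: a request is allowed only when the asset is inventoried and an explicit boundary names the requesting entity (Who), its approved method (How) and its access window (When). All asset names, principals and methods below are constructed sample data.

```python
# Added example (not from the article): default-deny access evaluation keyed on
# the six Ws; asset names, principals and methods are constructed sample data.
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass(frozen=True)
class Boundary:
    """Who may access an asset, why, how (approved methods), when (daily window)."""
    who: str
    why: str
    how: frozenset
    start: time
    end: time

    def covers(self, at: time) -> bool:
        if self.start <= self.end:
            return self.start <= at <= self.end
        return at >= self.start or at <= self.end  # window wraps past midnight

@dataclass
class Asset:
    """What the asset is, where it lives, its risk category and its boundaries."""
    what: str
    where: str
    risk_category: str
    boundaries: list = field(default_factory=list)

def evaluate(inventory, what, who, how, at: datetime):
    """Return (decision, reason); anything not explicitly granted is denied."""
    asset = inventory.get(what)
    if asset is None:
        return "deny", "asset not in inventory"
    for b in asset.boundaries:
        if b.who != who:
            continue
        if how not in b.how:
            return "deny", f"{how} is not an approved method for {who}"
        if not b.covers(at.time()):
            return "deny", f"{who} is outside its access window"
        return "allow", f"{b.why} ({asset.risk_category} asset at {asset.where})"
    return "deny", f"{who} has no boundary on {what}"

INVENTORY = {  # constructed sample inventory
    "payroll-db": Asset("payroll-db", "hr-vlan/sql01", "high", [
        Boundary("hr-app", "runs payroll", frozenset({"sql-tls"}), time(8), time(18))]),
    "backup-share": Asset("backup-share", "dc1/nas02", "medium", [
        Boundary("backup-job", "nightly backup", frozenset({"smb"}), time(22), time(4))]),
    "legacy-export": Asset("legacy-export", "dmz/ftp01", "high"),
}
```

An asset that is inventoried but has no boundaries (legacy-export above) is reachable by nobody until someone answers Who and Why for it, which is the gap the Determining Risk questions are meant to surface.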
Key Highlights:
- Data Access Boundaries: This approach outlines a clear framework for setting boundaries for data access by considering what information assets are involved, where they are located, who needs access, why they need access, how they will access it, and when the access is needed. This holistic approach ensures comprehensive coverage of all aspects of data access control.
- Risk Assessment: This approach also emphasizes the importance of determining risk categories for each asset, understanding data location and access exposure risks, and evaluating the necessity and timing of access. This risk-based approach helps in prioritizing and mitigating potential exposure and other threats.
- Prevention Focus: Our recommendation strongly advocates for a preventive approach.
Awareness is Security
You can't secure what you aren't aware of: information when you don't know where it is located, who can access it, whether they need to, how they access it, or when access is required.
This approach is founded on our conviction that "Prevention Beats Remediation Every Single Time." It aligns with White Cloud Security's philosophy of using Default-Deny and Zero-Trust Protection to minimize risks before they materialize.
Overall, this approach provides a solid foundation for organizations looking to implement or enhance their GRC strategies, particularly in terms of data protection and access management. The focus on clear, actionable steps and preventive measures makes it a practical resource for stakeholders involved in information security and compliance.