Governance, Risk & Compliance (GRC)

Overview

A robust security program requires ongoing, transparent risk management that addresses both shared and domain-specific risks across Information Technology (IT) and Operational Technology (OT) environments, particularly where Emerging Technology (ET) is involved. We develop integrated GRC processes, practices, and tools that reduce security risk and improve enterprise security maturity.

Approach

Industry Standards Alignment
  • Conduct a comprehensive gap analysis of GRC documentation against relevant industry standards and frameworks, including but not limited to: NIST CSF, SP800-53, SP800-82, SP800-171, SP800-172, AI RMF, NIST-AI-600-1, CIS Controls, CSA guidelines, OWASP (including the Top Ten for LLMs and GenAI), ISO 27001/21434/42001, and ISA/IEC 62443.

Risk Management Practice
  • Assess automated and manual processes and tools used to identify, track, mitigate, and report risks across the organization.

  • Evaluate integration points between asset management and risk management, such as asset tagging practices and automated inventories connected to risk registers or repositories.

  • Examine the most recent audits and assessments to identify recurring risks for consolidation into the current action plan or master risk register.

Outcomes

Governance, Risk & Compliance (GRC) Optimization
  • Create or update the organization’s GRC framework, processes, and artifacts (such as risk models, matrices, action plans, risk registers, and risk treatment plans (RTPs)) so that they fully cover the IT, OT, and ET domains.

    • Ensure reusable templates and governance documents such as risk models include controls and considerations for AI, quantum technologies, and other emerging technologies.

  • Support GRC tool acquisition by developing procurement language and RFP evaluation criteria for vendor assessment.

  • Develop and/or update the contractual and technical security requirements and provisions in the procurement processes and documents of the organization and its security business unit.

Targeted Threat Risk Assessments (TRA)
  • As above, develop contractual and technical security requirements for an RFI or RFP requesting security services.

  • Deliver a comprehensive Threat Risk Assessment (TRA) report and an actionable plan for in-scope IT, OT, and ET systems.