How did I learn and get experience in Governance Risk and Compliance (GRC)?

I supported US Special Operations Command (USSOCOM) for many years, inside and outside the Headquarters. The communications systems there are very secure and undergo routine risk assessments and system testing to ensure they remain secure.

I was fortunate that I worked on fielding a variety of systems, which involved rigorous testing. I also managed a lab in a government facility where we developed new capabilities that had to be compliant. Oh, and I was also a Technical Project Manager, where I managed new system installations, enhancements, and upgrades.

It seemed that all of this required audits and assessments all the time.

There are a number of frameworks out there which govern organizations or business units. The major one in the US Government and civilian sector comes from the National Institute of Standards and Technology (NIST). All of these publications are available on the NIST website. The major document containing all the controls, effectively a dictionary of them, is NIST SP 800-53, currently at Revision 5.

There’s also the System and Organization Controls (SOC) framework, which includes security and financial controls. This is one framework that I’m not as familiar with, but I’m changing that at the moment.

There are many more. One good certification one can earn is the Certified Information Systems Auditor (CISA) from ISACA. It covers a variety of them and how they interact with one another.

I took a refresher a year or two ago called GRC Analyst Master Class, taught by Gerald Auger. It’s available in several places and is good content. The 2CyberChicks podcast also has a number of episodes that go into GRC in just enough detail for many people interested in the subject.

There’s no one stop shopping. One must do research and just “dig in”.

-Doug