SECURITY COMPLIANCE
​​​​​​​Governance, Risk & Compliance (GRC)

4. Implementation

A range of security measures across people, process and technology will then need to be implemented to ensure you fill the gaps identified in the previous step and ensure you stack up against the standards. Having a detailed understanding of your key risk areas before spending money on security controls allows you to focus your budget and resources on the priority areas to avoid a ‘spray and pray’ approach.

5. Auditing & measurement

It’s one thing to meet the requirements of a given standard and another thing to be able to prove your compliance against that standard. This is where an independent 3rd party comes in to audit and verify that you meet the requirements. Auditing typically relates to mandatory standards, while frameworks can sometimes be self-assessed because they’re not mandated by government regulation. Becoming compliant gives you visibility of your risk profile while getting certified avoids missing out on market opportunities and reduces supply chain risk.

Benefits of Governance, Risk & Compliance (GRC)

Supply Chain Risk

The biggest threat to most organisations by not being compliant is the risk of losing valuable supply agreements with partners who require you to have certain certifications in place. This 3rd party risk can come as a surprise with little notice for you to achieve compliance before being dropped from the supply chain. Would you trust your suppliers if they weren’t certified? Why would your partners trust you if you’re not, especially if your competitors are?

Looming Audits

If you are already focused on compliance, then you will likely know when your next audit is coming up. However, if you’re just getting started, you may be uncertain about how it all works and when audits may be required. Preparing for an audit often takes far longer than expected and costs more than budgeted - easily costing in the tens of thousands of dollars and typically needing to be done every year. Instead of being overwhelmed, treat compliance audits like a year-long product launch. In other words, allocate resources (people, budget and tools) to your compliance project, just like you would an income generating product (because compliance can actually help you generate additional income).

Income Generating Opportunities

Becoming compliant can help your company generate new business. Ultimately, it’s a simple cost-benefit analysis. First, calculate the cost of becoming compliant. This cost may include hiring a compliance expert on a full-time or contract basis such as Red Piranha’s vCISO service. It may also include securing a third-party firm to conduct the audit and buying software and products that are requirements to meet compliance standards or that enable you to do so.
On the other side of the equation, try to calculate how much business you could pursue (and win) if you achieve certification with various standards. This benefit will have a significant impact on what type of projects your sales team can go after. For many organisations, while the upfront cost of compliance can be high, it is well worth the opportunities it opens for your sales teams.

Standards & Frameworks for achieving Governance, Risk & Compliance (GRC)

The Governance, Risk & Compliance can be a bit of minefield and it’s hard to know which standards and frameworks apply to your organisation. It’s important to map out a compliance journey that’s relevant to your business. As with any significant commercial undertaking, thinking long-term is key to ensure you futureproof your compliance strategy and make the most of your investment.

ISO/IEC 27001 is often a good framework for many organisations to start with to lay the foundations for a long-term compliance journey and other standards and frameworks can then apply to specific industries from there.

Achieving compliance opens new business opportunities for your company such as launching into new regions and expanding into new verticals. Organisations that plan to operate in Europe almost certainly need to be GDPR compliant to enable this business growth. Similarly, organisations planning to launch a new product in the fast-growing fintech and healthtech spaces will most likely need to be PCI or HIPAA compliant. Importantly, even those companies who may not currently have mandated certification requirements should be starting their compliance journey by applying proper security practices to not only reduce their risk, but also ensure they are prepared for their future compliance needs. It’s a very costly and resource-hungry problem to have to rush a compliance process if the foundations aren’t already in place.

Not implementing a suitable security framework can have devastating effects for any business, even where mandatory regulations don’t apply.

LandMark White was a publicly-listed property valuation company which experienced two major data breaches in 2019 due to a lack of security process. This led to the company being temporary suspended from the ASX and forcing them to change their name to Acumentis to minimise reputational damage. The direct costs relating to the breach were estimated at over $7M plus all the indirect costs associated with the fallout.

Given the significant impact to the bottom line, shareholders are holding Directors accountable if proper security controls aren’t being put in place that could avoid a data breach or security incident. This has led to a trend where shareholder class actions are one of the fastest growing sectors within the legal profession to handle such cases.

Although industries such as critical infrastructure, fintech, manufacturing, technology and managed services are high on the radar for compliance obligations, it is becoming increasingly important for all business to follow a robust information security framework.

The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative to provide high-quality information and communications technology (ICT) security assessment services to government. ASD endorses suitably-qualified ICT professionals to provide relevant security services which aim to secure broader industry and Australian Government information (and associated) systems. IRAP Assessors assist in securing your ICT networks by assessing your security compliance and highlighting the information security risks facing your organisation.

Red Piranha is an IRAP-aligned organisation and we’re undertaking the process for our products to go through the certification process. We also have a strategic partnership with the Australian CyberSecurity Centre based on our share ideals and we share threat intelligence data.

The NIST Cybersecurity Framework provides information security guidance for private sector organisations in the US to prevent, detect, and respond to cyberattacks. It was developed by the National Institute of Standards and Technology, which is an agency of the United States Department of Commerce. It includes a Framework Core, Framework Implementation Tiers and a Framework Profile. The Framework Core defines 5 key functions of information security:

1. Identify
2. Protect
3. Detect
4. Respond
5. Recover
   
   

1. Transparency and modalities
2. Information and access
3. Rectification and erasure
4. Right to object and automated decisions

1. Pseudonymisation
2. Records of processing activities
3. Security of personal data
4. Data protection officer

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to regulate the flow of healthcare information in the US and define how Personally Identifiable Information (PII) maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft. Although it mostly applies to organisations in the US, it can also apply companies dealing with healthcare data with customers and partners in the US. The Act is broken into 5 Titles:

1. Privacy Rule
2. Transactions and Code Sets Rule
3. Security Rule
4. Unique Identifiers Rule (National Provider Identifier)
5. Enforcement Rule

   PCI

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle branded credit cards from the major card schemes.

The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud.

Validation of compliance is performed annually or quarterly, by a method suited to the volume of transactions being handled. PCI typically doesn’t apply to companies accepting credit card payments through a 3rd party payment gateway, but would usually apply if you are handling the credit card details yourself.

   COBIT

Control Objectives for Information and Related Technologies (COBIT) is a framework created by Information Systems Audit and Control Association (ISACA) in the US for IT management and IT governance. It defines a set of generic processes for the management of IT and is broken into 5 key components as follows:

1. Framework
2. Process descriptions
3. Control objectives
4. Management guidelines
5. Maturity models
   
   

Technologies

Compliance isn’t about creating policies that sit on a shelf to collect dust. A major part of the process is implementing hard and fast security controls and implementing relevant security procedures to prevent incidents occurring. Compliance drives a process of continuous improvement and measurement to ensure your organisation is getting more secure over time.

Compliance Mapping

It’s important to understand how various security services map against the requirements of various standards. Our eCISO™ service delivers the following compliance outputs, as they relate to the corresponding standards shown below. Our tailored security services can also deliver compliance requirements you may have beyond this.

Compliance mapping to our products and services

Compliance isn’t about creating policies that sit on a shelf to collect dust. A major part of the process is implementing hard and fast security controls and implementing relevant security procedures to prevent incidents occurring. The compliance process drives a process of continuous improvement and measurement to ensure your organisation is getting more secure over time.

Security Compliance - Governance, Risk & Compliance

You need to start your compliance journey with an overarching framework from which to build a solid foundation to establish your security posture. We can help you get started on the right foot along this journey with our Governance, Risk & Compliance services.

Security Resourcing

Red Piranha’s cost-effective CISO services give you the benefits of having access to a pool of industry-leading security specialists to help you achieve compliance, without the expensive overhead of a full-time CISO. Our eCISO™ service provides automated compliance features to get the job done as efficiently as possible.

Cyber Security Awareness Training

Staff awareness of security issues and threats is one of the greatest risks to an organisation. We offer standard and tailored online cybersecurity awareness training programs to help your staff and your Board understand risks as well as your policies and procedures to better protect your organisation.

Security Assessments

Security risk assessments and audits help you understand your organisation’s security maturity model, identify potential gaps in your security controls and recommend changes to meet your compliance requirements.

Security Testing

Security testing is a hands-on technical engagement which gives you a view of the known and unknown vulnerabilities that exist in your IT environment, as well as providing a plan to mitigate and manage those risks. Red Piranha offers a full service capability across Vulnerability Assessments and Penetration Testing (VAPT).

Security Management

Our Managed Detection and Response service applies machine learning to automatically detect and block security threats using the Crystal Eye Platform. We also offer managed SOAR and managed SIEM capabilities to provide an even greater level of assurance.

Security Investigation

Digital Forensic services can help you get to the bottom of what happened in relation to a security breach in your network, coupled with a comprehensive Incident Response plan to help you recover from the breach and get back to business as quickly as possible with minimal impact.

** Cost of a Data Breach Report, Ponemon Institute, 2023