003 Security Governance Principles - Coggle Diagram
GRC
Governance
Governance is about setting direction, policies, and accountability for security within an organization.
What it includes
Defining security roles and responsibilities
Establishing security policies, procedures, and frameworks (e.g., ISO 27001, NIST)
Ensuring leadership support and strategic alignment
Goal
Ensure that cybersecurity supports business goals and is driven from the top down.
Risk
Risk involves identifying, assessing, and managing threats to the organization’s assets and operations.
What it includes
Risk assessments (e.g., identifying threats, vulnerabilities, and impact)
Implementing controls to mitigate or accept risk
Continuous monitoring and reporting of risk posture
Goal
Understand and minimize the potential impact of cyber threats.
Compliance
Compliance ensures the organization follows relevant laws, regulations, and standards.
What it includes
Adhering to regulatory requirements (e.g., GDPR, HIPAA, SOX)
Performing audits and maintaining evidence
Managing policy enforcement and documentation
Goal
Avoid legal penalties, protect reputation, and ensure proper handling of sensitive data.
GRC in a nutshell
Governance defines the structure.
Risk management identifies what could go wrong and how to address it.
Compliance checks if you're meeting legal and policy obligations.
Due diligence
Due diligence is the process of investigating and understanding risks, and then making informed decisions to mitigate those risks.
Due diligence is all about discovery and being proactive.
It involves ongoing activities to ensure that organizational security practices, policies, and controls are effective and compliant with laws and standards.
To remember: Due diligence is taking the initiative to investigate, identify potential risks, and plan. It’s the decision-making phase.
Due Care
Due care takes due diligence to the next level.
While due diligence is about finding things, due care is about taking action.
To remember: Due care is about implementing the appropriate actions or safeguards based on the information gathered from due diligence. It’s the action phase.