Risk Compliance Manager

2 days ago


Canberra, Australian Capital Territory, Australia | CXC | Full time | $80,000 - $120,000 per year

Responsibilities:

Managing security governance, risk, and compliance (GRC) within enterprises presents challenges due to increased complexity and resource requirements. This is particularly the case with IT system security risk because of continuously evolving compliance requirements, the number and complexity of IT systems, and their interdependencies. Additionally, security risk and compliance activities are often distributed among multiple stakeholders, which can result in varying approaches, dispersed knowledge, duplicated efforts, and oversight gaps.

This fragmentation affects the ability to maintain an up-to-date understanding of the organization's risk profile, compliance status, and necessary actions. This subsequently limits the organization's capacity to identify, assess, and address risks proactively.

This initiative seeks to improve enterprise security governance and assurance by implementing a GRC platform in conjunction with relevant policies, processes, and procedures. The solution aims to deliver ongoing compliance monitoring and risk assessment, encourage consistent and effective management of compliance information, and centralize the tracking of risks and outstanding actions. The initial scope will cover information and cybersecurity, with plans to extend capabilities to other areas as development progresses.

The users and their needs

As a system implementer, I want to:

· Understand the current security compliance requirements for my system

· Understand the compliance status, inherent risks, and shared responsibilities for components on which I depend for the security of my system

· Capture the intended approach for complying with applicable security controls

· Reference existing control treatments for components on which I depend

· Capture outstanding control treatment actions, milestones, and associated risks.

As a system maintainer, I want to:

· Understand changes to security compliance requirements for the systems I maintain

· Capture the intended approach for complying with changed or new security controls

· Capture outstanding control treatment actions, milestones, and associated risks

· Capture the outcome of regularly occurring assurance activities

· Capture any risks that arise through operational activities.

As a system owner, I want to:

· Understand the current risks inherent in my system

· Collate and present the information needed to seek authorization to operate my system in accordance with the 6-step risk management process defined in the ISM

· Keep a record of the authorization to operate my system and any associated conditions

· Collate and present the information needed to provide the authorizing officer with annual updates on my system's security posture and associated risk.

As an IT security risk manager, I want to:

· Centrally store, disseminate, and maintain security control baselines, catalogues, and other regulatory requirements

· Identify systems impacted by changes to security control baselines so that system owners, managers and maintainers can be proactively notified

· Centrally report on risks at the enterprise and system levels

· Track progress towards remediation of identified risks.

As a security risk executive, I want to:

· Understand security risks at the enterprise and system levels

· Review applications to authorize systems for operation in accordance with the 6-step risk management process defined in the ISM and provide a record of my decisions.

As an IT Security auditor, I want to:

· Understand the intended approach for complying with applicable security controls

· Describe the efficacy of implemented controls, the method used to test, when it was tested, and recommendations for effective treatment

· Capture a human-readable security assessment report.

Key dates / milestones

We are seeking to implement the GRC system within this financial year.

Essential criteria

1. The GRC system must facilitate the continuous import and maintenance of common security control baselines, specifically the Information Security Manual (ISM) and Protective Security Policy Framework (PSPF), preferably via automated methods.

2. The GRC system must support custom enterprise risk frameworks and enable risk register management and reporting, including the ability to categorise, rate, assign ownership, define and select controls/treatments, and schedule reviews of identified risks.

3. The GRC system must support compliance and audit processes by enabling standardised and automated reporting of individual system security posture and compliance status, as well as the status of control implementation and risk treatment across many systems (i.e. an enterprise view).

4. The GRC system must enable efficient and dynamic referencing of control treatments and related risks managed by other systems or the deployment environment. Any change in compliance or risk for a treatment must be automatically updated across all dependent systems.

5. The data model implemented by the GRC system must support all stages of the 6-step risk management process outlined in the ISM. Note: this 6-step risk management process is derived from the publication NIST SP Rev. 2 - Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.

6. The GRC system must provide an API allowing GRC tasks to be automated.

Desirable criteria

1. The GRC system's data model should be designed to minimise the need for customisation while accommodating the 6-step risk management process described in the ISM. It is preferable if the GRC system supports OSCAL data models, allowing for ongoing import of ISM control catalogues and profiles in OSCAL format.

2. The GRC system should facilitate cyber risk quantification methodologies.

3. The GRC system should support integration with external work request/service management systems (such as Azure DevOps) to support tracking of outstanding risk treatment actions.
