This is one of the 52 terms in The Language of Cybersecurity published by XML Press in 2018 and the contributor for this term is Flavio Valenzuela.

What is it?

Governance, risk management, and compliance (GRC) is a combination of three approaches that organizations use to manage risk and demonstrate compliance with international standards, global rules, laws, and state regulations. It is referred to as IT GRC when a company uses information technology (IT) to apply GRC.

Why is it important?

Governance, risk management, and compliance (GRC) is often implemented by companies that are growing globally to maintain consistent policies, processes, and procedures across all parts of the organization. Business professionals need to understand and follow the internal information security rules, company risk factors, and industry requirements that drive the implementation of GRC, because the company as a whole remains compliant only if each part of it does.

Why does a business professional need to know this?

For companies to provide quality products or services, grow, and achieve success, they need a clear vision, correct guidelines, internal controls, and mature operations.

Compliance is central to this effort because companies must adhere to international standards, requirements, and certifications to succeed. Compliance is a combination of internal processes that ensure that all operational procedures follow guidelines and specifications from industry regulations, local laws, and information security best practices.

Business professionals should consider incorporating innovative solutions and technologies designed to protect intellectual property (content) and personally identifiable or sensitive personal information (data) from competitors, disgruntled employees, and mischievous pranksters. However, introducing new technology also introduces new risk. Digitally savvy organizations adopt risk management best practices to reduce the potential negative impacts of the very technologies they adopt to protect themselves.

Risk management is the discovery, evaluation, and prioritization of business risks. Risk management activities involve determining, minimizing, and controlling the probability or impact of unfortunate events. Risk managers help organizations develop rules, adopt controls, and take steps designed both to protect information assets and to reduce cybersecurity vulnerabilities to an acceptable level. Risk managers also develop response plans and proactive protection strategies focused on limiting the impact of cyber attacks.

Risk management and compliance efforts must be aligned to address these needs, which leads companies to adopt governance. Governance refers to the set of policies, processes, and procedures that define how a company ensures that critical systems and sensitive information are kept confidential, protected from unauthorized change, and available to those who need them.