What is GRC Software?
Governance, Risk, and Compliance (GRC) are inherently intertwined. Many regulatory bodies and industry frameworks require organizations to first understand the risk to sensitive assets before implementing controls.
Efficient and well-structured governance enables an organization to set a tone from the top and take steps to address risk through policy and procedures.
However, in many organizations, compliance and risk are managed in silos.
This fragmented approach can result in inefficiencies and a lack of a consistent approach to risk and compliance across the organization as a whole. It also makes it harder for companies to get a full picture of the organization’s security posture.
Many organizations are turning to GRC software, also referred to as Integrated Risk Management (IRM) software, to address these problems and integrate governance, risk, and compliance holistically throughout the organization.
GRC software enables a holistic, integrated approach to compliance and risk management by storing, managing, and automating GRC processes. Gone are the days of using separated systems and spreadsheets to track critical information.
Compliance teams can access and analyze regulatory and framework requirements as well as audit controls in one secure place.
Risk managers can analyze data to spot patterns and monitor risks, and employees can easily access the policies and procedures they need to perform their duties efficiently and effectively.
What’s the Right GRC Solution?
There are many GRC platforms on the market, ranging in pricing and functionality depending on your organization’s budget and needs. Since entering the world of GRC, I’ve been exposed to many of the industry-leading platforms, and like other fiscally responsible professionals, I began searching for an open source platform that would meet my needs within an SMB budget. My search led me to Eramba.
Eramba is an open source, enterprise-grade GRC platform, and like many of the industry leaders, it includes modules for risk management, compliance management, audits, and policy management. Eramba also includes asset classification and reporting capabilities, all from the convenience of a single pane of glass. Eramba offers an API that lets developers build integrations between Eramba and third-party products and feeds. What sets Eramba apart from the rest of the platforms is the cost.
Eramba offers two versions of its GRC platform:
- Community Version – completely free, but it lacks some functionality and only receives updates and new features on an annual basis
- Enterprise Version – based on an annual subscription model, starting at $2,200 for small companies, with regular updates and new features as well as technical support. Eramba is a non-profit company, so the subscription is only meant to recover the cost of developers and support staff.
One of the core principles behind Eramba is organizing your company’s Information Security Management System (ISMS) in one tool that is easy to use and manage.
Eramba is an intuitive product that includes batch operations and bulk uploads, making it fast and easy to get your information into the tool or edit it in bulk.
The individual modules are broken out into categories that may or may not make sense to you initially, depending on your region. However, a comprehensive set of support documentation and video tutorials on each module helps get you up to speed on methodology and terminology used throughout the platform.
What Does Eramba Do?
Asset Management
This module allows companies to identify asset types at a high level and map asset-level risks to those asset types. Assets can be people, information, software, facilities, hardware, or systems. When defining data assets, Eramba allows organizations to perform a data analysis on each asset, helping to identify data flows and life cycles. This analysis is especially critical when it comes to the General Data Protection Regulation (GDPR), which is why Eramba also offers a GDPR analysis tab to help organizations comply with the EU regulation.
The data asset analysis lets you record detailed information about the life cycle of a specific data asset type (e.g., PII, ePHI, cardholder data). This analysis matters because it helps organizations understand how sensitive information flows through their environment and which people, processes, and technologies come into contact with that information.
Controls
This module allows organizations to identify and track their security controls. Anything that is implemented to treat a risk can be added to this section. The module includes Policy Management, Security Services, Business Continuity Plan, and Support Contracts.
Policy Management
This section allows organizations to document their policies, procedures, and standards and then map them to risks, compliance requirements, other controls, and awareness initiatives. There is also a separate portal for accessing your documentation, with access controlled through LDAP, so users see only the documents that apply to them.
Workflows help ensure that documents stay up-to-date by automatically creating annual reviews that can be assigned to the appropriate personnel.
A policy management module wouldn’t be complete without exception tracking capability, and Eramba doesn’t fall short here. Exceptions are tracked, approved (for a set amount of time), and reviewed for reinstatement.
Eramba’s policy management module isn’t the flashiest or loaded with the most features, but it’s simple to use, and it gets the job done.
Security Services
Designed to track security controls, including the logical, technical, or physical safeguards that have been implemented to treat identified risks. This module, like the policy management module, has workflows designed to audit these controls.
Let’s illustrate this using PCI-DSS requirement 1.1.7, which states that an organization must review firewall and router rule sets at least every six (6) months. In Eramba, you would create a security control called Firewall Review and map it to a supporting policy, a procedure, and the PCI-DSS requirement within your compliance requirements. In the Firewall Review control, you would set the audit criteria and schedule a task that kicks off every six (6) months and is assigned to someone on your security and network team. The item shows up in their email, notifying them that it’s time to complete a Firewall Review. It is the responsibility of the assignee to complete the task, attach supporting evidence, and determine whether or not the control is in compliance. If the assignee were to miss the deadline for this task, Eramba would flag the control as missing an audit, which in turn fails the mapped PCI-DSS requirement.
Through dashboarding and reporting capabilities, you can see a quick, high-level view of your compliance with any identified regulation, framework, or standards your organization adheres to. We’ll come back to this example in the Compliance Management section.
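To make the Firewall Review workflow concrete, here is a small stand-alone model of it in Python. This is an added example written for this article, not Eramba’s code and not its API: the record layout, the status vocabulary, the 182-day approximation of “six months,” the second control and the requirement ID INT-01 are all assumptions made for illustration. It shows the two rules the text describes, that a missed audit deadline is flagged as a missing audit and that a failing control fails every compliance requirement mapped to it:

```python
"""Model of a recurring control audit rolling up into compliance status.

Added example for this article; not Eramba's own code or data model.
Field names, status strings and sample records are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Status vocabulary assumed for this example.
COMPLIANT = "compliant"
NON_COMPLIANT = "non-compliant"
MISSING_AUDIT = "missing audit"
NOT_YET_DUE = "no audit due yet"


@dataclass
class Audit:
    due: date
    completed: Optional[date] = None   # None while the task is still open
    passed: Optional[bool] = None      # assignee's verdict once completed
    evidence: tuple = ()               # attached evidence file names


@dataclass
class Control:
    name: str
    period_days: int                   # audit interval (182 ~ six months)
    audits: list = field(default_factory=list)
    requirements: tuple = ()           # mapped compliance requirement IDs


def schedule_audits(start: date, period_days: int, until: date) -> list:
    """Generate the recurring audit tasks from `start` up to `until`."""
    due, audits = start, []
    while due <= until:
        audits.append(Audit(due=due))
        due += timedelta(days=period_days)
    return audits


def control_status(control: Control, today: date) -> str:
    """Status of a control on `today`, judged by its most recently due audit."""
    due_so_far = [a for a in control.audits if a.due <= today]
    if not due_so_far:
        return NOT_YET_DUE
    latest = max(due_so_far, key=lambda a: a.due)
    # Missed deadline: never completed, or completed after the due date
    # (treating late completion as a miss is an assumption of this example).
    if latest.completed is None or latest.completed > latest.due:
        return MISSING_AUDIT
    # The assignee must both pass the control and attach evidence.
    if not latest.passed or not latest.evidence:
        return NON_COMPLIANT
    return COMPLIANT


def requirement_status(controls, today: date) -> dict:
    """Roll control status up to requirements: one failing control fails
    every requirement mapped to it; otherwise the requirement is compliant."""
    result = {}
    for control in controls:
        failing = control_status(control, today) in (MISSING_AUDIT, NON_COMPLIANT)
        for req in control.requirements:
            if failing:
                result[req] = NON_COMPLIANT
            else:
                result.setdefault(req, COMPLIANT)
    return result


# --- constructed sample data -------------------------------------------------
TODAY = date(2019, 9, 1)  # the "current date" for this example

firewall_review = Control(
    name="Firewall Review", period_days=182,
    audits=schedule_audits(date(2019, 1, 15), 182, TODAY),  # Jan 15 and Jul 16
    requirements=("PCI-DSS 1.1.7",),
)
# First audit done on time with evidence; the July one was never completed.
firewall_review.audits[0].completed = date(2019, 1, 10)
firewall_review.audits[0].passed = True
firewall_review.audits[0].evidence = ("fw-ruleset-review-2019-01.pdf",)

# Hypothetical second control mapped to a hypothetical internal requirement.
access_review = Control(
    name="Quarterly Access Review", period_days=91,
    audits=[Audit(date(2019, 7, 1), completed=date(2019, 6, 28), passed=True,
                  evidence=("access-review-2019Q2.xlsx",))],
    requirements=("INT-01",),
)

if __name__ == "__main__":
    for c in (firewall_review, access_review):
        print(f"{c.name}: {control_status(c, TODAY)}")
    print(requirement_status([firewall_review, access_review], TODAY))
```

Running it reports the Firewall Review as a missing audit and PCI-DSS 1.1.7 as non-compliant, while the hypothetical INT-01 stays compliant; moving `TODAY` back to March 2019, before the second audit came due, reports the control as compliant.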
Business Continuity Plan
Designed to track your company’s BCP/DR plan at a high level. Eramba lets you specify the objectives and initiation criteria of your BCP/DR plan and define responsibilities, but the real objective here is establishing audit criteria and an audit schedule for testing your plan.
Again, just like security controls, you can map your BCP/DR plan to its authoritative documentation, identified risks, and compliance requirements, which provides a holistic view of GRC. You can also perform a business impact analysis on the business unit processes defined under your organization as part of risk management. We will discuss that later.
Support Contracts
Designed to keep track of vendor agreements and service level agreements with third parties, customers, and business units. You can map contracts to security controls to keep budgets clear, and you receive warnings when a contract is set to expire or is up for review. Another way to use this section is to manage and track multiple SSL/TLS certificates so that they don’t expire unnoticed.
Risk Management
This module allows organizations to manage asset, vendor, and business process risk. The key to using this module is first identifying asset classes, including data assets, and any business processes that pose a risk to your organization. Optionally, you can import all of your security controls first so that you have treatment options available during your risk analysis.
Depending on which treatment option you select, Eramba enforces specific mandatory fields (e.g., a decision to accept a risk requires a risk exception). You can remove these mandatory requirements if your goal is to build a risk register first and decide on treatment and corrective actions later. Many regulatory and industry standards require a risk assessment to be performed first, with risk remediation then prioritized through established corrective action plans or projects. This makes sense, since controls are meant to mitigate risk; a control that cannot be tied to a risk (or to a compliance requirement) is hard to justify.
Eramba provides a few ways of calculating risk scores. Eramba assumes you’ll be using a qualitative approach to assessing risk. There are ways to produce quantitative data outside of Eramba and then input that data into the tool; however, we will focus on the qualitative options provided.
Eramba defaults to the “Eramba” method, which takes into consideration the risk classification and the liabilities associated with each asset, third party, or business process. Assets can also have classifications (e.g., scoring the effect on Confidentiality, Integrity, and Availability); however, only the Magerit method takes asset classification into account.
First, you must establish your risk classification (e.g., likelihood and impact scores) before you can apply any calculations to a risk. The Eramba method then sums the risk classification scores and the liability scores you optionally attached to your assets, third parties, or business processes.
Let’s illustrate this, I have established a risk associated with the unauthorized disclosure of protected health information and scored the likelihood as a medium (2) and the impact as high (3). This will give me a risk score of five (5). However, I have also added a third party liability of having to comply with HIPAA and added a risk magnifier of one (1). I also have the information asset electronic protected health information (ePHI) that is associated with the same HIPAA liability which now increases my risk magnifier to two (2). We now have an overall risk score of (2+3)+(1+1) = 7. Eramba also gives you the option to calculate the product instead of the sum.
Next, you will need to establish your risk appetite, and Eramba gives you two ways of doing so. The first method uses an integer: you compare the residual risk score that remains after treatment, obtained by applying a subjective percentage of risk reduction to the inherent score, against an appetite value.
Let’s use the prior example to illustrate. I have a risk score of seven (7), and I have established a risk appetite of five (5), which is the amount of risk I’m willing to accept. If I apply as treatment the documents of a data classification policy and media handling procedures that provide governance and standards around handling ePHI, I could say that my overall risk score was decreased by 10%, which leaves me with a residual score of 6.3. This score is still over my appetite, so Eramba will report this risk as being over appetite.
Let’s say I also apply the security controls of encrypting ePHI at rest (disk encryption) and in transit (email encryption). We could now increase the percentage of risk reduction to 40%, which gives us a residual score of 4.2. This risk is no longer above our appetite, and Eramba also sets a review date to ensure the analysis and treatment are still relevant.
The second method is using a threshold. Anyone who’s ever been involved in a risk assessment has come across a risk heat map or matrix. These graphical representations of likelihood and impact help executive management quickly see where their highest risks are to aid in decision making. Eramba provides a threshold method that assigns risk scores and colors based on the risk classification combination (e.g., likelihood and impact).
Again, taking the earlier example, I would assign a score of High to the combination of a likelihood of Medium and an impact of High, with a color code of red. Instead of building the entire heat map with individual thresholds, I could simply create the thresholds I want to track as being above my risk appetite and leave the other combinations at a default “Acceptable Risk Score.” You can customize thresholds to fit your organization’s needs.
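The two appetite methods described above, carried through on the ePHI example in Python. This is an added example written for this article, not Eramba’s code: the data model, the way liabilities are counted as a magnifier, rounding of the residual score, the three-level Low/Medium/High scale, and the threshold table are assumptions chosen to reproduce the numbers in the text ((2+3)+(1+1) = 7, 6.3 after a 10% reduction, 4.2 after 40%). It also adds a simple likelihood-by-impact heat map over a small constructed register, which the text describes but does not work through:

```python
"""Eramba-style qualitative risk scoring: sum method, appetite check,
threshold (heat map) method. Added example for this article, not Eramba's code."""
from dataclasses import dataclass, replace

ACCEPTABLE = "Acceptable Risk Score"   # default label for unlisted combinations
LABELS = {1: "Low", 2: "Medium", 3: "High"}  # assumed 3-level scale


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int            # 1..3
    impact: int                # 1..3
    liabilities: tuple = ()    # liabilities reached via the risk, its assets, third parties
    treatments: tuple = ()     # policies / controls applied
    reduction_pct: float = 0   # subjective % reduction attributed to the treatments


def classification_score(r: Risk) -> int:
    """Sum of the risk classification values (the text's "(2+3)")."""
    return r.likelihood + r.impact


def magnifier(r: Risk) -> int:
    """One point per attached liability (the text's "(1+1)")."""
    return len(r.liabilities)


def inherent_score(r: Risk) -> int:
    """Eramba sum method, as described: classification plus liability magnifier."""
    return classification_score(r) + magnifier(r)


def residual_score(r: Risk) -> float:
    """Score left after treatment; rounded to two decimals (assumption)."""
    return round(inherent_score(r) * (1 - r.reduction_pct / 100), 2)


def over_appetite(r: Risk, appetite: float) -> bool:
    """Integer appetite method: residual must not exceed the appetite value."""
    return residual_score(r) > appetite


# Threshold method: only the combinations tracked as above appetite are listed;
# everything else falls back to ACCEPTABLE. Constructed for this example.
THRESHOLDS = {
    ("Medium", "High"): ("High", "red"),
    ("High", "Medium"): ("High", "red"),
    ("High", "High"): ("High", "red"),
    ("Medium", "Medium"): ("Medium", "amber"),
}


def threshold(r: Risk) -> tuple:
    """(score label, color) for the risk's likelihood/impact combination."""
    key = (LABELS[r.likelihood], LABELS[r.impact])
    return THRESHOLDS.get(key, (ACCEPTABLE, "green"))


def heat_map(risks) -> dict:
    """Map each (likelihood, impact) cell to the names of the risks in it."""
    cells = {}
    for r in risks:
        cells.setdefault((LABELS[r.likelihood], LABELS[r.impact]), []).append(r.name)
    return cells


def register_report(risks, appetite: float) -> list:
    """One summary row per risk, combining both appetite methods."""
    return [
        {"risk": r.name, "inherent": inherent_score(r), "residual": residual_score(r),
         "over_appetite": over_appetite(r, appetite), "threshold": threshold(r)[0]}
        for r in risks
    ]


# --- constructed register ----------------------------------------------------
APPETITE = 5
phi_disclosure = Risk(
    name="Unauthorized disclosure of ePHI", likelihood=2, impact=3,
    liabilities=("HIPAA via third party", "HIPAA via ePHI asset"),
    treatments=("Data classification policy", "Media handling procedure"),
    reduction_pct=10,
)
# Same risk after adding encryption controls to the treatment set.
phi_disclosure_encrypted = replace(
    phi_disclosure,
    treatments=phi_disclosure.treatments + ("Disk encryption", "Email encryption"),
    reduction_pct=40,
)
lost_badge = Risk(name="Lost visitor badge", likelihood=1, impact=1)

if __name__ == "__main__":
    for row in register_report([phi_disclosure, phi_disclosure_encrypted, lost_badge], APPETITE):
        print(row)
    print(heat_map([phi_disclosure, lost_badge]))
```

The design choice worth noting is that the two methods disagree on purpose: the threshold method looks only at the inherent likelihood/impact cell, so the encrypted ePHI risk is still reported as “High/red” by the heat map even though its residual score of 4.2 is within the integer appetite of 5. Which view you present to management depends on whether you want inherent or residual risk to drive the conversation.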
Eramba lets you customize the tool to the risk methodology adopted by your organization. There are many different risk assessment methodologies, and each has slightly different nuances. NIST, ISO, and ISACA all provide guidance on performing a risk assessment and on the information needed to fully understand a risk.
Recently, I have been building an Eramba risk register using the COBIT risk methodology. COBIT tracks additional items such as Actor and Time to build a full understanding of the threat vector and the impact on the business. Eramba allows these items to be tracked by creating custom tabs and fields, which lets organizations adopt methodologies that fit their business environment.
Compliance Management
Laws and regulations are constantly changing. It can be hard for organizations to keep up, but Eramba eases the burden by maintaining all of your compliance requirements in one easy-to-manage module.
Eramba allows organizations to create custom compliance packages for whatever framework, standard, or regulation affects your organization. Using the downloadable template, you can create custom compliance packages, or you can use the preconfigured packages available on Eramba’s support site (e.g., PCI, HIPAA). Once you’ve identified your compliance portfolio, you can perform an analysis of each requirement to determine whether you’re in compliance.
The analysis section gives you the ability to map risks, policies, controls, exceptions, and projects to each compliance requirement and to identify an owner. When gaps are discovered during this process, Eramba helps organizations track deficiencies by logging them as findings. In many cases a finding applies to multiple requirements, so Eramba provides a one-to-many relationship to map a finding to multiple requirements.
Using the same process and methodology as for assessing internal compliance requirements, you can assess your vendors. By creating a custom questionnaire for your vendors, you can track their security posture and identify the risk of doing business with a particular vendor.
Security Operations
Finally, we will discuss the security operations module, which helps organizations track the completion of security awareness campaigns, projects related to mitigating deficiencies, and security incidents.
Security Awareness
Eramba isn’t a replacement for an enterprise Learning Management System (LMS), but for those of us on a budget, it’s a great solution for creating and tracking regular awareness programs. Eramba gives you the option of using videos, text, or HTML to create awareness content. Using a CSV file, you can create multiple choice questions to test your users’ comprehension after they review the content.
Eramba tracks completion and has a configurable completion-percentage threshold to ensure you’re meeting your target goals.
Projects
This is a simple project management module that allows you to create timelines, assign tasks, and track them to completion. The purpose of this module is to define and manage corrective action projects across your GRC program. Once defined, projects can be mapped to compliance requirements, risks, controls, and exceptions. If you already have a project management solution, you can enable API access to this module in order to pull information from your source of truth.
Incidents
Most service management tools already offer workflows for tracking security incidents, but wouldn’t it be nice to have that information correlate with your risk register? Eramba gives you the ability to define your incident response life cycle and track the completion of each step. Again, this is at a high level, but the intent is to have real data on realized risk that can move your qualitative risk assessment toward a quantitative one.
Companies looking to create their security program from scratch using Eramba, or any GRC solution, may find it difficult to jump straight into the tool and start building. Practice development takes time and input from all affected people, process, and technology. Dryve specializes in helping companies define their program scope, improve the visibility of risk while gaining a real-time understanding of compliance status against their unique needs, and establish the controls and processes to address critical issues. We’ll help you leverage Eramba to streamline and automate your GRC processes, enable risk-based decisions to meet business needs, and reduce the cost of managing GRC while improving effectiveness and value.