SimpleRisk is an enterprise-grade tool that can be used for all of your Governance, Risk Management and Compliance needs. It boasts functionality that is comprehensive enough to be utilized by some of the largest organizations on the planet while presenting a user interface that is so simple and intuitive it can be used by the least technical people in your organization. Our SimpleRisk Core can be downloaded for free from our website, installed in minutes, and provides all of the capabilities that you need when first launching your GRC program. As your organization grows and matures its processes, our SimpleRisk Extras are licensed modules that provide enhanced functionality on par with competitors that cost orders of magnitude more and require months of professional services to install and configure. There's no need to waste all of that time and money when you can be up and running with SimpleRisk today.
What is Enterprise Governance?
Enterprise governance activities are designed to ensure that the information that reaches your executive team is complete, accurate and timely. When done effectively, these activities enable appropriate management decision making and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively. Enterprise governance encompasses all of the regulatory requirements that apply to your organization. For example, if your organization processes credit cards, you are required to adhere to the requirements of the Payment Card Industry Data Security Standard (PCI DSS). Or if your organization handles the medical records of patients in the United States, you are required to adhere to the requirements of the Health Insurance Portability and Accountability Act (HIPAA). Enterprise governance also includes all of the internally defined standards your organization needs to adhere to in order to meet management and customer expectations. This could include compliance with standards like the NIST Cybersecurity Framework (CSF), ISO 27001, or the AICPA SOC 2 Trust Services Criteria (TSC). Utilizing a GRC tool like SimpleRisk brings a structured approach to how you manage governance in your organization.
Common Frameworks and Controls
A critical part of every GRC program is managing the frameworks that you are required to adhere to and all of the associated controls. SimpleRisk speaks with a lot of different organizations, and we commonly find that they fall into one of the following categories:
- Healthcare: Healthcare organizations are typically required to comply with HIPAA based on their possession of Personal Health Information (PHI). We've seen a number of them look towards proprietary frameworks like HITRUST to help them demonstrate compliance. Additionally, many healthcare organizations process credit cards and are, therefore, subject to PCI DSS.
- Government: Government organizations are typically required to comply with various NIST requirements. These include the NIST Cybersecurity Framework (CSF) as well as frameworks like the NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations.
- Public Utilities: Some public utility organizations are run by their local governments and are subject to similar requirements as outlined above. We also frequently work with utility organizations in this space that are required to comply with the North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP) requirements.
- Education: Education organizations include both K-12 and higher education institutions like universities. These organizations typically hold a lot of Personally Identifiable Information (PII) on their students, faculty, and staff. While there are some local requirements on PII like the General Data Protection Regulation (GDPR) or California S.B. 1386, we typically see these organizations opting for broader compliance frameworks like the NIST Cybersecurity Framework (CSF) or ISO 27001.
- Technology: Technology organizations are typically looking to adopt broader compliance frameworks like ISO 27001 or the NIST Cybersecurity Framework (CSF). Many will also be subject to compliance with the General Data Protection Regulation (GDPR) if they are doing business in the European Union (EU) and compliance with PCI DSS if they process customer credit cards. Where these organizations are directly servicing customers, we also frequently see requirements for third-party attestations of compliance that are typically based on the AICPA SOC 2 Trust Services Criteria (TSC).
- Non-Profits: Non-profit organizations typically don't have many regulatory requirements. While some may take credit cards and are subject to compliance with PCI DSS, most are typically looking to adopt broader compliance frameworks like ISO 27001 or the NIST Cybersecurity Framework (CSF).
Managing Frameworks and Controls
The reality is that it doesn't really matter which requirements your organization needs to adhere to; SimpleRisk can easily manage all of your frameworks. Simply click on "Governance" and, under the "Define Control Frameworks" menu, you will see a list of all of your frameworks.
Now, click on the "Controls" tab and you'll see a list of all of your controls along with the ability to filter them by framework, family, owner, and more.
Commonly, customers will want to associate multiple framework names with a single control and SimpleRisk handles this scenario as well.
Adding Frameworks and Controls
There are essentially three different ways to add frameworks and controls into SimpleRisk. The first, and least common, is to manually add them. By clicking the plus button shown in the images above, a new form will be displayed allowing you to manually create new frameworks and enter all of the values we track for a control. That said, nobody wants to spend hours manually entering their controls so we typically advise customers to skip past this option and look at one of the other two.
The second option is to register your SimpleRisk instance and download the ComplianceForge Secure Control Framework (SCF) Extra. This free SimpleRisk Extra currently contains 874 security and privacy controls that have been expertly mapped across 148 different frameworks. The SCF is what's referred to as a Common Control Framework: a superset of security- and privacy-oriented controls that ComplianceForge created and then analyzed against other frameworks in order to map where they overlap. While the language isn't exactly the same as it is in the source framework's control, it's usually pretty close. There are two major advantages to this approach:
- Adding new frameworks is just a matter of selecting another one of the 148 frameworks currently supported by the ComplianceForge SCF.
- Because you are using common controls, you have the advantage of being able to test one control to cover all of the associated frameworks.
Sometimes, auditors can be particular about the controls that your organization is using. If the language isn't specific to the requirements, they will consider that a failure of the control, even if you meet the spirit of the requirement. This leads us to our third option. One of our licensed Extras, called Import-Export, enables you to import a CSV file full of controls (among other things) by simply mapping the columns in your spreadsheet to the fields in SimpleRisk. We've even created a number of these CSV files for you to make this import process as simple as possible.
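The two ideas in this section, a column-mapped CSV import of controls and the common-control advantage of testing one control to satisfy every framework it maps to, are illustrated below in an added example. This is not SimpleRisk's or ComplianceForge's code, and the spreadsheet headings, field names, control IDs, framework names and requirement numbers are constructed placeholders rather than SCF or SimpleRisk data. The import rejects rows that lack a required field instead of silently dropping them, so a bad column mapping is visible at import time.

```python
"""Added example (not SimpleRisk's own code): import controls from a CSV using
a heading-to-field column mapping, then compute which framework requirements a
set of tested common controls satisfies.  All IDs, names and columns below are
constructed placeholders, not SCF or SimpleRisk data.
"""
import csv
import io
from collections import defaultdict

# Constructed spreadsheet export: the column headings are the customer's own.
SAMPLE_CSV = """Control ID,Control Name,Control Owner,Mapped Frameworks
CC-01,Enforce multi-factor authentication,IT Security,Framework A 3.1; Framework B 8.2
CC-02,Rotate service account credentials,IT Operations,Framework A 3.5; Framework C 4.1
CC-03,Maintain written information security policy,CISO,Framework B 1.1; Framework C 1.2; Framework A 1.1
"""

# Column mapping chosen at import time: spreadsheet heading -> target field
# (field names are hypothetical, not SimpleRisk's schema).
COLUMN_MAP = {
    "Control ID": "short_name",
    "Control Name": "long_name",
    "Control Owner": "owner",
    "Mapped Frameworks": "framework_refs",
}

REQUIRED_FIELDS = ("short_name", "long_name")


def import_controls(csv_text, column_map=COLUMN_MAP):
    """Parse CSV text into control dicts using the column mapping.

    Returns (controls, errors).  Rows missing a required field are reported
    as (line_number, missing_fields) rather than silently dropped.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in column_map if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"CSV lacks mapped columns: {missing}")
    controls, errors = [], []
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        control = {field: (row.get(col) or "").strip() for col, field in column_map.items()}
        # "Framework X 1.2; Framework Y 3.4" -> {"Framework X": ["1.2"], "Framework Y": ["3.4"]}
        refs = defaultdict(list)
        for ref in filter(None, (r.strip() for r in control.pop("framework_refs", "").split(";"))):
            framework, _, requirement = ref.rpartition(" ")
            refs[framework].append(requirement)
        control["frameworks"] = dict(refs)
        absent = [f for f in REQUIRED_FIELDS if not control.get(f)]
        if absent:
            errors.append((line_no, absent))
            continue
        controls.append(control)
    return controls, errors


def framework_coverage(controls, tested_ok):
    """Per framework, which requirements are satisfied by tested controls.

    A common control that passed testing satisfies every requirement it maps
    to, which is the benefit of a common control framework described above.
    """
    coverage = defaultdict(lambda: {"satisfied": set(), "unsatisfied": set()})
    for control in controls:
        bucket = "satisfied" if control["short_name"] in tested_ok else "unsatisfied"
        for framework, requirements in control["frameworks"].items():
            coverage[framework][bucket].update(requirements)
    return {fw: {k: sorted(v) for k, v in buckets.items()} for fw, buckets in coverage.items()}


if __name__ == "__main__":
    imported, rejected = import_controls(SAMPLE_CSV)
    print(f"imported {len(imported)} controls, rejected {len(rejected)} rows")
    # Testing CC-01 and CC-03 once covers requirements in all three frameworks.
    for fw, result in sorted(framework_coverage(imported, {"CC-01", "CC-03"}).items()):
        print(fw, result)
```

Run it as a script to see the coverage table; testing two of the three constructed controls already satisfies requirements in all three placeholder frameworks, while the untested control's requirements show up as unsatisfied per framework, which is the list an auditor would want to see.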
Tracking Your Governance Documentation
Regardless of which industry your organization falls into or which frameworks you adhere to, you will undoubtedly need a single repository to store all of your policies, guidelines, standards, and procedures. In fact, many of the current security control frameworks, like PCI DSS and HIPAA, have requirements to ensure that your policies have been documented and are accessible to your employees. SimpleRisk has you covered here: select the "Governance" menu followed by "Document Program". By default, you will see a hierarchical list of all of your program's documentation. By clicking on any of the tabs for Policies, Guidelines, Standards, or Procedures, you can see both past and present versions of these documents. If you click the plus button, you can add your documentation, link it to various frameworks and controls, and set the status, owners, approvers, and review configurations. Another one of our licensed Extras, called Email Notification, will check daily for documentation coming due for a review and automatically send out emails to your defined stakeholders to let them know that it's time for another review.
Defining Exceptions to Policies and Controls
Life would be so simple if every person, system, application, or process explicitly followed all of our policies and controls. Unfortunately, we know from experience that there will always be situations where compliance is completely outside of our control. We need to analyze the risk and determine whether it is something that we can accept or if we need to take action to reduce the risk. If we determine that risk reduction is necessary, then we track the risk and work required using our standard risk management processes. If, however, we determine that this exception is something that we can accept, we still need to track our authorization and justification for that decision and ensure that it continues to be re-reviewed on a regular basis.
As an example, almost every organization out there has a documented Password Policy. While NIST's guidance has recently changed with respect to password rotation, many Password Policies still reflect a requirement to change passwords every 90 days, and this is likely still a good idea for your organization's service accounts. Inevitably, however, there will be applications within your organization that cannot rotate their passwords every 90 days. Oftentimes these applications support production systems with significant uptime requirements, and downtime is required to change the passwords. As a result, the business has decided to only have their passwords changed as part of a major release or upgrade, and that process happens only once or twice a year. In that situation, you have a choice to make. Do you go against the needs of the business and incur additional downtime to rotate a password that hasn't been compromised? Or do you document this situation as an exception to your stated policy and change the password the next time there is an acceptable window of downtime to make the change?
This situation is typically exacerbated where third-party external auditors are involved in ensuring the effectiveness of your controls. These auditors will typically ask for a copy of your stated policies and then evaluate your systems against them to find places where your controls are failing. If you are unable to provide a sufficient justification as to why, these will end up being highlighted as control deficiencies that may be brought to your executive management team or Board of Directors. If you've documented these policy and control exceptions, however, you simply point the auditors at them. Now, you've been able to prove that 1) you were already aware of this exception to your policy, 2) why you believe this exception was justified, 3) the decision was approved by management and 4) the decision will be reviewed again in the future to make sure the situation hasn't changed. This documentation is typically enough for an auditor to accept it and move on to other issues.
In SimpleRisk, we can track all of your policy and control exceptions by clicking on "Governance" followed by "Define Exceptions". When an exception is first reported by clicking the plus button, it will go into the "Unapproved Exceptions" tab until a user with the "Able to Approve Exceptions" permission in SimpleRisk determines that the exception has been approved. Once approved, the "Policy Exceptions" and "Control Exceptions" tabs will provide you with a list of all of your approved exceptions along with the policy or control they are linked to, the justification, and next review date. You can click on the exception to view even more details about it. These exceptions integrate with our Email Notification functionality to check daily for exceptions coming due for a review and will automatically send out emails to your defined stakeholders to let them know that it's time for another review.
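The exception workflow described above (an exception starts unapproved, only a user holding the approval permission can approve it, the approved record carries its linked policy or control, justification and next review date, and a daily check picks out exceptions coming due for review) is modelled below in an added example. This is not SimpleRisk's code; the class, the permission string `approve_exceptions`, the review cadence and the sample records are all constructed placeholders. The same daily due-for-review check is what the Email Notification Extra performs for governance documentation in the earlier section, so the `due_for_review` function stands for both.

```python
"""Added example (not SimpleRisk's own code): a minimal model of the policy and
control exception lifecycle.  Permission names, dates and records are
constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

APPROVE_PERMISSION = "approve_exceptions"  # hypothetical permission name


class PermissionDenied(Exception):
    """Raised when a user without the approval permission tries to approve."""


@dataclass
class ExceptionRecord:
    name: str
    kind: str                 # "policy" or "control"
    linked_to: str            # the policy or control the exception applies to
    justification: str
    review_frequency_days: int
    approved: bool = False
    approver: Optional[str] = None
    next_review: Optional[date] = None
    history: List[tuple] = field(default_factory=list)  # audit trail: (date, user, action)


def approve(record: ExceptionRecord, user: str, permissions: Dict[str, Set[str]], today: date):
    """Approve an exception; denied attempts are still written to the audit trail."""
    if APPROVE_PERMISSION not in permissions.get(user, set()):
        record.history.append((today, user, "approval denied"))
        raise PermissionDenied(f"{user} lacks {APPROVE_PERMISSION}")
    if not record.justification.strip():
        raise ValueError("an exception needs a documented justification before approval")
    record.approved = True
    record.approver = user
    record.next_review = today + timedelta(days=record.review_frequency_days)
    record.history.append((today, user, "approved"))
    return record


def mark_reviewed(record: ExceptionRecord, user: str, permissions: Dict[str, Set[str]], today: date):
    """Record a periodic re-review and schedule the next one."""
    if APPROVE_PERMISSION not in permissions.get(user, set()):
        raise PermissionDenied(f"{user} lacks {APPROVE_PERMISSION}")
    if not record.approved:
        raise ValueError("only approved exceptions are re-reviewed")
    record.next_review = today + timedelta(days=record.review_frequency_days)
    record.history.append((today, user, "reviewed"))
    return record


def tabs(records: List[ExceptionRecord]) -> Dict[str, List[str]]:
    """Group records the way the three tabs described above do."""
    return {
        "Unapproved Exceptions": [r.name for r in records if not r.approved],
        "Policy Exceptions": [r.name for r in records if r.approved and r.kind == "policy"],
        "Control Exceptions": [r.name for r in records if r.approved and r.kind == "control"],
    }


def due_for_review(records: List[ExceptionRecord], today: date, notice_days: int = 7) -> List[str]:
    """Daily check: approved exceptions whose next review falls within notice_days or is overdue."""
    cutoff = today + timedelta(days=notice_days)
    return sorted(r.name for r in records
                  if r.approved and r.next_review is not None and r.next_review <= cutoff)


if __name__ == "__main__":
    perms = {"alice": {APPROVE_PERMISSION}, "bob": set()}  # constructed users
    rec = ExceptionRecord("legacy-app-password-rotation", "policy", "Password Policy",
                          "Rotation requires downtime; rotated at each major release", 90)
    print(tabs([rec]))
    try:
        approve(rec, "bob", perms, date(2024, 1, 10))
    except PermissionDenied as exc:
        print("denied:", exc)
    approve(rec, "alice", perms, date(2024, 1, 10))
    print(tabs([rec]), "next review", rec.next_review)
    print("due on 2024-04-02:", due_for_review([rec], date(2024, 4, 2)))
    print("audit trail:", rec.history)
```

The audit trail on each record is the point an auditor cares about: it shows who approved the exception, when, and that the denied attempt by a user without the permission was recorded rather than silently ignored.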
SimpleRisk was built by a security professional with a decade of experience running the Information Security Program for a large, publicly traded, global enterprise. He realized that it was critically important for an auditor to be able to look at the data contained in SimpleRisk and trust that it has not been modified. For that reason, all activities that take place within the tool are logged and an audit trail is maintained. At any point in time, an auditor can go back and establish what has been done, who did it, and when.
SimpleRisk was designed from the ground up to be as simple and intuitive as possible in order to enable users of varying skill levels to be effective in using it. Over the years, SimpleRisk has evolved into a comprehensive GRC platform encompassing all of the Governance, Risk Management, and Compliance needs of organizations, regardless of their size or industry, while retaining its underlying simplicity. Most of the features discussed here are available in the free SimpleRisk Core, but even the licensed functionality can be obtained for a fraction of the cost of other GRC tools. We would welcome the opportunity to join you on your GRC journey and would encourage you to schedule a call with our team, where we can discuss your requirements and demonstrate, firsthand, how SimpleRisk can help you accomplish your goals.