Detection, Response & GRC
Compliance & GRC Frameworks
GRC (Governance, Risk, Compliance) knowledge is essential for security leadership roles. This lesson covers major frameworks and audit preparation.
Major Compliance Frameworks
Framework Comparison
| Framework | Focus | Who Needs It |
|---|---|---|
| SOC 2 | Service organization controls | SaaS vendors, cloud providers |
| ISO 27001 | Information security management | Global organizations |
| PCI DSS | Payment card data | Anyone processing cards |
| HIPAA | Healthcare information | Healthcare providers, associates |
| GDPR | Personal data (EU) | Anyone handling EU citizen data |
| NIST CSF 2.0 | Cybersecurity framework | US federal, critical infrastructure |
SOC 2 Deep Dive
SOC 2 evaluates controls against Trust Service Criteria:
| Criteria | Description | Common Controls |
|---|---|---|
| Security | Protection against unauthorized access | Firewalls, MFA, encryption |
| Availability | System uptime and performance | Monitoring, DR, SLAs |
| Processing Integrity | Accurate, timely processing | QA, change management |
| Confidentiality | Protection of confidential info | Encryption, access controls |
| Privacy | Personal information handling | Consent, data minimization |
Interview Question
Q: "What's the difference between SOC 2 Type 1 and Type 2?"
Answer:
- Type 1: Point-in-time assessment - Are controls designed properly?
- Type 2: Period assessment (6-12 months) - Are controls operating effectively?
Type 2 is more valuable because it demonstrates sustained compliance, not just a snapshot.
NIST Cybersecurity Framework 2.0
Released in February 2024, NIST CSF 2.0 is widely treated as the gold standard:
The Six Functions
```text
┌─────────────────────────────────────────────────────────────┐
│                        NIST CSF 2.0                         │
│                                                             │
│  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐         │
│  │ GOVERN  │  │IDENTIFY │  │ PROTECT │  │ DETECT  │         │
│  │ (NEW)   │  │         │  │         │  │         │         │
│  └─────────┘  └─────────┘  └─────────┘  └─────────┘         │
│                                                             │
│  ┌─────────┐  ┌─────────┐                                   │
│  │ RESPOND │  │ RECOVER │                                   │
│  │         │  │         │                                   │
│  └─────────┘  └─────────┘                                   │
└─────────────────────────────────────────────────────────────┘
```
GOVERN (New in 2.0):
- Establishes organizational context
- Integrates cybersecurity with enterprise risk
- Sets accountability and oversight
CSF Maturity Levels
| Tier | Description | Characteristics |
|---|---|---|
| Tier 1: Partial | Ad-hoc, reactive | No formal program |
| Tier 2: Risk Informed | Some awareness | Risk not enterprise-wide |
| Tier 3: Repeatable | Formal, approved | Policies in place |
| Tier 4: Adaptive | Continuous improvement | Lessons learned applied |
PCI DSS 4.0
The 12 Requirements
| # | Requirement | Key Controls |
|---|---|---|
| 1 | Install and maintain network security controls | Firewall configuration |
| 2 | Apply secure configurations | Remove defaults |
| 3 | Protect stored account data | Encryption, key management |
| 4 | Protect cardholder data in transit | TLS 1.2+ |
| 5 | Protect against malicious software | Anti-malware |
| 6 | Develop secure systems | Secure SDLC, patching |
| 7 | Restrict access | Need-to-know basis |
| 8 | Identify users and authenticate | MFA, strong passwords |
| 9 | Restrict physical access | Physical security |
| 10 | Log and monitor access | Audit trails |
| 11 | Test security regularly | Pen testing, scanning |
| 12 | Support security with policies | Governance |
GDPR Key Concepts
Data Subject Rights
| Right | Description | Response Time |
|---|---|---|
| Access | Get copy of personal data | 30 days |
| Rectification | Correct inaccurate data | 30 days |
| Erasure | "Right to be forgotten" | 30 days |
| Portability | Receive data in portable format | 30 days |
| Object | Stop processing for marketing | 30 days |
Key Roles
| Role | Responsibility |
|---|---|
| Data Controller | Determines purpose of processing |
| Data Processor | Processes on behalf of controller |
| DPO | Data Protection Officer - oversees compliance |
Interview Question
Q: "A customer requests deletion of their data under GDPR. What do you do?"
Answer:
1. VERIFY REQUEST
└── Confirm identity of requester
└── Check if request is valid (some exceptions apply)
2. SCOPE DATA
└── Identify all systems containing their data
└── Include backups, logs, third-party systems
3. EXECUTE DELETION
└── Delete or anonymize data
└── Document what was deleted, when, by whom
4. HANDLE EXCEPTIONS
└── Legal holds - cannot delete
└── Legitimate interest - may keep some
└── Document reasoning for any retained data
5. RESPOND TO CUSTOMER
└── Within 30 days
└── Confirm deletion or explain exceptions
Audit Preparation
Evidence Collection
| Control Area | Evidence Types |
|---|---|
| Access Control | User lists, role assignments, access reviews |
| Change Management | Change tickets, approval workflows |
| Monitoring | Alert configurations, incident logs |
| Training | Completion records, training materials |
| Policies | Documented policies, version history |
Common Audit Findings
| Finding | Prevention |
|---|---|
| Stale user accounts | Quarterly access reviews |
| Missing MFA | Enforce MFA for all users |
| Unpatched systems | Automated patch management |
| Incomplete logging | Log coverage assessment |
| Policy gaps | Annual policy review |
Building a Compliance Program
Compliance Maturity
Level 1: Reactive
└── Respond to audit findings
└── Manual evidence collection
Level 2: Managed
└── Defined processes
└── Regular internal audits
Level 3: Proactive
└── Continuous monitoring
└── Automated compliance checks
Level 4: Optimized
└── Compliance as code
└── Real-time dashboards
└── Predictive gap analysis
Tools for Automation
| Category | Examples |
|---|---|
| GRC Platforms | ServiceNow GRC, OneTrust, Vanta |
| Compliance as Code | Chef InSpec, Open Policy Agent |
| Evidence Collection | Drata, Secureframe |
| Policy Management | PowerDMS, LogicGate |
Interview Tip: When discussing compliance, emphasize that it's a floor, not a ceiling. Compliance ensures minimum standards, but good security often goes beyond what's required by regulations.
Next, we'll cover risk assessment methodologies.