Security GRC Framework

Progress Distribution’s security GRC framework draws on our many years of experience in providing global enterprise security solutions across a broad range of sectors, at both operational and management levels. Our pragmatic approach and methodologies quickly identify key areas of risk and their cost implications, helping achieve fast results and quick wins.

Overview

The principles of Progress Distribution’s security governance, risk and compliance (GRC) framework form a sound basis for measuring an organisation’s maturity against standards such as ISO/IEC 27001, Best Practice Information Security Management System (ISMS), Information Security Forum Standard of Good Practice for Information Security (ISF), Control Objectives for Information and Related Technologies (COBIT), and HMG Security Policy.

The framework includes proven methodologies to embed good security practices within the organisation’s technology, processes, culture and governance structures. Progress Distribution employs it in standard build blueprints for integrating security and data privacy requirements into enterprise architectures. These blueprints cover traditional and cloud infrastructures, cloud-based applications and ‘bring your own device’ environments, as well as operational security for data centre and storage management, incident management, business continuity and disaster recovery.

Progress Distribution staff hold full security clearance to work in public sector environments in the UK.

Core framework deliverables

Scoping and discovery

  • Measure maturity of all security domains within scope of project against appropriate security standards
  • Assess compliance against specific applicable standards, e.g. PCI-DSS
  • Validate assessment findings with samples from ‘live’ documents, processes and tools
  • Deploy appropriate centralised discovery, tracking and reporting tools where these do not already exist
  • Map data flows across the enterprise to identify underlying causes of common security control gaps
  • Compare results with findings from any previous security audits

Gap analysis

  • Prioritise gaps by impact on business and infrastructure: confidentiality, integrity, availability (CIA) and business impact analysis (BIA)
  • Prioritise gaps by cost to remediate

Remediation

  • Policy and standards documentation
  • Transformation of process and tools
  • Resource and deploy specialist staff
  • User education and knowledge transfer
  • Due diligence security review of third party suppliers
  • Establish monitoring and reporting structures and compliance
  • Formalise continuous improvement process

Example output

Company85 GRC framework example output