1 Introduction
Systems implementing Governance, Risk and Compliance (GRC) have successfully made their way into many organizations. Driven by the individual requirements for maintaining security, achieving compliance and providing evidence of well-executed governance, these systems focus on various, and often isolated, aspects of IT, security and the modelled business processes. Many organizations still define and implement their information security and GRC along existing organizational structures, even though the actual goal should be a proactive and comprehensive view of overall cybersecurity resilience.
The term Cyber Risk Governance has recently been coined to describe a holistic view of security, compliance, governance and risk management that reaches beyond the typical organizational silos. Information from existing security solutions and the entire IT infrastructure is aligned through industry standards, frameworks and best practices, as well as through company-specific security guidelines and workflows.
A standard way of defining, measuring and communicating cyber risk is a must if all relevant stakeholders are to be addressed adequately; it is what turns Cyber Risk Governance into a business differentiator and a strategic management instrument. Identifying, executing and communicating adequate, consistent and sustainable decisions requires an in-depth insight into the overall security posture.
Risk Assurance is an important element in implementing such an enterprise-wide governance program. It covers the processes and the organizational structure required to ensure that the overall goals of an organization form the foundation for all business actions, by making sure that IT adequately executes well-defined business processes. Beyond the organizational effort it demands, Cyber Risk Governance is also a technological challenge: there is a strong need for a standards-based platform that provides a single view combining the organization's overall business needs with its information security guidelines, while maintaining risk governance and resilience.