GRC
Governance, Risk Management, and Compliance, abbreviated as GRC, is a service that helps organizations set the direction of their security program and, by creating a structure appropriate to their field of business, aligns security objectives with business strategies.
Information security, usually abbreviated “Infosec”, is the set of practices, policies, and principles that protect digital data and other forms of
information, together with the computer networks that carry them. These practices and policies protect an organization’s networks from internal and external attacks
and threats. Data security is essential for every organization: all hardware and software resources must be secured against unauthorized access, so security
solutions must be taken seriously in order to achieve network and data security.
Information security generally involves a set of business processes that protect the information assets of any organization
or group. Information is constantly being transmitted, processed, or stored, so data is always at risk. An organization
implements information security to protect digital information as part of an overall cyber security program. Information
security is the protection of information and data from unauthorized activities. These activities include unauthorized
access, misuse, disclosure, reading, copying, modifying, and manipulation. Information security in an organization allows
employees to access the data they need and prevents others from accessing it. Therefore, creating data security in an
organization is critical.
Importance of information security in organizations
One of the most critical assets of an organization is its information and data. Therefore, maintaining and protecting
data in the organization is very important. Even a minor security problem may affect every department of an organization.
For this reason, all security holes in the organization should be identified and eliminated. Lack of
information security in an organization can have consequences that include:
• Decrease in the organization’s income
• Increasing costs in the organization
• Loss of reputation of a brand or organization
• Destruction of essential data and information
• Disruption in the current processes of the organization
• Loss of customer trust
The benefits of investing in information security
To maintain their information, organizations must invest in their data security and
develop a security strategy. The benefits of information security in organizations
include:
• Keeping systems and applications running and continuously accessible
• Increasing productivity
• Protecting valuable data
• Protecting intellectual property
GRC introduction (Governance, Risk management, and compliance)
Generally, the deployment of a GRC unit requires changes in the organization’s culture, and an organization of any size can use the GRC structure. Developing a
GRC unit is especially valuable for large organizations with extensive governance, risk management, and compliance requirements and with programs
to meet those requirements. The three basic concepts of a GRC unit in an organization are defined as follows:
Governance: Refers to the proper and conscientious management of an organization by its leaders based on approved business plans and strategies. Governance
is the means by which the organization is led and controlled. In GRC, governance provides direction through process and policy, monitors performance and
controls, and evaluates results.
Risk management: Risk is uncertainty, a potential event that can cause damage, loss, or disruption to the organization in achieving its strategic goals. In GRC, risk
management ensures that the organization identifies, analyzes, and controls risks. It covers identifying, classifying, and evaluating risks and implementing
strategies that minimize them while controlling and improving the organization’s performance.
Compliance: Refers to ensuring that the organization meets, and adheres to, the standards, guidelines, regulations, and business requirements approved by
government agencies and other authorities. In the past, these three activities operated almost separately. In the GRC-based approach, each of the three components
interacts with and supports existing business operations.
If the GRC is appropriately implemented, the following benefits can be considered for the organization:
• Cost reduction
• Improving leadership effectiveness in all aspects of governance
• Increasing awareness of dangers, threats, and vulnerabilities
• Continuous compliance with required standards and regulations
• Protection against adverse internal audits, fines, and lawsuits
• Risk reduction throughout the organization, including business risks, financial risks, operational risks, and security
risks
[Figure: GRC model. Labels: Company Management; Management Reports; Compliance Reports; Objectives; Rules; Risks; Risk Management; Information Security]
1. Reviewing and evaluating compliance with the information security management system
The purpose of reviewing and evaluating compliance with the information security management system is to analyze how well the organization’s performance
and processes conform to reference security standards, such as the ISO/IEC 27000 series, and to technical security frameworks, such as CIS and NIST. In evaluating the
organization’s security against the chosen reference framework, the requirements and standard controls are checked, and worksheets are used to measure
the organization’s maturity in implementing those requirements.
The method is as follows: the people responsible for each part of the standard’s requirements are identified. In interview sessions with each of them, the current state
of the organization with respect to the relevant requirements and controls is checked. The results of the maturity assessment worksheets are then
presented in reports and graphs showing the organization’s maturity in information security.
Type of service: commercial-systemic and technical
The benefits of this service are:
• Protecting organizational information against threats, vulnerabilities, and risks (as far as possible)
• Preparedness to deal with incidents and security risks of the organization’s information
• Creating more confidence for the organization’s stakeholders (managers, employees, customers, etc.) about information security
• Reducing the cost of compensation for deficiencies in security standards
• Identifying, evaluating, and protecting the organization’s critical assets such as the organization’s reputation, key employees, staff knowledge, and information
about the organization
• Ensuring business continuity and reducing harm by securing information and decreasing threats
• Identifying deviations and non-compliances
• Providing appropriate corrective and preventive measures to eliminate identified non-compliances
2. Identify, analyze, and evaluate security risks in information technology
Incorrectly identifying or disregarding security risks not only creates serious problems for companies and organizations but may even threaten
the survival and continuity of their business activities. All organizations must therefore choose strategies to reduce their security risks.
Identifying, evaluating, and managing information security risks is one of the key steps in reducing organizations’ cyber threats, and it increases the readiness
of organizations to face cyber risks. The risk assessment process, the first phase of risk management activities, significantly helps organizations make the right
decision to choose security solutions. Risk assessment answers the following questions:
• If a particular risk occurs in the organization, how much damage will result?
• What is the probability of any risk occurring?
• How much does it cost to control each risk and is it cost-effective?
The results of risk assessment help in choosing the right solutions (that is, countering the main threats) and can also be used in formulating and revising the
organization’s security policies. Risk management is a comprehensive process used to identify, control, and minimize the effects and consequences
of potential events. This process allows managers to strike the right balance between operational and financial costs.
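The three risk assessment questions above (how much damage, how likely, and whether a control pays for itself) can be worked through with the classic single loss expectancy (SLE), annualized rate of occurrence (ARO), and annualized loss expectancy (ALE) figures. The following Python is an added example, not Spara's own code or method; every risk, value and control in it is a constructed illustration, not data from any real organization.

```python
"""Added worked example (not Spara's code): a small quantitative risk
assessment. For each risk it estimates the damage per incident (SLE),
the expected yearly loss (ALE = SLE * ARO), and whether a proposed
control is cost-effective (yearly loss avoided minus control cost).
All names and numbers are constructed illustrations."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # value of the affected asset, in currency units
    exposure_factor: float  # fraction of the asset value lost per incident (0..1)
    aro: float              # annualized rate of occurrence (expected incidents/year)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # yearly cost of operating the control
    aro_reduction: float    # fraction by which the control reduces the ARO (0..1)


def sle(risk: Risk) -> float:
    """Single loss expectancy: damage from one occurrence of the risk."""
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annualized loss expectancy: expected yearly damage = SLE * ARO."""
    return sle(risk) * risk.aro


def control_net_benefit(risk: Risk, control: Control) -> float:
    """Yearly loss avoided by the control minus its yearly cost.
    A positive value means the control is cost-effective for this risk."""
    residual = Risk(risk.name, risk.asset_value, risk.exposure_factor,
                    risk.aro * (1.0 - control.aro_reduction))
    return (ale(risk) - ale(residual)) - control.annual_cost


def prioritize(risks):
    """Rank risks by ALE, highest first: the order in which they should be treated."""
    return sorted(risks, key=ale, reverse=True)


# Constructed sample risk register and candidate controls (illustrative only).
SAMPLE_RISKS = [
    Risk("Ransomware on file server", asset_value=500_000, exposure_factor=0.6, aro=0.2),
    Risk("Phishing leads to mailbox compromise", asset_value=50_000, exposure_factor=0.5, aro=2.0),
    Risk("Loss of laptop with unencrypted data", asset_value=80_000, exposure_factor=0.25, aro=0.5),
]
SAMPLE_CONTROLS = {
    "Ransomware on file server": Control("offline backups + EDR", annual_cost=30_000, aro_reduction=0.75),
    "Phishing leads to mailbox compromise": Control("MFA + awareness training", annual_cost=12_000, aro_reduction=0.8),
    "Loss of laptop with unencrypted data": Control("full-disk encryption", annual_cost=4_000, aro_reduction=0.9),
}


def assessment_report(risks=SAMPLE_RISKS, controls=SAMPLE_CONTROLS):
    """Return (risk name, ALE, control name, net benefit) rows, highest ALE first."""
    rows = []
    for r in prioritize(risks):
        c = controls[r.name]
        rows.append((r.name, round(ale(r), 2), c.name, round(control_net_benefit(r, c), 2)))
    return rows


if __name__ == "__main__":
    for name, yearly_loss, ctrl, net in assessment_report():
        verdict = "cost-effective" if net > 0 else "not cost-effective"
        print(f"{name}: ALE={yearly_loss:,.0f}; {ctrl}: net benefit {net:,.0f} ({verdict})")
```

The ranking by ALE answers the first two questions together (damage times likelihood), and the net benefit answers the third: a control whose yearly cost exceeds the yearly loss it avoids comes out negative and would be rejected or replaced by a cheaper option. In practice the inputs come from the business impact interviews and incident history described on this page; the arithmetic is the easy part.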
Type of service: commercial-systemic and technical
The benefits of this service are:
• Identification of risks in security and technology
• Prioritizing risks and identifying a suitable solution for managing them based on the recognized service chain
• Identifying the service chain and the assets of each chain separately, as well as their connections
• Defining the structure to identify and maintain the configuration and settings of the service chain
3. Security system structuring
Familiarity with current information and communication technology, and the ability to benefit from the facilities and opportunities it offers, is
now necessary and unavoidable. Quick access to information by searching databases without time or geographical
limits, simultaneous viewing of a document by multiple users in different places, sending and receiving information, and the
exchange of text, audio, and video are opportunities that can be used more than ever before. This technology is growing so fast and spreading so easily that it
has entered every part of people’s personal and social lives.
Many government and private departments and institutions, banks, companies, and educational, research, promotion, and information centers use this technology to
perform their duties and missions and offer their services through it. What should not be forgotten is that, along with these opportunities and facilities,
human and natural risks and threats, especially unexpected events, must also be considered. Looking at the news about information and
communication technology, one sees many reports of sabotage against servers, networks, and websites.
Breaking into banking systems, stealing account information, deleting data, and disabling servers are incidents that frequently occur
around the world, and despite the security mechanisms in use they continue to increase. A solution must therefore be defined to counter these risks and threats.
This solution, which focuses on information security services in organizations, includes a wide range of organizational activities, the organization’s products and
capital, and defined processes to prevent unauthorized access to, modification of, and deletion of information. Information security is responsible for protecting network
resources and keeping them intact against incidents and attacks that are largely outside the control of the organization’s information security officer.
The level of risk in this field must be reduced through planning and foresight. To deal with these risks, it is essential to have a clear, written
plan covering prevention, detection, clean-up, and improvement.
Information security rests on three foundations, physical, operational, and managerial, each of
which relates to different parts of information security. The overall information security plan, referred to as the “security
roadmap”, must evaluate the risks in each of these three areas and define strategies and methods to address them. Therefore,
information security objectives form the framework for developing and maintaining a security plan. Achieving these goals
is harder than it seems and requires experts to analyze the organization’s security needs and provide a roadmap for it.
Positioning information security as a department within the organizational structure is one of the most critical issues in structuring
responsibilities in information technology (the security organization) and, at a higher level, in the entire organization. Different
organizations and companies, depending on their size, type, scope of operations, and organizational maturity, adopt
different structures and mechanisms for organizing information security, and these structures are
very diverse.
According to the business strategies and organizational culture in security, the necessary structures in this field are
defined by considering the analysis performed and the identified needs. The primary purpose of creating an information
security structure is to assign a specific custodian for information technology security issues, operations, policies, and
procedures with laws, risk management, and audit.
Type of service: commercial-systemic and technical
The benefits of this service are:
• Definition of security organizational structures
• Alignment of security structures according to business requirements
4. Business continuity in providing services
The business processes in any organization are the most vital processes on which the survival and continuity of an
organization depend. For this reason, one of the challenges of managers is the use of policies and mechanisms that can
guarantee the continuity of the organization’s business. In this regard, standards, and management systems, such as the
information security management system that complies with the ISO/IEC 27001 standard, can be used to maintain and
ensure business continuity.
The importance of business continuity, however, has led to the publication of a separate standard, ISO 22301, for the
Business Continuity Management System (BCMS). Many businesses face a growing number of continuity management frameworks and best
practices, which leaves managers unsure which model is the best and most applicable for their
organization.
The universal framework in this area is the Business Continuity Management System (BCMS) framework, recognized as
the leading framework for business continuity management among thousands of companies and organizations in different
industries. The BCMS framework is implemented in the organization’s operational layer and focuses on how daily tasks are
performed and on continuity within business continuity management. ISO 22301 is one
of the appropriate criteria for measuring an organization’s compliance with the BCMS framework. Based on the current
architecture of the technology services, their components and the location of those components, the threats
and vulnerabilities affecting each element, the organization’s current level of readiness, and its distance from the expected
goals are investigated.
Taking protection as the first step in creating continuity of technology services, the weak and vulnerable points of the services
(single points of failure) are identified and fixed as far as possible. Then the
existing emergency solutions and their effectiveness are measured against the scope defined for continuity of
services and the RTO and RPO limits of each service or information asset, and the gap between the current situation and
the capability the business requires for continuity of services is determined. Service continuity strategies
are then defined and implemented for the organization, covering the expected RTO and RPO level for each service, solutions
for resilience under critical conditions, and the ability to restore services.
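The gap measurement described above, comparing each service's required RTO and RPO with what the current emergency solution actually delivers and flagging single points of failure, can be expressed as a short analysis. The Python below is an added example, not Spara's own code or method; the services, targets and measured capabilities are constructed illustrations.

```python
"""Added worked example (not Spara's code): a minimal RTO/RPO gap analysis.
For each service the business states the recovery time objective (RTO: how
long it may be unavailable) and recovery point objective (RPO: how much data
loss is tolerable). The current capability of the existing emergency solution
is compared against those targets, and services whose capability falls short,
or that still depend on a single point of failure, are flagged for treatment.
All services and numbers are constructed illustrations."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceContinuity:
    name: str
    rto_required_min: int          # business-required RTO, in minutes
    rpo_required_min: int          # business-required RPO, in minutes
    rto_current_min: int           # measured recovery time of the existing solution
    rpo_current_min: int           # effective data-loss window (backup/replication interval)
    single_point_of_failure: bool  # a component whose loss alone takes the service down


def gap(svc: ServiceContinuity) -> dict:
    """Shortfall of the current capability against each target (0 when the target is met)."""
    return {
        "rto_gap_min": max(0, svc.rto_current_min - svc.rto_required_min),
        "rpo_gap_min": max(0, svc.rpo_current_min - svc.rpo_required_min),
        "spof": svc.single_point_of_failure,
    }


def needs_treatment(svc: ServiceContinuity) -> bool:
    """True when any target is missed or a single point of failure remains."""
    g = gap(svc)
    return g["rto_gap_min"] > 0 or g["rpo_gap_min"] > 0 or g["spof"]


def continuity_gap_report(services):
    """Return (name, gap) for services needing treatment, tightest required RTO first."""
    required_rto = {s.name: s.rto_required_min for s in services}
    flagged = [(s.name, gap(s)) for s in services if needs_treatment(s)]
    return sorted(flagged, key=lambda item: required_rto[item[0]])


# Constructed sample services (illustrative values only).
SAMPLE_SERVICES = [
    # Critical service: 4-hour actual recovery against a 30-minute target, hourly backups
    # against a 5-minute RPO, and a single database host.
    ServiceContinuity("Online banking portal", 30, 5, 240, 60, True),
    # Meets its targets: recovers in 2 h against a 4 h RTO, hourly backups against a 1 h RPO.
    ServiceContinuity("Internal e-mail", 240, 60, 120, 60, False),
    # Misses RTO only: 2 days to rebuild against a 1-day target, daily backups are acceptable.
    ServiceContinuity("HR system", 1440, 1440, 2880, 1440, False),
]


if __name__ == "__main__":
    for name, g in continuity_gap_report(SAMPLE_SERVICES):
        print(f"{name}: RTO gap {g['rto_gap_min']} min, RPO gap {g['rpo_gap_min']} min, "
              f"single point of failure: {g['spof']}")
```

The output lists only the services whose current capability is below what the business requires, ordered so the most time-critical service is treated first; this is the input to the strategy step (e.g. replication to close an RPO gap, redundancy to remove a single point of failure) and the baseline the later continuity test is measured against.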
Type of service: commercial-systemic and technical
The benefits of this service are:
• Analysis of the current situation of the organization’s services and their sensitivity and performance effect on the
business (BIA)
• Risk assessment
• Decision-making on business continuity management strategies
• Develop methods and instructions for recovering from the consequences of accidents (Response Plan)
• Developing a business continuity plan test and ensuring its implementation and effectiveness
5. Governance and management of technology services
Nowadays, business processes in organizations are significantly affected by information and communication technology,
which has created new concerns and requirements in information technology service management (internally) and in
customer expectations (externally). These concerns and expectations differ between organizations according to
how widely information technology is used and how much business processes depend on it.
In some organizations, information technology plays a supporting role for business processes. In others,
information technology holds a strategic and competitive position in the organization and the market, so that business processes
can no longer be separated from it. Depending on how far your business depends
on information technology, an information technology service management system (ITSM) can address your needs and
concerns, and its correct deployment brings many benefits, including meeting expectations and creating value for
customers and other stakeholders.
IT service management allows the organization to evaluate events, incidents, problems, risks, and service level agreements
(SLA). Based on the analysis obtained from the output of these processes, the organization can consider its future IT
strategy and plan to achieve business goals. Thus, ITSM structures the life cycle of an organization’s IT services.
Type of service: commercial-systemic and technical
The benefits of this service are:
• Identifying the current conditions and expectations of customers and stakeholders of information technology services
in the organization
• Alignment of information technology with the organization’s strategic business goals
• Planning and targeting in providing information technology services
• Increasing efficiency and effectiveness of IT services
• Determining the roles, responsibilities, and authorities in the management and operational layers of providing
information technology services
• Planning and improving customer relationship processes and communication with IT service providers
• Planning and improving the processes of responding to customers’ requests and problems
• Creating value and increasing the satisfaction of customers, employees, IT managers, and other stakeholders
• Increasing productivity and reducing IT costs
• Improving the level of information technology services
• Improving information security indicators, availability, and continuity of information technology services
• Improving the management of human resources and consumption of information technology services
About Spara
Today cyber risks are a critical threat to organizations worldwide. In the past, organizations tried to secure themselves
solely with the security equipment and software available in the market. But today’s cyberattacks have
a very complex structure, and it is no longer possible to deal with them using traditional methods. To counter
advanced cyber threats, organizations need advanced detection and prevention systems that identify an intrusion in the
shortest possible time.
In this regard, “Spara” company and a group of the best cyber security experts in the country have produced new products,
diverse services, and comprehensive cyber security solutions. “PAM”, “EMS” and “EDR” are the most important products
of Spara. Spara’s security services and solutions also include a wide range of security services such as “Security Operations
Center”, “Penetration Test”, “Threat Hunting”, “Red Team”, “Governance, Risk Management, and Compliance”, “Incident
Response”, “Consulting” and “Training”.
We have been trusted by:
+98(0)21-22275003
www.spara.ir