GRC Masterclass

I took an online Teachable class with Dr. Gerald Auger on how to be a GRC Analyst. I'm actually really glad I took this course. The class is less than 8 hours, but does a great job of helping equip an individual on how to be a GRC Analyst. The title of the class is "GRC Analyst Masterclass".

It’s clear from the get-go that Dr. Auger has the experience necessary to equip individuals to fill this role. And rather than belabor each control in a Cybersecurity Framework, he instead gives practical insights as to what your role should look like if you were to take a position as a GRC Analyst (or Information Security Analyst) and how to do the job.

While I don't intend to try to give you all the material from his class, I do want to give a brief overview of what I learned about the GRC Analyst role. To be honest, I believe the class is more than worth its cost (I got it at $15), so go take the class if you're interested in this role. Even if you're not really into the GRC side of cybersecurity/technology, I believe it's helpful to anyone in this domain to learn about cybersecurity frameworks and how they work.

The GRC Analyst’s (Information Security Analyst’s) Role

The GRC Analyst's role is essentially to be an ally for an organization: to know how to align the company to a cybersecurity framework and to help strengthen the company's security posture. This is done by knowing the cybersecurity framework, its controls, and the company's policies, procedures, and actual practices, so that the analyst can tell whether or not the company has the proper controls in place. To do this, the analyst performs "audits", helps establish a company's current "profile" and "implementation tier", and helps move the company to its desired "profile" and "implementation tier".

If you're not familiar with the NIST Cybersecurity Framework, a lot of my wording in the last paragraph is taken from that framework. This is partially because Dr. Auger really emphasizes how great this framework is, and after taking the class and then going through it, I see why. The framework is simple enough to implement, but complex enough to give a strong structure to an ISMS (Information Security Management System).

Auditing

The first step in auditing an organization against a framework is the prep work and the audit itself. This is essentially the information-gathering stage and includes audit prep, logistical work, the actual audit, and post-audit reconciliation. For any controls that already exist, it is important to fact-check that those controls are really in place and to obtain the evidence for them.


The next step is the analysis. In the analysis step, you go through the framework's controls and evaluate which controls are already in place based on what was found in the audit phase. This usually includes an evaluation of whether each control is fully implemented, partially implemented, or not implemented at all. Risk is evaluated and rated to help the organization recognize how severe the impact on the business would be if a control fails. This can be done with a traditional (comprehensive) model or a modern model (reverse engineering a threat and the likelihood of that threat having an impact on the business). Whichever model is used, the risk is evaluated based on the impact and likelihood of the control not being in place or failing.


Reporting is the final step. This gives a breakdown of what happened during the audit and whether or not the organization is compliant with the chosen framework. It usually opens with a brief executive summary giving a high-level overview of what was found, and then includes the details that provide objective evidence for that conclusion, along with the risk assessments. The reporting step can also include recommended steps to move towards or obtain compliance with the framework.
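To make the three steps above concrete, here is a small Python example, added for this write-up and not taken from the course, that turns audit findings into the analysis and report described: each control is recorded as fully, partially or not implemented, risk for every gap is scored as impact times likelihood on a 5x5 matrix, and a report is rendered with an executive summary followed by the gap register. The rating thresholds, the field layout and the sample findings are all assumptions of this example; the control IDs merely follow the NIST CSF subcategory naming style.

```python
"""Control-gap assessment and report for a framework audit (added example)."""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    """Implementation state recorded for each control during the audit phase."""
    FULL = "fully implemented"
    PARTIAL = "partially implemented"
    NONE = "not implemented"


@dataclass
class Finding:
    control_id: str      # framework control / subcategory identifier
    description: str
    status: Status
    impact: int          # 1 (negligible) .. 5 (severe) if the control fails
    likelihood: int      # 1 (rare) .. 5 (almost certain) that the failure is exploited
    evidence: str        # what the auditor found (or failed to find)


def risk_score(impact: int, likelihood: int) -> int:
    """Impact x likelihood on a 5x5 matrix; both inputs are range-checked."""
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1..5, got {value}")
    return impact * likelihood


def risk_rating(score: int) -> str:
    """Rating bands are an assumption of this example, not a framework rule."""
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Moderate"
    return "Low"


def gap_register(findings):
    """Controls not fully in place, each rated and ordered by risk (highest first)."""
    gaps = []
    for f in findings:
        if f.status is Status.FULL:
            continue
        score = risk_score(f.impact, f.likelihood)
        gaps.append({"control": f.control_id, "status": f.status.value,
                     "score": score, "rating": risk_rating(score),
                     "evidence": f.evidence})
    return sorted(gaps, key=lambda g: g["score"], reverse=True)


def summary(findings):
    """Counts per implementation state plus a simple compliance percentage."""
    counts = {s: 0 for s in Status}
    for f in findings:
        counts[f.status] += 1
    total = len(findings)
    pct = round(100 * counts[Status.FULL] / total, 1) if total else 0.0
    return {"total": total, "fully": counts[Status.FULL],
            "partial": counts[Status.PARTIAL], "none": counts[Status.NONE],
            "compliance_pct": pct}


def render_report(findings) -> str:
    """Executive summary first, then the objective evidence behind each gap."""
    s = summary(findings)
    lines = ["AUDIT REPORT - executive summary",
             f"{s['fully']}/{s['total']} controls fully implemented "
             f"({s['compliance_pct']}%), {s['partial']} partial, {s['none']} missing.",
             "", "Gap register (highest risk first):"]
    for g in gap_register(findings):
        lines.append(f"  {g['control']:<9} {g['rating']:<9} score={g['score']:>2}  {g['status']}")
        lines.append(f"            evidence: {g['evidence']}")
    return "\n".join(lines)


# Constructed sample findings (not from any real audit); IDs follow CSF naming style.
SAMPLE_FINDINGS = [
    Finding("ID.AM-1", "Physical devices and systems inventoried", Status.FULL, 3, 2,
            "Asset inventory export reviewed, matches network scan"),
    Finding("PR.AC-1", "Identities and credentials managed", Status.PARTIAL, 5, 4,
            "MFA enforced for staff but not for contractor accounts"),
    Finding("PR.DS-1", "Data-at-rest is protected", Status.NONE, 4, 3,
            "No disk encryption policy; sampled laptops unencrypted"),
    Finding("DE.CM-1", "Network monitored for anomalous events", Status.PARTIAL, 4, 2,
            "IDS deployed at perimeter only; no internal sensors"),
    Finding("RS.RP-1", "Response plan executed during an incident", Status.FULL, 4, 2,
            "IR plan and tabletop exercise records on file"),
]

if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
```

Scoring only the gaps keeps the register focused on what the organization must act on, while the summary still shows the fully implemented controls so the compliance figure is honest about the whole scope; the evidence line under each gap is what lets a reader of the report check the conclusion rather than take it on trust.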

Conclusion

There is much more to this class than this, so please take the class. It’s being updated with new materials and is incredibly helpful in understanding this area of cybersecurity. And you will have many moments in the class where you ask yourself, “Why did he just run off screen again?”. There’s a lot of energy in this class, so don’t feel like this is going to be a boring GRC class!
