November 1, 2019, updated June 24, 2024

3C Model of Governance Case Study

Today a CISO or compliance officer has to comply with an ever-increasing number of regulations and standards. The number of ransomware attacks and data breaches has also grown considerably over the last few years. This makes it all the more important to build defenses well and to plan controls that strengthen the organization's cyber posture.

The key to building cyber resilience is strong governance. A very effective model that we have been practicing within our organization for the last 4-5 years is the "3C Governance Model": achieve Continuous Improvement through Continuous Monitoring and Continuous Auditing.

Here is a brief outline of how to apply the model:

A. Set up the compliance program – This involves the complete design and implementation of a compliance program, including the business and strategic objectives to be met, the controls that need to be established, the policies and processes that need to be developed, the skill sets required, etc. A key point to keep in mind is that any control that is implemented, or planned for implementation, should be based on the results of the risk assessment.

A thorough cost-benefit analysis should be done before a new control is implemented, and a control that does not address or mitigate an identified risk should not be implemented at all.

B. Plan for Continuous Monitoring – Once the compliance program has been set up, controls need to be monitored on a continuous basis for their effectiveness. There are many ways to do this, for example: function reviews, KPI/metrics reviews, compliance self-assessments (manual in Excel or automated through a GRC tool), review of logged incidents, review of known weaknesses in the system, and tracking the overall compliance posture of the organization. In this manner each control is monitored continuously, and any defects found can be addressed promptly rather than surfacing as non-compliances during external audits.

C. Develop an Audit Program – Implementing the controls and monitoring them is not enough; the controls also need to be tested for both their design and their operating effectiveness. The best way to achieve this is through a continuous auditing program.

This practice ensures that controls are tested throughout the year, so there are no surprises at the time of external audits. It also means weaknesses in the system are addressed on time rather than after an auditor finds them.

D. Continuous Improvement – The results of the risk assessment, continuous monitoring and continuous auditing help the organization understand its areas for improvement. This enables the CISO, compliance officer or other designated individual to plan the action points that bring about the necessary improvements in the operating environment.

Doing so helps organizations improve their overall governance program continuously, and information security is no longer just a tick in the box but becomes part of the organization's DNA.

Key Takeaways

In a nutshell, the focus should be on building a strong governance program; designing and implementing controls that follow from the risk assessment; continuously monitoring the organization's compliance posture; and identifying threats and vulnerabilities and remediating them before an attacker exploits them. The idea is to build and strengthen defenses in order to remain cyber resilient.

About SDG

SDG is a global cybersecurity, identity governance, risk consulting and advisory firm that advises and partners with clients to address their complex security, compliance and technology needs and delivers on strategy, transformation and long-term management of their cybersecurity and IAM programs.