arnold@everythinggrc.com
THE CORE: CIA
Establish a robust information security policy framework, including supporting policies and procedures, with visible and sustained support from leadership.
Utilize available tools to gain visibility into your assets, establish risk-based priorities, and maintain continuous monitoring. Regular patching and updates are essential to sustaining a secure environment.
Think Secure. Act Secure. Be Secure.
Effective cybersecurity isn’t defined by tools or compliance alone—it’s driven by a culture that prioritizes proactive, best-practice behaviors. At the heart of it all is Governance, Risk, and Compliance (GRC).
Leverage recognized standards like ISO 27001 and PCI-DSS—not just for regulatory alignment, but as frameworks for securing all valuable data, even if you’re not processing, storing, or transmitting payment card information. Treat your critical information with the same level of care as Cardholder Data (CHD), and embed that security mindset across your organization.
In every process, at every level, think GRC: who owns it, what risks are involved, and is it compliant? Be sure of your ISMS scope.
Have a Statement of Applicability even if you are not going for ISO 27001 certification.
Organizational Controls
The ISMS policy should reflect organizational objectives, risk tolerance, and commitment to continual improvement.
Underneath the main policy, you should define supporting policies tailored to key control domains. These include:
Involve senior leadership in policy approval.
Regularly report on security performance.
Include security in strategic decision-making.
Visible and sustained support builds credibility and drives security culture throughout the organization.
Establish a regular review cycle (e.g., annually or after major changes) and version control.
Collect feedback from stakeholders and lessons learned from incidents.
People Controls
Technology can only take you so far; people are your first and last line of defense. Train them, empower them, and involve them in the mission of security.
Emphasize security awareness training.
Regular, role-based education helps employees recognize threats like phishing and social engineering.
Promote accountability—everyone has a role in protecting information assets.
Assign information security responsibilities clearly.
Ensure staff understand what they’re securing, why it matters, and who’s accountable for which controls.
Conduct simulated phishing tests, incident response drills, and refresher training.
Conduct training at least annually, but ongoing micro-learning is more effective.
Obtain leadership commitment.
Leaders must model security behavior, endorse policies, and ensure resources for cybersecurity programs.
Create clear, accessible policies.
Use plain language so that non-technical staff can comply confidently.
Physical Controls
Key Focus: Endpoint and Environment Control
Document physical risks in remote locations as part of risk assessments.
Train employees to keep home offices secure (locked rooms, screen privacy, minimal access by family/visitors).
Use privacy screens, laptop locks, and tamper-evident seals.
Provide company-owned encrypted devices if security is a top priority.
Use endpoint protection, remote wipe capability, and strong access controls.
Require staff to log when/where they access sensitive systems or data.
Conduct random audits and reviews.
Enforce clear teleworking (remote-work) and clean desk policies.
Key Focus: Dual Controls for Office and Remote Use
Apply stronger controls for zones with cardholder data or sensitive info.
Implement badge access, visitor logs, and video surveillance.
Segregate secure areas—only authorized personnel allowed near sensitive data.
Lock screens after inactivity.
Enforce clean desk policy across all environments.
Track laptops, USBs, and printed documents.
Prohibit or monitor the use of portable storage.
Classify physical zones (public, employee, restricted).
Key Focus: Physical Perimeter and Data Center Security
Keep audit trails of media access, movement, and disposal.
Install physical barriers, alarms, and video surveillance.
Use multi-factor access to data centers (e.g., badge + PIN + biometrics).
Require ID verification, badges, and escorting.
Maintain visitor logs for at least 90 days.
Place servers, routers, and switches in locked rooms.
Regularly inspect for tampering or unauthorized access.
Securely store or shred any physical media containing sensitive data.
Technological Controls
Asset Visibility
Classify assets by sensitivity, criticality, and data types.
Maintain a comprehensive inventory of all IT and data assets.
Risk-Based Prioritization
Conduct regular risk assessments to identify and rank threats.
Focus resources on high-impact assets and known vulnerabilities.
Continuous Monitoring
Implement real-time logging, alerting, and SIEM tools.
Monitor for unusual behavior, policy violations, and threats.
Patching & Updates
Establish a patch management lifecycle.
Apply critical updates promptly; test before deployment.
Ensure secure configuration and regular vulnerability scans.
Quick Tips
Access Control
Use strong, unique passwords and enable MFA wherever possible.
Vulnerability Management & Updates
A missed patch is an open door.
Asset and data classification
Treat sensitive data like gold: lock it down.
Cybersecurity isn’t just about tools or ticking boxes—it’s about building a culture that defends from within. That is why best practices beat compliance every day, all day.
Cybersecurity Consultant
Gold-Level Professional Member, ISACA and ISC2