Baseline Controls and IT Governance

Presented below is a high-level schematic summarizing a Baseline Controls framework that can be used to address a variety of IT Governance, GRC, and statutory requirements. A high degree of reuse is realized, because, contrary to what you may have heard, not all of the GRC-to-domain mappings need to be recreated for each regulatory initiative.

When considering strategies to mitigate regulatory compliance risk, it is possible to restrict the threat analysis to a single probability: pass or fail the certification or examination. Regulatory examination scenarios can also be considered from a game theory standpoint, viewing the examining authority as an adversary in a non-zero-sum game (with less than perfect information), where we have much more to lose than our adversary has to gain, whether in fines, loss of reputation, or total cost of compliance. When developing strategies, considering risk, and prototyping, it can be useful to consider multiple perspectives in order to focus on practical solutions.

Although Baseline Controls are specifically designed to be effective in these regulatory scenarios, they are engineered within a broader context to help ensure that enterprise and operational risks are figured into the equation.  In an ideal world, we would design and implement only those controls that are required to mitigate operational risk to an acceptable level, assuming that the regulatory scope aligns within these thresholds. Regardless of any potential mismatches in this regard, thinking in terms of baselines can reduce the total cost of compliance.

Furthermore, if sound process architectures are already instantiated, optimizing existing operational processes to achieve regulatory compliance is less expensive than implementing new procedures.  Any leveraging that can be achieved in this regard lessens the time commitment of valuable resources, which can also help to reduce costs.