Why do we need Governance Frameworks, SOC 2 Audits, & Compliance?

Yesterday I met my previous roommate who’s a Computer Science nerd and recently completed his internship at one of the best tech companies in the Valley.

We met after a long time and soon after discussing how we’ve been, he asked about my work. I told him – “I am currently working on the Governance Frameworks as we are going to have SOC 2 in the near future”. And as curious as he is, he started asking all sorts of questions.

What is Governance?

What’s a Governance framework?

Why do we need a framework?

Can I do things without a framework?

What is SOC 2?

How do these all fit together?

and so on…

After 30 min of deliberate discourse, I hope I was able to put some rationale about why I do what I do.

Here’s my attempt to answer all those questions and explain the GRC jargon along the way.

For the purpose of this discussion, let’s assume I am opening a new bank, SMBC, for which I need IT resources and Security.

Now, when I start the bank, there is a board which gives the directives about how the bank should be run. Which businesses should they target to get the bank up and running and generating revenue ASAP? Should they invest their time and resources in Investment Banking or Retail Banking? Which companies should they acquire? How much risk is the bank willing to take? And so on. These decisions are directives from the Senior Management (read Board) on how to operate the bank. These directives are drilled down to the Management team, which works with the employees on the ground and enables them to achieve those targets.

For the sake of simplicity – consider all the C-suite executives as the Governance team of the bank.

Now, what’s a Governance Framework?

Say after 5 years, the bank is running fine and they need to streamline IT Services and apply security controls around those IT services.

Where should they start?

That’s where the Governance frameworks come into play.

The bank can simply adopt the ITIL Framework to streamline all the service management / IT requirements. The framework will detail all the IT requirements for the bank.

For example – the Configuration Management process will detail the best practices to implement the Configuration Management process in the organization.

Alright, we have all the IT process requirements from ITIL; now how will I make sure these are secure as per the requirements of the organization? [Note: In Security, one size doesn’t fit all. Each organization has its own Security appetite and hence the level of controls will vary for each of them.]

For this, there are different frameworks, namely ISO 27001, NIST, COBIT 5, etc., which can be used to map the ‘must-have’ requirements for each process.

For instance, if I am planning to implement a formal Configuration Management process, then who is responsible for approving the Configuration Item (CI), and who will actually implement the change?

To answer these questions, COBIT 5 already has a RACI chart that they can simply adopt for the bank, without getting stuck in the intricacies of the process.

In essence, COBIT addresses “what is to be achieved,” while ITIL addresses “how to achieve it.”

To add, here’s the entire mapping of ITIL and the control objectives from COBIT.

OK, ISACA gave all the guidelines on the control objectives for Configuration Management, but I don’t feel like using those. They are too much for me. Do I have to implement all the processes?

Absolutely not!

As I mentioned above, you only adopt those processes which are required for your organization and then progress to come to an optimized state (the COBIT 5 Process Capability Model is outside the scope of this post).

Now, why do we need Audits? For the sake of simplicity, I will consider the SOC 2 Type 2 Audit.

Suppose the bank has matured now and started developing solutions for itself for security tokens. These are physical tokens supported by the bank’s infrastructure. The bank is so confident in its system that they reach out to other banks to sell their product.

The other bank, PMBC, is interested in buying the product, but how can they be sure that SMBC has all the security controls they claim to have implemented in the system? And thus PMBC asks for the SOC 2 Type 2 report.

In simple terms, a SOC 2 Type 2 report certifies that the bank has maintained its security controls at least for the period of 6 months. (The different parts of SOC 2, how it relates to COBIT and ITIL, etc. are outside the scope of this post.) This is called a SOC 2 audit and is done by a third party.

The purpose of this post was to give a peek into the day-to-day life of a GRC professional from a 10,000-foot view. There are many, many things which we have omitted here (Certification v/s Accreditation, Assessment v/s Audit, etc.) which I plan to write about in the next posts.

References:

  • ISACA, Configuration Management using COBIT 5
  • Axelos, ITIL – IT Service Management
  • AICPA, SOC 2 for Service Organizations

Cheers,
Shobhit