Applying Information Security and Privacy Principles to Governance, Risk Management and Compliance

Applying Information Security and Privacy Principles to Governance, Risk Management and Compliance (PDF, 1.97MB)
Published: 25 Oct, 2010
Created by: Scott Giordano

Corporate Governance, Risk Management and Compliance (GRC) is typically thought of in terms of adhering to particular compliance regimes (such as Sarbanes-Oxley), while addressing information security and privacy mandates (such as those found in HIPAA) is typically thought of as its own discrete task. This paper bridges the gap between these two disciplines, identifies how they interrelate, and shows how efforts to comply with one regime can be leveraged to apply to the other. The topic is appropriate for GSEC because much of InfoSec practice has legal implications, and many of them intersect with traditional GRC. This paper offers enterprises and government agencies a way to minimize the duplication of total compliance effort while improving InfoSec effectiveness. Perhaps more importantly, InfoSec professionals will be able to demonstrate their need for appropriate resources to upper management from a new perspective. Others will be interested in this paper for two reasons: (1) it demonstrates the many applications of InfoSec to legal requirements, and (2) it gives InfoSec professionals an importance to upper management that they previously did not possess. This paper both builds upon the legal aspects of InfoSec taught in class and adds an entirely new dimension to thinking about the implications of InfoSec as it applies to corporate GRC.