First Working Group Meeting - March 1, 2024.md
Meeting Notes - March 1, 2024

Attendees

Ayoub, Justin, Akshay, Austin

Topics

What do we envision doing to make GRC Engineering a thing?

  • Other folks at Apple, LinkedIn, Plaid, Raytheon, etc. may want to help with this
  • Automate ourselves out of a job - improve our quality of life
  • Make control evidence as transparent and constantly updated as possible
  • Allow stakeholders to run an on-demand audit by themselves

What do we think a GRC Engineering community movement should look like? And where do we start with building it?

  • Start small with projects - even something simple like the Risk Register Template project idea

  • Manifesto is a great start

  • What does it look like to fit GRC practices into modern engineering tools/processes? What does it look like to shift GRC left?

    • Imagine if we had Terraform templates or Checkov
  • HIPAA compliance, PCI compliance, etc. - imagine if we had compliant-by-design, compliant-by-default config/deployment templates

    • Use UCF / SCF as a starting point to begin mapping compliant-by-default tooling/templates to control frameworks
  • Making "control violation" data easily available helps other teams see the same big picture that GRC has, which can foster proactive collaboration - e.g. AppSec digging into that data set of known problems to start chipping away at them more proactively

  • The importance of relationships with e.g. product teams

    • You can have the best FAIR analysis in the world, the most rigorous evidence-based assessment of risk, but if you don't have solid relationships with the people you work with, they'll spend more time trying to poke holes in your data than take it for what it is
    • We're basically in the business of "Sales" - always trying to "sell" to others
    • Need to figure out how to put yourself in others' shoes, make sure what you're asking people to do is not intrusive
    • Need to really understand what the business cares about

Next steps

  • Invite other like-minded people to the Slack
  • Start populating in GitHub a list of already published docs, articles, etc. in an Awesome GRC Engineering list (example: https://github.com/emreugurlu/security-grc-tools/tree/main)
  • Identify like-minded technical auditors who can champion GRC Engineering practices/principles to effect auditor culture change