Inherent Risk vs. Control Risk: What’s the Difference?

Published 02/27/2020

Inherent risk and control risk are two of the three parts of the audit risk model, which auditors use to determine the overall risk of an audit. Inherent risk is the risk of a material misstatement in a company’s financial statements without considering internal controls. Control risk is the chance of a material misstatement in a company’s financial statements because there aren’t any relevant internal controls to mitigate a particular risk or the internal controls in place malfunctioned. There is a distinct difference between inherent risk and control risk. The inherent risk stems from the nature of the business transaction or operation without the implementation of internal controls to mitigate the risk. Control risk arises because an organization doesn’t have…


CCPA Compliance Checklist

Published 02/25/2020

If your organization has a presence in California or does business with California residents, then it probably needs to comply with the California Consumer Privacy Act (CCPA). CCPA compliance is no easy task but never fear: Using this checklist and our CCPA audit guide can help smooth the way. The first step toward compliance is knowing the law: Know if you qualify. Enacted in 2018, the CCPA takes effect Jan. 1, 2020, and mandates that certain for-profit businesses in California or doing business with Californians meet its requirements. Is yours one of them? Does your enterprise: Have annual gross revenues of more than $25 million; or Buy, receive, sell, or share personal information of 50,000 or more California consumers,…


Proactive vs Reactive Risk Management Strategies

Published 02/20/2020

For decision making, “reactive” tends to be frowned upon in the business world. “Proactive” is the preferred mode and has been pretty much since the word was coined (in 1933). “Proactivity,” says Wikipedia, refers to “anticipatory, change-oriented and self-initiated behavior in situations.” In risk management and elsewhere, “proactive risk management” entails addressing problems before they start: in case fire fighting becomes necessary, an extinguisher needs to go here. But what if the extinguisher doesn’t work? You have a backup: a contingency plan. Reactivity, on the other hand, involves action in response to something. A fire breaks out; you grab one of the fire extinguishers called for in the proactive risk management plan. A “proactive vs. reactive” debate pitting one approach…


Why You Need a Vendor Risk Management Policy

Published 02/18/2020

A formal, written vendor or third-party risk management policy is the first step in developing your vendor risk management program, and essential to that program’s success. Vendor risk management encompasses third-party risks as well as that of your vendors’ vendors — fourth-party risks — and is an important component of any cybersecurity program. A vendor risk management policy spells out the identified risks your organization faces in its use of third-party vendors, and the controls in place to minimize those risks. Think of it as a sort of road map to the success of your third-party risk management program. Having a vendor management program is more important today than ever before. The digital age has brought about a dramatic increase…


ZenGRC at RSAC 2020

Published 02/13/2020

Experience ZenGRC Live at RSAC 2020, Feb 24-28 | Moscone Center, San Francisco, Booth #3332, South Expo Hall. Join Reciprocity’s team of GRC Experts and Product Specialists at the RSA Conference, the largest IT Security and cybersecurity trade show. Join us at our Booth (#3332) to experience ZenGRC, the leading infosec risk and compliance platform. With ZenGRC you can: Simplify audit & compliance management; Save time & reduce manual effort; Operationalize risk management; Boost ROI. See for yourself why ZenGRC is consistently rated an industry leader on G2 and Capterra! Three ways to engage with us at RSAC: Meet us in the Exhibit Hall | Booth #3332, South Expo Hall; Consult with a GRC Expert | Schedule an…


CCPA Exemptions: The California Consumer Privacy Act and the Gramm-Leach-Bliley Act

Published 02/13/2020

A change is coming for privacy protection. Are you ready? For the past twenty years, most financial services businesses fell under the requirements of the Gramm-Leach-Bliley Act (GLB Act or GLBA). This law federally governed the collection and disclosure of customers’ personal financial information. However, on January 1st, 2020, a new privacy rule—the California Consumer Privacy Act (CCPA)—is going into effect. Although a state law, it may significantly enhance data protection requirements in the U.S. Does your business fall under this new Rule? Compliance with the GLBA does not mean your business won’t have to adhere to the CCPA. The CCPA does not exempt financial institutions or companies that provide financial services, but there are limited exemptions for certain types…


Best Practices in Cyber Supply Chain Risk Management

Published 02/11/2020

Cyber supply chain risk management touches all aspects of a business. Supply chain risk management (SCRM) is not solely the responsibility of cybersecurity, but instead a partnership between sourcing, vendor management, cybersecurity, and transportation. The National Institute of Standards and Technology (NIST) released a set of best practices for cyber supply chain risk management in 2016. The best practices are vital for an organization and offer high-level advice on mitigating malware, performing risk assessments, securing information systems, and leveraging an information security program. Like all management programs, SCRM should be looked at as a lifecycle containing a clear set of security practices focused on the supply chain and supply chain management. Cyber Supply Chain Principles and Supply Chain Risks According…


The Difference Between Strategic and Operational Risk

Published 02/06/2020

Strategic risk and operational risk are both valuable to organizations and are critical in managing an organization’s overall risk management program. Organizations are finding that strategic risk management is something that can’t be done the same old way and requires new creative thinking in order to execute successfully. Operational risk management is important to make sure there are plans in place to remove roadblocks so that organizations can execute against their strategic plans. Risk assessments are often performed in order to get a better idea of how well the operational risk program is performing. There are two other types of risk that organizations must also include in an overall risk management program: financial risk and compliance risk. Financial Risk…


The Debut of Advanced ZenGRC Risk Management

Published 02/05/2020

Written by: Scott Nash, VP of Product. Reciprocity’s mission is to connect the people, processes, and technologies critical to our customers’ information security risk and compliance management. As InfoSec becomes increasingly more complex, our customers want to become more agile in their risk management strategy. It is important for them to have better visibility and be able to respond to changes quickly. We’ve built upon ZenGRC’s core risk functionality to introduce a powerful new set of risk intelligence tools. The latest additions provide visibility on how multiple risks interact, their potential impact, probability of occurrence, and remediation plans. ZenGRC Risk Management helps organizations increase their risk intelligence and evolve towards a proactive risk management strategy. Here’s what we’ve launched: We’ve expanded…

Top 5 Predictions for InfoSec GRC in 2020

Published 01/08/2020

January 1 ushers in a new year, a new decade, and new challenges—as well as new dimensions and re-ordering of existing challenges. Reciprocity’s Team of GRC Experts share likely developments, trends to watch out for, and how your organization can navigate Information Security Risk & Compliance in 2020. With foresight, an organization can proactively take steps to address the challenges of the future. Our expert panel explores what’s coming: 1. Risk-based, Layered Approaches Eclipse One-dimensional Efforts. “Risk Management and Risk Assurance will overshadow other approaches to GRC as organizations satisfy operational needs” – Gerard Scheitlin, Founder of RISQ Management. “While the requirements on information security, privacy, and compliance will only continue to expand and tighten, organizations are realizing that it…