ZenGRC

Simply Powerful GRC

ZenGRC Team

Internal Audit Checklist for Your Manufacturing Company

· ·

The manufacturing industry faces increasing scrutiny from regulatory agencies. As cybercriminals increasing target SCADA system weaknesses, an organization’s cybersecurity posture becomes more important to its ability to protect data and obtain important contracts. Starting with a security-first approach to cybersecurity often protects data, but to meet compliance requirements, the organization need to document the effectiveness of its internal controls.

Internal Audit Checklist for Manufacturing Companies

What are the Primary Cybersecurity Concerns Facing the Manufacturing Industry?

SCADA networks are a combination of hardware and software that control and monitor industrial processes. They allow manufacturers to interact with devices, log data, and control remote and local processes. Many of these devices, however, were not intended for the connectivity now necessary to maintain a modern business model. Therefore, they come with significant cybersecurity risk making the manufacturing industry a primary target for malicious actors.

However, SCADA risks can lead to not only production loss but, more importantly, loss of life. Since SCADA systems control critical infrastructure, cybercriminals increasingly target them more than they do standard business systems.

What are the Regulatory Compliance Requirements for the Manufacturing Industry?

Regulatory compliance requirements in manufacturing are generally dictated by the federal government. These requirements specify rules to ensure that national secrets are protected. They allow non-government entities the ability to create items for government use while still existing as private businesses.

International Traffic In Arms Regulation (ITAR)

ITAR covers both goods and technology, combining commercial and research objectives with national security requirements. It regulates items designed for commercial purposes that the military can also adopt, such as computers and software.

Defense Federal Acquisition Regulation Supplement (DFARS)

DFARS Safeguarding rules and clauses establish minimum security standards for information systems that process, store, or transmit Federal contract information. These basic controls must be implemented throughout the supply chain. NIST Special Publication SP 800-171 set for guidelines for compliance.

What are the Primary Industry Standards Affecting the Manufacturing Industry?

The manufacturing industry traditionally needs to implement controls based on the International Organization for Standardization (ISO) standards.

ISO/IEC 27001:2013

This risk-based approach allows a variety of organizations to and industries to apply ISO 27001. This flexibility makes it one of the most utilized information security standards. Moreover, ISO/IEC 27001 lists a series of controls in Annex A that acts more like a menu creating a choose-your-own-adventure style approach to security. These extended control sets offer management the option to avoid, transfer, or accept risks rather than mitigate them through controls.

ISO 9001

ISO 9001 supports specifies the requirements for a quality management system (QMS). Quality management systems document the processes, procedures, and responsibilities over quality and control objectives.

ISO 9001 audits incorporate three types of review: product, process, and system. The lengthy list of documentation required includes both mandatory and non-mandatory information. The list of mandatory documents includes document control procedures, records procedures, internal audit procedures, control of non-conformance procedures, corrective action procedures, and preventive action procedures. While that does not feel overwhelming at first, each of those categories lists additional documents needed to prove the process works in action.

5 Steps to an Internal Audit in Manufacturing

Although internal audits can feel burdensome, they effectively act as a “pretest” before the external auditors arrive. A successful and comprehensive internal audit can act as a “practice run” that allows you to remediate issues before the external audit and prevent official findings.

Identify your Subject Matter Experts (SMEs)

Even though this is an internal audit, you may need to incorporate stakeholders from across the organization. For example, SCADA experts and internal IT experts need to communicate and work together to create a holistic security first compliance approach.

Document your Internal Control Procedures and Your Reasons for Them

Regardless of maturity level, you need to make sure to establish a risk analysis, policies, procedures, and processes. This documentation acts as the roadmap for your compliance program which helps to create the audit scope.

Continuously Monitor for Control Effectiveness

Cybercriminals continuously evolve their threat methodologies which means that a control’s effectiveness can weaken at any time. You need to continuously monitor your controls and remediate any potential weaknesses as soon as possible.

Continuously Document your Monitoring

Audits rely on documentation. Even if you are continuously monitoring, the auditor may return findings if you do not have the documentation. Documentation proves governance over the program which enables the Board of Directors to oversee the program.

Create an Internal Audit Workflow

Communication before, during, and after the audit helps maintain security and compliance. You need to create a process for preparing, reviewing, and responding to the internal audit to ensure that all tasks are completed in a timely manner.

How ZenGRC Enables Internal Auditing in the Manufacturing Industry

Compliance programs require communication between internal and external stakeholders and an audit system that enables this.

ZenGRC offers workflow tagging so that you can delegate compliance tasks and monitor their progress and completion. Moreover, it allows you to prioritize tasks so that your team members know how to plan their activities.

ZenGRC’s workflow management capabilities include a centralized dashboard that continuously documents your control effectiveness making compliance documentation easier.

Additionally, it helps you create an audit trail by documenting and remediation activities to support your responses to auditor questions.

Using ZenGRC’s single source of information platform can speed up internal and external stakeholder communications and provide all documentation necessary thus reducing external auditor follow up requests.

For more information on how ZenGRC’s audit management workflows can streamline your process, contact us for a demo.

What are Internal Control Weaknesses?

· ·

A control weakness is a failure in the implementation or effectiveness of internal controls. Malicious actors can leverage internal control weakness to circumvent even the most robust security measures. The wide range of internal controls, countless new technologies, and the rate at which malware evolves necessitate monitoring of data security controls. Regularly monitoring allows organizations to test the effectiveness of their internal controls and expose weaknesses in their implementation-before bad actors can exploit them.

What are Data Security Controls?

Data security controls keep sensitive information safe and act as a countermeasure against unauthorized access. They enable risk management programs by counteracting, detecting, minimizing, or avoiding security risks to computer systems, data, software, and networks.

They include technical controls as well as operational, administrative, and architectural controls. These controls can be preventative, detective, corrective, or compensatory.

Effective internal controls protect your organization by providing reliable financial reporting, as required by various regulations and industry standards governing investment, capital, and credit risks. For example, section 404 of the Sarbanes-Oxley Act of 2002 (SOX) requires annual proof that companies accurately report financial statements and that their procedures ensure effective fraud prevention, as well as demonstration that they have addressed any uncertainty, such as stocks.

What are Technical Control Weaknesses?

Technical security controls focus on hardware and software. Weaknesses in technical controls stem from changes in technology and maintenance or configuration failures. In 2014, the “heartbleed” vulnerability exploited a technical control weakness in SSL to expose data, resulting in a rush of emergency patching.

What are Operational Control Weaknesses?

Operational security (OPSEC) focuses on monitoring operations and enforcing a risk management program. Operational control weaknesses stem from the human factor. When those conducting operations fail to follow established standards and policies, operational controls are weakened.

Incident response is a time-sensitive operational control. It is most effective with rapid intervention. As the interval between the incident and intervention increases, the effectiveness of incident response is exponentially reduced.

What are Administrative Control Weaknesses?

Administrative security controls are also referred to as procedural controls. Failure in daily operations to adhere consistently to established standards or regulations results in administrative control weaknesses. For example, a regularly-scheduled backup routine is an important procedural control related to disaster recovery. Failing to test the integrity and viability of backups exposes the organization to the risk of media degradation, which can have a negative impact on recovery ability or create material weakness following catastrophic events or human error.

What are Architectural Control Weaknesses?

Security architecture focuses on creating a unified design that documents and addresses the risks across an organization’s integrated information technology environment. A weakness in either design or documentation damages the foundation of an organization’s security structure. Unexpected hardware replacement is at high risk for architectural control weakness, due to circumvention of the normal change management process. The urgent nature of these replacements creates the potential for configuration irregularities, missed patches, or other implementation oversights.

How does Risk Management Support Internal Controls?

The core values of governance, risk, and compliance (GRC) focus on defining risks so that your organization can comply with standards or regulations, while continuously monitoring to ensure the processes work. Effective corporate risk management involves creating a structure to support the procedures that protect resources and assets.

Risk management is not a set-and-forget process. Established controls must evolve as the threat landscape evolves. Malicious actors modify their tactics regularly. Maintaining peak effectiveness requires periodic risk reassessment throughout the information system’s life cycle.

Why Organizations Need to Continuously Monitor Their Controls

Continuous monitoring incorporates machine learning tools to provide real-time insights into new vulnerabilities and threats facing your information systems. Although malicious actors regularly modify malware and ransomware to avoid detection, continuous monitoring enables management to respond to threats.

Effective monitoring of internal controls requires integrating internal audit and ongoing activities to ensure that the organization embedded safeguards within normal operations. This harmonizing of detective and preventive measures helps internal analysts review effectiveness. With that information, the audit committee can regularly update the Board of Directors with reports and reviews, to ensure that current information both aligns with and informs strategic decisions.

How Automation Eases the Burden of Continuous Monitoring

As organizations grow, they increase the number of internal controls they need to monitor. Technology use increases the overlap between different types of controls. For example, operational risk now becomes an IT risk. Before computers, an employee accessing hard copies of sensitive information was simply an operational risk because that meant the business did not follow employee internal control procedures. Cloud migration now makes unauthorized access an IT risk as well as an operational risk.

Information systems continue to scale, mirroring businesses’ expanding footprints. Organizations that attempt to rely on manual monitoring face the daunting and expensive task of hiring and training staff. With a shortage of experienced professionals in the field, this constant increase is both cost-prohibitive and reactionary. The result of manual monitoring is an organization with an out-of-date security program that falls behind and eventually becomes a victim of an attack.

Continuous monitoring systems that utilize machine learning and automation allow organizations to keep pace with the integration of new technologies, increased number of internal controls, and the ever-evolving threat landscape.

How ZenGRC Enables Corporate Data Security Control Monitoring

ZenGRC allows you to prioritize tasks so that everyone knows what to do and when to do it. Teams can more rapidly review the “to do” lists and “completed tasks” lists, understanding at a glance current task status.

With our workflow tagging, you can assign tasks to the individuals in your organization responsible for the activities involved in risk assessment, risk analysis, and risk mitigation.

Finally, with our audit trail capabilities, you can document remediation activities to prove that you maintained data confidentiality, integrity, and availability as required by law.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.

What You Need to Know About California’s New Data Protection Law

· ·

Senate Bill 1121, more commonly known as the California Consumer Privacy Act (CCPA) was passed on September 23, 2018, and becomes effective on January 1, 2020. Already being compared to the European Union’s General Data Protection Regulation (GDPR), the new law focuses on privacy rights and encompasses both consumer protection and data protection. Thus, organizations need to know how to secure and protect information to meet the CCPA’s regulatory requirements.

Understanding California’s New Data Privacy Law

What is the CCPA?

In response to increased data breach activity, the Californians for Consumer Privacy non-profit advocated for the new consumer protection law.

Their suggestions led to the creation of the bill which, incorporated under the California Civil Code, subject businesses to lawsuits and statutory damages when compromised data security leads to disclosure of consumer information.

Who enforces the CCPA?

The California Attorney General enforces CCPA fines. However, individual residents can also bring civil lawsuits against a business.

What are the fines and penalties for violating CCPA?

Statutory damages can be $100-$750 per California resident and incident, actual damages (if they are greater), or any other relief that the court determines.

Moreover, any intentional violation can be fined up to $7,500 while unintentional violations can incur a fine of up to $2,500.

How does the CCPA define personal data?

As part of the consumer protection initiative, the CCPA defines twelve categories of personal information:

  1. Real name, alias, postal address, unique ID, IP address, email address, account name, social security number, passport number, or anything similar
  2. Anything considered personal information in Civil Code 1798.80
  3. Anything related to race, ethnicity, gender, or other protected class information as defined by California or federal law
  4. Commercial information such as property records, products or services, or purchasing histories/tendencies
  5. Biometric data
  6. Any information collected from the internet or network activity such as browsing history, search history, or website/application/advertisement interaction
  7. Geolocation data
  8. Audio, electronic, visual, thermal, olfactory, or similar information
  9. Psychometric information
  10. Professional or employment information
  11. Inferences made based on any of the other ten types of information
  12. Any of these categories of data collected for children or minors

Who must be compliant with CCPA?

The CCPA creates broad privacy requirement. Unlike the EU, the United States lacks a cohesive data protection regulatory structure. CCPA enhances consumer protection by applying to businesses that meet any of the following three requirements:

  1. Generate an annual gross revenue of over $25 million
  2. Receive or share California resident personal information more than 50,000 people
  3. Earn at least 50% of its revenue from selling California resident personal information.

Non-profits and companies not meeting the above requirements remain exempt.

Who is protected by the CCPA?

The CCPA defines consumers as

  1. People living in California for more than a temporary period or
  2. Residents of California, United States whose primary residence is in the state but live outside the state for a temporary period
  3.  Customers of household good and services, employees, or business-to-business transactions.

Thus, even businesses not located in California may need to comply with the law.

What does “provide upon request” mean?

The CCPA allows consumers to request the personal data that a company collects. Moreover, it stipulates that the business provides at minimum a toll-free telephone number and website where people can request their information. Then, companies must disclose and deliver the information within 45 days of the request.

What is the “right to know”?

Any information that a business sells or that it discloses to a vendor falls under the consumer’s right to know. Not only does the company need to provide contact information about the third-party, but it also needs to explain the business purpose for disclosure/sale. If no business purpose exists, it has to tell the consumer.

What does a business need to do to comply with the “right to know” requirement?

First, the business needs to verify the customer request by linking information the consumer provides to information collected. Moreover, companies need to identify the category or categories of data collected for the preceding 12 months.

If the business sold or disclosed consumer information to a third party, they also must provide names and contact numbers for the third party and the categories of information sold or disclosed to the third parties for the preceding 12 months.

What is the “right to opt out”?

The right to say no, or “opt out,” means that a consumer can choose to keep a company from selling or disclosing information to a third party.

What do businesses need to do to comply with the “opt out” requirement?

First, a company needs to provide a “clear and conspicuous link” on the homepage that says “Do Not Sell My Personal Information.” Unlike the GDPR’s cookie policy which can be confusing, the CCPA requires specific language that a homepage needs to include.

If a business does not have this link on their homepage, the CCPA specifies that it needs to maintain a second website just for California residents that does include the link. Functionally, businesses need to choose between creating two websites or adding the disclaimer to their primary site, as such, simplifying the process by adding the link to the homepage creates a way for anyone, anywhere, to opt out.

On the “Do Not Sell” page, businesses need to outline their privacy policies and California-specific descriptions of rights. Moreover, they must clearly link to a California specific page detailing consumer privacy rights and opt-outs for the CCPA.

How ZenGRC Enables CCPA Compliance

CCPA compliance will require documentation collection, storage, and retrieval. Additionally, with more people interacting with vendors who interact with consumer data and employees monitoring consumer requests, CCPA compliance will require more communication between internal and external stakeholders.

With our workflow tagging, organizations can delegate tasks and follow progress to ensure appropriate completion. Particularly crucial for CCPA’s 45-day timeline, businesses can monitor consumer request fulfillment activities to maintain compliance.

Our task prioritization mechanism allows businesses to review workflows so that they can mitigate cyber risks as well as review controls within the organization necessary for maintaining opt-out and opt-in information.

Finally, ZenGRC acts as a single-source of information so that all workforce members involved in CCPA compliance can access the same information and documentation to support audits.

For more information, or to schedule a demo, contact us.

Workflow Automation For Compliance

· ·

The time-consuming, administratively burdensome compliance process is riddled with potential human errors that can lead to violations. As securing data increasingly relies on proving controls’ effectiveness, compliance becomes more stressful for everyone in the organization. However, building compliance workflow can streamline the process leading to a more cost effect and auditable outcome.

Compliance Workflow

What is a Compliance Workflow?

Any workflow is based on dependencies. Someone needs to set tasks and assign responsibilities. Then, that person needs to ensure that tasks are completed on time.

In compliance, the compliance officer should be setting the tasks and monitoring their completion. Maintaining visibility into the compliance program requires communication across the organization.

However, a traditional compliance workflow often becomes burdensome as organizations scale. Emails and calendar notifications become lost in the day-to-day clutter of business operations and meetings. This outdated process can lead to missed deadlines which overwhelm the compliance officer.

Why Automate the Compliance Workflow?

With automation, you can use technology to streamline the business process. Rather than having to update your tasks manually, you can use software that automatically renews and tracks the items that need to get done.

For example, if you need to meet the Health Insurance Portability and Accountability Act (HIPAA) requirements, you need to review patch management processes.
Often, this requires the IT department to submit documentation. However, if the IT department loses the document request in the stream of emails, the compliance officer is the one who needs to follow up. That follow up process means sending reminder emails and nagging the responsible party. Automation allows for a “set and forget” approach to task management and follow up which saves time and better controls the process.

Why Does Streamlining the Compliance Process Matter?

Compliance managers need to balance a variety of regulatory and industry standard requirements. Depending on the industry, they may need to maintain compliance with cybersecurity as well as human resources, document retention, and internal operations requirements. All of this becomes more complicated as regulatory and industry standards evolve requiring more time and more documentation.

Thus, juggling all those balls at once can lead to the compliance manager dropping one. A dropped ball can lead to a compliance violation. A compliance violation can lead to fines and penalties. For example, HIPAA violations can cost anywhere from a minimum of $100 per violation up to $50,000 per violation, depending on the negligence involved.

Even worse, if a covered entity knowingly obtained and disclosed individually identifiable health information a 1-year prison term and a fine of $50,000 could be enforced. Thus, ensuring effective controls and compliance with them becomes not just a financial, but also a personal, risk.

Streamlining the process with workflow automation makes documenting the process easier. Ultimately, any area that requires compliance also requires an audit. Audits rely on documenting policies, processes, and procedures. With workflow automation, the necessary documentation resides in a single location to enable auditability.

How to Use Compliance Management Software

Once you decide to automate the compliance workflow, you need to find one that works for the organization. Various automated tools provide different functionalities. Thus, choosing the right compliance management software requires understanding the inherent capabilities you need, what the tool offers, and how to use the system.

Assign Responsibilities

Each person involved in the compliance process has responsibilities. Unfortunately, as organizations scale, people often lose track of who needs to do what and when it needs to be done. Moreover, as people move throughout the organization, they may no longer be responsible for the same activities.

Thus, the first step is to assign responsibilities so that everyone knows where in the compliance process they fit, like a puzzle. IT managers need to know what reports they have to provide. Department managers and the human resources department need to know where their responsibilities overlap with IT.

For example, if an employee moves from marketing to sales, that person may no longer need access to the same information. Each department, therefore, needs to communicate with others to ensure control effectiveness.

Assign Tasks

Once you assign responsibilities, you need to assign tasks. Each responsible party needs to know what documentation they have to provide the compliance manager. These tasks can be automated reports such as monitoring logs or responses to auditor interview questions.

Compliance workflow automation makes assigning and tracking these tasks more manageable. Once you assign them, it sends reminders to the people who need to complete the tasks regularly. It also provides visibility into what has been submitted, what remains outstanding, and whether the task is overdue.

Store Documentation

Compliance relies on documentation. Auditors can trust your company, but to meet their professional standards, they need to document that your company maintains compliance. To do this, you need to give them proof that you monitor your internal controls and align with what your policies and procedures say.

A complete compliance workflow management system not only tracks people and tasks but also stores documentation. Rather than having to sift through a shared cloud drive, the compliance management system can organize documentation and tag the responsible parties. This process removes the human error that often plagues compliance managers using manual or outdated methods.

How ZenGRC Enables Compliance Workflow Management

Compliance programs require communication between internal and external stakeholder and compliance workflow automation tools that enable this.
ZenGRC offers workflow tagging so that you can delegate compliance tasks and monitor their progress and completion. Moreover, it allows you to prioritize tasks so that your team members know how to plan their activities.

ZenGRC’s workflow management capabilities include a centralized dashboard that continuously documents your control effectiveness making compliance documentation easier.

Additionally, it helps you create an audit trail by documenting and remediation activities to support your responses to auditor questions.

Using ZenGRC’s single source of information platform can speed up internal and external stakeholder communications and provide all documentation necessary thus reducing external auditor follow up requests.

For more information on how ZenGRC’s audit management workflows can streamline your process, contact us for a demo.

How to Audit Governance

· ·

Governance, risk, and compliance (GRC) have become buzzwords in cybersecurity. As governments and industry standards organizations respond to the data breach landscape by creating new compliance requirements, governance has become fundamental to creating an effective risk management program. Auditing governance requires organizations to communicate with internal and external stakeholders.

Auditing Governance

What is corporate governance?

To prove governance, companies need to establish rules, practices, and processes.  Even more critical, governance places responsibility on senior management and the Board of Directors to review risk knowledgeably.

What is corporate governance in cybersecurity?

In cybersecurity, corporate governance shifts slightly. While senior-level executives and the Board do not make the security decisions, they need to understand the cybersecurity risks that may arise from business objectives.

Additionally, cybersecurity governance requires reviewing the effectiveness of internal controls.

What is the audit committee’s responsibility?

As cybersecurity compliance increasingly becomes a focus for many companies the audit committee acts as the bridge between the audit program and the Board of Directors.

Thus, while the audit committee members may not need to be technical, they do need to understand cyber risk more than others within the organization. To engage in more detailed conversations, the audit committee needs to incorporate the information technology (IT) leaders within the organization.

How to incorporate cyber risk as part of the audit plan

As companies increase their use of Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) vendors, their audit plans need to address the internal controls that protect from data breaches. Audit plans focus on how you determine key performance indicators (KPIs) for your compliance program. Thus, creating a cybersecurity audit plan becomes the roadmap for how you establish and prove governance.

Timing

Planning for internal audits should be a continuous process. Before setting out an audit plan, you need to review your previous audits for control deficiencies. Then, you can determine the scope.

For example, if your company lacked appropriate software and operating system patch management, then that needs to be considered as part of the scope for the next audit. However, if patching was excellent, but your previous audit found that several systems or networks retained their factory-preset logins, then you should focus on that.

In short, timing and planning should be a continuous process based on consistent improvements to your cybersecurity oversight.

Risk Assessment

Any audit plan needs to incorporate a holistic view of cybersecurity risk.

When creating an audit plan, you need to ensure that you have established a risk tolerance that incorporates data, location, data breach potential, and potential data breach cost.

When determining the audit plan scope, you need to focus on the information assets with the highest risk.

Compliance Committee

A compliance committee includes internal stakeholders who monitor and document internal controls.

The compliance committee, in conjunction with the audit committee, works to keep the company aligned with changes to standards and regulations. As such, they stand as the first line of defense for working to keep controls effective and provide governance over the program.

How internal auditors review cybersecurity governance

The audit plan sets out the scope and contains the needed steps for proving governance. Your internal audit acts as a second-set-of-eyes.

Internal auditing requires an independent individual to review and assess whether your cybersecurity program meets industry standard and regulatory compliance requirements. The internal auditor considers all the documentation related to your cybersecurity compliance program and then tests whether you maintained compliance with the internal controls defined.

In terms of governance, the internal auditor will review not only the controls defined by policies and processes but will also examine whether the compliance committee reports to the audit committee. For example, the internal auditor may review the compliance committee and audit committee meeting notes to ensure that the two teams are communicating risk and monitoring effectively. Then, the auditor will compare those notes to the Board meeting notes to ensure that the information flows through all stakeholders.

In essence, documenting communications and activities provides the proof auditors need to audit governance over the cybersecurity program.

How to use automation to ease auditing governance

Automation facilitates internal auditing of governance by enabling stronger communication and documentation.

Depending on the organization’s size, coordinating communication across the compliance committee, audit committee, and Board of Directors can become burdensome. Moreover, best practices also suggest that audit committee materials include executive summaries needed for identifying risks, issues, and next steps.

Thus, automation provides a way to streamline the governance auditing process. Shared drives can ease some of the communications burdens. Unfortunately, shared drives update any changes automatically which makes finding historical documentation time-consuming. The automatic updates also limit the information’s integrity since anyone with access can make changes, undermining governance.

Thus, organizations need a single-source-of-information that allows them to not only document their compliance activities but provide control over who can edit and change documents.

How ZenGRC enable auditing governance

ZenGRC’s System-of-Record makes continuous auditing and reporting easy. By streamlining the workflow, organizations can eliminate emails while tracing outstanding tasks. Additionally, the unified control management feature allows organizations to map controls across multiple frameworks, standards, and regulations to determine whether compliance gaps exist. This mapping capability enables organizations to ensure consistency that leads to stronger audit outcomes.

For example, as part of the System-of-Record dashboard, organizations have at-a-glance insight into the percentage of controls finalized and a portion of controls mapped to a particular framework.

ZenGRC’s streamlined workflow shows task managers the date on which a vendor provided a response and a status. These details mean that compliance managers no longer need to spend time following up with the organization’s multitudinous vendors.

GRC automation enables organizations to focus on the fundamental issues of compliance while eliminating the tedious tasks that often make compliance feel like a burden. Not only does this help compliance officers feel more effective at their jobs, but it also makes organizations more efficient at the ongoing task of governance and continuous monitoring.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.