Chapter 3

Statutory and Regulatory GRC


Security criteria for governance, risk, and compliance are covered in this chapter, to include US federal statutory laws and requirements, federal agency regulatory requirements, and various international and industry standards and requirements.


Today’s security world includes a major change from the past. All security and corporate managers now need to be concerned with compliance and governance of risks, security, and the information usage in their systems. These processes have evolved over the past 10 years into an area known as GRC. GRC is an acronym for governance, risk, and compliance and includes corporate considerations of risks, methods, ...

Get Security Controls Evaluation, Testing, and Assessment Handbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.