0x30c4 / AutoCompliance

Automating the Implementation of a Cybersecurity Governance, Risk and Compliance Programme using Distributed Ledger Technologies

AutoCompliance

Research Questions and Deliverables (WIP)

  1. Can DLTs help implement a GRC programme better than other means?
    • A comparison report of DLT performance compared to the conventional means for implementing a GRC programme.
    • DLT solution(s) that assist with the implementation of a GRC programme in any given organisation.
  2. Is there anything that can’t or should not be automated in the implementation? Why?
    • A breakdown of all items that cannot be automated, with in-depth technical analysis as to why that is the case.
  3. Are existing implementation solutions suitable or is there more work to be done?
    • A definition of what is to be classified as “suitable”.
    • An outline of all that needs to be done to reach a suitable state.
  4. What possible future technical developments need to be accounted for in the GRC space?
    • A list of future technical areas and a description of how they should be accounted for in the future.
  5. Is machine learning the best way towards total zero trust security solutions?
    • A comparison report of ML performance compared to the conventional means for implementing zero trust security in an organisation’s network.
    • ML solution(s) that assist with the implementation of a zero trust security network in any given organisation.

Project Abstract

This project looks at how to automate the implementation of a programme of Cybersecurity governance, risk management and compliance in any given organisation through the use of Distributed Ledger Technologies. A comprehensive review of relevant and appropriate literature has been undertaken to inform the knowledge contained within the report. Consideration has been given to Cybersecurity and governance frameworks, risk management frameworks as well as global laws and regulations. Generic security missions, visions and values have been outlined to better inform the identification of GRC requirements for any given organisation. Using various professional practices that dynamically apply to any given organisation, a plan is to be automatically outlined and executed to implement the aforementioned programme of Cybersecurity governance, risk management and compliance using Distributed Ledger Technologies.

The report has been broken down into several sections: the introduction, background research, Cybersecurity GRC requirements, implementation approach and conclusions. The introduction sets the scene for the project. Background research examines the legal and regulatory issues relevant to different kinds of organisations as well as governance and risk management frameworks that may be of assistance when implementing a programme of Cybersecurity governance, risk and compliance in the organisation. The Cybersecurity GRC requirements section introduces various kinds of organisations and the GRC requirements of each kind. The implementation approach describes how Cybersecurity governance, risk management and compliance could be implemented using Distributed Ledger Technologies in a given organisation type. Finally, the conclusion enumerates the conclusions of this project.

The following frameworks are covered and implemented within this project to some extent: NIST, OSSTMM, PMMM, PMBoK, COBIT, ISO/IEC 27014:2020, National Cyber Security Strategy - Government of Ireland, NIST RMF, ISO/IEC 27005:2018, CMMC, GDPR, PCI DSS, ENISA Strategy, AT-101 (SOC2), ISO 9001:2015 and ISO/IEC 27001:2013.

License: GNU General Public License v3.0


Languages

Python 99.6%, Shell 0.4%