Given an opportunity to 'build GRC from scratch'
NOT career advice - current practitioner advice being sought.
Context - Cyber analyst team of 3 (2 CISSPs, with different skill sets, e.g. app dev, Cisco certs, CyberArk, etc.) - current responsibility: infra control review and setup for on-prem FW and WAFs, EDR, vulnerability mgmt (risk-based approach)
Industry-relevant frameworks: CTPAT, NIST CSF and insurance requirements. No PCI.
Cyber Manager/Director left - role open for 3 months, still interviewing. We report directly to the VP of IT, who asked us to build out the GRC function. Other security functions are at about 2/5 CMMI.
I am the one that took the opportunity, as I've been pitching a risk-based approach for Vuln Mgmt. I am also looking for roles outside of this org and saw it as good career development.
After some research I presented the VP with a 12-18 month approach in 4 phases. I am currently in phase 1. Unfortunately he is not someone I can lean on for guidance, and without a direct manager I'm doing this on my own. Would you practitioners be able to give me some guidance?
Phase 1 (0-60 days):
Risk register currency update - started
Did a presentation on why GRC for all of IT - done
GRC charter draft - done
Asset criticality - done
App criticality - not started
Policy gap analysis - done
Does this look like a good place to start? We will likely not be going with a tool but remaining in the world of spreadsheets, in the near term at least.