This is quite a topic... and I don't think there is a single "good" or "wrong" way to do GRC, so I can't just say that we designed eramba by implementing our way and, whenever possible, we adapt to others.
- In general, I seem to take the same approach as Noah does.
- The link between Control Catalogue / Policy Exceptions and Assets could work. It would answer the question "what assets are part of this exception?".
- The link between Compliance Management / Compliance Analysis and Assets could work. It would answer the question "what assets are subject to this and that compliance requirement?".
Good example, thank you for that. I would (and I'm sure there are other ways):
1- Talk to the control owner (the person that runs end-point systems, for example) and agree what systems are in the scope of malware. I would define them as "generic assets" under Asset Management / Asset Identification, for example: "Windows End-Point Systems".
2- Define what the malware control is and what governance it will have (how it is installed, how it is monitored, how it is going to be updated, how we will react to an alarm, how we'll audit it, etc.). I'll then create one or more controls and policies under "Control Catalogue/*".
3- Create a Risk Mgt. / Asset Risk Management entry, set as input the assets in #1, set "mitigation" and the controls / policies defined in #2. Print a PDF of the risk, get sign-off from the system guys.
If later on they want to exempt the anti-malware end-point on some system for whatever reason, that would need a "Control Catalogue / Policy Exception" which would be tied to the policies defined in #2.
If any of you have attended our trainings, do we explain things well enough?