Governance, Risk, & Compliance (GRC)

Services » Project & Advisory » Governance, Risk Management and Compliance (GRC)

Ready to take GRC responsibilities off your plate?

Assura can make it happen.

With Assura as your GRC partner, we can help create a framework for cybersecurity that best aligns with your organization’s business objectives. We do this through GRC leadership, policies, plans, procedures, and analysis. All to improve your organization’s cybersecurity posture, better manage risk, and ensure it remains compliant with all applicable regulations.

If you're in Virginia, are you in compliance with the
new SEC530 standard?

Deadline to comply is 3/31/24.

This new information security standard establishes a cybersecurity and risk management baseline for Commonwealth of Virginia agencies, commissions, and authorities. SEC501 to SEC530 introduced over 100 new controls, reflecting the evolving landscape of cybersecurity threats. If you need help navigating these requirements, we’re here to help. Please reach out with any questions and check out our SEC530 Cheat Sheet.

The Nuts and Bolts of our GRC Solution

Business Impact Analysis (BIA)

Provides a Foundation for the Availability Requirements of the Organization’s Business Continuity and Information Security Programs. 

What does the BIA accomplish?

  • Details recovery requirements of business functions and IT systems.
  • Provides impact information that can be utilized by various risk management functions within the organization.
  • Identifies which organizational units, operations, procedures, and processes are essential to stakeholders following a severe operational disruption, such as a disaster or data breach.


What value does the BIA deliver to the organization?

The analysis identifies the business units, operations, and processes essential to the recovery and security of the organization following a business disruption or disaster. This information is critical for developing Continuity Planning, IT Disaster Recovery, Crisis Management, and Information Security Incident Response Plans.

Data classification

Data Classification and System Sensitivity Analysis Identifies the Information Created and Managed by your Organization. 

This classification and analysis also includes the data protection requirements related to confidentiality, integrity, and availability.

What value does Data Classification deliver to the organization?

  • Allows you to understand what data it stores, transmits, or processes.
  • Classifies your data’s sensitivity as it relates to confidentiality, integrity, or availability.
  • Provides a process and structure for evaluating future data to ensure you have positive control over all its information.
  • Helps to right-size the controls for the data so that it meets the needs of the organization while being sensitive to system performance, resources, and cost.

Policies, standards, and guidelines

Includes all Activities to Develop, Refresh, or Refine Information Security Policies, Standards, and Guidelines with Supporting Procedures (PPSGs).

This effort brings everything into full compliance with ISO 27001, FFIEC, GLBA, FISMA, HIPAA, NIST, PCI DSS, and others as required or desired.

What value do policies, standards, and guidelines deliver to the organization?

PPSGs are the foundation of any information security program and must be completed first when an organization establishes a program.

Assura works with organizations to ensure:

  • PPSGs reflect the decisions made by the organization and not just a generic collection of requirements.
  • Any existing policies and procedures are utilized if possible to reduce the number of new materials introduced.
  • If existing policies and procedures carry over, they are compliant with standards and regulatory requirements.

Security Plans

Planning That’s Focused on Developing Security Capabilities within the Organization. 

Security Plans consist of documentation detailing the strategies, roles/responsibilities, actions, security/recovery controls, and resources necessary to meet security and resiliency requirements.

What value do Security Plans deliver to the organization?

Assura performs planning activities that result in many deliverables as listed below:

  • Auditable Event Plans
  • Backup and Restoration Plan (if not included in Information Technology Disaster Recovery Plan)
  • Change Management Plan
  • Configuration Management Plan
  • Continuity of Operations Plans
  • Continuous Monitoring Plans
  • Incident Response Plan
  • Information Technology Disaster Recovery Plans
  • Key Performance Indicators Plan
  • Media Sanitization and Destruction Plan
  • Policies, Standards, and Guidelines
  • Ports, Protocols and Services Plan
  • IT Operations and Security Procedures
  • Secure System Acquisition Plan
  • Software License Management Plan
  • Software Vulnerability Management Plan
  • System Hardening
  • System Security Plans
  • Ad Hoc Plans as Needed

Incident Response

Developing an Incident Response Plan for Information Security that Ties to the Organization’s Continuity and Crisis management Capabilities. 

Assura tests the capabilities of this program by utilizing testing strategies aligned with the organization’s risk profile, maturity of the program, and experience level of participants. We develop planning and exercise requirements with supporting documentation. These requirements are consistent with the selected program framework, Continuity Planning, and Information Security Planning for all legal, regulatory, contractual, and stakeholder requirements.

What value does Incident Response deliver to the organization?

As recent data breaches have shown, it rarely just affects the Information Security Program when an incident occurs. These types of events require coordination and input from various stakeholders. Incident response planning and exercise management create a powerful capability within your organization. You’re able to respond to any disruption or incident affecting information security and the organization’s continuity.

Risk Assessment

Providing a Structured and Systematic Analysis that Details the Hazards, Impact of Threats Realized, and Risk Mitigation Recommendations with Prioritization of Activities. 

Assura performs various risk assessments, such as:

  • Information Security Programs
  • Information systems/applications
  • Data centers
  • Network and infrastructure
  • Physical security
  • Third-party vendors


What value does Risk Assessment deliver to the organization?

  • Presents leadership with quantitative and qualitative risk information regarding information security risk.
  • Allows leadership to make informed decisions regarding the treatment of risk.
  • Provides resources to address the risk if it poses too much for the organization.

Compliance and security for any industry.

Guaranteed compliance with the following standards and regulations.










ISO 27001/27002

ISO 31000


IRS 1075


NIST SP 800-53

NIST SP 800-37

NIST SP 800-171




SSAE-18/SOC 2 & SOC for Cybersecurity

State-level data breach reporting and cyber security standards and data protection laws

If you get audited, Assura has you covered. Our AuditArmor® Audit Defense Guarantee means that we guarantee our work to be compliant with the identified cybersecurity frameworks and regulatory requirements (unless waived by you). We defend our work at no additional cost. Yes, we’re serious. And yes, we’re that confident in the quality of our work. We have you covered from entrance conference to exit conference and will work with your auditor or regulator to defend our work. On the off chance that a change needs to be made to the deliverable, we’ll do that for free. It’s that simple.

How we've helped protect industries like yours.

Protecting a university’s network against both hackers and a student workforce.

A university approached Assura with a unique challenge that most other organizations don’t have. Because they employ students to help run various aspects of the school, they needed a way to ensure these work-study employees didn’t accidentally put the university’s data at risk.

Helping a Virginia municipality discover a dangerous backdoor.

With attacks on municipalities on the rise, a midsized county in Virginia knew it needed to improve its cybersecurity posture. The problem was they were not sure where to begin. So they enlisted our services to help them determine their strengths and vulnerabilities.

An IT team of one quickly takes control of 400 vulnerabilities.

Organizations are inundated with hundreds of thousands of vulnerabilities every year. After years of experience, we know most organizations can only patch about 1 in 10 (10%) vulnerabilities discovered in their environment based on resource capacity.