A global financial firm must comply with GDPR and SOX. The CISO wants to consolidate controls across frameworks using a single set of controls. Which approach best addresses this requirement?
- A. Adopt a unified control framework such as NIST SP 800-53. Correct: a single control set can be mapped to multiple regulations (GDPR, SOX), which is exactly the consolidation the CISO wants.
- B. Focus only on the most stringent regulation. Why wrong: ignores overlapping requirements.
- C. Implement automated GRC tools without changing controls. Why wrong: does not address control consolidation.
- D. Maintain separate control sets for each regulation. Why wrong: increases complexity and redundancy.