Governance, Risk and Compliance (GRC) at Sourcegraph

What is GRC

GRC (Governance, Risk, and Compliance) is a critical component of a comprehensive security program. It provides a framework that helps organizations proactively identify and manage security risks, ensure compliance with security standards and regulations, and align their security operations with their strategic business goals.

How does GRC help and work at Sourcegraph

By implementing a GRC (Governance, Risk, and Compliance) program, Sourcegraph has established a structured approach to managing governance, risk, and compliance activities, providing several key benefits:

  • Our security policies help employees to perform their tasks with security in mind and with consistent security practices.
  • Our security risk register provides an overview of the most vulnerable areas, enabling Sourcegraph to prioritize its resources effectively.
  • Our control compliance was verified by an external party in the form of the SOC 2 attestation, which provides additional assurance to customers that Sourcegraph’s controls are effective and aligned with industry best practices.
  • Our GRC tool provides us with continuous visibility into the compliance (aka health) of our security controls, which gives us improved decision-making capabilities through the ability to track, analyze and report on GRC-related activities, data, and metrics.
  • By implementing and maintaining a GRC program we have improved our overall organizational reputation due to a well-managed and effective GRC program.

Tooling we use for GRC

Anecdotes is the tool we use internally for our risk register and control library.

Our new GRC tool, Anecdotes, is helping us in the following ways:

  1. Automation: Anecdotes automates several tasks such as data collection, analysis, and reporting. This means that we don’t have to spend hours manually updating spreadsheets or collecting evidence from all systems manually. This saves time and reduces the risk of errors through poor spreadsheet hygiene.
  2. Auditability and Collaboration: Anecdotes allows multiple users to access and work on the same set of data simultaneously, and all actions are tracked and recorded. This means everyone has access to the same up-to-date information and can share evidence without duplication. It also enables auditors to easily review our controls and compliance activities.
  3. Workflow management: Anecdotes provides us with workflow management capabilities, which enable us to work cross-functionally and in our familiar systems (such as Slack), to track the progress of tasks and approvals in real-time. This maintains the consistency in our processes, which is crucial to support efficient operations. Examples of workflows include evidence requests, risk approval/acceptance, risk mitigations tracking, and fulfillment.
  4. Reporting: Anecdotes provides advanced reporting capabilities, enabling us to generate reports quickly and easily. This means that we can easily identify areas of risk and compliance gaps and take corrective action. It also allows us to share reports with key stakeholders to demonstrate our commitment to security and compliance.
  5. Scalability: As our organization grows and evolves, Anecdotes can scale to accommodate new risks, controls, and compliance requirements. This means we can stay on top of our GRC responsibilities without needing to constantly adjust our processes and tools.

Overall, Anecdotes has helped us establish a more streamlined and efficient approach to GRC activities. It allows us to focus on the most important areas of risk and compliance, while providing auditors and other stakeholders (customers) with the evidence they need to ensure our controls are effective and aligned with best practices.