BestGRC was co-founded by a longtime Chief Audit Executive (CAE) and longtime networking and web development professional. We have performed and/or responded to countless security and software audits at many public and private companies. So when it came time to develop BestGRC, our mission was to create an environment where our subscribers’ data is as or more secure than if it were stored/accessed in their own enterprise. These protections are as follows:

Hardware/Data Center/Back-up/Operations

For our GRC Hosting, BestGRC is hosted on Microsoft Azure in the cloud. Azure maintains ISO, SOC 1/2 and several other certifications. The database is not accessible at all from the public internet. It is on a local subnet that has no external access. Microsoft Azure is a highly secure and redundant platform. More information is @

Data Encryption “At Rest” and “Over-the-Wire”

The entire portal is encrypted with 256 bit SSL encryption. Subscriber data is encrypted in the standing database on the server and to/from your computer/mobile device and the server.

User Passwords and Sign-on

  • Two factor authentication (ID/password & device): At logon, BestGRC validates both the user credentials (User ID & password) and the device (IP) address. An unregistered device prompts BestGRC to send an email to the user with a secure link to register the device (IP) address and gain access.
  • User ID: A user’s system ID cannot be their email address, which is typically well known.
  • Complex passwords – Passwords must include one or more of the following – a capital letter, a lower case letter, a number and a special character.
  • Minimum Password Length – passwords must contain eight or more characters.
  • Maximum Sign-on Attempts – user accounts are “locked” after 5 bad password attempts. Additionally, any IP address attempting > 10 unsuccessful logins in a 24 hour period is blocked.
  • User Passwords Encryption – BestGRC uses one-way encryption. A forgotten password must be reset because it is unrecoverable.
  • Password Expiration – passwords expire after six months of inactivity. We believe this is long enough to avoid nuisance for active/legitimate users, but short enough to inactivate old/unused accounts.
  • Unique Passwords – the previous 10 passwords cannot be re-used.

Subscriber User Administration Tools

  • Role-Based Security – BestGRC uses role-based security to allow subscribers to easily assign their user to roles. One or more roles can be assigned to a user to grant desired access.
  • Multi-tier Access Rights – BestGRC defines certain “power user” roles who grant access to sites (e.g. stores), processes, audit test, control performance and others. This permits granting access to everything and only what a user requires to perform their tasks and manage their process.
  • Limited Data Export – most user roles have access to view everything need but cannot export/download information.

Application Security and Review of Security Logs

  • BestGRC has commercial grade application level security using Microsoft’s SQL Membership Provider.
  • All activity on each portal is logged, and the logs are reviewed regularly for suspicious activity.

Network Security Monitoring

  • All network traffic to and from the BestGRC application is continuously monitored by the Ra Security Systems Eye of Ra™ network security monitoring tools and the service team. Using the RaBox™ security appliance, all traffic is analyzed for indicators of compromise and malicious activity. Detection of suspect activity initiates prompt investigation and appropriate escalation in accordance with BestGRC security policies and procedures. See for more specifics of the network monitoring include with BestGRC.