IT governance, risk and compliance (GRC) reflects a new way organisations focus on and manage an integrated approach to these areas, including the supporting measures, mechanisms and processes.
The aim of a GRC application is to ensure consistency, efficiency and transparency to multiple GRC processes throughout the organisation, with the collaboration from those responsible for corporate governance, compliance, risk management and IT auditing.
In a GRC application, bespoke solutions can be built from a set of core functions that should include:
* Visualisation
* Control and policy management
* Asset management
* Remediation
Visualisation
A GRC application should support highly flexible visualisation through dashboard and reporting functions. The data requiring representation should be stored in an underlying repository that will typically hold information collected and stored over time, including assets, policies, controls, risks, vulnerabilities, configuration, threats, projects, SLAs, etc.
The aim of visualisation is to present a dynamic view of IT GRC across the organisation in a personalised fashion to each of the support members in the GRC community, providing - at a glance - both status and detailed drill-down status of individual assets.
The flexible visualisation of a GRC application can significantly reduce the costs of manually collecting, collating and coordinating production of reports to support the organisation's GRC processes, including alleviating the extent and load of internal and external IT audits.
Control and policy management
Organisations today are inundated with regulatory mandates to force companies to behave responsibly. The quagmire of requirements, suggestions and best practices are leaving companies buried under mounds of paperwork, with IT staff working to manage policies and associated controls.
A GRC control and policy management solution can help an organisation with a framework to automate supporting processes, and management of policies, and controls. This framework should contain the following set of functionalities:
* Controls and policy mapping: This entails the ability to map the organisation's specific controls and policies into defined control objectives. This should include a controls and policy library based on industry-recognised control frameworks, regulations, standards and IT best practices such as Cobit, ITIL and ISO 27001.
* Policy distribution and attestation: This function supports the distribution of relevant policies and other soft information, and should include the management of the attestation process, ensuring policies have been read and understood, and that individuals across the organisation will comply.
* IT control self assessment and measurement: In addition to the GRC application being able to collect machine-sourced data, the application should enable the organisation to create and manage automated periodic questionnaires to capture knowledge stored within the company's most valuable assets - personnel.
Whether used to implement a weekly audit remediation status update, a monthly IS27001 assessment for site security officers, or a quarterly security awareness survey across the organisation's entire population, all results - when centrally collated and visually represented - can provide key metrics around the company's GRC posture.
Asset management
A GRC control and policy management solution can help an organisation with a framework to automate supporting processes, and management of policies, and controls.
Logan Hill is a business unit executive at Faritec.
Assets include all the items of an organisation where information is created, processed, stored, transmitted or discarded. Mapping and managing assets are essential to prioritise investments and concentrate efforts on most critical assets that sustain organisational processes.
A mature GRC application should be in a position to automate the asset management process by providing asset inventory (of IT and non-IT assets like people, processes and facilities), centralised repository and risk management, enabling the company to gather and store evidence and manage compliance with all standards relevant to its industry sector and improve the organisation's external audit posture.
Remediation
Identified gaps in compliance and authorised exceptions need to be effectively tracked through their lifecycles. When risk remediation tasks are closed by ticketing systems, the GRC application must be in a position to provide bi-directional communications for verification and presentation thereof in order for the risk team to be in a position to report effectively on the closure and or remediation/mitigation of the original risk.
Mature remediation management solutions can help an organisation manage the response to both ongoing risks that require remediation and the management and monitoring of audit point remediation to quickly improve the organisation's audit posture.
A mature GRC application, when effectively deployed, will provide the following support:
* Enable the implementation of a common framework to manage all GRC-related processes.
* Align risks and controls to policies, regulations and SLAs.
* Automate auditing and regulatory reporting requirements.
* Provide remediation and exception management.
* Logan Hill is a business unit executive at Faritec.
Share