article Is IT Governance, Risk and Compliance Management Greek to You? in Enterprise Security Trends Blog | HP Blogs http://h30507.www3.hp.com/t5/Enterprise-Security-Trends-Blog/Is-IT-Governance-Risk-and-Compliance-Management-Greek-to-You/ba-p/103375 <p><font color="#000000"><font size="3">So what is Government Risk Compliance (GRC)? There is much confusion when it comes to GRC and you may be saying “it’s all GReeC to me” (excuse the topical pun). Let me explain briefly.</font></font></p><p><font color="#000000" size="3"> </font></p><p><strong><font color="#000000"><font size="3">G = Governance</font></font></strong></p><p><strong><font color="#000000" size="3"> </font></strong></p><p><font color="#000000"><font size="3">Governance, which is an over-used term, is nonetheless essential for ensuring that what is most important to us is actually protected appropriately through strong processes and oversight by accountable senior stakeholders.</font></font></p><p><font color="#000000" size="3"> </font></p><p><strong><font color="#000000"><font size="3">R = Risk (Management)</font></font></strong></p><p><strong><font color="#000000" size="3"> </font></strong></p><p><font color="#000000" size="3">All companies face </font><a href="http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290&amp;pageTitle=enterprise-security&amp;contentView=business" target="_blank"><font color="#0000ff" size="3">enterprise security</font></a><font size="3"><font color="#000000"> risks. Sometimes these are physical risks like the possibility of a burst pipe in your data center, but most security risks involve your critical information. Risk management is not about eliminating all risks but addressing those which you consider to be unacceptable to your organisation in its current state and context.</font></font></p><p><font color="#000000" size="3"> </font></p><p><strong><font size="3"><font color="#000000">C = Compliance</font></font></strong></p><p><strong><font color="#000000" size="3"> </font></strong></p><p><font size="3"><font color="#000000">Compliance may sound like the least exciting of these and seem to be a passive activity – literally, to comply, in everyday English, is to “go along with” someone else’s “rules” or expectations. We all know that being reactive however, i.e. not being in the driving seat, can be expensive and exhausting, especially in the context of much regulation. So, in my opinion, compliance is an unfortunate term and should be considered in much more of a proactive, holistic light.</font></font></p><p><font color="#000000" size="3"> </font></p><p><strong><font size="3"><font color="#000000">3 Parts of Governance, Risk and Complaince</font></font></strong></p><p><strong><font color="#000000" size="3"> </font></strong></p><p><font size="3"><font color="#000000">The 3 facets of GRC do give more of a rounded approach and ideally should be considered together as they are interlinked, e.g. good risk management can help in achieving compliance through providing focus.</font></font></p><p><font color="#000000" size="3"> </font></p><p><font size="3"><font color="#000000">Good GRC consultants will help you consider your organisation’s aspirations and maturity with respect to security. To use a school analogy, achieving full marks in a test does not mean the questions have been fully understood or were even the right questions for you. </font></font></p><p><font color="#000000" size="3"> </font></p><p><font size="3"><font color="#000000">To avoid repeatedly being required to “score an A grade on each test” by yet another “independent auditor,” experienced GRC consultants should be able to help you:</font></font></p><p><font color="#000000" size="3"> </font></p><ul><li><font color="#000000"><font size="3">Understand and plan for regulatory compliance appropriate to your organisation’s sector, maturity and size – ideally taking a matrix approach, i.e. avoiding addressing each regulation/standard in isolation (considerable money can be saved by eliminating compliance overlap)</font></font></li><li><font color="#000000"><font size="3">Formulate a risk management approach that is appropriate to your organisation’s size and culture, i.e. as simple and understandable as possible, yet includes risk ownership and some accountability</font></font></li><li><font color="#000000" size="3">Consider information governance, i.e. understand and monitor where your critical information is (this is particularly pertinent if </font><a href="http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-300983&amp;pageTitle=cloud-computing&amp;contentView=business" target="_blank"><font color="#0000ff" size="3">cloud computing</font></a><font size="3"><font color="#000000"> services are being considered and/or you are subject to powerful legislation such as the US Patriot Act)</font></font></li></ul><p><font color="#000000"> </font></p><p><strong><font size="3"><font color="#000000">Some Additional IT Risk Management Tips</font></font></strong></p><p><strong><font color="#000000" size="3"> </font></strong></p><p><font size="3"><font color="#000000">Activities that should incrementally improve your organisation’s security posture and can help compliance demonstrations become less and less painful are suggested below:</font></font></p><p><font color="#000000" size="3"> </font></p><ul><li><font color="#000000"><font size="3">Consider certification against a well-respected information security standard, e.g. ISO27000 – this can take rather a long time but even the journey itself can go a long way to show compliance with some/all of most other standards/regulations </font></font></li></ul><p> </p><ul><li><font color="#000000"><font size="3">If the above is not feasible for you, consider the rest of the tips below:</font></font><ul><li><font color="#000000"><font size="3">Persuade the bosses of the importance of the business’s information and the benefits of proactive protection, rather than firefighting later</font></font></li><li><font color="#000000"><font size="3">Assess what policies you have, especially for incident management – should be easily accessible and brief (with fuller versions available if required)</font></font></li><li><font color="#000000"><font size="3">Consider where automation is feasible, e.g. aspects of data centre automation</font></font></li><li><font color="#000000"><font size="3">Identify and equip an individual or team to monitor vulnerabilities and threats</font></font></li><li><font color="#000000"><font size="3">Consider how and what you monitor plus how you can improve your capability to examine event histories</font></font></li><li><font color="#000000"><font size="3">Provide some basic training for all personnel in security awareness</font></font></li><li><font color="#000000"><font size="3">Ensure that senior management are regularly updated, in an appropriate way (i.e. in business terms), about changes in the organisation’s risks, so that they see this as being aligned with and relevant to the real business   </font></font></li></ul></li></ul><p><font color="#000000" size="3"> </font></p><p><font size="3"><font color="#000000">This list is not exhaustive but is an indication of what is widely accepted as good and reasonable practice - which is what a good compliance auditor should really be looking for, in my opinion.</font></font></p><p><font color="#000000" size="3"> </font></p><p><font size="3"><font color="#000000">What have your experiences been with Governance, Risk and Compliance? Do you have any additional tips to add?</font></font></p><p><font color="#000000" size="3"> </font></p><p>For more information, you can download HP’s <a href="http://h20195.www2.hp.com/V2/GetPDF.aspx/4AA3-5510ENW.pdf" target="_blank"><font color="#0000ff">Governance, Risk, and Compliance Consulting and Project Services</font></a> capability fact sheet.</p> Fri, 02 Dec 2011 15:01:02 GMT NeilPass 2011-12-02T15:01:02Z Is IT Governance, Risk and Compliance Management Greek to You? http://h30507.www3.hp.com/t5/Enterprise-Security-Trends-Blog/Is-IT-Governance-Risk-and-Compliance-Management-Greek-to-You/ba-p/103375 <p><strong><font color="#000000">If GRC is Greek to you, you’re not alone. But it doesn’t have to be complicated. Check out these tips and steps to help simplify Governance, Risk and Compliance Management starting with an easy definition.</font></strong></p> Fri, 02 Dec 2011 15:01:02 GMT http://h30507.www3.hp.com/t5/Enterprise-Security-Trends-Blog/Is-IT-Governance-Risk-and-Compliance-Management-Greek-to-You/ba-p/103375 NeilPass 2011-12-02T15:01:02Z Re: Is IT Governance, Risk and Compliance Management Greek to You? http://h30507.www3.hp.com/t5/Enterprise-Security-Trends-Blog/Is-IT-Governance-Risk-and-Compliance-Management-Greek-to-You/bc-p/115679#M61 <p>Nice read on GRC.</p> Tue, 12 Jun 2012 00:51:18 GMT http://h30507.www3.hp.com/t5/Enterprise-Security-Trends-Blog/Is-IT-Governance-Risk-and-Compliance-Management-Greek-to-You/bc-p/115679#M61 Bob Jones 2012-06-12T00:51:18Z