Enterprise Security Trends Blog | HP Blogs

turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Subscribe
Article Options

Is IT Governance, Risk and Compliance Management Greek to You?

by NeilPass on 12-02-2011 03:01 PM

So what is Government Risk Compliance (GRC)? There is much confusion when it comes to GRC and you may be saying “it’s all GReeC to me” (excuse the topical pun). Let me explain briefly.

 

G = Governance

 

Governance, which is an over-used term, is nonetheless essential for ensuring that what is most important to us is actually protected appropriately through strong processes and oversight by accountable senior stakeholders.

 

R = Risk (Management)

 

All companies face enterprise security risks. Sometimes these are physical risks like the possibility of a burst pipe in your data center, but most security risks involve your critical information. Risk management is not about eliminating all risks but addressing those which you consider to be unacceptable to your organisation in its current state and context.

 

C = Compliance

 

Compliance may sound like the least exciting of these and seem to be a passive activity – literally, to comply, in everyday English, is to “go along with” someone else’s “rules” or expectations. We all know that being reactive however, i.e. not being in the driving seat, can be expensive and exhausting, especially in the context of much regulation. So, in my opinion, compliance is an unfortunate term and should be considered in much more of a proactive, holistic light.

 

3 Parts of Governance, Risk and Complaince

 

The 3 facets of GRC do give more of a rounded approach and ideally should be considered together as they are interlinked, e.g. good risk management can help in achieving compliance through providing focus.

 

Good GRC consultants will help you consider your organisation’s aspirations and maturity with respect to security. To use a school analogy, achieving full marks in a test does not mean the questions have been fully understood or were even the right questions for you.

 

To avoid repeatedly being required to “score an A grade on each test” by yet another “independent auditor,” experienced GRC consultants should be able to help you:

 

  • Understand and plan for regulatory compliance appropriate to your organisation’s sector, maturity and size – ideally taking a matrix approach, i.e. avoiding addressing each regulation/standard in isolation (considerable money can be saved by eliminating compliance overlap)
  • Formulate a risk management approach that is appropriate to your organisation’s size and culture, i.e. as simple and understandable as possible, yet includes risk ownership and some accountability
  • Consider information governance, i.e. understand and monitor where your critical information is (this is particularly pertinent if cloud computing services are being considered and/or you are subject to powerful legislation such as the US Patriot Act)

 

Some Additional IT Risk Management Tips

 

Activities that should incrementally improve your organisation’s security posture and can help compliance demonstrations become less and less painful are suggested below:

 

  • Consider certification against a well-respected information security standard, e.g. ISO27000 – this can take rather a long time but even the journey itself can go a long way to show compliance with some/all of most other standards/regulations

 

  • If the above is not feasible for you, consider the rest of the tips below:
    • Persuade the bosses of the importance of the business’s information and the benefits of proactive protection, rather than firefighting later
    • Assess what policies you have, especially for incident management – should be easily accessible and brief (with fuller versions available if required)
    • Consider where automation is feasible, e.g. aspects of data centre automation
    • Identify and equip an individual or team to monitor vulnerabilities and threats
    • Consider how and what you monitor plus how you can improve your capability to examine event histories
    • Provide some basic training for all personnel in security awareness
    • Ensure that senior management are regularly updated, in an appropriate way (i.e. in business terms), about changes in the organisation’s risks, so that they see this as being aligned with and relevant to the real business  

 

This list is not exhaustive but is an indication of what is widely accepted as good and reasonable practice - which is what a good compliance auditor should really be looking for, in my opinion.

 

What have your experiences been with Governance, Risk and Compliance? Do you have any additional tips to add?

 

For more information, you can download HP’s Governance, Risk, and Compliance Consulting and Project Services capability fact sheet.

We encourage you to share your comments on this post. Comments are moderated and will be reviewed and posted as promptly as possible during regular business hours.

To ensure your comment is published, please follow our community guidelines.

Post a Comment
Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
 

Find HP in Social Media

Facebook Twitter YouTube SlideShare Flickr
About the Author
  • After graduation from Oxford University, Paul developed laser technology for NASA satellites, before moving into IT Security at Cable & Wireless in 2000, where he led the development of Internet Security Services. In 2005, Paul joined Vistorm, now HP Enterprise Security Services, as a Security Architect, where he is technical lead for mobile device and endpoint security solutions. Paul is CISSP and ITPC certified, is a CLAS consultant and M.Inst.ISP. He has recently completed the MSc Information Security at Royal Holloway, University of London.
  • A business first, senior executive, with over 20 years of hands on experience in defending banks, governments and corporations against cyberwarfare. My career in security started when I was employed to crack a secure system, which had locked down the boot process, whitelisting of applications and encrypted disks. I linked TeamOffice (an ICL email and collaboration system) with Microsoft Word to send an email which allowed me to do anything the person reading the email could do and send the results back to me, all without there knowledge. Having proved this vulnerability, I worked with Peter Simpson to create Defuse, a tool that blocked inappropriate actions. This successfully blocked Winword Concept, the first known malicous code in the wild. From these begginings I have investigated all aspects of security to provide an holistic approach to security as a business enabler and currently advising organisations on the suitability of the cloud to their needs.