So what is Governance, Risk and Compliance (GRC)? There is much confusion when it comes to GRC and you may be saying “it’s all GReeC to me” (excuse the topical pun). Let me explain briefly.
G = Governance
Governance, an over-used term, is nonetheless essential for ensuring that what matters most to us is actually protected appropriately, through strong processes and oversight by accountable senior stakeholders.
R = Risk (Management)
All companies face enterprise security risks. Sometimes these are physical risks, like the possibility of a burst pipe in your data centre, but most security risks involve your critical information. Risk management is not about eliminating all risks but about addressing those you consider unacceptable to your organisation in its current state and context.
C = Compliance
Compliance may sound like the least exciting of the three and seem a passive activity: literally, to comply, in everyday English, is to “go along with” someone else’s rules or expectations. We all know, however, that being reactive, i.e. not being in the driving seat, can be expensive and exhausting, especially where there is a great deal of regulation. So, in my opinion, compliance is an unfortunate term and should be considered in a much more proactive, holistic light.
3 Parts of Governance, Risk and Compliance
The three facets of GRC together give a more rounded approach and ideally should be considered as a whole, since they are interlinked: good risk management, for example, helps achieve compliance by providing focus.
Good GRC consultants will help you consider your organisation’s aspirations and maturity with respect to security. To use a school analogy, achieving full marks in a test does not mean the questions have been fully understood or were even the right questions for you.
To avoid repeatedly being required to “score an A grade on each test” by yet another “independent auditor,” experienced GRC consultants should be able to help you:
- Understand and plan for regulatory compliance appropriate to your organisation’s sector, maturity and size – ideally taking a matrix approach, i.e. avoiding addressing each regulation/standard in isolation (considerable money can be saved by eliminating compliance overlap)
- Formulate a risk management approach that is appropriate to your organisation’s size and culture, i.e. as simple and understandable as possible, yet includes risk ownership and some accountability
- Consider information governance, i.e. understand and monitor where your critical information is held (this is particularly pertinent if cloud computing services are being considered and/or you are subject to far-reaching legislation such as the US Patriot Act)
Some Additional IT Risk Management Tips
The activities suggested below should incrementally improve your organisation’s security posture and make demonstrating compliance progressively less painful:
- Consider certification against a well-respected information security standard, e.g. ISO/IEC 27001 (the certifiable standard in the ISO 27000 series) – this can take rather a long time, but even the journey itself goes a long way towards demonstrating compliance with much of what other standards and regulations require
- If the above is not feasible for you, consider the rest of the tips below:
- Persuade the bosses of the importance of the business’s information and the benefits of proactive protection, rather than firefighting later
- Assess what policies you have, especially for incident management – they should be easily accessible and brief (with fuller versions available if required)
- Consider where automation is feasible, e.g. aspects of data centre automation
- Identify and equip an individual or team to monitor vulnerabilities and threats
- Consider what you monitor and how, plus how you can improve your ability to examine event histories
- Provide some basic training for all personnel in security awareness
- Ensure that senior management are regularly updated, in an appropriate way (i.e. in business terms), about changes in the organisation’s risks, so that they see security as aligned with and relevant to the real business
This list is not exhaustive but indicates what is widely accepted as good and reasonable practice, which is what a good compliance auditor should really be looking for, in my opinion.
What have your experiences been with Governance, Risk and Compliance? Do you have any additional tips to add?
For more information, you can download HP’s Governance, Risk, and Compliance Consulting and Project Services capability fact sheet.