Enterprise Security Trends Blog | HP Blogs
Keep up with the latest cyber, consumerisation, collaboration and cloud enterprise security trends from the team of HP information security professionals.

Is IT Governance, Risk and Compliance Management Greek to You?

So what is Governance, Risk and Compliance (GRC)? There is much confusion when it comes to GRC, and you may be saying “it’s all GReeC to me” (excuse the topical pun). Let me explain briefly.

G = Governance

Governance, although an overused term, is nonetheless essential for ensuring that what is most important to us is actually protected appropriately, through strong processes and oversight by accountable senior stakeholders.

R = Risk (Management)

All companies face enterprise security risks. Sometimes these are physical risks, like the possibility of a burst pipe in your data centre, but most security risks involve your critical information. Risk management is not about eliminating all risks but about addressing those which you consider unacceptable to your organisation in its current state and context.

C = Compliance

Compliance may sound like the least exciting of these and may seem to be a passive activity – literally, to comply, in everyday English, is to “go along with” someone else’s “rules” or expectations. We all know, however, that being reactive, i.e. not being in the driving seat, can be expensive and exhausting, especially in the context of heavy regulation. So, in my opinion, compliance is an unfortunate term and should be considered in a much more proactive, holistic light.

3 Parts of Governance, Risk and Compliance

The three facets of GRC together give a more rounded approach, and ideally they should be considered together because they are interlinked; for example, good risk management can help in achieving compliance by providing focus.

Good GRC consultants will help you consider your organisation’s aspirations and maturity with respect to security. To use a school analogy, achieving full marks in a test does not mean the questions have been fully understood, or even that they were the right questions for you.

To avoid repeatedly being required to “score an A grade on each test” by yet another “independent auditor,” experienced GRC consultants should be able to help you:

  • Understand and plan for regulatory compliance appropriate to your organisation’s sector, maturity and size – ideally taking a matrix approach, i.e. avoiding addressing each regulation/standard in isolation (considerable money can be saved by eliminating compliance overlap)
  • Formulate a risk management approach that is appropriate to your organisation’s size and culture, i.e. as simple and understandable as possible, yet one that includes risk ownership and some accountability
  • Consider information governance, i.e. understand and monitor where your critical information is (this is particularly pertinent if cloud computing services are being considered and/or you are subject to powerful legislation such as the US Patriot Act)

Some Additional IT Risk Management Tips

Activities that should incrementally improve your organisation’s security posture, and that can help make compliance demonstrations less and less painful, are suggested below:

  • Consider certification against a well-respected information security standard, e.g. ISO27000 – this can take rather a long time, but even the journey itself can go a long way towards demonstrating compliance with some or all of most other standards/regulations

  • If the above is not feasible for you, consider the rest of the tips below:
    • Persuade the bosses of the importance of the business’s information and of the benefits of proactive protection, rather than firefighting later
    • Assess what policies you have, especially for incident management – these should be easily accessible and brief (with fuller versions available if required)
    • Consider where automation is feasible, e.g. aspects of data centre automation
    • Identify and equip an individual or team to monitor vulnerabilities and threats
    • Consider how and what you monitor, plus how you can improve your capability to examine event histories
    • Provide some basic training for all personnel in security awareness
    • Ensure that senior management are regularly updated, in an appropriate way (i.e. in business terms), about changes in the organisation’s risks, so that they see this as being aligned with and relevant to the real business

This list is not exhaustive, but it is an indication of what is widely accepted as good and reasonable practice - which is what a good compliance auditor should really be looking for, in my opinion.

What have your experiences been with Governance, Risk and Compliance? Do you have any additional tips to add?

For more information, you can download HP’s Governance, Risk, and Compliance Consulting and Project Services capability fact sheet.

Comments
Bob Jones(anon) | ‎06-12-2012 01:51 AM

Nice read on GRC.

About the Author
  • A business-first senior executive, with over 20 years of hands-on experience in defending banks, governments and corporations against cyberwarfare. My career in security started when I was employed to crack a secure system, which had locked down the boot process, whitelisting of applications and encrypted disks. I linked TeamOffice (an ICL email and collaboration system) with Microsoft Word to send an email which allowed me to do anything the person reading the email could do and send the results back to me, all without their knowledge. Having proved this vulnerability, I worked with Peter Simpson to create Defuse, a tool that blocked inappropriate actions. This successfully blocked Winword Concept, the first known malicious code in the wild. From these beginnings I have investigated all aspects of security to provide a holistic approach to security as a business enabler, and I am currently advising organisations on the suitability of the cloud to their needs.