IT-GRC 101: FAQs
What is IT-GRC?
Gartner stated that the broad Governance, Risk, and Compliance (“GRC”) market includes the following areas:
- Finance and Audit GRC
- IT GRC Management
- Enterprise Risk Management
Governance is defined as “the responsibility of senior executive management and focuses on creating organizational transparency by defining the mechanisms an organization uses to ensure that its constituents follow established processes and policies. A proper governance strategy implements systems to monitor and record current business activity, takes steps to ensure compliance with agreed policies, and provides for corrective action in cases where the rules have been ignored or misconstrued.”
Risk management is defined as “the process by which an organization sets the risk tolerance, identifies potential risks and prioritizes the tolerance for risk based on the organization’s business objectives. Risk Management leverages internal controls to manage and mitigate risk throughout the organization.”
Compliance is defined as, “the process that records and monitors the controls, be they physical, logical or organisational, needed to enable compliance with legislative or industry mandates as well as internal policies.”
What do Governance, Risk, and Compliance have to do with each other?
Efforts should be made by an enterprise to find an appropriate balance between risk and reward. It is impossible to consider just one GRC factor without considering the other two. For example, if proper governance controls are not in place, you cannot effectively manage risk or compliance. These three activities are distinct and solve different problems in an organization, but are related. The goal is to get these three areas to work together and share information and processes.
But I am an IT professional. Do I really have to worry about IT-GRC?
Yes. IT has a dual role in GRC. The first is a supporting role: IT provides the infrastructure used to manage enterprise-wide GRC factors. The second is managing its own set of governance, risk, and compliance concerns within the IT context.
IT GRC is a business issue, not just a technology issue.
Although it may seem overwhelming, entities of all sizes are meeting the challenge. If a company experiences a security breach, significant damages may occur on many levels, including the loss of investor and customer confidence. If a company fails a regulatory audit, the executives may be subject to criminal and civil penalties. Corporations must ensure the confidentiality, integrity and availability of their data.
So now that I know I should care, what next?
Many information security standards and government regulations, such as COBIT, ISO 17799, HIPAA and PCI DSS, provide a solid foundation for corporate security policy.
According to the IT Governance Institute, there are five areas of focus:
Strategic alignment: Linking business and IT so they work well together. Typically, the lightning rod is the planning process, and true alignment can occur only when the corporate side of the business communicates effectively with line-of-business leaders and IT leaders about costs, reporting and impacts.
Value delivery: Making sure that the IT department does what’s necessary to deliver the benefits promised at the beginning of a project or investment. The best way to get a handle on everything is by developing a process to ensure that certain functions are accelerated when the value proposition is growing, and eliminating functions when the value decreases.
Resource management: One way to manage resources more effectively is to organize your staff more efficiently—for example, by skills instead of by line of business. This allows organizations to deploy employees to various lines of business on a demand basis.
Risk management: Instituting a formal risk framework that puts some rigor around how IT measures, accepts and manages risk, as well as reporting on what IT is managing in terms of risk.
Performance measures: Putting structure around measuring business performance. One popular method involves instituting an IT Balanced Scorecard, which examines where IT makes a contribution in terms of achieving business goals, being a responsible user of resources and developing people. It uses both qualitative and quantitative measures to get those answers.
In order to meet the above areas of focus, a program should be put in place to meet certain initiatives:
- Central repository of IT mandates, controls and control testing
- Policy and controls library
- IT control self-assessment
- Automated control monitoring
If all employees help to implement the policies, an organization's information security and regulatory compliance posture should be strong. The best way to get employees on board is through corporate security awareness and training.
What is Security Awareness Training?
Security Awareness Training is designed to educate users on the appropriate use, protection and security of information, individual user responsibilities and ongoing maintenance necessary to protect the confidentiality, integrity, and availability of information assets, resources, and systems from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.
Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical and, especially, information assets of that organization. Many organizations require formal security awareness training for all workers when they join the organization and periodically thereafter, usually annually.
Security awareness training should include discussion of the following topics:
- The nature of sensitive material and physical assets employees may come in contact with, such as trade secrets, privacy concerns and government classified information.
- Employee and contractor responsibilities in handling sensitive information, including review of employee nondisclosure agreements.
- Requirements for proper handling of sensitive material in physical form, including marking, transmission, storage and destruction.
- Proper methods for protecting sensitive information on computer systems, including password policy and use of two-factor authentication.
- Other computer security concerns, including malware, phishing, social engineering, etc.
- Workplace security, including building access, wearing of security badges, reporting of incidents, forbidden articles, etc.
- Consequences of failure to properly protect information, including potential loss of employment, economic consequences to the firm, damage to individuals whose private records are divulged, and possible civil and criminal penalties.
Can we conduct security awareness training alone or do we need outside help?
Tools are available to help the IT professional plan and execute an appropriate GRC policy. One such tool is SecureAware Policy & Awareness Suite. It is a policy management database for creating, maintaining and communicating your business’ security policies, procedures and guidelines. Using SecureAware Policy, you can collect policies and IT controls from disparate locations and consolidate them in one place to cost-effectively respond to new compliance mandates and audit requests.
What can happen if I don’t implement it effectively?
According to the European Network and Information Security Agency, “Awareness of the risks and available safeguards is the first line of defense for the security of information systems and networks.”
Here are some examples of bad training:
- Telling users not to open emails from people they don't know
- Telling users not to click on random links on Web pages
- Making users responsible for patching their own systems
Everyone has heard this sort of advice, and while in theory it's good, it doesn't take business realities into consideration. Good security training focuses on broader problems that don't lend themselves to pure technology solutions.
On average, 80% of security threats that impact the business are a result of employees who just didn’t know any better. Most security incidents occur when employees with authorized access to valuable corporate assets are unaware that they are using those assets inappropriately. Security risks can be dramatically reduced when people understand the role of security in their daily business functions. When employees are able to recognize security threats and take the proper corrective actions, risk drops dramatically and your business’ bottom line improves.
Conclusion
There are many motivators associated with IT GRC. These include pressure from shareholders, customers, and executive boards of directors. These also include the need to comply with a growing list of regulations related to financial and technological accountability.
A realistic and well-executed IT GRC program pays big dividends in reduced costs, reduced risk, consistent compliance, increased business and even better morale. Failing to comply with industry and governmental regulation comes at a great cost in the form of penalties, damage to the organization's brand and financial loss. To protect valuable data, enterprises today must look to improve their IT GRC programs from both a policy and a technology standpoint. The good news is that the executive suite is increasingly aware of the stakes and recognizes that IT GRC is a business decision that affects the viability of the whole company.
Remember there are tools available to help you navigate the overwhelming IT GRC landscape. Whether your issues are PCI compliance, governmental regulations, ISO 27000 best practices or managing evolving business risks, SecureAware allows your organization to respond effectively to these challenges and "future proof" your compliance program.
Sources:
http://en.wikipedia.org/wiki/Governance,_risk_management,_and_compliance
http://www.cmcrossroads.com/cm-journal-articles/10213-effective-it-grc-starts-at-the-top
http://csrc.nist.gov/groups/SMA/ate/index.html
http://www.cio.com/article/111700/IT_Governance_Definition_and_Solutions#what