Today, organizations of all shapes and sizes face stringent industry regulations and standards that often threaten hefty fines or even punishment for decision-makers in the case of non-compliance.
In addition, to Sarbanes-Oxley (SOX), CIOs and CSOs must understand and achieve compliance with the Health Insurance Portability and Accountability Act (HIPAA) for health-related industries; the Payment Card Industry Data Security Standard (PCI DSS) for organizations processing credit card transactions; and the Federal Information Security Management Act (FISMA) for federal agencies as well as many other global, national and industry-wide regulations and mandates.
While many CIOs secretly – and sometimes not so secretly! – wish to disregard such migraine-inducing acronyms, they exist for a reason: To bolster computer and network security in order to protect personal and private information as well as increase corporate accountability.
Ignoring compliance and getting caught is truly a CIO's worst nightmare since he is likely to be the “fall guy” who takes the blame. Failing a compliance audit could easily cost a CIO his or her job and the company millions of dollars in the event of a data breach or lawsuit.
Unfortunately, organizations have traditionally been slow to adopt unified systems for measuring risk, governing IT usage, and achieving compliance. They instead choose to go with a piecemeal, regulation-by-regulation approach because they are forced to put some makeshift measures in place.
Though compliance regulations are inherently complex, broad and confusing in scope, addressing them can be simplified by uniting three previously independent corporate silos – governance, risk, and compliance – into one comprehensive automated technical platform known as IT GRC.
GRC: New Acronym – New Concept?
Governance, risk and compliance are daunting concepts that each corporate department often faces on its own. Let's take a look at the meaning of each concept.
IT governance describes IT policies that define who within an organization is responsible for key decisions with regards to IT adoption and usage, who is held accountable for such decisions, and how results are monitored and measured. In real life, implementing IT governance strategies includes assigning committees to steer technology adoption, architectural reviews, and project analysis. Governance is about processes, processes, processes – all of which should support consistent and transparent methods for managing your information technology acquisitions and usage.
The next piece of the GRC pie is IT risk management. Almost always a constant source of paranoia for CIOs, risk management not only requires adapting to constantly changing business requirements, but also forces monitoring what technologies are deployed within the organization and digesting all potential risk factors stemming from partner solutions and acquired source code. In addition, risk management encompasses surviving a constantly changing threat landscape by tightening and optimizing an organization's information security, both perimeter and internal, while improving business agility and efficiency.
And now, for compliance, we return to the alphabet soup of corporate responsibilities and industry standards, namely, SOX, HIPAA, PCI DSS and FISMA, which all affect IT practices. IT compliance approaches governance in that, at its core, compliance relies on designing, assessing and implementing controls. These controls must map back to the various industry requirements and “best practices” that ultimately determine success or failure during an IT audit.
Spin the wheel of IT GRC, and you'll see why it makes sense to combine these domains.
Amongst governance, risk and compliance, there is significant overlap that can create inefficiencies and redundancies when addressed separately. For example, to mitigate risk and achieve compliance, IT governance processes must be fine-tuned and relevant.
Similarly, many compliance efforts are aimed to improve security and overlap with risk reduction efforts. Better governance typically helps one succeed in the compliance game.
In other words, IT governance, risk and compliance are interdependent and will be slower and more costly if addressed in isolation. Further, because each department within an organization (i.e. – finance, marketing, operations and, of course, IT) must be involved in all three, why not ensure consistency, eliminate redundancy and maximize efficiency by tying “G,” “R” and “C” initiatives across all departments?
Useful GRC vs choosing the "lesser Evil?"
So, by now, I hope you have made the switch to believing in IT GRC as a practical scheme for protecting your business from security threats, helping you pass your next audit and improving controls across the organization. What are the practical steps to success?
My suggestion is to approach GRC efforts as you would your own health and wellness program. First, realize that Rome was not built in a day. No matter how many high-fiber cereals you eat, how many hours you sleep, and how many times you visit the treadmill, you may not see immediate results and must also guard against overexertion and injury. In other words, start by implementing technologies that are guaranteed to improve your success with all three pillars of GRC, then build up from that.
As defined by analyst firms, common components of IT GRC include:
- Log management,
- Identity and access management,
- Configuration management, and
- Segregation of duties analysis.
Identifying automated technology solutions to address each of the above requires understanding their functions as applicable to GRC.
First off, the role of log management is to provide the first layer of detection, monitoring and, ultimately, accountability within your environment. Log data needs to be collected from your network, firewall, applications, databases, and more, in order to assess who is touching what, when, where and how. Log data cannot be a “dead weight.” It must be analyzed and reported on to assess the internal and external activities of an organization.
Interestingly enough, log data management tools also enable identity and access management efforts. When optimizing IdM deployments, managing inactive roles and capturing rogue identities, logs provide continuous fingerprints of all events occurring inside your organization.
Logging plays a role in configuration management as well by enabling a continuous audit of configuration changes and earning system for unauthorized configuration changes. While a review takes a snapshot of all configurations for operations or compliance, logging provides a way to monitor them and detect changes as they occur without waiting for a configuration audit.
Finally, logging helps bolster segregation of duties efforts by providing an assurance and accountability layer. Evidence of bad SoD practices and violations will appear in logs and can then be detected and investigated. As you can see, log management is at the root of IT GRC. When choosing a log management solution to automate and enable IT GRC, don't forget the need for scalability. The broad use of logging leads to intense scalability requirements; in addition, a logging solution should be able to grow with your business. Combining IT governance, risk and compliance activities may seem like an insurmountable obstacle for CIOs today, but, when approached holistically, GRC will ultimately simplify and strengthen your IT battery. Remember, there's no need to run before you can walk. Consider taking easy steps to building your IT GRC fortress: implement a scalable log management solution to begin capturing the events that will help determine future governance processes, risk analysis gaps and compliance goals. Gather input and feedback from individuals at all levels of your organization, and build a discipline by which everyone can abide. In short, the end goal of IT GRC should focus on creating standards of accountability, not only for your business, but for everyone.
GRC will simplify and strengthen your IT arsenal
