IT GRC TOOLS - KEY ISSUES & TRENDS

Original filename: IT GRC TOOLS - KEY ISSUES & TRENDS.pdf
This PDF 1.4 document was generated by Adobe InDesign CS5.5 (7.5.3) / Adobe PDF Library 9.9 and uploaded to pdf-archive.com on 14/08/2014. File size: 216 KB (11 pages).

www.maclear-grc.com

IT GRC

CONTENTS
Introduction
IT GRC Landscape
IT GRC Tools - Key Issues & Trends
Key Challenges
Benefits of Integrating IT GRC
IT Risk Management Framework
IT GRC Solution
IT GRC Solution - Key Features
IT GRC Framework - Implementation
360 Degree of Risk
Aggregating across IT and Security Ecosystem
Sustainability and Best Practices for Deploying IT GRC
IT GRC Automation
Conclusion

INTRODUCTION
2013, already being referred to as the “Year of Data Leaks”, saw 2,164 separate data breaches
that exposed over 822 million records. Hacking accounted for almost 60% of incidents and over
70% of leaked records. A report by Symantec put the average cost of a data breach in 2013 at
between $1.1 million at the low end and $5.4 million at the high end. When we consider that a
data security breach is just one of the many threats facing an organization, the estimated
business impact of security breaches, regulatory non-compliance and ineffective governance is
staggering.
The modern organization operates in a complex, high-risk environment. At one level it is
affected by macro changes such as economic downturns, political instability and disasters. At
another it has to contend with unprecedented volumes of data and must ensure data security and
effective data validation amid increasing consumerization of IT, digital convergence and
ever-changing compliance regulations. Organizations today are under tremendous pressure to
ensure sound governance, operational transparency and effective risk management while
maintaining profitability and competitive edge. This necessitates a comprehensive focus on IT
GRC, with technology-enabled solutions to create and manage the necessary governance
frameworks.
This whitepaper focuses on the ways in which IT GRC can be implemented, its best practices
and its key benefits for an organization.

IT GRC LANDSCAPE
Technology enablement has driven the major shifts in the GRC space over the last few years.
Organizations that use technology to enable their GRC processes have significant advantages
over those that do not: lower cost of risk management, stronger compliance and audit controls
and processes, streamlined reporting and analytics, and better risk management overall. It is,
however, important to note the key issues faced by IT GRC and some of the recent trends in this
space.


IT GRC TOOLS - KEY ISSUES & TRENDS
ISSUES
• Non-standard definition of GRC across industries, which makes the target state unstable
and requirements hard to define
• Multiple and increasingly complex regulatory environments
• Legacy GRC systems are application-specific; vendors find it difficult to generalize their
products or to find alternative uses for them
• Lack of maturity in enterprise GRC solutions for handling complex organization structures
and data flows
• Lack of visualization and advanced dashboarding
• Lack of analytics capabilities
• Difficulty obtaining real-time data feeds from disparate sources
• More often than not, GRC initiatives are not driven from the top layers of leadership

TRENDS
• Rapid growth of GRC solutions as organizations realise the need for robust risk
management frameworks
• Increasing technology enablement of GRC processes within the organization
• Entry of many top technology companies into the GRC space, including through
acquisitions and alliances
• Focus on advanced analytics and business intelligence in the GRC space
• Adoption of web-based GRC products, which are easily accessed and maintained
• Increasing use of Business Process Management (BPM) for GRC processes
• Robust testing mechanisms for GRC solutions, including continuous monitoring

KEY CHALLENGES
With the IT enterprise generating unprecedented volumes of data, the biggest challenge facing CIOs is
the effective management and analysis of information to aid the business without compromising data
security. On average, at least one third of the information generated by an enterprise needs to be
assessed for risk and compliance. At the same time, organizations need relevant information delivered
at the right time to the right people, not only to leverage customer insights but also to maintain
and deepen their edge over the competition. Leveraging big data effectively and securely poses
significant operational challenges in IT infrastructure, governance, risk management, data quality
and compliance, especially when departments work in silos.
Evolving technologies like mobility, BYOD, cloud computing, machine-to-machine communication and
connected devices, and trends like social media, add to the CIO's GRC challenge. GRC processes need
to be extended to the newer technologies, devices and services used by employees and by the
business as a whole. In fact, most CIOs today want to integrate risk and compliance awareness into
regular employee communication to ensure maximum data security and regulatory compliance. At the
same time, organizations need to evaluate and assess the effectiveness of their data security
measures.


BENEFITS OF INTEGRATING IT GRC
The biggest question in context of a technology enabled IT GRC solution is about the benefits that it can bring to the
organization. Given the elaborate and complex implementation and deployment process of IT GRC it is important to have a
clear view of the benefits offered by the IT GRC solution:

REDUCED RISK
• Ongoing risk detection and assessment
• Enhanced risk mitigation
• Assured compliance

IMMEDIATE ROI
• Compliance and controls
• Risk and losses

LOWER ONGOING COSTS
• Reduced number of IT controls
• Lower headcount requirements
• Reduction in audit and external fees
• Lower IT costs

BETTER BUSINESS DECISIONS
• Reputation management
• Revenue management
• Visibility
• Transparency
• Strategic value

The IT GRC solution benefit analysis can also be approached from a different angle, namely, quantitative or qualitative
benefits:

QUANTITATIVE BENEFITS
• Tight control over the recommendations and action plans process and its resources
• Increased risk and compliance management efficiency and effectiveness
• Focus of risk, compliance, audit and functional resources on the highest risks or opportunities
• Year-over-year performance gains through continuous improvement
• Closed-loop management of issues, findings, remediation and action plans
• Greater cross-organizational visibility of risk issues and compliance deficiencies
• Greater ROI on fees paid to external auditors and consultants
• A corporate culture stressing higher compliance awareness, reducing the need for mitigation and remediation
• Lower risk of non-compliance arising from audit findings and observations

QUALITATIVE BENEFITS
• Build shareholder value through better auditing and compliance practices

IT RISK MANAGEMENT FRAMEWORK
[Figure: IT risk management framework, three domains of processes arranged around Business Objectives]

Risk Governance - IT risk management practices are deep-rooted in the organization
• Establish and maintain
• Integrate with ERM
• Make risk-aware

Risk Evaluation - IT related risks and opportunities are proactively identified, analyzed and presented in business terminology
• Collect data
• Analyze risk
• Maintain risk profile

Risk Response - IT related risk issues are handled in a cost effective manner and aligned to business priorities
• Articulate risk
• Manage risk
• React to events

IT GRC SOLUTION
An advanced, comprehensive, enterprise-level IT GRC software solution streamlines IT GRC processes, helps manage risk
effectively and supports meeting regulatory requirements. It enables companies to implement a formal framework to rigorously
measure, mitigate and monitor risks, and it simplifies and reduces the cost of compliance with the many regulations governing
data retention, privacy, confidential information, financial accountability and recovery from disasters.

IT GRC SOLUTION - KEY FEATURES
Business Functions - Integrates various business functions such as IT governance, policy management,
risk management, compliance management, audit management, and incident management

Governance Frameworks - Create, measure, monitor, and manage IT governance programs based on
control frameworks like COBIT, ISO 27001, NIST, and ITIL

Compliance Requirements - Access to various compliance requirements such as FFIEC, PCI, FISMA, GLBA,
HIPAA, NIST and many others

Threat Management - Standardized Investigation Processes to address organization level global security
threats

Workflow - Enables an automated and workflow driven approach to managing, communicating and
implementing IT policies and procedures across the enterprise

Process Management - Provides a mechanism for managing IT surveys, certifications, self-assessments,
and audits

IT Audit Management - Streamlines and strengthens the entire audit management life cycle by helping to
understand, measure, analyze and improve the organization’s functions and processes

Documentation - Provides a centralized solution for storing documents related to IT risks, mitigation plans,
questionnaires, checklists, assets, defining controls, and risk assessments

Risk & Issue Management - Provides a robust issue management system for capturing and tracking IT
issues, incidents, and threats as well as implementing corrective and preventive actions (CAPA)

KRIs - Provides well defined key risk indicators with scope for customizations, assessment results, and
compliance initiatives

Reporting - Provides dashboarding and integrated reporting capabilities covering self-assessments, manual
assessments and automated control mechanisms, with built-in data analytics and IT GRC intelligence capabilities


IT GRC FRAMEWORK - IMPLEMENTATION
There are two strategies that an organization can take when implementing an IT GRC framework. These are (1) Obtaining a 360
degree view of Enterprise Risk, and (2) Aggregating across the IT and Security Ecosystems in the organization.

360 DEGREE OF RISK
[Figure: four questions that together give a 360 degree view of enterprise risk]
• Threats - What is the threat landscape?
• Vulnerabilities - How are we vulnerable?
• Business Impact - What is the likely magnitude of loss?
• Risk Appetite - What is our appetite, and how does that translate into thresholds?

• Ultimate Objective: Risk Intelligence - right metrics for better business performance through active governance
• Threat, Vulnerability, Risk, mean different things to different stakeholders - common model and taxonomy
• Threat Intelligence, Incident Response and Crisis Management - integrated, agile processes to protect against advanced
persistent threats and complex attacks
• Information Security ecosystem is orthogonal to IT - embedded in the business process
• Governance, Risk and Compliance Management - single repository for analytics and one version of the truth


AGGREGATING ACROSS IT AND
SECURITY ECOSYSTEM
• Leverage a common GRC platform, with an asset inventory, risk and control framework and
nomenclature
• Integrate with Security and IT monitoring systems – provide business context for security
and IT
• Leverage Heat maps, KRIs, KPIs for decision support and business intelligence
• Use customized automated notifications when thresholds are breached
• Integrate tests and exercises with Business Continuity and Disaster Recovery programs
• Streamline risk management – single information model, cross-functional collaboration,
multi-dimensional risk assessments
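The two lists above (the 360 degree questions, and the aggregation across the IT and security ecosystem) describe a data pipeline in prose: a common asset inventory and taxonomy, feeds normalized from disparate security and IT monitoring systems, a KRI compared against a threshold derived from risk appetite, heat-map colouring, and an automated notification when the threshold is breached. The script below shows that pipeline end to end. It is an added example written for this page, not code from the whitepaper or from any Maclear product; the asset inventory, both feeds, the severity-to-likelihood scale, the heat-map bands and the 25% appetite threshold are all constructed and hypothetical.

```python
"""Aggregate findings from disparate feeds onto one asset inventory, score
risk with a common taxonomy, evaluate a KRI against the risk-appetite
threshold and raise a notification when it is breached.
Added illustration: every asset, feed record and threshold here is constructed."""
import csv
import io
import json
from dataclasses import dataclass, field

# Common taxonomy: likelihood is the worst open finding (1-5), impact is set
# by the business (1-5), risk = likelihood x impact on a 25-point heat map.
SEVERITY_LIKELIHOOD = {"low": 1, "medium": 2, "high": 4, "critical": 5}
RISK_APPETITE = {"high_impact_exposed": 0.25}   # hypothetical approved threshold


@dataclass
class Asset:
    asset_id: str
    owner: str              # business owner: the business context for security data
    business_impact: int    # 1 (negligible) .. 5 (severe)
    findings: list = field(default_factory=list)


def build_inventory():
    """Constructed asset inventory with hypothetical hostnames and owners."""
    return {a.asset_id: a for a in (Asset("web-01", "Payments", 5),
                                    Asset("db-01", "Payments", 5),
                                    Asset("kiosk-7", "Facilities", 1))}


# Constructed feed 1: vulnerability scanner export, CSV with CVSS base scores.
VULN_FEED = """\
host,finding_id,cvss
web-01,scan-1,9.8
kiosk-7,scan-2,7.5
unknown-host,scan-3,9.1
"""
# Constructed feed 2: SIEM alerts, one JSON object per line.
SIEM_FEED = """\
{"asset": "db-01", "rule": "brute_force_login", "severity": "high"}
{"asset": "web-01", "rule": "webshell_upload", "severity": "critical"}
"""


def cvss_to_severity(score):
    """Map a CVSS v3 base score to its qualitative rating band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"


def ingest(inventory, vuln_csv, siem_jsonl):
    """Normalize both feeds into one finding record {source, id, host, severity}
    and attach each to its inventory asset. Findings for hosts missing from the
    inventory are returned as orphans: an unknown asset is itself a governance
    gap and must not be silently dropped."""
    orphans = []

    def attach(finding):
        asset = inventory.get(finding["host"])
        (asset.findings if asset else orphans).append(finding)

    for row in csv.DictReader(io.StringIO(vuln_csv)):
        attach({"source": "vuln_scan", "id": row["finding_id"], "host": row["host"],
                "severity": cvss_to_severity(float(row["cvss"]))})
    for line in siem_jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            attach({"source": "siem", "id": ev["rule"], "host": ev["asset"],
                    "severity": ev["severity"]})
    return orphans


def asset_risk(asset):
    """Likelihood (worst open finding) times business impact; 0 if clean."""
    if not asset.findings:
        return 0
    worst = max(SEVERITY_LIKELIHOOD[f["severity"]] for f in asset.findings)
    return worst * asset.business_impact


def heat_map_cell(score):
    """Bucket a 25-point risk score into the three colours of a heat map."""
    return "red" if score >= 15 else "amber" if score >= 8 else "green"


def kri_high_impact_exposed(inventory):
    """KRI: share of high-impact assets (impact >= 4) carrying an open high or
    critical finding from any source."""
    high_impact = [a for a in inventory.values() if a.business_impact >= 4]
    exposed = [a for a in high_impact
               if any(f["severity"] in ("high", "critical") for f in a.findings)]
    return len(exposed) / len(high_impact) if high_impact else 0.0


def evaluate(inventory, appetite):
    """Return one notification per KRI breaching its appetite threshold, naming
    the red assets and their business owners so the alert carries context."""
    value = kri_high_impact_exposed(inventory)
    limit = appetite["high_impact_exposed"]
    if value <= limit:
        return []
    red = [f"{a.asset_id} ({a.owner})" for a in inventory.values()
           if heat_map_cell(asset_risk(a)) == "red"]
    return [f"KRI high_impact_exposed={value:.2f} exceeds appetite {limit:.2f}; "
            f"red assets: {', '.join(red)}"]
```

With the constructed data, web-01 scores 25 and db-01 scores 20 (both red), kiosk-7 scores 4 (green), the scan-3 finding is returned as an orphan because `unknown-host` is not in the inventory, and the KRI evaluates to 1.00 against an appetite of 0.25, so one notification is produced. The orphan list is the part a practitioner should watch: a feed that names assets the inventory does not know is the first sign that the "single information model" the text calls for has drifted.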

SUSTAINABILITY AND BEST
PRACTICES FOR DEPLOYING IT GRC
Automation of IT GRC processes is a must-have item on most CIO wish lists today. When
implementing IT GRC solutions it is crucial to remember that no solution can be truly effective
without the right monitoring systems. A comprehensive statement of the objectives for IT GRC
automation, coupled with the expected deliverables and benefits against which performance will
be evaluated, is an effective way of implementing a sustainable, cutting-edge IT GRC platform.
