As enterprises approach a high level of maturity in their IT governance, risk and compliance (GRC) programs, they face a conundrum: How can they effectively implement and manage policies and their supporting controls to maintain a strong risk posture? To add to the difficulty, the environments they manage are often widely distributed and subject to multiple regulatory requirements and internal audit requirements, and must adapt to changing business needs. GRC tools are designed to help.
"It's mostly about the maturity of the organization," says Paul Proctor, vice president of security and risk management at Gartner. "Are you ready for a more formalized and automated way of tracking controls? If you have your act together, you should be looking at this."
These products help automate GRC initiatives that are either largely manual or beyond the capabilities of most enterprises. They enable organizations to:
- Create and distribute policies and controls and map them to regulations and internal compliance requirements.
- Assess whether the controls are actually in place and working, and fix them if they are not.
- Ease risk assessment and mitigation.
The GRC market is broadly divided into enterprise and IT products, though there is considerable overlap and the distinction is far from clear. This article focuses on IT operations, the problems organizations face and how IT GRC tools can help.
Analysts say the leading companies that are most clearly identified as IT GRC include Agiliance, Modulo, RSA Archer, Rsam and Symantec, but there are wide differences even among their tools. Expect to spend considerable time defining your requirements and matching them against the capabilities and focuses of the various tools.
The GRC Morass
Large organizations, in particular, struggle with a complex burden of IT policies and controls that can directly affect corporate risk. Almost all enterprises are subject to multiple sets of regulations—upwards of 20 in some cases—that require implementing and managing policies and their supporting controls, preparing and executing audits, and remediating risks. Regulations may apply across the enterprise or to specific business units.
Partners and business customers, in turn, may require regulatory compliance or adherence to standards such as COBIT or ISO 27001 as a condition of doing business. For your part, vendor management requires you to ensure that suppliers, service providers and other third parties are adhering to your standards.
Maintaining a strong security and risk posture is difficult under these conditions. It's hard to enforce strong change control, identify and remediate gaps in IT controls, manage the audit process and assess threats to your business. Mature companies have some sort of enterprisewide and, in some cases, centralized GRC programs, but are hamstrung by manual, redundant processes.
"People are doing IT GRC whether they are calling it that or not, but they are document-centric [solutions], using spreadsheets and other documents, SharePoint," says Michael Rasmussen, president of Corporate Integrity. "Spreadsheets are a recipe for disaster. Eventually, they outgrow this; they don't have proper audit trails and it becomes unmanageable."
IT GRC challenges include:
Mapping policies and controls. Compliance with most regulations and standards can be maintained mainly through overlapping policies and controls. The same or similar access controls, data encryption, password standards, separation of duties and strong authentication requirements may satisfy the demands of multiple regulations. But enterprises typically fall short in mapping those controls to applicable regulations and using that knowledge to reduce redundancy from one audit to the next.
Audit fatigue. In the absence of centralized policy and control standards, each regulation is dealt with separately and audits are done individually. Enterprises and their business units and departments go through each audit as a discrete exercise.
Security exposure. IT regulatory requirements are intended to enforce good security policies and controls. Ironically, the enormous effort required to audit a large enterprise for compliance often distracts from a company's ability to focus on identifying its true level of exposure. Uncoordinated information gathering makes risk assessment difficult.
"Without having one location to see how policies and controls map, organizations fall into audit fatigue," says Anthony Johnson, director of information security for the compliance management group at Advance Auto Parts, an Agiliance customer. "They are chasing compliance and not managing security risk, and security risk is what protects the organization."
Redundancy and inefficiency. Without a common control-assessment framework, policies are likely to be inconsistent, out of date and scattered across file shares. Different stakeholders and parts of the organization each subject the same areas of the business to their own separate assessments.
So, for example, a business unit or department may have to deal with one assessment and internal audit from legal, another from security, another from enterprise risk management, another from compliance, and so on. Rinse and repeat for each regulation, standard or internal policy. Typically, they cover many of the same or similar controls and policies, but neither the assessment-and-audit effort nor the information obtained are shared.
"It's not unheard of for one team to get five to 10 risk or compliance questionnaires, all from separate groups working in silos," says Philip Aldrich, senior manager for RSA Archer. "So you wonder, 'Isn't anyone talking to each other? Why do I keep answering the same questions, the same way every time?'"
Spreadsheets and questionnaires are time-consuming and redundant, plus they quickly fall out of date and are difficult to share. They place an enormous burden on those providing the information and on those who collect, correlate and analyze it. Vendor management, for example, can be a particularly time-consuming, resource-intensive burden.
"You have to do due diligence and assess vendors, but the scope is beyond corporate resources," says John Ambra, director of technical services at Modulo. "We have clients with 10,000 vendors and a huge vendor-management team—20 people just doing calls."
How IT GRC Tools Help
IT GRC tools provide coordination and standardization of policies and controls.
They offer a common interface for users and create a common repository for information covering internal and regulatory requirements, and for data gathered from documents, questionnaires, and other security and IT systems.
They map policies and controls to regulations and standards.
"With a relational data model that has a unifying control set, you can collect data and look at it without having to collect it again," says Melanie Achard, senior product manager at Symantec. "You can de-dupe and rationalize controls to reduce the amount of effort [required] to comply with multiple regulations."
Enterprises can customize these mappings for internal policies and controls as well as for external requirements. Mappings greatly reduce redundant efforts, enabling an "assess once, comply many" approach, so that the same information can be applied to multiple assessments and audits. For example, the same policies and responses regarding strong passwords can be re-applied for multiple regulations.
"We have some 800 general control requirements from the IT side," says Advance Auto's Johnson. "The GRC tool helps us map requirements automatically and dig that information out when we need it. It's a much clearer way to map and manage it all."
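The "assess once, comply many" idea above, as an added illustration that is not code from the article or from any of the GRC vendors it names: a unifying control set shared by several regulations, so a single assessment result per control is reused for every regulation that references it. The regulation and control names and the assessment results are constructed placeholders.

```python
# Regulation -> the controls it requires. Constructed sample mapping;
# real programs have hundreds of controls (the article cites ~800).
REGULATION_CONTROLS = {
    "REG-A": {"password-policy", "mfa", "encrypt-at-rest", "sod"},
    "REG-B": {"password-policy", "mfa", "encrypt-in-transit", "change-control"},
    "REG-C": {"password-policy", "encrypt-at-rest", "encrypt-in-transit",
              "sod", "logging"},
}

# One assessment pass over the unified control set. Constructed results:
# "sod" failed, "logging" was never assessed, everything else passed.
ASSESSMENT = {
    "password-policy": True, "mfa": True, "encrypt-at-rest": True,
    "encrypt-in-transit": True, "sod": False, "change-control": True,
}

def unified_control_set(reg_map):
    """The de-duplicated set of controls that covers every regulation."""
    return set().union(*reg_map.values())

def redundancy_saved(reg_map):
    """Assessments avoided by testing each control once rather than once per regulation."""
    per_regulation = sum(len(controls) for controls in reg_map.values())
    return per_regulation - len(unified_control_set(reg_map))

def compliance_gaps(reg_map, results):
    """Per regulation, the controls that failed or were never assessed.
    A missing result is a gap: an unassessed control is not evidence of compliance."""
    gaps = {}
    for reg, controls in reg_map.items():
        failing = sorted(c for c in controls if not results.get(c, False))
        if failing:
            gaps[reg] = failing
    return gaps

def regulations_affected(reg_map, control):
    """Which regulations a single failing control puts at risk."""
    return sorted(reg for reg, controls in reg_map.items() if control in controls)

if __name__ == "__main__":
    print("unified controls:", sorted(unified_control_set(REGULATION_CONTROLS)))
    print("assessments saved:", redundancy_saved(REGULATION_CONTROLS))
    print("gaps:", compliance_gaps(REGULATION_CONTROLS, ASSESSMENT))
    print("'sod' affects:", regulations_affected(REGULATION_CONTROLS, "sod"))
```

Running it shows 13 per-regulation checks collapsing to 7 shared controls, and that one failed control ("sod") immediately surfaces as a gap in every regulation that depends on it.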
They automate information gathering.
Questionnaires can be distributed through the IT GRC tool interface or a Web portal and collated and correlated automatically, without swapping e-mails and spreadsheets.
Existing spreadsheets and policy documents can be ported to the automated tool. In addition, these tools will automatically collect data from IT and security systems.
They automate assessment and remediation of technical controls.
Based on data gathered from people and other systems, GRC tools reduce the time and resources that must be devoted to identifying compliance gaps and managing remediation, and they improve the accuracy of assessments.
They provide up-to-date, customizable, automated reporting and analysis.
The tools make change-control workflow and accountability more efficient by tying in to your existing systems and ensuring that the right people made and approved changes. This provides accountability and allows an audit trail to be produced on demand.
They improve security.
GRC tools can perform automated gap analysis, and they can rapidly extract relevant data and assess risk based on current posture, asset value to the business and threat status. In some cases, controls can be mapped against risk scores and vectors.
"If one of these high-risk controls has any sort of failure deficiency, I can automatically see that," says Johnson. "Our architects or engineers can start looking at that; we can focus on immediate risk and not just compliance risk."
They enable enterprises to rapidly adapt to change.
As new applications and systems come on line, employees come and go, and relationships with new partners and vendors are established, IT GRC tools help organizations adapt to and absorb the changes rapidly.
"What drives a lot of interest is the need for agility," says Rasmussen. "You can go from acceptable to unacceptable risk, from compliance to noncompliance in a second. With these tools, you can manage risk and compliance in the context of change."
IT GRC Selection Criteria
As mentioned earlier, these tools are complex and vary widely—one size does not fit all. Some are strong on policy management, others excel in their support for integration with other tools and systems. One tool may have the richest content library of controls, compliance mappings, threat information, and so on, while another may be notable for its flexibility and extensibility.
"The first question you should ask," says Gartner's Proctor, "is what audience—executives, internal auditors, regulators—are you trying to serve? It stuns me how many companies just don't think of this."
Here are some criteria for determining your corporate IT GRC needs and what you should look for to meet them:
Assess your programs for managing policy, investigations, audit, compliance, and risk. Then determine which of these are your highest priorities and match them against each tool's capabilities. "You want to understand the complexity and burden on your business to see how to make it more efficient through the software you buy," says Rasmussen. "Take an inventory of what you are trying to do today. What assessments are out there, what risk areas, compliance areas?"
See if the data repository is robust and scalable enough to meet your current and future requirements.
Determine what kind of content you have and what kinds you expect the vendor to supply.
Use the interface. Is it clear and concise? Will your users be able to navigate it and accomplish their tasks easily?
Learn how much integration will be required. Will you have to use in-house or third-party developers?
Decide how much you can do on your own and where you may need professional services.
Assess the automation capabilities. Does the tool have an easy way to automate complex processes? Does the automation deliver value where your organization most needs it?
Investigate how the tool models risk. Some may have rudimentary dashboards that only display a red, yellow or green light, while others may apply sophisticated metrics and risk analysis and provide detailed diagrams and models.
See what external data sources are tied in. What threat and compliance update feeds can be linked to keep risk assessment and compliance current?
Look for a business-process-modeling feature that allows you to visually lay out your business processes, define risk and control points, and see where risks and exposures are.
Study the survey capabilities. Are they advanced enough to meet your needs?
Evaluate whether the tool meets your reporting requirements for management, operations and audit.