IT GRC tools: Control your environment

IT governance, risk and compliance (GRC) tools help bring order to enterprises' crazy quilt of overlapping regulations, redundant audit programs and manual processes

By Neil Roiter

March 07, 2011 | CSO

As enterprises approach a high level of maturity in their IT governance, risk and compliance (GRC) programs, they face a conundrum: How can they effectively implement and manage policies and their supporting controls to maintain a strong risk posture? To add to the difficulty, the environments they manage are often widely distributed and subject to multiple regulatory requirements and internal audit requirements, and must adapt to changing business needs. GRC tools are designed to help.

"It's mostly about the maturity of the organization," says Paul Proctor, vice president of security and risk management at Gartner. "Are you ready for a more formalized and automated way of tracking controls? If you have your act together, you should be looking at this."

These products help automate GRC initiatives that are either largely manual or beyond the capabilities of most enterprises. They enable organizations to:

  • Create and distribute policies and controls and map them to regulations and internal compliance requirements.
  • Assess whether the controls are actually in place and working, and fix them if they are not.
  • Ease risk assessment and mitigation.

The GRC market is broadly divided into enterprise and IT products, though there is considerable overlap and the distinction is far from clear. This article focuses on IT operations, the problems organizations face and how IT GRC tools can help.

Analysts say the leading vendors most clearly identified with IT GRC include Agiliance, Modulo, RSA Archer, Rsam and Symantec, but there are wide differences even among their tools. Expect to spend considerable time defining your requirements and matching them against the capabilities and focus of the various tools.


The GRC Morass

Large organizations, in particular, struggle with a complex burden of IT policies and controls that can directly affect corporate risk. Almost all enterprises are subject to multiple sets of regulations—upwards of 20 in some cases—that require implementing and managing policies and their supporting controls, preparing and executing audits, and remediating risks. Regulations may apply across the enterprise or to specific business units.

Partners and business customers, in turn, may require regulatory compliance or adherence to standards such as COBIT or ISO 27001 as a condition of doing business. For your part, vendor management requires you to ensure that suppliers, service providers and so on are adhering to your standards.

Maintaining a strong security and risk posture is problematic. It's difficult to enforce strong change control, identify and remediate gaps in IT controls, manage the audit process and assess threats to your business. Mature companies have some sort of enterprisewide and, in some cases, centralized GRC programs, but are hamstrung by manual, redundant processes.
