Dos and don’ts for IT GRC success

Mar 07, 2011
Compliance, Data and Information Security, Government

Throwing tools at the problem won't get you anywhere. Experts provide IT GRC guidance for making your life simpler - not more complicated.

DO agree on an IT-GRC implementation strategy. Moving disjointed, manual processes into an automated, centralized tool is an enormous undertaking. While a giant boa constrictor can unhinge its jaw and swallow a large mammal whole, that strategy is not advisable for your enterprise.

Choose a high-priority area for your initial implementation, preferably one that will produce a quick ROI. This will give you a record of success to build on and give you and the users a working knowledge of how to use the software, assess its value and share their knowledge with others. Take a top-down approach that will serve as a model as you expand, rather than a controls-centric tactic that won’t scale well.

This first deployment should be initiated in the context of a larger plan for rolling out the IT GRC across the enterprise. After all, the goal is a centralized, automated, standards-based enterprisewide deployment.

“Initiate a GRC road map, looking at all different GRC processes,” says RSA Archer’s Aldrich. “Where do I need more help in terms of automating processes? Where can I increase speed by getting more information and make sure it becomes valuable to the business?”

DON’T neglect the stakeholders. IT GRC is a massive undertaking. It cannot succeed unless the people who are expected to use the tools effectively are intimately involved in the process. They know where the pain points are and how the processes work, they understand the business risks and potential benefits, and they are familiar with the policies, controls and compliance obligations.

Stakeholders include (but aren’t limited to): IT operations and security, enterprise and operational risk, business continuity and disaster recovery, IT audit, general audit, and corporate compliance.

“You also want feedback from the lines of business,” says Rasmussen. “They have to interact with the system. Look for champions out there.”

DO make your case with ROI. You can make a strong argument for IT GRC based solely on ROI. Companies can save many thousands of dollars on external audits alone—Rasmussen says one company reduced its expense on external IT auditors by 18 percent. Symantec’s Achard says one client made the case for its IT GRC tool based on the cost of a three-day service outage that was caused by a database misconfiguration.

You can calculate the man-hours spent collecting information from questionnaires, populating spreadsheets, gathering audit data and keeping it current, and responding to auditor requests. As you evaluate the tools on the market, you can estimate the savings. These savings will increase as you apply the GRC tools to more requirements and as they become more deeply entrenched in the enterprise.

In addition, as processes become more automated and efficient, organizations can spend less time gathering and managing information, allowing them to devote more time to risk mitigation and remediation.

“Start looking through the organization and the different compliance processes,” says RSA Archer’s Aldrich. “What tool sets are you using, what’s manual, how many people [does] it take? Then tie that back to ROI metrics.”

For a contrarian view, see Forrester’s blog post “Avoid the ROI discussion if possible (but if you can’t, here are some tips).”

DO use IT GRC to facilitate mergers and acquisitions. Newly acquired companies come with their own policies, IT controls (or lack thereof), change-control processes, IT and security systems and applications, and so on. You can effectively use your IT GRC tool to perform a series of analyses to determine how their current policies, processes and practices stack up against yours, so you understand where you need to make changes, especially where you find areas of high risk.

DO look for integration with your existing infrastructure. IT GRC tools should be able to consume data from your IT and security systems and applications. This integration is crucial to automating your processes. Key areas include change-control mechanisms (ticketing systems, configuration management, and so on), asset management and vulnerability management.

Some other tools that bring value through automated information gathering include data loss prevention tools, intrusion detection or intrusion prevention systems, and security information and event management systems. If you don’t already have systems for handling such tasks as asset management, change-control workflow, and vulnerability scanning, some vendors offer their own tools.

DO assess your organization’s maturity level. Organizations that already have a strong, if inefficient, GRC program in place are the most likely to benefit from IT GRC tools. Enterprises that create well-defined corporate IT policies, follow standards such as COBIT and ISO, and have strong change-control processes are prepared to take the next step with automation.

Less-mature organizations may want to apply these tools in a more limited scope, perhaps relying on consultants and professional services to bring their GRC programs along to the point at which they can realize greater value.