Page 1: SLVA - Developing an IT GRC Strategy


Developing an IT GRC Strategy

Assess once, test once, satisfy many…

Kris Budnik

MD, SLVA Information Security

Page 2: SLVA - Developing an IT GRC Strategy

What is GRC?

An academic definition of the word “mess” – CFO Magazine

A prickly tangle of controls and practices buried inside functional or geographic silos with hundreds of isolated activities. Bewildering complexity and duplication, even as it leaves major gaps uncovered and fails to deliver the desired results - Deloitte

Isn’t the GRC acronym invented by consulting and technology firms to help sell services and software? – Risk Management Magazine

Page 3: SLVA - Developing an IT GRC Strategy

Current state of GRC activities in IT

BIAs

Information Risk Assessments

Data Classification

Maturity Assessments

Vulnerability Assessments

GCCs

SLA/OLA management

Configuration Management

Policies

Standards

Application Control and Authorizations (ACR)

Penetration Testing

Change Control

Performance Management

Incident Management

Access Management

Project Management

Laws/Regulations

Page 4: SLVA - Developing an IT GRC Strategy

But why is GRC important?

While there may be debate about the GRC term, there is near consensus on the following:

- Executives and directors are being held to higher standards and levels of accountability

- Compliance costs have spiralled amidst the increasing volume and complexity of laws, regulations and rules

- Stakeholders are more active and aggressive

- More transparency is demanded

- The speed and consequence of “risk events” have dramatically increased

- Lee Dittmar, Deloitte Consulting

Page 5: SLVA - Developing an IT GRC Strategy

So what is GRC really?

A system of people, processes and technology that enables an organisation to:

- understand and prioritize stakeholder expectations

- set business objectives that are congruent with values and risks

- operate within legal, contractual, internal, social and ethical boundaries

- provide relevant, reliable and timely information to appropriate stakeholders

- enable the measurement of the performance and effectiveness of the system

- OCEG

“…call it whatever you want. For the sake of argument, throw away the term altogether. Now ask yourself: Did the underlying business issues go away?”

- Lee Dittmar, Deloitte Consulting

Page 6: SLVA - Developing an IT GRC Strategy

Fitting the pieces together

• Identify all who play a part in the process: IT Ops, Security Ops, Information Risk, IT Audit, Information Security, Ops Risk, ERM, executive, etc.

• Identify what drives IT GRC in your environment: laws/regulations, industry standards, common practices, internal requirements

• Map the key elements of the IT operation that contribute to GRC in the environment

• Align the elements to remove duplication, identify control gaps and define effective measurement criteria

Page 7: SLVA - Developing an IT GRC Strategy

Integrated IT Governance, Risk and Compliance

Policies

Standards

Procedures

Laws/Regulations

BIAs

Information Risk Assessments

Data Classification

Maturity Assessments

Vulnerability Assessments

GCCs

ACRs

Page 8: SLVA - Developing an IT GRC Strategy

Maximising efficiency…

[Figure: drivers and constraints (Laws & Regulations, Industry Standards & Frameworks, Internal requirements) feed harmonised GRC objectives, which feed consolidated GRC activities: “Assess Once, Test once, Satisfy many”. Requirements R1 to R4 are mapped onto a shared set of controls C1 to C12.]

• Eliminating “silo” responses creates opportunities for harmonization and consolidation
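The crosswalk behind “assess once, test once, satisfy many”, and the “align elements, remove duplication, identify control gaps” step from the “Fitting the pieces together” slide, are easiest to see as data. The following is an added example, not code from the SLVA deck or from Deloitte: requirements from several authoritative sources are mapped many-to-one onto harmonised controls, one test verdict per control is propagated to every requirement behind it, unmapped requirements surface as gaps, and controls no driver asks for surface as orphans. The source names, requirement IDs, control IDs and test verdicts are all constructed for illustration.

```python
"""Requirement-to-control crosswalk: one test result feeds many requirements.

Added example; not code from the SLVA presentation. The framework names,
requirement IDs, control IDs and test results below are constructed.
"""
from collections import defaultdict

# Constructed sample requirements: (requirement_id, authoritative_source, text)
REQUIREMENTS = [
    ("R1", "Regulation A", "Review user access rights periodically"),
    ("R2", "Industry Standard B", "Recertify privileged accounts at least quarterly"),
    ("R3", "Internal Policy C", "Line managers confirm staff access each quarter"),
    ("R4", "Regulation A", "Remove access promptly on termination"),
    ("R5", "Industry Standard B", "Patch critical vulnerabilities within 30 days"),
    ("R6", "Internal Policy C", "Encrypt backups at rest"),
]

# Constructed harmonised controls, each backed by a single test that produces
# one piece of evidence per assessment cycle.
CONTROLS = {
    "C1": "Quarterly recertification of all accounts, privileged accounts first",
    "C2": "Leaver process disables access within 24 hours of termination",
    "C3": "Critical vulnerabilities remediated within 30 days",
    "C4": "Annual disaster-recovery exercise",  # traces to no requirement here
}

# Crosswalk: many requirements to one control. R6 is left unmapped on purpose
# so that a control gap shows up in the report.
CROSSWALK = {"R1": "C1", "R2": "C1", "R3": "C1", "R4": "C2", "R5": "C3"}


def control_gaps(requirements, crosswalk):
    """Requirements with no control behind them: nothing is being tested for them."""
    return [rid for rid, _, _ in requirements if rid not in crosswalk]


def orphan_controls(controls, crosswalk):
    """Controls no driver asks for: tested effort that satisfies nothing."""
    return sorted(set(controls) - set(crosswalk.values()))


def consolidation_ratio(requirements, crosswalk):
    """Mapped requirements per control actually exercised (the 'satisfy many')."""
    mapped = [rid for rid, _, _ in requirements if rid in crosswalk]
    exercised = {crosswalk[rid] for rid in mapped}
    return len(mapped) / len(exercised)


def requirement_status(test_results, requirements, crosswalk):
    """Propagate one test outcome per control to every requirement mapped to it."""
    status = {}
    for rid, _, _ in requirements:
        cid = crosswalk.get(rid)
        if cid is None:
            status[rid] = "GAP"
        elif cid not in test_results:
            status[rid] = "UNTESTED"
        else:
            status[rid] = "PASS" if test_results[cid] else "FAIL"
    return status


def per_source_summary(status, requirements):
    """Roll the per-requirement view back up to each authoritative source."""
    summary = defaultdict(lambda: {"PASS": 0, "FAIL": 0, "GAP": 0, "UNTESTED": 0})
    for rid, source, _ in requirements:
        summary[source][status[rid]] += 1
    return {source: dict(counts) for source, counts in summary.items()}


# Constructed evidence from one assessment cycle: one verdict per control tested.
TEST_RESULTS = {"C1": True, "C2": False, "C3": True}


if __name__ == "__main__":
    status = requirement_status(TEST_RESULTS, REQUIREMENTS, CROSSWALK)
    print("control gaps:", control_gaps(REQUIREMENTS, CROSSWALK))
    print("orphan controls:", orphan_controls(CONTROLS, CROSSWALK))
    print("requirements per exercised control: %.2f"
          % consolidation_ratio(REQUIREMENTS, CROSSWALK))
    for source, counts in per_source_summary(status, REQUIREMENTS).items():
        print(source, counts)
```

Three tests of C1, C2 and C3 here answer five requirements across three sources; a single failed leaver-process test (C2) is reported against Regulation A without being re-assessed, R6 shows as a gap because no control covers it, and C4 is flagged as work that no current driver requires. The same structure scales to the hundreds of sources and thousands of requirements quoted on the next slide; what changes is the size of the crosswalk, not the logic.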

Page 9: SLVA - Developing an IT GRC Strategy

Does it work?

The following is an example of the level of consolidation realized by a global financial services company’s Information Technology division…

139: authoritative sources that applied to the organisation’s global Information Technology division

4,900+: over 4,900 individual requirements

276: rationalized requirements, a reduction of more than 17 times from 4,900+

3 to 1: over 3 million hours of assessment and reporting reduced to 1 million hours across 30,000 employees

5 to 1: Information Security, BCP, FFIEC & FDICIA, PCI, and SOX assessments reduced to a single integrated RCSA

Source: Deloitte

Page 10: SLVA - Developing an IT GRC Strategy

Questions?

Thank you
