Bringing GRC Federation into IT Security

Email     |     Share  
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11
Next Bringing GRC Federation into IT Security-3 Next

Ensuring the taxonomies of risk and compliance remain unique where they need to be, and centralized at the risk and control framework level.

When looking at how your organization manages risk, you can expect to find varied approaches, disciplines and perspectives. The project management office (PMO) will be looking at a different set of risk factors than operational risk, audit or security. Security application risk assessments may leverage network and application vulnerability information, as well as business continuity information on maximum downtime tolerances. The audit group may have a different method for assessing current and emerging risks, while ensuring controls are effective and properly designed. The operational risk group may look at risk in terms of its velocity, frequency and severity when assessing internal and external loss events. All of these approaches are valid.

The actual risk rating for a set of processes will likely vary based on the perspective of the assessor. Federation respects different perspectives through an appropriate weighting and roll up, and the rationalization of perspectives against a common risk and control framework. At its very core, a federated GRC program strives to achieve a common risk and control framework and issue and remediation process, while also supporting a wide variety of taxonomies, processes, metrics and workflows.

What is federated GRC?

GRC, by definition, involves bringing together governance, risk and compliance disciplines from across an increasingly complex, extended enterprise with deep interlocks to customer and supplier eco-systems. While it’s not realistic to expect organizations to converge on a common set of GRC processes across this complex landscape, there is huge value in taking a federated approach to GRC that leverages the common risk elements from each business unit, IT and security teams, and management of third parties.

Building a federated GRC capability involves understanding the information architecture and processes that are critical to improving business performance, lowering risk exposure, and ensuring compliance with policies and regulations across the entire organization and its vendor communities. It’s important to engage stakeholders from different business units and collaboratively define what needs to be common, versus what can, or must remain federated, but rationalized through a roll-up in the context of the organization as a whole – its strategic objectives, its legal obligations and its risk appetite.

The degree of federation that makes sense will be very tightly tied to the operating model, and will reflect the reporting requirements and decision-making authority that resides within each unit. For example, a highly distributed organization with very distinct businesses may require a broader degree of federation than a global organization that is highly regulated, and therefore requires greater consistency and predictability across the business. Federation requires an understanding of your organization, its natural structure, and its objectives in order to strike the right balance.

Yo Delmar, vice president, MetricStream, has identified steps organizations can take to establish an integrated GRC and security approach using a "federated" model.


Related Topics : Unisys, Stimulus Package, Security Breaches, Symantec, Electronic Surveillance

More Slideshows

Social14-190x128.jpg 10 Ways to Improve Your Social Media Security Policy and Posture

When phone calls, video conference information, pictures, chat logs, etc. are all stored in a central location via social media, a potential hacker has access to just about everything, quickly and easily. ...  More >>

Security120-290x195 5 DDoS Myths Debunked

Unearth the real story behind five commonly held myths about distributed denial-of-service attacks. ...  More >>

Security119-190x128 8 Tips for Ensuring Employee Security Compliance

IT security ultimately depends on making sure employees use the appropriate tools and comply with policies designed to protect them and their data/applications. ...  More >>

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.