Bringing GRC Federation into IT Security

Email     |     Share  
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11
Next Bringing GRC Federation into IT Security-6 Next

Balancing coordination of shared IT, security and GRC data and resources and services with distributed business unit management of GRC to provide more centralized oversight.

Federated risk management establishes enterprise-wide risk taxonomies for risk identification, analysis and treatment, while supporting distinct risk taxonomies, methods and workflows that meet the needs of a particular organization. Risk information is aggregated, rationalized and normalized for enterprise risk reporting based on a common framework, a process for capturing incidents, findings and issues, and a workflow for executing remediation plans.

A flexible data model is table stakes for a successful federated approach. Technology can really help build a foundation for federation - in fact, federation can’t really be done well without it. A GRC data model needs to support the definition of organization entities, and libraries of shared policies, risks, controls and assets, but also be capable of extending to support unique data and workflows within a business unit or group. In this way, a GRC platform can act as a central repository that provides a single version of the truth.

What is federated GRC?

GRC, by definition, involves bringing together governance, risk and compliance disciplines from across an increasingly complex, extended enterprise with deep interlocks to customer and supplier eco-systems. While it’s not realistic to expect organizations to converge on a common set of GRC processes across this complex landscape, there is huge value in taking a federated approach to GRC that leverages the common risk elements from each business unit, IT and security teams, and management of third parties.

Building a federated GRC capability involves understanding the information architecture and processes that are critical to improving business performance, lowering risk exposure, and ensuring compliance with policies and regulations across the entire organization and its vendor communities. It’s important to engage stakeholders from different business units and collaboratively define what needs to be common, versus what can, or must remain federated, but rationalized through a roll-up in the context of the organization as a whole – its strategic objectives, its legal obligations and its risk appetite.

The degree of federation that makes sense will be very tightly tied to the operating model, and will reflect the reporting requirements and decision-making authority that resides within each unit. For example, a highly distributed organization with very distinct businesses may require a broader degree of federation than a global organization that is highly regulated, and therefore requires greater consistency and predictability across the business. Federation requires an understanding of your organization, its natural structure, and its objectives in order to strike the right balance.

Yo Delmar, vice president, MetricStream, has identified steps organizations can take to establish an integrated GRC and security approach using a "federated" model.

 

Related Topics : Unisys, Stimulus Package, Security Breaches, Symantec, Electronic Surveillance

 
More Slideshows

BitSightRansomware0x Ransomware: The Rising Face of Cybercrime

Ransomware is a legitimate threat, with estimates from the U.S. Department of Justice showing that over 4,000 of these attacks have occurred every day since the beginning of the year. ...  More >>

Security121-190x128 5 Ways CFOs Can Implement an Effective Cybersecurity Strategy

While cybersecurity concerns are widespread, finance remains one of the most vulnerable areas for malicious attacks. ...  More >>

infra100-190x128 Top 10 Strategic Technology Trends for 2017

Here are the top 10 strategic technology trends that will impact most organizations in 2017. Strategic technology trends are defined as those with substantial disruptive potential or those reaching the tipping point over the next five years. ...  More >>

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.