GRC Information Architecture – Building Out Libraries for Success


Information Needs

Information Needs: Defining information required of governance bodies and day-to-day subject matter experts.

In this step, it is critical to understand the high-level information needs of the governance bodies that are in scope for your GRC program. Do this by reviewing the standard reports and dashboards in use today, those envisioned for tomorrow, and those available in your GRC technology apps. What are the high-level needs and where are the gaps? Are there information requirements that cannot be supported through GRC reports and dashboards?

For example, the Board and leadership may need a quarterly dashboard of the top 15 to 20 risks across the organization, with the ability to drill down into the context around each risk for discussion: its size, scale and scope, if you will. Operational leaders may focus monthly on key performance indicators and key risk indicators that trigger action when metrics move outside accepted guide rails and thresholds. Analysts and SMEs may require daily and weekly reviews of issues, threats or the results of control testing.

Integrated GRC Demands an Information Governance Approach

Governance, risk and compliance in today's world is becoming increasingly integrated across a wide and diverse set of use cases, ranging from traditional risk management to cybersecurity, third-party management, business resilience, environmental health and safety and regulatory compliance. Fundamental to success in integrated GRC is building an information architecture that supports not only day-to-day operational processes, but also yields the metrics and analytics your organization must leverage to make decisions that improve business performance. The core objective of GRC information architecture is to establish the right framework for your organization based on tightly integrated foundational libraries of organizational elements, risks, controls, policies, vendors, products, assets, regulations, business requirements and best practice content.

GRC Information Architecture Considerations

Managing GRC information requires an information architecture and governance approach that aligns with your organization. This can be a unique challenge, because GRC information comes from a variety of sources: external feeds of best practice frameworks and regulations, threats and vulnerabilities, and internal sources such as directories, security and IT inventories, and monitoring systems. Added to this are the subtleties of setting up a risk and control framework that functions at multiple levels. For example, enterprise risks at the top level reflect key categories intended for Board and leadership review and discussion; operational risks at a middle level describe specific business risks within the various business units; and, say, IT or security components at a deeper level home in on cyber threats and vulnerabilities.

In addition, a GRC information architecture involves mappings to curated content that provides additional GRC intelligence. For example, a section of a security policy can be mapped to a regulation, and also to a common control from a source like the Unified Compliance Framework (UCF), to give context on how that policy supports requirements from, say, ISO, FISMA or NIST.

Setting up foundational GRC libraries requires thoughtful consideration of the immediate use case, but also of the larger picture: how these libraries will be built out over time to support the other complementary and extended use cases on your GRC program roadmap.

Good Practice in Building Out GRC Libraries

What is the best practice for approaching this? Common questions are:

  • What libraries are best to start with and what's mandatory for a specific use case?
  • How can I know that the structure and mappings I choose for the first use case will not need to be redesigned to support later use cases?
  • What is the optimal sequence of library setup and what are the dependencies?

In this slideshow, Yo Delmar of MetricStream covers seven steps that will help you build out your GRC foundational libraries in a sequence that aligns with the initiatives on your GRC roadmap, while also providing a sustainable, ongoing governance process that allows your organization to continuously improve and enrich its GRC information architecture.

  1. Information Architecture – Level setting on information governance, taxonomies, ontologies and GRC libraries
  2. Information Needs – Defining information required of governance bodies and day-to-day practitioners
  3. GRC Framework – Placing GRC libraries in the context of other initiatives across your organization
  4. GRC Libraries – Defining and exercising the GRC data model with specific GRC activities
  5. GRC Libraries and Mappings – Defining what is common and what is federated at various levels
  6. GRC Information Governance – Implementing a sustainable governance program for GRC information
  7. GRC Apps – Extending GRC libraries with each GRC roadmap work stream and app