GRC Information Architecture – Building Out Libraries for Success

Email     |     Share  
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20
Next Next

GRC Libraries

You will want to review all GRC libraries and draw the library data model and define the ontology aspects. For each library, define related libraries that will be mapped and related GRC activities. This may take multiple meetings, reviewing and exercising the data model with various stakeholder teams as you go through all the use cases in scope.

Pay special attention to:

  • What relationships in the abstract data model support GRC libraries?
  • What needs to change or be enhanced?
  • What are key GRC activities related to each library – risk, compliance, policy, issue, audit, etc.
  • What external content feeds are required as input to GRC libraries?
  • How will content be mapped at the library level?

Integrated GRC Demands an Information Governance Approach

Governance, risk and compliance in today's world is becoming increasingly integrated across a wide and diverse set of use cases, ranging from traditional risk management to cybersecurity, third-party management, business resilience, environmental health and safety and regulatory compliance. Fundamental to success in integrated GRC is building an information architecture that supports not only day-to-day operational processes, but also yields the metrics and analytics your organization must leverage to make decisions that improve business performance. The core objective of GRC information architecture is to establish the right framework for your organization based on tightly integrated foundational libraries of organizational elements, risks, controls, policies, vendors, products, assets, regulations, business requirements and best practice content.

GRC Information Architecture Considerations

Managing GRC information requires an information architecture and governance approach that aligns with your organization. This can be a unique challenge considering GRC information comes from a variety of sources – external feeds of best practice frameworks and regulations, threats and vulnerabilities, and internal sources such as directories, security and IT inventories and monitoring systems. Added to this are the subtleties of setting up a risk and control framework that functions at multiple levels – for example, enterprise risks at the top level reflecting key categories intended for Board and leadership review and discussion, operational risks at a middle level that describe specific business risks within various business units and say, IT or security components at a deeper level that hone in on cyber threats and vulnerabilities.

In addition, a GRC Information Architecture involves mappings to curated content that provides additional GRC intelligence – for example, mapping a section of a security policy to a regulation, as well as a common control from a source like the Unified Compliance Framework (UCF) to give context on how that policy supports requirements from say ISO, FISMA or NIST.

Setting up foundational GRC libraries requires thoughtful consideration to the use case itself, but also the larger picture of how these libraries will be built out over time to support other complementary and extended use cases that are on your GRC program roadmap.

Good Practice in Building Out GRC Libraries

What's the best practice on how to approach this? Common questions are:

  • What libraries are best to start with and what's mandatory for a specific use case?
  • How can I know that the structure and mappings I choose for the first use case will not need to be redesigned to support later use cases?
  • What is the optimal sequence of library setup and what are the dependencies?

In this slideshow, Yo Delmar, MetricStream, covers seven steps that you can take that will help you build out your GRC foundational libraries in a sequence that aligns not only with initiatives on your GRC roadmap, but provides you with a sustainable, ongoing governance process that allows your organization to continuously improve and enrich your GRC information architecture.

  1. Information Architecture - Level setting on information governance, taxonomies, ontologies and GRC libraries
  2. Information Needs - Defining information required of governance bodies and day-to-day practitioners
  3. GRC Framework - Placing GRC libraries in the context of other initiatives across your organization
  4. GRC Libraries – Defining and exercising the GRC data model with specific GRC activities
  5. GRC Libraries and Mappings – Defining what is common and what is federated at various levels
  6. GRC Information Governance – Implementing a sustainable governance program for GRC information
  7. GRC Apps – Extending GRC libraries with each GRC roadmap work stream and app
 

Related Topics : A Big Market for Big Data Jobs, Midmarket CIO, IT Management Automation, SharePoint, Technology Markets

 
More Slideshows

infra97-290x195 7 Tips to Improve Data Backup and Ensure Business Continuity

With today's modern solutions, enterprises should be able to transform backup and recovery from a low-level legacy IT function to a modern function delivering continuity and value to the entire business. ...  More >>

NETSCOUTShadowIT0x 6 Tips for Combating Shadow IT Once and for All

To mitigate the risks of shadow IT, organizations must demonstrate the necessary agility and high quality of complex service assurance that users are looking for. ...  More >>

IT_Man85-290x195 Business in the Front, Balance All Around: Working with Gen Z

In order to attract Gen Z talent, employers will need to take into account that this group of the workforce may expect a different set of benefits. ...  More >>

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.