GRC Information Architecture – Building Out Libraries for Success

Email     |     Share  
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20
Next Next

GRC Apps

Pay special attention to:

  • What extensions are required to this library to support this new initiative?
  • What is the data migration and QA process for new fields?
  • Are any of the new fields required?
  • What is the impact to existing apps with new fields?
  • Are any upgrades required? If so, has this been worked into the master plan?
  • For each roadmap initiative, identify library and taxonomy levels that will need to be built out.
  • Define explicitly, as much as can be known, specific fields and sources.
  • Identify MMD considerations.
  • Identify data migration considerations.

Integrated GRC Demands an Information Governance Approach

Governance, risk and compliance in today's world is becoming increasingly integrated across a wide and diverse set of use cases, ranging from traditional risk management to cybersecurity, third-party management, business resilience, environmental health and safety and regulatory compliance. Fundamental to success in integrated GRC is building an information architecture that supports not only day-to-day operational processes, but also yields the metrics and analytics your organization must leverage to make decisions that improve business performance. The core objective of GRC information architecture is to establish the right framework for your organization based on tightly integrated foundational libraries of organizational elements, risks, controls, policies, vendors, products, assets, regulations, business requirements and best practice content.

GRC Information Architecture Considerations

Managing GRC information requires an information architecture and governance approach that aligns with your organization. This can be a unique challenge considering GRC information comes from a variety of sources – external feeds of best practice frameworks and regulations, threats and vulnerabilities, and internal sources such as directories, security and IT inventories and monitoring systems. Added to this are the subtleties of setting up a risk and control framework that functions at multiple levels – for example, enterprise risks at the top level reflecting key categories intended for Board and leadership review and discussion, operational risks at a middle level that describe specific business risks within various business units and say, IT or security components at a deeper level that hone in on cyber threats and vulnerabilities.

In addition, a GRC Information Architecture involves mappings to curated content that provides additional GRC intelligence – for example, mapping a section of a security policy to a regulation, as well as a common control from a source like the Unified Compliance Framework (UCF) to give context on how that policy supports requirements from say ISO, FISMA or NIST.

Setting up foundational GRC libraries requires thoughtful consideration to the use case itself, but also the larger picture of how these libraries will be built out over time to support other complementary and extended use cases that are on your GRC program roadmap.

Good Practice in Building Out GRC Libraries

What's the best practice on how to approach this? Common questions are:

  • What libraries are best to start with and what's mandatory for a specific use case?
  • How can I know that the structure and mappings I choose for the first use case will not need to be redesigned to support later use cases?
  • What is the optimal sequence of library setup and what are the dependencies?

In this slideshow, Yo Delmar, MetricStream, covers seven steps that you can take that will help you build out your GRC foundational libraries in a sequence that aligns not only with initiatives on your GRC roadmap, but provides you with a sustainable, ongoing governance process that allows your organization to continuously improve and enrich your GRC information architecture.

  1. Information Architecture - Level setting on information governance, taxonomies, ontologies and GRC libraries
  2. Information Needs - Defining information required of governance bodies and day-to-day practitioners
  3. GRC Framework - Placing GRC libraries in the context of other initiatives across your organization
  4. GRC Libraries – Defining and exercising the GRC data model with specific GRC activities
  5. GRC Libraries and Mappings – Defining what is common and what is federated at various levels
  6. GRC Information Governance – Implementing a sustainable governance program for GRC information
  7. GRC Apps – Extending GRC libraries with each GRC roadmap work stream and app
 

Related Topics : A Big Market for Big Data Jobs, Midmarket CIO, IT Management Automation, SharePoint, Technology Markets

 
More Slideshows

NETSCOUTShadowIT0x 6 Tips for Combating Shadow IT Once and for All

To mitigate the risks of shadow IT, organizations must demonstrate the necessary agility and high quality of complex service assurance that users are looking for. ...  More >>

IT_Man85-290x195 Business in the Front, Balance All Around: Working with Gen Z

In order to attract Gen Z talent, employers will need to take into account that this group of the workforce may expect a different set of benefits. ...  More >>

KavaliroITSkills0x 5 Essential Skills for the IT Leader

Successful IT leaders have to have very specific skills, but still know how to run a team, meaning they must master the so-called soft skills that are not taught formally. ...  More >>

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.