GRC Information Architecture – Building Out Libraries for Success

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20
Next GRC Information Architecture – Building Out Libraries for Success-4 Next

Information Architecture

GRC libraries, on the other hand, reside in the technology itself. Libraries are aligned with information architecture principles, and derived from ontology and taxonomy – then realized in the technology database. Libraries include mapping to content sources, and are built out over time to match use cases in the GRC roadmap. Libraries are foundational to analytics, workflow behavior and reporting in the GRC app environment, and as a result are built up as new apps are brought online. Extending library elements may have upgrade and performance constraints in the app so it is important to thoroughly understand the GRC technology data model and how it is evolving through product roadmaps.

Integrated GRC Demands an Information Governance Approach

Governance, risk and compliance in today's world is becoming increasingly integrated across a wide and diverse set of use cases, ranging from traditional risk management to cybersecurity, third-party management, business resilience, environmental health and safety and regulatory compliance. Fundamental to success in integrated GRC is building an information architecture that supports not only day-to-day operational processes, but also yields the metrics and analytics your organization must leverage to make decisions that improve business performance. The core objective of GRC information architecture is to establish the right framework for your organization based on tightly integrated foundational libraries of organizational elements, risks, controls, policies, vendors, products, assets, regulations, business requirements and best practice content.

GRC Information Architecture Considerations

Managing GRC information requires an information architecture and governance approach that aligns with your organization. This can be a unique challenge considering GRC information comes from a variety of sources – external feeds of best practice frameworks and regulations, threats and vulnerabilities, and internal sources such as directories, security and IT inventories and monitoring systems. Added to this are the subtleties of setting up a risk and control framework that functions at multiple levels – for example, enterprise risks at the top level reflecting key categories intended for Board and leadership review and discussion, operational risks at a middle level that describe specific business risks within various business units and say, IT or security components at a deeper level that hone in on cyber threats and vulnerabilities.

In addition, a GRC Information Architecture involves mappings to curated content that provides additional GRC intelligence – for example, mapping a section of a security policy to a regulation, as well as a common control from a source like the Unified Compliance Framework (UCF) to give context on how that policy supports requirements from say ISO, FISMA or NIST.

Setting up foundational GRC libraries requires thoughtful consideration to the use case itself, but also the larger picture of how these libraries will be built out over time to support other complementary and extended use cases that are on your GRC program roadmap.

Good Practice in Building Out GRC Libraries

What's the best practice on how to approach this? Common questions are:

  • What libraries are best to start with and what's mandatory for a specific use case?
  • How can I know that the structure and mappings I choose for the first use case will not need to be redesigned to support later use cases?
  • What is the optimal sequence of library setup and what are the dependencies?

In this slideshow, Yo Delmar, MetricStream, covers seven steps that you can take that will help you build out your GRC foundational libraries in a sequence that aligns not only with initiatives on your GRC roadmap, but provides you with a sustainable, ongoing governance process that allows your organization to continuously improve and enrich your GRC information architecture.

  1. Information Architecture - Level setting on information governance, taxonomies, ontologies and GRC libraries
  2. Information Needs - Defining information required of governance bodies and day-to-day practitioners
  3. GRC Framework - Placing GRC libraries in the context of other initiatives across your organization
  4. GRC Libraries – Defining and exercising the GRC data model with specific GRC activities
  5. GRC Libraries and Mappings – Defining what is common and what is federated at various levels
  6. GRC Information Governance – Implementing a sustainable governance program for GRC information
  7. GRC Apps – Extending GRC libraries with each GRC roadmap work stream and app

Related Topics : A Big Market for Big Data Jobs, Midmarket CIO, IT Management Automation, SharePoint, Technology Markets

More Slideshows

gig economy How the Gig Economy Is Changing the Tech Industry

The gig economy is clearly disrupting the tech industry, both in positive and negative ways. ...  More >>

Fake news How Can We Fix the Fake News Problem?

Is fake news a security issue? Some say yes, as it can be used as a social engineering tool to spread disinformation and conceivably to get unsuspecting users to click on malicious links. ...  More >>

IT security skills 7 Top Skills for Security Pros

Executives at several top tech firms outline the skills they need now and in the near future, including IaaS and IoT security expertise. Other skills listed may surprise you. ...  More >>

Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.