dcsimg

GRC Information Architecture – Building Out Libraries for Success

Email     |    
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20
Next GRC Information Architecture – Building Out Libraries for Success-19 Next

Conclusion

In summary, by building an integrated GRC information architecture, organizations benefit from common GRC libraries with common terms for core elements such as business units, risks, controls, products, processes, assets, vendors and people. Setting up GRC libraries helps an enterprise to maintain associations and mappings at the desired level of granularity to support business and risk and regulatory compliance needs.

GRC libraries structure a logical compliance and controls hierarchy, including processes, sub-processes, objectives, associated risks, controls and control activities. This can significantly reduce the amount of time IT and security professionals spend defining and maintaining an integrated risk and control framework. This makes it much easier to define risk management essentials, including appetite, thresholds, risk analysis methods, risk calculations for rollups, metrics and analytics.

By balancing common and federated processes for risk identification, analysis and issue management, all business units and stakeholders can participate in a common model, while supporting their unique methods and practices. Getting a sustainable GRC information architecture in place involving the right stakeholders, an evolving model, and building it out over time brings you a long way toward orchestrating GRC intelligence across your organization with a trusted system of record and version of truth. 

Integrated GRC Demands an Information Governance Approach

Governance, risk and compliance in today's world is becoming increasingly integrated across a wide and diverse set of use cases, ranging from traditional risk management to cybersecurity, third-party management, business resilience, environmental health and safety and regulatory compliance. Fundamental to success in integrated GRC is building an information architecture that supports not only day-to-day operational processes, but also yields the metrics and analytics your organization must leverage to make decisions that improve business performance. The core objective of GRC information architecture is to establish the right framework for your organization based on tightly integrated foundational libraries of organizational elements, risks, controls, policies, vendors, products, assets, regulations, business requirements and best practice content.

GRC Information Architecture Considerations

Managing GRC information requires an information architecture and governance approach that aligns with your organization. This can be a unique challenge considering GRC information comes from a variety of sources – external feeds of best practice frameworks and regulations, threats and vulnerabilities, and internal sources such as directories, security and IT inventories and monitoring systems. Added to this are the subtleties of setting up a risk and control framework that functions at multiple levels – for example, enterprise risks at the top level reflecting key categories intended for Board and leadership review and discussion, operational risks at a middle level that describe specific business risks within various business units and say, IT or security components at a deeper level that hone in on cyber threats and vulnerabilities.

In addition, a GRC Information Architecture involves mappings to curated content that provides additional GRC intelligence – for example, mapping a section of a security policy to a regulation, as well as a common control from a source like the Unified Compliance Framework (UCF) to give context on how that policy supports requirements from say ISO, FISMA or NIST.

Setting up foundational GRC libraries requires thoughtful consideration to the use case itself, but also the larger picture of how these libraries will be built out over time to support other complementary and extended use cases that are on your GRC program roadmap.

Good Practice in Building Out GRC Libraries

What's the best practice on how to approach this? Common questions are:

  • What libraries are best to start with and what's mandatory for a specific use case?
  • How can I know that the structure and mappings I choose for the first use case will not need to be redesigned to support later use cases?
  • What is the optimal sequence of library setup and what are the dependencies?

In this slideshow, Yo Delmar, MetricStream, covers seven steps that you can take that will help you build out your GRC foundational libraries in a sequence that aligns not only with initiatives on your GRC roadmap, but provides you with a sustainable, ongoing governance process that allows your organization to continuously improve and enrich your GRC information architecture.

  1. Information Architecture - Level setting on information governance, taxonomies, ontologies and GRC libraries
  2. Information Needs - Defining information required of governance bodies and day-to-day practitioners
  3. GRC Framework - Placing GRC libraries in the context of other initiatives across your organization
  4. GRC Libraries – Defining and exercising the GRC data model with specific GRC activities
  5. GRC Libraries and Mappings – Defining what is common and what is federated at various levels
  6. GRC Information Governance – Implementing a sustainable governance program for GRC information
  7. GRC Apps – Extending GRC libraries with each GRC roadmap work stream and app
 

Related Topics : A Big Market for Big Data Jobs, Midmarket CIO, IT Management Automation, SharePoint, Technology Markets

 
More Slideshows

gig economy How the Gig Economy Is Changing the Tech Industry

The gig economy is clearly disrupting the tech industry, both in positive and negative ways. ...  More >>

Fake news How Can We Fix the Fake News Problem?

Is fake news a security issue? Some say yes, as it can be used as a social engineering tool to spread disinformation and conceivably to get unsuspecting users to click on malicious links. ...  More >>

IT security skills 7 Top Skills for Security Pros

Executives at several top tech firms outline the skills they need now and in the near future, including IaaS and IoT security expertise. Other skills listed may surprise you. ...  More >>

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.


 

By submitting your information, you agree that itbusinessedge.com may send you ITBbusinessEdge offers via email, phone and text message, as well as email offers about other products and services that ITBbusinessEdge believes may be of interest to you. ITBbusinessEdge will process your information in accordance with the Quinstreet Privacy Policy.

×
By using this site, you agree to the Privacy Policy