Governance, Risk, and Compliance (GRC) initiatives are a key focus in all large organizations today. Many of these organizations have addressed GRC from an administrative standpoint by mapping controls and policies to the applicable regulations and industry mandates. This approach makes sense because it provides clarity on specific regulations as they relate to the business – a crucial point given the extreme consequences of non-compliance. However, administrative GRC lacks an automated way to test controls. Stopping here limits controls management to a content repository of controls that are validated manually and infrequently (usually annually). The result is a limited ability to manage risk and to maintain a comprehensive, up-to-date view of business adherence to policies.
The natural next step beyond the administrative aspects of GRC is to build out a robust GRC platform. An effectively implemented GRC platform not only automates compliance-related activities and risk management, but also provides a strategic governance foundation for all enterprise initiatives and programs.
One of the key elements, and the most reusable component, of a comprehensive GRC platform is the controls sub-system. The controls sub-system consists of four components: the connectivity layer, the asset repository, continuous controls monitoring, and controls life cycle management.
The connectivity layer should leverage standard methods for data collection in real time from applications, servers, databases and infrastructure reports. The result is improved data integrity and reaction time to remediate gaps.
The asset repository holds the asset model, which defines and classifies the relative importance and characteristics of assets, such as employees, vendors, contracts, business processes, departments, applications, servers, databases and infrastructure reports (SIEM, IAM, VA, etc.). The model includes asset relationships and the impact of assets on each other.
Continuous controls monitoring tracks the effectiveness of each control by automatically testing against assets and the data collected through the connectivity layer or through control assessments (surveys).
Controls life cycle management allows for creation, updates, approvals, and reviews of controls throughout their existence. It should also include a complete audit history, version control and workflows to manage the life cycle process.
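The four components described above fit together in one loop: data arrives through the connectivity layer, is matched to assets in the repository, and approved control versions are tested against it, with each failure weighted by the effective criticality of the asset (its own rating or that of anything depending on it). The following Python is an added example, not code from the original article or from any GRC product; the asset names, collected attributes, control identifiers and criticality scale (1 to 5) are all constructed for illustration, and the "connectivity layer" is simulated by an inline dictionary rather than live collection.

```python
"""Minimal model of a GRC controls sub-system (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


# --- Asset repository: assets, classification and relationships --------------
@dataclass
class Asset:
    asset_id: str
    kind: str                       # "application", "server", "database", ...
    criticality: int                # 1 (low) .. 5 (critical), assigned by the business
    depends_on: List[str] = field(default_factory=list)   # relationships to other assets


class AssetRepository:
    def __init__(self, assets: List[Asset]):
        self.assets = {a.asset_id: a for a in assets}

    def effective_criticality(self, asset_id: str) -> int:
        """Impact propagation: an asset is at least as critical as anything that
        depends on it (a low-rated server under a critical application is critical)."""
        level = self.assets[asset_id].criticality
        for other in self.assets.values():
            if asset_id in other.depends_on:
                level = max(level, self.effective_criticality(other.asset_id))
        return level


# --- Controls life cycle: versions, approval and audit history ---------------
@dataclass
class ControlVersion:
    version: int
    description: str
    applies_to: str                 # asset kind this control is tested against
    test: Callable[[dict], bool]    # predicate over the data collected for one asset
    approved: bool = False


class Control:
    def __init__(self, control_id: str, description: str, applies_to: str,
                 test: Callable[[dict], bool], actor: str):
        self.control_id = control_id
        self.versions: List[ControlVersion] = []
        self.audit_log: List[tuple] = []      # (timestamp, actor, action)
        self.update(description, applies_to, test, actor)

    def update(self, description, applies_to, test, actor):
        v = ControlVersion(len(self.versions) + 1, description, applies_to, test)
        self.versions.append(v)
        self._audit(actor, f"created version {v.version}")

    def approve(self, actor):
        self.versions[-1].approved = True
        self._audit(actor, f"approved version {self.versions[-1].version}")

    def current(self) -> Optional[ControlVersion]:
        """Only the latest approved version is monitored; drafts are never tested."""
        approved = [v for v in self.versions if v.approved]
        return approved[-1] if approved else None

    def _audit(self, actor, action):
        self.audit_log.append((datetime.now(timezone.utc).isoformat(), actor, action))


# --- Continuous controls monitoring -----------------------------------------
def run_monitoring(repo: AssetRepository, controls: List[Control],
                   collected: Dict[str, dict]) -> List[dict]:
    """Test every approved control against every in-scope asset. An asset the
    connectivity layer returned nothing for is reported as a gap, not silently skipped."""
    findings = []
    for control in controls:
        v = control.current()
        if v is None:
            continue
        for asset in repo.assets.values():
            if asset.kind != v.applies_to:
                continue
            risk = repo.effective_criticality(asset.asset_id)
            data = collected.get(asset.asset_id)
            if data is None:
                findings.append({"control": control.control_id, "asset": asset.asset_id,
                                 "status": "no-data", "risk": risk})
            elif not v.test(data):
                findings.append({"control": control.control_id, "asset": asset.asset_id,
                                 "status": "fail", "risk": risk})
    return sorted(findings, key=lambda f: -f["risk"])   # highest business impact first


def build_demo():
    """Constructed sample asset model and controls (not real infrastructure)."""
    repo = AssetRepository([
        Asset("app-portal", "application", 5, ["srv-web-01", "srv-web-02", "srv-web-03", "db-cust-01"]),
        Asset("srv-web-01", "server", 2), Asset("srv-web-02", "server", 2),
        Asset("srv-web-03", "server", 2), Asset("db-cust-01", "database", 3),
        Asset("srv-dev-01", "server", 1),          # nothing depends on it
    ])
    patch = Control("C-PATCH", "Servers patched within 30 days", "server",
                    lambda d: d["patch_age_days"] <= 30, "control.owner")
    patch.approve("ciso")
    enc = Control("C-ENC", "Databases encrypted at rest", "database",
                  lambda d: d.get("encryption_at_rest", False), "control.owner")
    enc.approve("ciso")
    mfa = Control("C-MFA", "MFA enforced for admin access", "server",
                  lambda d: d.get("mfa_enforced", False), "control.owner")
    mfa.approve("ciso")
    mfa.update("MFA enforced for all access", "server",    # stricter draft, not yet approved
               lambda d: d.get("mfa_enforced", False) and d.get("mfa_all_users", False), "control.owner")
    return repo, [patch, enc, mfa]


# Constructed stand-in for what the connectivity layer collected this cycle;
# srv-web-03 is deliberately absent to show the gap being reported.
COLLECTED = {
    "srv-web-01": {"patch_age_days": 12, "mfa_enforced": True},
    "srv-web-02": {"patch_age_days": 45, "mfa_enforced": True},
    "db-cust-01": {"patch_age_days": 3, "encryption_at_rest": False},
    "srv-dev-01": {"patch_age_days": 90, "mfa_enforced": False},
}


def demo() -> List[dict]:
    repo, controls = build_demo()
    return run_monitoring(repo, controls, COLLECTED)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Two design points matter for a real deployment: a control version that has not passed approval is never executed, so a draft cannot generate findings that look official; and an asset the connectivity layer failed to report on produces an explicit "no-data" finding at the asset's full criticality, because a monitoring gap on a critical system is itself a risk the program must see.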
Implementing the controls framework (the GRC controls sub-system) across an enterprise streamlines compliance-related activities in the short term, while laying the necessary foundation for rapid ROI on future risk management and GRC initiatives.