Governance, Risk & Compliance

Governance, Risk, and Compliance

Governance, Risk, and Compliance (GRC) is an emerging topic in the world of business and information technology. However, to date an integrated approach to GRC has hardly been researched. In this Bradsworth perspective, we construct an integrated process model for high-level IT GRC management. First, we discuss existing process models for integrated GRC. Then we set the scope of our research within the GRC domain and offer an explanation of it. We select and discuss frameworks for the separate topics of IT governance, IT risk management, and IT compliance management. Finally, these frameworks are merged into a single integrated process model for IT GRC management.

Keywords: integrated, IT GRC, governance, risk management, compliance, process model, information technology

Risk & Governance - Everyone's Responsibility

Bradsworth's leadership has successfully implemented several complex transformations and programs because it understands operational and reputational risk. Engaging both business and technology leadership to ensure the right policies are in place for users, based on requirements, is as critical as the standards, processes, and baselines that ensure adherence on the technology side.

This deep understanding by Bradsworth ensures good communication and a working relationship among all partners in highly complex programs that require a heightened level of compliance and security, now more than ever.

Data Classification

ISO 27001 does not prescribe the levels of classification; they are defined by the Data Steward.

Data Classification Levels

* Public (everyone can see the information)

* Private (Company, Internal)

* Internal use (lowest level of confidentiality)

* Restricted (medium confidentiality level)

* Confidential (highest confidentiality level: personal data, PII, Social Security numbers, etc.)


Data Stewards

Data Stewards assess Impact Levels, specify data usage guidelines, and assign a corresponding Data Classification to Data Types or Data Sets. They authorize access to data for which they are responsible and use reasonable means to inform those receiving or accessing the data of their obligations in so doing.


Data Custodians

Data Custodians ensure that systems handling Restricted or Internal data provide security and privacy protections according to the Data Classification, the Data Steward’s policies, obligations, and authorizations, and as may be identified in the Data Usage Guide. They are the communicators of policy.
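The classification levels and the two roles above translate directly into an access decision: the Data Steward decides who may see a data set, and the Data Custodian's system must provide protections that match the classification before it releases anything. The following is an added example (not Bradsworth's code) showing that decision in Python. It assumes a small registry where the steward records each data set's classification and authorized roles, a custodian profile listing the controls a system provides and the highest level it is accredited for, and a constructed control baseline per level; the page's "Private (Company, Internal)" level is treated as a synonym for Internal use, and the high-water-mark rule for combined data sets is likewise an assumption of the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Classification levels from the page, ordered from lowest to highest
    confidentiality. 'Private (Company, Internal)' is treated as a synonym
    for Internal use (an assumption of this example)."""
    PUBLIC = 0
    INTERNAL_USE = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3


# Baseline protections a custodian's system must provide per level.
# Constructed for this example; a real baseline comes from the organisation's standards.
REQUIRED_CONTROLS = {
    Classification.PUBLIC: frozenset(),
    Classification.INTERNAL_USE: frozenset({"authentication"}),
    Classification.RESTRICTED: frozenset({"authentication", "encryption_at_rest", "access_logging"}),
    Classification.CONFIDENTIAL: frozenset({"authentication", "encryption_at_rest", "access_logging", "mfa"}),
}


@dataclass
class DataSet:
    """A data set as registered by its Data Steward."""
    name: str
    classification: Classification
    steward: str
    authorized_roles: frozenset = frozenset()  # roles the steward has authorized


@dataclass
class SystemProfile:
    """A system as accredited by its Data Custodian."""
    name: str
    controls: frozenset
    max_classification: Classification  # highest level the system is accredited for


def missing_controls(system: SystemProfile, level: Classification) -> frozenset:
    """Controls the system lacks for handling data at the given level."""
    return REQUIRED_CONTROLS[level] - system.controls


def check_access(user_roles, dataset: DataSet, system: SystemProfile):
    """Decide whether `user_roles` may receive `dataset` through `system`.

    Returns (allowed, reason). Custodian-side checks run first: a system not
    accredited for the level, or lacking the baseline controls, is refused no
    matter who asks. The steward-side check then requires the user to hold
    at least one role the steward authorized (Public data needs none).
    """
    level = dataset.classification
    if system.max_classification < level:
        return False, f"{system.name} is accredited only up to {system.max_classification.name}"
    gaps = missing_controls(system, level)
    if gaps:
        return False, f"{system.name} lacks required controls: {', '.join(sorted(gaps))}"
    if level == Classification.PUBLIC:
        return True, "public data, no authorization required"
    if not set(user_roles) & dataset.authorized_roles:
        return False, f"no role authorized by steward {dataset.steward} for {dataset.name}"
    return True, "authorized by steward"


def aggregate_classification(datasets) -> Classification:
    """Classification a combined or derived data set inherits: the highest of
    its inputs (high-water-mark rule; an assumption of this example)."""
    return max((d.classification for d in datasets), default=Classification.PUBLIC)


# Constructed sample registry for a stand-alone run.
PRESS_KIT = DataSet("press_kit", Classification.PUBLIC, "comms_lead")
PAYROLL = DataSet("payroll", Classification.CONFIDENTIAL, "hr_director",
                  frozenset({"hr_admin"}))
HR_PORTAL = SystemProfile("hr_portal", REQUIRED_CONTROLS[Classification.CONFIDENTIAL],
                          Classification.CONFIDENTIAL)
WIKI = SystemProfile("wiki", frozenset({"authentication"}), Classification.INTERNAL_USE)

if __name__ == "__main__":
    for roles, ds, sys_ in [({"hr_admin"}, PAYROLL, HR_PORTAL),
                            ({"engineer"}, PAYROLL, HR_PORTAL),
                            ({"hr_admin"}, PAYROLL, WIKI),
                            (set(), PRESS_KIT, WIKI)]:
        allowed, reason = check_access(roles, ds, sys_)
        verdict = "ALLOW" if allowed else "DENY "
        print(f"{ds.name:10} via {sys_.name:9} roles={sorted(roles)}: {verdict} ({reason})")
```

Ordering the custodian checks before the steward check matters: an authorized user asking for Confidential data through a system that only meets the Internal use baseline is still refused, which is exactly the custodian's responsibility described above.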

The complexity of the governance, risk and compliance domain mandated a clear classification of the elements of GRC to be considered in our research. Based on a previously developed GRC definition and frame of reference for GRC research, we restricted the scope to IT GRC management. Consequently, we selected and analyzed models for the three separate IT GRC disciplines – IT governance, IT risk management, and IT compliance. In the final stage of our research, we merged the three selected high-level process frameworks into a single process model. First, we explained how IT compliance can be integrated with risk management through consideration of the risk of non-compliance and the mapping of IT compliance processes to similar processes in risk management. Second, we examined the relation of IT governance to IT risk management and IT compliance before merging the three disciplines in a single process model through the identification of commonalities and mapping of overlapping or combinable processes.


Policy / Process / Guidelines / Standards

• Policy - An information security policy consists of high-level statements relating to the protection of information across the business and should be produced by senior management.

• Standards - Standards consist of specific low-level mandatory controls that help enforce and support the information security policy.

• Guidelines - Guidelines consist of recommended, non-mandatory controls that help support standards or serve as a reference when no applicable standard is in place.

• Procedures - Procedures consist of step-by-step instructions to assist workers in implementing the various policies, standards, and guidelines.
