Governance, Risk & Compliance
Governance, Risk, and Compliance (GRC) is an emerging topic in
the world of business and information technology. However, to date, an
integrated approach to GRC has hardly been researched.
In this Bradsworth perspective, we construct an integrated process model for high-level IT GRC
management. First, we discuss existing process models for integrated GRC.
Then we set the scope of our research within the GRC domain and offer an
explanation of it. We select and discuss frameworks for the separate topics of
IT governance, IT risk management, and IT compliance management. Finally,
these frameworks are merged into a single integrated process model for IT GRC
management.
Keywords: integrated, IT GRC, governance, risk management, compliance,
process model, information technology
Risk & Governance - Everyone's Responsibility
Bradsworth's leadership has successfully implemented several complex transformations and programs because it understands the operational and reputational risks involved. Engaging both the business and technology sides at the leadership level, so that the right policies are in place for users based on requirements, is as critical as having the standards, processes, and baselines that ensure adherence on the technology side.
This deep understanding allows Bradsworth to maintain good communication and working relationships between all partners in highly complex programs, which now more than ever require a heightened level of compliance and security.
Data Classification
ISO 27001 does not prescribe the levels of classification; the levels are defined and assigned by the Data Steward.
Data Classification Levels
* Public (everyone can see the information)
* Private (Company, Internal)
* Internal use (lowest level of confidentiality) (LESS)
* Restricted (medium confidentiality level) (MORE)
* Confidential (top confidentiality level) (HIGHEST - PERSONAL, PII, Soc. Sec., etc.)
Data Stewards
Data Stewards assess Impact Levels, specify data usage guidelines, and assign a corresponding Data Classification to Data Types or Data Sets. They authorize access to data for which they are responsible and use reasonable means to inform those receiving or accessing the data of their obligations in so doing.
Data Custodians
Data Custodians ensure that systems handling Restricted or Internal data provide security and privacy protections according to the Data Classification, the Data Steward’s policies, obligations, and authorizations, and as may be identified in the Data Usage Guide. They are the communicators of policy.
The complexity of the governance, risk and compliance domain mandated a clear
classification of the elements of GRC to be considered in our research. Based on a
previously developed GRC definition and frame of reference for GRC research, we
restricted the scope to IT GRC management. Consequently, we selected and analyzed
models for the three separate IT GRC disciplines – IT governance, IT risk
management, and IT compliance. In the final stage of our research, we merged the
three selected high-level process frameworks into a single process model. First, we
explained how IT compliance can be integrated with risk management through
consideration of the risk of non-compliance and the mapping of IT compliance
processes to similar processes in risk management. Second, we examined the relation
of IT governance to IT risk management and IT compliance before merging the three
disciplines in a single process model through the identification of commonalities and
mapping of overlapping or combinable processes.
Policy / Process / Guidelines / Standards
• Policy - An information security policy consists of high-level statements relating to the protection of information across the business and should be produced by senior management.
• Standards - Standards consist of specific low-level mandatory controls that help enforce and support the information security policy.
• Guidelines - Guidelines consist of recommended, non-mandatory controls that help support standards or serve as a reference when no applicable standard is in place.
• Procedures - Procedures consist of step-by-step instructions to assist workers in implementing the various policies, standards, and guidelines.
Here’s what we’ve been working on...
Bradsworth GRC
Proving compliance isn’t always an easy task. Gathering the detailed information needed from across the enterprise, pulling from a range of resources and disparate systems can be confounding.
Coordinating reporting and matching it back to the requirements – some of which change frequently – can be time consuming if you don’t have the right visibility.
Compliance takes knowledge
Constantly reacting to compliance mandates or updates to the requirements can seem exhausting, and most teams don’t have experts on staff.
Imagine feeling secure in the knowledge that you have access to industry or regulation experts who can do more than just keep you compliant: they can help you get ahead of compliance challenges.
The challenge of complexity
More systems, more data. The complexity of technology is always increasing, but budgets and staff sizes never seem to keep up.
And compliance regulations seem to evolve just as quickly, leaving IT, security and compliance teams constantly struggling to meet baselines, let alone get ahead of those basic requirements.