« Why Moonraker was a GRC failure | Main | GRC makes up for this geek’s limitations »

01/12/2010

GRC summed up in 5 steps

However which way you look at this, GRC can be summed up in 5 simple steps. No matter what the area, you need to:

1.      Have a policy that reflects your goals and make sure people know about it

2.      Have a way to carry out the policy

3.      Have a way to make sure the policy is being carried out

4.      Have a way to find out how well the policy is working

5.      Have a way to deal with the times the policy’s not being effective.

Many aspects of IT (and of business for that matter) fall into one or more of these 5 steps. To be honest, most of them fall under step 2…carrying out the policy, but over the years we’ve increased the number and diversity of tools and processes that carry out the rest of these steps.

Now I’m a security guy – so let’s think of this in security terms for a moment.  In the early days of security, goals were simple – “stop the bad guys”. And they still are to a certain extent.

So we developed a bunch of tools that did precisely that…firewalls, antivirus are great examples. As computers started getting used more, the requirements became more complex, and sometimes conflicting, especially when security and performance butted up against each other. Bad guys worked out how to make their stuff not quite as obvious any more – so we had to develop more formal policies that mapped our goals to what we did. Also, what constituted “bad stuff” changed rapidly, as did technologies and the way people use, so we had to better keep tabs on what was going on and adapt what we were doing.

Over time, things have gotten more and more complex, and we’ve needed more and more stuff to carry out policy, and keep tabs on what’s going on. Also, the people who pay for this stuff, i.e. management, have had the audacity to start asking probing questions about where their money’s going. And don’t get me started on types of things we’re now being *required* to do from a security perspective by governments, partners and customers.

So, risks have gotten much more complex, our goals aren’t just about “stopping the bad guys” any more - add “keeping the auditor at bay”, and “singing for your supper” to that list – and the rules we need to play by have exploded.

Enter tools that will track all of these steps. Over 150  leading organizations are using Archer to set and communicate security policy, and show why the policy is in place from a regulatory standpoint. They’re also using Archer to define processes to carry verify and visualize that policy’s being carried out properly, and deal with those instances where things aren’t as they should be, like when a security incident happens, or an audit deficiency gets called out.

 In the next post we’ll talk about how these principles extend beyond security and into the wider realm of IT

Posted at 09:12 AM |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00e54ed2404488330120a7c88b6e970b

Listed below are links to weblogs that reference GRC summed up in 5 steps:

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.

Subscribe to this blog's feed
My Photo
About Paul Stamp
Paul is SIEM Solutions Evangelist with RSA, the Security Division of EMC. Prior to joining EMC, he was an analyst with Forrester Research covering security technology.
During the day, he enjoys most chatting with customers about stuff they're doing around security.
Outside of work, Paul is currently contemplating resurrecting his social rugby career.

Disclaimer
The opinions expressed here are my personal opinions. Content published here is not read or approved in advance by EMC and does not necessarily reflect the views and opinions of EMC.

Twitter Updates

    follow me on Twitter

    About

    Categories