About Me

Scott Arnett is an Information Technology & Security Professional Executive with over 30 years of experience in IT. Scott has worked in various industries such as health care, insurance, manufacturing, broadcast, printing, and consulting, and in enterprises ranging in size from $50M to $20B in revenue. Scott's experience encompasses the following areas of specialization: Leadership, Strategy, Architecture, Business Partnership & Acumen, Process Management, Infrastructure and Security. With his broad understanding of technology and his ability to communicate successfully with both Executives and Technical Specialists, Scott has been consistently recognized as someone who not only can "Connect the Dots", but who can also create a workable solution. Scott is equally comfortable playing technical, project management/leadership and organizational leadership roles through experience gained throughout his career. Scott has previously acted in the role of CIO, CTO, and VP of IT, successfully built 9 data centers across the country, and is an expert in ITIL, PCI Compliance, SOX, HIPAA, FERPA, FRCP and COBIT.

Monday, July 19, 2010

Shouldn't compliance be an enterprise-wide initiative?

Governance, risk, and compliance (GRC) issues are hot topics today, thanks to a myriad of high-profile stories about companies that failed to meet regulatory requirements governing finance, environmental compliance, and other areas.

Addressing individual regulations can prove to be a costly and complicated process. Organizations quickly start to wonder whether they can afford compliance and regulation, and where all the FTE staff are going to come from.
 
SAS 70 type audits are now being replaced by SSAE 16, the new standard that supersedes SAS 70. How do you keep it all straight? Should we have a compliance department just dealing with all of this? In most cases, yes. In addition, the compliance department should not report up through the CIO; it should belong to the risk or legal group.

Many companies have responded to regulatory mandates by implementing disconnected, tactical processes and point solutions that address a single regulation or corporate initiative. But these fragmented efforts can make compliance far more costly and complicated than it needs to be. You would need to purchase and deploy multiple GRC applications for each enterprise application and then define risks, set policies, and monitor compliance for each application. At the same time, you need to find a way to manage countless GRC policies, decisions and GRC data - data that is likely based on different metrics, standards, software, and methodologies. The resulting complexity can make it impossible to aggregate this data to gain a complete view of enterprise risk.

A true cross-enterprise GRC solution dramatically simplifies management and execution of these activities - making it easy to compile data for a comprehensive perspective on overall exposure, monitor compliance and risk effectively, and adjust business processes to meet changing business and regulatory mandates.

I propose to you that whatever GRC solution you are looking at, make sure you do a five year cost evaluation. Year 1 looks very good, but make sure you clearly understand the cost matrix for years 2 through 5. Many of these vendors love to raise license cost(s) or maintenance cost(s) after year 1.

In summary, it only makes sense to have an enterprise-wide initiative and approach to compliance. An accurate and complete application inventory, data management (classification, retention, storage), and a security framework will help drive the success of this initiative. Don't be afraid to audit yourself internally to measure how you are doing, and how you can improve.

Keep engaged and positive!

Scott Arnett
scott.arnett@charter.net
