Good governance, risk, and compliance management has become a key-operating imperative for many organizations, both large and small. Boards and executives alike struggle to gain better visibility into their true risk and compliance profile in order to prioritize spending on remediation of risks. Having a coherent, integrated GRC management framework is table stakes for good GRC program management – and can really accelerate an organization’s ability to respond to increased pressures to gain real visibility into its true risk and compliance profile. Continue reading

If there is one element of a GRC framework upon which all else depends, it is the correct formulation of risk appetite, and the translation of appetite into tolerances, thresholds and limits that the organization must operate within. Without this, it’s simply impossible to manage risks effectively. Risk appetite can be defined as the quantity and types of risk that an organization is willing to assume in pursuit of its strategic objectives. Boards are typically responsible for setting risk appetites, and executive teams then implement them into the business by translate those appetites into more granular risk-taking limits within the most fundamental operating processes. Continue reading

What’s the best practice process and governance for managing a Risk Framework? Managing updates to the Risk Framework can be a bear if you don’t have good governance around that information once it is defined. Basically, we have three phases to the process, outlined below. Many GRC Technology platforms (shameless plug, yes, RSA Archer does this) support this type of process, but word of caution: you still need to define the Risk Framework that makes sense for your organization, and work through the step by process for each stakeholder community, and of course, train people on it, and implement the governance process to support it. Continue reading

At the core of a risk ontology is a risk framework. Last post, we went into what a Risk Ontology is, why we need one and what it contains. In this post, we look at Five Easy (some may say not so easy…) steps to get started. Continue reading

At the heart of GRC is adopting a coordinated, coherent approach to risk management across the organization, and core to that objective is developing and adopting a risk ontology. Continue reading

Why do we have governance, risk, and compliance? here is an interactive video on why GRC is so important supported by an overview of the 5 forcing functions of governance, risk, and compliance. Continue reading

EMC has been sponsoring the annual IDC Digital Universe Study for five years – and we’ve been saying the horrendous growth in information is one of the main Five Forcing Functions driving growth and adoption of GRC. The 2011 Digital universe Study is in – and the numbers will shock you. Here's a taste: Digital information in the world is doubling every two years Continue reading

Many organizations get their first taste of the promise and power of a GRC program when they begin to implement a Privacy Program. Why? Because privacy is an enterprise issue that spans legal, IT, compliance and business operations. The latest Ponemon Study and Generally Accepted Privacy Principles (GAAP) tell us a great deal about why and how to set up Privacy as part of a GRC Program.Privacy is a core GRC use case that is broad in its application, constantly evolving, delivered through many channels, and as a result needs to be managed as a program Continue reading

Five basic questions that form the building blocks of a successful GRC program:• What is our end-to-end GRC program and what do we need to invest in to achieve our goals? • How can we align business requirements with our policies and day-to-day operating processes? • What is our real exposure and what controls need to be implemented to contain risks? • How can we leverage technology to manage GRC holistically across the enterprise? • How can we govern our GRC processes across silos and stakeholders? Continue reading

Japan's devastating earthquake, subsequent tsunami and current power plant threats remind us that we live in a world where the combination and cascading effect of threats raises risks beyond what we consider a reasonable threshold. Centralizing approaches to business continuity, disaster recovery, risk and crisis management is a pure GRC use case. And increasingly an urgent one. Continue reading

GRC in the Cloud - Control + Visibility = Trust – Some examples from VmWare and RSA Here’s the basic problem: Information in the cloud is constantly on the move – that’s the side effect of cloud’s basic benefits of resource utilization and service availability. This mobility, of course, is what drives security and GRC people crazy because it implies we don’t have visibility into where our information is, or control over where it goes, how it is used or who accesses it. Hybrid cloud GRC platforms can gain unprecedented levels of visibility and control by harvesting from monitoring systems to ensure that the hybrid cloud infrastructure conforms to security specifications, and that information is controlled in compliance with policies and regulations. Continue reading

After this week at the RSA Conference I’m convinced more than ever that one of the five forcing functions – virtualization and cloud computing- in particular, the hybrid cloud - is going to give GRC a majorly big push this year – driving the need for more standardization, visibility and control that GRC can provide. Hybrid Cloud makes GRC all that more vital. Why? Think of the hybrid cloud as meta-silos – now we aren’t just dealing with the need to integrate GRC across the internal organization – but now across the entire extended enterprise. Continue reading

Check out the of CSA’s main accomplishments has been advancing the adoption of the Cloud Controls Matrix into international standards communities. An important new development is the Consensus Assessments Initiative (CAI) Questionnaire – a spreadsheet that cloud consumers and assessors can use to understand what security controls Cloud Service Providers (CSPs) have implemented in their exist in IaaS, PaaS, and SaaS offerings. The Questionnaire is a companion to the CSA Guidance and the CSA Cloud Controls Matrix. Use it with CSPs you are considering – test it and give feedback to on what works and what doesn’t to the CSA working groups. Continue reading

Cloud Trust – Are you keeping up with your organization’s plans for monetizing the cloud? Many enterprises are now embracing cloud computing – especially as a model to quickly launch new products and services. As GRC professionals, we are not always privy to these plans until they are well underway and can find ourselves in the position where we are trying to assure governance and security controls are in place in hosted environments – after the fact. Continue reading

Cloud Security -Certification of Cloud Security Knowledge - there is a good certification now available online (for $195 through Dec 2010) at the Cloud Security Alliance. Launched in July, it is a 50 question, multiple choice test that must be completed in 60 minutes - but don't worry - there is a study guide available at CCSK Study Guide. Continue reading

I’ve just joined one of the Cloud Audit working groups – focused on developing controls for cloud computing. What has been holding us back are consistent and standardized frameworks, open standards and interfaces that address not only controls but also easy to implement processes to provide assurances on levels of GRC and security in cloud environments. Enter Cloud Audit, designed to smash down the roadblocks and getting us flying in the cloud. Central to the groups’ work is something called A6 – which stands for Automated Audit, Assertion, Assessment, and Assurance API. The idea is that cloud providers and consumers of their services should be able to leverage an open, extensible and secure set of interfaces for Cloud GRC and Security. Continue reading

IT GRC Lifecycles – supporting each of Governance, Risk and Compliance – how about ITIL? One of the big issues I hear from many customers and colleagues facing us in GRC is that there just so many different approaches and methodologies in play to address our challenges – implementing an end-end GRC program is hampered. What all these lack is a common high-level approach that resonates with what a CIO is increasingly building as IT becomes more of a service. We absolutely need to start aligning our approaches, even at the highest level, if we are to advance the cause of integrating and gaining synergies with end-end programs for GRC. Continue reading

The most recent edition of ON Magazine contains fabulous articles and interviews industry luminaries reflecting on the 20th anniversary of the Web and on its potential over the next 20 years. Interviewees were posed three questions by EMC: ○ How has the Web changed your life? ○ How has the Web changed business and society? ○ What will the Web look like in 20 years? Continue reading

As the Cloud evolves to become GRC-enabled, there are likely to be events that force its evolution. I am thinking of a few, and you may have many others. They may happen sequentially, but a more likely to happen simultaneously for all practical purposes… 1. Bad things happen early on, forcing adoption of GRC-enabled cloud services. Cloud consolidates lots of information in one world, making it attractive to those who would benefit from exploits. Clouds will be tested by some of the best criminal minds, not to mention the best intentioned humans who simply mess up. We will learn where... Continue reading

When we talk about the Cloud, whether it is an internal cloud and external cloud (i.e. public cloud) or a private cloud (i.e. hybrid cloud), we are inevitably led to consider GRC. To date the Cloud GRC discussion has been limited to issues of privacy, trust, reliability and availability, narrowly focused at times on security. Going forward, we need to broaden the Cloud discussion to imagine the scenarios where the Cloud is GRC-enabled, at the appropriate level, matching the precise needs of its diverse and distinct user communities. Continue reading

This post is about Believing GRC. We discussed how Seeing and Understanding gives us the ability to see risks through analytics and in context, but unless we base our risk assessments and metrics on largely empirical or solid evidence, our management will have a hard time believing that is it necessary to take action. We can have all the fancy visualization of control tests and threat-vulnerability scenarios we like, but if we can’t defend the rationale and the evidence, all is for not. Continue reading

GRC is transforming from an adhoc, rationalized stage to a more mature, optimized stage leveraging real-time information that gives us dynamic GRC – a new way of Understanding provides contextual relevance, traceability and the way we map the ecosystem. Continue reading

We need visibility and transparency to see our current exposure and give us the confidence to not only manage risks within our appetite but to exploit new opportunities with quantified risk. Continue reading