Driven largely by compliance requirements for the Sarbanes-Oxley Act of 2002, many organisations in the U.S. are adopting governance, risk and compliance (GRC) tools to help manage their activities in these three areas.
GRC suites and toolsets automate the collection, correlation and reporting of information to offer a broader picture of how well the company is not only performing, but also how well it is complying with the law and managing risk.
But there are many factors to consider -- from initial steps, like whether or not to invest in the technology, to making the case for ROI on the software, to evaluating how well the GRC suite is giving you the information you seek.
The following veteran security-professional members offered the following tips for getting GRC right.
Dave Notch, CISO, Thomson Reuters:
1. The big tip for me is don't try to get it perfect, even though you may know what you want. Take an iterative approach. This lets you make progress and learn what yours and others' requirements really are. Which leads me to my second point:
2. Expect to throw away some of your work. As you learn what the different audiences need, you will have to throw away some of your work. Don't take it personally -- this is just part of the learning process.
3. Get a handle on your assets (and this has nothing to do with tool selection.) Unless you know what you have, it will be difficult to quantify what is wrong. We tiered our assets into three categories and those became the lenses we used to look at things.
4. Build a team that spans legal, HR, product, IT, and security. Work together regularly. This will help keep all of you from duplicating each other's work, such as policy development. Also, this makes it easier when you step on each other's toes. We are so matrixed in big companies these days that this is going to happen. Don't take it personally if you step on each other's toes -- and work together deliberately which makes this a lot easier to work through when it does happen.
Kristen Knight, Privacy Director/Sr. Privacy Officer, NA Philips Electronics North America:
5. Make sure you understand the operational impacts of the product before you commit to it. GRC products are all-encompassing by nature. Even your company's top executives will be impacted by a GCR implementation, so make sure they are willing to go through training and to adapt to the new system. If I had fully understood the product when I was purchasing it I would have realised the unlikelihood of training a busy executive on how to use it.
Sign up for Computerworld eNewsletters.