Partners and business customers, in turn, may require regulatory compliance or adherence to standards such as COBIT or ISO 27001 as a condition of doing business. For your part, vendor management requires you to ensure that suppliers, service providers and other third parties are adhering to your standards.
Maintaining a strong security and risk posture is difficult. It is hard to enforce strong change control, identify and remediate gaps in IT controls, manage the audit process and assess threats to your business. Mature companies have some sort of enterprise-wide and, in some cases, centralized GRC program, but are hamstrung by manual, redundant processes.
"People are doing IT GRC whether they are calling it that or not, but they are document-centric [solutions], using spreadsheets and other documents, SharePoint," says Michael Rasmussen, president of Corporate Integrity. "Spreadsheets are a recipe for disaster. Eventually, they outgrow this; they don't have proper audit trails and it becomes unmanageable."
IT GRC challenges include:
Mapping policies and controls. Compliance with most regulations and standards can be maintained mainly through overlapping policies and controls. The same or similar access controls, data encryption, password standards, separation of duties and strong authentication requirements may satisfy the demands of multiple regulations. But enterprises typically fall short in mapping those controls to applicable regulations and using that knowledge to reduce redundancy from one audit to the next.
Audit fatigue. In the absence of centralized policy and control standards, each regulation is dealt with separately and audits are done individually. Enterprises and their business units and departments go through each audit as a discrete exercise.
Security exposure. IT regulatory requirements are intended to enforce good security policies and controls. Ironically, the enormous effort required to audit a large enterprise for compliance often distracts from a company's ability to focus on identifying its true level of exposure. Uncoordinated information gathering makes risk assessment difficult.
"Without having one location to see how policies and controls map, organizations fall into audit fatigue," says Anthony Johnson, director of information security for the compliance management group at Advance Auto Parts, an Agiliance customer. "They are chasing compliance and not managing security risk, and security risk is what protects the organization."