Enterprises can customize these mappings for internal policies and controls as well as for external requirements. Mappings greatly reduce redundant efforts, enabling an "assess once, comply many" approach, so that the same information can be applied to multiple assessments and audits. For example, the same policies and responses regarding strong passwords can be re-applied for multiple regulations.
"We have some 800 general control requirements from the IT side," says Advance Auto's Johnson. "The GRC tool helps us map requirements automatically and dig that information out when we need it. It's a much clearer way to map and manage it all."
They automate information gathering.
Questionnaires can be distributed through the IT GRC tool interface or a Web portal and collated and correlated automatically, without swapping e-mails and spreadsheets.
Existing spreadsheets and policy documents can be ported to the automated tool. In addition, these tools will automatically collect data from IT and security systems.
They automate assessment and remediation of technical controls.
Based on data gathered from people and other systems, GRC tools reduce the time and resources that must be devoted to identifying compliance gaps and managing remediation, and they improve the accuracy of assessments.
They provide up-to-date, customizable, automated reporting and analysis.
The tools make change-control workflow and accountability more efficient by tying into your existing systems and ensuring that the right people made and approved changes. This provides accountability and allows an accessible audit trail to be produced on demand.
They improve security.
GRC tools can perform automated gap analysis, and they can rapidly extract relevant data and assess risk based on current posture, asset value to the business and threat status. In some cases, controls can be mapped against risk scores and vectors.
"If one of these high-risk controls has any sort of failure deficiency, I can automatically see that," says Johnson. "Our architects or engineers can start looking at that; we can focus on immediate risk and not just compliance risk."
They enable enterprises to rapidly adapt to change.
As new applications and systems come online, employees come and go, and relationships with new partners and vendors are established, IT GRC tools help organizations adapt to and absorb the changes rapidly.