Overseeing governance, risk and compliance manually -- by using spreadsheets, for example -- might be sufficient if GRC is deemed only minimally or moderately important.
Yet, if your organization, regardless of size, recognizes the significance of a structured and continuous approach to GRC, then it may make sense to automate those activities.
But where to start? And why automate at all? Let's examine some fundamental considerations of automating GRC activities, and cite some of the benefits that may result.
Where GRC fits into an enterprise security strategy
GRC can apply to virtually any aspect of business operations, from strategic planning to operational management. From an IT perspective, GRC is an integral part of achieving the best possible infrastructure and operational environment.
Good governance of IT operations ensures various functions will be performed according to established policies and procedures, with monitoring, review, assessment and updating of functions as needed. Managing risk is an essential element of IT management, especially as cybersecurity threats become more frequent and severe. Identifying and managing operational risks, threats and vulnerabilities is perhaps the most important IT activity today. IT organizations that are periodically audited must ensure they are compliant with a broad range of regulations and standards, among them NIST Special Publication 800-53, HIPAA and the Gramm-Leach-Bliley Act. Rules for good IT practice, such as ITIL service management, must also be followed. Achieving audit compliance also encompasses the development and approval of IT policies and procedures that address a broad range of activities.
Why automate GRC?
As IT organizations become bigger and more complex, GRC automation makes greater sense. It provides a systematic, predictable and easy-to-manage environment for all GRC issues. Spreadsheets can be used to manage GRC activities and can be programmed to create a dashboard that displays important GRC data. However, as companies wrestle with effectively managing an ever-growing number of GRC issues, spreadsheets stop scaling. A GRC automation framework can handle many more transactions, provide deeper analysis of GRC metrics and issue alerts when those metrics exceed normal performance boundaries.
GRC systems are also essential cybersecurity tools. They can examine activities and responses, support post-event analyses and ensure compliance with established performance metrics. This gives IT managers the ability to determine whether their companies' operations are performing optimally, whether risks are minimized and whether compliance standards are being met.
GRC automation benefits and challenges
Effective management of a large, complex IT organization requires a lot of information. Data produced by GRC systems identifies what is working well, what may be moving into a "yellow" area and what activities are not performing, measured against policies, procedures and performance metrics. Timely management and operational adjustments are easier to make with the right data, and GRC systems -- if configured correctly -- can present results in a format that is easily understood and actionable.
Conversely, GRC systems have some drawbacks. They may be too costly for some IT organizations, and staffing must be sufficient to ensure the system can be managed and configured correctly. Additionally, some companies might be swamped with other IT developments and find it too difficult to launch a GRC automation project.
Finally, senior management may not be supportive of a GRC initiative. With the right due diligence and a careful review of available GRC options, however, it may be possible to persuade senior management that a GRC initiative will generate organizational benefits. An argument that might help: Present management with an analysis of the risks the firm may face if it does not invest in GRC automation.
An example of GRC automation in action
A major automobile manufacturer that uses SAP for ERP decided to implement an SAP authorization model. To do that, it wanted to establish GRC controls for access management, governance and compliance. The winning product also needed flexible reporting capabilities to manage future IT audit engagements.
Because the company is an existing SAP user, it selected SAP's Dynamic Authorization Management app to plan and orchestrate the process. The system uses enterprise processes and profiles as a means to design access authorization based on roles and responsibilities. The manufacturer also rolled out SAP GRC Access Control, which assesses the process of user access management and defines workflows to automate the procedure. GRC made it easier for the company to design superuser privilege management processes, access rules and mitigation controls, and to set up alerts. The software also made it possible for the manufacturer to create an easy-to-manage authorization process, launch a training and awareness program, and simplify system maintenance.
When properly designed and configured to the organization's requirements, GRC systems can make it easier for companies to oversee complex IT activities, in particular those involving security.