Of course you do. But managing your IT infrastructure holistically is not an easy task, and ensuring everything is always under control and meets regulatory requirements is even harder.
What you need is an effective approach to governance, risk management, and compliance (GRC).
More than just another acronym, your IT GRC strategy is your hall pass to staying out of trouble.
And, because your IT infrastructure compliance strategy is part of your overall IT GRC, it’s critical to address the internal complexities brought on by today’s dynamic physical and virtual data centers with both new technologies and new ways of doing things.
Makings of a Good IT GRC Platform
Some organizations might already use IT GRC technology to align controls with departmental and corporate policies (e.g. service-level agreements) and regulations. However, most organizations still function as silos and don’t have the right technologies or processes to measure activities, provide efficiencies, and evaluate risks.
An IT GRC platform should help an organization to:
- Define IT policies and controls based on external and internal requirements
- Manage policy content
- Map policies to controls
- Evaluate IT risk
- Automate auditing and regulatory reporting
So, how do you keep everything under control and maintain compliance in the IT infrastructure?
The answer is both the right technology and the right processes. A good example of the right tool set can be found in the integrated RSA Archer/EMC/VMware platform.
But the secret to success is not just in the right platform; it’s in the right management approach to people and processes. It’s a recurring theme here at Managed View: understanding changing roles in the data center.
A 5-Step Program
Here are 5 steps you can take to make everything align:
1. Start with quick wins
Whether you are just starting your IT GRC strategy or revising an existing one, it’s important to keep in mind that quick wins will make it easier for the organization to change.
Ideally, you should target making those early 3 to 5 use cases a big success in order to get traction. Your organization will then adopt the approach naturally.
For the quick wins:
- Focus on formalizing the risk process: Look for risk metrics from existing IT infrastructure management technologies. Better visibility and awareness of risk at the senior executive level will help justify new security projects.
- Determine inconsistencies in processes: Drive automated control testing and identify compliance issues. If your organization uses a manual compliance process and not an integrated compliance framework, this is an opportunity for standardization.
2. Automate whenever possible through integration
You should monitor configuration settings and measure vulnerabilities in the IT infrastructure. Look to tools such as VMware vCenter Configuration Manager (vCM), EMC Network Configuration Manager (NCM), and EMC Storage Configuration Advisor (SCA) to collect data automatically and to perform correlations, analysis, and assessments.
3. Capture the cost savings
Cost savings can be achieved in many different ways after your compliance processes are implemented. The obvious value is the improvement in the organization’s external audit posture.
Once integrated with your IT infrastructure management technologies, your GRC framework saves on reporting costs and on the fines and related expenses that can result from not meeting regulatory requirements.
Additionally, cost savings can be derived from:
- Improvements in business system availability
- Fewer trouble tickets
- Less time spent on problem management and validating compliance
4. Make it easy for executives
There is a lot of complexity behind those infrastructure management technologies. However, their results can be used by executives if the reporting provides a simple way to roll up compliance data. A GRC framework like RSA Archer allows quick creation of simple dashboards with information like the current state of process and control compliance, vulnerabilities, and IT asset use.
Another argument for simplified compliance reporting is to meet the needs of internal and external auditors. Without automation made possible by an integrated compliance framework, it’s very likely that the data collected is inaccurate.
5. Involve key stakeholders early
GRC strategies can be driven either top-down or bottom-up.
IT GRC will have more IT-centric requirements when driven bottom-up. Alternatively, Enterprise GRC (eGRC) will be more about enterprise risk and driven top-down.
Both approaches will require a certain level of coordination amongst an organization’s IT, security, audit, and risk management teams.
Allow time to negotiate change. GRC can involve something as simple as new nomenclature (e.g. “incidents” become “issues” in the new lexicon), or seemingly innocuous, or even radical, changes to processes.
Regardless of the breadth of change, people need time to digest the impact of a new way of thinking or doing things and assess what it means to them and their jobs. Leave out key stakeholders or rush this step and you could find yourself with the right GRC strategy but all alone.
Wait, There’s More
One recommendation is to learn more about the technologies available.
Once your organization understands the flexibility of the framework and usefulness of the integration, you can move quickly to accelerate the IT GRC journey enabled by those technologies.