IT Governance, Risk, and Compliance

Created: 08 Apr 2010 23:24:09 GMT • Updated: 23 Jan 2014 18:28:25 GMT
IT Governance, Risk, and Compliance (GRC): A method of analysis based on the Symantec Response Assessment Module (RAM)

1.1    Introduction
1.2    GRC Analysis: a new method based on the Symantec Response Assessment Module
          1.2.1    PHASE 1: Design
          1.2.2    PHASE 2: Build
          1.2.3    PHASE 3: Assess
          1.2.4    PHASE 4: Operate
1.3    Final conclusions

1.1   Introduction

In recent times, companies, organizations, and consulting firms from various sectors have started to address the fundamental issues that underlie IT: governance, risk management, and compliance. Every organization should be able to turn these problems into opportunities to continually improve IT. In practice, everyone realizes that these three issues are related.

The term "IT governance" refers to a part of the wider corporate governance that deals with the management of information technology inside organizations. The main purposes of IT governance are information risk management and the alignment of systems to business objectives, which help to ensure that IT investments can generate value for the company.

To achieve these objectives, the organization should put in place an organizational structure with clearly defined roles and responsibilities, within a comprehensive framework of documents. The framework should regulate matters including:

o    Management of IT assets (liability and classification of assets);
o    Physical and environmental security;
o    Protection from harmful code and malware in general;
o    Management of business continuity;
o    Incident management process;
o    Physical and logical access control;
o    Application development;
o    Auditing.

To pursue the objectives of IT governance, it is necessary to establish and use an appropriate risk analysis methodology, as well as to formalize statements into appropriate policies, standards, guidelines, and procedures that are recognized and accepted throughout the entire organization.

The IT Governance (G) maturity level of an organization becomes a function of:

1)    The optimization degree of the IT Risk Management (R) process;
2)    The state of Compliance (C) relating to the security policies framework of the organization.

This is summarized by the function:

G = f(R, C)

The function above integrates the three issues into a single, well-established concept that has been given the acronym "GRC" (governance, risk, and compliance).

1.2   GRC Analysis: a new method based on the Symantec Response Assessment Module

The Italian advisory team, of which I am a member, successfully uses a new method of analysis that aims to concretely apply the above theory of GRC. The method can be demonstrated in a case study using customer ABC as an example. ABC has requested an analysis of the IT security of its datacenters that are located in different parts of the world.

In this case, Symantec proposed the adoption of a new investigation technique, the GRC analysis. The GRC technique provides different views of the current security level of the datacenters and, further, allows the ABC managers to activate effective remediation plans.

In short, the methodology is based on four main phases, the last of which provides an overview of the state of IT security. In this case, the scope includes the datacenters of ABC.

Below is a diagram of the four phases:

Figure 1. The four phases of a GRC project.
*Note: Please check back here on the Security Response Blog for the rest of this blog series, in which I will further discuss four GRC phases and present final conclusions.