IT Governance, Risk, and Compliance: A method of analysis based on the Symantec Response Assessment Module (RAM)
Part I of this blog series introduced the concepts of IT governance, risk, and compliance (GRC). To quote:
“In recent times, companies, organizations, and consulting firms from various sectors have started to address the great issues that lie at the base of IT. These issues are governance, risk management, and compliance. Every organization should be able to transform these problems into opportunities to continually improve IT. In practice, everyone realizes that these three issues are related.”
Here I will continue to expand on GRC issues by touching on phases 1.2.1: Design and 1.2.2: Build.
1.2.1 Phase 1: Design
In the Design phase, datacenter security analysis begins and a questionnaire for the datacenter managers is prepared. The main objective is to acquire all of the basic information required.
To facilitate the work of the interviewees and the subsequent processing of their responses, the survey is designed so that:
1. Each question is in close relation with a given control or security countermeasure.
2. Interviewees need to choose from a selection of only six answers for each question. Each answer is associated with six different scores, as follows:
The possible responses and related scores.
In addition to the general preparation of the survey, during the design phase the answers are constructed so as to be able to map the managers’ responses using the three dimensions of governance, risk, and compliance (GRC). An abstract schema is used, as is shown in the following figure:
Response elaborations related to GCR.
As we can see above, every answer is associated with its own score, which assumes different values depending on the topic under consideration (governance, risk, or compliance). These values, in the subsequent final elaboration and development, contribute to the definition of different reports and GRC graphs.
1.2.2 PHASE 2: Build
The complete management of the questionnaires (their definition, their preparation, and their distribution to the interviewees) is facilitated through the adoption of the Symantec Response Assessment Module (RAM) technology, now integrated into the Symantec Control Compliance Suite 9.0. The collection of the responses is also managed with RAM and the survey invitations are sent out via email.
The complete package of Symantec RAM, including Web Components, is installed on a server that is accessed from the Internet. In this way, each interviewee has the ability to access the questionnaire after an authentication phase, using the SSL secure protocol.
RAM integrates some interesting features that can greatly simplify the implementation of the questionnaire. Some features that we normally use are:
• Ability to assign a value of importance or severity to each question: in company ABC’s case, this feature is used to assign a weight (importance) to every question. The weight is in a range of values between 1, 2, and 3.
• Ability to attach all related documentation to each question.
• Ability to add some comments to the questions—this feature is used to clarify the meaning of the various response options (documented, implemented, or checked/ measured).
Below is an example of the layout that is normally used for the Web survey:
Web survey screenshot.
Please keep an eye out for the concluding blog in this series, in which I'll cover off the final two phases of 1.2.3: Assess and 1.2.4: Operate. I'll also offer up my final conclusions on GRC issues and how we can all better manage them.