Governance, risk and compliance frameworks are no longer isolated company initiatives but an integrated approach toward protecting information, meeting regulatory mandates and ensuring that organizations have sustainable and repeatable processes for accomplishing these through growth and change.
Virtually every business, organization and government agency has valuable and sensitive digital information in its care such as Microsoft Word documents, Excel spreadsheets, PowerPoint presentations and multimedia files. As a result, they have various GRC mandates to meet. Most organizations today are juggling manual processes for auditing data use and attempting to mitigate business risk with policies that bring together all of the persons and departments who are data stakeholders. In fact, some businesses have even begun to define leadership positions whose charters and titles are GRC.
Nevertheless, GRC is still a concept or market category that elicits some skepticism and confusion. It is broad in its scope in that it aims at company-wide attitude and behavioral changes as they apply to critical digital asset handling. Given this, the path to GRC success can appear daunting.
The challenge for individuals and project teams with GRC responsibilities is that there is simply too much inconsistent information on how to achieve GRC imperatives, what types of tools and products to use and which standards and frameworks to apply. Adding to the confusion and complexity is the fact that:
Many security technologies have at least some GRC-relevant functionality.
There are multiple frameworks for GRC (e.g., International Organization for Standardization, Federal Financial Institutions Examination Council, Control Objectives for Information and related Technology).
There are numerous regulations to meet (e.g., Sarbanes-Oxley Act, Federal Information Security Management Act, Gramm-Leach-Bliley Act, Payment Card Industry Data Security Standard).
Given these challenges, how can IT operations departments and/or risk managers initiate and implement a successful GRC strategy? Getting started with GRC may vary depending on the organization and its structure, but five basic guidelines will help with long-term GRC success.
1. Inventory all data assets. The natural place to get started with GRC is to identify all of the places where data or digital assets are stored. This includes in-line and offline storage, databases and endpoint devices. In the case where organizations are particularly large and distributed, locating the largest data aggregation points is key, as is generating an audit of how much and what types of data are stored there, who has access, and what the entitlements and privileges of data users are. Doing this allows GRC strategists to define the scope of the challenge and work. It also takes care of a very time-consuming first step toward establishing the business materiality of the data.
While it is important to create as comprehensive an inventory as possible, those organizations just getting started with GRC will want to consider that more than 80 percent of enterprise data takes an unstructured form (i.e. documents, spreadsheets, web pages, image and media files) and 25 to 35 percent of it is security and compliance intensive. Thus, an inventory of network-attached storage and storage area network storage as well as file system contents is a logical starting point.
Technologies that give complete visibility to unstructured data as well as the permissions and access controls that are in place can greatly help with the inventory process.
2. Identify data business owners. Business owners have the most context for the data they create, its value and its sensitivity. Giving administrators the means to collaborate with data owners on projects increases their accuracy and expediency. This can save hundreds of hours from storage clean-up projects, data migrations, access control revocations and even domain consolidations. Doing this as part of the first steps of GRC planning will also ensure future communication for the purposes of defining data protection and preservation policies. Technologies that maintain detailed statistics on data creation, access and use are essential in terms of providing administrators with the insight necessary to carry out GRC tasks.
3. Link IT and the business units. Currently, IT operations and personnel are almost solely responsible for managing where data resides and the security policies, access controls and monitoring facilities that are in place. This means that when it comes to data entitlement and access authorization management, the process is managed by people with no in-depth context for the data or its business materiality. In fact, most decisions about the data are the burden of the technical staff of organizations as opposed to the business units. Plans for GRC initiatives should aim to establish a broad organization-wide management framework for data so that business owners manage access and IT operations remains responsible for maximizing its availability. And in those functional areas where responsibilities overlap, a properly functioning GRC environment enables and enforces collaboration among all data stakeholders. Technologies that can link IT, data business owners, data users and process auditors are key to carrying out this part of the GRC process. Specifically, a product that can broker user requests to data and enforce the decisions of the authorizers is essential.
4. Delete unwanted data. GRC projects are challenging in part because of the sheer volume of data they are meant to address. Thus, organizations should focus specifically on data that is valuable, sensitive and business material. For most organizations, deleting stale and orphan data as well as data which falls outside the scope of GRC (music files, personal photos, etc.) will increase the efficiency and expediency of any project to consolidate and manage digital assets. The key to doing this accurately is to ensure that the data to be deleted from company storage is not preservation worthy. This requires some intelligence about data use and access activity, data ownership and data business materiality. Technologies that can track all access activity of data on file systems and NAS and provide statistics on the frequency and types of access are pertinent, so organizations can determine which data is stale and can be deleted.
5. Remove excess access. Establishing an ongoing process and systems for ensuring that access to data is always warranted is central to a GRC implementation. But while the GRC rollout is in the planning stages, data remains at risk from access controls that are overly permissive and outdated. This risk increases during difficult economic times, when data breaches and mishandling rise significantly.
Organizations can make a big dent in risk reduction by removing rules and policies that allow large groups of users to access shared data unfettered. These are access controls that allow Everyone or Domain Users to access directories and files. Often they are in place because of file system defaults that are assigned when a new data folder is created on a file share. Removing these controls and replacing them with more restrictive ones that limit access to only the groups that require it (e.g., the finance group to the finance folder and the HR group to the HR folder) will significantly reduce the risk of unstructured data loss and misuse.
Technologies that provide visibility into all user access permissions enable organizations to more effectively remove excess access. Administrators can effectively use this information to remove unwarranted access and assign business rules without business disruption.
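One way to get the visibility step 5 calls for on a Windows file share, as an added example that is not part of the original article or any vendor product: walk the share, flag every Allow ACE granted to broad principals (Everyone, Authenticated Users, BUILTIN\Users, Domain Users), and record whether the ACE was inherited from a parent folder or set explicitly. The share path and report name are placeholders, and the remediation function is left as a deliberate separate call so it can be reviewed with the data owner first.

```powershell
# Added example: audit a file share for broad-access ACEs (not from the article).
# Assumes the account running it can read ACLs on the share; paths are placeholders.
param(
    [string]$SharePath = '\\FILESERVER\Finance',      # placeholder share to audit
    [string]$ReportCsv = '.\broad-access-report.csv'  # placeholder report path
)

# Principals that effectively grant access to every user in the domain.
$BroadPrincipals    = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$DomainUsersPattern = '\\Domain Users$'   # matches DOMAIN\Domain Users for any domain

function Get-BroadAccessAce {
    param([string]$Root)
    Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }   # skip folders we cannot read (log these separately)
            foreach ($ace in $acl.Access) {
                $id      = $ace.IdentityReference.Value
                $isBroad = ($BroadPrincipals -contains $id) -or ($id -match $DomainUsersPattern)
                if ($isBroad -and $ace.AccessControlType -eq 'Allow') {
                    [pscustomobject]@{
                        Path      = $dir.FullName
                        Identity  = $id
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited   # inherited ACEs must be fixed at the parent
                    }
                }
            }
        }
}

# Remove only explicit (non-inherited) Allow ACEs for one broad principal on one folder.
# Inherited ACEs are deliberately left alone: remove them on the folder that defines them.
function Remove-BroadAce {
    param([string]$Path, [string]$Identity)
    $acl   = Get-Acl -Path $Path
    $rules = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow'
    }
    foreach ($r in $rules) { [void]$acl.RemoveAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

$findings = Get-BroadAccessAce -Root $SharePath
$findings | Export-Csv -Path $ReportCsv -NoTypeInformation
# Summary of which broad principals appear and how often, for the owner review meeting.
$findings | Group-Object Identity | Select-Object Name, Count | Format-Table -AutoSize
# After review, e.g.: Remove-BroadAce -Path '\\FILESERVER\Finance\Budgets' -Identity 'Everyone'
```

Grant the replacement group-specific ACE (e.g. the finance group on the finance folder) before removing the broad one, so no authorized user loses access during the change.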
GRC is a broad-reaching initiative that organizations of all types are in the midst of or are planning to undertake. GRC efforts aim at putting in place the processes, technologies and behaviors that ensure the proper security, handling and management of digital assets in all of their forms and locations. This cannot be accomplished overnight, but it is important to get started now because data stores are growing exponentially and with them the risk of data loss and misuse.
As a guide for getting started, understanding what data you have and which of it is valuable to the business are important first steps. Identifying the business owners is also imperative in that doing so begins a vital collaboration between IT and the business. This communication and cooperation will ensure that any further efforts are properly vetted.