It’s easy to bash the IT department; to deride it as the land of no and slow, a roadblock rather than a resource, a group it’s easier to work around than to work with when addressing urgent and rapidly changing business needs.
But technology is playing a bigger role than ever in businesses of all kinds, given the current and on-the-horizon risks of digital disruption of business models from developments like 3D printing, cloud computing, and the Internet of Things (IoT). (Example: one-hour photo shops were a rapidly growing business in 1988, but their numbers have plunged from more than 3,000 shops across the U.S. in 1998 to fewer than 200 today.)
That makes IT’s role more vital than ever. Practices, processes, and in some cases even attitudes need to change, to be sure, but now is the time to engage IT, not hate it. Forward-thinking companies like Nordstrom and Starbucks—while not “technology companies”—are embracing IT internally and externally to improve both operational efficiency and the user experience for customers and employees alike.
The increasing sophistication of data thieves, proliferating number of potential breach points, and growing value of stolen data combined to drive the number and cost of data breaches to new highs last year. And the risks to enterprises continue to expand.
But despite the growing threats, many enterprises remain woefully unprepared—even after investing in IT security solutions. According to recent research from Lieberman Software reported in Infosecurity magazine, “69 percent of (IT professionals) do not feel they are using their IT security products to their full potential. As a result, a staggering 71 percent…believe this is putting their company, and possibly customers, at risk.”
From serious breaches of customer data at Target, Home Depot and other major retailers to leaked private celebrity photos, data security issues seem to be everywhere in the news.
The circumstances and causes behind each intrusion vary. But the costs to business are substantial and nearly always include lost sales, legal expenses, and reduced customer confidence.
As the malicious exploits become more sophisticated, enterprises must constantly reassess their tools, policies and processes to keep sensitive information secure. In some instances, security improvements require significant new investments. But often, access—both digital and physical—can be made more secure while efficiency is simultaneously improved.
Frequently, organizations optimize security based on best practices within each functional area. This may (or may not) be effective, but from the perspective of the enterprise, it’s clearly not efficient.
A new white paper explains how enterprise request management (ERM) provides a better approach to securing access, both to facilities and systems. An ERM strategy combines a single, centralized web portal for requesting any type of enterprise service with a workflow automation engine that orchestrates approvals, scheduling and fulfillment by communicating with and between in-place enterprise and departmental management and control systems.
In the ERM approach, all of the information needed to arrange specific security clearances for a new employee, contractor, or project team is entered (and validated) only once. All back-end tasks (e.g., conducting background checks, setting up a corporate email account, printing a security badge) are automated according to pre-defined rules and workflows.
The result is more accurate information, reduction or elimination of manual tasks, and reduced risk of any aspect of the secure access process being missed. Security and efficiency are both enhanced.
IT Governance, Risk Management and Compliance Enables Competitive Differentiation, Cost Reduction and Growth.
By Nancy Nafziger
No one can deny that IT departments are under constant change. This is a huge challenge considering that IT departments are consistently under pressure to deliver a greater number of services faster, with more approvals, more complex processes, budget cuts, and, to top it off, greater regulatory requirements.
How does IT keep up with the demands of increased operational efficiency and governance, risk management and compliance mandates at the same time?
Wikipedia defines Governance, Risk Management, and Compliance (GRC) as the umbrella term covering an organization’s approach across these three areas. Being closely related concerns, governance, risk management and compliance activities are increasingly being integrated and aligned to some extent in order to avoid conflicts, wasteful overlaps and gaps.
IT governance, IT risk management and IT compliance are three well-defined disciplines that, in the past, existed in silos within large organizations.
Michael Rasmussen at Corporate Integrity, LLC defines GRC as follows:
Governance is the culture, policies, processes, laws, and institutions that define the structure by which companies are directed and managed.
Risk Management is the coordinated activities to direct and control an organization to realize opportunities while managing negative events.
Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures.
Rasmussen continues, “GRC is an approach to business. It is about individual GRC roles across the organization working in harmony to provide a complete view of governance, risk, and compliance. It is about collaboration and sharing of information, assessments, metrics, risks, investigations, policies, training, and losses across these business roles and processes.”
A successful integrated GRC strategy uses a single set of control material, mapped to all of the primary governance factors being monitored.
What are the three most common individual GRC roles?
Financial GRC. Relates to the activities that ensure the correct operation of all financial processes, as well as compliance with any finance-related mandates.
IT GRC. Relates to the activities that ensure the IT (Information Technology) department supports the current and future needs of the business, and complies with all IT-related mandates.
Legal GRC. Relates to tying all three roles together via a legal department and Chief Compliance Officer.
What exactly is IT GRC?
Using IT to manage the various Governance, Risk Management and Compliance Management processes of an organization.
Ensuring proper governance, risk management and compliance management of all IT systems and processes that support the business operations.
Implementing a unified IT GRC approach and managing the associated processes coherently will create operational efficiencies, provide visibility into IT processes and ensure accountability. IT plays a significant role in integrating GRC processes.
Okay, so how does IT keep up with the demands of increased operational efficiency, governance, risk and compliance mandates and reduce costs—all at the same time?
Encapsulate compliance processes into an automated system
Create structured, controlled software development processes
Apply best practice methodologies
Collaborate, collaborate, collaborate
Develop specific compliance reports/templates
Bring on new technology
In my opinion, encapsulating compliance processes into an automated system and bringing on new technology are most important.
Magid continues, a strong software compliance solution should:
Establish repeatable, automated compliance and change processes.
Link change lifecycle workflow to best practice methodologies.
Include compliance-related report templates supporting standards.
Create centralized management and visibility of IT assets, and progress reporting for auditing and performance improvement.
Provide a collaborative communication infrastructure that ensures IT services and software initiatives support overall business goals.
Reduce IT costs by ensuring project teams build the application correctly the first time around.
Enable communication between stakeholders of all changes in projects, and ensure appropriate notification, reviews and approvals.
Provide a secure, visible repository of all application artifacts.
If you are looking for a way to manage your IT GRC processes, now is the time to implement a request management system and an advanced workflow engine such as Kinetic Request and Kinetic Task. With this powerful system you can automate IT GRC processes such as:
Audit and Risk Processes. Includes the processes necessary for establishing internal audit and risk teams, conducting internal audits, and audit reporting.
Configuration Processes. Includes all the processes required for hardware and software configuration.
Human Resources Processes. Today’s IT organization mandates a detailed description of the IT organizational structure and additional hiring practices such as security requirements. This HR process starts with hiring and moves through training, job descriptions, job performance, and the end of a staff member’s job cycle (transfer to another department, promotion, or leaving the organization).
Operational Processes. Includes everything from roles and responsibilities through help desk processes, managing IT configurations, capacity management, allocating costs, accountability, and all other processes that keep an IT organization on track.
Acquisition Processes. Includes the processes necessary for planning and the documentation crucial for acquiring new software and hardware.
Kinetic Request and Kinetic Task enable you to reduce costs, streamline your IT GRC processes, improve IT efficiency and gain full control of complex GRC approvals and tasks.