One of the key GRC challenges that risk and InfoSec professionals face today is gaining a consolidated view of risk, compliance, and internal controls across the enterprise. To achieve this, organizations are moving away from a siloed approach towards an integrated enterprise GRC program with well-structured and visible risk reporting frameworks, unambiguous control systems, and streamlined InfoSec risk management processes, all of which can improve accountability and communication.
Securing IT assets against widely prevalent incidents such as data and identity threats and other security breaches has become a top priority for businesses. The advent of the cloud, advanced mobile technologies, and other complex infrastructures has also dissolved the traditional network perimeter and increased the bottlenecks in information security.
A futuristic governance strategy combined with a common risk and control framework, and efficient compliance processes can provide a gateway to better security and risk intelligence.
The financial cost of information breaches can deal a hard blow to an organization’s profits in the long run. Therefore, organizations need to be more vigilant, and devise reliable ways of mitigating potential risks posed by the new virtual and mobile eco-system. The need of the hour is an enterprise-wide, consolidated, and integrated approach to Governance, Risk, Compliance (GRC) and internal controls.
A financial services firm, a law firm, and a large pharmaceutical company will all have totally different governance strategies and protocols. There is no “one size fits all” method. Yet governance is becoming an increasingly complex issue today. Below is a brief look at a few significant governance challenges:
How do you express vulnerabilities due to an unpatched piece of software or an access control violation in business impact terms?
- Often, it is difficult to get the business to own risks that have security or technology antecedents. While security professionals view most risks as security or IT risks, risk management teams consider them control failures, or threats and vulnerabilities. Traditional risk managers prefer to describe risks in terms of their potential business impact, but that is difficult to do in the field of security.
- Getting the business owner of a risk to make a sound decision on remediating that risk can be a major hurdle. Also, while compliance-related risks such as SOX or PCI issues gain more prominence, attempts to protect critical information assets are often sidelined. This “reactive” or “passive” governance hurts organizations.
- Another challenge is aligning policies with the desired behavior, regulatory requirements, contracts (SLAs), and business obligations. Very often, organizations don’t update their policies to reflect changing technologies or new business risks. For instance, consider an organization that still has policies on modems even though modems have become more or less obsolete.
The pressing problems in governance can be resolved in the following ways:
The first step is to define a set of thresholds that reflect risk appetite, and then map these thresholds to policies that govern people, processes, and systems. By doing so, it is possible to link risks that are unique to security and IT to the thresholds, and ultimately define business ownership of these risks.
Alongside, an integrated GRC framework can be adopted to map regulatory and business requirements to policies and controls standards, and further link them to assets and controls. When security risks are introduced into this “content tree,” businesses can better understand their impact.
A GRC platform will help to explicitly map all policies to the relevant controls, and thereby gain a much better idea of risk exposure.
Eschewing paper-based solutions for an automated system will speed up policy updating and controls monitoring.
Organizations can improve accountability for security and IT risks by clearly understanding their governance model. Where are decisions being made, in which committees, and with what mandate? It is very important to identify, and lobby for, a working group or committee to which the security team can present the big picture.
ENHANCING RISK MANAGEMENT
Many organizations lack sufficient visibility into IT risks and controls across the enterprise, as well as the supplier and cloud eco-system. Some do not have a clear process to identify and treat emerging cloud, social, and geo-political risks. There is also the difficulty of getting clarity into risk appetites and thresholds.
Bad decisions on technology and application requirements can lead to application sprawl and the spread of complex and often inter-related technologies across the enterprise, which only heighten IT risks. This problem is compounded by the fact that many organizations don’t give enough importance to change management.
Organizations can stay ahead of these risks through the following methods:
New processes have to be devised to deal with new risks. It is also critical to have an effective change management process in place.
As security architectures become more complex, there is a greater need to correlate information in real time and separate the wheat from the chaff, i.e., the real risks from the simple threats. This is only possible when security teams have sufficient visibility into risks and the controls used to mitigate them. A coherent risk and control framework facilitates a common issue management and remediation process, and can be achieved by leveraging a GRC platform.
It is also important to form special executive and working committees who regularly conduct meaningful and ongoing risk conversations. All key stakeholders across an organization must be part of the wider discussion on acceptable risk levels. Security professionals also need to take the time and effort to communicate with executive management teams, and bring to light key risks and threats.
A GRC platform allows organizations to transcend business and functional silos, and gain greater control over their risks.
The dynamic and stringent regulatory environment makes compliance a daunting exercise. Often, organizations end up testing too many compliance controls, or fail to automate control monitoring processes. Continuously monitoring controls is tough, and is further complicated by a patchwork of multiple point solutions that hamper data correlation. Moreover, organizations are often not updated on changing regulatory requirements, and fail to gauge their impact on the enterprise.
Compliance issues can be resolved by adopting the following key steps:
The focus while testing controls should be “test one, report many”: a single control assessment should be designed to satisfy multiple regulatory requirements at once.
The emphasis must be on simplifying and streamlining compliance processes. Many visionary organizations understand that the key is to implement GRC systems with embedded regulatory content. These systems integrate with regulatory monitoring feeds, giving organizations the ability to see precisely what policies and controls are affected by regulatory changes or new requirements.
A robust risk and control framework that is well mapped to regulations, policies, and controls, will help measure the impact of new regulations and controls more accurately and quickly. In addition, a consolidated framework for automated controls monitoring and management is critical to be able to identify patterns in vast amounts of data, and derive security intelligence.
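The “test one, report many” idea above can be made concrete with a small control-mapping engine. The following is an added example, not code from the original insight or from any GRC product it describes: each control in the catalog is assessed once, and the result is rolled up to every regulatory requirement that control satisfies, per framework. All framework names, requirement ids, control ids, and test results are constructed sample data, and the requirement precedence rule (fail over untested over pass) is an assumption chosen for the example.

```python
"""Added example (not from the original whitepaper): a minimal
'test one, report many' control-mapping engine.

One control assessment maps to requirements in several frameworks; the
engine rolls results up per framework and flags requirements that no
control covers. All identifiers and results are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    control_id: str
    description: str
    # framework name -> requirement ids this single control satisfies
    satisfies: Dict[str, List[str]] = field(default_factory=dict)


# Constructed catalog: each control is tested once but maps to many requirements.
CATALOG = [
    Control("AC-01", "Quarterly access review of privileged accounts",
            {"FRAMEWORK-A": ["A-7.1", "A-7.2"], "FRAMEWORK-B": ["B-3"]}),
    Control("PM-01", "Critical patches applied within 30 days",
            {"FRAMEWORK-A": ["A-6.2"], "FRAMEWORK-B": ["B-5", "B-6"]}),
    Control("LG-01", "Central log collection with 12-month retention",
            {"FRAMEWORK-A": ["A-10.1"]}),
]

# Constructed requirement universe per framework, so coverage gaps can be found.
REQUIREMENTS = {
    "FRAMEWORK-A": ["A-6.2", "A-7.1", "A-7.2", "A-10.1", "A-11.3"],
    "FRAMEWORK-B": ["B-3", "B-5", "B-6"],
}

# Assumed precedence when several controls back one requirement:
# any failing control fails the requirement; any untested control leaves it untested.
RANK = {"pass": 0, "untested": 1, "fail": 2}


def requirements_per_test(catalog: List[Control]) -> Dict[str, int]:
    """How many requirements one assessment of each control reports on."""
    return {c.control_id: sum(len(v) for v in c.satisfies.values()) for c in catalog}


def report_many(catalog: List[Control], requirements: Dict[str, List[str]],
                results: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Roll single-control results (control_id -> 'pass'|'fail') up to every
    mapped requirement in every framework. Controls absent from `results`
    count as 'untested'. Requirements with no mapped control are 'unmapped'."""
    report = {}
    for fw, req_ids in requirements.items():
        status: Dict[str, str] = {}
        for ctl in catalog:
            outcome = results.get(ctl.control_id, "untested")
            for req in ctl.satisfies.get(fw, []):
                prev = status.get(req, "pass")
                status[req] = max(prev, outcome, key=RANK.__getitem__)
        report[fw] = {
            "pass": sorted(r for r, s in status.items() if s == "pass"),
            "fail": sorted(r for r, s in status.items() if s == "fail"),
            "untested": sorted(r for r, s in status.items() if s == "untested"),
            # Requirements in the framework that no control in the catalog covers:
            # a mapping gap to close before claiming compliance.
            "unmapped": [r for r in req_ids if r not in status],
        }
    return report


if __name__ == "__main__":
    sample_results = {"AC-01": "pass", "PM-01": "fail"}  # LG-01 not yet tested
    for fw, section in report_many(CATALOG, REQUIREMENTS, sample_results).items():
        print(fw, section)
    print(requirements_per_test(CATALOG))
```

The "unmapped" list is the part worth watching in practice: a framework that shows only passes but still has unmapped requirements is a mapping gap, not a compliant state.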
MEETING SECURITY CHALLENGES
Organizations today face three fundamental security issues. The first is the challenge of distinguishing between a real security threat and a normal activity or issue that can be safely ignored.
The second is poor integration and correlation across security operations. And the third is immature security services across threat intelligence, vulnerability management, or IT risk assessments - which can cripple an organization’s defenses. Threats these days are much more advanced, insidious, and sophisticated than ever before. So organizations can’t rely solely on basic firewalls.
The way to a secure IT environment:
It is critical to build a formal threat intelligence function, and effectively assess threats against one’s specific vertical and organization. The findings must be integrated into risk tolerance discussions, so that organizations can identify and evaluate the real risks.
The integration and correlation across security operations (SOC/SIEM/DLP/IDM) must be improved. This will help weed out the “false positives” and “noise,” and identify what one really needs to know.
An integrated GRC technology framework can help by bringing together IT security, risk, and compliance, and linking it to enterprise GRC within one consolidated system. It can also help in seamlessly routing various risk and control issues through incident and issue management processes.
OVERCOMING CLOUD CONCERNS
In the last few years, the cloud has introduced a whole new level of flexibility and cost-efficiency to business operations. But it has also brought in new security risks, which are difficult to manage and mitigate.
The issue is that security professionals are hardly ever involved in cloud strategies. They are often the last to know that some part of the organization is being outsourced, or that a new cloud service provider has been introduced. So they end up conducting security assessments too late, and are often scrambling to catch up.
There is also a lack of consistent reporting on controls across cloud service providers. Thus cloud auditing becomes difficult.
Another challenge is aggregating and rationalizing control and compliance information across multiple Cloud Service Providers (CSPs). Add to this the lack of consensus on what risks are truly cloud related, and it is no surprise that many security professionals have sleepless nights.
Clearing security issues from the cloud:
What needs to be done is simple: security teams should become active partners in driving the cloud strategy.
The ENISA Cloud Risk Assessment, published in 2009, is a good reference for addressing risks in the cloud.
Businesses need to demand better control information from providers, and explore new innovations like CloudAudit. They could also define CSP control frameworks, and drive these requirements in Service Level Agreements (SLAs).
A GRC technology framework can help by integrating with CSPs to automatically aggregate specific control states, risks, and events, and route them through an incident or issue management process.
Organizations should be able to distinguish between the controls they own, and the controls the CSP owns. These controls, in turn, should be mapped to security compliance requirements.
Organizations need to assess the business value of security services, and outsource certain security services to achieve more tangible results.
It is also important to keep abreast of new cloud security risks and issues. A lot of work has been done in this area, but much is still in a nascent state. Ultimately, it is left up to each company to stay abreast of cloud risks and issues, and understand the best ways to mitigate them.
IN A NUTSHELL
The roadmap to stronger IT security must lay out a centralized governance strategy and a consolidated risk and controls framework.
Organizations also need to have foresight while performing regular risk assessments, and the internal security teams need to proactively participate in these exercises. In addition, security methodologies and controls processes must be evaluated for their maturity and effectiveness.
Organizations can meet the challenges in the cloud by accurately determining CSP controls, and fixing the scope of responsibility.
An advanced GRC platform can enable organizations to drive these risk and control processes, with a bird’s eye view of compliance. It helps eliminate organizational silos, facilitates integration and collaboration, and offers a unified view of enterprise and IT risks. Organizations can thus fortify their IT infrastructure more efficiently and effectively.