GRC Tools Help Manage Regulations
This article can also be found in the Premium Editorial Download "Information Security magazine: Five crucial virtualization do's and don'ts."
Download it now to read this article plus other related content.
Our goal was to create tests that address the promise of GRC while not favoring any particular technical strategy for getting there. We wanted to test the heart of GRC, the products' ability to:
Purchasing a GRC product is difficult, so we designed a flexible testing approach tied to real-world deployment scenarios to account for the range of corporate requirements, the expansive nature of the products and their varying levels of maturity. To do this, we foremost wanted to create a set of hypothetical scenarios that simulate how most organizations would typically use and deploy GRC products. We drew on real-life experiences and pain points to create regulatory, oversight and technical challenges, such as any organi- zation might face, and how the products might solve these challenges in a typical deployment context. Specifically, our goal was to test the "promises" of GRC (see "'Promising' Products," below).
- Author, distribute and map policy and controls to the governing regulation, as well as to keep track of exceptions to those policies/regulations (compliance)
- Assess the proper technical and non-technical operation of controls, and to mitigate/remediate areas where controls are lacking or not operating properly (governance)
- Assist in quantification, analysis and mitigation of risk within the firm (risk)
This was first published in June 2008