Problem solve Get help with specific problems with your technologies, process and projects.

IT GRC: Combining disciplines for better enterprise security

IT governance, risk management and compliance (GRC) is a growing area of information security that isn't clearly defined. In this tip, Forrester Research's Khalid Kark defines the components of IT GRC and offers advice on how CISOs and organizations can adopt unified governance, risk management and compliance strategies to build a successful IT GRC program.

IT governance, IT risk management and IT compliance are three distinct disciplines that in the past have existed...

in silos within organizations.

Today, many organizations no longer see these activities as individual, one-time projects handled in separate parts of an organization. Many commonalities and interrelationships exist between these three disciplines.

Adopting a unified IT governance, risk management and compliance (IT GRC) approach, and managing the associated activities coherently will create efficiencies, provide a holistic view of the IT environment and ensure accountability.

Defining the components of IT GRC
Business imperatives, increased regulatory pressure and customer demands are forcing many CIOs and CISOs to adopt a structured, enterprise-wide approach to IT GRC. Today, enterprises are acknowledging that a mishmash of technologies and processes working in silos inevitably leads to inefficiency, increased costs and present higher risks to the organization.

There is currently a lot of confusion on what exactly IT GRC is and what subcomponents to consider when establishing a program. Although the specifics of developing an IT GRC program will vary based on the individual circumstances of every organization, having common definitions and broad objectives for each will establish a high-level approach for the program.

    Want to know more?
For more information on GRC geared specifically toward financial services security professionals, visit our sister site,

IT governance establishes decision structures and tracking mechanisms. At its most basic definition, IT governance primarily determines how decisions are made, who makes the decisions, who is held accountable and how the results of decisions are measured and monitored. Although many organizations have some form of IT governance in place, the governance processes are ad hoc, siloed and informal.

Organizations need to ensure that they have the appropriate governance structures in place; structures such as technology steering committees, architecture review boards and project review boards.

The second step is to ensure that the appropriate processes exist to guarantee consistency and transparency. For example, processes for proposing projects, approving IT investments and prioritizing IT projects.

Third, organizations need to ensure that there is appropriate communication and accountability to measure the outcomes of IT decisions, whether these decisions are technical, monitory, human resource, etc.,. Project status reports, ROI analysis and balanced scorecards would be examples of such communication and monitoring.

IT risk management helps mitigate adverse effects and identifies opportunities. IT risk management activities go far beyond traditional IT security responsibilities. As IT environments have become more complex and business reliance on technology has increased, CIO and CISOs are faced with a daunting challenge. Not only are they asked to deal with ever-increasing and multifaceted threats, but they are also challenged to provide increased capabilities within their businesses. That means successfully adapting to changing business needs and enhancing technology capabilities while guarding against adversity. An organization's technology architecture must support this effort though greater flexibility, automation and efficiency.

For more information:
In this Compliance School tip, Richard E. Mackey explains how to approach control and governance frameworks and why they're helpful in mitigating risks.

Contributor Khalid Kark defines the framework behind implementing a successful enterprise risk management .
Mike Rothman looks back at the key compliance events of 2007, and examines what security professionals can expect for 2008.

IT compliance establishes and monitors IT controls. IT compliance should ensure that an organization is not only adhering to laws and regulations, but is also taking into account corporate responsibilities and industry standards. An organization should also be mindful of corporate intellectual property protection responsibilities and develop a control framework based on industry standards such as COBIT.

Compliance activities include conducting regulatory research, mapping control requirements to regulations, designing IT controls, advising IT and third parties on control requirements and assessing and reporting compliance with regulatory and other requirements.

Many organizations are moving toward a common control framework that can meet multiple regulatory, legal and audit requirements simultaneously. Many software vendors now offer products with built-in mappings for multiple regulations, frameworks and management.

Take a unified approach to align IT GRC initiatives. IT GRC initiatives have traditionally been scattered across organizations without any coordination or synchronization. It's not uncommon for different business areas to develop their own solutions for the same requirement or for IT to deploy multiple technologies to address a common issue. These separate initiatives create inefficiency and make it very hard to assess and manage risks holistically.

"IT governance primarily determines how decisions are made, who makes the decisions, who is held accountable and how the results of decisions are measured and monitored.

As a result, there is a growing demand for products that help IT organizations effectively break down these silos and create a centralized approach to managing risk and compliance while simultaneously ensuring good governance.

Ensuring IT GRC success
To make an IT GRC program effective, CIOs and CISOs need to:


  • Understand dependencies and provide a common approach. Governance, risk and compliance functions depend on each other to be successful. The governance program measures against the control frameworks and IT compliance requirements to implement the IT strategy. The compliance program utilizes IT and business risks to rationalize the controls it needs to execute and maintain. Finally, the risk program determines risks based on IT governance activities and utilizes control activities and measurements from the compliance program to determine the existing risk profile for an organization. All three programs running in parallel, but in coordination with each other, are required for an effective GRC program.


  • Unify controls for IT risk and compliance. The processes for identifying and reporting IT risk and IT compliance may be different, but a common control framework can be to establish and measure security controls. Establishing a common control framework that fulfills the internal and external compliance requirements, while managing IT risk to corporate resources reduces duplication of effort, ensures consistency and breaks down the silos.


  • Enable IT governance by establishing accountability. Establishing accountability is an essential part of an IT GRC strategy that many organizations struggle with. The step for establishing accountability is to ensure that roles, responsibilities, governance structures and processes are clearly articulated, communicated, and understood by a board of directors, executive management, business management, IT management, employees and shareholders. The second step is to ensure appropriate measurement and reporting mechanisms are in place in order to monitor and measure critical areas and adjust the course based on those measurements.


  • Align technology and processes for efficiency and consistency. Although technology plays an important part in automating, aggregation, analysis and reporting of IT controls, it's not the only ingredient CIOs and CISOs need to establish a core set of processes and define touch points between IT governance, risk and compliance activities. Once those processes are established, only then can technology help automate and augment those processes.

    Coordinating and pushing a coherent IT GRC approach across different parts of the organization requires significant effort and persistence. The benefits may not be evident right away, but having a structured program ensures long-term benefits such as enhancing IT governance capabilities, helping mitigate IT threats more effectively and simplifying regulatory compliance.

    About the author
    Khalid Kark is a principal analyst at Forrester Research where he contributes to its offerings for security and risk management professionals. He is a leading expert in security management, compliance, best practices and services. For more information on Khalid or to review additional research, please visit:

This was last published in January 2008

Dig Deeper on Information security policies, procedures and guidelines