Selecting GRC Software?

The term GRC (Governance, Risk and Compliance) is heavily overloaded; that is, it carries several definitions at once. Think of an overloaded method in code: the same name resolves to different behaviour depending on the context in which it is called. Let's take the three terms apart to show what I am driving at.

Governance of IT most often means aligning the capabilities of the IT resources to the needs of the business. What would automated governance look like? I would argue that it looks like a change management system, but it could also be a policy management system or a performance scorecard.

Risk is usually treated as the management of the risk to the enterprise created by the business's IT infrastructure. Should IT not really be concerned only with the risk to the business that results from IT's ability to manage business data? Does that mean disaster recovery and business continuity? Yes, but it also means data loss prevention, incident management, and vulnerability management.

Compliance, usually IT security compliance, means protecting data using the tools and techniques of IT governance and IT risk management. It can also mean software licensing compliance, management of security settings, security alert logging, and intrusion detection.

My purpose with this discussion is to remind those new to GRC, and in particular those shopping for GRC software, that GRC means different things to different organizations. Start with the GRC needs of your own organization: prioritize and price those needs, compare them against the software and tools you already have, and only then go looking for software to close the remaining gaps. Very rarely will a GRC gap analysis result in the purchase of a single software package. Likewise, GRC is heavily people- and process-driven, so do not expect software to close much more than about 20% of the GRC gaps in your organization.

Compliance Guide Published by Microsoft

Socair Solutions was one of the authors of an information security guide that maps COBIT's information categories to various national and international regulations, including the EU Data Protection Directive (EUDPD), Sarbanes-Oxley, and the Health Insurance Portability and Accountability Act (HIPAA). Microsoft has now released the guide to the general public.

Compliance for Microsoft System Center Operations Manager and Configuration Manager

Socair is providing specialized input and support for the development of security and compliance packages for Microsoft System Center Operations Manager (SCOM 2007) and Microsoft System Center Configuration Manager (SCCM 2007). For information on these packages, contact our partner Secure Vantage Technologies.