Generally, GRC stands for Governance, Risk Management, and Compliance – in the world of IT, we tend towards a particular view of the term, which we will come to.
GRC are three disciplines that can help ensure an organization meets its objectives. An organization:
- needs processes to monitor the achievement of its goals (governance)
- should attempt to assess and mitigate the risks that may prevent this, (risk management) and
- should comply with relevant internal and external policies, regulations, and laws (compliance).
We tend to assume that those objectives are “good”, and that GRC is about “good behaviour” – but GRC is equally valid for a criminal organization (for example), with rather different aims!
GRC in IT: security is typically a major objective
Applied to the world of IT, much of our focus will be around data, who has access to it, how it is protected, and are (increasingly onerous) legal requirements being met? Other considerations include timely and accurate provisioning of IT services, cost controls, service levels, and the risks of losing data (for example through an attack or disaster) and the ability to recover from that.
The IT processes and solutions associated with GRC include:
- Good identity management – automated provision/de-provisioning, maintaining accurate identity data across systems, and “knowing what you know”.
- Good access management – from robust request/approval processes to automated group management, to formal Roles Based Access Control (RBAC).
- Automation of certification/attestation processes: regular campaigns to re-approve or deny user access (roles and permissions)
- Reconciliation: measuring the actual access users have against what it is intended to be according to business rules, reporting on the gaps according to risk classification, and – where possible – automatically remediating
IT GRC can be particularly complex, so contact us if your organization is looking for a solution or guidance. Our team of experts is ready to advise you.