What is GRC?

GRC stands for Governance, Risk Management, and Compliance.

GRC comprises three disciplines that can help ensure an organization meets its objectives. An organization:

  • needs processes to monitor the achievement of its goals (governance)
  • should attempt to assess and mitigate the risks that may prevent this (risk management), and
  • should comply with relevant internal and external policies, regulations and laws (compliance).

We tend to assume that those objectives are “good”, and that GRC is about “good behavior” – but GRC is equally valid for a criminal organization (for example), with rather different aims!

GRC in IT: security is typically a major objective

Applied to the world of IT, we are (or we should be!) very familiar with processes that help us achieve objectives. Appropriate security is typically a major objective, and many procedures will be concerned with security. Other processes will include timely and accurate provisioning of IT services, cost controls, service levels, and disaster recovery. Risks will focus on such areas as loss of data through attack or disaster, identity theft, etc. Organizations are having to pay more and more attention to laws and regulatory requirements, particularly with regard to the data they keep about customers and employees, and who has access to that data.

The IT processes and solutions associated with GRC include:

  • Good identity management – automated provisioning/deprovisioning, maintaining accurate identity data across systems, and “knowing what you know”
  • Good access management – from robust request/approval processes, to automated group management, to formal Role-Based Access Control (RBAC)
  • Automation of certification/attestation processes: regular campaigns to re-approve or deny user access (roles and permissions)
  • Reconciliation: measuring the actual access users have against what it is intended to be according to business rules, reporting on the gaps according to risk classification, and – where possible – automatically remediating
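
The reconciliation step described in the last item, as an added example (not code from this page or from any product it names). The role names, entitlement strings, risk classes and the remediation policy are constructed assumptions: excess access is revoked automatically, missing low-risk access is granted automatically, and anything else goes to a reviewer.

```python
from dataclasses import dataclass

# Constructed business rules: the entitlements each role is intended to carry.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp:read", "reports:read"},
    "it-admin": {"erp:read", "ad:admin"},
}
# Constructed risk classification; an unclassified entitlement counts as high.
RISK = {"erp:read": "low", "reports:read": "low",
        "erp:approve-payment": "high", "ad:admin": "high"}
RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass(frozen=True)
class Gap:
    user: str
    entitlement: str
    kind: str    # "excess" (has it, should not) or "missing" (should, has not)
    risk: str
    action: str  # "auto-revoke", "auto-grant" or "review" (assumed policy)

def reconcile(user_roles, actual):
    """Compare actual entitlements with what each user's roles imply."""
    gaps = []
    for user in sorted(set(user_roles) | set(actual)):
        intended = set()
        # An account with no identity record (orphan) has nothing intended,
        # so everything it holds is reported as excess.
        for role in user_roles.get(user, ()):
            intended |= ROLE_ENTITLEMENTS.get(role, set())
        have = actual.get(user, set())
        for ent in sorted(have - intended):
            gaps.append(Gap(user, ent, "excess", RISK.get(ent, "high"), "auto-revoke"))
        for ent in sorted(intended - have):
            risk = RISK.get(ent, "high")
            action = "auto-grant" if risk == "low" else "review"
            gaps.append(Gap(user, ent, "missing", risk, action))
    # Highest risk first, so the report leads with the most serious gaps.
    return sorted(gaps, key=lambda g: (-RANK[g.risk], g.user, g.entitlement))

# Constructed sample: identity data (user -> roles) and access read from systems.
USER_ROLES = {"alice": ["finance-analyst"], "bob": ["it-admin"]}
ACTUAL = {
    "alice": {"erp:read", "erp:approve-payment"},  # one excess, one missing
    "bob": {"erp:read", "ad:admin"},               # matches the rules
    "carol": {"erp:read"},                         # orphan account
}

if __name__ == "__main__":
    for g in reconcile(USER_ROLES, ACTUAL):
        print(f"{g.risk:<5} {g.kind:<8} {g.user:<6} {g.entitlement:<20} {g.action}")
```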

Many tools are available, for example as features in Azure AD, and much more so in third-party tools such as IDdriven and Saviynt (there is huge variation in capability and price).


IT GRC can be particularly complex, so if your organization is looking for a solution or guidance, contact us. Our team of consultants is ready to advise you.