GRC is a relatively new and little-known concept. So, what is it? Gartner gives the following definition: “GRC is neither a project nor a technology, but a corporate objective for improving governance through more-effective compliance and a better understanding of risk impact on business performance.” In other words, GRC can be expanded into three elements: governance of the organization by senior management (Governance), information security risk assessment (Risk Management) and assessment of compliance with legislation (Compliance). The idea behind GRC is to manage all three processes together.
The GRC concept allows information security professionals to speak the language of business, justifying investment in information security projects in terms of financial and reputational risks, concepts that are close and significant to the business.
It is worth noting that GRC is not a one-box solution, but a set of integrated modules or products plus a document base (policies, procedures, regulations) and competent staff who are actually guided by that documentation in their work. Each GRC implementation is inherently unique and should be adjusted as closely as possible to the tasks, processes and technology of the particular business; the effectiveness of the GRC system depends on this.
The advantage of implementing a GRC system is that up-to-date information about the current state of the IT infrastructure and the associated information security risks, in relation to a specific business process, can be obtained at any time, by automatically integrating the security controls of various types and vendors deployed in the company (security scanners, SIEM solutions, etc.). This minimizes the human resources needed to process the large amounts of information that each security control previously generated individually, and allows managers to build a more efficient IT infrastructure management process in the company.
GRC systems are divided into Information Technology GRC (IT GRC) and Enterprise GRC (EGRC).
EGRC is mostly used by employees of non-IT departments (legal, operations, human resources, etc.), while IT GRC is focused on IT processes. At the same time, IT GRC is built in such a way that non-IT staff can also use the full capabilities of the system to assess the impact of IT on the business.
According to Gartner, IT GRC technology is showing positive growth in the global market and has already passed its first peak of popularity, but has not yet reached the stage of stable development, while EGRC is already considered a mature technology.
Unlike Western companies, which must comply with the requirements of SOX, Basel II, HIPAA and others, Russian regulators do not yet mandate the implementation of GRC. However, the ISO 27001 standards already include recommendations on company rules and procedures for effectively managing information security risks.
In its analytical report (What The Business Doesn’t Understand About IT GRC), Forrester noted a positive effect on the business from GRC implementation at 50% of foreign companies. However, unsuccessful implementation attempts are also known, caused by the wrong approach to building the system.
Building an integrated IT infrastructure management process with GRC solutions is still best recommended to companies with mature information security: those that have implemented, at least partially, security risk management processes, vulnerability and information security incident management processes, information asset management procedures, and established processes of periodic internal audits of enterprise information security, and whose management is aware of the importance of these processes and of the impact of the information security level on the business.