One of the big issues I hear from many customers and colleagues working in GRC is that there are just so many different approaches and methodologies in play to address our challenges that implementing an end-to-end GRC program is hampered. In the IT GRC world alone, we have, to mention a few:
· IT Governance Institute’s COBiT and governance guidance
· ITIL framework for IT Service Management
· ISO 27000 series for security, which touches many aspects of IT
· NIST approaches for Risk Management, including 800-30
· OCEG’s Red Book, covering many aspects of Enterprise GRC, including IT GRC.
CIOs need approaches that dovetail with transforming IT as a Service
What all these lack is a common high-level approach that resonates with what a CIO is increasingly building as IT becomes more of a service.
We absolutely need to start aligning our approaches, even at the highest level, if we are to advance the cause of integrating and gaining synergies with end-to-end programs for GRC.
One of my past colleagues, Scott Crawford, Research Director at Enterprise Management Associates, completed a study a few years ago that showed that organizations that adopt ITIL have more mature GRC programs. I want to say ‘of course!’ but as it turns out, this isn’t that obvious to those GRC practitioners that have little insight into ITIL.
Here’s a thought – why not abstract approaches to a higher level that can accommodate the internationally accepted standards and methods – using the main stages of ITIL?
At EMC Consulting, in fact, that is what we are doing, and it works well. IT GRC involves all the aspects of IT – from business continuity and data protection, through information governance and life cycle management, asset management, change and configuration management and, of course, security management.
Integrating ITIL stages with GRC
Here’s a diagram showing how to pull together the main phases of ITIL: Strategy, Design, Implement and Operate – and move around the life-cycle whether you are looking through the governance-only lens, the risk management/security-only lens, the compliance-only lens or any combination.
This sort of approach typically resonates more with the cloud and datacenter folks, the pure IT folks. But as we transition to the cloud (a good read on this, pulling the concepts together, is Chuck Hollis’s recent post on the 10 Big Ideas Shaping IT Infrastructure Today), isn’t that what we need to do as GRC practitioners? Isn’t the GRC-enabled cloud, whether private or public, a key end-state?