Are you happy with the alphabet soup of governance, risk and compliance you have to deal with?
You know: PCI DSS, SOX, FISMA, GLBA, GDPR, COBIT . . . and all the other acronyms emblazoned on your folder names and email headers?
Governance, risk and compliance (GRC) has a way of doggedly pursuing you once it’s part of your job. Imagine spending your work week dealing with constant change, shrinking deadlines, minuscule budgets, overtaxed staff and unforgiving regulations. You sit down to a warm bowl of alphabet soup on a brisk weekend afternoon and find “HIPAA” spelled out in your spoon.
What a drag.
Governance, Risk and Compliance for the Real World
GRC tends to spill over into IT a lot. Sure, your organization may have its own compliance officers or consultants to make sure that you’re following all the guidelines and regulations. But that requires a lot of reporting, and those officers and consultants eventually knock on your door with a long list of requests:
- A report of all systems, applications and devices in use
- Evidence that operating system and database vulnerabilities are patched
- A list of privileged users, such as administrators, contractor accounts and shared accounts, and evidence that they are not misusing their access rights
- A list of Active Directory users and the functions (group memberships and rights) each may perform
- Lists of local users and local group memberships on each system
- Employee logons from unusual locations or at unusual times/days
Fulfilling their requests keeps you from your ordinary tasks and can get on your nerves, especially if you’re not into that whole regulatory thing. Still, living in the real world of IT GRC means you have a lot of report generating ahead of you, so you may as well get used to it.
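To make that report generating concrete, here is an added example that is not from the original post or the e-book: a PowerShell script that gathers the six kinds of evidence listed above from a domain-joined Windows host. It assumes Windows 10/Server 2016 or later (for the LocalAccounts cmdlets), the RSAT ActiveDirectory module, and rights to read the Security event log. The output folder, the list of privileged groups, the 30-day lookback and the 07:00 to 19:00 "business hours" window are illustrative choices, not anything the post prescribes.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the post's or the e-book's own code. Collects GRC evidence
# into CSV files: system inventory, patch state, privileged users, AD users and
# their groups, local users and groups, and logons outside business hours.

param(
    [string]$OutDir       = 'C:\GRC\Evidence',   # assumed output location
    [int]   $LookbackDays = 30,                  # assumed reporting window
    [int]   $BusinessStart = 7,                  # assumed: 07:00 local
    [int]   $BusinessEnd   = 19                  # assumed: 19:00 local
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd'
$host_ = $env:COMPUTERNAME

# 1. Inventory of systems: every computer object in the domain, with its OS.
Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Export-Csv -NoTypeInformation (Join-Path $OutDir "systems-$stamp.csv")

# 2. Patch evidence for this host: installed updates and when they landed.
Get-HotFix |
    Select-Object HotFixID, Description, InstalledOn |
    Export-Csv -NoTypeInformation (Join-Path $OutDir "hotfixes-$host_-$stamp.csv")

# 3. Privileged users: recursive membership of high-privilege AD groups
#    (assumed list; extend it with your own delegated-admin groups).
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privGroups | ForEach-Object {
    $g = $_
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{n='Group'; e={ $g }}, Name, SamAccountName, objectClass
} | Export-Csv -NoTypeInformation (Join-Path $OutDir "privileged-users-$stamp.csv")

# 4. AD users and the groups (functions) they belong to, plus whether the
#    account is still enabled, which is what the "terminated employee" check needs.
Get-ADUser -Filter * -Properties MemberOf, Enabled, LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate,
        @{n='Groups'; e={ ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' }} |
    Export-Csv -NoTypeInformation (Join-Path $OutDir "ad-users-$stamp.csv")

# 5. Local users and local group membership on this host.
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon |
    Export-Csv -NoTypeInformation (Join-Path $OutDir "local-users-$host_-$stamp.csv")
Get-LocalGroup | ForEach-Object {
    $grp = $_.Name
    # Orphaned SIDs in a group make Get-LocalGroupMember throw; skip those rather than abort.
    Get-LocalGroupMember -Group $grp -ErrorAction SilentlyContinue |
        Select-Object @{n='Group'; e={ $grp }}, Name, ObjectClass, PrincipalSource
} | Export-Csv -NoTypeInformation (Join-Path $OutDir "local-groups-$host_-$stamp.csv")

# 6. Logons at unusual times: successful logons (event 4624) that are interactive
#    (types 2, 10, 11), not machine accounts, and on a weekend or outside business hours.
#    Property indices follow the 4624 schema: 5 = TargetUserName, 8 = LogonType, 18 = IpAddress.
$since = (Get-Date).AddDays(-$LookbackDays)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $_.Properties[5].Value
            LogonType = [int]$_.Properties[8].Value
            SourceIP  = $_.Properties[18].Value
        }
    } |
    Where-Object {
        ($_.LogonType -in 2, 10, 11) -and ($_.User -notlike '*$') -and (
            ($_.Time.DayOfWeek -in 'Saturday', 'Sunday') -or
            ($_.Time.Hour -lt $BusinessStart) -or ($_.Time.Hour -ge $BusinessEnd)
        )
    } |
    Export-Csv -NoTypeInformation (Join-Path $OutDir "odd-hour-logons-$host_-$stamp.csv")
```

Run it with an account that can read the Security log and query AD, then hand the CSVs to whoever asked. Two caveats a reviewer will raise: the script only sees this host's event log and installed hotfixes, so you need to run it (or a centralized equivalent) on every in-scope system, and the source IP in the logon report tells you where a session came from, not whether that location is "unusual"; that judgment still has to be made against your own list of offices and VPN ranges.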
Don’t forget that there’s an upside to all of the regulations you have to comply with: They exist to keep your organization’s name off the front page of the newspaper. Many of the data breaches, identity thefts, financial catastrophes and network compromises that make the headlines happen when organizations ignore or overlook these guidelines. Standards bodies collect the simple things companies keep overlooking, like terminated employees who still hold valid administrator rights or lax policies for applying security patches, and turn them into mandates.
Would you rather spend a couple of days generating reports or a couple of months untangling the mess from a breach that PCI DSS is designed to help you avoid?
New E-book to Help You Sift Through the Alphabet Soup of IT GRC
You’ll probably want to use governance, risk and compliance software to collect and report all this information, but before you even start shopping for it or learning how to use any compliance solutions, do yourself a favor and learn WHY to use it first.
My GRC team and I have put together a new, two-part e-book called Governance, Risk and Compliance for the Real World. Part 1 outlines GRC and its relationship to IT to help you connect the dots between the requests you’re receiving from compliance officers, consultants and auditors and the real world of regulations and mandates.
Read it over a hot bowl of alphabet soup, if you like. But not on the weekend; that’s downtime, even for IT.