Archive for the ‘GRC’ Tag

How to Simplify Your Governance, Risk Management and Compliance Process

This week’s eWeek has my article on how to simplify governance, risk management and compliance processes with a new model.

http://www.eweek.com/c/a/IT-Management/How-to-Simplify-Your-Governance-Risk-Management-and-Compliance-Process/

Table of Contents:

  1. How to Simplify Your Governance, Risk Management and Compliance Process
  2. Roadblocks of Traditional Maturity Model
  3. Process-Only Technologies Can’t Scale
  4. A Better Deployment Maturity Model
  5. Benefits of Vertical Maturity Model

Please give it a read. I would love to hear your feedback on the article.

Agiliance recognized as top GRC vendor by Gartner two years running

Pravin Kothari

This is the time of year when all the IT GRC vendors hold their breath to see how they are ranked in the Gartner IT GRCM MarketScope.  I’m happy to say that for the second year in a row, Agiliance RiskVision has received the highest possible rating of “Strong Positive”.  Not only have we retained the highest ranking from last year, we also scored at the top for all three core IT GRC capabilities.  As a result, we have further separated ourselves from other vendors in terms of having the most capable IT GRC solution.  Here are the actual scores:

  • Controls and Policy Mapping: 5.0 out of 5.0, highest of all vendors
  • Automated General Computer Controls Collection: 5.0 out of 5.0, highest of all vendors
  • IT Compliance Dashboard: 4.5 out of 5.0, highest of all vendors

This also gives us the highest score, 4.8 out of 5.0, for the Automated Technology Control Assessment use case.  This is an important accolade because the true value of an IT GRC solution lies in automation.  The GRC market is quickly maturing to focus on the Risk component.  Risk is dynamic and inherently real-time, especially when it comes to IT and security risks.  As business processes continue to be automated and data becomes electronic, every risk in the enterprise will be correlated to IT and security risks.  Thus it is impossible to manage enterprise risk unless you can manage risk in real time, and managing risk in real time requires end-to-end automation.  Of all the IT GRC technology components, automated technology control and risk assessment are by far the most difficult to build.  This type of automation requires highly scalable engines to perform real-time data correlation and calculation across large data sets.  I would like to give kudos to my Agiliance engineering team for achieving the highest score on the toughest portion of the evaluation criteria.

Two major changes are noteworthy in this year’s MarketScope.  The first is the inclusion of some EGRC vendors and the addition of Financial and Operations GRC Support as the fourth Critical Capability.  This change is somewhat controversial, because it is based on the hypothesis that the traditional EGRC and IT GRC markets as we know them today will converge into one.  While there are signs of that buying pattern, we also see a very strong trend indicating possible convergence of IT GRC with security and configuration management products.  The two different trends are driven by two different buying centers.  The CFO and internal audit are the buying centers for EGRC solutions.  They are now asking for more in-depth and timely data from IT, which drives EGRC solutions to include better IT GRC capabilities.  However, the CFO and internal audit do not look for the very granular and real-time data that the CIO and CSO need, so for the CFO buying center some limited extension of EGRC solutions may be all that is required.  There may be more IT data, but the data is still static and high level.  The CIO and CSO, on the other hand, are the buying centers for security and configuration management and now for IT GRC solutions.  The CIO and CSO look for real-time risk management and situational awareness with continuous connectivity to the IT infrastructure.  They need GRC solutions that can support IT operational requirements.  A purely survey- and workflow-based solution may be useful to check the box for compliance needs, but it is of no practical use as an IT operations tool.  So how important are EGRC requirements when you are looking for an IT GRC solution?  It depends on what your function is and what you are looking to achieve with the solution.

The second change in this year’s MarketScope is that Gartner has done away with the Out-of-the-Box vs. Rapid Development Platform differentiation.  The new differentiation is Top-Down vs. Bottom-Up.  This new differentiation is a good way to capture the difference between the EGRC vendors and the IT GRC vendors, and it is a shorthand for the different buying-center needs discussed above.  The CFO and audit approach is top-down, with little detail from IT and security.  A top-down approach provides a nice enterprise-wide picture quickly, but it lacks detail and is not capable of reflecting the real-time nature of risk.  A bottom-up approach provides real-time visibility and the ability to react, but can be more narrowly focused on just IT risks.  Most organizations will need a combination of both Top-Down and Bottom-Up approaches to be effective.  Today no one solution can meet the needs of both buying centers, and it is likely that no one solution ever will.  The best approach for most organizations is still to buy the best-of-breed solution based on requirements and roadmap.  The CIOs and CISOs we talk to are looking for a strong automation-oriented GRC platform that can integrate with their existing IT and security management tools to provide real-time visibility and operations support.  They also want the tool to have very good Top-Down capabilities to support process-centric use cases.  This was my goal when I founded Agiliance years ago, and it’s gratifying to have Gartner validate that our solution and approach are a great fit for our target market of CIOs and CSOs.

Article: How can healthcare organizations get started with GRC?

Pravin Kothari

This is a nice article just published in Health Management Technology, written by my colleague Ed King.  It spells out some very concrete ways a healthcare organization can start using GRC solutions to manage risk and achieve continuous compliance.   The three top-level suggestions are:

- Improve the integrity and efficiency of compliance

- Improve visibility and effectiveness of policies

- Improve awareness of and ability to mitigate risks

Give it a read and I would love to hear your feedback on the article.

Forrester’s Robert Whiteley: Note to CISOs – Be the Automator, Not The Automated

Pravin Kothari

Here is an insightful blog entry from Robert Whiteley of Forrester Research.  It is very timely given our recent discussion threads on how CISOs must take a more risk-centric approach to security, and on how you cannot manage risk effectively without automation.  The more progressive CISOs are actively looking to increase the degree of automation around security operations while at the same time expanding their scope of responsibility to become the Chief Risk Officer for the organization.

GRC and the Cloud

Pravin Kothari

This is RSA Conference week, so let’s take a short break from our threat management discussion and talk about RSA Conference a little bit.

It’s always interesting attending the RSA Conference.  You meet new people and catch up with old friends.  Besides seeing new technologies, one of the most fun things to do is to hear how different vendors spin their marketing to align with the theme of the conference, and trust me, some spins are really stretching it.  This year’s theme is Cloud Security.  A few announcements came out from GRC vendors (and their parent companies :) ), almost all high level with no details, seemingly just to get the company name and the word cloud into the same press release.

So what exactly does cloud mean to GRC, and vice versa?

  • GRC solution in the cloud: This is being able to buy a GRC solution using the SaaS model and consume it as just another solution from the cloud.  Nothing too new and exciting here.  It is no different from people using salesforce.com for CRM.  Any GRC vendor worth its salt has a SaaS offering.
  • Integrate GRC with the cloud: As companies start to buy IT solutions that are cloud based, GRC solutions must be able to connect to those cloud-based applications to provide data collection and automation.  Unlike on-premise systems, where you can always resort to the flat-file dump and import method of integration, not all cloud-based solution vendors can support such manual processes.  GRC solutions must therefore offer out-of-the-box integrations with these cloud-based solutions.  For example, the Agiliance product can connect to the cloud-based VeriSign iDefense and QualysGuard services to collect the data and evidence that drive automated compliance and risk management.
  • Assess the risk of cloud services: When a system is on premise, it is easier to assess its risks.  You know where the server is located, you know how data flows, you can control who has access to the machine and the data, and you handle the backup and disaster recovery yourself.  All these things we know about on-premise solutions become “cloudy” when the solution goes to the cloud, pun intended :) .  To embrace cloud-based solutions, an organization must be able to assess the risk of those solutions and their IT service providers, or it risks violating international regulations and industry mandates on data privacy, exposing intellectual property and other business data to competitors, and being unable to ensure system availability and business continuity, just to name a few.  An organization must have a robust vendor risk management process and solution in place before it adopts cloud-based solutions for critical business and IT systems.  For example, salesforce.com, an Agiliance customer, performs a security risk assessment on all of the 1,200+ partner applications available on its AppExchange.  Salesforce.com needs to ensure that its platform and its customers’ data are not put at risk by a poorly designed partner application.
  • Certification of the cloud: While it is a challenge for a company to assess the risk of all of its cloud solution vendors, it is an equal challenge for a cloud solution vendor to meet the assessment requirements of all of its customers.  This many-to-many assessment model is highly redundant and does not scale for either the customers or the vendors.  What is needed is a certification standard for the cloud.  This can be based either on industry standards such as those from the Cloud Security Alliance and BITS Shared Assessments or on proprietary ones from a trusted authority.  A solution vendor can earn a seal of endorsement by putting its solution through such a certification program periodically.  Buying organizations can then trust the integrity of the solution, knowing it has been rigorously assessed by a trusted third party.  A number of Agiliance customers, such as Cisco Systems and Bell Canada, are already using Agiliance-based solutions to automate their security and privacy assessment services.  The use of an automated GRC system ensures the consistency and integrity of the assessment process, as well as the quality and consistency of the resulting reports and recommendations.  It doesn’t take a strong imagination to see that this can easily translate into a formal certification program, much like what the Big 4 audit firms do for financial reporting integrity.

I would like to hear what insights or comments you may have on how GRC and cloud impact each other.

Martin Kuppinger blog: What business has to learn so that IT can align

Pravin Kothari

Martin is really on a roll now.  :)    Here is a nice follow-up from Martin about how security and business functions must be better aligned.  It is very timely for my current series of blog posts on a risk-based approach to security management.  GRC and security functions must be better aligned if an organization wants to excel.

Michael Rasmussen’s blog: What Is GRC?

Pravin Kothari

In the last three months there have been many threads and blog posts online trying to define GRC.  Some bloggers and analysts go as far as saying GRC doesn’t exist.  Michael Rasmussen’s latest blog offers some very nice ways to look at what GRC is.

Kuppinger Cole: Linking GRC to security

Pravin Kothari

Here is a nice blog entry by Martin Kuppinger of Kuppinger Cole on the different layers of GRC and how GRC is intimately linked to security.
