SLVA - Developing an IT GRC Strategy
1. Title slide
Developing an IT GRC Strategy
Assess once, test once, satisfy many…
Kris Budnik
MD, SLVA Information Security
2. What is GRC?
“An academic definition of the word ‘mess’” – CFO Magazine

“A prickly tangle of controls and practices buried inside functional or geographic silos with hundreds of isolated activities. Bewildering complexity and duplication, even as it leaves major gaps uncovered and fails to deliver the desired results.” – Deloitte

“Isn’t the GRC acronym invented by consulting and technology firms to help sell services and software?” – Risk Management Magazine
3. Current state of GRC activities in IT
- BIAs
- Information Risk Assessments
- Data Classification
- Maturity Assessments
- Vulnerability Assessments
- GCCs
- SLA/OLA management
- Configuration Management
- Policies
- Standards
- Application Control and Authorizations (ACR)
- Penetration Testing
- Change Control
- Performance Management
- Incident Management
- Access Management
- Project Management
- Laws/Regulations
4. But why is GRC important?
While there may be debate about the GRC term, there is near consensus on the following:
- Executives and directors are being held to higher standards and levels of accountability
- Compliance costs have spiralled amidst the increasing volume and complexity of laws, regulations and rules
- Stakeholders are more active and aggressive
- More transparency is demanded
- The speed and consequence of “risk events” have dramatically increased
- Lee Dittmar, Deloitte Consulting
5. So what is GRC really?
A system of people, processes and technology that enables an organisation to:
- understand and prioritize stakeholder expectations
- set business objectives that are congruent with values and risks
- operate within legal, contractual, internal, social and ethical boundaries
- provide relevant, reliable and timely information to appropriate stakeholders
- enable the measurement of the performance and effectiveness of the system
- OCEG

“…call it whatever you want. For the sake of argument, throw away the term altogether. Now ask yourself: Did the underlying business issues go away?”
- Lee Dittmar, Deloitte Consulting
6. Fitting the pieces together
• Identify all who play a part in the process
- IT Ops, Security Ops, Information Risk, IT Audit, Information Security, Ops Risk, ERM, executive, etc.
• Identify what drives IT GRC in your environment
- Laws/Regulations, Industry standards, Common practices, Internal requirements
• Map the key elements of the IT operation that contribute to GRC in the environment
• Align the elements to remove duplication, identify control gaps and define effective measurement criteria
7. Integrated IT Governance, Risk and Compliance
- Policies
- Standards
- Procedures
- Laws/Regulations
- BIAs
- Information Risk Assessments
- Data Classification
- Maturity Assessments
- Vulnerability Assessments
- GCCs
- ACRs
8. Maximising efficiency…
[Diagram: Drivers and Constraints (Laws & Regulations; Industry Standards & Frameworks; Internal requirements) feed Harmonised GRC objectives, which in turn feed Consolidated GRC activities. Caption: “Assess Once, Test once, Satisfy many”; requirements R1 to R4 are mapped onto controls C1 to C12.]
• Eliminating “silo” responses creates opportunities for harmonization and consolidation
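The alignment step on slide 6 (remove duplication, identify control gaps) and the requirement-to-control mapping on slide 8 are easier to reason about when modelled explicitly. The following is an added example, not code from the SLVA deck or from any GRC product: it maps raw requirements from several authoritative sources onto harmonised objectives, maps controls onto those objectives, and then reports which controls satisfy many requirements, which objectives have no control (a gap), and the rationalisation ratio. All source names, clause references, objectives and control ids are constructed for illustration.

```python
"""Added example: a small "assess once, test once, satisfy many" model.

Raw requirements from several authoritative sources are mapped to a
harmonised GRC objective; controls evidence one or more objectives.
From that we derive consolidation (one control satisfying many
requirements), gaps (objectives with no control) and the ratio of raw
requirements to harmonised objectives. Every identifier below is a
constructed placeholder, not real regulatory text.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    source: str     # authoritative source (law, standard, internal policy)
    ref: str        # clause reference within that source
    objective: str  # harmonised GRC objective it maps to


# Constructed catalogue: several sources restating the same few objectives.
REQUIREMENTS = [
    Requirement("Regulation-A", "s.12", "access-review"),
    Requirement("Regulation-A", "s.15", "change-approval"),
    Requirement("Standard-B", "A.9.2", "access-review"),
    Requirement("Standard-B", "A.12.1", "change-approval"),
    Requirement("Standard-B", "A.12.6", "vuln-remediation"),
    Requirement("Internal-Pol", "IS-04", "access-review"),
    Requirement("Internal-Pol", "IS-07", "vuln-remediation"),
    Requirement("Contract-C", "cl.8", "incident-notification"),
]

# Constructed control inventory: control id -> objectives it evidences.
CONTROLS = {
    "C1": {"access-review"},
    "C2": {"change-approval"},
    "C3": {"vuln-remediation"},
}


def harmonise(requirements):
    """Group raw requirements by harmonised objective (assess once)."""
    by_objective = defaultdict(list)
    for r in requirements:
        by_objective[r.objective].append(r)
    return dict(by_objective)


def coverage(requirements, controls):
    """Return (control -> requirements it satisfies, objectives with no control)."""
    by_objective = harmonise(requirements)
    satisfied = defaultdict(set)
    for cid, objectives in controls.items():
        for obj in objectives:
            for r in by_objective.get(obj, []):
                satisfied[cid].add((r.source, r.ref))  # test once, satisfy many
    covered = set().union(*controls.values()) if controls else set()
    gaps = sorted(set(by_objective) - covered)
    return dict(satisfied), gaps


def rationalisation_ratio(requirements):
    """Raw requirements per harmonised objective (the '17 times' figure on slide 9)."""
    return len(requirements) / len(harmonise(requirements))


def report(requirements=REQUIREMENTS, controls=CONTROLS):
    """Summarise consolidation and gaps as a plain dict for printing or export."""
    satisfied, gaps = coverage(requirements, controls)
    return {
        "requirements": len(requirements),
        "objectives": len(harmonise(requirements)),
        "ratio": rationalisation_ratio(requirements),
        "satisfied_per_control": {c: len(reqs) for c, reqs in satisfied.items()},
        "gaps": gaps,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the constructed data, eight raw requirements collapse onto four objectives, control C1 alone satisfies three requirements from three different sources, and the incident-notification objective is flagged as an uncovered gap; the same structure scales to a real catalogue by replacing the two constants with exports from a requirements register and control inventory.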
9. Does it work?
The following is an example of the level of consolidation realized by a global financial services company’s Information Technology division…

139: Authoritative sources that applied to the global Information Technology division at the organisation
4,900+: Over 4,900 individual requirements
276: Reduction by over 17 times from 4,900+ to 276 rationalized requirements
3 to 1: Over 3 million hours of assessment and reporting reduced to 1 million hours across 30,000 employees
5 to 1: Information Security, BCP, FFIEC & FDICIA, PCI, and SOX assessments reduced to a single integrated RCSA

Source: Deloitte