In the world of Information Security, acronyms are a way of life. In fact, we often refer to all these different acronyms as "alphabet soup." Keeping track of what they all mean and what they stand for can be challenging. With that in mind, over the next 3 blog posts, we are going to dig into one of those acronyms, IT GRC.
IT GRC stands for Information Technology Governance, Risk, and Compliance. Over these next 3 blog posts, we are going to define and discuss Governance, Risk, and Compliance and what these terms mean in "non-IT" language. To get started, let's define what GRC is. According to Gartner, GRC is "the simplification, automation, and integration of enterprise, operational, and IT Risk Management processes or data." To me, the key word in this definition is integration. The goal of any GRC program should be to have all business units or departments on the same page related to operations and the goals of the organization.
The first part of IT GRC is Governance. Since we love Gartner, their definition of IT Governance is "the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals" (Gartner, 2012). There are two components of IT Governance:
The final part that we need to talk about related to IT Governance is the use of IT frameworks. These are sets of controls that allow an organization to align control requirements, technical issues, and business risks. There are many IT security frameworks that you can choose to put in place, depending on your business and vertical market. Here is a sample list of some of the more common IT security frameworks:
IT Governance is just the first part of the IT GRC solution. Our August webinar discusses IT GRC in more detail: what the components of an IT GRC program are, and how to begin this type of program at your organization.
IT GRC Webinar Recording
Gartner. (2012, February 8). IT governance (ITG) - Gartner IT glossary. Retrieved July 25, 2016, from Gartner, http://www.gartner.com/it-glossary/it-governance
Proctor, P. E., Wheeler, J. A., & Pratap, K. (2015, May 13). Definition: Governance, risk and compliance. Retrieved July 25, 2016, from Gartner, https://www.gartner.com/doc/3052217/definition-governance-risk-compliance