I’m an Identity and Access Management kind of guy. I don’t pretend to deny it, however sometimes it does cloud some of my views of the rest of the enterprise. Take the GRC concept for example. As an Identity Management guy, I always looked at GRC as CRG:
- Compliance – How to I show an auditor changes that happen to a user’s identity throughout the identity life-cycle?
- Risk – How do I make sure that there’s no conflict of interest and ensure Segregation of Duties (SoD), ensuring Compliant User Provisioning
- Governance – What are the rules put into place that govern Compliance and Risk?
I also never considered how GRC works outside of the IAM world or why it’s important. After listening to a great presentation from SAP, I got a nice, if basic education which has gotten me to change my thinking from CRG to GRC.
A firm set of governance principles and procedures must be determined before engineering any mitigation processes for risk and compliance. Without this the potential for “Compliance Creep” (risk is assumed) will run amok. And without regular discussion and review there is no way to make sure that all items subject to risk and compliance review will be monitored and prioritized.
The fact is that we need to be continuously checking compliance. Almost any potential work-flow needs these checks and not always the risks that we consider in the IAM world. We’re well ware of the issues involved with granting elevated privileges, but what about ensuring that the links to partner sites remains secure? This are also part of ensuring compliance.
My view of risk has not changed as much, we know from a purely IAM perspective, that we need to consider segregation of duties, administrator accounts, service accounts, SSL, etc. But of course we need to think about the larger level as well. Who provides authorization, approvals and ensures accuracy? What do we do to make sure that users, approvers and administrators are using the system correctly?
What I got out of this is that all three concepts must be considered together and entail a three part process:
- Governance – What are our priorities in managing Risk and Compliance
- Risk – What are our risks at the process level and the operational level? How are they to be mitigated?
- Compliance – How do we monitor and record these risks?
I’m thinking this will be a large part of Identity and Enterprise Architecture discussions for some time to come.