I appreciate that compliance requirements help to enforce some sort of minimum acceptable standards for security and information management, but compliance is just table stakes. It is possible for companies that just follow the letter rather than the spirit of the law to be compliant without truly being secure. Regardless, though, most businesses fall under one or more compliance frameworks, and need a way to efficiently achieve and maintain compliance.
I wrote about the challenges of effectively managing governance, risk, and compliance in this blog post:
There are a lot of moving parts in any organization. For most companies, the challenge of juggling the needs of the business itself is intensified by a variety of government and third-party mandates that dictate requirements the organization must comply with. Organizations need tools and processes to effectively manage it all.
Businesses that handle protected health information must comply with the rules of the Health Insurance Portability and Accountability Act (HIPAA). Organizations that accept, transmit, or store cardholder data are required to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS). Publicly traded companies are governed by the mandates of the Sarbanes-Oxley Act (SOX). These are just a few of the most common and well-known compliance frameworks, and many businesses fall under all three at once, along with others.
The one constant in an IT environment is change, and every change to the IT environment is a potential risk or compliance issue. The compliance frameworks themselves also evolve over time, and new compliance mandates are introduced. IT and security admins have enough on their plate already, and a GRC platform helps minimize the complexity and simplify the task of managing governance, risk, and compliance.
Governance, Risk, and Compliance (GRC) isn’t just about IT, either. Businesses face risks and compliance requirements in other areas that have nothing to do with computer security or data protection. There is a trend, though, of merging the two together. Organizations are starting to understand that IT is a part of the business, and IT is beginning to grasp that it must fit in with and facilitate business processes.
You can read the full article on the RSA blog: Managing the Complexity of Governance, Risk, and Compliance.