Best Practices to Simplify IT Risk and Compliance Management

Posted on: 16 May '11

Organizations have been under constant pressure to improve business and operational efficiency and to save on resources. That pressure keeps rising due to factors such as economic downturns, increasing staff expenses and so on. Simplifying the programs, the organization structure and the tasks required, so as to bring synergies among strategic enterprise programs such as information risk management, protecting information and its associated infrastructure, and ensuring compliance with applicable external mandates, has therefore assumed paramount significance. In this context, I wanted to share with you a few IT security services best practices to simplify IT Risk and Compliance Management:

  1. Lay down the objectives to be achieved through IT Risk and Compliance Management
  2. Create a bridge to link and align them with business objectives and expectations
  3. Use this to bring every stakeholder on the same page in terms of expectations, the language (risk and compliance taxonomy) that will be used, the governance structure, the roles and responsibilities of stakeholders, and the standards and best practices to be used
  4. Initiate a dialogue on how the objectives will be measured. Since it is too early to talk about measurement in detail, the discussion can stay at a fairly high level
    E.g., instead of getting into the details of how user security awareness will be measured, it helps to simply identify it as one of the metrics at this point. This links the metric back to the overall objectives and brings more clarity to the process
  5. Identify a standard that suits your organization and its culture, and adapt it. Using best practices straight out of the book is never a good idea.
  6. Create a policy for IT Risk and Compliance Management in line with the objectives
  7. Define the scope for IT risk management
    1. Pilot the program for a particular business function, or for the IT function itself, and socialize it with others
    2. Define the parameters for evaluating risk exposure, such as risk appetite, tolerance levels, the evaluation method for threats and likelihood, risk impact estimation criteria and risk treatment options. This will help bring everyone on the same page.
  8. Identify business-critical and sensitive data and map it to the compliance requirements at a high level
  9. Draft a data classification and compliance policy and lay down minimum security safeguards. Avoid creating a separate policy for each compliance requirement
  10. Address security requirements first, then bring the compliance requirements into the picture
    1. It is very likely that the compliance requirements are then already met to a significant extent. This approach will also be influenced by your immediate priorities.
  11. Identify a suitable tool for risk management that covers asset inventory, threats, vulnerabilities, impact, evaluation, etc.
    1. A tool helps keep your program on track and provides for efficient management
    2. Measurement, audit and improvement become easier with a tool
    3. Avoid manual processes: they are time consuming, error prone and voluminous, and they run the risk of making IT as well as the business averse to the practice of IT risk management
  12. Prioritize and start implementing the action plans that achieve the risk management policy objectives for data protection and compliance

This is not an exhaustive list; depending on the context, several more such factors can be explored. I am sure that each one of you follows some additional enterprise IT-GRC best practices to simplify IT Risk and Compliance Management. I will be happy to hear your thoughts and experiences.

Mindtree Blog Archives

  • Javier Lopez

    Thanks for the article. These are great guidelines to follow. I especially appreciate #5 regarding identifying a standard suitable for the organization. This is something I find particularly difficult when the culture of a company has never been around security or compliance.

    If possible, could you elaborate on #11 (tool)? What tools do other companies and organizations use? And do you find that they vary depending on compliance requirements and company size?

    • Thiru

      Thanks for your comments, Javier.
      As for the tools, yes, size and compliance requirements do matter in the selection of the right tool for you.
      1. CRAMM from Siemens is popular and is definitely useful.
      2. ISMS RAT is the simplest of all, I guess.
      3. Others are RiskPac, RiskWatch
      There are other solutions, so-called GRC suites, that are more expansive in coverage and application. GRC solutions can manage policies and controls, assess risks, manage audits and report on compliance with good data analytics and reporting. GRC is offered by Protiviti, Thomson Paisley, Methodware, MetricStream, SAP GRC, Oracle GRC Manager, EMC's Archer eGRC, CCH TeamMate, Modulo, etc. These can be very expensive.