Best Practices to Simplify IT Risk and Compliance Management
Organizations are under constant pressure to improve business and operational efficiency and to save on resources, and that pressure keeps rising because of factors such as economic downturns and increasing staff costs. It has therefore become essential to simplify the programs, the organization structure and the tasks involved so as to bring synergy among strategic enterprise programs: information risk management, protecting information and its associated infrastructure, and ensuring compliance with applicable external mandates. In this context, I wanted to share a few IT security best practices for simplifying IT Risk and Compliance Management:
- Lay down the objectives to be achieved through IT Risk and Compliance Management
- Create a bridge to link and align with business objectives and expectations
- Use this to bring every stakeholder on the same page in terms of expectations, the language (risk & compliance taxonomy) that will be used, governance structure, roles and responsibilities of stakeholders, and standards and best practices to be used
- Initiate a dialogue on how the objectives will be measured. Since it is too early to settle on measurements, the discussion can stay at a fairly high level
E.g., instead of getting into the details of how user security awareness will be measured, it helps to simply identify it as one of the metrics at this point. This links the metric back to the overall objectives and gives more clarity to the process
- Identify a standard that suits your organization and its culture, and adapt it. Applying best practices straight out of the book, without tailoring, is rarely a good idea.
- Create a policy for IT Risk and Compliance management in line with the objectives
- Define the scope for IT risk management
- Pilot the program for a particular business function or the IT function itself and socialize it with others
- Define the parameters for evaluating risk exposure such as risk appetite, tolerance levels, evaluation method for threats and likelihood, risk impact estimation criteria and risk treatment options. This will help bring everyone on the same page.
- Identify business critical and sensitive data and map them to the compliance requirements at a high level
- Draft a data classification and compliance policy that lays down the minimum security safeguards for each class of data. Avoid creating a separate policy for each compliance mandate
- Address the security requirements first, then bring the compliance requirements into the picture
- Once the security requirements are in place, it is very likely that the compliance requirements are already met to a significant extent. How far you take this approach will also be influenced by your immediate priorities.
- Identify a suitable risk management tool that covers the asset inventory, threats, vulnerabilities, impact, evaluation, etc.
- A tool helps keep the program on track and supports efficient management
- Measurement, audit and improvement become easier with a tool
- Avoid manual processes: they are time consuming, error prone and voluminous, and they also run the risk of making IT as well as the business averse to the practice of IT risk management
- Prioritize and start implementing the action plans that achieve the risk management policy objectives, including those for data protection and compliance
This is not an exhaustive list, and depending on the context there are several other factors we could explore. I am sure that each one of you follows additional enterprise IT-GRC best practices to simplify IT Risk and Compliance Management. I will be happy to hear your thoughts and experiences.