GRC (Governance, Risk Management, Compliance) is frequently reduced to IAM (Identity and Access Management) or, at best, to a more business-centric layer on top of IAM infrastructures. In our research and publications around GRC we've pointed out that GRC platforms will have to go well beyond IAM: SIEM, BSM (with aspects like business continuity), and other areas will have to be covered.
If you ask the question the other way round, that becomes more obvious: What are the controls that business requires from IT?
That question is, from my perspective, the core question for the selection as well as the conception of any GRC platform. There are GRC aspects outside of IT but even these have to be managed in a consistent way, thus such a platform has to support them. Within these controls, risk controls are amongst the most important ones. I've recently blogged about the need for an integrated Risk Management. Risk controls cover many aspects, including the fulfillment of compliance regulations and business continuity.
The breadth of a GRC platform becomes visible if you take, for example, the (still IT-driven) ISO 27001. ISO 27001 includes a huge number of controls, many of which are neither IAM-related nor of a kind for which any IT system can automatically provide the status information. Even more, to provide the current status for these controls, many different IT systems have to deliver: IAM, SIEM, and many more. GRC platforms will have to support any type of control. They will have to support both manual and automated reporting. And they will have to support interfaces to many lower-level systems.
The controls, on the other hand, will have to be multi-layered, supporting at least a business view ("Are the core security requirements met?") as well as an IT view ("Are we in compliance with all the controls described in ISO 27001?"). The business layer is, in effect, an abstraction of the IT view.
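To make the two-layer idea concrete, here is a small Python model (an added example, not code from the original post): automated feeds (IAM, SIEM) and manual attestations report IT-layer control status, and the business view is computed as an abstraction of it, with stale or missing evidence treated as unknown rather than as a pass. The control references are ISO 27001:2013 Annex A numbers used illustratively, and the mapping from business questions to controls is an assumption.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class ControlStatus:
    control_id: str   # ISO 27001:2013 Annex A reference, used illustratively
    source: str       # which system reported it: "IAM", "SIEM" or "manual"
    compliant: bool
    reported: date    # when the evidence was produced

# Business-level questions mapped to IT-layer controls (assumed mapping, not from any standard)
BUSINESS_VIEW = {
    "Are core systems accessed only by authorised users?": ["A.9.2.1", "A.9.2.5"],
    "Are security events being monitored?": ["A.12.4.1"],
    "Are continuity arrangements verified?": ["A.17.1.3"],
}

def it_layer_status(reports, as_of, max_age_days=30):
    """Newest report per control wins; stale or absent evidence is UNKNOWN, never PASS."""
    latest = {}
    for r in reports:
        if r.control_id not in latest or r.reported > latest[r.control_id].reported:
            latest[r.control_id] = r
    return {
        cid: "UNKNOWN" if (as_of - r.reported).days > max_age_days
        else ("PASS" if r.compliant else "FAIL")
        for cid, r in latest.items()
    }

def business_layer_status(it_status):
    """Business view abstracts the IT view: FAIL dominates, PASS needs every control, else UNKNOWN."""
    result = {}
    for question, controls in BUSINESS_VIEW.items():
        states = [it_status.get(c, "UNKNOWN") for c in controls]
        if "FAIL" in states:
            result[question] = "FAIL"
        elif all(s == "PASS" for s in states):
            result[question] = "PASS"
        else:
            result[question] = "UNKNOWN"
    return result

# Constructed sample feed: two IAM reports, one SIEM report, one manual attestation
AS_OF = date(2024, 6, 1)
SAMPLE_REPORTS = [
    ControlStatus("A.9.2.1", "IAM", True, date(2024, 5, 30)),
    ControlStatus("A.9.2.5", "IAM", True, date(2024, 4, 10)),   # stale: older than 30 days
    ControlStatus("A.12.4.1", "SIEM", False, date(2024, 5, 31)),
    ControlStatus("A.17.1.3", "manual", True, date(2024, 5, 20)),
]
```

Running `business_layer_status(it_layer_status(SAMPLE_REPORTS, AS_OF))` on the constructed feed yields UNKNOWN for the access question (one IAM report is stale), FAIL for monitoring (SIEM reports non-compliance) and PASS for continuity (fresh manual attestation).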
There are several lessons we should learn about GRC platforms:
- We should understand them as the overall interface for business control of IT (and thus as bi-directional)
- We should position them in that way, looking at them from the business perspective and at the questions the business wants answered
- We should understand that this includes many different technologies, well beyond IAM (but with IAM, and the "access control" part of it, being highly important)
- We should work on standards which support the interaction with existing and new IT systems