MetricStream, a US company that supplies Governance, Risk and Compliance applications, held their GRC Summit in London on November 11th and 12th. Governance is important to organizations because of the increasing burden of regulations and laws upon their operations. It is specifically relevant to IT security because these regulations touch upon the data held in the IT systems. It is also highly relevant because of the wide range of IT service delivery models in use today.
Organizations using IT services provided by a third party (for example a cloud service provider) no longer have control over the details of how that service is delivered; that control has been delegated to the service provider. However, the organization remains responsible for ensuring that its data is processed and held in a compliant way. This is the challenge that governance addresses, and it is why governance of IT service provision is becoming so important.
The distinction between governance and management is clearly defined in COBIT 5. Governance ensures that business needs are clearly defined and agreed and that they are satisfied in an appropriate way. Governance sets priorities and the way in which decisions are made; it monitors performance and compliance against agreed objectives. Governance is distinct from management in that management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the objectives. This is illustrated for cloud services in the figure below.
Governance provides an approach to IT security that can be applied consistently across the many different IT service delivery models. By focussing on the business objectives and monitoring outcomes, it decouples the activities involved in providing the service from those concerned with its consumption. Most large organizations have a complex mix of IT services provided in different ways: on premise managed internally, on premise managed by a third party, hosted services and cloud services. Governance provides a way for organizations to ensure that IT security and compliance can be directed, measured and compared across this range of delivery models in a consistent way.
Since this specification and measurement process can involve large amounts of data from a wide variety of sources, it helps to use a common governance framework (such as COBIT 5) and a technology platform such as the MetricStream GRC Platform. This platform provides centralized storage of, and access to, risk and compliance data, together with a set of applications that collect this data from a wide variety of sources and share the results through a consistent user interface available on different devices.
The need for this common platform and integrated approach was described at the event by Isabel Smith, Director of Corporate Internal Audit at Johnson & Johnson. Ms Smith explained that an integrated approach is particularly important because Johnson & Johnson has more than 265 operating companies located in 60 countries around the world, with more than 125,000 employees. These operating companies have a wide degree of autonomy to allow them to meet local needs. However, the global organization must comply with regulations ranging from financial ones, such as Sarbanes-Oxley, to those relating to health care and therapeutic products. Using the common platform enabled Johnson & Johnson to achieve a number of benefits, including: a common language around compliance and risk across the organization, streamlined and standardized policies and controls, and an integrated view of control test results.
In conclusion, organizations need to take a governance-led approach to IT security across the heterogeneous IT service delivery models in use today. Many of these are outside the direct control of the customer organization, and their use places control of the service and infrastructure in the hands of a third party. A governance-based approach allows trust in the service to be assured through a combination of internal processes, standards and independent assessments. A common governance framework and technology platform are important enablers for this.