Protection Schemes
By Samuel Greengard | Posted 2009-08-04
In today’s data-centric world, organizations are striving to do a better job of recognizing and containing risks.
One thing that makes GRC so challenging is the fact that it touches all corners of an organization, including security. Server security, vendor patches, endpoint systems, firewalls and other components all play a key role in managing data and ensuring that it doesn’t fall into the wrong hands. Consequently, IT managers need to take an active role in maintaining various systems and ensuring that technology solutions fit the underlying business processes.
IT leaders also need to work closely with GRC vendors. “Many companies rely on outside vendors, and there’s a clear risk associated with sharing access rights and data privileges,” Pfefferman points out. “It is critically important to identify high-risk vendors that are dealing with your critical information, including intellectual property and customer records. You have to know where data is stored, how it is protected and what the company is doing with it.”
At the Visiting Nurse Service of New York (VNSNY), the largest not-for-profit home health care firm in the United States, security is a key component in GRC, says Chief Information Security Officer Larry Whiteside. HIPAA is a core issue, and maintaining secure electronic medical records is imperative. The VNSNY must also comply with MAR regulations from the National Association of Insurance Commissioners.
As a result, the company monitors all network traffic using Symantec’s Security Incident Manager (SIM) application, and it uses endpoint encryption for laptops, USB drives, and other equipment and devices that employees carry into the field. Altogether, the company manages approximately 8,000 devices, including 4,500 machines that travel outside the company’s offices.
In addition, the VNSNY has conducted a thorough e-discovery and risk assessment analysis using Symantec’s Vontu Data Loss Prevention (DLP) technology. “It was an eye-opening experience because we did not realize how much unstructured data we had residing all over the enterprise,” Whiteside reports.
The result? In addition to adding specific applications and solutions, the organization changed many of its policies and data retention practices. For example, the VNSNY now deletes e-mail messages after 15 months. “Unless someone has a specific business reason and gets approval from a committee, it’s gone,” Whiteside explains.
It’s clear that GRC has emerged as a mainstream issue—and one that no company can afford to ignore. While a multitude of vendors offer products, it’s ultimately up to the IT organization to work with business leaders to build a culture of accountability and assemble the right combination of hardware, software and policies. In addition, the ability to track Key Performance Indicators (KPIs), Key Result Areas (KRAs) and metrics is significant. The use of Balanced Scorecards and the ability to manage multiple regulatory issues within a single dashboard are also important.
Make no mistake, governance, risk and compliance issues aren’t about to disappear. Business and IT leaders must learn to collaborate on solutions that provide visibility deep into the organization. They must also automate processes by connecting systems scattered across departments and divisions.
As Huron’s Kispert puts it: “An organization must go beyond the vendor buzz about GRC and design a comprehensive and effective solution. With a view of data and systems across the enterprise, it’s possible to manage risk effectively.”