Navigating the GRC Maze
A daunting array of regulatory and compliance requirements face businesses these days, as various breakdowns and meltdowns have prompted political leaders and entire industries to introduce a growing tangle of laws, regulations and industry standards.
From Sarbanes-Oxley (SOX) to the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS) to the EU Privacy Directive, governance, risk management and compliance (GRC) solutions have moved into the mainstream.
Today, GRC touches almost every corner of an enterprise, including business operations, security and IT assets. Moreover, new and expanding technologies—including mobility, cloud computing and social media—have made it more difficult than ever to keep data secure and comply with government and industry requirements. “The GRC landscape is continuing to change, and companies must change with it,” observes Rob Dyson, a senior consultant at Accenture.
As systems and organizations become more interconnected and intertwined, it’s vital to understand where data travels, where it’s stored and who has access to it. In addition, sustainability initiatives and other corporate reporting requirements create new wrinkles and challenges. “Organizations must find a way to build an effective governance framework that bridges IT and business operations,” explains Don Ulsch, CEO of consulting firm ZeroPoint Risk Research.
How can an IT department develop an effective technology foundation? What role does it have in helping business leaders formulate policies and guidelines? And what types of systems and tools are necessary to build a robust and flexible GRC framework?
For most organizations, it’s a topic that requires considerable attention and resources. Says Nitin Bhas, research analyst for Juniper Research in the United Kingdom: “Enterprises must be able to provide constant real-time protection for applications, files and data.”
It’s impossible to dispute the power and value of IT. Over the past few decades, it has transformed the business landscape and provided capabilities that would have once been unimaginable. But with all the gain comes a certain amount of pain.
“Technology, by its nature, advances faster than the ability to provide an appropriate governance framework,” Ulsch points out. “Today, businesses find themselves facing enormous challenges in securing data.”
Although many organizations have constructed a GRC framework—with applications and tools designed to monitor, report and provide alerts about compliance-related activities—gaps and potential hazards exist, Ulsch says. Instant messaging, mobile communications, clouds and social media communications ratchet up the challenges.
“Many organizations deal with these systems by writing a policy, procedure or prohibition,” he adds. “Unfortunately, people often violate policies and undermine procedures.”
The upshot? Risk mitigation must focus on a number of key areas: security deployment, privacy, threat and risk analysis, compliance with government regulations and industry requirements, enforcement strategies, internal audits and overall practices management. Building a holistic approach into a GRC framework means focusing on these issues—both internally and with service providers.
Sallie Mae, the world’s leading provider for student planning and loans, is among the organizations that have worked hard to tackle GRC in a comprehensive way. The Fortune 500 company manages more than 10 million student loans valued at $268 billion.
Altogether, about 10,000 employees and contractors handle documents and oversee business processes. Consequently, Sallie Mae must monitor 162 different compliance rules and regulations, including SOX, FISMA (Federal Information Security Management Act), FFIEC (Federal Financial Institutions Examination Council), GLBA (Gramm-Leach-Bliley Act), PCI DSS and FACTA (Fair and Accurate Credit Transactions Act).
Building an automated compliance model was critical, says Jerry Archer, chief security officer for Sallie Mae. In the past, the organization stored records in a mélange of systems and files, including spreadsheets that sometimes ballooned to more than 3,000 entries.
Now, Sallie Mae uses SailPoint IdentityIQ to oversee a role-based access management framework. The system provides visibility into user-access privileges and provides complete oversight into identity data. Managers work with a finite set of defined roles rather than an infinite number of individual users. All the information is visible through a dashboard.
The approach has paid significant dividends—particularly as employees have turned to laptops, smartphones, tablets and other mobile tools to exchange data. The system manages VPNs, tokens and other authentication tools. IdentityIQ also allows the company to provide access to social networking sites for authorized employees on an exception basis.
The results have been impressive. While the number of controls rose from 800 to 2,500 during the last two years, Sallie Mae was able to slash overall GRC expenses by 40 percent.
Accenture’s Dyson says that companies and application vendors are increasingly focusing on merging the IT and business sides of GRC. He points out that while authentication, passwords, robust reporting and monitoring, and other controls are an important part of the picture, systems must tie together technology, process controls and risk management. “These are the three cornerstones of effective GRC,” he explains.
Today’s global business environment presents thorny GRC challenges. ZeroPoint’s Ulsch points out that organizations may find themselves dealing with the business practices of contractors and third-party providers, background checks in other countries, foreign corrupt practices and a spate of other issues. The ability to track internal transactions and processes is only one part of the picture. It’s not unusual for GRC to span an entire supply chain.
One company that understands this issue is Tognum America (formerly MTU Detroit Diesel), a manufacturer of engines used in boats, military systems and off-highway equipment. The firm ships products to dozens of countries and must cope with a tangle of regulations and restrictions. This includes U.S. Customs requirements, as well as export controls, sanctions and embargo lists that change on a regular basis. A breach could result in fines or a loss of business, says Christin Gleissner, manager of logistics and customs compliance.
In the past, the company relied on spreadsheets and manual processes to keep track of compliance issues related to incoming and outgoing shipments. “There was much greater risk of human error,” Gleissner says.
Tognum America now relies on the SAP BusinessObjects Global Trade Services (GTS) system to automate its GRC processes. This includes checking the latest restriction lists, which sometimes change between the receipt of an order and the shipment of that order.
But the challenges don’t stop there. Orders stream in via a number of networks and systems. In some cases, customers call the company directly. In other instances, distributors enter orders, or employees place an order from a computer located in the office or from a mobile device in the field.
The GTS system tracks all the orders and provides a real-time view of any issues or problems. “It makes it easy to ensure that we’re achieving the highest level of compliance,” Gleissner says.
In fact, since turning to the GTS system, Tognum America has boosted compliance ratings by more than 15 percent to the current level of more than 95 percent. It also has achieved the added benefit of reducing invoicing discrepancies by 80 percent.
Managing Payment Cards
Another company that has embraced GRC in a major way is CardSmith, a provider of electronic payment and transaction processing solutions used primarily by colleges and universities. The firm manages cashless payment cards for nearly 150 schools. Students rely on the cards to purchase meals, supplies and other campus goods.
“Parents transfer money into the account as necessary,” says Taran Lent, vice president of product management and development for CardSmith. “So it’s essential to have the highest level of trust in the system.”
The payment cards—in many cases multiuse smartcards that also provide access control for dorms and other areas—require tight oversight and adherence to a number of regulatory and compliance issues, including PCI DSS, Gramm-Leach-Bliley, the Patriot Act and the Credit Card Accountability, Responsibility and Disclosure (CARD) Act of 2009.
As a result, CardSmith turned to NeoSpire, a hosted security solution that provides a variety of protections and reporting tools that meet the PCI Council’s Data Security Standard. The system handles host intrusion detection, vulnerability management, monitoring and testing, and PCI DSS security scanning.
“It is critical to protect cardholder data,” Lent says. “There is a huge monitoring component to the business. Systems and processes must be in place to handle all the requirements.”
In addition, CardSmith places a premium on securing computers, point-of-sale terminals and mobile payment terminals—as well as using encryption and protecting logs from tampering. For example, the NeoSpire system maintains snapshots of logs, which are written and recorded in real time. “They cannot be altered, and there’s a centralized management capability,” Lent notes.
CardSmith also controls and manages data flowing out to smartphones, tablet devices and other mobile tools. Students check their account balances using these devices. All the while, data travels across wireless networks in an encrypted state.
“We require all information that’s sent to CardSmith to be encrypted,” Lent says. “We are working to stay on the leading edge of security.”
Among other things, this means pushing for tamper-proof terminals at universities and health care providers and the use of tokens as a substitute for sending actual card numbers. The result? “We see very little fraud, and we’ve been able to achieve extremely high levels of compliance,” he says.
GRC is a maze of regulations that keep getting more complex. Juniper Research’s Bhas points out that mobile transactions present a growing challenge. A recent study conducted by the consulting firm found that only 4 percent of smartphones and tablets are currently protected with security software.
Enterprise policy compliance must focus on keeping all devices and systems protected and patches up to date, he notes. But it’s also crucial to prevent devices from running unauthorized applications and to block devices that fail a policy check. “Policy compliance needs to work regardless of the brand of the device,” he says.
Likewise, organizations must have a way to monitor and manage all types of communications, including IM, mobile texting, Skype and social media. Preventing unauthorized access to information and thwarting potential data leakage is paramount.
“An organization must make sure that it is capturing all the information and communication flowing in and out,” says ZeroPoint’s Ulsch. Ratcheting up the stakes is the interconnected nature of data and servers. Too many organizations lack tools to capture communications taking place through newer and nontraditional media.
An effective GRC framework finds ways to capture and establish ownership of information. It also cuts across multiple entities, including shareholders, stakeholders, investors and insurers. A high level of flexibility is important, and balancing productivity with protection is essential.
“If there’s a major breach, it not only raises regulatory and compliance issues—including possible penalties and fines—it erodes confidence in the institution and, over time, may lead to a loss of business,” Ulsch explains.
Taking a Broad Approach
One organization that’s taking a broad approach to GRC is the Northern Ireland Civil Service (NICS). The government organization has more than 25,000 civil servants delivering key services, as well as economic and social policy data, to government ministers and citizens throughout the country. Protecting sensitive data and records while adhering to regulatory requirements, including the U.K.’s Data Protection and Freedom of Information acts, is vital, says Mike Beare, project manager in the Department of Finance and Personnel.
NICS data resides in a tangle of documents and systems that involve 11 government departments and more than 250 sites. Using Hewlett-Packard TRIM records management software, NICS has built a single virtual data repository known as Records NI (Northern Ireland).
The system contains both structured and unstructured data—including more than 9 million documents and information about email accounts, network devices and hard disks. It allows the agency to control who may access information, and also tracks documents and how they’re used and shared.
What’s more, the Records NI system makes it easier to pull up needed information—whether it has originated from a journalist submitting a Freedom of Information Act request or a government official asking for legislative records. Beare says that the system has helped NICS achieve a much higher level of compliance while improving overall workflows.
A Holistic Approach
Accenture’s Dyson says that, ultimately, effective GRC revolves around well-defined processes, the right tools and technologies, and ensuring that employees and partners are trustworthy and educated about the risks inherent in today’s business environment. “GRC should be thought of as a way to bring information together from a variety of different sources,” he says. “The objective is to create a dashboard with all the information needed for GRC management.”
A holistic approach to GRC is critical, ZeroPoint’s Ulsch adds. Businesses must undergo a comprehensive audit of systems and processes to build a strategy and solution that spans the business and IT sides of the enterprise. In some cases, he says, it’s helpful to unleash security experts or hire white-knight hackers who attempt to break into systems, steal data and identify vulnerabilities.
Ulsch believes that organizations usually benefit by wresting control of GRC away from the executive who directs security and placing it in the domain of an audit and risk committee. In a similar fashion, a chief risk officer who reports to the board or a general counsel rather than to the CEO creates much-needed independence, he adds.
In the end, compliance is about managing risk in the best possible way. “Often overlooked is the fact that you can be in total compliance with a regulation or requirement but still face a related problem that can undermine or destroy a business,” Ulsch explains. “It’s important to look beyond specific tools and create an entire GRC framework that addresses all types of systems, processes and data. Successful organizations think of the ‘g’ and the ‘c’ as lower-case letters and the ‘R’ as a capital letter. Risk is at the center of everything.”