IT GRC - What is IT Governance?

In the world of Information Security, acronyms are a way of life. In fact, we often refer to all these different acronyms as "alphabet soup." Keeping track of what they all mean and what they stand for can be challenging. With that in mind, over the next 3 blog posts, we are going to dig into one of those acronyms, IT GRC.

IT GRC stands for Information Technology Governance, Risk, and Compliance. Over these next 3 blog posts, we are going to define and discuss Governance, Risk, and Compliance and what these terms mean in "non-IT" language. To get started, let's define what GRC is. According to Gartner, GRC is "the simplification, automation, and integration of enterprise, operational, and IT Risk Management processes or data." To me, the key word in this definition is integration. The goal of any GRC program should be to have all business units or departments on the same page related to operations and the goals of the organization.

The first part of IT GRC is Governance. Since we love Gartner, their definition of IT Governance is "the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals" (Gartner, 2012). There are two components of IT Governance:

• The selection and investment in IT Systems, its implementation, and the identification of the business results associated with those systems. This is a business decision and is handled by senior or executive management.
• Ensuring that the Information Technology department runs in an effective and compliant manner. This is a technology initiative and is the responsibility of senior IT Leadership.

The final part that we need to talk about related to IT Governance is the use of IT Frameworks. These are controls that allow an organization to align control requirements, technical issues, and business risks. There are many IT Security Frameworks that you can choose to put in place, based on your business and vertical market. Here is a sample list of some of the more common IT Security Frameworks:

• CoBIT
• NIST
• ISO 27001 / 27002
• HITRUST

IT Governance is just the first part in the IT GRC solution!

References:

Gartner. (2012, February 8). IT governance (ITG) - Gartner IT glossary. Retrieved July 25, 2016, from Gartner, http://www.gartner.com/it-glossary/it-governance

Proctor, P. E., Wheeler, J. A., & Pratap, K. (2015, May 13). Definition: Governance, risk and compliance. Retrieved July 25, 2016, from Gartner, https://www.gartner.com/doc/3052217/definition-governance-risk-compliance