All Tags » GRC

Browse Site by Tags

Showing related tags and posts across the entire site.
  • GRC: The Agile Market

    A recent blog post http://bit.ly/bVd2i1 from Forrester Research made some very useful points, in my opinion. The focus of the article was on flexibility, in two key respects. First, flexibility is a key requirement of any GRC program, primarily because the demands for risk and compliance are so fluid...
    Posted to Risk Management on 02-03-2010
    Filed under: Risk Management, GRC, Compliance, Sumner Blount, Forrester, regulation
  • The Shortcut to Control Rationalization

    The Problem: The Chief Information Security Officer (CISO) is given the mandate to ensure the IT department is compliant with these four authority documents: SOX, COBIT, PCI and ISO 27001. The OLD Answer: The CISO reads and analyzes each of these documents and identifies the “thou must…” and “thou shall...
    Posted to Risk Management on 01-26-2010
    Filed under: GRC, Compliance, CA GRC Manager, controls, Mike Hoefgen, UCF, Unified Compliance Framework, control rationalization
  • Bridging the Gap from IT Security to Financial Process Controls

    Many agencies have a good handle on IT security, with the FISMA guidelines spelled out in great detail. However, with the advent of the new financial stimulus packages, there is a greater impetus to streamline the process around managing financial controls. Traditionally, financial process controls and...
    Posted to Risk Management on 01-19-2010
    Filed under: Allan Gajadhar, GRC, controls, centralized approach, security, financial controls, IT Government Expo
  • Policy Lifecycle: GRC and Security Controls

    In my numerous discussions with clients, I tend to find a recurring theme of organizations attempting to bridge the gap between business policies tied to regulations and security controls through a process called “The Policy Lifecycle.” The origin of this lifecycle starts with any number of groups that...
    Posted to Risk Management on 01-12-2010
    Filed under: GRC, Compliance, regulations, security, policies, Joann Kenny, policy lifecycle
© 2009 Fullmonte.com