Modern GRC Blog: Complex Environments

Evolution in governance, risk, and compliance is necessary to ensure an appropriate security posture across hybrid IT environments. So, in this next series of posts, I'll outline specifics on how to update and modernize your Governance, Risk, and Compliance (GRC) efforts from static, one-time access reviews and certifications into a dynamic, modern continuous-monitoring environment.

One area that deserves new attention is comprehensive Application GRC. Today, organizations need to conduct more granular audits, both within Enterprise Resource Planning (ERP) applications and across the organization's portfolio of applications. The goal is to work toward governing a comprehensive Segregation of Duties (SoD) matrix whose conflicts require audit and control.

The scope of governance needs to include application access, database access, system administration, and network controls to complete the audit trail story and adhere to modern compliance mandates.

In the past, this was a separate, loosely tied-together process that let IT organizations and security/risk management professionals meet audit requirements. From a risk and security perspective, the audit questions, and how you answer them, are how you actually address cybersecurity threats and prove your security posture is validated.

Business solutions are rarely self-contained. With an ERP and a Customer Relationship Management (CRM) system in use, many business role functions cross application silos. Mix in email and collaboration software such as Microsoft SharePoint and Office 365, or the file-sharing capabilities of Microsoft OneDrive, and you see a modern-day sprawl of technology that requires governance. The real business world is expanding. Governing access means IT pros need to address change quickly. Unfortunately, traditional software and solutions are being stretched beyond their capabilities.

The approach to compliance has to address these issues in order to deliver a complete access audit; hence the need for a single point of view, a centralized pane of glass. Full visibility across applications, data, and infrastructure is needed right out of the box so that the business is appropriately governed. I haven't seen a business case recently where the business stopped a new initiative for lack of general financial controls; business security and financial control are mapped and mitigated. Modern identity governance and access compliance now has to keep up with this rigorous standard.

At Saviynt, we recommend an approach that includes out-of-the-box support for multiple ERP applications. Our solution is delivered as a managed cloud offering, so it is constantly up to date. New solutions now address these concerns. What a lot of organizations don't realize is that combining the access SoD controls of multiple applications under a common application SoD framework and risk control matrix is available today. Standard control mappings for SOX, HIPAA, CIS, COSO, GDPR, PCI, and others are available and can be leveraged. Quite honestly, given my many years of experience in this realm, I believe the need to build from scratch is eliminated. Migration from legacy GRC applications has to allow for integration and holistic management, not a single leap of faith in a single vendor.
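To make the cross-silo point concrete, here is an added illustration (not Saviynt's product code, nor code from this post) that evaluates one risk control matrix over entitlements drawn from both an ERP and a CRM, and contrasts it with a legacy per-application review; every application name, entitlement, business function, and risk id is a constructed assumption.

```python
from collections import defaultdict

# Constructed mapping of (application, entitlement) -> business function;
# in practice this comes from connector-imported role and privilege data.
FUNCTION_MAP = {
    ("ERP", "AP_VENDOR_CREATE"): "create_vendor",
    ("ERP", "AP_PAYMENT_RUN"): "approve_payment",
    ("ERP", "AR_WRITE_OFF"): "write_off_receivable",
    ("CRM", "CUST_CREDIT_LIMIT_EDIT"): "set_credit_limit",
    ("CRM", "SALES_ORDER_CREATE"): "create_sales_order",
}

# Constructed risk control matrix: (risk id, function A, function B, severity).
# RISK-002 spans ERP and CRM, so a per-application review cannot see it.
SOD_MATRIX = [
    ("RISK-001", "create_vendor", "approve_payment", "high"),
    ("RISK-002", "set_credit_limit", "write_off_receivable", "high"),
]

def business_functions(entitlements):
    """Collapse raw grants into business functions, keeping which grants confer each."""
    funcs = defaultdict(set)
    for app, ent in entitlements:
        func = FUNCTION_MAP.get((app, ent))
        if func:
            funcs[func].add((app, ent))
    return funcs

def sod_violations(entitlements, single_app_view=False):
    """Evaluate one identity against SOD_MATRIX. single_app_view=True mimics a
    legacy siloed review that only flags pairs granted inside one application."""
    funcs = business_functions(entitlements)
    hits = []
    for risk_id, f1, f2, severity in SOD_MATRIX:
        if f1 not in funcs or f2 not in funcs:
            continue
        apps1 = {app for app, _ in funcs[f1]}
        apps2 = {app for app, _ in funcs[f2]}
        if single_app_view and not (apps1 & apps2):
            continue  # conflict crosses silos; invisible to a siloed audit
        hits.append({"risk": risk_id, "severity": severity, "functions": (f1, f2),
                     "grants": sorted(funcs[f1] | funcs[f2])})
    return hits

# Constructed identities with entitlements spread across ERP and CRM.
USERS = {
    "alice": [("ERP", "AP_VENDOR_CREATE"), ("ERP", "AP_PAYMENT_RUN")],
    "bob": [("CRM", "CUST_CREDIT_LIMIT_EDIT"), ("ERP", "AR_WRITE_OFF")],
    "carol": [("ERP", "AP_PAYMENT_RUN"), ("CRM", "SALES_ORDER_CREATE")],
}
```

Running `sod_violations(USERS["bob"])` reports RISK-002, while the same identity with `single_app_view=True` comes back clean, which is exactly the gap a siloed audit leaves.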

The scope of the modern GRC controls you should work to achieve ought to showcase the integration of multiple application GRC systems. This purview needs to cover the applications running across your hybrid IT environment and the integrations running between them. Only then can appropriate risk management systems govern, control, and defend the frameworks that run the business, on behalf of the stakeholders responsible for mitigating risk across the board.

This month, I hosted a webinar to showcase multiple application GRC efforts from Saviynt and one of our partners. We discussed the specifics of complex environments and the benefits we have seen from a structured approach that plans for adapting to change to meet compliance and business needs. You can watch the recording at the link below.

Webinar Title: LegionStar: How to do Application Governance in a Multi-application Environment
Watch Recording: https://saviynt.com/webinar-how-to-enable-multiple-cloud-application-governance-in-the-hybrid-cloud-environment/


Joe Raschke

About author

Joe is a Field CTO with Saviynt and has spent the majority of his career across many vertical markets including Manufacturing, Financial, Legal, and Healthcare markets. Joe has managed teams of people at companies ranging from regional firms to global enterprises to develop infrastructure, security and compliance programs. Bringing insight into the mind of a CISO, Joe has implemented regulatory programs to address today’s complex compliance requirements such as HIPAA/HITECH, SOX, and GDPR.
