Modern GRC Controls: Starting with the Basics
In this digital age, it is critically important that businesses protect their assets whether it is their people, processes or the information that drives their business. Establishing good governance, either written or as part of their culture, Information Technology controls underlie their success of open up potential cases for failure.
However, in many cases, I have observed numerous companies establish GRC controls that are infrequently reviewed for effectiveness. In a number of cases, only a specific set of Business Risks have been reviewed to follow a prescribed set of threat modeling, but do not properly reflect today’s rapidly changing Information Solution architectures. GRC controls need to be constructed for specific contractual, regulatory, or compliance needs and should be reviewed on a biennial basis. At that two year mark, those control sets should be reviewed to see what has been beneficial or ineffective towards reducing or mitigating risk.
A Modern GRC Scenario for Thought
Let’s start with a simple control that can drastically limit the attack surface: User and Computer Account disablement. In one case, there was an Identity-based control set up for when a computer or user account had no activity for over 90 days, it would be disabled. Even though the reports were run monthly, or computers were rarely disabled. I simply asked two questions:
- How often did the Help Desk have to revive disabled accounts?
- How many user computer accounts were disabled per month?
The answers were eye opening. It was noted that for a firm with over 5,000 people the number of times a request came back to re-enable an account had occurred only three times in four years. With machine rebuilds and reimaging, we identified that if a machine had been disabled for over 60 days, it rarely was reinstated, even for specific quarterly or annual tasks. As a result, the control was not effectively reducing risk. If there was no usage for 60 days, a user account would be disabled, and in the coming year that would be reduced to 30 days. Computer accounts were left at 60 days for the people who had extenuating circumstances such as medical or family leave. But the residual effect is that the updated control did neither negatively impact the business nor disrupt the individual.
Now the fun begins. When you walk through the dozens or hundreds of controls that you have in place, you will find many that contradict each other, and that process can take some time. In one case, I attended a one-day workshop to review and justify about 120 controls. By the end of the day I was exhausted, frustrated, frazzled, and yet happy that we were able to cut out about 30 controls that either did nothing or were ineffective. We then sat down with Internal Audit and reviewed the changes and most, if not all, of the reductions were accepted. The real saving was in not producing blank reports, and tracking signoffs. We all agreed that signing off on a blank report had no value.
By reducing your controls to a more appropriate set, you can expand your governance with solutions such as Application-based GRC (App GRC) tools to encompass the whole solution across the Applications with the embedded Segregation and Separation of duties (SoD), their ancillary application integration into Enterprise Resource Planning (ERP) software, Communication integrations such as Email, Instant Messaging and collaboration communications tools, and any privileged infrastructure access to truly calculate what a modern risk assessment would encompass.