
Security, Privacy, Identity in Enterprise GRC (part 2)

Posted by Chad O'Connor  January 14, 2014 06:00 AM


This post is a continuation of Part 1 of “Security, Privacy, Identity in Enterprise GRC,” where we discussed the policies and procedures that are the foundation of a GRC program. This post discusses the systems and technology used to implement the program, including those policies and procedures. In each case, the emphasis is on protecting enterprise information assets in a dynamic environment of cyber threats, privacy concerns, and legal and regulatory compliance.

This year, we will see many developments that continue to increase the importance of enterprise GRC programs in many industries. These include further regulations coming from the Dodd-Frank legislation, new environmental regulations limiting greenhouse gas emissions, actions to mitigate cybersecurity risks, and new healthcare regulations from the Affordable Care Act. The volume and complexity of these regulatory environments require well-designed systems and technology as important parts of a well-managed enterprise GRC program.

Enterprise systems perform a broad range of business-critical functions, including the implementation of the policies and procedures necessary to protect sensitive corporate information and to enable regulatory compliance. The challenge for CIOs is to design and operate these systems while balancing requirements for functionality, performance, and cost against the security and compliance demanded by corporate policies and regulatory requirements. End users will focus on functionality and performance, the CFO will focus on costs, while the GRC program must ensure proper security and compliance. There is a growing market for systems that implement the policies and procedures of a GRC program(1), but the policies and procedures must be defined before a GRC platform is selected.

The oversight policies and procedures for enterprise systems (and GRC platforms in particular) must ensure that these necessary, but often diverse, perspectives are balanced appropriately in the management of the systems. Of course, “appropriately” depends on the particular enterprise and its objectives. However, enterprise executives must address all of these perspectives completely and explicitly in the governance of these systems. There are various mechanisms for doing this, but all of these perspectives should be at the table for critical decisions. New information systems, quickly evolving cyber threats, and growing privacy concerns make these decisions difficult and often controversial. For example, meeting security compliance requirements [e.g., current shortcomings in FISMA(2)] may not provide adequate security. Additionally, new network tools for web address tracking may reveal information about employees' requests for health information, and improper handling of their logs could lead to privacy violations. Collaboration among senior executives and board members is essential for many things, and it is certainly necessary for successful enterprise systems. Conversely, successful GRC systems can do much to enable this collaboration.

Secure and flexible identity and access management (IAM) is a critical requirement for all enterprises and their information systems. Federated IAM systems provide capabilities to address IAM challenges across multiple organizations, which is a vital requirement for complex supply chains. Consortia such as the InCommon Federation of higher education institutions(3) and the Transglobal Secure Collaboration Program(4) in the aerospace and defense sector have created many capabilities and services in federated identity management. There is much new activity in this area, including projects that are part of the NSTIC initiative [the National Strategy for Trusted Identities in Cyberspace(5)]. Role-based identity is critical in establishing who is entitled to access information across a supply chain while shielding that information from everyone else.

Finally, while new technology developments for enterprise systems in cloud, social, mobile, big data, security, wearable computers, unmanned autonomous systems, and other areas have considerable business value for many applications and markets, they also present continuing challenges for GRC programs. As a result, there are many new developments(6) for GRC platforms, and some will succeed in the marketplace. Enterprise executives and board members must ensure that there is senior collaborative leadership from many viewpoints that continues to address these issues as key parts of their organizational strategy.

Robert F. Brammer, Ph.D. is Chief Strategy Officer at Brainloop, Inc., making collaboration secure and compliant since 2000.

  1. French Caldwell and John A. Wheeler, “Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms,” Gartner Research Report G00245773, September 26, 2013
  2. United States Government Accountability Office, “Federal Information Security: Mixed Progress in Implementing Program Components, Improved Metrics Needed to Measure Effectiveness,” GAO Report 13-776, September 2013
  5. The White House, “National Strategy for Trusted Identities in Cyberspace,” April 2011
  6. John A. Wheeler, “Hype Cycle for Governance, Risk and Compliance Technologies, 2013,” Gartner Research Report G00245240, July 24, 2013
This blog is not written or edited by or the Boston Globe.
The author is solely responsible for the content.
