I wish to disagree with Bob Blakley’s claim that "GRC (Governance, Risk Management and Compliance) had little in common and are not one concept and should all be treated separately."

Risk can be thought of as the need to measure the possibility of an impact and how to mitigate it. Compliance can be thought of as the need to meet a policy (legal or otherwise), often due to a perceived risk. Governance can be thought of as the processes that manage risk and compliance. All three should be examined by IT auditors. They should be considered as interdependent in their implementation. Any enterprise that treats them separately will not derive the inherent synergies.

A good example in the IT and IAM world is the synchronisation of the Identity Directory with the platforms and applications that a user is authorised to access. Some implementations, such as IBM’s TIM, provide the capability of automated synchronisation as a closed loop (i.e. they can't get out of step). This real-time "reconciliation" meets RBAC policies (governance), reduces the incidence of security and fraud related activity (risk) and meets SOX (compliance). This happens immediately and constantly, rather than once every six months if done independently.

G, R and C have little in common? I don’t think so.

Allan Milgate
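The closed-loop reconciliation described in the comment above, as an added worked example (not code from the comment author, from IBM TIM, or from any real product): a directory of users and roles, an RBAC policy mapping roles to application entitlements, and the accounts each application actually has provisioned are compared, and the drift (orphan accounts with no directory identity, excess permissions, missing permissions) is reported and then remediated so that a second pass finds nothing. All users, roles, applications and permissions are constructed sample data.

```python
"""Closed-loop RBAC reconciliation: directory vs. application entitlements.

Added example with constructed data; it is not the comment author's code and
does not model any specific IAM product's API.
"""

# Constructed identity directory: user -> set of roles.
# An empty set models a leaver or disabled account that still exists.
DIRECTORY = {
    "alice": {"finance-analyst"},
    "bob": {"payroll-admin", "finance-analyst"},
    "carol": set(),
}

# Constructed RBAC policy: role -> set of (application, permission).
RBAC_POLICY = {
    "finance-analyst": {("ledger", "read")},
    "payroll-admin": {("payroll", "read"), ("payroll", "write")},
}

# Constructed snapshot of what the applications have actually provisioned:
# application -> user -> set of permissions. Contains deliberate drift.
APP_ACCOUNTS = {
    "ledger": {"alice": {"read"}, "bob": {"read", "write"}, "carol": {"read"}},
    "payroll": {"bob": {"read", "write"}, "dave": {"read"}},
}


def expected_entitlements(directory, policy):
    """Derive application -> user -> permissions from roles and policy."""
    expected = {}
    for user, roles in directory.items():
        for role in roles:
            for app, perm in policy.get(role, ()):
                expected.setdefault(app, {}).setdefault(user, set()).add(perm)
    return expected


def reconcile(directory, policy, app_accounts):
    """Compare provisioned accounts against what the directory says they should be.

    Returns three lists of findings:
      orphan  - (app, user): account exists but user is not in the directory
      excess  - (app, user, perm): permission granted that no role justifies
      missing - (app, user, perm): permission a role grants but the app lacks
    """
    expected = expected_entitlements(directory, policy)
    findings = {"orphan": [], "excess": [], "missing": []}
    for app, accounts in app_accounts.items():
        for user, perms in accounts.items():
            if user not in directory:
                findings["orphan"].append((app, user))
                continue
            want = expected.get(app, {}).get(user, set())
            for perm in sorted(perms - want):
                findings["excess"].append((app, user, perm))
    for app, users in expected.items():
        for user, want in users.items():
            have = app_accounts.get(app, {}).get(user, set())
            for perm in sorted(want - have):
                findings["missing"].append((app, user, perm))
    return findings


def apply_remediation(findings, app_accounts):
    """Return a corrected copy of the account snapshot: close the loop.

    Orphan accounts are removed, excess permissions revoked and missing
    permissions granted. The input is not mutated.
    """
    fixed = {app: {u: set(p) for u, p in accts.items()}
             for app, accts in app_accounts.items()}
    for app, user in findings["orphan"]:
        fixed[app].pop(user, None)
    for app, user, perm in findings["excess"]:
        fixed[app][user].discard(perm)
    for app, user, perm in findings["missing"]:
        fixed.setdefault(app, {}).setdefault(user, set()).add(perm)
    return fixed


if __name__ == "__main__":
    first = reconcile(DIRECTORY, RBAC_POLICY, APP_ACCOUNTS)
    for kind, items in first.items():
        print(kind, items)
    second = reconcile(DIRECTORY, RBAC_POLICY, apply_remediation(first, APP_ACCOUNTS))
    print("drift after remediation:", sum(len(v) for v in second.values()))
```

Run continuously against live exports rather than as a periodic audit, this is the "can't get out of step" property the comment refers to: the leaver carol keeps an account but loses her `ledger` read permission, bob's unjustified `ledger` write is revoked, and the `payroll` account for dave, who has no directory identity at all, is removed.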