1. Automating a Process for the Review and Approval of Your Policies
You need to document a “review and approval” process for your IT policies and procedures. If it’s been a year without a review of your policies and procedures, it’s time to update them and prove that you did. Even if you’ve recently changed your policies, how is that change made available to the employees who reference them?
Make ServiceNow your system of record for your IT and business policies. SHAW Data Security will import your policies in the correct format, help you implement a documented review and approval process, and ensure the policies are accessible by your employees with a user-friendly interface or portal.
2. Putting a System in Place to Administer Controls and IT Compliance
Stakeholders such as IT management, internal audit, and corporate compliance need confirmation that there is adherence to current policies and controls. Internal ‘owners’ of the business services, applications, and/or systems must attest to whether their systems are compliant with each control or not. How are new projects being assessed against current policy before being rolled out, and how are existing products and services being re-assessed?
Here’s how SHAW Data Security’s experts can help you put a system in place:
- Import your relevant controls in ServiceNow. If you use a tool like Unified Compliance Framework (UCF) or Compliance Forge to support your Common Control Framework, we can help you get the proper structure for the system of record.
- Direct controls to the relevant people for attestation within ServiceNow.
- Enable risk analysts to interact with business owners to resolve control compliance issues.
- Create compliance reporting that shows control attestation results.
3. Tracking Identified Risks
Your IT department is supporting your information security program with vulnerability scanning, penetration testing, and compliance assessment. How do you keep track of the risks that have been identified and determine which are higher priorities than others? You need a central place to store and quantify IT risk in a risk register to track, manage and report risks. You would like to establish a risk register that can be integrated with automated systems as well as manual ad hoc entry, and that can present the risks in ways that allow IT management to prioritize company efforts and resources and make informed decisions.
SHAW Data Security’s experts are able to:
- Help you with the processes of identifying and quantifying risks within your different processes and documenting the risks within ServiceNow.
- Resolve those risks in a documented life cycle including mitigation, remediation or acceptance plans.
- Monitor and report on this risk data from the perspective of different business functions, locations, or divisions to support business decisions.
4. Managing Your Third Party Vendor Risk
Although confidentiality and security clauses within vendor contracts are essential to vendor agreements, they are not enough to prove that data is protected when under the care of a third-party. You need a documented process to prove that you have evaluated your vendors and that they are handling data according to best security practices.
We can help you manage your third-party vendor risk: establish or improve an existing process, implement an automated system that reliably tracks and documents the results, and even provide risk analyst personnel to staff the process.
5. Being Ready For An Audit
You need to be prepared for an audit by having your plan in place and documented. Ensure that you are collecting the right information in ServiceNow to allow you to address questions that auditors may ask.