Wednesday, February 12, 2014

IT GRC Lifecycles – supporting each of Governance, Risk and Compliance – how about ITIL?

One of the big issues I hear from many customers and colleagues facing us in GRC is that there are just so many different approaches and methodologies in play to address our challenges that implementing an end-to-end GRC program is hampered. In the IT GRC world alone, we have, to mention a few:

CIOs need approaches that dovetail with transforming IT as a Service
What all these lack is a common high-level approach that resonates with what a CIO is increasingly building as IT becomes more of a service.
We absolutely need to start aligning our approaches, even at the highest level, if we are to advance the cause of integrating and gaining synergies with end-to-end programs for GRC.

Here’s a thought: why not abstract our approaches to a higher level that can accommodate the internationally accepted standards and methods, using the main stages of ITIL? At EMC Consulting, in fact, that is what we are doing, and it works well. IT GRC involves all the aspects of IT, from business continuity and data protection, through information governance and lifecycle management, asset management, change and configuration management and, of course, security management.

Integrating ITIL stages with GRC
Here’s a diagram showing how to pull together the main phases of ITIL (Strategy, Design, Implement and Operate) and move around the lifecycle whether you are looking through the governance-only lens, the risk management/security-only lens, the compliance-only lens or any combination.
This sort of approach typically resonates more with the cloud and datacenter folks, the pure IT folks. But as we transition to the cloud (and a good read on this, pulling the concepts together, is Chuck Hollis’s recent post on the 10 Big Ideas Shaping IT Infrastructure Today), isn’t that what we need to do as GRC practitioners? Isn’t the GRC-enabled cloud, whether private or public, a key end-state?
Figure: GRC method
