IT GRC Lifecycles – supporting each of Governance, Risk and Compliance – how about ITIL?
One of the big issues I hear from many customers and colleagues facing us in GRC is that there are just so many different approaches and methodologies in play to address our challenges – that implementing an end-to-end GRC program is hampered. In the IT GRC world alone, we have, to mention a few:
CIOs need approaches that dovetail with transforming IT as a Service
What all these lack is a common high-level approach that resonates with what a CIO is increasingly building as IT becomes more of a service.
We absolutely need to start aligning our approaches, even at the highest level, if we are to advance the cause of integrating and gaining synergies with end-to-end programs for GRC.
Here’s a thought – why not abstract approaches to a higher level that can accommodate the internationally accepted standards and methods – using the main stages of ITIL?
At EMC Consulting, in fact, that is what we are doing, and it works well. IT GRC involves all the aspects of IT – from business continuity and data protection, through information governance and life cycle management, asset management, change and configuration management and, of course, security management.
Integrating ITIL stages with GRC
Here’s a diagram showing how to pull together the main phases of ITIL: Strategy, Design, Implement and Operate – and move around the life-cycle whether you are looking through the governance-only lens, the risk management/security-only lens, the compliance-only lens or any combination.
This sort of approach typically resonates more with the cloud and datacenter folks, the pure IT folks. But as we transition to the cloud (and a good read on this, pulling concepts together, is Chuck Hollis’s recent post on the 10 Big Ideas Shaping IT Infrastructure Today) – isn’t that what we need to do as GRC practitioners? Isn’t the GRC-enabled cloud, whether private or public, a key end-state?