*Governance, risk management, and compliance* or *GRC* is the umbrella
term covering an organization's approach across these three areas:
Governance </wiki/Governance>, risk management </wiki/Risk_management>,
and compliance </wiki/Regulatory_compliance>.^[1] <#cite_note-1> ^[2]
<#cite_note-2> ^[3] <#cite_note-3>
Overview
GRC is a discipline that aims to synchronize information and activity
across governance, risk management and compliance in order to create
efficiency, enable more effective information sharing and reporting and
avoid wasteful overlaps. While interpreted differently in various
organizations, GRC typically encompasses activities such as corporate
governance </wiki/Corporate_governance>, enterprise risk management
</wiki/Enterprise_risk_management> (ERM) and corporate compliance with
applicable laws and regulations.
Organizations reach a size where coordinated control over governance,
risk management and compliance (GRC) activities is required to operate
effectively. Each of these three disciplines creates information of
value to the other two. Each of the three GRC disciplines touches and
affects the same technologies, people, processes and information in any
organization.
Where governance, risk management and compliance are managed
independently from each other, the organization will have substantial
GRC product vendors
The distinctions between the sub-segments of the broad GRC market are
often not clear. With a large number of vendors entering this market
recently, determining the best product for a given business problem can
be challenging. Given that the analysts don't fully agree on the market
segmentation, vendor positioning can increase the confusion.
Due to the dynamic nature of this market, any vendor analysis is often
out of date relatively soon after its publication.
Broadly, the vendor market can be considered to exist in three segments:
* Integrated GRC solutions (multi-governance interest, enterprise wide)
* Domain specific GRC solutions (single governance interest,
enterprise wide)
* Point solutions to GRC (relating to enterprise wide governance, or
enterprise wide risk, or enterprise wide compliance, but not to them in
combination)
Integrated GRC solutions attempt to unify the management of these areas,
rather than treat them as separate entities. An integrated solution is
able to administer one central library of compliance controls, but
manage, monitor and present them against every governance factor. For
example, in a domain specific approach, three or more findings could be
generated against a single broken activity. The integrated solution
recognizes this as one break relating to the mapped governance factors.
Domain specific GRC vendors understand the cyclical connection between
governance, risk and compliance within a particular area of governance.
For example, within financial processing, a risk will relate either to
the absence of a control (a need to update governance) or to the lack of
adherence to (or poor quality of) an existing control, or to both. An
initial goal of splitting out GRC into a separate market has left some
vendors confused about the lack of movement. It is thought that a lack
of deep education within a domain on the audit side, coupled with a
mistrust of audit in general, causes a rift in a corporate environment.
However, there are vendors in the marketplace that, while remaining
domain-specific, have begun marketing their product to end users and
departments that, while either tangential or overlapping, have expanded
to include the corporate internal audit (CIA) and external audit teams
(tier one "big four" and tier two and below), information security and
operations/production as the target audience. This approach provides a
more 'open book' view of the process. If the production team will be
audited by CIA using an application that production also has access to,
this is thought to reduce risk more quickly, as the end goal is not to
be 'compliant' but to be 'secure', or as secure as possible.
Point solutions to GRC are marked by their focus on addressing only one
of its areas. In some cases of limited requirements, these solutions can
serve a viable purpose. However, because they tend to have been designed
to solve domain specific problems in great depth, they generally do not
take a unified approach and are not tolerant of integrated governance
requirements. Information systems </wiki/Information_system> will
address these matters better if the requirements for GRC management are
incorporated at the design stage, as part of a coherent framework.^[5]
<#cite_note-5>
GRC data warehousing and business intelligence
GRC vendors with an integrated data framework are now able to offer
custom built GRC data warehouse and business intelligence solutions.
This allows high value data from any number of existing GRC applications
to be collated and analysed.
The aggregation of GRC data using this approach adds significant benefit
in the early identification of risk and business process (and business
control) improvement.
Further benefits to this approach include (i) it allows existing,
specialist and high value applications to continue without impact (ii)
organizations can manage an easier transition into an integrated GRC
approach because the initial change is only adding to the reporting
layer and (iii) it provides a real-time ability to compare and contrast
data value across systems that previously had no common data scheme.
Integrated governance, risk and compliancy
An integrated GRC (iGRC) takes information feeds from one or more
sources that detect or sense deviations, defects or other patterns from
security or business applications. This can include active sensor
technologies such as those to protect, monitor and manage information
networks and systems. By combining GRC technologies such as web based
information security </wiki/Information_security> management systems
with network security </wiki/Network_security> related sensor
technologies, it is suggested that defences against cyberattacks
</wiki/Cyberattack> are enhanced in real time.
Typical sensor types include:
* host based intrusion detection </wiki/Intrusion_detection>,
vulnerability assessment, configuration and policy compliance,
database logs, web site logs, file accesses
* hosts for penetration testing, email scanning
</wiki/Email_filtering>, spam filters </wiki/Spam_filter>
* network intrusion detection and prevention, netflow,
firewall/router/other network devices logs
* access and identity for successful or failed logins, new users,
deleted users, privilege escalation </wiki/Privilege_escalation>,
bio-metric identities
* web site vulnerability
</w/index.php?title=Web_site_vulnerability&action=edit&redlink=1>
detection (cross site scripting </wiki/Cross_site_scripting>, SQL
injection </wiki/SQL_injection> etc.), pages visited, referred from
* end-point monitoring such as permitted user activity, not permitted
user activity, data leakage </wiki/Data_leak> monitoring, USB usage
monitoring and reporting
* anti-virus, anti-phishing </wiki/Anti-phishing>, malware
</wiki/Malware> detection
* applications (most keep audit logs </wiki/Audit_log> of activity), and
* others such as event and audit log collection for operating systems,
infrastructure and applications
Cyber crime </wiki/Cyber_crime> has taken on such substantial importance
in recent years that target organisations for iGRC software are likely
to be those supporting critical national infrastructure, e.g. verticals
and industries with significant brand/reputation risk. It is suggested
that the primary value proposition for iGRC is as follows:
* To provide an insurance policy for CEOs wanting to assure the
integrity of critical controls and measures, so as to maintain a low
probability of occurrence of high impact risk events
* Calibration of risk profiles in the round, and validation of the
baselines for controls and measures
* Automation of the detection of changes in control status and threat level
An iGRC configuration is GRC technology coupled to network sensors via
the open GRCiP protocol, so that threats are recognised at an early
stage through automated detection of control status and threat level
changes, and the measures to avoid them can then be enabled, thereby
de-risking the enterprise as a whole.
GRC research
A publication review carried out in 2009 found that there was hardly any
scientific research on GRC. The authors went on to derive the first GRC
short-definition from an extensive literature review. Subsequently the
definition was validated in a survey among GRC professionals. "GRC is an
integrated, holistic approach to organisation-wide GRC ensuring that an
organisation acts ethically correct and in accordance with its risk
appetite, internal policies and external regulations through the
alignment of strategy, processes, technology and people, thereby
improving efficiency and effectiveness."
The authors then translated the definition into a frame of reference for
GRC research.
Each of the core disciplines - Governance, Risk Management and
Compliance - consists of the four basic /components/: strategy,
processes, technology and people. The organisation's risk appetite
</wiki/Risk_appetite>, its internal policies and external regulations
constitute the /rules/ of GRC. The disciplines, their components and
rules are now to be merged in an integrated, holistic and
organisation-wide (the three main /characteristics/ of GRC) manner
aligned with the (business) operations that are managed and supported
through GRC. In applying this approach, organisations aim to achieve
the /objectives/: ethically correct behaviour, and improved efficiency
and effectiveness of any of the elements involved.^[6] <#cite_note-6>
See also
* Conformity assessment </wiki/Conformity_assessment>
* Records management </wiki/Records_management>
* Regulatory compliance </wiki/Regulatory_compliance>
References
1. Anthony Tarantino (2008-02-25), /Governance, Risk, and Compliance
Handbook/ <http://books.google.co.uk/books?id=3aUyqPxYw10C>,
ISBN 978-0-470-09589-8
2. Denise Vu Broady, Holly A. Roland (2008-04-25), "The ABCs of GRC"
<http://books.google.co.uk/books?id=1Vi35vE6c1IC&pg=PA9>, /SAP GRC For
Dummies/, ISBN 978-0-470-33317-4
3. Silveira, P., Rodriguez, C., Birukou, A., Casati, F., Daniel, F.,
D'Andrea, V., Worledge, C. & Zouhair, T. (2012), /Aiding Compliance
Governance in Service-Based Business Processes/
<http://www.igi-global.com/chapter/handbook-research-service-oriented-systems/60900>,
IGI Global, pp. 524–548, retrieved 2013-04-06
4. Lamm, Blount, et al., /Under Control: Governance Across the
Enterprise/
<http://www.amazon.com/Under-Control-Governance-Across-Enterprise/dp/1430215925>,
retrieved 2013-04-06
5. Bonazzi, R., Hussami, L. & Pigneur, Y. (2009), "Compliance
Management is Becoming a Major Issue in IS Design"
<http://people.hec.unil.ch/ypigneur/files/2010/01/complianceManagement.pdf>,
in D'Atri, Alessandro; Saccà, Domenico, /Information Systems: People,
Organizations, Institutions, and Technologies/, Springer, pp. 391–398,
doi:10.1007/978-3-7908-2148-2
<http://dx.doi.org/10.1007%2F978-3-7908-2148-2>, retrieved 2013-04-06
6. Racz, N., Weippl, E. & Seufert, A. (2010), Bart De Decker, Ingrid
Schaumüller-Bichl, ed., /A frame of reference for research of
integrated GRC/, Communications and Multimedia Security, 11th IFIP TC
6/TC 11 International Conference, CMS 2010 Proceedings, Berlin:
Springer, pp. 106–117, ISBN 978-3-642-13240-7
Further reading
* Adam Krug (2011-04-12), "Governance Risk and Compliance & HSE
Software System Case Studies"
<http://www.cmo-compliance.com/GRC_HSEQ_Safety_Environment_Software_Implementation_Case_Studies.html>,
Case Studies 1-34