As everyone knows, effective governance is the key factor in every organization's success, whether a small-scale business or a mammoth corporation. Modern organizations face complex and ambiguous situations in their day-to-day governance processes. Problems that evolve over time should be addressed in a dynamic rather than a conventional way, so organizations should be ready to face the challenges arising in the governance domain.
I believe identifying the risk factors will drive the way to success. Compliance and governance go hand in hand in meeting the various regulations enforced by governmental bodies, regulators, internal policies or industry mandates. Compliance is not a one-time activity; organizations should make it repeatable so they can stay in line with regulation at lower cost and meet their mandatory compliance obligations.
When designing a security solution, it is important that we understand the business problem, need or opportunity, and base our approach and methodologies on it. We also need to optimize the architecture across customer needs, business constraints and technological realities, which requires following industry trends and standards from both a business and a technical standpoint.
As a security team, we need to watch technology developments closely to ensure that our organization is positioned to respond effectively to security threats. We need to develop technical roadmaps for future implementations across the enterprise to ensure the soundness of the solution, and we need to maintain a forward-looking perspective on emerging technology developments and their relevance to both business and technology strategies.
Worldwide, there has been a growing realization among government and regulatory authorities that regulations are needed to ensure strong internal controls are implemented in organizations to protect the interests of stakeholders, particularly shareholders. For instance, in India the new Companies Act, 2013 lays very strong emphasis on Internal Financial Controls (IFC) and holds the board directly responsible for overseeing their implementation and enforcement in the organization.
Performing information security risk assessments for third parties has become a recognized part of the annual compliance and risk management plan in many companies, particularly in highly regulated industries. While conducting risk assessments is a day-to-day activity, several problem areas can limit their effectiveness and the ability to meet overall program targets.
What are some of the challenges companies face in developing or managing a third party risk management program?
1. We have thousands of third parties in our company. How do we prioritize vendor risk assessments to address the highest risks first?
Governance, Risk and Compliance (GRC) can be a challenging area for CIOs and CISOs to navigate. With the board of directors and the C-suite as key stakeholders, the ability to deliver results through the complex GRC environment is now more critical than ever.
What has your GRC done for you lately?
Let's look at an example of a typical month for the CIO and CISO. Due to the publicity of recent data breaches in the industry, you are scheduled to deliver an information security update at the next Audit Committee meeting.
1. The annual IT security risk assessment is complete and the results have been presented. The external risk consultants worked with internal teams to identify risks and weaknesses. You have captured the high points for the Audit Committee presentation.
2. You plan to make sure the enterprise risk register is up to date with the findings, remembering to check in with the SOX and PCI teams. What is the status of PCI 3.0 readiness?