practices. Specifically, Gartner, an IT research and advisory company, issued
a report by Mark Nicolett and Paul E. Proctor in May of 2007 that delineates
eight core IT GRC functions:
Controls and policy mapping: IT controls and policies should be mapped into defined control objectives.
Policy distribution and attestation: Policies should be broadly disseminated throughout the enterprise with a means for employees to attest that they have read them and will comply.
IT control self-assessment and measurement: Assess your use of IT controls and collect data so that you can measure exactly how well you are doing and can note improvements over time.
GRC asset repository: IT assets should be defined and grouped according to the business process they support and classified according to requirements for confidentiality, integrity, and availability.
Automated general computer control collection: Essentially the status of computer controls can be collected from the source in an automated fashion.
Remediation and exception management: Show where there were gaps in your process or problems (exceptions) and document how you addressed them so that you can show this information to auditors.
Basic compliance reporting: Integrate compliance data in a form that is acceptable to auditors.
Advanced IT risk evaluation and compliance dashboarding: This helps the business make good decisions based on IT risk management and compliance information.
What Gartner is essentially saying is that IT GRC is about defining IT policies, processes, and controls so that they are based on best practices; making sure these policies are widely known throughout the enterprise; mapping the policies to technical controls; evaluating compliance issues and the risk of being noncompliant; and then automating the audit and regulatory reporting of your company's efforts.
Understanding IT Governance in Terms of Risk and Compliance
Simply put, IT governance is about how a company manages its IT landscape.
It is governance directly tied to IT topics, so it involves fashioning IT policies
and procedures that the company establishes in order to govern itself from a
risk and compliance perspective.
Chapter 14: IT GRC 267