Encrypted and password-protected files? Some form of IT security guard escorting this data throughout the organization and its partners? And how do you make these efforts universal throughout the organization at a sufficiently granular level, or align them with corporate security policies?
In large part, this is a challenge with many ideas and possibilities but no defining technology or method. According to the Gartner report mentioned earlier, and others in the field, there is no definitive IT GRC product yet. It is an emerging market; as time goes on, products will emerge, or a core of applications already used for existing needs will be leveraged into an end-to-end IT GRC solution.
However, as you begin to consider how your company handles IT GRC, one overarching thought can help you create a context within which to target your efforts: leveraging the network.
Leveraging the network
A company's network is the one place where all of its data and applications come into contact with each other, and it is the conduit through which information travels throughout the enterprise and beyond. Therefore, thinking in terms of a
Chapter 14: IT GRC 277
The buddy system: Keeping track of partners

Control of information often extends beyond the company's walls: suppliers and partners often receive sensitive information, so it is important to consider what measures are being taken to ensure that these people act responsibly too. As a starting point, it would be wise to consider:

Setting and documenting policies that define who the partners are, which partners should have access to what, and what can be shared with a partner.

Ensuring that partners' internal policies match your goals with regard to IT GRC and protecting information. This can be accomplished via a service level agreement stating what each side must live up to.

Collaborating carefully. There is also the issue of federated websites and the means by which partners gain access behind the curtain. Protocols should be established that are protective and create an auditable trail, but still allow for an efficient workflow.

Integrating the GRC framework with the underlying network technology to prevent data leakage.

Enforcing data transfer policies.

Encrypting communications and other forms of IP data transfer.
The partner's IT environment must be able to support your company's IT GRC goals. Especially for key partners, a site visit is in order to evaluate how well what the partner says matches what it does (for example, how easy is it to gain physical access to servers?).