Deploying a robust security framework that can address GRC-related issues and comply with the standards is critical. Here's what seven industry experts have to say.
1) Adequate segregation of duties – establishing the right structure and RACI (Responsibility, Accountability, Consultation, and Informed) chart for each IT process and deploying ISO 27001-2013, besides involving business users in all GRC modules, is critical, says Sunder Krishnan, Chief Risk Officer, Reliance Life Insurance and Chairman, ISACA India Task Force.
2) Creating a unified compliance framework with a clear RACI (Responsibility, Accountability, Consultation, Informed) matrix is key, besides which integrating the service desk with audit and compliance is a best practice, observes Amit Pradhan, CISO, Cipla Ltd.
3) Assessment of IT policies, with necessary corrections made and published in a structured format, with necessary IT controls and a measurable self-assessment program, and creating an exclusive manager-level position in the IT organisation for IT governance and compliance who reports directly to the CIO will help in complying effectively with GRC standards, says Ashok Jade, CIO, Shalimar Paints.
4) Identifying an owner for each risk to ensure accountability, ascertaining that risk rating is in sync with business value drivers, effective communication policies and an efficient self-assessment methodology with consequences of non-compliance, and building an effective feedback mechanism would help in evaluating the effectiveness of GRC, believes Rishi Mehta, VP & CISO, Religare.
5) Mapping the security and compliance program to current and even future regulations is important. It is crucial for security programmes to be based on security principles rather than on a dogged adherence to regulatory mandates, and to distinguish between security spending and compliance spending, says Murtaza E Bhatia, National Manager (Security), Dimension Data.
6) “Do not have a long-term plan; work out a 90-day security deployment plan and also envisage how it can be integrated with risk processes,” says Sangram Gayal, India Business Manager, Archer eGRC, RSA, The Security Division of EMC.
7) Make security deployments user-centric and seamless. Security solutions should be simple and include an ease-of-use feature which can be scaled up if any new technology is deployed, says Baha Masoud, VP - Marketing, NetIQ.