From the June 2010 issue of Treasury & Risk magazine

Six Steps to Better IT GRC

Securing corporate IT systems is crucial, but there are ways to make that effort more productive and less costly.


Companies have spent years beefing up their information technology governance, risk and compliance systems. With cutting costs now top of mind in corporate America, here are six ways to make IT GRC systems more productive and less costly.

1. Automate access controls. Today, most companies use a manual process to add users to an application or cancel their accounts. Switching to an automated system can save significant sums and reduce the risks associated with unwanted access.

According to an April study by research firm Ponemon Institute, based on responses from more than 700 IT professionals at U.S.-based companies, 87% believe employees have too much access to resources not relevant to their jobs. More than half of all organizations aren't able to keep up with access change requests.

Automating access controls isn't a simple process, and can take a couple of years to cover just key applications. The process is getting faster, however.

Brian Cleary, vice president of products and marketing at access management vendor Aveksa in Waltham, Mass., says a proof-of-concept rollout with a human resources database and eight or nine applications can take a couple of days.

The cost for a large organization ranges between $200,000 and $230,000, he says, with payback in 12 to 18 months as a result of reducing compliance-related overhead.

There's an additional payoff, Cleary says: customers can identify employees or former employees who have access to information that they shouldn't. "Thirty percent of all access rights get revoked because they're inappropriate, or the user is no longer at the company but the rights are still there," he says.

2. Centralize compliance management. E-mail is a popular way to distribute compliance policies, but there's no guarantee the people receiving an e-mail read it, or, if they do, will be able to find it again. A centralized compliance management system ensures every employee has signed off on the latest version of the company's policies, and can also be used to track changes and enforcement. Now, when employees do something wrong, they can't say that they didn't know they weren't supposed to do that. Such systems also save time and money during the audit process.

A number of vendors, including LogLogic and Aveksa, offer systems that help companies manage compliance policies and tasks by automating jobs that were previously handled manually.

3. Consolidation. There's always a trade-off between getting the latest and greatest systems and having one vendor handle everything. But over time, some vendors incorporate the best features provided by their competitors. It makes sense to revisit, on a regular basis, whether the company can get most of what it needs from a single vendor. This reduces license and maintenance costs, and significantly drives down complexity. It also makes it easier to move data around within an organization, giving companies a bird's-eye view of their risk and compliance situation and allowing them to react more quickly.

A number of vendors now offer enterprise-wide views of IT compliance, governance and risk-related activities, including nCircle.

"Systems are now being managed from a holistic point of view, with regular auditing of critical hosts to ensure they meet the desired standard," says Matt Haynes, senior manager of infrastructure architecture in U.S. Cellular's security architecture group. "We exert about a fifth of the effort with nCircle than with our previous manual audit processes."

Elizabeth Ireland, nCircle's vice president of strategy, says companies often have very diverse compliance environments.

"By making sure that different divisions aren't running different solutions, you can have a consistent method of ranking and scoring risk and measuring compliance," she says.

Consolidation also substantially reduces audit costs, since auditors only have to review one system, and not a dozen. "There's a definite savings in consolidating systems," Ireland says.

4. Continuous security monitoring. Some companies still conduct annual penetration tests or other systems checks and reviews. By automating the process or outsourcing it to a vendor, companies can get continuous monitoring for the same price, which can help spot problems before they escalate.

Staffing to monitor incoming threats is a round-the-clock job and a significant expense. Often, security employees wind up doing other tasks as well and may not be able to respond in an immediate or timely fashion if a breach does occur.

By centralizing this task, an outsourcing vendor can spread the cost of a security specialist across a number of customers.

And it's not just the staffing costs, adds Don Gray, chief security strategist at Omaha, Neb.-based security outsourcing vendor Solutionary.

"There are also all the implementation costs, and then the care and feeding of the hardware," he says. "And, depending on what your regulatory requirements are, storing the log information can be a huge consumer of disk."

Companies that switch to an outsourced security monitoring service can save 70% of their total costs, Gray says.

5. Track and reward performance. With continuous monitoring and a central clearing house for compliance and risk data in place, IT managers can be held accountable for results, just as they are now for safety violations. Managers' bonuses can be tied in part to their compliance performance, or companies can take a simple "hall of shame/hall of fame" approach by casting a spotlight on the best and worst performers.

"Nobody wants to be last," says nCircle's Ireland. "It's effective." The key, she says, is assigning ownership for individual objects and tracking performance over time.

6. Use grids and clouds. In the old days, companies bought one server to run one application. When the application wasn't running at capacity, the server sat idle. And if an application needed more capacity than the server had to offer, performance would slow--forcing many companies to run processing-intensive applications overnight, for example, in batch mode.

Grids and clouds--terms now often used interchangeably--let a company virtualize its physical assets, allowing it to run applications on whatever hardware has free capacity at any particular moment--within pre-set constraints. Processes that before would take hours can now be done in minutes, allowing for quick corrections and multiple-scenario analysis.

"What you end up with is a more credible decision-making process," says Marcus Cree, head of risk solutions for SunGard Trading and Capital Markets.

Comments