
Chrisan Herrod

University of Maryland University College

The Economics of Information Governance, Risk, and Compliance (GRC)

This presentation will focus on the development and implementation of an IT-Governance, Risk and Compliance (IT-GRC) program and will illustrate through a case study the success of this type of program in both a federal organization and an academic institution.

IT-GRC is an investment. Making the case to CIOs involves developing a business case that treats security, risk management, and compliance as the primary means to improve processes and to enable the business to improve and grow without impediments. The argument that resonates is business enablement and business process improvement.

Using security alone as an argument to improve business processes is no longer sufficient. It is a worn argument and out of step with business process improvement, given the lean IT spending by companies in the past two years. The "bad things will happen" argument does not win the hearts and minds of executives.

IT-GRC as a real concept can demonstrate a valuable Return on Investment (ROI); however, the concept must be demonstrated along with process improvements that should include an improvement in organizational efficiency, a reduction in risk, a platform for openly acknowledging and discussing risks, and a way to meet the ever-growing compliance requirements for national and international organizations.

Developing and implementing an IT-GRC program that is consistent with corporate or organizational information assurance (IA) goals is a value-added service and is the key to ensuring that CIOs, CEOs, and the Audit Committee of the Board of Directors support program activities.

Information security technologies underpin many business initiatives. Privacy, e-business, IT continuity, and compliance with regulatory requirements are the most prominent areas where information security becomes part of the supporting infrastructure. But security for the sake of security does not constitute a holistic approach to IA. IT-GRC is a combination of sound practices and procedures coupled with technology solutions where they make sense. An IT-GRC program that enables companies to maintain the privacy of consumer data, allows them to engage in e-business without fear of exposure, significantly reduces their exposure, and ensures they comply with government rules and regulations is the type of program this presentation describes.