Is Identifying GRC a Key to Data Protection?

By CIOReview | Tuesday, August 16, 2016
606
973
208

The three pillars—Governance, Risk Management and Compliance (GRC) needs emerge repetitively for organizations and gravely impact their business objectives and decisions involved in improving their overall efficiency and performance. Gartner says, “GRC is neither a project nor a technology, but a corporate objective for improving governance through more-effective compliance and a better understanding of the impact of risk on business performance.” Under the umbrella of GRC, ‘governance’ includes rules, policies, internal procedures and much more which directs the organization towards achieving objectives and enhancing customer relationship. Along with the above management approach, risk management identifies, controls, and mitigates the threats that prevent an organization from meeting its objective. Lastly, the compliance successfully adheres to the requirements emanating from laws, regulatory acts, contracts and many more. It ensures that organizations are aware of and take steps to comply with relevant laws and regulations.

“It is easy to untangle a string when you have got both the ends,” likewise a CIO knows whether or not his company needs a GRC system but should be aware of the appropriate method of implementing it. A 2016 EMC’s global research on data protection revealed that nearly 57 percent of the enterprises use more than two data protection vendors. Where 56 percent of the IT infrastructures are deployed on-premise and 29 percent are in public cloud. These 2,200 IT decision makers had $900,000 worth of  data loss. And with improper GRC implementation the enterprises encountered 22 hours of average downtime.

Listed are some of the steps to be followed for successful implementation of GRC system for protecting data of an organization.

Identify the Type of Data or Information that is Collected: It is very important for an organization’s IT team to understand the types of data that is flows in and out of their company. Data for healthcare organizations are subject to the mandates by the Healthcare Insurance Portability and Accountability Act (HIPAA) compliant. Therefore, firms need to implement solutions that are HIPAA compliant. CIOs must have a proper knowledge of the data type in order to select a best compliance system.   

Gather and Examine Internal Policies: Enterprises from different continuums frequently upgrade and change their security policies. There is a constant needs to gather and sort all the internal policies of the company—data retention and destruction policies, privacy policies, data security procedures, data breach notice plans, new hire and other employee training material, computer-use agreements and internal auditing and monitoring processes. A proper compilation of these internal policies serves as base to develop a strong data security plan.   

Deploy Information Security Team and Evaluate Risks: Prior to the development of data security plans, a data security team is important. This team of individuals is responsible for ensuring information security, privacy compliance, and data protection, as well as a board member and personnel from legal, IT, human resources, and communications/public relations departments.

After the data security team is assembled, draft the risks involved with non-compliance privacy laws, mishandling of personal and customer data, data breaches, disclosure obligations, unfavorable publicity, and others. Following the draft and analysis of the risks, firms need to engage the team to take necessary actions in order to mitigate the risks. Finishing with actions, timely audits are necessary to access the re-occurrence of the eliminated risks as company’s organizational control and systems continuously develop with changing market trends.

As data integrity and privacy become the primary objective of any organization, customizing data according to the user would help prevent data related risks and internal breaches. Additionally, a CIO can manage compliance processes by automating it. This helps to save much of the time which can improve work efficiency.  We hope the above takeaways help organizations reflect on their data security approaches keeping other challenges at bay by addressing their GRC needs.