Procedural controls consist of written statements of the behavior expected of individuals and the processes they must follow. These controls could include security incident response procedures and business continuity plans.
Technical controls include policies that can be technically automated or enforced across the IT infrastructure. For instance, technical controls could include a company's password policies, as well as the secure configuration and protection of system servers.
Once policies and controls are documented, the burden of IT GRC shifts to continuous IT infrastructure assessment, validation and monitoring. Regulators and auditors want to be assured that when gaps in a control structure become evident, the organization promptly identifies remediation tasks and completes them. Beyond the regulating authorities, executives within the organization want the same assurances. Organizations must therefore be able to automate the processes that sustain compliance through continuous monitoring, reporting and remediation.
Industry compliance leaders monitor, measure and assess controls 12 times more frequently than industry laggards. Enterprises with two or fewer compliance deficiencies and two or fewer data losses annually conduct assessments once every 19 days, while laggards assess controls once every 230 days ("Core Competencies for Protecting Sensitive Data," IT Policy Compliance Group, October 2007).
What's more, nearly all IT security technology controls and procedures are now automated among the organizations performing as leaders in compliance. These leaders, according to the IT Policy Compliance Group, are reallocating funds from external contractors to equipment and software for automating the monitoring and measurement of controls and procedures, and consistently spending 32 percent less time on compliance than firms that do not automate such repetitive tasks.
Failing to comply with industry and governmental regulation comes at a great cost, in the form of penalties, damage to the organization's brand and financial loss. To protect valuable data, enterprises today must look to improve their IT GRC programs from both a policy and a technology standpoint. The good news is that the executive suite is increasingly aware of the stakes and recognizes that IT GRC is a business decision that affects the viability of the whole company.
Sandeep Kumar is senior director of product management at Symantec, responsible for the company's Compliance and Security Management products and directing the strategy and delivery of Symantec's industry-leading IT governance, risk and compliance management solutions. Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. He can be reached at [email protected], and additional information on Symantec is available at www.symantec.com.