<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>B&#039;Cognizance &#187; I Wiz</title>
	<atom:link href="http://bcognizance.iiita.ac.in/archive/aug-nov14/?cat=7&#038;feed=rss2" rel="self" type="application/rss+xml" />
	<link>https://bcognizance.iiita.ac.in/archive/aug-nov14</link>
	<description></description>
	<lastBuildDate>Fri, 10 Apr 2015 04:56:11 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Protecting the enterprise with integrated Governance Risk &amp; Compliances (iGRC)</title>
		<link>https://bcognizance.iiita.ac.in/archive/aug-nov14/?p=789</link>
		<comments>https://bcognizance.iiita.ac.in/archive/aug-nov14/?p=789#comments</comments>
		<pubDate>Fri, 14 Nov 2014 08:44:07 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[I Wiz]]></category>

		<guid isPermaLink="false">http://bcognizance.iiita.ac.in/archive/aug-nov14/?p=789</guid>
		<description><![CDATA[We live in a complex and rapidly changing world in which opportunities are growing fast and innovations are broadly accepted, but at the same time organisations are exposed to new risks and threats. This creates a dilemma over whether to increase the amount of data or not<p class="readmore"> <a href="https://bcognizance.iiita.ac.in/archive/aug-nov14/?p=789" title="Read Protecting the enterprise with integrated Governance Risk &#038;Compliances (iGRC)">  CONTINUE READING ...</a> </p>]]></description>
			<content:encoded><![CDATA[<p>We live in a complex and rapidly changing world in which opportunities are growing fast and innovations are broadly accepted, but at the same time organisations are exposed to new risks and threats. This creates a dilemma over whether to increase the amount of data or not, yet with the global expansion of firms the growth of data is inevitable. To manage this daunting risk it becomes important to have compliance obligations that provide well-framed policies to implement.</p>
<p>A GRC approach is a well-disciplined, organised and structured way to co-ordinate the information and activities of a firm. It is very important to monitor data on a regular basis, which GRC can schedule by enforcing certain rules and procedures. GRC essentially involves an installation that harmonises data across multiple departments, including IT control self-assessment and evaluation, the IT asset repository, finance and auditing, enterprise risk management, IT compliance and the legal domain. The tools provided by GRC become increasingly important for the company to manage risk. Gartner’s approach to GRC defines 6 cases:</p>
<p><strong>IT risk management:</strong> It mainly considers data security issues, the processes of data security and their implementation.</p>
<p><strong>Operational risk management:</strong> This area deals with operational risk in the organisation; capital allocation, time and expense management and predictive analytics all come under this GRC area.</p>
<p><strong>Audit management:</strong> The audit team maintains an audit cycle covering audit planning, audit risk management, the audit repository, evidence management, etc.</p>
<p><strong>Vendor risk management:</strong> It uses VRM tools for measurement and management and considers third-party related risk.</p>
<p><strong>Business continuity management:</strong> This facilitates services after any major disruption takes place. The protection of data when a disaster happens is controlled by GRC tools.</p>
<p><strong>Corporate compliance and oversight:</strong> This covers corporate ethics, the code of conduct, the governance codes and the standards and policies that affect the overall efficiency of the firm.</p>
<p>Despite the well-organised structure, certain issues act as barriers to achieving GRC goals:<br />
1.	Lack of collaboration and co-operation<br />
2.	Lack of clear leadership<br />
3.	Organisational changes that are not easily accepted at each level<br />
4.	Difficulty in hiring people who are skilled specifically in the field where GRC is implemented<br />
5.	Inadequacy of the particular technology<br />
6.	The imbalance created in other departments</p>
<p>The main stumbling block for GRC is that it is applied to one specific domain, or individual area, at a time, which causes various other problems. This flaw is addressed well by Integrated Governance, Risk and Compliances (iGRC). There are basically four components of GRC: strategy, people, technology and processes. The subjects, components and rules of GRC are merged to make an integrated GRC. The impact of iGRC becomes clear when we look at the benefits it has over other compliance approaches. The benefits of having iGRC are given below.</p>
<p><strong>Integrity of critical controls:</strong> The critical infrastructure of a firm needs to be controlled at an early stage, which iGRC software and tools can substantially handle.</p>
<p><strong>Management system with network security:</strong> GRC technology is configured with network sensors, providing high security by recognising threats at a significant level. Data leakage and e-mail spamming can be easily detected if network security is provided with GRC.</p>
<p><strong>Vulnerability detection:</strong> The main cause of risk is that vulnerabilities in the system are not detected by the system makers themselves, which leaves a loophole in the system.</p>
<p><strong>Keeping the users’ login data:</strong> Entries for new users as well as existing ones can be maintained, which makes attackers easy to detect. A record of all end points is maintained so that any new entity can be easily observed.</p>
<p><strong>Firewalls and other network security essentials:</strong> Data entering and leaving the system is to be re-checked and recorded. It can provide network intrusion detection and prevention and a router management system.</p>
<p><strong>Elevated automation:</strong> This covers the automation of control checks at each level, changes in threat levels and the measures taken to avoid them.</p>
<blockquote><p><strong><em>Archita Srivastava<br />
MBA-IT<br />
IIIT Allahabad<br />
</em></strong></p></blockquote>
]]></content:encoded>
			<wfw:commentRss>https://bcognizance.iiita.ac.in/archive/aug-nov14/?feed=rss2&#038;p=789</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Security In India</title>
		<link>https://bcognizance.iiita.ac.in/archive/aug-nov14/?p=737</link>
		<comments>https://bcognizance.iiita.ac.in/archive/aug-nov14/?p=737#comments</comments>
		<pubDate>Fri, 14 Nov 2014 05:23:35 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[I Wiz]]></category>

		<guid isPermaLink="false">http://bcognizance.iiita.ac.in/archive/aug-nov14/?p=737</guid>
		<description><![CDATA[With the expansion of the IT industry, the world has shrunk into a local microcosm where data privacy and security breaches have become the norm. This vulnerability is a concern when we talk about outsourcing by companies. If confidential information lands in the wrong hands, the outcome could be disastrous. With the need<p class="readmore"> <a href="https://bcognizance.iiita.ac.in/archive/aug-nov14/?p=737" title="Read Data Security In India">  CONTINUE READING ...</a> </p>]]></description>
			<content:encoded><![CDATA[<p>With the expansion of the IT industry, the world has shrunk into a local microcosm where data privacy and security breaches have become the norm. This vulnerability is a concern when we talk about outsourcing by companies. If confidential information lands in the wrong hands, the outcome could be disastrous. With the need and the availability to use networks at public places such as cafés or airports, more stringent data security compliance is needed.</p>
<p>The IT Act of 2000 has set out a framework for electronic transactions by creating provisions for checking crimes such as computer hacking. Fast Track Civil Courts and Appellate Tribunals hear disputes under the act. But stricter measures are required to protect data, and a more rigorous legal environment providing measures against data leaks and cyber crime is needed.</p>
<p>Previously, the original act called for a penalty for damaging computers and computer systems under Section 43, but with the amendment compensation can be claimed for stealing computer source code too. Clause 43A has made data protection more explicit. If a company uses a person’s data and sensitive personal data is leaked, the person can claim damages. This forces companies to protect data by maintaining and implementing reasonable security priorities. And if a company fails to provide such a measure, the Central Government will prescribe some practices and procedures in consultation with the professional bodies and associations.</p>
<p>The amended Act of 2000 imposes imprisonment of three years and a fine of rupees five lakh for any person or intermediary who discloses the personal information of an individual or a firm without consent. This to some extent ensures a smooth business flow across international borders. Also, the original act has been updated with crime-specific subsections related to hacking and obscene material. Traffic data, logs and information are maintained by intermediaries for cyber security in accordance with guidelines provided by the Central Government. This ensures the availability of the cyber forensic data needed in the investigation and prosecution of cyber crimes.</p>
<p>The Government has updated and included new definitions for communication devices, cyber cafes, cyber security, electronic signatures and the Indian Computer Emergency Response Team (ICERT). Intermediaries too need to provide assistance to ICERT in doing its job. The nodal agency provides the procedure for this. ICERT will perform all functions related to cyber security: service providers, intermediaries, companies and others will have to provide information to the agency when required, in accordance with procedures that shall be prescribed by the nodal agency.</p>
<p>What is needed next are the right tools, able to dynamically classify content and identify the scope of information in real time, as much remains to be done in incorporating accountability for the data shared.</p>
<p><strong>Source:</strong> Whitepaper</p>
<blockquote><p><strong><em>Sonam Sharma<br />
MBA-IT<br />
IIIT Allahabad<br />
</em></strong></p></blockquote>
]]></content:encoded>
			<wfw:commentRss>https://bcognizance.iiita.ac.in/archive/aug-nov14/?feed=rss2&#038;p=737</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
