So how do you create a reliable IT inventory? How are your IT risks, vulnerabilities and threats related? Which method and criteria should you use to assess IT risk exposure? How do you report on results? Are you really compliant with IT regulations? Which controls should you put in place to reduce IT risk, support objectives and be compliant with all those regulations worldwide? Do you really manage your external IT vendor risk?
To answer these questions, many companies are still using giant Excel spreadsheets to define and constantly update key information about IT assets, regulations and related risks. If this is the case in your company, you may already spend a major part of your working time on it, while still observing constant misalignment between that information and the actual regulations, internal infrastructure and IT vendor network.
But risk management is ALL about making decisions, not about compiling information in separate repositories of threats, risks or assets and updating them on a periodic basis. Today this approach is neither sufficient nor efficient. An IT manager’s goal should be to establish a global approach to managing IT risk by linking all these elements, so that the right information reaches the right person at the right time and she can make appropriate decisions in the appropriate context.
GRC platforms, and particularly those focusing on IT risk, help IT departments, IT risk managers and information security managers establish their company’s IT risk profile and monitor key risk indicators (KRIs) efficiently. In doing so, they build the foundation of a risk-aware IT Governance.
Indeed, an IT GRC platform can provide an in-depth impact analysis of change and risk on IT infrastructure, data and capabilities by uniting the company’s IT landscape, IT portfolio management practice, IT vendors, and the organization and business layers.
To create complete awareness of IT risk, these platforms also manage compliance with IT regulations. Whether maintained internally by the IT regulation manager or pulled from an external database such as UFC, regulations can then be analyzed to assess control levels and evaluate compliance accordingly.
Some platforms also focus on modeling IT risk networks, in order to show how threats and vulnerabilities that affect IT applications and technologies end up threatening business goals, strategies and processes as well. This business impact analysis network lets managers deepen the internal understanding of each critical risk. It helps concentrate resources on a cohesive, risk-aware IT roadmap and, eventually, a business roadmap.
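The risk network described above can be illustrated with a small dependency graph. The following example is added here and is not code from MEGA or the HOPEX product: it uses a constructed inventory (a few technologies, applications and business processes, plus open vulnerability findings) to trace which business processes a given finding ultimately threatens and to derive one KRI from it. All identifiers, severities and the "supports" relation are assumptions made for the illustration.

```python
"""Toy IT-risk network: assets, findings and business processes as a graph.

Constructed sample data (not from any real inventory): technologies support
applications, applications support business processes, and each open finding
is attached to one asset. Walking the graph downstream from a finding yields
the business processes it puts at risk, which is what a business impact
analysis network is meant to make visible.
"""
from collections import defaultdict, deque

# Dependency edges: "X supports Y". Constructed sample inventory.
SUPPORTS = {
    "tech:postgres-13": {"app:billing", "app:crm"},
    "tech:java-8": {"app:billing"},
    "tech:windows-2012": {"app:payroll"},
    "app:billing": {"proc:invoice-customers"},
    "app:crm": {"proc:manage-accounts", "proc:invoice-customers"},
    "app:payroll": {"proc:pay-employees"},
}

# Business-process criticality as a risk manager would rate it (constructed).
CRITICALITY = {
    "proc:invoice-customers": "high",
    "proc:manage-accounts": "medium",
    "proc:pay-employees": "high",
}

# Vulnerability findings: affected asset, severity and status (constructed).
FINDINGS = [
    {"id": "VULN-001", "asset": "tech:java-8", "severity": "high", "status": "open"},
    {"id": "VULN-002", "asset": "tech:windows-2012", "severity": "medium", "status": "open"},
    {"id": "VULN-003", "asset": "app:crm", "severity": "low", "status": "open"},
    {"id": "VULN-004", "asset": "tech:postgres-13", "severity": "high", "status": "closed"},
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def downstream(asset: str) -> set:
    """Every node reachable from `asset` along SUPPORTS edges (breadth-first)."""
    seen, queue = set(), deque([asset])
    while queue:
        node = queue.popleft()
        for child in SUPPORTS.get(node, ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def business_impact(finding_id: str) -> set:
    """Business processes that a finding ultimately threatens."""
    finding = next(f for f in FINDINGS if f["id"] == finding_id)
    return {n for n in downstream(finding["asset"]) if n.startswith("proc:")}


def exposed_processes(min_severity: str = "high") -> dict:
    """Map each business process to the open findings of at least `min_severity` that reach it."""
    exposed = defaultdict(set)
    for f in FINDINGS:
        if f["status"] != "open" or SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[min_severity]:
            continue
        for proc in business_impact(f["id"]):
            exposed[proc].add(f["id"])
    return dict(exposed)


def kri_critical_processes_exposed() -> float:
    """KRI: share of high-criticality processes reached by an open high-severity finding."""
    critical = [p for p, c in CRITICALITY.items() if c == "high"]
    exposed = exposed_processes("high")
    return sum(1 for p in critical if p in exposed) / len(critical)


if __name__ == "__main__":
    for f in FINDINGS:
        print(f["id"], "->", sorted(business_impact(f["id"])))
    print("Exposed processes:", exposed_processes())
    print("KRI, critical processes exposed:", kri_critical_processes_exposed())
```

Note how the closed finding on the shared database contributes nothing to the KRI even though it would reach the most processes if reopened: the same graph answers both "what is at risk now" and "what would be at risk if this control lapsed", which a flat spreadsheet cannot do without manual re-derivation.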
Are you familiar with MEGA’s new HOPEX IT Risk Management solution? It meets the above challenges and helps you define a cohesive, risk-aware IT and business roadmap, that is, the basis of a sustainable, business-driven IT Governance.