Risk, Compliance and Fraud Management
Enterprise Software for
Governance, Risk and Compliance
Governance, Risk and Compliance or "GRC" is an increasingly recognized term that reflects a new way in which organizations can adopt an integrated approach to these three areas. However, this term is often positioned as a single business activity, when in fact it includes multiple overlapping and related activities within an organization, e.g. compliance programs like BS ISO 27001 (Information Security Management), BS 25999 (Business Continuity Management), PCI DSS (Payment Card Industry Data Security Standard), plus management of internal audit, data protection, information assets, operational & IT risk, incidents, policy & procedures dissemination etc.
Achieving this breadth of combined operations and reporting requires a unified GRC strategy that guides people, standardizes processes, and integrates technology to embed GRC at every organizational level.
Technology for enterprise risk and compliance, integrated with the very latest management information systems and web infrastructures, is available today in Proteus Enterprise™, and it can be applied across any number of differing business lines. Proteus Enterprise™ supports any Standard, e.g. ISO 27001, BS 25999, PCI, Sarbanes-Oxley, CobiT, BS 10012, PAS8000 (the emerging fraud standard), ISO9001, ISO18001, ISO14001, ISO 38500 (corporate governance of information technology), ITIL, and even your own corporate plans.
Proteus Enterprise™ is universal in its national language capabilities: we have just added Catalan (in addition to Spanish) for the Spanish home market.
Proteus Enterprise
A total governance, risk and compliance solution for global enterprises.
The GRC ‘Holy Grail’ – Automatic cross referencing and answering of ‘common’ Controls between multiple standards.
One of the most common questions we are asked is “is it possible to manage a single Control, such that it will automatically update the compliance status of ‘common’ controls in multiple standards?”
It is true that several industry and membership bodies have taken the time to develop control cross-reference matrices, or Meta Standards, even though they often arrive at different interpretations of the compatibility and cross-reference links. Perhaps it is a measure of the inherent difficulty that these tables are often out of date, given the ever-increasing frequency with which new standards are developed and existing standards are updated.
In response to user requests, we developed the capability to maintain Control cross references within Proteus®. Unfortunately, the outcome confirmed our suspicions that a) it was very difficult and time consuming to maintain, and b) the results were unreliable at best. The heart of the problem is that Controls are rarely identical in different standards. They may share a common name, but the context and level of detail are often significantly different. Our solution has been to adopt a completely different and novel approach, making Control cross-referencing agile and specific as applied to individual assets, asset types, or asset groups, including people assets or functional roles. The main advantage: it works!
What comes next in the evolution of GRC solutions?
You might assume that there is a lot of commonality between competing GRC solutions, but you would be wrong. As in other early-stage or growth markets, every aspiring technology provider miraculously has a ‘market leading GRC solution’. The reality, however, is that these products are often born out of historic or legacy systems that may have been originally developed as security technology, workflow management, ERP, compliance or risk management solutions. Of course they all have their strengths, but they also have weaknesses.
The scope and potential benefit of GRC functionality will vary between organisations, each needing to focus on particular GRC aspects because of the size, complexity, resources and budget constraints of the organisation. The starting point must be to match product features with requirements. Moreover, existing investment in security technology needs to be considered. The good news is that life may become a little easier. We predict that the next major evolution will not be yet more functionality, but real-time integration with existing ‘tools’, so that the vast amount of data they produce can be interpreted, prioritized and managed to greater and more immediate effect by linking to, and exploiting, the business risk decision analysis capability of GRC management systems. See the News Item on iP-GRC.
News
SCC, Europe’s largest independent IT Group, now lists Proteus Enterprise™ in the Catalyst and UK MoD IA Catalogues
Technology integrator, SCC, has added Proteus Enterprise™ into its mix of leading software applicati...
Partnership with IT Governance Limited for Entry Level Proteus® Sales via their web store.
Stephen Hall, Infogov’s CEO said today “IT Governance Limited recognise that information and informa...
Focus on NHS Standards, including IG Toolkit
NHS information governance professionals will want to know that Proteus Enterprise™ now comes with the NHS IG Governance toolkit option.
Information Governance Limited announced that they are now able to enhance NHS governance risk and c...
Customer Comments
Proteus® was primarily brought in to enable us to achieve PCI compliance, but its uses beyond this remit were evident from the start.
The ability of the solution to adapt to the needs of the entire organisation is unmatched.