COMPLIANCE AND GOVERNANCE DIGEST
GRC software alleviates audit process for financial firms


Mike Rothman, Contributor
05.06.2008

GRC in the financial services industry

Compliance is a necessary evil for financial institutions, but it's nothing new. From the first days of the Gramm-Leach-Bliley Act (GLBA), financial firms have been subjected to periodic audits to verify that they have implemented security controls that protect private customer financial data.

Assembling and presenting data to auditors in a cogent fashion can be more than a full-time job. Many large financial firms devote considerable time and resources to gathering data, making sense of it and then building reports. Considering the number of governance, risk and compliance (GRC) products on the market, I think such manual efforts may not be a good use of time. Thus, for organizations that find they spend as much time gathering data and building reports as they do actually protecting information, GRC software is something to look at.

In concept, GRC software is about automating the compliance reporting process. Let's first examine what that means. Basically, financial firms need to report on a few things to keep an auditor happy:

GRC software for companies large and small
The definition of GRC has been muddled by a whole bunch of different vendors trying to stake a claim in the space. Thus, it's hard to understand what GRC really means and whether a "new" type of offering is needed to meet your organization's needs.

The reality of the situation today is that the needs of large financial services firms are totally different from those of smaller financial organizations. The sheer volume of data a global bank has to aggregate makes the payback of these tools look like a no-brainer, but that assumes the tools actually save time in gathering data and generating reports.

The fact is that most large financials tend to be among the firms experimenting with cutting-edge security and compliance tools. So in many cases, these firms already have something in place that does what many GRC-specific products promise to do; they just may not know it as GRC. Identity management, SIMs (security information management systems) and reporting engines usually make up the bulk of the GRC functionality. It makes sense for these larger organizations to put together a matrix of the tools already in place and weigh those against the capabilities of one of these so-called GRC tools to really understand the overlap.

The first generation of GRC software suites tends to be big, expensive and slow to implement. Since automation is all about getting a better return on your time investment, if the solution costs too much or takes too long to deliver value, then it's not worth the effort.

For smaller financial organizations, I recommend a "poor man's" GRC. True data integration and common compliance reporting may not be worth the time or the effort. Leveraging log management data and cross-referencing it with information from more proactive tools like vulnerability scanners can handle the bulk of the audit preparation for much less money. Is it as automated as a fancy GRC suite? No. But it leaves precious budget dollars for other projects. Remember, passing an audit doesn't help a financial services firm gather more assets, close more M&A transactions or lend more money. It allows the company to keep the lights on and focus on all those other things it does well. After all, GRC boils down to spending as little cash as possible by making sure an organization isn't duplicating its efforts.
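What that cross-referencing looks like in practice, as an added example rather than code from the article or from any GRC product: a small Python script joins a vulnerability scanner export with patch events pulled from a log-management search and turns them into the remediation evidence an auditor typically asks for (was each finding fixed inside the deadline for its severity, and which open items are overdue). The CSV columns, the log line format, the "patchd" program name, the hostnames, the plugin numbers and the SLA values are all constructed for the illustration; they are not any vendor's real format or any regulator's requirement.

```python
# Poor man's GRC: cross-reference scanner findings with patch events.
# Added illustration, not code from the article. All inputs are constructed;
# the CSV layout, log line shape, "patchd" name and SLA figures are assumptions.
import csv
import io
import re
from collections import Counter
from datetime import date, datetime

# Constructed scanner export (assumed column layout, not a vendor format).
SCANNER_CSV = """host,plugin_id,severity,first_seen
db01.corp.example,10001,critical,2008-04-01
db01.corp.example,10002,high,2008-04-10
web03.corp.example,10001,critical,2008-04-05
web03.corp.example,10003,medium,2008-04-20
web03.corp.example,10004,high,2008-03-01
"""

# Constructed log-management search results (assumed format). A "patchd" line
# names the scanner plugin its patch closes. The sshd line is noise, and the
# 10003 patch predates the finding, so neither may count as evidence.
PATCH_LOG = """2008-04-15T02:11:09Z db01.corp.example patchd: applied fix for plugin 10001
2008-04-16T00:00:00Z db01.corp.example sshd: Accepted publickey for ops
2008-05-12T01:40:55Z db01.corp.example patchd: applied fix for plugin 10002
2008-04-09T03:00:00Z web03.corp.example patchd: applied fix for plugin 10001
2008-03-20T00:00:00Z web03.corp.example patchd: applied fix for plugin 10003
"""

# Remediation deadline in days per severity (assumed policy values).
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) patchd: applied fix for plugin (?P<plugin>\d+)$"
)

def parse_findings(text):
    """Scanner export -> one dict per finding, with first_seen as a date."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "host": row["host"],
            "plugin_id": row["plugin_id"],
            "severity": row["severity"].strip().lower(),
            "first_seen": date.fromisoformat(row["first_seen"]),
        })
    return findings

def parse_patch_events(text):
    """Log lines -> {(host, plugin_id): [dates a fix was applied]}.
    Lines that do not match the expected shape are skipped, not guessed at,
    so a noisy search result cannot manufacture evidence."""
    events = {}
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").date()
        events.setdefault((m.group("host"), m.group("plugin")), []).append(when)
    return events

def classify(finding, patch_dates, as_of):
    """Return (status, days) for one finding measured against its SLA."""
    # Unknown severities get the strictest SLA rather than a lenient guess.
    sla = SLA_DAYS.get(finding["severity"], min(SLA_DAYS.values()))
    # A patch logged before the scanner first saw the finding cannot have
    # closed it, so only later events count; the earliest of those is the fix.
    fixes = sorted(d for d in patch_dates if d >= finding["first_seen"])
    if fixes:
        days = (fixes[0] - finding["first_seen"]).days
        return ("remediated_in_sla" if days <= sla else "remediated_late"), days
    days = (as_of - finding["first_seen"]).days
    return ("open_in_sla" if days <= sla else "open_overdue"), days

def build_evidence(scanner_csv, patch_log, as_of_iso):
    """Join both sources into one row per finding for the audit binder."""
    as_of = date.fromisoformat(as_of_iso)
    patches = parse_patch_events(patch_log)
    rows = []
    for f in parse_findings(scanner_csv):
        key = (f["host"], f["plugin_id"])
        status, days = classify(f, patches.get(key, []), as_of)
        rows.append({**f, "status": status, "days": days})
    return rows

def exceptions(rows):
    """Rows an auditor will ask about: late fixes and overdue open items."""
    return [r for r in rows if r["status"] in ("remediated_late", "open_overdue")]

def summary(rows):
    """Count findings per status for the cover sheet."""
    return dict(Counter(r["status"] for r in rows))

if __name__ == "__main__":
    evidence = build_evidence(SCANNER_CSV, PATCH_LOG, "2008-06-01")
    for r in evidence:
        print(f"{r['host']:<20} plugin {r['plugin_id']} {r['severity']:<8} "
              f"{r['status']:<18} {r['days']:>3} days")
    print("summary:", summary(evidence))
    print("exceptions:", len(exceptions(evidence)))
```

The exceptions list is the part worth handing over: it is the short list of items that need a written explanation, and everything else is evidence the control worked. Two design choices matter for that evidence to hold up: log lines that don't match the expected shape are dropped rather than interpreted, and a patch event dated before the scanner first reported a finding is never accepted as its fix.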

One last word of caution for financial companies of all sizes: stay focused on the difference between security and compliance. A GRC suite can help an organization pass an audit, but it doesn't do much to protect data. A documented security strategy and working security processes will put an organization in decent shape for an audit; passing an audit does not put it in decent shape for security.

About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.


Copyright 2008 - 2009, TechTarget. All Rights Reserved.