How do I manage remediation activity and chart progress towards organizational objectives?
Identify and Budget Remediation Tasks
One common failing of IT Governance, Risk, and Compliance programs is turning assessment results into action. From a liability perspective, the only thing worse than having a serious vulnerability is having knowledge of the vulnerability and not remediating it within a reasonable period of time.
Organizations will need to research solutions and develop schedule and cost estimates, working in conjunction with the organization’s management team. In general, at this stage, we recommend creating a 12-month plan covering all security initiatives, their approximate timing, cost, and resourcing. The strategic plan can then be presented to the organization’s governance body (e.g. Security Committee or Board of Directors) for approval and resourcing.
TruComply provides organizations with an excellent starting point for planning activity. TruArx has developed default remediation tasks, with budget estimates, for all 2,700 controls in the UCF. As a result, clients can quickly review these estimates, adjust them as required, and then proceed to prioritization and scheduling.
With Managed Compliance and Risk Services, clients also receive assistance from a TruArx consultant to translate assessment results into a pragmatic, risk-based strategic plan. To do this, an expert TruArx IT GRC consultant will review assessment findings, work with internal managers to identify solutions and resource estimates, and build a plan for executive review and approval. The TruArx consultant will then update the plan on a quarterly basis to reflect progress to date as well as any shift in priorities.
Assign Remediation Tasks
To ensure accountability, the organization should not only assign a remediation project to the individual who will actually perform it (‘task owner’), but also to an executive who will be ultimately responsible for ensuring it gets done (‘business owner’). After all, no one has the job title ‘Remediator’, and daily operational responsibilities are likely to result in unacceptable delays unless management makes it a priority to complete remediation tasks on the agreed-upon schedule.
TruComply provides a central repository for recording task and business owner assignments and managing all aspects of the workflow from initial notification of the individual that they have been assigned a task through completion. Further, administrators can require the task owner to submit ‘proof’ that the task was successfully completed.
As with ‘Identify and Budget Remediation Tasks’ above, as part of Managed Compliance and Risk Services, clients receive assistance from a TruArx consultant to translate assessment results into a pragmatic, risk-based strategic plan. Resourcing at both the business owner and task owner level is a critical element of this plan. Once the plan is approved, the TruArx consultant will then configure all assignments in TruComply.
Report on and Manage Progress
To keep focus on remediation activity, it is important to have regular meetings where progress is reviewed and action is taken if results are unacceptable. Without such a discipline, remediation efforts typically lose momentum. In our experience, this is all too common, with organizations failing the same controls year after year.
TruComply greatly simplifies managing the remediation project by providing a centralized database of projects and their status as well as associated reporting. With TruArx Managed Compliance and Risk Services, a TruArx consultant will typically host two (2) status meetings each month to review remediation tasks. The first meeting is an optional meeting that provides attendees with an opportunity to ask questions, communicate roadblocks, request additional resources, etc. After the meeting, the TruArx consultant will update TruComply tasks based on feedback from the meeting and prepare a summary status report.
The second meeting is with business owners. Business owners are members of the management team who may not be the ones actually executing the projects, but are ultimately responsible for them. At this meeting, the TruArx consultant will review the status report, facilitate a discussion of why certain projects are behind, and take notes of any resourcing decisions/actions which are agreed to during the meeting. The TruArx consultant will then update tasks in TruComply appropriately based on meeting results.