No escape from the regulator
- SC Magazine, August 2011
Nobody likes having someone looking over their shoulder and telling them how it's done, but this is the reality for CISOs in a tough regulatory environment. By Rob Buckley
Trends in GRC systems
It's often unclear exactly what is a GRC product and what isn't. At the very least, GRC systems worthy of the name should offer audit, compliance, risk and policy management and be able to do at least some of the following functions: automate workflow management, produce audit trails, mask data and encrypt it, continuously monitor systems, offer flexible automated reporting, segregate duties, escalate status alerts and except certain kinds of alerts.
Gartner has noted market consolidation, with larger vendors becoming dominant through acquisition - IBM acquiring OpenPages, EMC-RSA acquiring Archer, BPS and Resolver merging to form BPS Resolver, Thomson Reuters acquiring Paisley, Software AG acquiring IDS Scheer, SoftPro Systems acquiring Cura, and Wolters Kluwer acquiring Axentis. As a result, the leading platforms, according to Gartner, are BWise, MetricStream GRC, IBM's OpenPages, Oracle GRC Suite, SAP BusinessObjects GRC and Thomson Reuters' Enterprise GRC. Other products worth watching include EMC-RSA's Archer eGRC, Enablon, Software AG's ARIS, SAS Enterprise GRC, Mega Suite, SoftPro Systems' Cura Enterprise, Jade's Enterprise Risk Assessor Kairos and Active Risk Manager.
With the market still in its relative infancy, however, the turmoil in compliance means that systems aren't yet close to being the magic bullets that buyers might wish for. Gartner says: "Customers are looking for vendors not just to provide content for standards, regulations and policies, but also to keep the content updated, manage content licences, provide alerts when a new regulation or change to a regulation emerges, and provide analysis and policy changes based on the impact of the change. No vendor is fully addressing this, although the major regulatory content publishers (such as Thomson Reuters and Wolters Kluwer) have some solutions for the financial services sector."
Case study: The Share Centre
For stockbroker The Share Centre, compliance has always been an issue, but increasingly so in recent years. "Compliance has been very visible within the organisation, with regular training in money laundering, data security and anti-bribery legislation," says Giles Roberts, IT infrastructure manager. He adds that "we get audited a lot more than we used to and third parties have been asking us for documentary proof of compliance. It's been a big change".
PCI compliance in particular compelled the company to examine its procedures, in part because its bank, urged in turn by the credit card issuers, asked it to. Roberts explains: "First, I did research into what the requirements were. I did a one-day introductory PCI DSS course and bought books. Then I developed a project plan and worked out what needed to be achieved with the IT infrastructure team. There was some involvement from the compliance department around education as well. Then I costed it and talked with the board about the procedures, since the IT push needed to come from the board."
Roberts is grateful that the board had the foresight to back the project. "They said, 'If that's what it costs, that's what it costs. If you need to spend an extra £50,000 to do it, then do it'." Nevertheless, there were "uncomfortable decisions" to be made. The group developing the company's core applications potentially had too much access to sensitive information, for example. Roberts eventually spent half of his time creating policies, and the other half dealing with the technological considerations.
Data Protection Act compliance meant the company had already implemented a data loss prevention strategy, including encrypting laptops and portable drives, a ban on USB devices, and monitoring of and restrictions on web browsing. As a result, most of the changes for PCI compliance were to do with shoring up perimeter security and investing in automation.
"The biggest investment was a log manager from LogRhythm, which saved us a lot of management costs: security events were a major area for automation," says Roberts. "But we also updated our firewalls, installed web application firewalls and isolated card data. Now only three of us can get onto the machine with this data."
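The controls Roberts describes, a log manager consuming security events and a cardholder-data machine that only three named staff may reach, map directly onto the GRC functions listed earlier: continuous monitoring, segregation of duties, escalation of status alerts and exceptions for known-benign alerts. The following is an added Python example, not code from the article, The Share Centre or LogRhythm. It assumes a constructed host name, three placeholder approved accounts, constructed sshd-style log lines and a hypothetical monitoring-probe address whose failed logins are excepted from alerting.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical host that holds isolated card data, and the three approved
# administrator accounts (placeholder names, not from the article).
CARD_DATA_HOST = "carddata-01"
APPROVED_ADMINS = frozenset({"groberts", "admin2", "admin3"})

# Hypothetical internal monitoring probe whose password failures are
# expected noise and are excepted from the failed-login rule.
EXCEPTED_SOURCES = frozenset({"10.0.9.9"})

# Escalation routing by severity: critical alerts page someone, high ones
# open a ticket for review.
ROUTES = {"critical": "page-on-call", "high": "ticket"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class Alert:
    severity: str
    user: str
    src: str
    reason: str


def parse(line):
    """Return the fields of one sshd auth line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def evaluate(lines, approved=APPROVED_ADMINS, host=CARD_DATA_HOST,
             excepted=EXCEPTED_SOURCES, fail_threshold=3):
    """Apply two monitoring rules to the card-data host only.

    1. Any successful login by an account outside the approved set is a
       segregation-of-duties breach (critical).
    2. Repeated failed logins from one (user, source) pair reach a high
       alert once they hit fail_threshold, unless the source is excepted.
    """
    alerts = []
    failures = Counter()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["host"] != host:
            continue  # other hosts are out of scope for these rules
        if ev["result"] == "Accepted" and ev["user"] not in approved:
            alerts.append(Alert("critical", ev["user"], ev["src"],
                                "login by account outside approved set"))
        elif ev["result"] == "Failed" and ev["src"] not in excepted:
            key = (ev["user"], ev["src"])
            failures[key] += 1
            if failures[key] == fail_threshold:  # alert once, at the threshold
                alerts.append(Alert("high", ev["user"], ev["src"],
                                    f"{fail_threshold} failed logins"))
    return alerts


def route(alerts):
    """Group alerts into the escalation queue chosen by their severity."""
    queues = {q: [] for q in ROUTES.values()}
    for a in alerts:
        queues[ROUTES[a.severity]].append(a)
    return queues


# Constructed sample log lines (not real events).
SAMPLE_LOG = [
    "2011-08-01T09:00:01 carddata-01 sshd[1201]: Accepted password for groberts from 10.0.5.10 port 51022 ssh2",
    "2011-08-01T09:05:44 carddata-01 sshd[1210]: Accepted password for devuser from 10.0.7.33 port 51100 ssh2",
    "2011-08-01T09:06:02 carddata-01 sshd[1211]: Failed password for root from 192.0.2.44 port 40001 ssh2",
    "2011-08-01T09:06:05 carddata-01 sshd[1212]: Failed password for root from 192.0.2.44 port 40003 ssh2",
    "2011-08-01T09:06:09 carddata-01 sshd[1213]: Failed password for root from 192.0.2.44 port 40005 ssh2",
    "2011-08-01T09:07:00 carddata-01 sshd[1215]: Failed password for probe from 10.0.9.9 port 40010 ssh2",
    "2011-08-01T09:07:01 carddata-01 sshd[1216]: Failed password for probe from 10.0.9.9 port 40011 ssh2",
    "2011-08-01T09:07:02 carddata-01 sshd[1217]: Failed password for probe from 10.0.9.9 port 40012 ssh2",
    "2011-08-01T09:10:00 web-01 sshd[77]: Accepted password for devuser from 10.0.7.33 port 51101 ssh2",
]

if __name__ == "__main__":
    for queue, items in route(evaluate(SAMPLE_LOG)).items():
        for a in items:
            print(f"[{queue}] {a.severity}: {a.user}@{a.src} - {a.reason}")
```

Run against the sample, the developer login on the card-data host is the one critical alert (the same login on web-01 is ignored because that host is outside the rule's scope), the third root failure from 192.0.2.44 produces one high alert, and the probe's failures produce nothing because its address is excepted. In a real deployment the approved set, the host list and the exception list would be the audited records a GRC system maintains, so that a change to any of them is itself a logged, reviewable event.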
The project took nine months to complete and cost £70,000. Maintenance charges on the new systems have come in at 15 to 20 per cent through three-year deals, for roughly a £10,000 annual bill on top of that initial outlay, Roberts reveals. In terms of manpower, compliance administration means that Roberts has effectively lost nearly one person from his team in extra hours.
Roberts' recommendation is to get buy-in from the board for any compliance project. "That's absolutely crucial. And don't believe what the vendors or anyone else says."
