It's all about the risk

Compliance. Aka an unnecessary cost. Aka a painful thing that must be done. And it's about to get worse.

By Samantha Perry, co-founder of WomeninTechZA
Johannesburg, 26 Jul 2010

GRC and the cloud in five steps or less:

* Key legislation that affects South African companies is the ECT Act, Interception Act, FAIS Act, National Archives of South Africa Act and the Companies Act.
* Cloud computing will affect any organisation's records, management policy, data protection policy, communications policy, and security policy.
* The domicile (location) of the data holder will tell an organisation what legislation should apply in terms of the protection of personal information; for example, if domiciled in the UK, the legislation applicable to the protection of personal information of the UK will apply.
* When deciding on cloud computing, companies need to ensure the cloud operator's local legislation is more or less in line with the new Protection of Personal Information Bill.
* Companies must consider data storage locations, policies and role-based access rights to ensure they mitigate risk.
Sources: Kendal Watt, Mimecast South Africa and Gerrie van Gaalen, Van Gaalen Attorneys

Governance, risk and compliance (GRC) are three things that, like taxes, come part and parcel of running a business of any size. These activities are as welcome as taxes, and carried out with about as much enthusiasm as greets the annual audit. That's not to say many companies don't comply in full, and fairly, but let's face it, no one does it enthusiastically.

As technology becomes more pervasive, compliance gets more complicated. Regulators and governments find themselves having to protect people and businesses from threats unrealised, and unimagined. New legislation around data, and where, when, how and why it may be possessed, moved, stored and used is a case in point.

Cloud computing, which enables companies and individuals to store data almost anywhere (once it's in the cloud, it's anyone's guess where it physically resides), poses its own challenges.

Says Gerrie van Gaalen, partner at Van Gaalen Attorneys: “Data comes in various forms - personal information, confidential information and operational critical information. It's crucial for organisations to remember they are ultimately responsible for their data. This responsibility cannot be transferred to any other organisation, regardless of how much a supplier may deal in data. Therefore, it is the organisation's responsibility to ensure their partners are up to scratch with the legislation applicable to their environment. The issue of reasonability, accountability and risk becomes infinitely more complex when dealing with cloud-based services.”

Says Dimension Data CTO for the Middle East and Africa, Mayan Mathen: “Organisations will mitigate the governance, risk, and compliance issues of cloud computing by working with cloud service providers that understand their sector or industry. Financial institutions, with their extremely specific and tightly regulated GRC requirements, for example, would choose cloud service providers that specialise in the financial services industry.

“The implication of this approach,” he says, “is that cloud computing cannot be all things to all people and that cloud computing cannot be a generic service offering. In fact, the requirement for specialisation among cloud service providers may end up being more stringent than currently applies to outsourcers, simply because control of data will be that much further removed from the customer. We expect that customers will, therefore, impose much stricter service level agreements on their cloud service providers.”

Add King III to the mix, and you have a potent mix of responsibility and liability that organisations and their service providers need to navigate.

Says Dimension Data's Middle East and Africa GM for Network Integration, Jeff Jack: “King III acknowledges that IT is a business enabler and therefore requires that all managers, not only IT managers, take appropriate steps to mitigate the risk of disruption to or failure of IT systems. In other words, IT needs to form part of an organisation's overall governance framework.

“Any organisation where IT plays a vital role in producing profit needs to ensure IT is governed properly, irrespective of whether or not there is legislation to enforce it,” says Jack, referring to King III's voluntary status. “You need to look at what it means to stakeholders or the market when the company says it will make less profit because of an IT system problem.”

Virtual boundaries

The advent of virtualisation brings its own challenges too: how do you audit something that's not physically there, as it were?

Says Mathen: “Virtualisation is a straightforward uncoupling of the physical and the logical, so the data centre is no longer a place somewhere where data lives. We're now talking about virtual data centres. Because we can uncouple the physical and logical, my corporate telephone number, for example, previously chained to my desk, can now be wherever I am, using unified communications technology. Cloud is a very elastic topic - it gives us the stimulus to buy IT from a location not controlled by us, on systems not owned or controlled in some aspect by us, and this is where GRC comes into play.

“I don't think all the answers are out there yet,” he adds. “Things like federation and so on are all in their infancy. It comes down to people and organisational change. People still think if they can hold it in their hands, it's more secure, but that's not true. Most intrusions take place inside the organisation. One early adopter said their security had improved through moving to the cloud.”

This, he says, is because it's the cloud providers' business to make sure their clients' data is protected and that they have military grade plus security in place, something most private organisations can't or won't do.

Built in

GRC's not just for the cloud, or an issue when new legislation hits the streets. It also needs to filter through the organisation.

Says Jack: “King III sets the framework; it needs to filter into the organisation so the company can do something about it. King III says: 'Do a benchmark, determine the state you're in and show yearly improvement on mitigating risk.'

“As business is more and more supported by IT and unable to function without it, you need to enforce a best practice life cycle, from end of sale to the end of the period when that equipment is supported. If you're an IT-heavy organisation, what's your risk profile when you have a significant number of devices in key areas of your business that are no longer supported by the vendor you bought them from?” he asks.

With the Protection of Personal Information Bill still set to hit the streets this year, organisations are going to face some serious compliance challenges, such as ensuring they have a handle on what personal information they hold, how they may use it, how it must be stored, how it must be secured and who to notify when it is used. Never a one-off activity, compliance is about to take on a whole new dimension of importance, and cost.