Michael Rasmussen has a great post on the difference between enterprise GRC and IT-GRC up on his
blog. As someone who has previously worked for an early IT-GRC vendor, I have a lot of thoughts on the topic of GRC and IT-GRC.
Michael's fundamental assertion that enterprise GRC is a lot broader than IT-GRC is, I think, true. I also believe that the IT-GRC products tend to go a whole lot deeper than the enterprise GRC products, meaning that IT-GRC implementations necessarily get into the details of IT assets and the multitude of controls that affect compliance and risk status.
Both IT-GRC and enterprise GRC are concerned with helping organizations to manage governance, risk and compliance, and there are many similarities between the products that address these markets. Both generally have assessment engines, status dashboards, and policy management functions. The IT-GRC products tend to have much less mature governance capabilities.
Both categories seem to be moving quickly towards automated (vs. assessment-based) gathering of control state.
More blog postings to come on the topic of IT-GRC. It is nice to see the large analyst firms come around to recognizing that the IT-GRC products are fundamentally different from the Paisleys, OpenPages, et al. of the world.
Jim Hietala
www.compliancefocus.com
Jim Hietala, GSEC, GCFW and CISSP, is the principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. Jim has provided consulting services to organizations such as SANS, The Open Group Security Forum, Logical Security, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, and others. He holds a B.S. in Marketing from Southern Illinois University.
Editorial focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy
Jim can be reached at: jim@compliancefocus.com