ITIL + IT-GRC = Mass * Velocity

by Steve Schlarman – December 11, 2009

In the world of acronyms, information technologists seem to lag behind only government agencies in their ability to create jargon and abbreviations for cryptic concepts. IT-GRC (IT Governance, Risk and Compliance) is one member of the IT lingo club. The Information Technology Infrastructure Library, or ITIL, is a fellow acronym gaining acceptance and popularity within the IT industry. ITIL provides a common framework for formalizing a service-oriented management approach within IT and improving the interaction between IT and the business.

Both IT-GRC and ITIL converge on one straightforward, yet complex, objective: Build an IT organization that is governed intelligently, meets customer and business requirements, and delivers a high level of service while minimizing risks and maximizing efficiencies and effectiveness. For many risk, audit and security professionals, ITIL remains an “IT Operations only” approach, but there are many ways to utilize ITIL to complement IT-GRC efforts.

One way to leverage the harmony between ITIL and IT-GRC is to look at governance, risk and compliance within IT as another IT Service offered to the business. To this end, ITIL can be used as a guideline for implementing the IT-GRC program. The ITIL approach is defined by five stages that follow an IT service from inception through retirement:

1. Service Strategy: Defining the overall goals, objectives and business functions within the service
2. Service Design: Designing the service components and processes within the overall service
3. Service Transition: Managing the rollout process and change management for the service and its processes
4. Service Operation: Executing the daily tasks and activities within the service
5. Continual Service Improvement: Quality assurance and monitoring of the service for improvement and optimization

IT-GRC can use this framework to guide overall program development and management. While walking through all five stages is beyond the scope of this article, the concepts within each stage apply directly to IT-GRC, and IT-GRC program managers can borrow the approaches used within ITIL to build out the program.

With this in mind, I can explain the title of this article: ITIL + IT-GRC = Mass * Velocity. For those of you who can dust off the physics equations stuck in your head from high school, you might recognize the Mass * Velocity portion: it is the equation for momentum (p = mv). My point is that organizations looking to implement IT-GRC programs that have already begun using ITIL to guide IT service development have an advantageous resource in house, namely the ITIL-savvy operations people, who may be able to help move the IT-GRC program along.

As you look to mature and formalize the risk and compliance program, a few well-aimed discussions may help to guide the IT-GRC processes. Besides, any conversations between the IT-GRC side of the house and the operations side are just gravy. Since there is no equation for gravy (except in some Southern states), you can use these conversations to pick up momentum toward meeting your IT-GRC goals.

If you're interested in a little more discussion on this topic, I invite you to read an article I recently published with the EDPACS Journal, titled “What ITIL Can Teach IT-GRC.” (EDPACS: The EDP Audit, Control and Security Newsletter, Volume 40, Issue 2) And if you’d like to learn more about Archer’s approach to IT-GRC, please download the Archer IT-GRC data sheet from our web site.

Comments


Anonymous said:

Thank you for your interest in Steve Schlarman's article, titled "What ITIL Can Teach IT-GRC." We have requested permission to share the article with our clients and are awaiting approval. Please email marketingcommunications@archer-tech.com with your contact information, and we will let you know if we're able to share the article free of charge.

December 14, 2009 11:51 AM

Anonymous said:

Is this article posted somewhere on Archer's site? I'd love to read it and the link above requires me to purchase it. Thanks!

December 14, 2009 11:11 AM


About Sarah Nord (Historical)

As Archer Marketing Communications Manager for RSA, The Security Division of EMC, Sarah Nord oversees the planning, development, delivery and analysis of strategic marketing programs. She also serves as senior writer and editor for RSA Archer marketing content, including web copy, press releases, data sheets, case studies and blog posts. Sarah holds a BA in Professional Writing and an MA in Writing from Missouri State University. She is also RSA Archer Certified.