
Security, Privacy, Identity in Enterprise GRC (part 1)

Posted by Chad O'Connor  October 29, 2013 11:00 AM


Part 1 – Policies and Procedures

Many organizations are developing enterprise-wide governance, risk management, and compliance (GRC) programs. GRC programs include governance (the processes by which executives and boards direct the enterprise), risk management (the processes by which management identifies and addresses risks to the enterprise), and compliance (the processes by which the enterprise meets applicable laws and regulations). As enterprises become increasingly information-intensive, the protection of information assets is becoming more important in all three aspects of GRC programs.

Protection of information assets is a dynamic and significant topic for many enterprises. For example, the Lloyd's Risk Index (1) for 2013 lists cyber risk as #3 among 50 corporate risk priorities spanning business, economic, political, environmental, and natural-hazard risks. To show how quickly this situation is changing, cyber risk did not make the top ten in the Lloyd's Risk Index two years earlier (2). Other organizations, including the White House (3) and the US intelligence community (4), identify cyber risk as a serious national threat.

At the same time, privacy is a priority topic for many government, corporate, and academic organizations that must comply with many laws and regulations governing privacy (5). The recent NSA disclosures have led to many debates on the relative needs for “security versus privacy.” However, the issues addressed in a GRC program are much broader and must incorporate security, privacy, and more. In the words of one CEO with whom I spoke recently, “the risk that NSA may look at some of my data in the cloud is only one of the many business risks that we face, and many are more significant.”

How, then, should an enterprise address the protection of sensitive information amidst all of the other risks it faces? Organizations must address policies, procedures, systems, and technology, and the order is important. In Part 1, I discuss policies and procedures; Part 2 will focus on systems and technology. Some organizations buy a system platform first without sufficiently defining their policies and the procedures that implement them, and then try to fit the policies to the tool. This generally leads to trouble.

First, today’s enterprise policy manual should be an information system and not a thick book on a shelf. It requires centralized management, online availability throughout the enterprise (and, in part, to business partners), and frequent executive and board review. To promote simplicity and transparency, there should be FAQ lists and required training programs for everyone who needs this information, along with auditable records of training participation, since auditors and regulators will ask for evidence that the policy was communicated, not merely that it exists. Because of the growth in areas in which organizations need explicit policy statements, these policy information systems will be large, with capabilities to analyze policy drafts for consistency and to avoid conflicts with other policies. Policies should be written in a consistent, structured form so that software can summarize the text and help identify and resolve conflicts between policies.

Policies for control of sensitive information are particularly important for organizations with complex supply chains. These supply chains may include raw materials, finished parts, and outsourced business processes. As diverse as today’s supply chains are, they all involve sensitive information whose handling requires policies that recognize current cyber threats, regulatory requirements, and the need to protect intellectual property. For example, Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH) is a European Union regulation (6) for controlling the production and use of chemicals and their potential impacts on health and the environment. Companies registering a chemical are obliged to share data about it with government agencies and other specified organizations. Data in the registration documents is valuable intellectual property, and enterprise policies must define who may see it, how it is transmitted to those parties, and how that handling is recorded.

Second, enterprises need well-defined procedures for implementing the above policies. These procedures should also be part of the enterprise policy and procedure system, with mechanisms to promote effective implementation. Procedures begin with well-defined organizational responsibilities. Increasing numbers of organizations now have a Chief Information Security Officer and a Chief Privacy Officer, in addition to the CEO, CFO, and CIO. Teams that incorporate multiple perspectives, including information security and privacy, should make many significant corporate decisions. Initiatives such as big data programs and BYOD practices often involve sensitive corporate and personal information with both security and privacy implications, so the CISO and CPO should be at the table before, not after, such initiatives are approved. The reporting relationships of the CISO and CPO, and the decision-making procedures that include security and privacy considerations, should receive board-level approval.

In Part 2, I will discuss the systems for implementing the above policies and procedures. I also will summarize some new technologies that will affect future GRC programs.

Robert F. Brammer, Ph.D. is Chief Strategy Officer at Brainloop, Inc., making collaboration secure and compliant since 2000.

1. Lloyd's, “Lloyd's Risk Index 2013”, 2013.
2. Lloyd's, “Lloyd's Risk Index 2011”, 2011.
3. The White House, “Remarks by the President on Securing Our Nation's Cyber Infrastructure”, May 29, 2009.
4. Senate Select Committee on Intelligence, “Remarks as delivered by James R. Clapper, Director of National Intelligence”, March 12, 2013.

This blog is not written or edited by or the Boston Globe.
The author is solely responsible for the content.
