Pros and Cons of mapping all of my compliance policy controls to every entity through GRC
02-15-2023 05:17 PM
Hi,
My organization has about 17 agency customers, and each agency customer has a varying number of business applications (1300 total applications across the enterprise), all of which are expected to comply with my organization's 18 information security policies; the 18 information security policies contain controls/safeguards that total about 600 control objectives.
We have loaded the authority documents and done all the citations and control objective mapping.
We have about 400 open audit or risk assessment findings against some of the 1300 business applications.
We need to complete entity scoping and map controls to the entities (1300 business applications). We plan to complete the entity scoping/entity types by agency (e.g., "Business Applications: agency A", "Business Applications: agency B", etc., one entity type per agency).
I'd like to know pros and cons and recommendations around whether we should go ahead and map all 600 control objectives to each of the 1300 entities/business applications since each business application is required to comply with them versus pros/cons/recommendations about whether it's better to map fewer controls to each business application/entity and then map additional controls as needed.
Seems like we could save some work by mapping all the control objectives to all business applications/entities upfront.
Looking forward to hearing from the experts.
Thank you.
Shirl
02-19-2023 11:35 AM
Hi,
Based on the number of controls across the 18 IS policies, I highly doubt that they are (1) all unique and (2) all relevant for each and every one of the 1300 applications. Even 18 IS policies seems almost excessive in itself. In other words, the premises seem off.
The setup you mention means that Application Owners will have to answer the controls, since I do not imagine one person at an Agency Customer doing it for all the applications. Oftentimes, controls about recruitment, physical security, and training and onboarding of employees would be out of scope for them, over and over again.
From my experience, a large set of controls is centralized, while only a subset cascades down to the application owner level. The control attestation fatigue caused by the regime you mention will drive the quality of the attestations down to zero, since it will become a clicking exercise.
From a purely technical point of view, if you do have to document those 600 COs for those 18 Policies no matter what, you will have to define Common Controls (1 CO that covers the intent of a multitude of COs across IS Policies) as well as scope the relevancy of the Policies against Types of applications, just to avoid overwhelming the employees. You can easily relate Applications to Locations and let GRC aggregate the compliance scores via Upstream Entities, for example.