What is GRC?
Governance, Risk, and Compliance (GRC) is the overarching concept of managing information assets for information protection. GRC ultimately reduces the cost of storing data over its lifecycle, reduces risk, provides for audit, and ensures data security.
The other main purpose of GRC is to prepare for litigation: you know what data you have, you have clear policies that dictate how long data will live in various repositories, and you have the ability to preserve any data that might be relevant to litigation or investigation to avoid spoliation (destruction of evidence). If an organization or individual takes legal action against your company, it is your duty to preserve any communications that might be relevant, and failure to do so will result in an unfavorable judgement. Even if you accidentally delete email that may have been evidence, it’s assumed that you have done so maliciously. While an organization’s legal counsel is notified of all potential lawsuits, it often takes time to figure out what’s relevant and relay that information to the IT department to ensure emails from user ‘X’ are preserved. It’s very possible that before legal has time to reach out to IT, a backup containing a relevant email gets overwritten, and that email is no longer in the system. Through no fault of the organization, just the lapse of time, they can lose their case.
How does an organization ensure a strong GRC strategy?
- Data Inventory
- Establish Policies
- Automate classification, migration, retention and defensible deletion
- Regularly audit access controls
- Respond to litigation or audit
The first step to establishing a GRC program is Data Inventory – you have to know what you have, where it lives, how old it is, and who owns it before you can start planning. Data inventory also enables better preservation, collection and legal hold practices.
Once you have a map, then you can begin to establish policies that can be applied to existing data and data going forward. Crafting retention and classification policies can be extremely difficult and time consuming. The reality is most organizations have been working on them for years and they are still not fully established. The reason it’s difficult is because many organizations try to create policies based on every scenario without knowing what they actually have in their environment. It’s often thought about from a traditional records management perspective, but user-generated content does not fit neatly into these types of plans.
Once policies are established, the next step is to automate classification, migration, retention and legally defensible deletion of the data.
Another important process is auditing access controls. Regular auditing validates who has access to what content directly as well as through inherited group membership permissions and whether those permissions are still valid for your risk and compliance plan.
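The audit described above has to resolve access that arrives through nested group membership, not only direct grants. The following is an added example, not code from Bishop or from any of the products named on this page; it works over a constructed directory snapshot (users, nested groups, a couple of ACLs and one disabled account) and computes each user's effective permission on each resource together with the membership path that grants it, then flags disabled accounts that still hold access.

```python
from collections import deque

# Constructed directory snapshot (assumption for this example): a group may
# contain users or other groups, and "everyone" contains itself to show that
# the expansion is cycle-safe.
GROUPS = {
    "finance-all": {"alice", "bob", "finance-leads"},
    "finance-leads": {"carol"},
    "everyone": {"finance-all", "dave", "everyone"},
}
# Constructed: bob's account is disabled but was never removed from groups.
DISABLED_USERS = {"bob"}

# Constructed ACLs: resource -> list of (principal, permission).
ACLS = {
    "/shares/finance/budget.xlsx": [
        ("finance-leads", "write"),
        ("finance-all", "read"),
        ("erin", "read"),
    ],
    "/shares/public/handbook.pdf": [("everyone", "read")],
}

# Higher rank wins when a user gets the same resource via several paths.
RANK = {"read": 1, "write": 2}


def expand(principal):
    """Map every user reachable from principal (through nested groups) to the
    membership path that reaches them. A 'seen' set stops group cycles."""
    users = {}
    seen = set()
    queue = deque([(principal, [principal])])
    while queue:
        name, path = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        if name in GROUPS:
            for member in GROUPS[name]:
                queue.append((member, path + [member]))
        else:
            users.setdefault(name, path)
    return users


def effective_access(resource):
    """Return {user: (permission, path)} for one resource, keeping the
    strongest permission when several ACL entries reach the same user."""
    access = {}
    for principal, perm in ACLS[resource]:
        for user, path in expand(principal).items():
            current = access.get(user)
            if current is None or RANK[perm] > RANK[current[0]]:
                access[user] = (perm, " -> ".join(path))
    return access


def audit():
    """Flag effective access that is no longer valid: here, disabled accounts
    that still reach content through direct or inherited grants."""
    findings = []
    for resource in ACLS:
        for user, (perm, path) in sorted(effective_access(resource).items()):
            if user in DISABLED_USERS:
                findings.append(
                    (resource, user, perm, "disabled account still has access via " + path)
                )
    return findings


if __name__ == "__main__":
    for resource in ACLS:
        print(resource)
        for user, (perm, path) in sorted(effective_access(resource).items()):
            print(f"  {user:6} {perm:5} via {path}")
    for finding in audit():
        print("FINDING:", *finding)
```

Reporting the membership path alongside the permission is what makes the review actionable: the reviewer can see that removing bob from "finance-all" fixes both findings, whereas editing the ACL on one file would not.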
Once all of the above steps have taken place, organizations can reasonably respond to litigation or audit. To respond in a timely manner, organizations need to be able to preserve, collect, review, analyze, and produce the necessary information.
Electronic Discovery Reference Model from EDRM (edrm.net).
What Solutions does Bishop offer to support GRC?
HubStor – HubStor is a data-aware cloud archive that enables businesses to securely manage file system growth using the cloud. This allows companies to preserve unstructured workloads with security, control, and compliance.
Office 365 – Office 365 offers many information protection capabilities. Compliance Center encompasses archiving policies, eDiscovery and other audit features for risk and compliance. They’re also adding DLP and encryption to the compliance, eDiscovery, and archiving capabilities. What was previously a basic solution has grown into a true comprehensive GRC solution.
Veritas Clearwell – Clearwell is an eDiscovery review and analytics tool. While this tool is great for these specific purposes, it does not cover the entire GRC lifecycle and should be used in tandem with other solutions.
How do Data Classification, Data Loss Prevention and Data Retention relate to GRC?
Data Classification – Data classification is the act of determining what type of content you’re handling so you can determine how it should be handled and retained. This can be done manually and/or automatically to ensure data risk management. Learn more about implementing Data Classification practices.
Data Loss Prevention (DLP) – Data Loss Prevention is similar to Data Classification in that it scans content for particular keywords or data strings. These tools will look for specific alphanumeric patterns such as xxx-xxx-xxxx to identify a phone number or xxx-xx-xxxx to identify a Social Security number. Both of these data strings are considered Personally Identifiable Information or PII. DLP tools scan and process content in real time, preventing dissemination of sensitive information for data security and privacy purposes. Learn more about Data Loss Prevention solutions and services.
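The pattern matching just described is simple to state but easy to get wrong in practice, so here is an added example of the two shapes the text names, xxx-xxx-xxxx and xxx-xx-xxxx, as a small scanner. It is illustrative code, not Bishop's or any named product's DLP engine; the sample message and the plausibility rules it applies to candidate Social Security numbers are assumptions made for the example. It shows two things a practitioner would want beyond the bare pattern: word-boundary guards so that a longer order or account number is not reported as PII, and masking of matched values so that the scanner's own findings do not leak the data they detect.

```python
import re
from dataclasses import dataclass

# Patterns for the two shapes the text mentions. The \b guards stop a match
# inside a longer run of digits (e.g. an order number such as #4567-12-3456).
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass(frozen=True)
class Finding:
    kind: str     # "phone" or "ssn"
    masked: str   # value with all but the last four characters masked
    offset: int   # position in the scanned text


def is_plausible_ssn(value):
    """Cheap false-positive filter (assumed rules for this example): reject
    area 000, 666 or 9xx, group 00 and serial 0000, which are never issued."""
    area, group, serial = value.split("-")
    if area in ("000", "666") or area.startswith("9"):
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def mask(value):
    """Keep only the last four characters so findings can be logged safely."""
    return "*" * (len(value) - 4) + value[-4:]


def scan(text):
    """Return findings sorted by position; phone and SSN shapes cannot overlap
    because the segment lengths differ."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(m.group()):
            findings.append(Finding("ssn", mask(m.group()), m.start()))
    for m in PHONE_RE.finditer(text):
        findings.append(Finding("phone", mask(m.group()), m.start()))
    return sorted(findings, key=lambda f: f.offset)


def verdict(text):
    """Policy hook a real-time DLP check would call: block if any PII is found."""
    return "block" if scan(text) else "allow"


# Constructed sample message: one real-looking phone number, one plausible
# SSN, two implausible SSN-shaped strings and an order number that must not match.
SAMPLE = (
    "Call me at 555-867-5309. My SSN is 123-45-6789, not 000-12-3456 or "
    "666-00-1234, and order #4567-12-3456 is not one."
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.kind:5} at {f.offset:3}: {f.masked}")
    print("verdict:", verdict(SAMPLE))
```

The plausibility filter is what keeps the false-positive rate tolerable when the scanner runs on every outbound message; without it, any three-two-four digit string in a document would block delivery.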
Data Retention – It is important to apply and enforce retention policies in a clear and uniform manner for risk and compliance. Retention policies enable legally defensible disposal, which reduces costs and risks associated with storing unnecessary data. Your organization cannot be held liable if you have a firm policy in place and can prove that you actually follow and enforce it. Learn more about building and enforcing a Data Retention Policy.
What industries or company sizes are most affected?
Any company that could be involved in litigation needs to have a GRC strategy. Many people think that it’s only necessary for highly-regulated industries, but that’s not the case. If you have to produce unstructured content when you have no idea where it lives, it could require recovery of antiquated tape backups and that’s where the greatest cost and risk comes in. If you have a plan, your organization can save time and money, and reduce risk.