When purchasing a GRC software tool, there are several steps that a business should take to find the best tool for their needs. In our last blog post we discussed conducting a compliance self assessment. Today we want to talk about the next phase – defining goals.
Once you have assessed your current processes, it’s time to define what you hope to achieve with the implementation of a new compliance tool and plan out your strategy.
Adopting GRC software will likely affect many different departments in your organization, and it is important to talk through the impact with all involved parties. Defining the specific requirements for each department up front and discussing the benefits of the tool will help get team buy-in and make the transition to the tool easier.
Other important questions to cover during the goal-setting phase include identifying KPIs, defining short-term and long-term goals, and thinking through possible integrations with the tools already in use (ticketing, document management, or any existing compliance software).
To get a copy of our goal questionnaire, as well as a complete overview of the compliance tool purchasing process, download our GRC Software Buyer’s Guide now.
How to Conduct a Compliance Self-Assessment – an Excerpt from our GRC Software Buyers’ Guide
Last week we shared some tips and tricks to help you find the best GRC tool for your company and your specific compliance needs. Purchasing a GRC tool is an important decision. The right GRC tool can streamline your work and significantly reduce the hassle related to managing your compliance program. But choosing the right tool requires a big investment in time and resources.
You know you need a GRC tool, but where to begin? The best place to start is by gaining an understanding of the regular and periodic processes that your team uses to ensure your company stays compliant. By understanding and documenting your compliance processes, you’ll gain a strong understanding of the opportunities for improvement.
We call it a “compliance self-assessment” and our GRC Software Buyers’ Guide comes with a ready-made questionnaire designed to help you assess the state of your compliance program.
For a copy of our assessment worksheet, download the GRC Software Buyers’ Guide today. It will bring you one step closer to finding the GRC tool of your dreams.
The Cyber Regulations are Coming. Get Your 2017 Budget Ready Now.
Read the news and chances are you’ll see yet another report of a major cybersecurity breach. Big brands and small companies alike, none are immune. So it came as little surprise to see a recent article in Fortune reporting on new cybersecurity regulations for companies in the financial industry from the State of New York.
In essence the rules will hold financial firms accountable for preventing cyberattacks by requiring them to encrypt sensitive data and appoint CISOs. What’s more, they require senior executives to sign off on cyber-compliance. The rules go into effect in 2017. And while they apply only to financial firms licensed by the State of New York, given the sheer number of financial companies in the state, the new regulations will make a big impact.
Several things really struck me about this story. First, most of what passes for infosec "regulation" today is actually a set of standards and attestation frameworks managed by industry or professional bodies. Think of PCI DSS, SOC 2, or ISO 27001. None of those is mandated by a government agency; you comply because a card brand, a customer, or a contract requires it. Even NIST or FedRAMP requirements flow from contracts companies have with the government, so they are really about contract compliance rather than government-mandated compliance. The New York rules are different: a government regulator imposing cybersecurity requirements directly. I would expect additional state and federal entities to follow New York’s lead, and a big jump in the number of national and international regulations related to cybersecurity as a result.
For those of us in the compliance industry, more and more complexity is the new normal. How do we—both as an industry and as infosecurity practitioners at organizations—even begin to manage this? And how do companies remain healthy and innovative under the weight of all this compliance complexity?
If you manage information security for your company, what do these new regulations mean for you?
Regulatory requirements are no longer just the domain of the compliance and risk team. These are C-level and Board-level issues. Companies will pay a steep cost for non-compliance. Your day-to-day job may be focused on protecting your company’s infrastructure in order to prevent a breach. But with these new regulations on the horizon, you need to start speaking the language of the CEO and Board on these issues. New York’s new cyber regulations are a catalyst for thinking more strategically about information security and compliance.
More complexity is coming and you need to be prepared. Are you managing your compliance program with a mess of spreadsheets? The more regulations you need to comply with, the more untenable your spreadsheet management becomes. Now’s the time to start investigating solutions for automating compliance and audit-related tasks and workflows.
Urgency is the watchword of the day. If the New York cyber regulations proceed unaltered, they will go into effect January 2017, and companies will have a mere six months to comply. That’s not much time. And it means infosec managers need to communicate to upper management now—right away THIS year—to factor these new requirements into the 2017 budget. The clock is ticking to get your house in order before the end of Q2 2017, or risk not just a cyber breach (which is bad enough), but also falling out of compliance with the State of New York.
Here at ZenGRC, we’ll be watching these new regulations closely and we’re here to answer any questions you may have. Don’t hesitate to contact us at engage@zengrc.com.
When to Implement a GRC Tool? – An Excerpt from ZenGRC’s GRC Software Buyer’s Guide
While the benefits of an all-in-one GRC software solution are clear, a lot of businesses get hung up on timing, asking when is the right time to implement a GRC tool?
Below are three common reasons why businesses put off implementing GRC tools, and responses to why these scenarios are actually the perfect time to get started.
“We’re doing just fine using spreadsheets.”
Studies of spreadsheet error rates have repeatedly found that close to 90% of spreadsheets contain at least one error. If nine out of ten of the spreadsheets holding your compliance data have a mistake somewhere in them, that is, in most industries, completely unacceptable. The underlying cause is the lack of structure around collaboration and version control: no access control, no audit trail of who changed what and when, and no reliable way to tell which copy is current. If you’re using spreadsheets to manage multiple compliance programs, it’s imperative that you move to a system of record that provides you with a single, more reliable source of truth.
“I have an audit coming up”
An audit is a great opportunity to mature from your spreadsheets to a more robust tool. Part of the audit preparation involves getting your compliance data properly documented and collated for the auditor. Taking the additional step to migrate that content into a GRC tool where you can keep it up to date and use it as the basis for ongoing reporting helps you to leverage that work, getting more value out of your audit prep investment. Once you get results back from your audit, you can track your compliance posture and use the GRC tool to aid in remediation, rather than being forced to create and maintain new spreadsheets.
“Budgets are tight right now”
No compliance team is ever over-resourced. However, paying highly paid professionals to manage inefficient spreadsheet-based programs is not the best use of your limited budget. Your team’s time would be better spent implementing controls and ensuring they are operating effectively, rather than reconciling a handful of spreadsheets or babysitting colleagues via email. A GRC tool that can send automated reminders for compliance tasks is a better investment than having a member of your staff send out reminder emails and track completion status manually!
Be proactive and make managing GRC less of a hassle and more productive!
Smarter Compliance, Less Risk – an Excerpt from ZenGRC’s GRC Software Buyer’s Guide
Wondering how a GRC software tool can impact your business? Check out another excerpt from our Governance, Risk Management, and Compliance Software Buyer’s Guide to learn about the benefits of implementing an all-in-one GRC tool.
Smarter Compliance, Less Risk
Take a look at how an all-in-one tool can reduce your risk of non-compliance while decreasing costs and maximizing revenue, streamlining your audit, and improving accountability.
Increase Productivity
A GRC tool significantly lowers costs associated with managing compliance programs. First, a GRC tool will streamline and eliminate manual processes and allow teams to more easily become and stay compliant. Second, you will be able to utilize a GRC tool as your single source of truth for everything related to your compliance needs. Third, a GRC tool will significantly decrease the number of errors, gaps, and omissions that are currently being found in your spreadsheets. All of these benefits lead to a more productive compliance team.
Your All-in-One Compliance Tool
With a GRC tool, compliance teams can leverage a system of record, automated workflows, audits, pre-risk assessments, reporting & dashboards, and multiple third-party integrations all from one central platform. A GRC tool makes compliance trackable, automated and more visible for CISOs and their teams.
Automate Your Compliance Tasks
Companies commonly find that the real value of automation lies in the routine, recurring tasks that must be completed on schedule regardless of who is available to do them. The GRC platform can automate some of those outright, and send reminders for those that still require human interaction.
Deliver Robust Reporting
CISOs often find it difficult to determine the ROI on their compliance efforts because they cannot aggregate the relevant compliance data in one place. By utilizing out-of-the-box reports, a GRC software tool allows businesses to understand their true compliance posture and identify gaps or overlaps in their programs (for example, one control that satisfies requirements in several frameworks, or a requirement no control currently covers). Dashboards and advanced reports deliver important metrics to users and business decision-makers.
Support Your Audit Team
Audit teams execute a process. And like any business process, they need quality input. A well-documented compliance program in a GRC tool and the ability to conduct an audit over that program can jumpstart your internal audit teams, and ease the burden of providing information to an external auditor. Key tasks in the audit process also gain an efficiency boost from a GRC tool, such as automating evidence collection and dashboards to show progress. At the end of the audit, the outputs can be fed back into the GRC tool for automated tracking. Issues can be assigned for remediation, while the auditor’s opinions of control effectiveness can be documented to show your compliance posture.
To get more information on the GRC purchasing process, including assessment worksheets, vendor evaluation questions and implementation tips, download the full GRC Software Buyers’ Guide now.