The latest buzz in Information Technology is IT-GRC, hyped by vendors and abetted
by analysts as the next great wave of IT management solutions.
GRC stands for Governance, Risk, and Compliance, and IT-GRC packages claim
to be able to integrate these three domains under one roof. The underlying promise
is that finally the board and management can get control of IT and appropriately
govern and manage the IT operations to ensure that enterprise risk management
goals are met. Regulators and business partners will be kept satisfied by the
organization and its partners in regards to compliance.
But just as the best financial management systems and a bevy of auditors have
not stopped the flow of financial misconduct by motivated perpetrators, this
promise will also fundamentally miss the mark without directly addressing the
issue of security.
As evidenced most recently in the Hannaford data breach incident, where the
trust of an estimated 4.2 million payment card holders was violated through
a security flaw, an organization can have a risk management program and a compliance
program and still not be secure.
According to public statements, Hannaford used an IT-GRC package to manage
their risk and compliance program, had undertaken and passed outside assessments
and audits, and from all outside appearances, had been doing "the right
things." But, if having a risk management and compliance program nets the
organization a very public and costly data breach, exactly what is the point?
How many dollars spent on those programs would have been better spent on addressing
the fundamentals of security?
After the breach was publicized, Hannaford president and CEO Ronald C. Hodge
said in a statement: "We have taken aggressive steps to augment our network
Section 4.1 of the PCI Standard reads, "Encrypt transmission of cardholder
data across open, public networks," stating further, "Sensitive information
must be encrypted during transmission over networks that are easy and common
for a hacker to intercept, modify, and divert data while in transit." Is
it arguably "reasonable" to believe that internal networks are significantly
less vulnerable to attack than public networks? Yes. Is it actually true in
the real world of the large distributed network? Probably not.