In-Depth

CA Unveils Compliance Automation and Governance Management Tool

CA positions GRC Manager as the industry's first portfolio-based solution for IT governance and risk management

• By Stephen Swoyer
• 10/09/2007

Governance is one of a handful of hot buzzwords. It's also one of the murkiest. Some define governance as a way to ensure compliance with regulatory requirements as well as to achieve IT and business alignment, too. Others emphasize governance's importance as a means to identify, categorize, and manage compliance risks.

CA belongs to the latter camp. The company touts an IT governance model it calls IT Governance, Risk, and Compliance (GRC). Last week, CA announced GRC Manager, a new product that lets compliance officers, analysts, and C-level executives monitor and manage IT risks across an enterprise.

Officials position GRC Manager as the industry's first visual portfolio-based solution. The concept of a portfolio view in IT governance is analogous to that of the portfolio view in financial performance management (FPM), says Marc Camm, vice-president of GRC with CA. In the FPM space, the portfolio approach enables the measurement and objective evaluation of investment scenarios.

Ditto for governance, he says. GRC Manager lets compliance officers tailor their GRC portfolios to suit the desired risk posture of an organization.

"We're speaking to the CCO, the CIO, the corporate counsel who's ensuring that there are controls in place to mitigate risk and undertake compliance with different mandates," Camm explains. "[GRC Manager] lets you manage IT risk through a unique portfolio-based approach that incorporates automation of the underlying controls. We can categorize risk on different processes, objectives, and assets, and we can then visualize and report on those risks at an enterprise level." There's more here, too, according to Camm: GRC Manager provides test—and test overlap detection—functionality.

"When controls are put in place, we can test those controls that are mitigating those risks, and any control that's not up to standard or has failed, you can undertake remediation tasks and track that through project and portfolio management," he indicates.

"One of the things that has driven the demand and the reason to create the product was, first of all, the [existence of] multiple, overlapping controls based on many different regulations. You may have SOX controls and HIPAA controls and [you've configured them to] mitigate certain risks indicated in those regulations. You have to test those controls on a regular basis. What happens in an enterprise is that they go through and they test their controls for SOX, and they may test their controls for HIPAA, or [Graham-Leach-Bliley], or others, and they go back and they're testing controls that they've already tested, because certain controls span over different regulations."

GRC Manager eliminates this test overlap, Camm says, by identifying and testing controls once, then mapping redundant or overlapping controls.

Elsewhere, compliance officers can use GRC Manager to map their IT risks and controls to specific legislative mandates, industry regulations, and corporate policies. CA calls this "cross-referencing”—the idea being that it can help mitigate (or, ideally, eliminate) the isolation or silo-ing of governance data that's all too common in most organizations.

"The way they typically approach this is by creating a bunch of rows and columns in a spreadsheet and tracking [risk and compliance] that way," Camm observes. "That creates different views in the enterprise and silos of management. It doesn't give you an overall enterprise view of your risk, because it's stored in different spreadsheets across your enterprise."

GRC Manager bundles the Unified Compliance Framework, a subscription service that maps a canned set of more than 4,000 controls to 280 standards and regulations—including not just SOX, HIPAA, and GLB, but also COBIT, COSO, NIST, ISO17799:2005, PCI, and NERC. "If you want to be compliant with this particular regulatory mandate in this particular discipline, it's going to tell you what controls you have in place and what risk that will mitigate. It really gives you sort of a holistic view across all of your IT risk," Camm explains.

CA does not, however, position GRC Manager as a bulletproof—or risk-free—tool; it doesn't indemnify users against compliance mishaps or other regulatory issues that might occur as a result of GRC Manager's use.

"What we're doing is providing a framework to categorize and organize data and information. The predefined reports that are mapped to the regulations and standards, those are published pieces of information that we then map to controls," Camm explains. "Anybody who's undertaking this, it's not really to say it's a cookie cutter, out-of-the-box approach—do all of this and you'll be covered. What this says is 90 percent of the data that you need to understand the process is included. You still need to create whatever workflows map to your processes. So this isn't a one-stop shop to actually ensure you're in compliance."

GRC Manager does, however, give compliance officers a visual means to monitor and manage the GRC process, Camm insists. "We really are looking here for risk and control management, information governance, identity and access management—these are all things that have risk and control issues around them. The technology we're introducing here really allows you to follow a streamlined process which allows you to put together your overall governance plan. This lets you reduce the resources your organization is going to have to invest to undertake compliance and reduce risk."