When developing a governance, risk and compliance framework to be implemented within a large organisation, companies often look at market best-practice standards, regulatory requirements and internal standards. Within a wider model the organisation will need to look at strategic risks, operational risks and tactical risks to ensure the entire organisation is covered by the governance, risk and compliance framework.
[Image: three-tier governance, risk and compliance framework outline; tier 3: Information systems and data]
As can be seen in the above image, the high-level view of a typical governance, risk and compliance framework outline consists of three tiers. Only tier 3 has information systems and data as its primary focus. A framework and its implementation are only complete, and only make sense, if you focus on all three tiers and not on just one or two of them.
Even though this post focuses on tier 3, information systems and data, all layers should be covered in an overall governance, risk and compliance framework. Having stated that, the three tiers influence each other, and the end-to-end model cannot be created without cross-functions and overlap.
Implementation by standardization and Enterprise Architecture
When looking specifically at tier 3, one of the things that becomes obvious rather quickly is that creating and implementing a governance, risk and compliance framework requires standardization.
To be able to build a good and workable governance, risk and compliance framework you will have to standardize and limit the number of technologies as much as possible. Building standardized building blocks, adopting them in your organisation's enterprise architecture repository and ensuring they are complemented with standard implementation and security rules is a good default rule. Ensuring that the standardized solution building blocks and the governance, risk and compliance framework complement each other is a vital cornerstone for success in tier 3 implementations.
The diagram below shows the part of TOGAF relevant to building a governance, risk and compliance framework-enabled Enterprise Architecture.
When developing a governance, risk and compliance framework you will have to ensure that the framework is adopted as a standard in the Enterprise Architecture framework. This means that the framework has to be implemented in the Standards Information Base. Doing so ensures that it is included in the architecture landscape and, as a result, ends up in the solution building blocks.
The "Standards Information Base" will hold standards on architecture, standards on configuration as well as coding and development standards. This will also hold all standards coming from the governance, risk and compliance framework to ensure that this is embedded in the foundation of the architecture.
It is of vital importance to ensure not only that the standards coming from the governance, risk and compliance framework are included in the "Standards Information Base", but equally that they are applied and used, and that an architecture compliance review process is in place to verify this.
Having the standards derived from the governance, risk and compliance framework embedded in the enterprise architecture, and ensuring that they are applied at an architecture level and used in the right manner, will help enforce the implementation in tier 3.
Having a governance, risk and compliance framework in place, embedding it in the "Standards Information Base" of your Enterprise Architecture Repository and ensuring through an architecture compliance review process that the standards are included in the resulting architectures and solution building blocks is only a part of the end-to-end solution.
Ensuring that your architecture is in line with the requirements stated in the governance, risk and compliance framework is no guarantee that it is implemented in this manner. And when it is implemented in compliance with the standards, that is no guarantee that it will remain that way during operations.
What is required to ensure a correct level of compliance with the standards is constant monitoring of the current deployments and of the level to which they are compliant. Solutions like Puppet can be used to complete this task up to a certain level and report the degree of deviation from the standard requirements; however, Puppet and similar tools are not designed for this specific purpose and can only perform the task up to a point.
Oracle provides a fully built-for-purpose solution as part of the Oracle Management Cloud Service. The Oracle Compliance Cloud Service is a software-as-a-service solution that enables the IT and business compliance function to assess and score industry-standard benchmarks, REST-based cloud resources and your own custom rules. With the Oracle Compliance Cloud Service you can score, assign and remediate compliance violations both on premise and in the cloud.
The Oracle Compliance Cloud Service allows you to monitor systems and applications deployed in the Oracle Cloud, in other public clouds, in your local datacenter and in your private cloud. It provides constant monitoring and reporting that gives you real-time insight into the level of compliance, either against the standards defined by your own organisation or against industry and regulatory standards.
Having constant real-time insight, and the ability to define automatic actions when a check fails, gives you more control over the actual implementation of the governance, risk and compliance framework in tier 3. Real-time and constant assessments uncover situations that might lead to issues as soon as they arise, and empower IT to ensure security, reliability and compliance at all times.
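To make the scoring and remediation idea above concrete, here is a small continuous-compliance checker added as an illustration; it is not code from this post or from the Oracle Compliance Cloud Service, and the rule ids, thresholds, host snapshots and remediation actions are all constructed.

```python
# Added example, not code from the original post or from Oracle Compliance Cloud Service:
# a small continuous-compliance checker for tier 3. Rule ids, thresholds, the host
# snapshots and the remediation actions are all constructed for illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

@dataclass
class Rule:
    rule_id: str
    description: str
    check: Callable[[dict], bool]  # returns True when the deployment complies
    remediation: str               # action assigned when the check fails
    severity: int = 1              # weight of the rule in the compliance score

# Rules stand in for the standards held in the Standards Information Base.
RULES: List[Rule] = [
    Rule("SSH-01", "SSH password authentication disabled",
         lambda c: c.get("ssh_password_auth") is False, "set PasswordAuthentication no", 3),
    Rule("TLS-01", "Minimum TLS version 1.2 or newer",
         lambda c: c.get("min_tls") in ("1.2", "1.3"), "raise minimum TLS version", 2),
    Rule("PATCH-01", "Security patches no older than 30 days",
         lambda c: c.get("patch_age_days", 999) <= 30, "schedule patch window", 2),
    Rule("LOG-01", "Audit logs forwarded to the central collector",
         lambda c: bool(c.get("log_forwarding")), "enable log forwarding", 1),
]

@dataclass
class Assessment:
    host: str
    score: float                                   # 0..100, weighted by severity
    violations: List[dict] = field(default_factory=list)

def assess(host: str, snapshot: dict, rules: List[Rule] = RULES) -> Assessment:
    """Score one deployment snapshot against the rules and assign remediation."""
    total = sum(r.severity for r in rules)
    passed, violations = 0, []
    for r in rules:
        if r.check(snapshot):
            passed += r.severity
        else:
            violations.append({"rule": r.rule_id, "why": r.description, "action": r.remediation})
    return Assessment(host, round(100.0 * passed / total, 1), violations)

# Constructed snapshots, as a monitoring agent might report them on each run.
SNAPSHOTS: Dict[str, dict] = {
    "web-01": {"ssh_password_auth": False, "min_tls": "1.2", "patch_age_days": 12, "log_forwarding": True},
    "db-02": {"ssh_password_auth": True, "min_tls": "1.0", "patch_age_days": 45, "log_forwarding": True},
}

def drift_report(snapshots: Dict[str, dict] = SNAPSHOTS) -> Dict[str, Assessment]:
    """Assess every host; a scheduler would rerun this continuously to catch drift."""
    return {host: assess(host, snap) for host, snap in snapshots.items()}
```

Running `drift_report()` on a schedule, and feeding each violation's assigned action into a ticketing or automation system, is the loop the post describes as constant monitoring with automatic actions on failed checks.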