Feature

Criteria and Methodology for GRC Platform Selection
ISACA Journal, Volume 1, 2010

Anand Singh, CISM, CISSP, is a senior consultant with extensive background in information security and compliance, as a practitioner and a researcher. He specializes in IT risk management and its use as a decision-support system to determine the economics of security investment. He is a highly sought-after speaker on information security issues. He can be reached at anand.singh@gmail.com.

David J. Lilja, Ph.D., is the Louis John Schnell Professor and head of electrical and computer engineering at the University of Minnesota in Minneapolis (USA). He also serves as a member of the graduate faculties in computer science and scientific computation, and is a fellow of the Minnesota Supercomputing Institute. His research interests include security, computer architecture and performance analysis. He has been elected a fellow of the Institute of Electrical and Electronics Engineers (IEEE) and a fellow of the American Association for the Advancement of Science (AAAS). He is the author of the book Measuring Computer Performance: A Practitioner's Guide.

More than a decade ago, the acclaimed management philosopher Peter Drucker stated, "the diffusion of technology and commodification of information transforms the role of information into a resource equal in importance to land, labor and capital."1 The exponential growth of information after the Internet boom of the 1990s shows the accuracy of his foresight. In today's world, the fortunes of most organizations are tied to the information they possess and the sophistication with which they are able to manage it. As a consequence, governance, risk management and compliance (GRC) issues around information have become central to organizational strategies. Investment in these areas has been increasing steadily, topping US $32 billion in 2008, a growth of 7.4 percent over 2007.2

GRC platforms provide a single, federated framework that integrates organizational processes and tools, supporting those processes for the purpose of defining, maintaining and monitoring GRC. An appropriately chosen GRC platform can reduce complexity and increase efficiency. Selecting a GRC platform is a complex endeavor, though, and requires extensive collaboration among business, IT, compliance and audit. It requires a substantial investment of time and effort in addition to the capital investment required for purchasing and maintaining the platform. Making the task of selecting a platform even more complex is the fact that this space is populated with a large number of competing products—AXENTIS, MetricStream, OpenPages, Paisley, Modulo and Archer, to name a few. Thus, it is imperative that the platform selection is done intelligently, to ensure a positive return on investment (ROI).

The following sections provide comprehensive criteria that can be used to evaluate and select a GRC platform for an enterprise. These criteria have been determined through interviews with experts in different industry segments, examination of industry best practices, experience gained in evaluating GRC platforms for multiple enterprises, and the use of requirements engineering techniques. They can be used as building blocks to which the unique requirements of the organization can be added to arrive at a complete set of requirements that need to be considered. While they are defined here for GRC platforms in totality, they can easily be adapted for tool sets addressing individual areas of governance, risk or compliance. The criteria are structured in three major sections: general considerations, functional requirements and nonfunctional requirements. How to use the criteria to arrive at a decision is described further through a scoring model and a case study.

General Considerations
These criteria are general in nature and applicable to all enterprises, irrespective of the regulations applicable to them, their size or the business sector in which they operate. They are must-haves and, hence, are generally used for exclusionary purposes, i.e., to narrow the field of proposals that will be considered. Figure 1 summarizes the parameters and artifacts that can be used to evaluate vendors against the criteria:
• Cost—GRC solutions can vary significantly in cost. While considering cost, it is important to consider the total cost of ownership (TCO). Some important TCO components are hardware, implementation and consulting fees, training, customization, maintenance, security, and operational costs. TCO is also a useful metric to have for ROI calculations.
• Vendor reputation—With the growing popularity of and demand for GRC platforms, a significant number of vendors have jumped into this space. In addition to there being a surfeit of genuine vendors, the picture is further clouded by some vendors that market GRC solutions that are thinly disguised versions of their existing product suite targeting a different space. As competition heats up and market forces weed out weaker players, only the stronger players will survive. Hence, it is important not to get stuck with a solution that might become unsupported in the future, either because the vendor has ceased to exist or because it has exited this space. This can be avoided through a thorough appraisal of the vendor's installed base, references and financial viability.
• Product scope, strategy and vision—Threats and vulnerabilities are ever changing. The recent financial meltdown is leading to a change in the regulatory landscape. All of this is a stark reminder that GRC is an ongoing process that might require an expansion of scope. Another driver for this is the fact that many countries are still working toward maturing their regulations and compliance regimes—J-SOX3 being one such example. Finally, as organizations enter new market segments, they have to adapt to the GRC requirements in that space. All of these factors mean that it is important to examine the product scope, strategy and vision to make sure that the vendor has a long-term view of its product offering and has mechanisms to adapt and expand as the landscape changes. The product road map and research and development (R&D) strength (measured in terms of R&D head count and investment) are some examples of how to further this examination.

Figure 1—Evaluating General Considerations
General Considerations | Example Evaluation Parameters and Artifacts
Cost | Software, hardware, licensing, training, customization, consulting, maintenance, security and operations
Vendor reputation | References, installed base and financial viability (market capitalization, financial results, annual reports)
Product strategy and vision | Product road map, R&D head count and R&D budget

Functional Requirements
Functional requirements are used to define the behavior of the target software, including the features and capabilities that determine what a system is supposed to accomplish. The following sections define high-level requirements for each of the three principal components—governance, risk management and compliance—as well as for other general functionality:
• Governance—The IT Governance Institute (ITGI) defines governance as "the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that the objectives are achieved, ascertaining that the risks are managed appropriately and verifying that the enterprise's resources are being used responsibly."4 In light of this definition, the governance component of the GRC platform must be evaluated for the requirements presented in figure 2.

Figure 2—Governance Requirements
Requirement | Explanation
Business alignment | Facilitate alignment of governance with the organization's business objectives
Policy, standard and procedure management | Policies are the medium through which management communicates its direction and intent. Standards and procedures are the vehicles used to implement policies across the organization. Therefore, the GRC platform must support the development, maintenance and communication of these.
Oversight | Enable executive management oversight through appropriate reporting mechanisms such as a security and/or compliance dashboard
Decision support | Provide cost/benefit and other data to executive management for decision-making purposes (e.g., risk data can be used to determine the economics of, as well as justify, the security investment)

• Risk management—Risk management is the activity directed toward assessing, mitigating (to an acceptable level) and monitoring risk. The principal goal of an organization's risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets.5 Figure 3 presents the high-level requirements for risk management.
• Compliance—Compliance is an increasingly complex task given the global footprints of organizations, the growth of the regulatory environment (which is likely to become even more stringent in light of the current economic crisis) and local regulations. Figure 4 presents the requirements to ensure that these needs are supported by the GRC platform.

Figure 3—Risk Management Requirements
Requirement | Explanation
Risk baseline | It should facilitate development of the risk baseline based on the organization's risk appetite.
End-to-end risk management | Risk management is a continual process. It should begin at the conception stage, be considered throughout the software development life cycle (SDLC) and end only when the system is retired. The GRC platform must support this ongoing management of risk.
Adaptability | Since an organization's risk profile, threats and vulnerabilities change frequently, it is important for risk management to be adaptive to these changes.
Consistency | It must provide consistency, i.e., different areas of the same organization should manage their risks in a consistent fashion. This makes the task of risk consolidation simpler and more manageable.
Metrics | It must facilitate collection of metrics about incidents, vulnerabilities and threats. These data in turn can be used for monitoring losses and assigning cost-effective controls to remediate or mitigate future losses.

Figure 4—Compliance Requirements
Requirement | Explanation
Regulatory intelligence | Report on global events and regulatory changes, and link with legal databases such as Westlaw and LexisNexis
Requirements and controls library | Ensure authoritative libraries of all applicable compliance-driven requirements and associated controls
Correlation | Provide the ability to correlate similar requirements across different compliance regulations for efficiency purposes
Remediation management | Facilitate the ability to track identified remediation measures and their progress
Reporting | Deliver the ability to generate reports, including ad hoc reports, needed for audits

• Vendor oversight—Regulators are increasingly focused on personally identifiable information (PII) and on how organizations manage such data among the vendors that have access to it. For example, the healthcare providers serving most organizations have access to PII. Regulators require organizational due diligence to ensure that vendors with access to such data have mature information security practices to protect it. GRC platforms should facilitate this effort. Support for the Shared Assessments program, an industry-standard method for determining the maturity of information security practices at a vendor, is one way a GRC platform can demonstrate its strength.
• Workflow—A good workflow engine is essential to the success of a GRC platform. Given the large number of areas and users involved in the GRC platform, there is a need to manage and distribute work and monitor its progress through all of these steps.
• Document management—GRC platforms are used for the organization and management of an extensive body of documentation. In addition to policies, standards and procedures, they house organizational controls, the tests conducted to verify the robustness of these controls, and custom attributes. Therefore, strong document management features are essential to success.

Nonfunctional Requirements
Nonfunctional requirements are used to define the operation of the system or the environment in which the software should run. Since the spectrum of nonfunctional requirements is very large, the field has been narrowed to the requirements that are most applicable to the selection of a GRC platform:
• Security—GRC platforms house critical information about the security posture of the enterprise, including information about vulnerabilities, risks and data as well as their classification. The consequences of a security breach are great and include exploitation of the vulnerabilities recorded in the platform, damage to credibility, financial loss and legal liability. As such, strong security measures should be provided in the platform to enforce not only protection from external breaches (e.g., through encryption), but also protection from insider misuse of information, by allowing enforcement of two fundamental principles of security: least privilege (i.e., individuals should have just enough permissions and rights to fulfill their roles) and need to know (i.e., individuals should have access to specific information only if it is essential for them to carry out their roles).
• Scalability—The amount and the complexity of information resources within organizations are increasing at an exponential rate. In addition, it might be necessary for organizations to scale their GRC platform for new risks and compliance regimes. This could be necessitated by their foray into new market segments, expansion of their global footprints making them subject to local regulations, or new regulations coming into existence. Determining scalability requirements
appropriately up front provides flexibility for future growth. Because scalability is based on future needs, it requires a certain amount of prediction and estimation to plan for it. An examination of the organization's strategic business plan for the next few years might provide this insight.
• Interface—To achieve maximum efficiency from the GRC platform, it is important that it provide interfaces for integration with the enterprise applications used to drive business processes (e.g., integration with an identity management system or a configuration management database [CMDB]). This will help automate data collection, controls and processes and, hence, simplify analysis, reporting and remediation.
• Usability—Usability requirements specify the ease of use of a system. Given that a GRC platform would be used by a broad spectrum of users including business, IT, audit and compliance, it is important that their input is sought in evaluating the usability of any platform under consideration. The five parameters that should be considered for this purpose are ease of learning (evaluated through the training and documentation provided), task efficiency (efficiency of the system for frequent users), ease of remembering, understandability and subjective satisfaction.6
• Support—Supportability deals with the ease of customization to meet the unique needs of the organization, incorporation of new features or enhancements, and bug fixes. A good example of a supportability requirement is that, for an organization that has to adhere to Payment Card Industry (PCI) standards, the GRC platform vendor should provide updates when new versions of the PCI standards are released. Maintenance, updates, consulting services and customization are some areas to consider when evaluating vendors against this dimension.

Example Selection Process Walk-Through
The criteria presented previously can be combined with a weighting mechanism to arrive at a decision on which GRC tool to select. An example case study is presented here; figures 5 through 7 show the questionnaire used to solicit requirements, the weighting scale and the resulting decision table.

Figure 5—Requirements Solicitation Questions
1. What is your biggest GRC area of concern?
2. What compliance regulations are applicable to your area?
3. Have you failed any areas of compliance audits in the past? If so, what were the findings?
4. What improvements would you like to see in your current mechanism for prioritizing the security budget?
5. How do you rate the effectiveness of your security controls?
6. What would you like to see in the reports indicating the current status of compliance?
7. How do you evaluate your risk currently? What are possible areas of improvement?
8. What are critical threats to your area?
9. How many times have you experienced these threats in the past 12 months?
10. What area are you more concerned about, insider abuse or external threat? Please provide specifics.
11. Have any of your end users expressed dissatisfaction with the extra steps they have to go through because of the security controls?
12. Do you have a good data classification mechanism?

Figure 6—Criteria Weight Determination
Stakeholder Interest | Score
1-2 secondary stakeholders | 1
3 secondary stakeholders or more | 2
At least one primary stakeholder | 3
More than 2 (but not all) primary stakeholders | 4
All primary stakeholders | 5

Figure 7—Decision Table
Columns: Requirement | Weight (W) | Explanation/Comments | R(A) | R(A)*W | R(B) | R(B)*W | R(C) | R(C)*W
(R(A), R(B) and R(C) are the committee's consensus ratings, on a scale of 0 to 5, of vendors A, B and C.)
Governance
Business alignment | 5 | | 4.1 | 20.5 | 4.7 | 23.5 | 2.8 | 14.0
Policy, standard and procedure management | 5 | | 4.7 | 23.5 | 3.5 | 17.5 | 3.5 | 17.5
Oversight | 4 | | 3.4 | 13.6 | 3.7 | 14.8 | 4.4 | 17.6
Decision support | 3 | Intention to rely on existing tool set as much as possible | 4.1 | 12.3 | 3.3 | 9.9 | 4.4 | 13.2
Risk Management
Acceptable risk baseline | 4 | | 4.7 | 18.8 | 4.8 | 19.2 | 3.3 | 13.2
End-to-end risk management | 3 | Mostly off-the-shelf software means that managing risk across the SDLC is not critical. | 4.5 | 13.5 | 2.1 | 6.3 | 4.7 | 14.1
Adaptability | 4 | | 2.1 | 8.4 | 3.1 | 12.4 | 2.3 | 9.2
Consistency | 5 | | 1.8 | 9.0 | 4.3 | 21.5 | 2.1 | 10.5
Metrics | 5 | | 4.2 | 21.0 | 3.0 | 15.0 | 2.9 | 14.5
Compliance
Regulatory intelligence | 4 | | 3.3 | 13.2 | 4.4 | 17.6 | 4.3 | 17.2
Requirements and controls library | 5 | | 4.1 | 20.5 | 4.0 | 20.0 | 3.8 | 19.0
Correlation | 3 | Since HIPAA and PCI are mostly nonoverlapping, being able to correlate across the two is not critical. | 3.1 | 9.3 | 2.1 | 8.3 | 1.9 | 5.7
Remediation management | 4 | | 4.3 | 17.2 | 3.9 | 15.6 | 2.8 | 11.2
Reporting | 5 | | 4.3 | 21.5 | 4.2 | 21.0 | 3.3 | 16.5
Vendor oversight | 2 | | 2.3 | 4.6 | 1.5 | 3.0 | 3.5 | 7.0
Workflow | 5 | | 3.9 | 19.5 | 5.0 | 25.0 | 0.9 | 4.5
Document management | 5 | | 4.5 | 22.5 | 4.1 | 20.5 | 4.5 | 22.5
Security | 5 | | 5.0 | 25.0 | 5.0 | 25.0 | 4.5 | 22.5
Scalability | 2 | Does not anticipate a change in its regulatory environment | 3.8 | 7.6 | 5.0 | 10.0 | 4.9 | 9.8
Interface | 4 | | 2.2 | 8.8 | 4.1 | 16.4 | 3.8 | 15.2
Usability | 5 | | 4.5 | 22.5 | 4.3 | 21.5 | 4.2 | 21.0
Support | 5 | | 4.1 | 20.5 | 1.9 | 9.5 | 3.0 | 15.0
Other Requirements
Import existing HIPAA controls | 5 | | 4.0 | 20.0 | 2.7 | 13.5 | 1.3 | 6.5
Automatic evidence collection | 5 | | 4.0 | 20.0 | 4.0 | 20.0 | 2.9 | 14.5
Project management | 4 | | 3.9 | 15.6 | 4.2 | 16.8 | 3.3 | 13.2
Exceptions management | 4 | | 1.3 | 5.0 | 3.7 | 14.8 | 3.6 | 14.4
Fit in existing infrastructure | 3 | Hardware is a small part of the overall allocated budget. | 3.4 | 10.1 | 1.9 | 5.7 | 1.2 | 3.6
Support for ISO Guide 73 | 3 | Risk calculation method used in some departments | 1.5 | 4.5 | 5.0 | 15.0 | 4.2 | 12.6
Background check of vendor consultants | 1 | Most vendors would comply if selected. | 4.0 | 4.0 | 3.3 | 3.3 | 4.8 | 4.8
Segregation of duties | 4 | Not a strength of the organization currently | 4.1 | 16.4 | 3.2 | 12.8 | 4.4 | 17.6
Total | | | | 448.85 | | 455.4 | | 398.1
Legend (color-coded in the original): the rows under Governance, Risk Management and Compliance, together with Vendor oversight, Workflow and Document management, are functional requirements; Security, Scalability, Interface, Usability and Support are nonfunctional requirements; the rows under Other Requirements are unique organizational requirements.
Note: three printed products (vendor A's Exceptions management and Fit in existing infrastructure, and vendor B's Correlation) do not equal the weight times the printed rating, so the ratings were evidently rounded before printing; recomputing the totals from the printed ratings changes them slightly but leaves the ranking of the vendors unchanged.

A medium-sized retail organization is looking to strengthen the governance and risk management of its information. It has been classified as a tier-2 vendor for PCI. In addition, it offers pharmacy services in its stores and, hence, has to be compliant with the US Health Insurance Portability and Accountability Act (HIPAA). It has budgeted a TCO of US $750,000 for a GRC solution to manage these efforts over a five-year period. It is not looking to include US Sarbanes-Oxley Act compliance in the ambit of this GRC tool because it intends to continue leveraging its existing point solution for that. The following is a step-by-step description of how the organization arrived at a decision using the criteria defined previously (figure 7 shows the results of these steps):
1. It created a request for proposal (RFP) defining the GRC needs of the organization and invited vendor responses. Based on the exclusionary criteria, it narrowed the vendor choices to A, B and C.
2. It partitioned its stakeholders into primary (those who are directly impacted by the platform choice) and secondary (those who are intermediaries in the selection process) stakeholders. Its primary stakeholders were the office of the

CISO, IT, internal audit and pharmacy process owners. Its secondary stakeholders were vendor management, the business continuity planning (BCP) team and finance.
3. It identified its other requirements, primarily using the requirements solicitation questions shown in figure 5 (these requirements are included in figure 7 under "Other Requirements").
4. It weighted all criteria on a scale of 1 to 5 (see figure 6). (Note that since this article focused on identifying essential requirements in the previous sections, most of those would be weighted 3 or more; when unique organizational requirements are added, the spread from 1 to 5 would likely be observed.) Figure 7 reflects the weights along with explanations where the choice of a weight is not obvious.
5. It created a committee drawn from the primary and secondary stakeholder teams. For the vendors still under consideration, this committee rated them against each requirement on a scale of 0 to 5, using a consensus method (some stakeholders chose to recuse themselves on occasion, as they were not knowledgeable about the requirement under consideration). A vendor should be disqualified if it has a score of 0 on any criterion weighted 3 or above (i.e., any criterion of significant interest to the primary stakeholders). The following were used as raw data to arrive at a decision:
– Vendor demonstrations
– White papers, spec sheets and other documentation
– Data from research organizations such as Gartner, Forrester and Burton Group
6. It computed a total weighted score for each vendor. Since the scores of vendor A and vendor B were close to each other, it had those vendors bid against each other to reduce costs and ended up choosing vendor B as a result.

Conclusion
Businesses are increasingly relying on GRC platforms to achieve synergies across governance, risk and compliance. In the crowded landscape of GRC platforms, arriving at the right choice for an enterprise is a complex decision. It is imperative that all applicable criteria are considered to ensure a positive return on investment (ROI). It is also necessary to make the evaluation process as objective as possible.

The proposed approach helps business and IT understand the essential criteria to consider when evaluating GRC platforms. In addition, it illustrates how these criteria can be rolled into a scoring model to arrive at an objective decision. This ROI-driven approach will improve an organization's ability to select the right GRC platform for its needs and, in turn, will help it manage the complexities associated with GRC efficiently.

Endnotes
1 Drucker, P.; Management Challenges for the 21st Century, HarperBusiness, 1999
2 Hagerty, John, et al.; "The Governance, Risk Management and Compliance Spending Report, 2008-2009: Inside the $32B GRC Market," www.amrresearch.com
3 Uehara, K., et al.; "J-SOX Challenge: Efforts to Comply With the New Japanese Regulation," Information Systems Control Journal, vol. 5, 2008, p. 34-37
4 IT Governance Institute, Board Briefing on IT Governance, 2nd Edition, 2003
5 Stoneburner, Gary; Alice Goguen; Alexis Feringa; Risk Management Guide for Information Technology Systems, Special Publication 800-30, National Institute of Standards and Technology (NIST), 2002
6 Lauesen, Soren; Houman Younessi; "Six Styles of Usability Requirements," Proceedings of REFSQ'98, Presses Universitaires de Namur, 1998

Authors' Note
The authors would like to thank Greg Handrick, R&D manager at Boston Scientific, and Kim Pender, security compliance manager at Target Corp., for reviewing the article and providing valuable feedback and suggestions.
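The weighting rule of figure 6, the disqualification rule of step 5 and the weighted totals of step 6 and figure 7, implemented as an added example (not code from the article): the weights and ratings are transcribed from figure 7; the function names, the vendor index convention and the treatment of a criterion that no stakeholder asked for (rejected, since figure 6 has no row for it) are this example's own assumptions. Recomputed from the printed weights and ratings, the totals come to 449.2, 453.4 and 398.1 instead of the printed 448.85, 455.4 and 398.1; the ranking, B ahead of A ahead of C, is unchanged, which is the check worth making before a table like this goes to the committee.

```python
"""Weighted scoring model for GRC platform selection (figures 6 and 7).

Added example, not code from the article. Each FIGURE_7 entry is
(criterion, weight, (rating of vendor A, vendor B, vendor C)) as printed.
"""
from typing import Dict, List, Optional, Sequence, Tuple

Criterion = Tuple[str, int, Tuple[float, ...]]
VENDORS: Tuple[str, ...] = ("A", "B", "C")

FIGURE_7: List[Criterion] = [
    # Governance
    ("Business alignment", 5, (4.1, 4.7, 2.8)),
    ("Policy, standard and procedure management", 5, (4.7, 3.5, 3.5)),
    ("Oversight", 4, (3.4, 3.7, 4.4)),
    ("Decision support", 3, (4.1, 3.3, 4.4)),
    # Risk management
    ("Acceptable risk baseline", 4, (4.7, 4.8, 3.3)),
    ("End-to-end risk management", 3, (4.5, 2.1, 4.7)),
    ("Adaptability", 4, (2.1, 3.1, 2.3)),
    ("Consistency", 5, (1.8, 4.3, 2.1)),
    ("Metrics", 5, (4.2, 3.0, 2.9)),
    # Compliance
    ("Regulatory intelligence", 4, (3.3, 4.4, 4.3)),
    ("Requirements and controls library", 5, (4.1, 4.0, 3.8)),
    ("Correlation", 3, (3.1, 2.1, 1.9)),
    ("Remediation management", 4, (4.3, 3.9, 2.8)),
    ("Reporting", 5, (4.3, 4.2, 3.3)),
    # Other general functionality and nonfunctional requirements
    ("Vendor oversight", 2, (2.3, 1.5, 3.5)),
    ("Workflow", 5, (3.9, 5.0, 0.9)),
    ("Document management", 5, (4.5, 4.1, 4.5)),
    ("Security", 5, (5.0, 5.0, 4.5)),
    ("Scalability", 2, (3.8, 5.0, 4.9)),
    ("Interface", 4, (2.2, 4.1, 3.8)),
    ("Usability", 5, (4.5, 4.3, 4.2)),
    ("Support", 5, (4.1, 1.9, 3.0)),
    # Unique organizational requirements
    ("Import existing HIPAA controls", 5, (4.0, 2.7, 1.3)),
    ("Automatic evidence collection", 5, (4.0, 4.0, 2.9)),
    ("Project management", 4, (3.9, 4.2, 3.3)),
    ("Exceptions management", 4, (1.3, 3.7, 3.6)),
    ("Fit in existing infrastructure", 3, (3.4, 1.9, 1.2)),
    ("Support for ISO Guide 73", 3, (1.5, 5.0, 4.2)),
    ("Background check of vendor consultants", 1, (4.0, 3.3, 4.8)),
    ("Segregation of duties", 4, (4.1, 3.2, 4.4)),
]


def criterion_weight(primary: int, primary_total: int, secondary: int) -> int:
    """Figure 6: weight 1..5 from stakeholder interest; primary_total is the
    size of the primary pool (4 in the case study). Any primary interest
    outranks secondary interest, as the order of the figure's rows implies."""
    if primary_total < 1 or not 0 <= primary <= primary_total:
        raise ValueError("primary stakeholder counts out of range")
    if primary == primary_total:
        return 5
    if primary > 2:
        return 4
    if primary >= 1:
        return 3
    if secondary >= 3:
        return 2
    if secondary >= 1:
        return 1
    # Assumption of this example: figure 6 has no row for zero interest.
    raise ValueError("no stakeholder interest: not a criterion")


def disqualifying(criteria: Sequence[Criterion], vendor: int) -> List[str]:
    """Step 5: criteria weighted 3 or more on which this vendor scored 0."""
    return [name for name, weight, ratings in criteria
            if weight >= 3 and ratings[vendor] == 0]


def weighted_totals(criteria: Sequence[Criterion],
                    vendors: Sequence[str] = VENDORS) -> Dict[str, Optional[float]]:
    """Step 6: sum of weight * rating per vendor; None marks a disqualified one."""
    totals: Dict[str, Optional[float]] = {}
    for idx, vendor in enumerate(vendors):
        if disqualifying(criteria, idx):
            totals[vendor] = None
        else:
            totals[vendor] = round(sum(w * r[idx] for _, w, r in criteria), 1)
    return totals


def ranking(totals: Dict[str, Optional[float]]) -> List[str]:
    """Surviving vendors, highest weighted total first."""
    alive = [v for v, t in totals.items() if t is not None]
    return sorted(alive, key=lambda v: totals[v], reverse=True)


if __name__ == "__main__":
    result = weighted_totals(FIGURE_7)
    for vendor in ranking(result):
        print(f"Vendor {vendor}: {result[vendor]}")
```

Run the file to print the ranking. The committee's own ratings replace the FIGURE_7 tuples, and a fourth vendor is added by appending a rating to every tuple and a name to VENDORS. A total of None means the vendor failed the step 5 rule; it is excluded before totals are compared rather than merely scored low, so a single zero on a criterion the primary stakeholders care about cannot be bought back with strength elsewhere.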
