FFIEC News
Avacuna Unveils Integrated GRC to Advance IT Alignment for Multiple Governance Frameworks
(Nov 28, 2007)-- Avacuna announced its integrated GRC (Governance, Risk Management and Compliance) service, which builds upon its successful compliance assessment and security risk management programs. Integrated GRC affords businesses currently using an existing IT systems governance framework the ability to rapidly and efficiently map new processes and controls introduced by secondary or tertiary standards, frameworks and best practice guidelines. Many companies managing mature Sarbanes-Oxley Section 404 (SOX 404) controls developed under the COSO or CobiT models find themselves tasked with incorporating alternative framework mandates driven by regulatory compliance deadlines, security risk concerns or corporate efficiency objectives. These organizations increasingly need to reconcile objective-specific standards such as PCI DSS, ISO 27002 (formerly 17799) and ITIL with a framework already in full production, and Avacuna expects this trend will continue through 2011.
"In conjunction with multi-framework methodologies we've already tested and used effectively, integrated GRC represents a critical turning point that will transform the way companies approach governance," said Tom Leh, Managing Partner of Avacuna. "Companies whose controls have matured in recent years are recognizing that while common frameworks such as CobiT are helpful, no single approach in isolation can deliver a holistic IT governance environment. With integrated GRC, companies can selectively apply only those guidelines relevant to their specific business interests while determining which certifications or report automation tools, if any, will contribute to measurable gains in productivity. This service reinforces Avacuna's commitment to a more strategic alignment of IT governance with corporate governance."
Working closely with financial services, hospitality and insurance customers to update their information systems policies, processes and controls, Avacuna encounters a variety of dynamic governance challenges and applies hybrid processes to lower risk for each specific environment. The growing Florida company plans to expand aggressively in 2008 with a broader focus on unified GRC vulnerability assessments, security risk management and customized awareness training. "We're observing that while GRC software remains at an embryonic stage of development from a risk assessment and controls perspective, solutions are being evaluated more frequently than recent research predicted," said Leh. "These tools are becoming their own distinct vulnerability category at a faster pace than initially anticipated. Customers are requesting evidence of sufficiently robust application security controls from GRC automation and data reporting vendors vying to participate in security risk management projects, and we're now working with third party suppliers more frequently to close compliance remediation gaps."
Avacuna has experienced solid awareness training service growth and predicts even greater numbers of organizations will demonstrate renewed interest in this practice during the coming year. "Many companies have completed only preliminary stage awareness programs often characterized as excessively generic and targeted primarily to internal audiences," Leh noted. "Companies are now calling for customized use cases that audiences can identify with on a personal level. We are inspired to be in a position to help clients innovate their external customer education resources, produce flexible and contextualized awareness campaigns, and to enlighten a risk class that contributes significantly to data breach and threat scenarios."