IT Governance, Risk, and Compliance – Part II
- Friday, May 21, 2010, 11:30
- Threat Research
IT Governance, Risk, and Compliance: A method of analysis based on the Symantec Response Assessment Module (RAM)
Part I of this blog series introduced the concepts of IT governance, risk, and compliance (GRC). To quote:
“In recent times, companies, organizations, and consulting firms from various sectors have started to address the great issues that lie at the base of IT. These issues are governance, risk management, and compliance. Every organization should be able to transform these problems into opportunities to continually improve IT. In practice, everyone realizes that these three issues are related.”
Here I continue the GRC discussion with two phases of the method: 1.2.1 Design and 1.2.2 Build.
1.2.1 Phase 1: Design
The Design phase is where the datacenter security analysis starts: a questionnaire for the datacenter managers is prepared, with the main objective of gathering all of the basic information the assessment needs.
To facilitate the work of the interviewees and the subsequent processing of their responses, the survey is designed so that:
1. Each question is in close relation with a given control or security countermeasure.
2. Interviewees choose from a fixed set of only six answers for each question, and each of the six answers carries its own score, as shown below.
Figure: The possible responses and related scores.
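The two survey constraints above, as an added example written for this post rather than code from the original article or from Symantec's Response Assessment Module: a small model that checks every question is tied to a control and offers exactly six answers, then aggregates the interview responses per control. The control identifiers, question texts and the six scores are assumptions, since the figure with the real scores is not reproduced here.

```python
"""Minimal model of the Design-phase questionnaire (illustrative, not RAM code)."""
from dataclasses import dataclass, field

# Assumed six-point answer scale. The real responses and scores are in the
# figure from the original post; these placeholder values only preserve the
# idea that "fully implemented" scores highest and "not applicable" is kept
# out of the denominator.
ANSWER_SCALE = [
    ("Not implemented", 0),
    ("Planned", 1),
    ("Partially implemented", 2),
    ("Largely implemented", 3),
    ("Fully implemented", 4),
    ("Not applicable", None),
]


@dataclass
class Question:
    qid: str
    text: str
    control: str  # design rule 1: each question maps to one control


@dataclass
class Questionnaire:
    questions: list = field(default_factory=list)
    scale: list = field(default_factory=lambda: list(ANSWER_SCALE))

    def validate(self):
        """Enforce the two design rules: one control per question, six answers."""
        if len(self.scale) != 6:
            raise ValueError("each question must offer exactly six answers")
        seen = set()
        for q in self.questions:
            if not q.control:
                raise ValueError(f"{q.qid} is not tied to a control")
            if q.qid in seen:
                raise ValueError(f"duplicate question id {q.qid}")
            seen.add(q.qid)
        return True

    def score(self, responses):
        """Aggregate points per control, ignoring 'Not applicable'.

        responses: {question_id: answer_label}
        returns:   {control: (points_obtained, points_achievable)}
        """
        by_label = dict(self.scale)
        max_score = max(v for v in by_label.values() if v is not None)
        totals = {}
        for q in self.questions:
            label = responses[q.qid]
            if label not in by_label:
                raise ValueError(f"{q.qid}: '{label}' is not one of the six answers")
            pts = by_label[label]
            got, top = totals.get(q.control, (0, 0))
            if pts is None:  # N/A leaves both numerator and denominator unchanged
                totals[q.control] = (got, top)
            else:
                totals[q.control] = (got + pts, top + max_score)
        return totals


def coverage(totals):
    """Percent of achievable points per control; None when every answer was N/A."""
    return {c: (None if top == 0 else round(100 * got / top, 1))
            for c, (got, top) in totals.items()}


# Constructed sample questionnaire and interview responses (hypothetical data).
SAMPLE = Questionnaire([
    Question("Q1", "Is physical access to the datacenter logged?", "PHY-ACCESS"),
    Question("Q2", "Are access logs reviewed at least monthly?", "PHY-ACCESS"),
    Question("Q3", "Is there a tested backup restore procedure?", "BACKUP"),
    Question("Q4", "Are backup media encrypted at rest?", "BACKUP"),
])

SAMPLE_RESPONSES = {
    "Q1": "Fully implemented",
    "Q2": "Partially implemented",
    "Q3": "Planned",
    "Q4": "Not applicable",
}

if __name__ == "__main__":
    SAMPLE.validate()
    print(coverage(SAMPLE.score(SAMPLE_RESPONSES)))
```

Keeping "Not applicable" out of the denominator matters: otherwise a control whose questions do not apply to a given datacenter would drag its coverage down and be mistaken for a gap during the later analysis.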
In addition to the general preparation of the survey, during the design phase the answers are constructed so as (continue reading...)