2017 | Supplement | Chapter

A Framework for Assessing Organisational IT Governance, Risk and Compliance

Authors : Mikhel Vunk, Nicolas Mayer, Raimundas Matulevičius

Published in: Software Process Improvement and Capability Determination

Publisher: Springer International Publishing

Abstract

Enterprises have come to understand that information technology (IT) is more than just a technical issue. Domains such as IT governance, risk management and compliance (GRC) have been established to steer it. Though there have been some improvements, these domains are usually considered separately, so less business value is created because of the complexity of the process flows. There have been few attempts to integrate all three aspects, and those that exist used a domain-specific standard and did not take the existing state of the art into account. In this paper, we conduct a systematic literature review to understand the processes, roles, strategies, and technologies of IT GRC as well as their integration. Based on the results of the review, we propose an assessment framework that could guide evaluation of an enterprise's IT GRC concerns.
Metadata
Title
A Framework for Assessing Organisational IT Governance, Risk and Compliance
Authors
Mikhel Vunk
Nicolas Mayer
Raimundas Matulevičius
Copyright Year
2017
DOI
https://doi.org/10.1007/978-3-319-67383-7_25