Bill Bensing’s Approach to GRC
Bill Bensing’s approach integrates governance, risk and control processes directly into the software development lifecycle and systems operations, and automates them to dramatically reduce the overall organizational governance effort and to speed up the release cycle. Together with CROZ, he helps organizations adopt and implement this approach.
Why?
Modern IT environments are dynamic, and the days of a single major release per year are long gone. Security vulnerabilities must be patched immediately, and thanks to CI/CD pipelines, product and process improvements are implemented continuously. Complex end-to-end tests that take weeks are no longer practicable in modern, decentralized (micro)service architectures. Increasing regulatory requirements, which undoubtedly have their justification, are leading to ever greater volumes of data.
Sample after sample is neither cost-effective nor feasible for internal audit and auditors in terms of personnel. Internal audit is therefore inevitably becoming a bottleneck for security-relevant software releases.
What?
- Autonomous Assurance:
Bensing suggests automating governance tasks to reduce manual work and the friction traditionally associated with these processes. By automating compliance checks and assurance activities such as security audits, risk assessments, substantive testing and other fieldwork, organizations can ensure that these aspects are applied continuously and consistently throughout the development process. GitOps and DevOps are joined by RegOps.
- Governance Engineering:
Governance Engineering is a teamwork approach which demonstrates how to bridge the gap between technologists, Audit, GRC and Compliance functions by defining new ways of working without having to re-create or re-think your organization. The way we work together must change to a collaborative environment where developers, operations and governance experts work together to develop and maintain systems that are compliant with applicable law from the outset.
This approach ensures that governance is an integral part of the development pipeline rather than a separate, disruptive phase, so you can speed up the development process. The goal of Governance Engineering for GRC and Audit professionals is to focus their skills and efforts on identifying new risks to take and how to mitigate these risks, while the software and operations teams can focus on execution. The outcome for organizations is that governance processes become an inherent part of daily execution, not a once-in-a-while activity.
- Continuous Approval to Operate (cATO):
In the new world, software changes are automatically checked against compliance and security standards in real time. This continuous monitoring ensures that deviations from standards are detected and remedied immediately, enabling rapid yet compliant software deployment. Instead of test approvals, IT audit focuses on auditing the adequacy of the process itself (the more efficient, transparent and GRC-compliant software development process) and of changes to that process.
How?
Integration of IT Governance and DevOps through:
- Collaboration and communication:
Bensing emphasizes breaking down silos between development, operations and governance teams. This collaborative approach ensures that all stakeholders understand and align on governance requirements from the outset.
- Tools and automation:
Using tools to automate governance processes, specifically assurance related activities such as substantive testing of controls, helps embed these practices into the CI/CD pipeline so that every code change is compliant and secure before it reaches production. This reduces the risk of non-compliance and improves overall software quality and security.
- Education and culture:
Bensing emphasizes educating teams on the importance of governance and creating a culture where compliance and security are seen as a shared responsibility, not just the responsibility of a separate governance team.
Don't miss our event
Are you interested in freeing your compliance and audit competencies along the Software Development Lifecycle? Do you want to learn how to move DevOps processes from manual and semi-automated auditing to autonomous assurance to speed up your company’s release cycle?
To stay ahead of the curve and to ensure your institution complies with current and upcoming regulations, e.g., DORA, we recommend attending our specialized community meetup on 1st or 2nd October in Munich. For specific needs, direct 1:1 sessions are also possible. These workshops provide expert guidance and practical strategies for implementing the required changes. CROZ is working on this topic with our good friend and partner Bill Bensing, the well-known author and thought leader on GRC&A (Governance, Risk, Compliance and Assurance).
Improve your assurance capabilities and allow your professionals to focus on strategic and tactical tasks like risk identification and mitigation instead of static control procedures!
Are you interested in attending the community meetup (1st or 2nd October in Munich) or a specific 1:1 workshop session?
Get in touch with us!
Agenda
| Start | End | Topic |
|---|---|---|
| 10:00 | 10:15 | Introductions |
| 10:15 | 10:30 | Autonomous Assurance – More than Automated Assurance: introduce the goal of 24/7 Audit Ready and overcoming the assurance problems that stand in the way, differentiate Audit vs. Assurance and Validation vs. Verification, explain the concept of a Governance Graph as the Autonomous Assurance foundation, and describe the NAPE Approach. |
| 10:30 | 11:00 | Governance Engineering (GovEng) – Team Design Strategy: discuss team design according to socio-technical concepts, and apply GovEng to both the 4-step Internal Audit process (Plan, Fieldwork, Reporting, Follow-up) and the Three Lines of Defense Model. |
| 11:00 | 11:10 | 1st Break |
| 11:10 | 12:00 | Design an Approach – Hands-on Lab Prep: review the selected ICT Lab process, define the plan and approach for applying NAPE and Autonomous Assurance, identify and define the procedure, control activities and control actions, determine where to collect evidence, and define the control action tests to apply to the collected evidence. |
| 12:00 | 13:00 | Lunch Break |
| 13:00 | 14:00 | Implement the Approach – Leverage the NAPE Approach (Open Source): create the NAPE Assurance Procedure, code the Control Action tests in Python, and run the assurance procedure against automatically collected evidence. |
| 14:00 | 14:30 | Workshop Retrospective |
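The lab steps above (procedure, control activities, control actions, collected evidence, control action tests) can be sketched in Python as follows. This is an added illustration, not NAPE's own code or API: the evidence fields and the procedure structure are assumptions made for the example, and a missing piece of evidence is treated as a failed control rather than a pass.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed evidence: facts a CI/CD pipeline might export for one release
# candidate. Field names are assumptions made for this illustration.
EVIDENCE = {
    "author": "bob",
    "review_approvals": ["alice"],
    "sast": {"critical": 0, "high": 1},
    "dependency_scan": {"critical": 0},
    "tests": {"passed": 412, "failed": 0},
}

@dataclass
class ControlAction:
    name: str
    test: Callable[[dict], bool]  # True when the evidence satisfies the control

def second_person_review(ev):
    """Four-eyes principle: at least one approver who is not the author."""
    return any(approver != ev["author"] for approver in ev["review_approvals"])

# The assurance procedure: control activities, each with its control actions.
PROCEDURE = {
    "Change review": [ControlAction("Second-person review", second_person_review)],
    "Security testing": [
        ControlAction("No critical SAST findings", lambda ev: ev["sast"]["critical"] == 0),
        ControlAction("No critical dependency vulns", lambda ev: ev["dependency_scan"]["critical"] == 0),
    ],
    "Functional testing": [
        ControlAction("All tests passed", lambda ev: ev["tests"]["failed"] == 0 and ev["tests"]["passed"] > 0),
    ],
}

def run_procedure(procedure, evidence):
    """Apply every control action test to the evidence; returns {activity: {action: bool}}.
    Missing or malformed evidence counts as a failed control (fail closed)."""
    results = {}
    for activity, actions in procedure.items():
        results[activity] = {}
        for action in actions:
            try:
                results[activity][action.name] = bool(action.test(evidence))
            except (KeyError, TypeError):
                results[activity][action.name] = False
    return results

def audit_ready(results):
    """True only when every control action in every activity passed."""
    return all(all(outcomes.values()) for outcomes in results.values())
```

Run against evidence exported on every pipeline run, the per-action results are the audit trail; `audit_ready` is the release gate.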
Get in Touch with us
We support you from the analysis of your potential to the implementation of a practicable approach tailored to your needs.
Advantages
- Our approach integrates the various challenges facing your company.
- In our workshops, we also consider the organizational and communicative impact within the company.
- Our methodology reflects the development of objectives and values in regulated industries.
Together, we will find the best way to implement your GRC requirements better and more efficiently.
Simply get in touch with us. We are here for you!