Apr 15, 2008

New PCI DSS Standard Due Out
Posted by: Mike Flouton

SearchSecurity has coverage from RSA about a new version of the PCI Data Security Standard, due out sometime in Q3 of this year. It appears they're taking a pragmatic approach, and indications are that it will be an evolution based on user feedback rather than a drastic, revolutionary change. PCI has been a sensitive topic, and the general consensus from practitioners is that it doesn't really help prevent data breaches in and of itself. What it DOES do, however, is provide a stick to use to get your organization to fund information security and IT risk management gaps.

If we learned anything from SOX, it's that managing any non-trivial set of risks and controls in spreadsheets, Word documents, word of mouth and prayer is a recipe for failure. PCI, in any incarnation, is no different.
 
Apr 02, 2008

A GRC Success Story Podcast
Posted by: Gordon Burnes

Compliance expert Eric Krell from DRS Technologies speaks to Business Finance editor in chief Jack Sweeney about how the tactical precision with which key risk and compliance decisions were made allowed internal audit to blossom. DRS Technologies currently utilizes OpenPages to manage their SOX compliance requirements and takes advantage of the technology’s workflow automation capability to supplement the 302 certification process.

Listen to the Podcast

 
Mar 19, 2008

ERP Vendors and Risk Management
Posted by: Gordon Burnes

We're nearing the second anniversary of SAP's purchase of Virsa and its serious entry into the GRC space. Last week, SAP made a series of announcements about its GRC products, which now extend beyond industry apps and the SOD (segregation of duties)/access control arena to other areas of GRC. Business Finance has a new GRC blog and covered SAP's announcements. John Cummings notes that "the sheer scope of GRC offerings from SAP and other enterprise software providers is impressive, and point-solution vendors will need all of their agility to respond."

Certainly, we wouldn't argue with that statement, but we would say that one of the most important parts of a GRC solution is how it fits into the rest of the system. While SAP (and maybe Oracle) might be able to argue that you should be single-threaded on SAP, the rest of us cannot make that argument, so we have to play nice in the sandbox and 1) fit into the existing (heterogeneous) environment and 2) work across silos. This latter point is critical, because what the enterprise GRC platform vendors are delivering is a way to see risk across the organization. When SAP demonstrates its risk management application, it focuses on controls associated with a sales process; that is a very different solution, a tightly integrated top-to-bottom one, but not very good at crossing silos. And, as I blogged earlier in the week, the real value in risk management comes from relating risks to one another at the top of the business. Of course, we're not an ERP vendor, but you have to wonder whether you want the fox guarding the henhouse.
 
